Updates from: 03/26/2024 09:00:34
Category Microsoft Docs article Related commit history on GitHub Change details
includes Copilot Content Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/copilot/includes/copilot-content-updates.md
-## Week of February 26, 2024
--
-| Published On |Topic title | Change |
-|||--|
-| 2/29/2024 | [Get started with Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-setup) | modified |
--
-## Week of February 12, 2024
+## Week of March 18, 2024
| Published On |Topic title | Change | |||--|
-| 2/13/2024 | [Microsoft Copilot for Microsoft 365 documentation # < 60 chars](/microsoft-365-copilot/index) | modified |
+| 3/21/2024 | [Microsoft Copilot for Microsoft 365 requirements](/microsoft-365-copilot/microsoft-365-copilot-requirements) | modified |
-## Week of January 29, 2024
+## Week of February 26, 2024
| Published On |Topic title | Change | |||--|
-| 2/2/2024 | [Microsoft Copilot for Microsoft 365 requirements](/microsoft-365-copilot/microsoft-365-copilot-requirements) | modified |
+| 2/29/2024 | [Get started with Microsoft Copilot for Microsoft 365](/microsoft-365-copilot/microsoft-365-copilot-setup) | modified |
admin Microsoft 365 Copilot Usage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage.md
You can view several numbers for Copilot for Microsoft 365 usage, which highligh
**Active Users** shows the total number of enabled users in your organization who tried a user-initiated Copilot for Microsoft 365 feature, in one or more Microsoft 365 apps over the selected time period.
-> [!NOTE]
-> A user is considered active in a given app if they performed an intentional action for an AI-powered capability. For example, if a user selects the Copilot icon in the Word ribbon to open the Copilot chat pane, this does not count towards active usage. However, if the user interacts with the chat pane by submitting a prompt, this action would count towards active usage.
- **Active users rate** shows you the number of active users in your organization divided by the number of enabled users. In Recommendations, the recommended action card highlights [Microsoft Copilot Dashboard](/viva/insights/org-team-insights/copilot-dashboard), where you can deliver insights to your IT leaders to explore Copilot readiness, adoption, and impact in Viva Insights.
The definitions for Enabled Users and Active Users metrics are the same as provi
To note, Active users of Word, Excel and PowerPoint is incomplete prior to Jan 25, 2024. Active users of Outlook might be lower than expected if there are people in your organization using the Coach feature on Outlook Win32 over the selected time period. We are currently working on integrating this data into our reports and will notify you as soon as it becomes available.
->[!NOTE]
-> This report now includes a new metric for Microsoft Copilot with Graph-grounded chat, simplified as "Copilot chat." The action list for active users of Copilot chat includes the following:
-> - Typing a message into the chat window and submitting.
-> - Selecting a prompt from the "Try these Prompts" section, which will automatically copy the prompt into the chat box.
-> - Clicking on one of the suggestions from the "Stay on top" tab in some platforms (such as Microsoft365.com).
-
-> Note that automated prompts are not included in this feature.
- >[!IMPORTANT] > Your organization must have optional diagnostic telemetry for Office apps enabled for Windows, Mac, iOS, and Android in order for comprehensive usage information to be captured in this report. [Learn more about diagnostic telemetry settings](/DeployOffice/privacy/optional-diagnostic-data).
Select **Choose columns** to add or remove columns from the table.
:::image type="content" alt-text="Screenshot showing the columns you can select for the Microsoft 365 Copilot usage report." source="../../media/copilot-usage-choose-columns2.png":::
->[!NOTE]
-> All up last activity date and last activity date per app are reflecting different narratives now. All up last activity date is reflecting the historical last activity date no matter what period is selected on the page, while last activity date per app is reflecting the last activity date within the selected time period; hence, if there is no activity in selected time period, the last activity date per app will be empty. We are planning to make them consistent to reflect the historical last activity date narrative and will provide update once itΓÇÖs done.
- You can also export the report data into an Excel .csv file by selecting the Export link. This exports the Copilot for Microsoft 365 usage data of all users and enables you to do simple sorting, filtering, and searching for further analysis. To ensure data quality, we perform daily data validation checks for the past three days and will fill any gaps detected. You may notice differences in historical data during the process.
To make the data in the Copilot for Microsoft 365 report anonymous, you must be
## FAQ
+### How is a user considered active in Copilot for Microsoft 365 usage?
+
+A user is considered active in a given app if they performed an intentional action for an AI-powered capability. For example, if a user selects the Copilot icon in the Word ribbon to open the Copilot chat pane, this does not count towards active usage. However, if the user interacts with the chat pane by submitting a prompt, this action would count towards active usage.
+
+### WhatΓÇÖs the action list for Copilot chat usage?
+
+This report now includes a new metric for Microsoft Copilot with Graph-grounded chat, simplified as "Copilot chat." The action list for active users of Copilot chat includes the following:
+
+- Typing a message into the chat window and submitting.
+- Selecting a prompt from the "Try these Prompts" section, which will automatically copy the prompt into the chat box.
+- Clicking on one of the suggestions from the "Stay on top" tab in some platforms (such as Microsoft365.com).
+
+Note that automated prompts are not included in this feature.
+
+### What are the behaviors of All up last activity date and last activity date per app in user-level table?
+
+All up last activity date and last activity date per app are reflecting different narratives now. All up last activity date is reflecting the historical last activity date no matter what period is selected on the page, while last activity date per app is reflecting the last activity date within the selected time period; hence, if there is no activity in selected time period, the last activity date per app will be empty. We are planning to make them consistent to reflect the historical last activity date narrative and will provide update once itΓÇÖs done.
+ ### What's the difference between the user activity table and audit log? The information captured in audit log records differs from that in [Microsoft 365 usage reports](#user-last-activity-table). It's important to note that audit logs are not designed for assessing user engagement in Microsoft 365, and they should not be used to replace or augment information in Microsoft 365 usage reports. To learn more about audit logs, see [Export, configure, and view audit log records](/purview/audit-log-export-records#step-1-export-audit-log-search-results).+
+### Is Intelligent Recap usage in Teams is captured in [Usage reports](activity-reports.md), [Adoption Score](../adoption/adoption-score.md), and [Microsoft Copilot Dashboard](/viva/insights/org-team-insights/copilot-dashboard)?
+
+ Not yet. [Roadmap ID #375760 Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=375760) states that feature Intelligent Recap in Teams has been available for Microsoft Copilot for Microsoft 365 users since Jan, 2024. However, telemetry is not captured in Usage reports, Adoption Score, and Microsoft Copilot Dashboard. We are working on bringing this feature into those products and will announce in Message Center once itΓÇÖs available.
+
+### WhatΓÇÖs the scope of user-level table?
+
+The user-level table in the report is configured to show all users who were licensed for Copilot for Microsoft 365 at any point over the past 180 days, even if the user has since had the license removed or never had any Copilot active usage.
admin Content Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/adoption/content-collaboration.md
Adoption Score provides insights into your organization's digital transformation
To get started with Content collaboration insights, people in your organization need to be licensed for: -- OneDrive for Business
+- OneDrive
- SharePoint - Exchange Online
We provide a primary insight that contains the key metrics for content collabora
### Primary insight
-Microsoft OneDrive for Business and SharePoint help people to easily create, read, and discover their individual and shared content in Microsoft 365 from across devices and applications. They also allow people to securely share and collaborate on content. The primary insight contains information from everyone who can use OneDrive for Business and SharePoint. Additionally it breaks down the details about how many people read, create, and collaborate on content stored in OneDrive for Business and SharePoint.
+Microsoft OneDrive and SharePoint help people to easily create, read, and discover their individual and shared content in Microsoft 365 from across devices and applications. They also allow people to securely share and collaborate on content. The primary insight contains information from everyone who can use OneDrive and SharePoint. Additionally it breaks down the details about how many people read, create, and collaborate on content stored in OneDrive and SharePoint.
:::image type="content" source="../../media/collabscore_primary.png" alt-text="Primary insights from communication collaboration score.":::
Understand how many users are attaching physical files in email rather than link
3. **Visualization:** Represents the extent to which people who have access to OneDrive or SharePoint are sharing files internally or externally: - **Externally:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represent the percentage of people who have access to OneDrive or SharePoint and are sharing files externally. - Numerator: The number of people who have shared files externally with in the last 28 days
- - Denominator: The total number of people who have had access to OneDrive or SharePoint for at least 1 of the last 28 days.
+ - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both, and sent at least one attachment within the last 28 days.
- **Internally only:** The blue (colored) portion of the bar and the fraction (numerator/denominator) on the bar represent the percentage of people who have access to OneDrive or SharePoint and are sharing files internally only. - Numerator: The number of people who have shared files internally only within the last 28 days - Denominator: The number of people who have had access to Exchange and OneDrive, SharePoint, or both, and sent at least one attachment within the last 28 days.
admin Manage Office Scripts Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-office-scripts-settings.md
f1.keywords:
Previously updated : 08/12/2020 Last updated : 03/22/2024 audience: Admin
description: "Learn how to manage Office Scripts settings for users in your orga
2. Select **Office Scripts**.
-3. Office Scripts is turned on by default, and everyone in your organization can access and use the feature and share scripts. To turn off Office Scripts for your organization, clear the **Let users automate their tasks in Excel** check box.
+3. Office Scripts is turned on by default, and everyone in your organization can access and use the feature and share scripts. To turn off Office Scripts for your organization, clear the **Let users automate their tasks in Excel** checkbox.
4. If you previously turned off Office Scripts for your organization and you want to turn it back on, select **Let users automate their tasks in Excel**, and then specify who can access and use the feature: - To allow all users in your organization to access and use Office Scripts, leave **Everyone** (the default) selected.
- - To allow only members of a specific group to access and use Office Scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allowlist, and it must be one of the following types:
+ - To allow only members of a specific group to access and use Office Scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allowlist. You may add only one group to the allowlist, and it must be one of the following types:
- Microsoft 365 group - Distribution group - Security group
description: "Learn how to manage Office Scripts settings for users in your orga
- To allow all users with access to Office Scripts to share their scripts, leave **Everyone** (the default) selected.
- - To allow only members of a specific group with access to Office Scripts to share their scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allowlist, and it must be one of the following types:
+ - To allow only members of a specific group with access to Office Scripts to share their scripts, select **Specific group**, and then enter the name or email alias of the group to add it to the allowlist. You may add only one group to the allowlist, and it must be one of the following types:
- Microsoft 365 group - Distribution group - Security group
description: "Learn how to manage Office Scripts settings for users in your orga
To learn more about the different types of groups, see [Compare groups](../create-groups/compare-groups.md).
-7. To allow users to run their Office Scripts inside Power Automate flows, select **Let users with access to Office Scripts run their scripts with Power Automate**. This allows users to add flow steps with the [Excel Online (Business) Connector's](/connectors/excelonlinebusiness) **Run script** option.
+7. To allow users to run their Office Scripts inside Power Automate flows, select **Let users with access to Office Scripts run their scripts with Power Automate**. This allows users to add flow steps with the [Excel Online (Business) connector](/connectors/excelonlinebusiness) **Run script** option.
- To allow all users with access to Office Scripts to use their scripts in flows, leave **Everyone** (the default) selected.
- - To allow only members of a specific group with access to Office Scripts to use their scripts in flows, select **Specific group**, and then enter the name or email alias of the group to add it to the allow list. You may add only one group to the allowlist, and it must be one of the following types:
+ - To allow only members of a specific group with access to Office Scripts to use their scripts in flows, select **Specific group**, and then enter the name or email alias of the group to add it to the allowlist. You may add only one group to the allowlist, and it must be one of the following types:
- Microsoft 365 group - Distribution group - Security group
description: "Learn how to manage Office Scripts settings for users in your orga
Group Policy has a setting to control whether Office Scripts (including the relevant commands on the **Automate** tab) are available for use.
-If you enable this policy setting, Office Scripts will not be available for use in the installed Excel app on a desktop. You'll find Office Scripts settings under User Configuration\Administrative Templates\Microsoft Excel 2016\Miscellaneous in the Group Policy Management Console.
+If you enable this policy setting, Office Scripts won't be available for use in the installed Excel app on a desktop. You'll find Office Scripts settings under User Configuration\Administrative Templates\Microsoft Excel 2016\Miscellaneous in the Group Policy Management Console.
After applying this policy setting, users will still see the **Automate** tab, but the **Office Scripts** and **Automate** options will be greyed out. They can select the **Record Actions** button, but if they do, they'll see the following message: "You don't have access to Office Scripts. Your organization's admin may have turned off this feature, or you don't meet the requirements."
To learn more, see [Use Group Policy to configure update settings for Microsoft
## Next steps
-Because Office Scripts works with Power Automate, we recommend that you review your existing Microsoft Purview Data Loss Prevention (DLP) policies to ensure your organization's data remains protected while users use Office Scripts. For more information, see [Data loss prevention (DLP) policies](/power-automate/prevent-data-loss).
+Because Office Scripts works with Power Automate, we recommend that you review your existing Microsoft Purview Data Loss Prevention (DLP) policies to ensure your organization's data remains protected while users use Office Scripts. For more information, see [Set a policy to help prevent data loss](/power-automate/prevent-data-loss).
## Related content [Office Scripts technical documentation](/office/dev/scripts/) (link page)\ [Introduction to Office Scripts in Excel](https://support.microsoft.com/office/9fbe283d-adb8-4f13-a75b-a81c6baf163a) (article)\ [Sharing Office Scripts in Excel](https://support.microsoft.com/office/226eddbc-3a44-4540-acfe-fccda3d1122b) (article)\
-[Record, edit, and create Office Scripts in Excel](/office/dev/scripts/tutorials/excel-tutorial) (article)
+[Record, edit, and create Office Scripts in Excel](/office/dev/scripts/tutorials/excel-tutorial) (tutorial)
admin Customize Team Site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/customize-team-site.md
Title: Customize a SharePoint team site for file storage and sharing
+ Title: Customize your SharePoint team site for file storage and sharing
f1.keywords: - NOCSH Previously updated : 02/19/2020 Last updated : 03/22/2024 audience: Admin
search.appverid:
- MET150 - MOE150 ms.assetid: 70a62f09-45ea-4968-8482-43cddfb8cc01
-description: Learn how to customize, organize, and manage your SharePoint team site with document libraries, lists, and hubs.
+description: Learn how to customize, organize, and manage your SharePoint team site with color schemes, a custom header, document libraries, lists, and hubs.
-# Customize your team site for file storage and sharing
+# Customize your SharePoint team site for file storage and sharing
-If you have a small business with a few employees, one of the best ways to set up and facilitate file sharing and online collaboration is to use OneDrive and a SharePoint team site together. We recommend creating a team site that's connected to a Microsoft 365 group. If you want to use chat, you can create this site by creating a team in Microsoft Teams. For more info about Teams, see [Video: What is Microsoft Teams?](https://support.microsoft.com/office/b98d533f-118e-4bae-bf44-3df2470c2b12). If you don't want to use Teams, you can create a team site from the SharePoint start page.
+If you have a small business with a few employees, one of the best ways to set up and facilitate file sharing and online collaboration is to use OneDrive and a SharePoint team site together. We recommend creating a team site that's connected to a Microsoft 365 Group. If you want to use chat, you can create a team site by creating a team in Microsoft Teams. For more info about Teams, see [Video: Get started with Microsoft Teams?](https://support.microsoft.com/office/b98d533f-118e-4bae-bf44-3df2470c2b12). If you don't want to use Teams, you can create a team site from the SharePoint start page.
[What is a SharePoint team site?](https://support.microsoft.com/office/75545757-36c3-46a7-beed-0aaa74f0401e) [Create a team site in SharePoint](https://support.microsoft.com/office/ef10c1e7-15f3-42a3-98aa-b5972711777d)
-Here are some ideas and links to help you customize, organize, and manage your team site.
+This article provides some ideas and links to help you customize, organize, and manage your team site.
## Customize your team site
-To give more visibility to data on a team site, you can customize the SharePoint start page to help you and your employees get to the information you need quickly. For example, you might have a links to employee OneDrive folders, and links to Documents, Contacts, Tasks, Calendars, and a OneNote notebook where you store meeting agendas and notes.
+To give more visibility to data on a team site, you can customize your site to reflect your professional style and brand or to help you and your employees get to the information you need quickly. For example, you might use a SharePoint theme to change the color, add a custom header, or add links to employee OneDrive folders, Documents, Contacts, Tasks, Calendars, and a OneNote notebook where you store meeting agendas and notes.
-For info on customizing the look and feel of your start page, see [Change the look of your SharePoint site](https://support.microsoft.com/office/06bbadc3-6b04-4a60-9d14-894f6a170818).
+- For information on customizing the look and feel of your team site, see [Change the look of your SharePoint site](https://support.microsoft.com/office/06bbadc3-6b04-4a60-9d14-894f6a170818).
-Improve navigation on your site with [Customize the navigation on your SharePoint site](https://support.microsoft.com/office/3cd61ae7-a9ed-4e1e-bf6d-4655f0bf25ca).
+- To improve navigation on your team site, see [Customize the navigation on your SharePoint site](https://support.microsoft.com/office/3cd61ae7-a9ed-4e1e-bf6d-4655f0bf25ca).
-To improve the discoverability of a site, add it as a featured link on the SharePoint start page. For info, see [Add featured links to the SharePoint start page](/sharepoint/change-links-list-on-sharepoint-home-page).
+- To improve the discoverability of a team site, add it as a featured link on the SharePoint start page. For more information, see [Add featured links to the SharePoint start page](/sharepoint/change-links-list-on-sharepoint-home-page).
-To add an image to a team site start page, see [Add a picture or image file to a SharePoint page](https://support.microsoft.com/office/4a9b0e98-c89a-4a41-8adb-b7750dccca16).
+- To add an image to a SharePoint page, see [Add a picture or image file to a SharePoint page](https://support.microsoft.com/office/4a9b0e98-c89a-4a41-8adb-b7750dccca16).
-To add pages to your site, see [Add a page to a site](https://support.microsoft.com/office/b3d46deb-27a6-4b1e-87b8-df851e503dec).
+- To add pages to your team site, see [Create and use modern pages on a SharePoint site](https://support.microsoft.com/office/b3d46deb-27a6-4b1e-87b8-df851e503dec).
-To learn about team site settings, see [Manage your SharePoint team site settings](https://support.microsoft.com/office/8376034D-D0C7-446E-9178-6AB51C58DF42).
+- To learn about team site settings, see [Change a SharePoint site's title, description, logo, and site information settings](https://support.microsoft.com/office/8376034D-D0C7-446E-9178-6AB51C58DF42).
## Work with document libraries A team site includes a document library that you can start using immediately for file storage and document management.
-To begin uploading, see [Upload a folder or files to a document library](https://support.microsoft.com/office/eb18fcba-c953-4d45-8d90-8da66edeacdb)
+- To begin uploading documents, see [Upload a folder or files to a document library](https://support.microsoft.com/office/eb18fcba-c953-4d45-8d90-8da66edeacdb).
-Learn how to edit, delete, check out files, and more. For more info, see [Work with files in a document library](https://support.microsoft.com/office/a9d89171-1673-4892-9dd2-1ca52037dea2).
+- To learn how to edit, delete, check out files, and more, see [Work with files in a document library](https://support.microsoft.com/office/a9d89171-1673-4892-9dd2-1ca52037dea2).
-For info on creating views of libraries to surface specific data, see [Create a custom view of a document library](https://support.microsoft.com/office/8f6b08e0-a9a0-4232-9b9b-b374a2ad3da7).
+- To learn how to create views of libraries to surface specific data, see [Create a custom view of a document library](https://support.microsoft.com/office/8f6b08e0-a9a0-4232-9b9b-b374a2ad3da7).
## Work with lists to organize data
-SharePoint includes many templates for lists that you can add to your site, such as a list of links, a calendar, contacts, or tasks.
+SharePoint includes many templates for lists that you can add to your team site, such as a list of links, a calendar, contacts, or tasks.
-Learn how to [Create a list in SharePoint](https://support.microsoft.com/office/0D397414-D95F-41EB-ADDD-5E6EFF41B083#ID0EAAGAAA=Online).
+- To learn how to create a list, see [Create a list in SharePoint](https://support.microsoft.com/office/0D397414-D95F-41EB-ADDD-5E6EFF41B083#ID0EAAGAAA=Online).
-For info on expanding your lists with more columns, see [Create a column in a SharePoint list or library](https://support.microsoft.com/office/2b0361ae-1bd3-41a3-8329-269e5f81cfa2).
+- To learn how to expand your lists by adding more columns, see [Create a column in a SharePoint list or library](https://support.microsoft.com/office/2b0361ae-1bd3-41a3-8329-269e5f81cfa2).
-If you're storing a lot of data in a list, see [Manage large lists and libraries in SharePoint](https://support.microsoft.com/office/B8588DAE-9387-48C2-9248-C24122F07C59).
+- If you store large amounts of data in a list, see [Manage large lists and libraries in SharePoint](https://support.microsoft.com/office/B8588DAE-9387-48C2-9248-C24122F07C59).
-View a video on adding calendars to your site, see [Create a shared calendar](https://support.microsoft.com/office/61b96006-70e2-4535-a34f-ee4fc772f798).
+- To add a shared calendar to your site, watch [Video: Create a shared calendar](https://support.microsoft.com/office/61b96006-70e2-4535-a34f-ee4fc772f798).
## Organize sites into hubs
-Your team site shares almost everything with all members of the group associated with the site. If you want to have a separate site for specific customers, you can create additional team sites, and manage them using SharePoint hub sites. Here's more information.
+Your team site shares almost everything with all members of the group associated with the site. If you want a separate site for specific customers, you can create additional team sites and manage them by using SharePoint hub sites.
-Hub sites let you add and associate sites. For more info, see [What is a SharePoint hub site?](https://support.microsoft.com/office/fe26ae84-14b7-45b6-a6d1-948b3966427f).
+- To learn how to add and associate sites by using hub sites, see [What is a SharePoint hub site?](https://support.microsoft.com/office/fe26ae84-14b7-45b6-a6d1-948b3966427f).
-Ready to build a hub site, see [Create a hub site in SharePoint Online](/sharepoint/create-hub-site).
+- To learn how to build a hub site, see [Create a hub site in SharePoint](/sharepoint/create-hub-site).
-To learn how to add sites to a hub site, see [Associate a SharePoint site with a hub site](https://support.microsoft.com/office/ae0009fd-af04-4d3d-917d-88edb43efc05).
+- To learn how to add sites to a hub site, see [Associate a SharePoint site with a hub site](https://support.microsoft.com/office/ae0009fd-af04-4d3d-917d-88edb43efc05).
-## Sharing files with the team
+## Share files with the team
-While file storage and document management is a start, sharing with your team and external clients is also important. The following articles will help you manage users and share your data:
+Setting up file storage and document management is a good start, but sharing information with your team and external clients is also important.
-- For file sharing with your team, see [Share SharePoint files or folders in Microsoft 365](https://support.microsoft.com/office/1fe37332-0f9a-4719-970e-d2578da4941c).
+- To learn how to share files and folders with your team, see [Share SharePoint files or folders](https://support.microsoft.com/office/1fe37332-0f9a-4719-970e-d2578da4941c).
-- To understand sharing outside your team, see [External sharing overview](/sharepoint/external-sharing-overview).
+- To learn about sharing data outside your team, see [Overview of external sharing in SharePoint and OneDrive](/sharepoint/external-sharing-overview).
-## Managing users and groups
+## Manage users and Microsoft 365 Groups
-As you manage your team site, you may have to add or remove users. Here's information to help you understand, add, and manage users on your team site.
+As you manage your team site, you might need to add or remove users.
-View a video on groups with [Understand and manage groups](/training/m365/).
+- To learn about groups and managing permissions, see [Understand groups and permissions on a SharePoint site](https://support.microsoft.com/office/258e5f33-1b5a-4766-a503-d86655cf950d).
-To add users to a Microsoft 365 group, see [Add users and assign licenses at the same time](../add-users/add-users.md).
+- To learn how to add or remove users from a Microsoft 365 Group, see [Add or remove members from Microsoft 365 Groups](../create-groups/add-or-remove-members-from-groups.md).
-Learn how to handle access requests with [Set up and manage access requests](https://support.microsoft.com/office/94B26E0B-2822-49D4-929A-8455698654B3).
+- To learn how to manage access requests, see [Set up and manage access requests](https://support.microsoft.com/office/94B26E0B-2822-49D4-929A-8455698654B3).
## Next steps
-You must set up Microsoft 365 apps on your devices so you can edit files that are stored on your team site from your tablet or phone. If you don't install the Microsoft 365 apps for your tablet or phone, you'll be able to view the files on your team site, but not edit them.
-
- - [Install and set up Microsoft 365 on an Android](https://support.microsoft.com/office/cafe9d6f-8b0c-4b03-b20a-12438a82a22d)
-
- - [Install and set up Microsoft 365 on an iPhone or iPad](https://support.microsoft.com/office/9df6d10c-7281-4671-8666-6ca8e339b628)
-
- - [Set up Microsoft 365 apps and email on a mobile device](https://support.microsoft.com/office/set-up-office-apps-and-email-on-a-mobile-device-7dabb6cb-0046-40b6-81fe-767e0b1f014f)
+To edit files that are stored on your team site from your tablet or phone, you must set up Microsoft 365 apps on your devices. If you don't install the Microsoft 365 apps for your tablet or phone, you'll be able to view the files but not edit them.
+ - [Install and set up Microsoft 365 on an Android](https://support.microsoft.com/office/cafe9d6f-8b0c-4b03-b20a-12438a82a22d).
+ - [Install and set up Microsoft 365 on an iPhone or iPad](https://support.microsoft.com/office/9df6d10c-7281-4671-8666-6ca8e339b628).
+ - [Set up Microsoft 365 apps and email on a mobile device](https://support.microsoft.com/office/set-up-office-apps-and-email-on-a-mobile-device-7dabb6cb-0046-40b6-81fe-767e0b1f014f).
- [Learn more about using OneDrive](https://go.microsoft.com/fwlink/?LinkID=511458).
commerce About Registration Numbers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/about-registration-numbers.md
- commerce_purchase - okr_SMB - AdminSurgePortfolio
+- admindeeplinkMAC
description: "Learn about registration numbers and under-review notifications when you buy Microsoft business products or services." Last updated 08/24/2023
commerce Add Storage Space https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/add-storage-space.md
- AdminSurgePortfolio - business_assist - AdminTemplateSet
+- admindeeplinkMAC
- admindeeplinkSPO search.appverid: MET150 description: "Learn how to add extra SharePoint file storage in your Microsoft 365 subscription."
commerce Change Payment Frequency https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-payment-frequency.md
- TopSMBIssues - okr_SMB - AdminSurgePortfolio
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to change how often you're billed for your Microsoft 365 for business subscription." Last updated 10/13/2023
commerce Change Your Billing Addresses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses.md
- okr_SMB - AdminSurgePortfolio - AdminTemplateSet
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to change your billing address for Microsoft 365 for business." Last updated 02/16/2024
commerce Manage Billing Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-notifications.md
- commerce_billing - okr_SMB - AdminSurgePortfolio
+- admindeeplinkMAC
search.appverid: - MET150 description: "Learn how to manage who receives billing notification emails and invoice attachments in the Microsoft 365 admin center."
commerce Manage Billing Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-profiles.md
- admindeeplinkMAC - AdminSurgePortfolio - AdminTemplateSet
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn about billing profiles and how they're used to pay invoices for Microsoft business accounts." Last updated 02/16/2024
commerce Manage Multi Tenant Billing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-multi-tenant-billing.md
- Adm_O365 - commerce_billing-- empty
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to use multi-tenant billing relationships to share billing accounts across tenants in the Microsoft 365 admin center." Last updated 10/25/2023
commerce Manage Payment Methods https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-payment-methods.md
- AdminTemplateSet - adminvideo - business_assist
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to manage your payment methods for Microsoft business products or services in the Microsoft 365 admin center." Last updated 02/16/2024
commerce Mexico Billing Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/mexico-billing-info.md
description: "Learn about information specifically for Microsoft 365 for busines
- commerce_billing - AdminSurgePortfolio
+- admindeeplinkMAC
monikerRange: 'o365-worldwide' Last updated 10/10/2023
commerce Pay For Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription.md
- AdminSurgePortfolio - business_assist - AdminTemplateSet
+- admindeeplinkMAC
description: "Learn what payment options are available to pay for your Microsoft business subscription." Last updated 10/17/2023
commerce Tax Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/tax-information.md
- okr_SMB - AdminSurgePortfolio - AdminTemplateSet
+- admindeeplinkMAC
description: "Learn about tax information for Microsoft 365 billing and payments, including how to update your address and tax status." Last updated 08/10/2023
commerce Understand Your Invoice2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice2.md
- okr_smb - AdminSurgePortfolio - AdminTemplateSet
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to interpret the charges on your invoice for your Microsoft business subscription with an MOSA billing account." Last updated 02/21/2024
commerce View Your Bill Or Invoice https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/view-your-bill-or-invoice.md
- AdminSurgePortfolio - AdminTemplateSet - adminvideo
+- admindeeplinkMAC
search.appverid: MET150, GEA150 description: "Learn how to find your invoice or billing statement for a Microsoft business subscription in the Microsoft 365 admin center." Last updated 08/08/2023
commerce Buy Or Edit An Add On https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/buy-or-edit-an-add-on.md
- okr_SMB - AdminSurgePortfolio - AdminTemplateSet
+- admindeeplinkMAC
description: "Learn how to buy and manage add-ons for your Microsoft 365 for business subscription." Last updated 08/28/2023
commerce Close Your Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/close-your-account.md
- AdminSurgePortfolio - fwlink 2133922 to Delete subscription heading - AdminTemplateSet
+ - admindeeplinkMAC
- has-azure-ad-ps-ref search.appverid: MET150 description: "Learn how to close your business account with Microsoft. All information related to your account is deleted including licenses, users, and user data."
commerce Enter Your Product Key https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/enter-your-product-key.md
- okr_SMB - AdminSurgePortfolio - AdminTemplateSet
+- admindeeplinkMAC
description: "Learn how to redeem a product key to activate or extend your Microsoft business subscription." Last updated 09/07/2023
commerce Buy Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/buy-licenses.md
- manage_licenses - AdminTemplateSet - adminvideo
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to buy more licenses or reduce the number of licenses for your business subscription in the Microsoft 365 admin center." Last updated 02/22/2024
commerce Manage Auto Claim Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-auto-claim-policies.md
- commerce_licensing - AdminSurgePortfolio
+- admindeeplinkMAC
description: "Learn how to create and manage auto-claim policies that automatically assign licenses to users for certain apps." search.appverid: MET150 Last updated 02/12/2024
commerce Manage License Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-license-requests.md
- commerce_licensing - MACBillingLicensesRequests - AdminSurgePortfolio
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to review and approve or deny license requests for products and services from users in the Microsoft 365 admin center." Last updated 10/06/2023
commerce Manage Licenses For Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-licenses-for-devices.md
- commerce_licensing - AdminSurgePortfolio - okr_SMB
+- admindeeplinkMAC
search.appverid: MET150 Last updated 12/19/2023
commerce Manage Third Party App Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-third-party-app-licenses.md
- commerce_licensing - AdminSurgePortfolio
+- admindeeplinkMAC
search.appverid: - MET150 description: "Learn how to manage licenses for independent software vendor (ISV) apps in the Microsoft 365 admin center."
commerce Volume Licensing Invoices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/volume-licensing-invoices.md
- commerce_vl - AdminTemplateSet
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to access your non-Azure volume licensing invoices in the Microsoft 365 admin center."
commerce Review Partner Admin Privileges https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/review-partner-admin-privileges.md
- Adm_O365 - commerce_subscriptions-- empty
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to review your list of Microsoft-certified solution providers (partners) to determine what admin privileges they have, and how to remove those privileges." Last updated 11/16/2023
commerce Manage Pay As You Go Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-pay-as-you-go-services.md
- commerce_subscriptions - AdminSurgePortfolio - okr_smb
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to buy a subscription with a calling plan and enable overage for Microsoft Teams calls."
commerce Manage Self Service Purchases Admins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins.md
- commerce_ssp - AdminSurgePortfolio - okr_smb
+ - admindeeplinkMAC
search.appverid: - MET150 description: "Learn how admins can use the Microsoft 365 admin center to manage self-service purchases and trials made by users in their organization."
commerce Manage Self Service Purchases Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-purchases-users.md
- commerce_ssp - AdminSurgePortfolio
+- admindeeplinkMAC
search.appverid: - MET150 description: "Users can learn how to manage their self-service purchases."
commerce Manage Self Service Signup Subscriptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-signup-subscriptions.md
- commerce_subscriptions - AdminSurgePortfolio
+ - admindeeplinkMAC
- has-azure-ad-ps-ref - azure-ad-ref-level-one-done search.appverid: MET150
commerce Move Users Different Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/move-users-different-subscription.md
- commerce_subscriptions - AdminSurgePortfolio - manage_licenses
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to move users between subscriptions." Last updated 06/09/2023
commerce Reactivate Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/reactivate-your-subscription.md
- fwlink 874703 - AdminSurgePortfolio - AdminTemplateSet
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to reactivate a subscription in the Microsoft 365 admin center." Last updated 08/18/2023
commerce Renew Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/renew-your-subscription.md
- SaRA - AdminSurgePortfolio - AdminTemplateSet
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to manage your subscription renewal for a Microsoft business subscription by turning recurring billing off or on." Last updated 08/18/2023
commerce Upgrade To Different Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/upgrade-to-different-plan.md
- SaRA - AdminSurgePortfolio - AdminTemplateSet
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to upgrade or change to a different plan in the Microsoft 365 admin center." Last updated 02/23/2024
commerce Understand Proposal Workflow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/understand-proposal-workflow.md
- commerce_subscriptions - AdminSurgePortfolio
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn about the proposal workflow used when you buy Microsoft business products and services. Discover how to review and approve proposals."
commerce Use Cost Mgmt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/use-cost-mgmt.md
- commerce_billing - AdminTemplateSet
+- admindeeplinkMAC
search.appverid: MET150 description: "Learn how to use the cost management feature in the Microsoft 365 admin center to view, analyze, and manage costs for your organization." Last updated 03/09/2022
Last updated 03/09/2022
# Use Cost management in the Microsoft 365 admin center
-If you're a Global or Billing admin with a Microsoft Customer Agreement (MCA), you can use the **Cost management** page in the Microsoft 365 admin center to view, analyze, and manage your service costs. To get to the **Cost management** page, in the admin center left navigation pane, select **Billing** > **Cost management**.
+If you're a Global or Billing admin with a Microsoft Customer Agreement (MCA), you can use the <a href="https://go.microsoft.com/fwlink/p/?linkid=2201187" target="_blank">Cost management</a> page in the Microsoft 365 admin center to view, analyze, and manage your service costs. To get to the **Cost management** page, in the admin center left navigation pane, select **Billing** > **Cost management**.
## Before you begin
frontline Deploy Shifts At Scale https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/deploy-shifts-at-scale.md
To start using Shifts, frontline managers are responsible for configuring Shifts
As an admin, you can now standardize these Shifts settings across all your frontline teams and manage them centrally by deploying Shifts to your frontline teams at scale in the Teams admin center. You can select which capabilities to turn on or off and create schedule groups and time-off reasons that will be set uniformly across all your frontline teams. Your frontline managers can start using Shifts straight out-of-the-box with minimal setup required.
-> [!IMPORTANT]
-> This feature will begin rolling out for public preview in December 2023.
- ## Prerequisites - You created your organizationΓÇÖs frontline teams through the [deploy frontline dynamic teams](deploy-dynamic-teams-at-scale.md) experience in the Teams admin center.
frontline Shifts For Teams Landing Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/shifts-for-teams-landing-page.md
Use the following resources to help you set up and manage Shifts in your organiz
|&nbsp; |&nbsp; | |||
-|:::image type="icon" source="/office/medi)** (Preview) Configure and manage Shifts settings centrally in the Teams admin center and deploy Shifts to your frontline teams at scale. |
+|:::image type="icon" source="/office/medi)** Configure and manage Shifts settings centrally in the Teams admin center and deploy Shifts to your frontline teams at scale. |
|:::image type="icon" source="/office/media/icons/administrator-teams.png":::|**[Manage Shifts](/microsoftteams/expand-teams-across-your-org/shifts/manage-the-shifts-app-for-your-organization-in-teams?bc=/microsoft-365/frontline/breadcrumb/toc.json&toc=/microsoft-365/frontline/toc.json)** Get an overview of how to manage Shifts for your organization. Learn how to control access to Shifts, pin Shifts to the Teams app bar for easy access, enable shift-based tags, and more. | |:::image type="icon" source="/office/medi)** Learn how to use team owner and team member roles in Teams and the schedule owner role in Shifts to define your frontline managers and workers in Shifts. | |:::image type="icon" source="/office/medi)** Learn how to control the Shifts capabilities that are available to frontline managers for managing their team schedules, such as the Shifts settings that they can configure and whether they can create and manage schedule groups. |
includes Microsoft 365 Content Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md
<!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->----
-## Week of February 26, 2024
--
-| Published On |Topic title | Change |
-|||--|
-| 2/26/2024 | [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout?view=o365-worldwide) | modified |
-| 2/26/2024 | [Understand app protection access requirements using Microsoft Intune](/microsoft-365/solutions/apps-protect-access-requirements?view=o365-worldwide) | added |
-| 2/26/2024 | [Understand app protection conditional launch using Microsoft Intune](/microsoft-365/solutions/apps-protect-conditional-launch?view=o365-worldwide) | added |
-| 2/26/2024 | [Understand app data protection using Microsoft Intune](/microsoft-365/solutions/apps-protect-data-protection?view=o365-worldwide) | added |
-| 2/26/2024 | [Use the app protection framework with Microsoft Intune](/microsoft-365/solutions/apps-protect-framework?view=o365-worldwide) | added |
-| 2/26/2024 | [Understand app protection health checks using Microsoft Intune](/microsoft-365/solutions/apps-protect-health-checks?view=o365-worldwide) | added |
-| 2/26/2024 | [Secure and protect apps using Microsoft Intune](/microsoft-365/solutions/apps-protect-overview?view=o365-worldwide) | added |
-| 2/26/2024 | [Step 1. Apply minimum data protection](/microsoft-365/solutions/apps-protect-step-1?view=o365-worldwide) | added |
-| 2/26/2024 | [Step 2. Apply enhanced data protection](/microsoft-365/solutions/apps-protect-step-2?view=o365-worldwide) | added |
-| 2/26/2024 | [Step 3. Apply high data protection](/microsoft-365/solutions/apps-protect-step-3?view=o365-worldwide) | added |
-| 2/26/2024 | [Step 4. Understand app protection delivery](/microsoft-365/solutions/apps-protect-step-4?view=o365-worldwide) | added |
-| 2/26/2024 | [Step 5. Verify and monitor app protection](/microsoft-365/solutions/apps-protect-step-5?view=o365-worldwide) | added |
-| 2/26/2024 | [Step 6. Use app protection actions](/microsoft-365/solutions/apps-protect-step-6?view=o365-worldwide) | added |
-| 2/26/2024 | [Evaluate and pilot Microsoft Defender XDR security, an XDR solution that unifies threat data so you can take action.](/microsoft-365/security/defender/eval-overview?view=o365-worldwide) | modified |
-| 2/26/2024 | [Automatic user notifications for user reported phishing results in AIR](/microsoft-365/security/office-365-security/air-user-automatic-feedback-response?view=o365-worldwide) | modified |
-| 2/27/2024 | [Configuring external data integrations for Loop experiences](/microsoft-365/loop/loop-data-integrations-configuration?view=o365-worldwide) | added |
-| 2/27/2024 | [Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/elam-on-mdav?view=o365-worldwide) | added |
-| 2/27/2024 | [Manage Loop components in OneDrive and SharePoint](/microsoft-365/loop/loop-components-configuration?view=o365-worldwide) | modified |
-| 2/27/2024 | [Cloud protection and sample submission at Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide) | modified |
-| 2/27/2024 | [Manage Microsoft Defender Antivirus in your business](/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/27/2024 | [Configure Microsoft Defender Antivirus features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features?view=o365-worldwide) | modified |
-| 2/27/2024 | [Vulnerability support in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies?view=o365-worldwide) | modified |
-| 2/27/2024 | [Block vulnerable applications.](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps?view=o365-worldwide) | modified |
-| 2/27/2024 | [Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide) | modified |
-| 2/27/2024 | [Migrate from a third-party protection service to Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365?view=o365-worldwide) | modified |
-| 2/27/2024 | [Attack surface reduction rules reference](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide) | modified |
-| 2/27/2024 | [Data collection for advanced troubleshooting on Windows](/microsoft-365/security/defender-endpoint/data-collection-analyzer?view=o365-worldwide) | modified |
-| 2/27/2024 | [Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/27/2024 | [Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/amsi-on-mdav?view=o365-worldwide) | added |
-| 2/27/2024 | [Run and customize scheduled and on-demand scans](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/27/2024 | [Antivirus solution compatibility with Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-compatibility?view=o365-worldwide) | modified |
-| 2/27/2024 | [Apply Microsoft Defender Antivirus updates after certain events](/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/27/2024 | [Microsoft Defender Antivirus security intelligence and product updates](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates?view=o365-worldwide) | modified |
-| 2/27/2024 | [Microsoft Defender Antivirus updates - Previous versions for technical upgrade support](/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support?view=o365-worldwide) | modified |
-| 2/27/2024 | [Microsoft Defender for Cloud in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud?view=o365-worldwide) | modified |
-| 2/27/2024 | [Microsoft Defender for Endpoint in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mde?view=o365-worldwide) | modified |
-| 2/27/2024 | [Microsoft Defender for Identity in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mdi?view=o365-worldwide) | modified |
-| 2/27/2024 | [Microsoft Defender for Office 365 in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mdo?view=o365-worldwide) | modified |
-| 2/27/2024 | [Redirecting from the Microsoft Defender Security Center to the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-mde-redirection?view=o365-worldwide) | modified |
-| 2/27/2024 | [Compliance features in Microsoft 365 Archive (Preview)](/microsoft-365/syntex/archive/archive-compliance) | modified |
-| 2/28/2024 | [Coin miners](/microsoft-365/security/defender-endpoint/malware/coinminer-malware?view=o365-worldwide) | added |
-| 2/28/2024 | [Exploits and exploit kits](/microsoft-365/security/defender-endpoint/malware/exploits-malware?view=o365-worldwide) | added |
-| 2/28/2024 | [Fileless threats](/microsoft-365/security/defender-endpoint/malware/fileless-threats?view=o365-worldwide) | added |
-| 2/28/2024 | [Macro malware](/microsoft-365/security/defender-endpoint/malware/macro-malware?view=o365-worldwide) | added |
-| 2/28/2024 | [Phishing trends and techniques](/microsoft-365/security/defender-endpoint/malware/phishing-trends?view=o365-worldwide) | added |
-| 2/28/2024 | [How to protect against phishing attacks](/microsoft-365/security/defender-endpoint/malware/phishing?view=o365-worldwide) | added |
-| 2/28/2024 | [Prevent malware infection](/microsoft-365/security/defender-endpoint/malware/prevent-malware-infection?view=o365-worldwide) | added |
-| 2/28/2024 | [Rootkits](/microsoft-365/security/defender-endpoint/malware/rootkits-malware?view=o365-worldwide) | added |
-| 2/28/2024 | [Supply chain attacks](/microsoft-365/security/defender-endpoint/malware/supply-chain-malware?view=o365-worldwide) | added |
-| 2/28/2024 | [Tech Support Scams](/microsoft-365/security/defender-endpoint/malware/support-scams?view=o365-worldwide) | added |
-| 2/28/2024 | [Trojan malware](/microsoft-365/security/defender-endpoint/malware/trojans-malware?view=o365-worldwide) | added |
-| 2/28/2024 | [Understanding malware & other threats](/microsoft-365/security/defender-endpoint/malware/understanding-malware?view=o365-worldwide) | added |
-| 2/28/2024 | [Unwanted software](/microsoft-365/security/defender-endpoint/malware/unwanted-software?view=o365-worldwide) | added |
-| 2/28/2024 | [Worms](/microsoft-365/security/defender-endpoint/malware/worms-malware?view=o365-worldwide) | added |
-| 2/28/2024 | [Configure junk email settings on Exchange Online mailboxes](/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes?view=o365-worldwide) | modified |
-| 2/28/2024 | [Manage Shifts permissions for frontline managers](/microsoft-365/frontline/manage-shifts-permissions-frontline-managers?view=o365-worldwide) | added |
-| 2/28/2024 | [Behavior monitoring in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/behavior-monitor?view=o365-worldwide) | added |
-| 2/28/2024 | [Windows and Office 365 deployment lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab?view=o365-worldwide) | modified |
-| 2/28/2024 | [Deploy frontline dynamic teams at scale](/microsoft-365/frontline/deploy-dynamic-teams-at-scale?view=o365-worldwide) | modified |
-| 2/28/2024 | [Overview of next-generation protection in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/next-generation-protection?view=o365-worldwide) | modified |
-| 2/28/2024 | [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/28/2024 | Configure Directory Services account in Microsoft Defender for Identity | removed |
-| 2/28/2024 | Microsoft Defender for Identity entity tags in Microsoft Defender XDR | removed |
-| 2/28/2024 | Microsoft Defender for Identity detection exclusions in Microsoft Defender XDR | removed |
-| 2/28/2024 | Microsoft Defender for Identity security alerts in Microsoft Defender XDR | removed |
-| 2/28/2024 | Microsoft Defender for Identity notifications in Microsoft Defender XDR | removed |
-| 2/28/2024 | Microsoft Defender for Identity sensor health and settings in Microsoft Defender XDR | removed |
-| 2/28/2024 | Microsoft Defender for Identity VPN integration in Microsoft Defender XDR | removed |
-| 2/28/2024 | [Advanced technologies at the core of Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/adv-tech-of-mdav?view=o365-worldwide) | added |
-| 2/28/2024 | [Run Microsoft Defender Antivirus in a sandbox environment](/microsoft-365/security/defender-endpoint/sandbox-mdav?view=o365-worldwide) | added |
-| 2/28/2024 | [Configure the Microsoft Defender Antivirus cloud block timeout period](/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/28/2024 | [Create and manage device tags](/microsoft-365/security/defender-endpoint/machine-tags?view=o365-worldwide) | modified |
-| 2/29/2024 | [Configure and manage Microsoft Defender Experts capabilities](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts?view=o365-worldwide) | modified |
-| 2/29/2024 | [Preview limitations in Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-limitations) | modified |
-| 2/29/2024 | [Disable access to Microsoft 365 services with PowerShell](/microsoft-365/enterprise/disable-access-to-services-with-microsoft-365-powershell?view=o365-worldwide) | modified |
-| 2/29/2024 | [What's new in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management?view=o365-worldwide) | modified |
-| 2/29/2024 | [Manage Loop app preview](/microsoft-365/loop/loop-preview-configuration?view=o365-worldwide) | added |
-| 2/29/2024 | [Deploy Shifts to your frontline teams at scale](/microsoft-365/frontline/deploy-shifts-at-scale?view=o365-worldwide) | modified |
-| 2/29/2024 | [Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc?view=o365-worldwide) | modified |
-| 2/29/2024 | [Manage Loop workspaces in SharePoint Embedded](/microsoft-365/loop/loop-workspaces-configuration?view=o365-worldwide) | modified |
-| 2/29/2024 | [Onboard Windows devices using a local script](/microsoft-365/security/defender-endpoint/configure-endpoints-script?view=o365-worldwide) | modified |
-| 2/29/2024 | [Set preferences for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide) | modified |
-| 2/29/2024 | [Microsoft Defender Antivirus in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide) | modified |
-| 3/1/2024 | [Data Residency for Microsoft Copilot for Microsoft 365](/microsoft-365/enterprise/m365-dr-workload-copilot?view=o365-worldwide) | added |
-| 3/1/2024 | [Advanced data residency in Microsoft 365](/microsoft-365/enterprise/advanced-data-residency?view=o365-worldwide) | modified |
-| 3/1/2024 | [Advanced Data Residency Commitments](/microsoft-365/enterprise/m365-dr-commitments?view=o365-worldwide) | modified |
-| 3/1/2024 | [Data Residency Legacy Move Program](/microsoft-365/enterprise/m365-dr-legacy-move-program?view=o365-worldwide) | modified |
-| 3/1/2024 | [Overview and Definitions](/microsoft-365/enterprise/m365-dr-overview?view=o365-worldwide) | modified |
-| 3/1/2024 | [Overview of Product Terms Data Residency](/microsoft-365/enterprise/m365-dr-product-terms-dr?view=o365-worldwide) | modified |
-| 3/1/2024 | [Data Residency for Exchange Online](/microsoft-365/enterprise/m365-dr-workload-exo?view=o365-worldwide) | modified |
-| 3/1/2024 | [Data Residency for Microsoft Defender for Office P1](/microsoft-365/enterprise/m365-dr-workload-mdo-p1?view=o365-worldwide) | modified |
-| 3/1/2024 | [Data Residency for Other Microsoft 365 Services](/microsoft-365/enterprise/m365-dr-workload-other?view=o365-worldwide) | modified |
-| 3/1/2024 | [Data Residency for Microsoft Purview](/microsoft-365/enterprise/m365-dr-workload-purview?view=o365-worldwide) | modified |
-| 3/1/2024 | [Data Residency for SharePoint and OneDrive](/microsoft-365/enterprise/m365-dr-workload-spo?view=o365-worldwide) | modified |
-| 3/1/2024 | [Data Residency for Microsoft Teams](/microsoft-365/enterprise/m365-dr-workload-teams?view=o365-worldwide) | modified |
-| 3/1/2024 | [Advanced technologies at the core of Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/adv-tech-of-mdav?view=o365-worldwide) | modified |
-| 3/1/2024 | [Evaluate network protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-worldwide) | modified |
-| 3/1/2024 | [Create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI](/microsoft-365/security/defender/defender-xdr-custom-reports?view=o365-worldwide) | modified |
-| 3/1/2024 | [Memory regression analysis](/microsoft-365/test-base/memory?view=o365-worldwide) | modified |
-| 3/1/2024 | [Hardware acceleration and Microsoft Defender Antivirus.](/microsoft-365/security/defender-endpoint/hardware-acceleration-and-mdav?view=o365-worldwide) | added |
-| 3/1/2024 | [Evaluate Microsoft Defender Antivirus using PowerShell.](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-using-powershell?view=o365-worldwide) | added |
-| 3/1/2024 | [Microsoft 365 admin center SharePoint activity reports](/microsoft-365/admin/activity-reports/sharepoint-activity-ww?view=o365-worldwide) | modified |
-| 3/1/2024 | [Microsoft 365 admin center Viva Engage activity reports](/microsoft-365/admin/activity-reports/viva-engage-activity-report-ww?view=o365-worldwide) | modified |
-| 3/1/2024 | [Microsoft 365 admin center Viva Learning activity reports](/microsoft-365/admin/activity-reports/viva-learning-activity?view=o365-worldwide) | modified |
-| 3/1/2024 | [Transfer data manually between two accounts](/microsoft-365/admin/get-help-with-domains/transfer-data-manually?view=o365-worldwide) | modified |
-| 3/1/2024 | [Domains Frequently Asked Questions](/microsoft-365/admin/setup/domains-faq?view=o365-worldwide) | modified |
--
-## Week of February 19, 2024
--
-| Published On |Topic title | Change |
-|||--|
-| 2/19/2024 | [What's new in Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score-whats-new?view=o365-worldwide) | modified |
-| 2/20/2024 | [Use roles to define your frontline managers and workers in Shifts](/microsoft-365/frontline/shifts-frontline-manager-worker-roles?view=o365-worldwide) | added |
-| 2/20/2024 | [Block Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/block-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified |
-| 2/20/2024 | [Delete Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/delete-and-restore-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified |
-| 2/20/2024 | [Manage Microsoft 365 groups](/microsoft-365/enterprise/manage-microsoft-365-groups?view=o365-worldwide) | modified |
-| 2/20/2024 | [Manage security groups with PowerShell](/microsoft-365/enterprise/manage-security-groups-with-microsoft-365-powershell?view=o365-worldwide) | modified |
-| 2/20/2024 | Manage schedule owners for shift management | removed |
-| 2/20/2024 | [Microsoft Teams Virtual Appointments Call Quality Dashboard](/microsoft-365/frontline/virtual-appointments-call-quality?view=o365-worldwide) | modified |
-| 2/20/2024 | [Set up multitenant management in Microsoft Defender XDR](/microsoft-365/security/defender/mto-requirements?view=o365-worldwide) | modified |
-| 2/20/2024 | [Automated investigation and response in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/air-about?view=o365-worldwide) | modified |
-| 2/20/2024 | [Use Azure Privileged Identity Management (PIM) in Microsoft Defender for Office 365 to limit admin access to cyber security tools.](/microsoft-365/security/office-365-security/pim-in-mdo-configure?view=o365-worldwide) | modified |
-| 2/21/2024 | [Manage add-ins in the admin center](/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploy and manage Office Add-ins](/microsoft-365/admin/manage/office-addins?view=o365-worldwide) | modified |
-| 2/21/2024 | [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center?view=o365-worldwide) | modified |
-| 2/21/2024 | [View the details and results of an automated investigation](/microsoft-365/security/defender-endpoint/autoir-investigation-results?view=o365-worldwide) | modified |
-| 2/21/2024 | [Use basic permissions to access the portal](/microsoft-365/security/defender-endpoint/basic-permissions?view=o365-worldwide) | modified |
-| 2/21/2024 | [Cloud protection and sample submission at Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide) | modified |
-| 2/21/2024 | [Device health Sensor health & OS report](/microsoft-365/security/defender-endpoint/device-health-sensor-health-os?view=o365-worldwide) | modified |
-| 2/21/2024 | [Download the Microsoft Defender for Endpoint client analyzer](/microsoft-365/security/defender-endpoint/download-client-analyzer?view=o365-worldwide) | modified |
-| 2/21/2024 | [EDR detection test for verifying device's onboarding and reporting service](/microsoft-365/security/defender-endpoint/edr-detection?view=o365-worldwide) | modified |
-| 2/21/2024 | [Turn on cloud protection in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/21/2024 | [Enable and update Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws?view=o365-worldwide) | modified |
-| 2/21/2024 | [Evaluate controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access?view=o365-worldwide) | modified |
-| 2/21/2024 | [See how Exploit protection works in a demo](/microsoft-365/security/defender-endpoint/evaluate-exploit-protection?view=o365-worldwide) | modified |
-| 2/21/2024 | [Evaluate Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/evaluate-mde?view=o365-worldwide) | modified |
-| 2/21/2024 | [Evaluate network protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-worldwide) | modified |
-| 2/21/2024 | [Review events and errors using Event Viewer](/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide) | modified |
-| 2/21/2024 | [Apply mitigations to help prevent attacks through vulnerabilities](/microsoft-365/security/defender-endpoint/exploit-protection?view=o365-worldwide) | modified |
-| 2/21/2024 | [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-ebpf?view=o365-worldwide) | modified |
-| 2/21/2024 | [Diagnosing performance issues with SharePoint](/microsoft-365/enterprise/diagnosing-performance-issues-with-sharepoint-online?view=o365-worldwide) | modified |
-| 2/21/2024 | [Microsoft 365 network connectivity test tool](/microsoft-365/enterprise/office-365-network-mac-perf-onboarding-tool?view=o365-worldwide) | modified |
-| 2/21/2024 | [Frequently asked questions (FAQs) about tamper protection](/microsoft-365/security/defender-endpoint/faqs-on-tamper-protection?view=o365-worldwide) | modified |
-| 2/21/2024 | [Fix unhealthy sensors in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors?view=o365-worldwide) | modified |
-| 2/21/2024 | [Become a Microsoft Defender for Endpoint partner](/microsoft-365/security/defender-endpoint/get-started-partner-integration?view=o365-worldwide) | modified |
-| 2/21/2024 | [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide) | modified |
-| 2/21/2024 | [Grant access to managed security service provider (MSSP)](/microsoft-365/security/defender-endpoint/grant-mssp-access?view=o365-worldwide) | modified |
-| 2/21/2024 | [Investigate agent health issues](/microsoft-365/security/defender-endpoint/health-status?view=o365-worldwide) | modified |
-| 2/21/2024 | [Host firewall reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/host-firewall-reporting?view=o365-worldwide) | modified |
-| 2/21/2024 | [Create indicators based on certificates](/microsoft-365/security/defender-endpoint/indicator-certificates?view=o365-worldwide) | modified |
-| 2/21/2024 | [Create indicators for files](/microsoft-365/security/defender-endpoint/indicator-file?view=o365-worldwide) | modified |
-| 2/21/2024 | [Manage indicators](/microsoft-365/security/defender-endpoint/indicator-manage?view=o365-worldwide) | modified |
-| 2/21/2024 | [Use Microsoft Defender for Endpoint sensitivity labels to protect your data and prioritize security incident response](/microsoft-365/security/defender-endpoint/information-protection-investigation?view=o365-worldwide) | modified |
-| 2/21/2024 | [Investigate Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/investigate-alerts?view=o365-worldwide) | modified |
-| 2/21/2024 | [Investigate connection events that occur behind forward proxies](/microsoft-365/security/defender-endpoint/investigate-behind-proxy?view=o365-worldwide) | modified |
-| 2/21/2024 | [Investigate an IP address associated with an alert](/microsoft-365/security/defender-endpoint/investigate-ip?view=o365-worldwide) | modified |
-| 2/21/2024 | [Investigate devices in the Defender for Endpoint Devices list](/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-worldwide) | modified |
-| 2/21/2024 | [Investigate a user account in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-user?view=o365-worldwide) | modified |
-| 2/21/2024 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on iOS with Mobile Application Management](/microsoft-365/security/defender-endpoint/ios-install-unmanaged?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune](/microsoft-365/security/defender-endpoint/ios-install?view=o365-worldwide) | modified |
-| 2/21/2024 | [Privacy information - Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-privacy?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshoot issues and find answers on FAQs related to Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-troubleshoot?view=o365-worldwide) | modified |
-| 2/21/2024 | [What's new in Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-whatsnew?view=o365-worldwide) | modified |
-| 2/21/2024 | [How to Deploy Defender for Endpoint on Linux with Chef](/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef?view=o365-worldwide) | modified |
-| 2/21/2024 | [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-exclusions?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with Ansible](/microsoft-365/security/defender-endpoint/linux-install-with-ansible?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with Puppet](/microsoft-365/security/defender-endpoint/linux-install-with-puppet?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with SaltStack](/microsoft-365/security/defender-endpoint/linux-install-with-saltack?view=o365-worldwide) | modified |
-| 2/21/2024 | [Privacy for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-privacy?view=o365-worldwide) | modified |
-| 2/21/2024 | [Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-pua?view=o365-worldwide) | modified |
-| 2/21/2024 | [How to schedule scans with Microsoft Defender for Endpoint (Linux)](/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde?view=o365-worldwide) | modified |
-| 2/21/2024 | [Microsoft Defender for Endpoint on Linux static proxy discovery](/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-connectivity?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-events?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-install?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-perf?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshoot issues for Microsoft Defender for Endpoint on Linux RHEL6](/microsoft-365/security/defender-endpoint/linux-support-rhel?view=o365-worldwide) | modified |
-| 2/21/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified |
-| 2/21/2024 | [Live response library methods and properties](/microsoft-365/security/defender-endpoint/live-response-library-methods?view=o365-worldwide) | modified |
-| 2/21/2024 | [macOS Device control policies frequently asked questions (FAQ)](/microsoft-365/security/defender-endpoint/mac-device-control-faq?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploy and manage Device Control using Intune](/microsoft-365/security/defender-endpoint/mac-device-control-intune?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploy and manage device control using JAMF](/microsoft-365/security/defender-endpoint/mac-device-control-jamf?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploy and manage device control manually](/microsoft-365/security/defender-endpoint/mac-device-control-manual?view=o365-worldwide) | modified |
-| 2/21/2024 | [Device control for macOS](/microsoft-365/security/defender-endpoint/mac-device-control-overview?view=o365-worldwide) | modified |
-| 2/21/2024 | [Sign in to Jamf Pro](/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro](/microsoft-365/security/defender-endpoint/mac-install-with-jamf?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm?view=o365-worldwide) | modified |
-| 2/21/2024 | [Set up device groups in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups?view=o365-worldwide) | modified |
-| 2/21/2024 | [Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices?view=o365-worldwide) | modified |
-| 2/21/2024 | [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=o365-worldwide) | modified |
-| 2/21/2024 | [Privacy for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-privacy?view=o365-worldwide) | modified |
-| 2/21/2024 | [Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-pua?view=o365-worldwide) | modified |
-| 2/21/2024 | [How to schedule scans with Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-schedule-scan?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshoot installation issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-install?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshoot license issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-license?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-perf?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshoot system extension issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-sys-ext?view=o365-worldwide) | modified |
-| 2/21/2024 | [New configuration profiles for macOS Big Sur and newer versions of macOS](/microsoft-365/security/defender-endpoint/mac-sysext-policies?view=o365-worldwide) | modified |
-| 2/21/2024 | [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deploy updates for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-updates?view=o365-worldwide) | modified |
-| 2/21/2024 | [Device inventory](/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide) | modified |
-| 2/21/2024 | [Manage Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide) | modified |
-| 2/21/2024 | [Manage automation folder exclusions](/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions?view=o365-worldwide) | modified |
-| 2/21/2024 | [Apply Microsoft Defender Antivirus updates after certain events](/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/21/2024 | [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout?view=o365-worldwide) | modified |
-| 2/21/2024 | [Manage Microsoft Defender for Endpoint incidents](/microsoft-365/security/defender-endpoint/manage-incidents?view=o365-worldwide) | modified |
-| 2/21/2024 | Manage Microsoft Defender for Endpoint using Configuration Manager | removed |
-| 2/21/2024 | Manage Microsoft Defender for Endpoint using Group Policy Objects | removed |
-| 2/21/2024 | Manage Microsoft Defender for Endpoint using Intune | removed |
-| 2/21/2024 | Manage Microsoft Defender for Endpoint using PowerShell, WMI, and MPCmdRun.exe | removed |
-| 2/21/2024 | Manage Microsoft Defender for Endpoint after initial setup or migration | removed |
-| 2/21/2024 | [Apply Microsoft Defender Antivirus protection updates to out of date endpoints](/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/21/2024 | [Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP](/microsoft-365/security/defender-endpoint/mde-linux-deployment-on-sap?view=o365-worldwide) | modified |
-| 2/21/2024 | [Manage contracts using a Microsoft 365 solution](/microsoft-365/syntex/solution-manage-contracts-in-microsoft-365) | modified |
-| 2/22/2024 | [Set up multifactor authentication for users](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) | modified |
-| 2/22/2024 | [Understand your invoice for your Microsoft MCA billing account](/microsoft-365/commerce/billing-and-payments/understand-your-invoice?view=o365-worldwide) | modified |
-| 2/22/2024 | [Buy or remove licenses for a Microsoft business subscription](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide) | modified |
-| 2/22/2024 | [Manage self-service purchases and trials (for admins)](/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins?view=o365-worldwide) | modified |
-| 2/22/2024 | [Manage system extensions using JamF](/microsoft-365/security/defender-endpoint/manage-sys-extensions-using-jamf?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get started with your Microsoft Defender for Endpoint deployment](/microsoft-365/security/defender-endpoint/mde-planning-guide?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL)](/microsoft-365/security/defender-endpoint/mde-plugin-wsl?view=o365-worldwide) | modified |
-| 2/22/2024 | [Configure Microsoft Defender for Cloud Apps integration](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-config?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender for Cloud Apps integration overview](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration?view=o365-worldwide) | modified |
-| 2/22/2024 | [Pilot ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus?view=o365-worldwide) | modified |
-| 2/22/2024 | [Production ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus?view=o365-worldwide) | modified |
-| 2/22/2024 | [Production ring deployment using Group Policy and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-microsoft-update?view=o365-worldwide) | modified |
-| 2/22/2024 | [Production ring deployment using Group Policy and network share](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share?view=o365-worldwide) | modified |
-| 2/22/2024 | [Appendices for ring deployment using Group Policy and Windows Server Update Services (WSUS)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices?view=o365-worldwide) | modified |
-| 2/22/2024 | [Ring deployment using Intune and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-intune-microsoft-update?view=o365-worldwide) | modified |
-| 2/22/2024 | [Ring deployment using System Center Configuration Manager and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-sscm-wsus?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender Antivirus ring deployment guide overview](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) | modified |
-| 2/22/2024 | [Schedule antivirus scans using Windows Management Instrumentation](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-wmi?view=o365-worldwide) | modified |
-| 2/22/2024 | [Changes coming to Topics](/microsoft-365/topics/changes-coming-to-topics?view=o365-worldwide) | added |
-| 2/22/2024 | [Frequently asked questions about changes coming to Topics](/microsoft-365/topics/topics-changes-faq?view=o365-worldwide) | added |
-| 2/22/2024 | [How to schedule an antivirus scan using Anacron in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/schedule-antivirus-scan-in-mde?view=o365-worldwide) | modified |
-| 2/22/2024 | [Schedule antivirus scans using Group Policy](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-group-policy?view=o365-worldwide) | modified |
-| 2/22/2024 | [Schedule antivirus scans using PowerShell](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-powershell?view=o365-worldwide) | modified |
-| 2/22/2024 | [Server migration scenarios for the new version of Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration?view=o365-worldwide) | modified |
-| 2/22/2024 | [Supported Microsoft Defender for Endpoint capabilities by platform](/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform?view=o365-worldwide) | modified |
-| 2/22/2024 | [Migrate to Microsoft Defender for Endpoint from non-Microsoft endpoint protection](/microsoft-365/security/defender-endpoint/switch-to-mde-overview?view=o365-worldwide) | modified |
-| 2/22/2024 | [Technological partners of Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/technological-partners?view=o365-worldwide) | modified |
-| 2/22/2024 | [Understand threat intelligence concepts in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-indicator-concepts?view=o365-worldwide) | modified |
-| 2/22/2024 | [Integrate Microsoft Defender for Endpoint with other Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration?view=o365-worldwide) | modified |
-| 2/22/2024 | [Data privacy and compliance in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-data-privacy-and-compliance?view=o365-worldwide) | added |
-| 2/22/2024 | [Assign roles to Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/assign-roles-to-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get scan history by session](/microsoft-365/security/defender-endpoint/api/get-scan-history-by-session?view=o365-worldwide) | modified |
-| 2/22/2024 | [Add, update, or delete a scan definition](/microsoft-365/security/defender-endpoint/api/add-a-new-scan-definition?view=o365-worldwide) | modified |
-| 2/22/2024 | [Add or remove a tag for a machine](/microsoft-365/security/defender-endpoint/api/add-or-remove-machine-tags?view=o365-worldwide) | modified |
-| 2/22/2024 | [Add or remove a tag for multiple machines](/microsoft-365/security/defender-endpoint/api/add-or-remove-multiple-machine-tags?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get alerts API](/microsoft-365/security/defender-endpoint/api/alerts?view=o365-worldwide) | modified |
-| 2/22/2024 | [API Explorer in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/api/api-explorer?view=o365-worldwide) | modified |
-| 2/22/2024 | [Hello World for Microsoft Defender for Endpoint API](/microsoft-365/security/defender-endpoint/api/api-hello-world?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender for Endpoint APIs connection to Power BI](/microsoft-365/security/defender-endpoint/api/api-power-bi?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender for Endpoint API release notes](/microsoft-365/security/defender-endpoint/api/api-release-notes?view=o365-worldwide) | modified |
-| 2/22/2024 | [Access the Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/apis-intro?view=o365-worldwide) | modified |
-| 2/22/2024 | [Batch Delete Indicators API](/microsoft-365/security/defender-endpoint/api/batch-delete-ti-indicators?view=o365-worldwide) | modified |
-| 2/22/2024 | [Batch Update alert entities API](/microsoft-365/security/defender-endpoint/api/batch-update-alerts?view=o365-worldwide) | modified |
-| 2/22/2024 | [Cancel machine action API](/microsoft-365/security/defender-endpoint/api/cancel-machine-action?view=o365-worldwide) | modified |
-| 2/22/2024 | [Collect investigation package API](/microsoft-365/security/defender-endpoint/api/collect-investigation-package?view=o365-worldwide) | modified |
-| 2/22/2024 | [Common Microsoft Defender for Endpoint API errors](/microsoft-365/security/defender-endpoint/api/common-errors?view=o365-worldwide) | modified |
-| 2/22/2024 | [Create alert from event API](/microsoft-365/security/defender-endpoint/api/create-alert-by-reference?view=o365-worldwide) | modified |
-| 2/22/2024 | [Delete a file from the live response library](/microsoft-365/security/defender-endpoint/api/delete-library?view=o365-worldwide) | modified |
-| 2/22/2024 | [Delete Indicator API.](/microsoft-365/security/defender-endpoint/api/delete-ti-indicator-by-id?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get alert information by ID API](/microsoft-365/security/defender-endpoint/api/get-alert-info-by-id?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get alert related domains information](/microsoft-365/security/defender-endpoint/api/get-alert-related-domain-info?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get alert related files information](/microsoft-365/security/defender-endpoint/api/get-alert-related-files-info?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get alert-related IPs' information](/microsoft-365/security/defender-endpoint/api/get-alert-related-ip-info?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get alert related machine information](/microsoft-365/security/defender-endpoint/api/get-alert-related-machine-info?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get alert related user information](/microsoft-365/security/defender-endpoint/api/get-alert-related-user-info?view=o365-worldwide) | modified |
-| 2/22/2024 | [List alerts API](/microsoft-365/security/defender-endpoint/api/get-alerts?view=o365-worldwide) | modified |
-| 2/22/2024 | [List all recommendations](/microsoft-365/security/defender-endpoint/api/get-all-recommendations?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get all vulnerabilities by machine and software](/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities-by-machines?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get all vulnerabilities](/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities?view=o365-worldwide) | modified |
-| 2/22/2024 | [Export assessment methods and properties per device](/microsoft-365/security/defender-endpoint/api/get-assessment-methods-properties?view=o365-worldwide) | modified |
-| 2/22/2024 | [Export secure configuration assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-secure-config?view=o365-worldwide) | modified |
-| 2/22/2024 | [Export software inventory assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-software-inventory?view=o365-worldwide) | modified |
-| 2/22/2024 | [Export software vulnerabilities assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-software-vulnerabilities?view=o365-worldwide) | modified |
-| 2/22/2024 | [Authenticated scan methods and properties](/microsoft-365/security/defender-endpoint/api/get-authenticated-scan-properties?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get the device secure score](/microsoft-365/security/defender-endpoint/api/get-device-secure-score?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get discovered vulnerabilities](/microsoft-365/security/defender-endpoint/api/get-discovered-vulnerabilities?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get domain-related alerts API](/microsoft-365/security/defender-endpoint/api/get-domain-related-alerts?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get domain-related machines API](/microsoft-365/security/defender-endpoint/api/get-domain-related-machines?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get domain statistics API](/microsoft-365/security/defender-endpoint/api/get-domain-statistics?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get exposure score](/microsoft-365/security/defender-endpoint/api/get-exposure-score?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get file information API](/microsoft-365/security/defender-endpoint/api/get-file-information?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get file-related alerts API](/microsoft-365/security/defender-endpoint/api/get-file-related-alerts?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get file-related machines API](/microsoft-365/security/defender-endpoint/api/get-file-related-machines?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get file statistics API](/microsoft-365/security/defender-endpoint/api/get-file-statistics?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get installed software](/microsoft-365/security/defender-endpoint/api/get-installed-software?view=o365-worldwide) | modified |
-| 2/22/2024 | [List Investigations API](/microsoft-365/security/defender-endpoint/api/get-investigation-collection?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get Investigation object API](/microsoft-365/security/defender-endpoint/api/get-investigation-object?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get IP related alerts API](/microsoft-365/security/defender-endpoint/api/get-ip-related-alerts?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get IP statistics API](/microsoft-365/security/defender-endpoint/api/get-ip-statistics?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get live response results](/microsoft-365/security/defender-endpoint/api/get-live-response-result?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get machine by ID API](/microsoft-365/security/defender-endpoint/api/get-machine-by-id?view=o365-worldwide) | modified |
-| 2/22/2024 | [List exposure score by device group](/microsoft-365/security/defender-endpoint/api/get-machine-group-exposure-score?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get machine logon users API](/microsoft-365/security/defender-endpoint/api/get-machine-log-on-users?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get machine related alerts API](/microsoft-365/security/defender-endpoint/api/get-machine-related-alerts?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get MachineAction object API](/microsoft-365/security/defender-endpoint/api/get-machineaction-object?view=o365-worldwide) | modified |
-| 2/22/2024 | [List machineActions API](/microsoft-365/security/defender-endpoint/api/get-machineactions-collection?view=o365-worldwide) | modified |
-| 2/22/2024 | [List devices by software](/microsoft-365/security/defender-endpoint/api/get-machines-by-software?view=o365-worldwide) | modified |
-| 2/22/2024 | [List devices by vulnerability](/microsoft-365/security/defender-endpoint/api/get-machines-by-vulnerability?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get missing KBs by device ID](/microsoft-365/security/defender-endpoint/api/get-missing-kbs-machine?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get missing KBs by software ID](/microsoft-365/security/defender-endpoint/api/get-missing-kbs-software?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get package SAS URI API](/microsoft-365/security/defender-endpoint/api/get-package-sas-uri?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get recommendation by Id](/microsoft-365/security/defender-endpoint/api/get-recommendation-by-id?view=o365-worldwide) | modified |
-| 2/22/2024 | [List devices by recommendation](/microsoft-365/security/defender-endpoint/api/get-recommendation-machines?view=o365-worldwide) | modified |
-| 2/22/2024 | [List vulnerabilities by recommendation](/microsoft-365/security/defender-endpoint/api/get-recommendation-vulnerabilities?view=o365-worldwide) | modified |
-| 2/22/2024 | [List all remediation activities](/microsoft-365/security/defender-endpoint/api/get-remediation-all-activities?view=o365-worldwide) | modified |
-| 2/22/2024 | [List exposed devices of one remediation activity](/microsoft-365/security/defender-endpoint/api/get-remediation-exposed-devices-activities?view=o365-worldwide) | modified |
-| 2/22/2024 | [Remediation activity methods and properties](/microsoft-365/security/defender-endpoint/api/get-remediation-methods-properties?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get one remediation activity by ID](/microsoft-365/security/defender-endpoint/api/get-remediation-one-activity?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get security recommendations](/microsoft-365/security/defender-endpoint/api/get-security-recommendations?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get software by ID](/microsoft-365/security/defender-endpoint/api/get-software-by-id?view=o365-worldwide) | modified |
-| 2/22/2024 | [List software version distribution](/microsoft-365/security/defender-endpoint/api/get-software-ver-distribution?view=o365-worldwide) | modified |
-| 2/22/2024 | [List software](/microsoft-365/security/defender-endpoint/api/get-software?view=o365-worldwide) | modified |
-| 2/22/2024 | [List Indicators API](/microsoft-365/security/defender-endpoint/api/get-ti-indicators-collection?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get user-related alerts API](/microsoft-365/security/defender-endpoint/api/get-user-related-alerts?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get user-related machines API](/microsoft-365/security/defender-endpoint/api/get-user-related-machines?view=o365-worldwide) | modified |
-| 2/22/2024 | [List vulnerabilities by software](/microsoft-365/security/defender-endpoint/api/get-vuln-by-software?view=o365-worldwide) | modified |
-| 2/22/2024 | [Get vulnerability by ID](/microsoft-365/security/defender-endpoint/api/get-vulnerability-by-id?view=o365-worldwide) | modified |
-| 2/22/2024 | [Import Indicators API](/microsoft-365/security/defender-endpoint/api/import-ti-indicators?view=o365-worldwide) | modified |
-| 2/22/2024 | [Start Investigation API](/microsoft-365/security/defender-endpoint/api/initiate-autoir-investigation?view=o365-worldwide) | modified |
-| 2/22/2024 | [Stream Microsoft Defender for Endpoint event](/microsoft-365/security/defender-endpoint/api/raw-data-export?view=o365-worldwide) | modified |
-| 2/22/2024 | [Recommendation methods and properties](/microsoft-365/security/defender-endpoint/api/recommendation?view=o365-worldwide) | modified |
-| 2/22/2024 | [Restrict app execution API](/microsoft-365/security/defender-endpoint/api/restrict-code-execution?view=o365-worldwide) | modified |
-| 2/22/2024 | [Advanced Hunting API](/microsoft-365/security/defender-endpoint/api/run-advanced-query-api?view=o365-worldwide) | modified |
-| 2/22/2024 | [Advanced Hunting with PowerShell API Basics](/microsoft-365/security/defender-endpoint/api/run-advanced-query-sample-powershell?view=o365-worldwide) | modified |
-| 2/22/2024 | [Advanced Hunting with Python API Guide](/microsoft-365/security/defender-endpoint/api/run-advanced-query-sample-python?view=o365-worldwide) | modified |
-| 2/22/2024 | [Run antivirus scan API](/microsoft-365/security/defender-endpoint/api/run-av-scan?view=o365-worldwide) | modified |
-| 2/22/2024 | [Set device value API](/microsoft-365/security/defender-endpoint/api/set-device-value?view=o365-worldwide) | modified |
-| 2/22/2024 | [Software methods and properties](/microsoft-365/security/defender-endpoint/api/software?view=o365-worldwide) | modified |
-| 2/22/2024 | [Stop and quarantine file API](/microsoft-365/security/defender-endpoint/api/stop-and-quarantine-file?view=o365-worldwide) | modified |
-| 2/22/2024 | [Indicator resource type](/microsoft-365/security/defender-endpoint/api/ti-indicator?view=o365-worldwide) | modified |
-| 2/22/2024 | [Release device from isolation API](/microsoft-365/security/defender-endpoint/api/unisolate-machine?view=o365-worldwide) | modified |
-| 2/22/2024 | [Remove app restriction API](/microsoft-365/security/defender-endpoint/api/unrestrict-code-execution?view=o365-worldwide) | modified |
-| 2/22/2024 | [Update alert entity API](/microsoft-365/security/defender-endpoint/api/update-alert?view=o365-worldwide) | modified |
-| 2/22/2024 | [Update machine entity API](/microsoft-365/security/defender-endpoint/api/update-machine-method?view=o365-worldwide) | modified |
-| 2/22/2024 | [Upload files to the live response library](/microsoft-365/security/defender-endpoint/api/upload-library?view=o365-worldwide) | modified |
-| 2/22/2024 | [User resource type](/microsoft-365/security/defender-endpoint/api/user?view=o365-worldwide) | modified |
-| 2/22/2024 | [Vulnerability methods and properties](/microsoft-365/security/defender-endpoint/api/vulnerability?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender Offline scan in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-offline?view=o365-worldwide) | modified |
-| 2/22/2024 | [Migrating from non-Microsoft HIPS to attack surface reduction rules](/microsoft-365/security/defender-endpoint/migrating-asr-rules?view=o365-worldwide) | modified |
-| 2/22/2024 | [Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud?view=o365-worldwide) | modified |
-| 2/22/2024 | [Resources for Microsoft Defender for Endpoint for mobile devices](/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint?view=o365-worldwide) | modified |
-| 2/22/2024 | [Monthly security summary reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/monthly-security-summary-report?view=o365-worldwide) | modified |
-| 2/22/2024 | [Managed security service provider (MSSP) partnership opportunities](/microsoft-365/security/defender-endpoint/mssp-support?view=o365-worldwide) | modified |
-| 2/22/2024 | [Use network protection to help prevent Linux connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-linux?view=o365-worldwide) | modified |
-| 2/22/2024 | [Use network protection to help prevent macOS connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-macos?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender for Endpoint on other platforms](/microsoft-365/security/defender-endpoint/non-windows?view=o365-worldwide) | modified |
-| 2/22/2024 | [Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats](/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/22/2024 | [Onboarding using Microsoft Intune](/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide) | modified |
-| 2/22/2024 | [Create an onboarding or offboarding notification rule](/microsoft-365/security/defender-endpoint/onboarding-notification?view=o365-worldwide) | modified |
-| 2/22/2024 | [Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer](/microsoft-365/security/defender-endpoint/overview-client-analyzer?view=o365-worldwide) | modified |
-| 2/22/2024 | [Partner applications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/partner-applications?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender for Endpoint partner opportunities and scenarios](/microsoft-365/security/defender-endpoint/partner-integration?view=o365-worldwide) | modified |
-| 2/22/2024 | [Hide the Microsoft Defender Antivirus interface](/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/22/2024 | [Turn on the preview experience in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/preview-settings?view=o365-worldwide) | modified |
-| 2/22/2024 | [Microsoft Defender for Endpoint preview features](/microsoft-365/security/defender-endpoint/preview?view=o365-worldwide) | modified |
-| 2/22/2024 | [Professional services supported by Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/professional-services?view=o365-worldwide) | modified |
-| 2/22/2024 | [Use role-based access control to grant fine-grained access to Microsoft Defender portal](/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide) | modified |
-| 2/22/2024 | [Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration](/microsoft-365/security/defender-endpoint/review-detected-threats?view=o365-worldwide) | modified |
-| 2/22/2024 | [Run a detection test on a device recently onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/run-detection-test?view=o365-worldwide) | modified |
-| 2/22/2024 | [Use Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-nativeapp?view=o365-worldwide) | modified |
-| 2/22/2024 | [Partner access through Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-partners?view=o365-worldwide) | modified |
-| 2/22/2024 | [Create an app to access Microsoft Defender for Endpoint without a user](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-webapp?view=o365-worldwide) | modified |
-| 2/22/2024 | [Advanced Hunting with PowerShell API Guide](/microsoft-365/security/defender-endpoint/api/exposed-apis-full-sample-powershell?view=o365-worldwide) | modified |
-| 2/22/2024 | [Supported Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-list?view=o365-worldwide) | modified |
-| 2/22/2024 | [OData queries with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/api/exposed-apis-odata-samples?view=o365-worldwide) | modified |
-| 2/22/2024 | [Fetch alerts from MSSP customer tenant](/microsoft-365/security/defender-endpoint/api/fetch-alerts-mssp?view=o365-worldwide) | modified |
-| 2/22/2024 | [File resource type](/microsoft-365/security/defender-endpoint/api/files?view=o365-worldwide) | modified |
-| 2/22/2024 | [Find device information by internal IP API](/microsoft-365/security/defender-endpoint/api/find-machine-info-by-ip?view=o365-worldwide) | modified |
-| 2/22/2024 | [Find devices by internal IP API](/microsoft-365/security/defender-endpoint/api/find-machines-by-ip?view=o365-worldwide) | modified |
-| 2/22/2024 | [Find devices by tag API](/microsoft-365/security/defender-endpoint/api/find-machines-by-tag?view=o365-worldwide) | modified |
-| 2/22/2024 | [Investigation resource type](/microsoft-365/security/defender-endpoint/api/investigation?view=o365-worldwide) | modified |
-| 2/22/2024 | [Isolate machine API](/microsoft-365/security/defender-endpoint/api/isolate-machine?view=o365-worldwide) | modified |
-| 2/22/2024 | [List library files](/microsoft-365/security/defender-endpoint/api/list-library-files?view=o365-worldwide) | modified |
-| 2/22/2024 | [List software by recommendation](/microsoft-365/security/defender-endpoint/api/list-recommendation-software?view=o365-worldwide) | modified |
-| 2/22/2024 | [Machine resource type](/microsoft-365/security/defender-endpoint/api/machine?view=o365-worldwide) | modified |
-| 2/22/2024 | [machineAction resource type](/microsoft-365/security/defender-endpoint/api/machineaction?view=o365-worldwide) | modified |
-| 2/22/2024 | [Overview of management and APIs](/microsoft-365/security/defender-endpoint/api/management-apis?view=o365-worldwide) | modified |
-| 2/22/2024 | [Submit or Update Indicator API](/microsoft-365/security/defender-endpoint/api/post-ti-indicator?view=o365-worldwide) | modified |
-| 2/22/2024 | [Stream Microsoft Defender for Endpoint events to your Storage account](/microsoft-365/security/defender-endpoint/api/raw-data-export-storage?view=o365-worldwide) | modified |
-| 2/23/2024 | [Upgrade or change to a different Microsoft 365 for business plan](/microsoft-365/commerce/subscriptions/upgrade-to-different-plan?view=o365-worldwide) | modified |
-| 2/23/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune?view=o365-worldwide) | modified |
-| 2/23/2024 | [Use a promo code to reduce price of a new Microsoft 365 for business subscription](/microsoft-365/commerce/use-a-promo-code?view=o365-worldwide) | modified |
-| 2/23/2024 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide) | modified |
--
-## Week of February 12, 2024
--
-| Published On |Topic title | Change |
-|||--|
-| 2/12/2024 | [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode?view=o365-worldwide) | added |
-| 2/12/2024 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide) | modified |
-| 2/12/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified |
-| 2/12/2024 | [How to schedule scans with Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-schedule-scan?view=o365-worldwide) | modified |
-| 2/12/2024 | [Tenant roadmap for Microsoft 365](/microsoft-365/enterprise/tenant-roadmap-microsoft-365?view=o365-worldwide) | modified |
-| 2/12/2024 | [Microsoft 365 admin center Microsoft 365 Copilot usage](/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage?view=o365-worldwide) | modified |
-| 2/12/2024 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified |
-| 2/12/2024 | [Vulnerability support in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies?view=o365-worldwide) | modified |
-| 2/12/2024 | [Run script and code analysis with Security Copilot in Microsoft Defender XDR](/microsoft-365/security/defender/security-copilot-m365d-script-analysis?view=o365-worldwide) | modified |
-| 2/12/2024 | [Anti-phishing policies](/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide) | modified |
-| 2/12/2024 | [Spoof intelligence insight](/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence?view=o365-worldwide) | modified |
-| 2/12/2024 | [Email authentication in Microsoft 365](/microsoft-365/security/office-365-security/email-authentication-about?view=o365-worldwide) | modified |
-| 2/12/2024 | How Sender Policy Framework (SPF) prevents spoofing | removed |
-| 2/12/2024 | [Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure?view=o365-worldwide) | modified |
-| 2/12/2024 | [How to use DKIM for email in your custom domain](/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide) | modified |
-| 2/12/2024 | Support for validation of Domain Keys Identified Mail (DKIM) signed messages | removed |
-| 2/12/2024 | [Use DMARC to validate email, setup steps](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide) | modified |
-| 2/12/2024 | Use DMARC Reports to protect against spoofing and phishing in Microsoft Office 365 | removed |
-| 2/12/2024 | [Set up SPF identify valid email sources for your Microsoft 365 domain](/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide) | modified |
-| 2/12/2024 | [Get started with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/mdo-deployment-guide?view=o365-worldwide) | modified |
-| 2/12/2024 | [How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains](/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains?view=o365-worldwide) | modified |
-| 2/13/2024 | [Enable attack surface reduction rules](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide) | modified |
-| 2/13/2024 | [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-ebpf?view=o365-worldwide) | modified |
-| 2/13/2024 | [Enable the limited periodic Microsoft Defender Antivirus scanning feature](/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/13/2024 | [IdentityLogonEvents table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide) | modified |
-| 2/13/2024 | [Set up pay-as-you-go billing for Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-billing) | added |
-| 2/13/2024 | Help your clients and customers use virtual appointments scheduled with the Bookings app in Teams | removed |
-| 2/13/2024 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide) | modified |
-| 2/13/2024 | [Set up Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-setup) | modified |
-| 2/14/2024 | [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide) | modified |
-| 2/14/2024 | [Set up pay-as-you-go billing for Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-billing) | modified |
-| 2/14/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Group Policy](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-gpo?view=o365-worldwide) | modified |
-| 2/14/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune?view=o365-worldwide) | modified |
-| 2/14/2024 | [Device control in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-overview?view=o365-worldwide) | modified |
-| 2/14/2024 | [Device control policies in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-policies?view=o365-worldwide) | modified |
-| 2/14/2024 | [Device control walkthroughs](/microsoft-365/security/defender-endpoint/device-control-walkthroughs?view=o365-worldwide) | modified |
-| 2/15/2024 | Managers - Get your team started with Microsoft 365 for frontline workers | removed |
-| 2/15/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified |
-| 2/15/2024 | [Unified cloud.microsoft domain for Microsoft 365 apps](/microsoft-365/enterprise/cloud-microsoft-domain?view=o365-worldwide) | added |
-| 2/15/2024 | [Engage your frontline employees and focus on wellbeing](/microsoft-365/frontline/flw-wellbeing-engagement?view=o365-worldwide) | modified |
-| 2/15/2024 | [Overview of using Microsoft 365 Lighthouse baselines to deploy standard tenant configurations](/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview?view=o365-worldwide) | modified |
-| 2/16/2024 | [Change the billing addresses for your Microsoft business subscription](/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses?view=o365-worldwide) | modified |
-| 2/16/2024 | [Manage billing notifications and invoice attachment settings in the Microsoft 365 admin center](/microsoft-365/commerce/billing-and-payments/manage-billing-notifications?view=o365-worldwide) | modified |
-| 2/16/2024 | [Manage your Microsoft business billing profiles](/microsoft-365/commerce/billing-and-payments/manage-billing-profiles?view=o365-worldwide) | modified |
-| 2/16/2024 | [Manage payment methods for Microsoft business accounts](/microsoft-365/commerce/billing-and-payments/manage-payment-methods?view=o365-worldwide) | modified |
-| 2/16/2024 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified |
-| 2/16/2024 | [Access the Microsoft Defender XDR MSSP customer portal](/microsoft-365/security/defender-endpoint/access-mssp-portal?view=o365-worldwide) | modified |
-| 2/16/2024 | [Submit files in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/admin-submissions-mde?view=o365-worldwide) | modified |
-| 2/16/2024 | [Alerts queue in Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response?view=o365-worldwide) | modified |
-| 2/16/2024 | [View and organize the Microsoft Defender for Endpoint Alerts queue](/microsoft-365/security/defender-endpoint/alerts-queue?view=o365-worldwide) | modified |
-| 2/16/2024 | [Provide feedback on the Microsoft Defender for Endpoint Client Analyzer tool](/microsoft-365/security/defender-endpoint/analyzer-feedback?view=o365-worldwide) | modified |
-| 2/16/2024 | [Understand the client analyzer HTML report](/microsoft-365/security/defender-endpoint/analyzer-report?view=o365-worldwide) | modified |
-| 2/16/2024 | [Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-worldwide) | modified |
-| 2/16/2024 | [Configure Microsoft Defender for Endpoint on Android features](/microsoft-365/security/defender-endpoint/android-configure?view=o365-worldwide) | modified |
-| 2/16/2024 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint on Android - Privacy information](/microsoft-365/security/defender-endpoint/android-privacy?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot issues on Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-support-signin?view=o365-worldwide) | modified |
-| 2/16/2024 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-worldwide) | modified |
-| 2/16/2024 | [How to use Power Automate Connector to set up a Flow for events](/microsoft-365/security/defender-endpoint/api-microsoft-flow?view=o365-worldwide) | modified |
-| 2/16/2024 | [Migrating servers from Microsoft Monitoring Agent to the unified solution](/microsoft-365/security/defender-endpoint/application-deployment-via-mecm?view=o365-worldwide) | modified |
-| 2/16/2024 | [Assign user access](/microsoft-365/security/defender-endpoint/assign-portal-access?view=o365-worldwide) | modified |
-| 2/16/2024 | [Attack surface reduction frequently asked questions (FAQ)](/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq?view=o365-worldwide) | modified |
-| 2/16/2024 | [Implement attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement?view=o365-worldwide) | modified |
-| 2/16/2024 | [Plan attack surface reduction rules deployment](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan?view=o365-worldwide) | modified |
-| 2/16/2024 | [Test attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint attack surface reduction rules deployment overview](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment?view=o365-worldwide) | modified |
-| 2/16/2024 | [Attack surface reduction rules reporting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report?view=o365-worldwide) | modified |
-| 2/16/2024 | [Use automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide) | modified |
-| 2/16/2024 | [Integration with Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/azure-server-integration?view=o365-worldwide) | modified |
-| 2/16/2024 | [Check the device health at Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-worldwide) | modified |
-| 2/16/2024 | [Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide) | modified |
-| 2/16/2024 | [Enable Conditional Access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide) | modified |
-| 2/16/2024 | [Manage Microsoft Defender Antivirus in your business](/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [Understand and use attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide) | modified |
-| 2/16/2024 | [Enable block at first sight to detect malware in seconds](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [Configure the Microsoft Defender Antivirus cloud block timeout period](/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [Configure Conditional Access in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-conditional-access?view=o365-worldwide) | modified |
-| 2/16/2024 | [Optimize ASR rule deployment and detections](/microsoft-365/security/defender-endpoint/configure-machines-asr?view=o365-worldwide) | modified |
-| 2/16/2024 | [Increase compliance to the Microsoft Defender for Endpoint security baseline](/microsoft-365/security/defender-endpoint/configure-machines-security-baseline?view=o365-worldwide) | modified |
-| 2/16/2024 | [Ensure your devices are configured properly](/microsoft-365/security/defender-endpoint/configure-machines?view=o365-worldwide) | modified |
-| 2/16/2024 | [Configure alert notifications that are sent to MSSPs](/microsoft-365/security/defender-endpoint/configure-mssp-notifications?view=o365-worldwide) | modified |
-| 2/16/2024 | [Configure managed security service provider support](/microsoft-365/security/defender-endpoint/configure-mssp-support?view=o365-worldwide) | modified |
-| 2/16/2024 | [Configure Microsoft Defender Antivirus notifications](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [Enable and configure Microsoft Defender Antivirus protection features](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [Onboard Windows servers to the Microsoft Defender for Endpoint service](/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide) | modified |
-| 2/16/2024 | [Migrate from the MDE SIEM API to the Microsoft Defender XDR alerts API](/microsoft-365/security/defender-endpoint/configure-siem?view=o365-worldwide) | modified |
-| 2/16/2024 | [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates?view=o365-worldwide) | modified |
-| 2/16/2024 | [Connected applications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/connected-applications?view=o365-worldwide) | modified |
-| 2/16/2024 | [Contact Microsoft Defender for Endpoint support](/microsoft-365/security/defender-endpoint/contact-support?view=o365-worldwide) | modified |
-| 2/16/2024 | [Protect important folders from ransomware from encrypting your files with controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders?view=o365-worldwide) | modified |
-| 2/16/2024 | [Run and customize scheduled and on-demand scans](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [Data collection for advanced troubleshooting on Windows](/microsoft-365/security/defender-endpoint/data-collection-analyzer?view=o365-worldwide) | modified |
-| 2/16/2024 | [Antivirus solution compatibility with Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-compatibility?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint SmartScreen app reputation demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-app-reputation?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint attack surface reduction rules demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint Cloud-delivered protection demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint Controlled folder access (CFA) demonstration test tool](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access-test-tool?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint Controlled folder access (CFA) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint Exploit protection (EP) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-exploit-protection?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint Network protection demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-network-protection?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint Potentially unwanted applications (PUA) demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-potentially-unwanted-applications?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint SmartScreen URL reputation demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender for Endpoint demonstration scenarios](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations?view=o365-worldwide) | modified |
-| 2/16/2024 | [Threat protection report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-protection-reports?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender XDR time zone settings](/microsoft-365/security/defender-endpoint/time-settings?view=o365-worldwide) | modified |
-| 2/16/2024 | [Report and troubleshoot Microsoft Defender for Endpoint attack surface reduction rules](/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot problems with attack surface reduction rules](/microsoft-365/security/defender-endpoint/troubleshoot-asr?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/troubleshoot-cloud-connect-mdemac?view=o365-worldwide) | modified |
-| 2/16/2024 | [Collect support logs in Microsoft Defender for Endpoint using live response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot exploit protection mitigations](/microsoft-365/security/defender-endpoint/troubleshoot-exploit-protection-mitigations?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot Microsoft Defender for Endpoint live response issues](/microsoft-365/security/defender-endpoint/troubleshoot-live-response?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot Microsoft Defender for Endpoint service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mdatp?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot Microsoft Defender Antivirus while migrating from a non-Microsoft solution](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating?view=o365-worldwide) | modified |
-| 2/16/2024 | [Microsoft Defender Antivirus event IDs and error codes](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot problems with Network protection](/microsoft-365/security/defender-endpoint/troubleshoot-np?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot onboarding issues and error messages](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot problems with reporting tools for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/troubleshoot-reporting?view=o365-worldwide) | modified |
-| 2/16/2024 | [Troubleshoot SIEM tool integration issues in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/troubleshoot-siem?view=o365-worldwide) | modified |
-| 2/16/2024 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [Configure Microsoft Defender Antivirus using Microsoft Intune](/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [Configure Microsoft Defender Antivirus with WMI](/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 2/16/2024 | [View and organize the Incidents queue](/microsoft-365/security/defender-endpoint/view-incidents-queue?view=o365-worldwide) | modified |
-| 2/16/2024 | [Monitoring web browsing security in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/web-protection-monitoring?view=o365-worldwide) | modified |
-| 2/16/2024 | [Web protection](/microsoft-365/security/defender-endpoint/web-protection-overview?view=o365-worldwide) | modified |
-| 2/16/2024 | [Respond to web threats in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/web-protection-response?view=o365-worldwide) | modified |
-| 2/16/2024 | [Protect your organization against web threats](/microsoft-365/security/defender-endpoint/web-threat-protection?view=o365-worldwide) | modified |
-| 2/16/2024 | [Zero Trust with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/zero-trust-with-microsoft-defender-endpoint?view=o365-worldwide) | modified |
--
-## Week of February 05, 2024
--
-| Published On |Topic title | Change |
-|||--|
-| 2/5/2024 | [Use network protection to help prevent connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide) | modified |
-| 2/5/2024 | [Other endpoints not included in the Microsoft 365 IP Address and URL Web service](/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls?view=o365-worldwide) | modified |
-| 2/5/2024 | [Microsoft 365 IP Address and URL web service](/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide) | modified |
-| 2/5/2024 | [Microsoft 365 US Government DOD endpoints](/microsoft-365/enterprise/microsoft-365-u-s-government-dod-endpoints?view=o365-worldwide) | modified |
-| 2/5/2024 | [Microsoft 365 U.S. Government GCC High endpoints](/microsoft-365/enterprise/microsoft-365-u-s-government-gcc-high-endpoints?view=o365-worldwide) | modified |
-| 2/5/2024 | [URLs and IP address ranges for Microsoft 365 operated by 21Vianet](/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet?view=o365-worldwide) | modified |
-| 2/5/2024 | [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) | modified |
-| 2/6/2024 | [Manage the join experience for Teams Virtual Appointments on browsers](/microsoft-365/frontline/browser-join?view=o365-worldwide) | modified |
-| 2/6/2024 | [Allow cookies for LMS URLs in your browser](/microsoft-365/lti/browser-cookies?view=o365-worldwide) | modified |
-| 2/6/2024 | Microsoft Defender for Endpoint Block at First Sight (BAFS) demonstration | removed |
-| 2/6/2024 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified |
-| 2/6/2024 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide) | modified |
-| 2/6/2024 | [Configure anti-malware policies](/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide) | modified |
-| 2/6/2024 | [Configure anti-phishing policies in EOP](/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure?view=o365-worldwide) | modified |
-| 2/6/2024 | [Configure anti-phishing policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide) | modified |
-| 2/6/2024 | [Configure spam filter policies](/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide) | modified |
-| 2/6/2024 | [Microsoft Defender for Office 365 permissions in the Microsoft Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions?view=o365-worldwide) | modified |
-| 2/6/2024 | [Configure outbound spam policies](/microsoft-365/security/office-365-security/outbound-spam-policies-configure?view=o365-worldwide) | modified |
-| 2/6/2024 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified |
-| 2/6/2024 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide) | modified |
-| 2/6/2024 | [Set up Safe Attachments policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide) | modified |
-| 2/6/2024 | [Set up Safe Links policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide) | modified |
-| 2/6/2024 | [Use Microsoft Defender for Office 365 in SharePoint Online](/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online?view=o365-worldwide) | modified |
-| 2/6/2024 | [Allow or block email using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide) | modified |
-| 2/6/2024 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure?view=o365-worldwide) | modified |
-| 2/6/2024 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/user-tags-about?view=o365-worldwide) | modified |
-| 2/6/2024 | [Pricing model for Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-pricing) | modified |
-| 2/6/2024 | [Set up Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-setup) | modified |
-| 2/7/2024 | [Detect and Remediate Illicit Consent Grants](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide) | modified |
-| 2/7/2024 | [Get started with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/mdo-deployment-guide?view=o365-worldwide) | modified |
-| 2/7/2024 | [Microsoft Defender for Office 365 permissions in the Microsoft Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions?view=o365-worldwide) | modified |
-| 2/7/2024 | [Continuous access evaluation for Microsoft 365 - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide) | modified |
-| 2/7/2024 | [Common Zero Trust identity and device access policies - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-common?view=o365-worldwide) | modified |
-| 2/7/2024 | [Zero Trust identity and device access configurations - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-overview?view=o365-worldwide) | modified |
-| 2/7/2024 | [Prerequisite work for implementing Zero Trust identity and device access policies](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-prereq?view=o365-worldwide) | modified |
-| 2/7/2024 | [How to configure Exchange Server on-premises to use Hybrid Modern Authentication](/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide) | modified |
-| 2/7/2024 | [Data Residency for Exchange Online](/microsoft-365/enterprise/m365-dr-workload-exo?view=o365-worldwide) | modified |
-| 2/7/2024 | [View Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/view-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified |
-| 2/7/2024 | [Frontline team collaboration](/microsoft-365/frontline/flw-team-collaboration?view=o365-worldwide) | modified |
-| 2/7/2024 | [Microsoft 365 for Financial Services](/microsoft-365/frontline/teams-for-financial-services?view=o365-worldwide) | modified |
-| 2/7/2024 | [Microsoft 365 for Manufacturing](/microsoft-365/frontline/teams-for-manufacturing?view=o365-worldwide) | modified |
-| 2/7/2024 | [Microsoft 365 for retail organizations](/microsoft-365/frontline/teams-for-retail-landing-page?view=o365-worldwide) | modified |
-| 2/7/2024 | [Microsoft Defender for Endpoint demonstration scenarios](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations?view=o365-worldwide) | modified |
-| 2/7/2024 | [Configure apps using Microsoft Intune](/microsoft-365/solutions/apps-config-overview?view=o365-worldwide) | modified |
-| 2/7/2024 | [Step 1. Configure the Company Portal](/microsoft-365/solutions/apps-config-step-1?view=o365-worldwide) | modified |
-| 2/7/2024 | [Step 3. Configure Microsoft 365](/microsoft-365/solutions/apps-config-step-3?view=o365-worldwide) | modified |
-| 2/7/2024 | [Step 4. Configure Microsoft Edge](/microsoft-365/solutions/apps-config-step-4?view=o365-worldwide) | modified |
-| 2/7/2024 | [Step 5. Configure Microsoft Teams](/microsoft-365/solutions/apps-config-step-5?view=o365-worldwide) | modified |
-| 2/7/2024 | [Step 6. Configure other apps](/microsoft-365/solutions/apps-config-step-6?view=o365-worldwide) | modified |
-| 2/7/2024 | [Feature update validation](/microsoft-365/test-base/feature?view=o365-worldwide) | modified |
-| 2/8/2024 | Industry collaboration programs | removed |
-| 2/8/2024 | [Manage submissions](/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide) | modified |
-| 2/8/2024 | [Troubleshoot a signature request for SharePoint eSignature](/microsoft-365/syntex/esignature-troubleshoot) | modified |
-| 2/8/2024 | [Remove Microsoft 365 licenses from user accounts with PowerShell](/microsoft-365/enterprise/remove-licenses-from-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified |
-| 2/9/2024 | [Manage Office Scripts settings](/microsoft-365/admin/manage/manage-office-scripts-settings?view=o365-worldwide) | modified |
-| 2/9/2024 | [Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration](/microsoft-365/security/defender-endpoint/review-detected-threats?view=o365-worldwide) | added |
-| 2/9/2024 | Manage self-service purchases and organizational trials for Microsoft Project | removed |
-| 2/9/2024 | [Resources for Microsoft Defender for Endpoint for mobile devices](/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint?view=o365-worldwide) | modified |
-| 2/9/2024 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide) | modified |
--
-## Week of January 29, 2024
--
-| Published On |Topic title | Change |
-|||--|
-| 1/29/2024 | [GDPR simplified: A guide for your small business](/microsoft-365/admin/security-and-compliance/gdpr-compliance?view=o365-worldwide) | modified |
-| 1/29/2024 | [Accept an email invitation to a Microsoft 365 for business subscription organization using an Outlook, Yahoo, Gmail or other account (User)](/microsoft-365/admin/simplified-signup/user-invite-msa-nodomain-join?view=o365-worldwide) | modified |
-| 1/29/2024 | [SharePoint Cross-tenant SharePoint migration Step 5 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step5?view=o365-worldwide) | modified |
-| 1/29/2024 | [SharePoint site Cross-tenant SharePoint migration Step 6 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6?view=o365-worldwide) | modified |
-| 1/29/2024 | [Mailbox utilization service alerts](/microsoft-365/enterprise/microsoft-365-mailbox-utilization-service-alerts?view=o365-worldwide) | modified |
-| 1/29/2024 | [Microsoft Azure Architectures for SharePoint 2013](/microsoft-365/enterprise/microsoft-azure-architectures-for-sharepoint-2013?view=o365-worldwide) | modified |
-| 1/29/2024 | [Deploy Microsoft Defender for Endpoint on Linux with SaltStack](/microsoft-365/security/defender-endpoint/linux-install-with-saltack?view=o365-worldwide) | modified |
-| 1/29/2024 | [Collect support logs in Microsoft Defender for Endpoint using live response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log?view=o365-worldwide) | modified |
-| 1/29/2024 | [Microsoft Defender Antivirus event IDs and error codes](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide) | modified |
-| 1/29/2024 | [Step 2. Configure Microsoft Outlook](/microsoft-365/solutions/apps-config-step-2?view=o365-worldwide) | modified |
-| 1/29/2024 | [Key Compliance and Security Considerations for the Energy Industry](/microsoft-365/solutions/energy-secure-collaboration?view=o365-worldwide) | modified |
-| 1/29/2024 | [To identity and beyondΓÇöOne architect's viewpoint](/microsoft-365/solutions/identity-design-principles?view=o365-worldwide) | modified |
-| 1/29/2024 | [Communicating with Microsoft Defender Experts](/microsoft-365/security/defender/communicate-defender-experts-xdr?view=o365-worldwide) | added |
-| 1/29/2024 | [How to use the Microsoft Defender Experts for XDR service](/microsoft-365/security/defender/start-using-mdex-xdr?view=o365-worldwide) | modified |
-| 1/29/2024 | [How to schedule an update of the Microsoft Defender for Endpoint (Linux)](/microsoft-365/security/defender-endpoint/linux-update-mde-linux?view=o365-worldwide) | modified |
-| 1/29/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified |
-| 1/30/2024 | [Protect macOS security settings with tamper protection](/microsoft-365/security/defender-endpoint/tamperprotection-macos?view=o365-worldwide) | modified |
-| 1/30/2024 | [Get started with Microsoft Defender Experts for XDR](/microsoft-365/security/defender/get-started-xdr?view=o365-worldwide) | modified |
-| 1/30/2024 | [View Microsoft 365 account license and service details with PowerShell](/microsoft-365/enterprise/view-account-license-and-service-details-with-microsoft-365-powershell?view=o365-worldwide) | modified |
-| 1/30/2024 | [Microsoft 365 OneDrive usage reports](/microsoft-365/admin/activity-reports/onedrive-for-business-usage-ww?view=o365-worldwide) | modified |
-| 1/30/2024 | [Microsoft 365 network provider assessments.](/microsoft-365/enterprise/office-365-network-mac-perf-nppdata?view=o365-worldwide) | modified |
-| 1/30/2024 | [Network provider connectivity attribution in the Microsoft 365 Admin Center](/microsoft-365/enterprise/office-365-network-mac-perf-nppux?view=o365-worldwide) | modified |
-| 1/30/2024 | [Network connectivity in the Microsoft 365 Admin Center](/microsoft-365/enterprise/office-365-network-mac-perf-overview?view=o365-worldwide) | modified |
-| 1/30/2024 | [Configuration analyzer for security policies](/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide) | modified |
-| 1/31/2024 | [Network provider details in the Microsoft 365 Admin Center (PREVIEW)](/microsoft-365/enterprise/office-365-network-mac-perf-nppdetails?view=o365-worldwide) | added |
-| 1/31/2024 | [Security advisories](/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses-security-advisories?view=o365-worldwide) | added |
-| 1/31/2024 | [Vulnerability methods and properties](/microsoft-365/security/defender-endpoint/api/vulnerability?view=o365-worldwide) | modified |
-| 1/31/2024 | [Use basic permissions to access the portal](/microsoft-365/security/defender-endpoint/basic-permissions?view=o365-worldwide) | modified |
-| 1/31/2024 | [Vulnerabilities in my organization](/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses?view=o365-worldwide) | modified |
-| 1/31/2024 | [Automatic attack disruption in Microsoft Defender XDR](/microsoft-365/security/defender/automatic-attack-disruption?view=o365-worldwide) | modified |
-| 1/31/2024 | [Microsoft 365 for frontline workers - scenario posters](/microsoft-365/frontline/flw-scenario-posters?view=o365-worldwide) | modified |
-| 1/31/2024 | [Threat protection report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-protection-reports?view=o365-worldwide) | modified |
-| 2/1/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Group Policy](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-gpo?view=o365-worldwide) | added |
-| 2/1/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune?view=o365-worldwide) | added |
-| 2/1/2024 | [Microsoft Defender for Endpoint Device Control frequently asked questions](/microsoft-365/security/defender-endpoint/device-control-faq?view=o365-worldwide) | renamed |
-| 2/1/2024 | [Device control in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-overview?view=o365-worldwide) | added |
-| 2/1/2024 | [Device control policies in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-policies?view=o365-worldwide) | added |
-| 2/1/2024 | [Device control walkthroughs](/microsoft-365/security/defender-endpoint/device-control-walkthroughs?view=o365-worldwide) | added |
-| 2/1/2024 | Deploy and manage using group policy | removed |
-| 2/1/2024 | Deploy and manage printer protection using Intune | removed |
-| 2/1/2024 | Deploy and manage Removable Storage Access Control using group policy | removed |
-| 2/1/2024 | Deploy and manage Removable Storage Access Control using Intune | removed |
-| 2/1/2024 | Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media | removed |
-| 2/1/2024 | Microsoft Defender for Endpoint Device Control Removable Storage Protection | removed |
-| 2/1/2024 | [View device control events and information in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-report?view=o365-worldwide) | modified |
-| 2/1/2024 | Microsoft Defender for Endpoint Device Control Device Installation | removed |
-| 2/1/2024 | Printer Protection frequently asked questions | removed |
-| 2/1/2024 | Printer Protection Overview | removed |
-| 2/1/2024 | Microsoft Defender for Endpoint Device Control Printer Protection | removed |
-| 2/1/2024 | [How Microsoft identifies malware and potentially unwanted applications](/microsoft-365/security/intelligence/criteria?view=o365-worldwide) | modified |
-| 2/2/2024 | [Synchronize users in multitenant organizations in Microsoft 365 (Preview)](/microsoft-365/enterprise/sync-users-multi-tenant-orgs?view=o365-worldwide) | modified |
-| 2/2/2024 | [View licensed and unlicensed Microsoft 365 users with PowerShell](/microsoft-365/enterprise/view-licensed-and-unlicensed-users-with-microsoft-365-powershell?view=o365-worldwide) | modified |
-| 2/2/2024 | [View Microsoft 365 licenses and services with PowerShell](/microsoft-365/enterprise/view-licenses-and-services-with-microsoft-365-powershell?view=o365-worldwide) | modified |
-| 2/2/2024 | [Attack surface reduction rules reference](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide) | modified |
-| 2/2/2024 | [Microsoft Defender XDR # < 60 chars](/microsoft-365/security/defender/index?view=o365-worldwide) | modified |
+++
+## Week of March 18, 2024
++
+| Published On |Topic title | Change |
+|||--|
+| 3/18/2024 | [Overview of the Tenants page in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-tenants-page-overview?view=o365-worldwide) | modified |
+| 3/18/2024 | [Test Base FAQ](/microsoft-365/test-base/faq?view=o365-worldwide) | modified |
+| 3/18/2024 | [Onboard Windows devices to Microsoft Defender for Endpoint via Group Policy](/microsoft-365/security/defender-endpoint/configure-endpoints-gp?view=o365-worldwide) | modified |
+| 3/18/2024 | [Onboard Windows devices using Configuration Manager](/microsoft-365/security/defender-endpoint/configure-endpoints-sccm?view=o365-worldwide) | modified |
+| 3/18/2024 | [Device health Microsoft Defender Antivirus health report](/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health?view=o365-worldwide) | modified |
+| 3/18/2024 | [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=o365-worldwide) | modified |
+| 3/18/2024 | [Onboarding using Microsoft Configuration Manager](/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager?view=o365-worldwide) | modified |
+| 3/18/2024 | [Onboarding using Microsoft Intune](/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide) | modified |
+| 3/18/2024 | [Partner applications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/partner-applications?view=o365-worldwide) | modified |
+| 3/18/2024 | [Pilot Microsoft Defender for Identity](/microsoft-365/security/defender/eval-defender-identity-pilot?view=o365-worldwide) | modified |
+| 3/18/2024 | [Campaigns in Microsoft Defender for Office 365 Plan](/microsoft-365/security/office-365-security/campaigns?view=o365-worldwide) | modified |
+| 3/18/2024 | [The email entity page in Defender for Office 365](/microsoft-365/security/office-365-security/mdo-email-entity-page?view=o365-worldwide) | modified |
+| 3/18/2024 | [Migrate to Microsoft Defender for Office 365 Phase 3: Onboard](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard?view=o365-worldwide) | modified |
+| 3/18/2024 | [Email security with Threat Explorer and Real-time detections in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/threat-explorer-email-security?view=o365-worldwide) | added |
+| 3/18/2024 | [Investigate malicious email that was delivered in Microsoft 365, find and investigate malicious email](/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email?view=o365-worldwide) | added |
+| 3/18/2024 | [About Threat Explorer and Real-time detections in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about?view=o365-worldwide) | added |
+| 3/18/2024 | [Threat hunting in Threat Explorer and Real-time detections](/microsoft-365/security/office-365-security/threat-explorer-threat-hunting?view=o365-worldwide) | modified |
+| 3/18/2024 | [Microsoft Defender for Office 365 trial user guide](/microsoft-365/security/office-365-security/trial-user-guide-defender-for-office-365?view=o365-worldwide) | modified |
+| 3/18/2024 | [Manage auto-claim policies in the Microsoft 365 admin center](/microsoft-365/commerce/licenses/manage-auto-claim-policies?view=o365-worldwide) | modified |
+| 3/18/2024 | [Microsoft Teams frontline usage report](/microsoft-365/frontline/frontline-usage-report?view=o365-worldwide) | added |
+| 3/18/2024 | [Configure Offline Security Intelligence Update for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-offline-security-intelligence-update?view=o365-worldwide) | added |
+| 3/18/2024 | [Getting started with defense in-depth configuration for email security](/microsoft-365/security/office-365-security/step-by-step-guides/defense-in-depth-guide?view=o365-worldwide) | modified |
+| 3/19/2024 | [Microsoft 365 admin center email activity reports](/microsoft-365/admin/activity-reports/email-activity-ww?view=o365-worldwide) | modified |
+| 3/19/2024 | [Message center in the Microsoft 365 admin center](/microsoft-365/admin/manage/message-center?view=o365-worldwide) | modified |
+| 3/19/2024 | [Devices in multitenant management](/microsoft-365/security/defender/mto-tenant-devices?view=o365-worldwide) | modified |
+| 3/19/2024 | [Fix unhealthy sensors in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors?view=o365-worldwide) | modified |
+| 3/19/2024 | [Configure Offline Security Intelligence Update for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-offline-security-intelligence-update?view=o365-worldwide) | modified |
+| 3/19/2024 | [Investigate users in Microsoft Defender XDR](/microsoft-365/security/defender/investigate-users?view=o365-worldwide) | modified |
+| 3/19/2024 | [Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide) | modified |
+| 3/19/2024 | [Configure exclusions for files opened by specific processes](/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 3/19/2024 | [Troubleshoot license issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-license?view=o365-worldwide) | modified |
+| 3/19/2024 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified |
+| 3/19/2024 | [Configure anti-malware policies](/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide) | modified |
+| 3/19/2024 | [About Threat Explorer and Real-time detections in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about?view=o365-worldwide) | modified |
+| 3/19/2024 | [Threat trackers in Microsoft Defender for Office 365 Plan 2](/microsoft-365/security/office-365-security/threat-trackers?view=o365-worldwide) | modified |
+| 3/19/2024 | [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-ebpf?view=o365-worldwide) | modified |
+| 3/19/2024 | [Troubleshoot Microsoft Defender Antivirus settings](/microsoft-365/security/defender-endpoint/troubleshoot-settings?view=o365-worldwide) | added |
+| 3/20/2024 | [Copilot for Microsoft 365 features adoption using organizational messages](/microsoft-365/admin/activity-reports/microsoft-365-copilot-organizational-messages?view=o365-worldwide) | modified |
+| 3/20/2024 | [Microsoft Adoption Score Organizational Messages](/microsoft-365/admin/adoption/organizational-messages?view=o365-worldwide) | modified |
+| 3/20/2024 | [Move users to a different subscription](/microsoft-365/commerce/subscriptions/move-users-different-subscription?view=o365-worldwide) | modified |
+| 3/20/2024 | [Create indicators for files](/microsoft-365/security/defender-endpoint/indicator-file?view=o365-worldwide) | modified |
+| 3/20/2024 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide) | modified |
+| 3/20/2024 | [Exclude devices in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/exclude-devices?view=o365-worldwide) | modified |
+| 3/20/2024 | [Understand and use attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide) | modified |
+| 3/20/2024 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-perf?view=o365-worldwide) | modified |
+| 3/21/2024 | [Sign up for Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management?view=o365-worldwide) | modified |
+| 3/21/2024 | [Trial user guide - Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/trial-user-guide-defender-vulnerability-management?view=o365-worldwide) | modified |
+| 3/21/2024 | [Manage tenants with multitenant management in Microsoft Defender XDR](/microsoft-365/security/defender/mto-tenants?view=o365-worldwide) | modified |
+| 3/21/2024 | Getting an account disabled error in Outlook on the web | removed |
+| 3/21/2024 | [Cross-tenant mailbox migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-worldwide) | modified |
+| 3/21/2024 | [Deploy Microsoft 365 Directory Synchronization in Microsoft Azure](/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure?view=o365-worldwide) | modified |
+| 3/21/2024 | [Microsoft 365 monitoring](/microsoft-365/enterprise/microsoft-365-monitoring?view=o365-worldwide) | modified |
+| 3/21/2024 | [Plan for third-party SSL certificates for Microsoft 365](/microsoft-365/enterprise/plan-for-third-party-ssl-certificates?view=o365-worldwide) | modified |
+| 3/21/2024 | [Zero Trust deployment plan with Microsoft 365](/microsoft-365/security/microsoft-365-zero-trust?view=o365-worldwide) | modified |
+| 3/21/2024 | [Step 1. Your Microsoft 365 for enterprise tenants](/microsoft-365/solutions/tenant-management-tenants?view=o365-worldwide) | modified |
+| 3/22/2024 | [Use PowerShell to resolve site URLs in reports](/microsoft-365/admin/activity-reports/resolve-site-urls?view=o365-worldwide) | modified |
+| 3/22/2024 | [Microsoft 365 admin center - Overview](/microsoft-365/admin/admin-overview/admin-center-overview?view=o365-worldwide) | modified |
+| 3/22/2024 | [Set up Basic Mobility and Security](/microsoft-365/admin/basic-mobility-security/set-up?view=o365-worldwide) | modified |
+| 3/22/2024 | [Add or remove members from Microsoft 365 groups](/microsoft-365/admin/create-groups/add-or-remove-members-from-groups?view=o365-worldwide) | modified |
+| 3/22/2024 | [Restore a deleted Microsoft 365 group](/microsoft-365/admin/create-groups/restore-deleted-group?view=o365-worldwide) | modified |
+| 3/22/2024 | [Manage Industry news](/microsoft-365/admin/manage/manage-industry-news?view=o365-worldwide) | modified |
+| 3/22/2024 | [What's new in the Microsoft 365 admin center?](/microsoft-365/admin/whats-new-in-preview?view=o365-worldwide) | modified |
+| 3/22/2024 | [Microsoft Bookings](/microsoft-365/bookings/bookings-overview?view=o365-worldwide) | modified |
+| 3/22/2024 | [Troubleshoot a signature request for SharePoint eSignature](/microsoft-365/syntex/esignature-troubleshoot) | modified |
+| 3/22/2024 | [Set up OneDrive file storage and sharing](/microsoft-365/admin/setup/set-up-file-storage-and-sharing?view=o365-worldwide) | modified |
+| 3/22/2024 | [Understand frontline worker user types and licensing](/microsoft-365/frontline/flw-licensing-options?view=o365-worldwide) | modified |
+| 3/22/2024 | [Get started with Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-overview?view=o365-worldwide) | modified |
+| 3/22/2024 | [How to find the best frontline team solution for your organization](/microsoft-365/frontline/frontline-team-options?view=o365-worldwide) | modified |
++
+## Week of February 26, 2024
++
+| Published On |Topic title | Change |
+|||--|
+| 2/26/2024 | [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout?view=o365-worldwide) | modified |
+| 2/26/2024 | [Understand app protection access requirements using Microsoft Intune](/microsoft-365/solutions/apps-protect-access-requirements?view=o365-worldwide) | added |
+| 2/26/2024 | [Understand app protection conditional launch using Microsoft Intune](/microsoft-365/solutions/apps-protect-conditional-launch?view=o365-worldwide) | added |
+| 2/26/2024 | [Understand app data protection using Microsoft Intune](/microsoft-365/solutions/apps-protect-data-protection?view=o365-worldwide) | added |
+| 2/26/2024 | [Use the app protection framework with Microsoft Intune](/microsoft-365/solutions/apps-protect-framework?view=o365-worldwide) | added |
+| 2/26/2024 | [Understand app protection health checks using Microsoft Intune](/microsoft-365/solutions/apps-protect-health-checks?view=o365-worldwide) | added |
+| 2/26/2024 | [Secure and protect apps using Microsoft Intune](/microsoft-365/solutions/apps-protect-overview?view=o365-worldwide) | added |
+| 2/26/2024 | [Step 1. Apply minimum data protection](/microsoft-365/solutions/apps-protect-step-1?view=o365-worldwide) | added |
+| 2/26/2024 | [Step 2. Apply enhanced data protection](/microsoft-365/solutions/apps-protect-step-2?view=o365-worldwide) | added |
+| 2/26/2024 | [Step 3. Apply high data protection](/microsoft-365/solutions/apps-protect-step-3?view=o365-worldwide) | added |
+| 2/26/2024 | [Step 4. Understand app protection delivery](/microsoft-365/solutions/apps-protect-step-4?view=o365-worldwide) | added |
+| 2/26/2024 | [Step 5. Verify and monitor app protection](/microsoft-365/solutions/apps-protect-step-5?view=o365-worldwide) | added |
+| 2/26/2024 | [Step 6. Use app protection actions](/microsoft-365/solutions/apps-protect-step-6?view=o365-worldwide) | added |
+| 2/26/2024 | [Evaluate and pilot Microsoft Defender XDR security, an XDR solution that unifies threat data so you can take action.](/microsoft-365/security/defender/eval-overview?view=o365-worldwide) | modified |
+| 2/26/2024 | [Automatic user notifications for user reported phishing results in AIR](/microsoft-365/security/office-365-security/air-user-automatic-feedback-response?view=o365-worldwide) | modified |
+| 2/27/2024 | [Configuring external data integrations for Loop experiences](/microsoft-365/loop/loop-data-integrations-configuration?view=o365-worldwide) | added |
+| 2/27/2024 | [Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/elam-on-mdav?view=o365-worldwide) | added |
+| 2/27/2024 | [Manage Loop components in OneDrive and SharePoint](/microsoft-365/loop/loop-components-configuration?view=o365-worldwide) | modified |
+| 2/27/2024 | [Cloud protection and sample submission at Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide) | modified |
+| 2/27/2024 | [Manage Microsoft Defender Antivirus in your business](/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/27/2024 | [Configure Microsoft Defender Antivirus features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features?view=o365-worldwide) | modified |
+| 2/27/2024 | [Vulnerability support in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies?view=o365-worldwide) | modified |
+| 2/27/2024 | [Block vulnerable applications.](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps?view=o365-worldwide) | modified |
+| 2/27/2024 | [Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide) | modified |
+| 2/27/2024 | [Migrate from a third-party protection service to Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365?view=o365-worldwide) | modified |
+| 2/27/2024 | [Attack surface reduction rules reference](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide) | modified |
+| 2/27/2024 | [Data collection for advanced troubleshooting on Windows](/microsoft-365/security/defender-endpoint/data-collection-analyzer?view=o365-worldwide) | modified |
+| 2/27/2024 | [Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/27/2024 | [Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/amsi-on-mdav?view=o365-worldwide) | added |
+| 2/27/2024 | [Run and customize scheduled and on-demand scans](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/27/2024 | [Antivirus solution compatibility with Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-compatibility?view=o365-worldwide) | modified |
+| 2/27/2024 | [Apply Microsoft Defender Antivirus updates after certain events](/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/27/2024 | [Microsoft Defender Antivirus security intelligence and product updates](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates?view=o365-worldwide) | modified |
+| 2/27/2024 | [Microsoft Defender Antivirus updates - Previous versions for technical upgrade support](/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support?view=o365-worldwide) | modified |
+| 2/27/2024 | [Microsoft Defender for Cloud in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud?view=o365-worldwide) | modified |
+| 2/27/2024 | [Microsoft Defender for Endpoint in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mde?view=o365-worldwide) | modified |
+| 2/27/2024 | [Microsoft Defender for Identity in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mdi?view=o365-worldwide) | modified |
+| 2/27/2024 | [Microsoft Defender for Office 365 in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mdo?view=o365-worldwide) | modified |
+| 2/27/2024 | [Redirecting from the Microsoft Defender Security Center to the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-mde-redirection?view=o365-worldwide) | modified |
+| 2/27/2024 | [Compliance features in Microsoft 365 Archive (Preview)](/microsoft-365/syntex/archive/archive-compliance) | modified |
+| 2/28/2024 | [Coin miners](/microsoft-365/security/defender-endpoint/malware/coinminer-malware?view=o365-worldwide) | added |
+| 2/28/2024 | [Exploits and exploit kits](/microsoft-365/security/defender-endpoint/malware/exploits-malware?view=o365-worldwide) | added |
+| 2/28/2024 | [Fileless threats](/microsoft-365/security/defender-endpoint/malware/fileless-threats?view=o365-worldwide) | added |
+| 2/28/2024 | [Macro malware](/microsoft-365/security/defender-endpoint/malware/macro-malware?view=o365-worldwide) | added |
+| 2/28/2024 | [Phishing trends and techniques](/microsoft-365/security/defender-endpoint/malware/phishing-trends?view=o365-worldwide) | added |
+| 2/28/2024 | [How to protect against phishing attacks](/microsoft-365/security/defender-endpoint/malware/phishing?view=o365-worldwide) | added |
+| 2/28/2024 | [Prevent malware infection](/microsoft-365/security/defender-endpoint/malware/prevent-malware-infection?view=o365-worldwide) | added |
+| 2/28/2024 | [Rootkits](/microsoft-365/security/defender-endpoint/malware/rootkits-malware?view=o365-worldwide) | added |
+| 2/28/2024 | [Supply chain attacks](/microsoft-365/security/defender-endpoint/malware/supply-chain-malware?view=o365-worldwide) | added |
+| 2/28/2024 | [Tech Support Scams](/microsoft-365/security/defender-endpoint/malware/support-scams?view=o365-worldwide) | added |
+| 2/28/2024 | [Trojan malware](/microsoft-365/security/defender-endpoint/malware/trojans-malware?view=o365-worldwide) | added |
+| 2/28/2024 | [Understanding malware & other threats](/microsoft-365/security/defender-endpoint/malware/understanding-malware?view=o365-worldwide) | added |
+| 2/28/2024 | [Unwanted software](/microsoft-365/security/defender-endpoint/malware/unwanted-software?view=o365-worldwide) | added |
+| 2/28/2024 | [Worms](/microsoft-365/security/defender-endpoint/malware/worms-malware?view=o365-worldwide) | added |
+| 2/28/2024 | [Configure junk email settings on Exchange Online mailboxes](/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes?view=o365-worldwide) | modified |
+| 2/28/2024 | [Manage Shifts permissions for frontline managers](/microsoft-365/frontline/manage-shifts-permissions-frontline-managers?view=o365-worldwide) | added |
+| 2/28/2024 | [Behavior monitoring in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/behavior-monitor?view=o365-worldwide) | added |
+| 2/28/2024 | [Windows and Office 365 deployment lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab?view=o365-worldwide) | modified |
+| 2/28/2024 | [Deploy frontline dynamic teams at scale](/microsoft-365/frontline/deploy-dynamic-teams-at-scale?view=o365-worldwide) | modified |
+| 2/28/2024 | [Overview of next-generation protection in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/next-generation-protection?view=o365-worldwide) | modified |
+| 2/28/2024 | [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/28/2024 | Configure Directory Services account in Microsoft Defender for Identity | removed |
+| 2/28/2024 | Microsoft Defender for Identity entity tags in Microsoft Defender XDR | removed |
+| 2/28/2024 | Microsoft Defender for Identity detection exclusions in Microsoft Defender XDR | removed |
+| 2/28/2024 | Microsoft Defender for Identity security alerts in Microsoft Defender XDR | removed |
+| 2/28/2024 | Microsoft Defender for Identity notifications in Microsoft Defender XDR | removed |
+| 2/28/2024 | Microsoft Defender for Identity sensor health and settings in Microsoft Defender XDR | removed |
+| 2/28/2024 | Microsoft Defender for Identity VPN integration in Microsoft Defender XDR | removed |
+| 2/28/2024 | [Advanced technologies at the core of Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/adv-tech-of-mdav?view=o365-worldwide) | added |
+| 2/28/2024 | [Run Microsoft Defender Antivirus in a sandbox environment](/microsoft-365/security/defender-endpoint/sandbox-mdav?view=o365-worldwide) | added |
+| 2/28/2024 | [Configure the Microsoft Defender Antivirus cloud block timeout period](/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/28/2024 | [Create and manage device tags](/microsoft-365/security/defender-endpoint/machine-tags?view=o365-worldwide) | modified |
+| 2/29/2024 | [Configure and manage Microsoft Defender Experts capabilities](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts?view=o365-worldwide) | modified |
+| 2/29/2024 | [Preview limitations in Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-limitations) | modified |
+| 2/29/2024 | [Disable access to Microsoft 365 services with PowerShell](/microsoft-365/enterprise/disable-access-to-services-with-microsoft-365-powershell?view=o365-worldwide) | modified |
+| 2/29/2024 | [What's new in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management?view=o365-worldwide) | modified |
+| 2/29/2024 | [Manage Loop app preview](/microsoft-365/loop/loop-preview-configuration?view=o365-worldwide) | added |
+| 2/29/2024 | [Deploy Shifts to your frontline teams at scale](/microsoft-365/frontline/deploy-shifts-at-scale?view=o365-worldwide) | modified |
+| 2/29/2024 | [Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc?view=o365-worldwide) | modified |
+| 2/29/2024 | [Manage Loop workspaces in SharePoint Embedded](/microsoft-365/loop/loop-workspaces-configuration?view=o365-worldwide) | modified |
+| 2/29/2024 | [Onboard Windows devices using a local script](/microsoft-365/security/defender-endpoint/configure-endpoints-script?view=o365-worldwide) | modified |
+| 2/29/2024 | [Set preferences for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide) | modified |
+| 2/29/2024 | [Microsoft Defender Antivirus in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide) | modified |
+| 3/1/2024 | [Data Residency for Microsoft Copilot for Microsoft 365](/microsoft-365/enterprise/m365-dr-workload-copilot?view=o365-worldwide) | added |
+| 3/1/2024 | [Advanced data residency in Microsoft 365](/microsoft-365/enterprise/advanced-data-residency?view=o365-worldwide) | modified |
+| 3/1/2024 | [Advanced Data Residency Commitments](/microsoft-365/enterprise/m365-dr-commitments?view=o365-worldwide) | modified |
+| 3/1/2024 | [Data Residency Legacy Move Program](/microsoft-365/enterprise/m365-dr-legacy-move-program?view=o365-worldwide) | modified |
+| 3/1/2024 | [Overview and Definitions](/microsoft-365/enterprise/m365-dr-overview?view=o365-worldwide) | modified |
+| 3/1/2024 | [Overview of Product Terms Data Residency](/microsoft-365/enterprise/m365-dr-product-terms-dr?view=o365-worldwide) | modified |
+| 3/1/2024 | [Data Residency for Exchange Online](/microsoft-365/enterprise/m365-dr-workload-exo?view=o365-worldwide) | modified |
+| 3/1/2024 | [Data Residency for Microsoft Defender for Office P1](/microsoft-365/enterprise/m365-dr-workload-mdo-p1?view=o365-worldwide) | modified |
+| 3/1/2024 | [Data Residency for Other Microsoft 365 Services](/microsoft-365/enterprise/m365-dr-workload-other?view=o365-worldwide) | modified |
+| 3/1/2024 | [Data Residency for Microsoft Purview](/microsoft-365/enterprise/m365-dr-workload-purview?view=o365-worldwide) | modified |
+| 3/1/2024 | [Data Residency for SharePoint and OneDrive](/microsoft-365/enterprise/m365-dr-workload-spo?view=o365-worldwide) | modified |
+| 3/1/2024 | [Data Residency for Microsoft Teams](/microsoft-365/enterprise/m365-dr-workload-teams?view=o365-worldwide) | modified |
+| 3/1/2024 | [Advanced technologies at the core of Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/adv-tech-of-mdav?view=o365-worldwide) | modified |
+| 3/1/2024 | [Evaluate network protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-worldwide) | modified |
+| 3/1/2024 | [Create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI](/microsoft-365/security/defender/defender-xdr-custom-reports?view=o365-worldwide) | modified |
+| 3/1/2024 | [Memory regression analysis](/microsoft-365/test-base/memory?view=o365-worldwide) | modified |
+| 3/1/2024 | [Hardware acceleration and Microsoft Defender Antivirus.](/microsoft-365/security/defender-endpoint/hardware-acceleration-and-mdav?view=o365-worldwide) | added |
+| 3/1/2024 | [Evaluate Microsoft Defender Antivirus using PowerShell.](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-using-powershell?view=o365-worldwide) | added |
+| 3/1/2024 | [Microsoft 365 admin center SharePoint activity reports](/microsoft-365/admin/activity-reports/sharepoint-activity-ww?view=o365-worldwide) | modified |
+| 3/1/2024 | [Microsoft 365 admin center Viva Engage activity reports](/microsoft-365/admin/activity-reports/viva-engage-activity-report-ww?view=o365-worldwide) | modified |
+| 3/1/2024 | [Microsoft 365 admin center Viva Learning activity reports](/microsoft-365/admin/activity-reports/viva-learning-activity?view=o365-worldwide) | modified |
+| 3/1/2024 | [Transfer data manually between two accounts](/microsoft-365/admin/get-help-with-domains/transfer-data-manually?view=o365-worldwide) | modified |
+| 3/1/2024 | [Domains Frequently Asked Questions](/microsoft-365/admin/setup/domains-faq?view=o365-worldwide) | modified |
++
+## Week of February 19, 2024
++
+| Published On |Topic title | Change |
+|||--|
+| 2/19/2024 | [What's new in Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score-whats-new?view=o365-worldwide) | modified |
+| 2/20/2024 | [Use roles to define your frontline managers and workers in Shifts](/microsoft-365/frontline/shifts-frontline-manager-worker-roles?view=o365-worldwide) | added |
+| 2/20/2024 | [Block Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/block-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified |
+| 2/20/2024 | [Delete Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/delete-and-restore-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified |
+| 2/20/2024 | [Manage Microsoft 365 groups](/microsoft-365/enterprise/manage-microsoft-365-groups?view=o365-worldwide) | modified |
+| 2/20/2024 | [Manage security groups with PowerShell](/microsoft-365/enterprise/manage-security-groups-with-microsoft-365-powershell?view=o365-worldwide) | modified |
+| 2/20/2024 | Manage schedule owners for shift management | removed |
+| 2/20/2024 | [Microsoft Teams Virtual Appointments Call Quality Dashboard](/microsoft-365/frontline/virtual-appointments-call-quality?view=o365-worldwide) | modified |
+| 2/20/2024 | [Set up multitenant management in Microsoft Defender XDR](/microsoft-365/security/defender/mto-requirements?view=o365-worldwide) | modified |
+| 2/20/2024 | [Automated investigation and response in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/air-about?view=o365-worldwide) | modified |
+| 2/20/2024 | [Use Azure Privileged Identity Management (PIM) in Microsoft Defender for Office 365 to limit admin access to cyber security tools.](/microsoft-365/security/office-365-security/pim-in-mdo-configure?view=o365-worldwide) | modified |
+| 2/21/2024 | [Manage add-ins in the admin center](/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploy and manage Office Add-ins](/microsoft-365/admin/manage/office-addins?view=o365-worldwide) | modified |
+| 2/21/2024 | [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center?view=o365-worldwide) | modified |
+| 2/21/2024 | [View the details and results of an automated investigation](/microsoft-365/security/defender-endpoint/autoir-investigation-results?view=o365-worldwide) | modified |
+| 2/21/2024 | [Use basic permissions to access the portal](/microsoft-365/security/defender-endpoint/basic-permissions?view=o365-worldwide) | modified |
+| 2/21/2024 | [Cloud protection and sample submission at Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide) | modified |
+| 2/21/2024 | [Device health Sensor health & OS report](/microsoft-365/security/defender-endpoint/device-health-sensor-health-os?view=o365-worldwide) | modified |
+| 2/21/2024 | [Download the Microsoft Defender for Endpoint client analyzer](/microsoft-365/security/defender-endpoint/download-client-analyzer?view=o365-worldwide) | modified |
+| 2/21/2024 | [EDR detection test for verifying device's onboarding and reporting service](/microsoft-365/security/defender-endpoint/edr-detection?view=o365-worldwide) | modified |
+| 2/21/2024 | [Turn on cloud protection in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/21/2024 | [Enable and update Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws?view=o365-worldwide) | modified |
+| 2/21/2024 | [Evaluate controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access?view=o365-worldwide) | modified |
+| 2/21/2024 | [See how Exploit protection works in a demo](/microsoft-365/security/defender-endpoint/evaluate-exploit-protection?view=o365-worldwide) | modified |
+| 2/21/2024 | [Evaluate Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/evaluate-mde?view=o365-worldwide) | modified |
+| 2/21/2024 | [Evaluate network protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-worldwide) | modified |
+| 2/21/2024 | [Review events and errors using Event Viewer](/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide) | modified |
+| 2/21/2024 | [Apply mitigations to help prevent attacks through vulnerabilities](/microsoft-365/security/defender-endpoint/exploit-protection?view=o365-worldwide) | modified |
+| 2/21/2024 | [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-ebpf?view=o365-worldwide) | modified |
+| 2/21/2024 | [Diagnosing performance issues with SharePoint](/microsoft-365/enterprise/diagnosing-performance-issues-with-sharepoint-online?view=o365-worldwide) | modified |
+| 2/21/2024 | [Microsoft 365 network connectivity test tool](/microsoft-365/enterprise/office-365-network-mac-perf-onboarding-tool?view=o365-worldwide) | modified |
+| 2/21/2024 | [Frequently asked questions (FAQs) about tamper protection](/microsoft-365/security/defender-endpoint/faqs-on-tamper-protection?view=o365-worldwide) | modified |
+| 2/21/2024 | [Fix unhealthy sensors in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors?view=o365-worldwide) | modified |
+| 2/21/2024 | [Become a Microsoft Defender for Endpoint partner](/microsoft-365/security/defender-endpoint/get-started-partner-integration?view=o365-worldwide) | modified |
+| 2/21/2024 | [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide) | modified |
+| 2/21/2024 | [Grant access to managed security service provider (MSSP)](/microsoft-365/security/defender-endpoint/grant-mssp-access?view=o365-worldwide) | modified |
+| 2/21/2024 | [Investigate agent health issues](/microsoft-365/security/defender-endpoint/health-status?view=o365-worldwide) | modified |
+| 2/21/2024 | [Host firewall reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/host-firewall-reporting?view=o365-worldwide) | modified |
+| 2/21/2024 | [Create indicators based on certificates](/microsoft-365/security/defender-endpoint/indicator-certificates?view=o365-worldwide) | modified |
+| 2/21/2024 | [Create indicators for files](/microsoft-365/security/defender-endpoint/indicator-file?view=o365-worldwide) | modified |
+| 2/21/2024 | [Manage indicators](/microsoft-365/security/defender-endpoint/indicator-manage?view=o365-worldwide) | modified |
+| 2/21/2024 | [Use Microsoft Defender for Endpoint sensitivity labels to protect your data and prioritize security incident response](/microsoft-365/security/defender-endpoint/information-protection-investigation?view=o365-worldwide) | modified |
+| 2/21/2024 | [Investigate Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/investigate-alerts?view=o365-worldwide) | modified |
+| 2/21/2024 | [Investigate connection events that occur behind forward proxies](/microsoft-365/security/defender-endpoint/investigate-behind-proxy?view=o365-worldwide) | modified |
+| 2/21/2024 | [Investigate an IP address associated with an alert](/microsoft-365/security/defender-endpoint/investigate-ip?view=o365-worldwide) | modified |
+| 2/21/2024 | [Investigate devices in the Defender for Endpoint Devices list](/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-worldwide) | modified |
+| 2/21/2024 | [Investigate a user account in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-user?view=o365-worldwide) | modified |
+| 2/21/2024 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on iOS with Mobile Application Management](/microsoft-365/security/defender-endpoint/ios-install-unmanaged?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune](/microsoft-365/security/defender-endpoint/ios-install?view=o365-worldwide) | modified |
+| 2/21/2024 | [Privacy information - Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-privacy?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshoot issues and find answers on FAQs related to Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-troubleshoot?view=o365-worldwide) | modified |
+| 2/21/2024 | [What's new in Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-whatsnew?view=o365-worldwide) | modified |
+| 2/21/2024 | [How to Deploy Defender for Endpoint on Linux with Chef](/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef?view=o365-worldwide) | modified |
+| 2/21/2024 | [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-exclusions?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with Ansible](/microsoft-365/security/defender-endpoint/linux-install-with-ansible?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with Puppet](/microsoft-365/security/defender-endpoint/linux-install-with-puppet?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with SaltStack](/microsoft-365/security/defender-endpoint/linux-install-with-saltack?view=o365-worldwide) | modified |
+| 2/21/2024 | [Privacy for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-privacy?view=o365-worldwide) | modified |
+| 2/21/2024 | [Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-pua?view=o365-worldwide) | modified |
+| 2/21/2024 | [How to schedule scans with Microsoft Defender for Endpoint (Linux)](/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde?view=o365-worldwide) | modified |
+| 2/21/2024 | [Microsoft Defender for Endpoint on Linux static proxy discovery](/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-connectivity?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-events?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-install?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-perf?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshoot issues for Microsoft Defender for Endpoint on Linux RHEL6](/microsoft-365/security/defender-endpoint/linux-support-rhel?view=o365-worldwide) | modified |
+| 2/21/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified |
+| 2/21/2024 | [Live response library methods and properties](/microsoft-365/security/defender-endpoint/live-response-library-methods?view=o365-worldwide) | modified |
+| 2/21/2024 | [macOS Device control policies frequently asked questions (FAQ)](/microsoft-365/security/defender-endpoint/mac-device-control-faq?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploy and manage Device Control using Intune](/microsoft-365/security/defender-endpoint/mac-device-control-intune?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploy and manage device control using JAMF](/microsoft-365/security/defender-endpoint/mac-device-control-jamf?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploy and manage device control manually](/microsoft-365/security/defender-endpoint/mac-device-control-manual?view=o365-worldwide) | modified |
+| 2/21/2024 | [Device control for macOS](/microsoft-365/security/defender-endpoint/mac-device-control-overview?view=o365-worldwide) | modified |
+| 2/21/2024 | [Sign in to Jamf Pro](/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro](/microsoft-365/security/defender-endpoint/mac-install-with-jamf?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm?view=o365-worldwide) | modified |
+| 2/21/2024 | [Set up device groups in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups?view=o365-worldwide) | modified |
+| 2/21/2024 | [Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices?view=o365-worldwide) | modified |
+| 2/21/2024 | [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=o365-worldwide) | modified |
+| 2/21/2024 | [Privacy for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-privacy?view=o365-worldwide) | modified |
+| 2/21/2024 | [Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-pua?view=o365-worldwide) | modified |
+| 2/21/2024 | [How to schedule scans with Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-schedule-scan?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshoot installation issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-install?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshoot license issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-license?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-perf?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshoot system extension issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-sys-ext?view=o365-worldwide) | modified |
+| 2/21/2024 | [New configuration profiles for macOS Big Sur and newer versions of macOS](/microsoft-365/security/defender-endpoint/mac-sysext-policies?view=o365-worldwide) | modified |
+| 2/21/2024 | [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deploy updates for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-updates?view=o365-worldwide) | modified |
+| 2/21/2024 | [Device inventory](/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide) | modified |
+| 2/21/2024 | [Manage Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide) | modified |
+| 2/21/2024 | [Manage automation folder exclusions](/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions?view=o365-worldwide) | modified |
+| 2/21/2024 | [Apply Microsoft Defender Antivirus updates after certain events](/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/21/2024 | [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout?view=o365-worldwide) | modified |
+| 2/21/2024 | [Manage Microsoft Defender for Endpoint incidents](/microsoft-365/security/defender-endpoint/manage-incidents?view=o365-worldwide) | modified |
+| 2/21/2024 | Manage Microsoft Defender for Endpoint using Configuration Manager | removed |
+| 2/21/2024 | Manage Microsoft Defender for Endpoint using Group Policy Objects | removed |
+| 2/21/2024 | Manage Microsoft Defender for Endpoint using Intune | removed |
+| 2/21/2024 | Manage Microsoft Defender for Endpoint using PowerShell, WMI, and MPCmdRun.exe | removed |
+| 2/21/2024 | Manage Microsoft Defender for Endpoint after initial setup or migration | removed |
+| 2/21/2024 | [Apply Microsoft Defender Antivirus protection updates to out of date endpoints](/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/21/2024 | [Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP](/microsoft-365/security/defender-endpoint/mde-linux-deployment-on-sap?view=o365-worldwide) | modified |
+| 2/21/2024 | [Manage contracts using a Microsoft 365 solution](/microsoft-365/syntex/solution-manage-contracts-in-microsoft-365) | modified |
+| 2/22/2024 | [Set up multifactor authentication for users](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) | modified |
+| 2/22/2024 | [Understand your invoice for your Microsoft MCA billing account](/microsoft-365/commerce/billing-and-payments/understand-your-invoice?view=o365-worldwide) | modified |
+| 2/22/2024 | [Buy or remove licenses for a Microsoft business subscription](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide) | modified |
+| 2/22/2024 | [Manage self-service purchases and trials (for admins)](/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins?view=o365-worldwide) | modified |
+| 2/22/2024 | [Manage system extensions using JamF](/microsoft-365/security/defender-endpoint/manage-sys-extensions-using-jamf?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get started with your Microsoft Defender for Endpoint deployment](/microsoft-365/security/defender-endpoint/mde-planning-guide?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL)](/microsoft-365/security/defender-endpoint/mde-plugin-wsl?view=o365-worldwide) | modified |
+| 2/22/2024 | [Configure Microsoft Defender for Cloud Apps integration](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-config?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender for Cloud Apps integration overview](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration?view=o365-worldwide) | modified |
+| 2/22/2024 | [Pilot ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus?view=o365-worldwide) | modified |
+| 2/22/2024 | [Production ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus?view=o365-worldwide) | modified |
+| 2/22/2024 | [Production ring deployment using Group Policy and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-microsoft-update?view=o365-worldwide) | modified |
+| 2/22/2024 | [Production ring deployment using Group Policy and network share](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share?view=o365-worldwide) | modified |
+| 2/22/2024 | [Appendices for ring deployment using Group Policy and Windows Server Update Services (WSUS)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices?view=o365-worldwide) | modified |
+| 2/22/2024 | [Ring deployment using Intune and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-intune-microsoft-update?view=o365-worldwide) | modified |
+| 2/22/2024 | [Ring deployment using System Center Configuration Manager and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-sscm-wsus?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender Antivirus ring deployment guide overview](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) | modified |
+| 2/22/2024 | [Schedule antivirus scans using Windows Management Instrumentation](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-wmi?view=o365-worldwide) | modified |
+| 2/22/2024 | [Changes coming to Topics](/microsoft-365/topics/changes-coming-to-topics?view=o365-worldwide) | added |
+| 2/22/2024 | [Frequently asked questions about changes coming to Topics](/microsoft-365/topics/topics-changes-faq?view=o365-worldwide) | added |
+| 2/22/2024 | [How to schedule an antivirus scan using Anacron in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/schedule-antivirus-scan-in-mde?view=o365-worldwide) | modified |
+| 2/22/2024 | [Schedule antivirus scans using Group Policy](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-group-policy?view=o365-worldwide) | modified |
+| 2/22/2024 | [Schedule antivirus scans using PowerShell](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-powershell?view=o365-worldwide) | modified |
+| 2/22/2024 | [Server migration scenarios for the new version of Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration?view=o365-worldwide) | modified |
+| 2/22/2024 | [Supported Microsoft Defender for Endpoint capabilities by platform](/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform?view=o365-worldwide) | modified |
+| 2/22/2024 | [Migrate to Microsoft Defender for Endpoint from non-Microsoft endpoint protection](/microsoft-365/security/defender-endpoint/switch-to-mde-overview?view=o365-worldwide) | modified |
+| 2/22/2024 | [Technological partners of Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/technological-partners?view=o365-worldwide) | modified |
+| 2/22/2024 | [Understand threat intelligence concepts in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-indicator-concepts?view=o365-worldwide) | modified |
+| 2/22/2024 | [Integrate Microsoft Defender for Endpoint with other Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration?view=o365-worldwide) | modified |
+| 2/22/2024 | [Data privacy and compliance in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-data-privacy-and-compliance?view=o365-worldwide) | added |
+| 2/22/2024 | [Assign roles to Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/assign-roles-to-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get scan history by session](/microsoft-365/security/defender-endpoint/api/get-scan-history-by-session?view=o365-worldwide) | modified |
+| 2/22/2024 | [Add, update, or delete a scan definition](/microsoft-365/security/defender-endpoint/api/add-a-new-scan-definition?view=o365-worldwide) | modified |
+| 2/22/2024 | [Add or remove a tag for a machine](/microsoft-365/security/defender-endpoint/api/add-or-remove-machine-tags?view=o365-worldwide) | modified |
+| 2/22/2024 | [Add or remove a tag for multiple machines](/microsoft-365/security/defender-endpoint/api/add-or-remove-multiple-machine-tags?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get alerts API](/microsoft-365/security/defender-endpoint/api/alerts?view=o365-worldwide) | modified |
+| 2/22/2024 | [API Explorer in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/api/api-explorer?view=o365-worldwide) | modified |
+| 2/22/2024 | [Hello World for Microsoft Defender for Endpoint API](/microsoft-365/security/defender-endpoint/api/api-hello-world?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender for Endpoint APIs connection to Power BI](/microsoft-365/security/defender-endpoint/api/api-power-bi?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender for Endpoint API release notes](/microsoft-365/security/defender-endpoint/api/api-release-notes?view=o365-worldwide) | modified |
+| 2/22/2024 | [Access the Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/apis-intro?view=o365-worldwide) | modified |
+| 2/22/2024 | [Batch Delete Indicators API](/microsoft-365/security/defender-endpoint/api/batch-delete-ti-indicators?view=o365-worldwide) | modified |
+| 2/22/2024 | [Batch Update alert entities API](/microsoft-365/security/defender-endpoint/api/batch-update-alerts?view=o365-worldwide) | modified |
+| 2/22/2024 | [Cancel machine action API](/microsoft-365/security/defender-endpoint/api/cancel-machine-action?view=o365-worldwide) | modified |
+| 2/22/2024 | [Collect investigation package API](/microsoft-365/security/defender-endpoint/api/collect-investigation-package?view=o365-worldwide) | modified |
+| 2/22/2024 | [Common Microsoft Defender for Endpoint API errors](/microsoft-365/security/defender-endpoint/api/common-errors?view=o365-worldwide) | modified |
+| 2/22/2024 | [Create alert from event API](/microsoft-365/security/defender-endpoint/api/create-alert-by-reference?view=o365-worldwide) | modified |
+| 2/22/2024 | [Delete a file from the live response library](/microsoft-365/security/defender-endpoint/api/delete-library?view=o365-worldwide) | modified |
+| 2/22/2024 | [Delete Indicator API.](/microsoft-365/security/defender-endpoint/api/delete-ti-indicator-by-id?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get alert information by ID API](/microsoft-365/security/defender-endpoint/api/get-alert-info-by-id?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get alert related domains information](/microsoft-365/security/defender-endpoint/api/get-alert-related-domain-info?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get alert related files information](/microsoft-365/security/defender-endpoint/api/get-alert-related-files-info?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get alert-related IPs' information](/microsoft-365/security/defender-endpoint/api/get-alert-related-ip-info?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get alert related machine information](/microsoft-365/security/defender-endpoint/api/get-alert-related-machine-info?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get alert related user information](/microsoft-365/security/defender-endpoint/api/get-alert-related-user-info?view=o365-worldwide) | modified |
+| 2/22/2024 | [List alerts API](/microsoft-365/security/defender-endpoint/api/get-alerts?view=o365-worldwide) | modified |
+| 2/22/2024 | [List all recommendations](/microsoft-365/security/defender-endpoint/api/get-all-recommendations?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get all vulnerabilities by machine and software](/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities-by-machines?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get all vulnerabilities](/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities?view=o365-worldwide) | modified |
+| 2/22/2024 | [Export assessment methods and properties per device](/microsoft-365/security/defender-endpoint/api/get-assessment-methods-properties?view=o365-worldwide) | modified |
+| 2/22/2024 | [Export secure configuration assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-secure-config?view=o365-worldwide) | modified |
+| 2/22/2024 | [Export software inventory assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-software-inventory?view=o365-worldwide) | modified |
+| 2/22/2024 | [Export software vulnerabilities assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-software-vulnerabilities?view=o365-worldwide) | modified |
+| 2/22/2024 | [Authenticated scan methods and properties](/microsoft-365/security/defender-endpoint/api/get-authenticated-scan-properties?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get the device secure score](/microsoft-365/security/defender-endpoint/api/get-device-secure-score?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get discovered vulnerabilities](/microsoft-365/security/defender-endpoint/api/get-discovered-vulnerabilities?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get domain-related alerts API](/microsoft-365/security/defender-endpoint/api/get-domain-related-alerts?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get domain-related machines API](/microsoft-365/security/defender-endpoint/api/get-domain-related-machines?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get domain statistics API](/microsoft-365/security/defender-endpoint/api/get-domain-statistics?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get exposure score](/microsoft-365/security/defender-endpoint/api/get-exposure-score?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get file information API](/microsoft-365/security/defender-endpoint/api/get-file-information?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get file-related alerts API](/microsoft-365/security/defender-endpoint/api/get-file-related-alerts?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get file-related machines API](/microsoft-365/security/defender-endpoint/api/get-file-related-machines?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get file statistics API](/microsoft-365/security/defender-endpoint/api/get-file-statistics?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get installed software](/microsoft-365/security/defender-endpoint/api/get-installed-software?view=o365-worldwide) | modified |
+| 2/22/2024 | [List Investigations API](/microsoft-365/security/defender-endpoint/api/get-investigation-collection?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get Investigation object API](/microsoft-365/security/defender-endpoint/api/get-investigation-object?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get IP related alerts API](/microsoft-365/security/defender-endpoint/api/get-ip-related-alerts?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get IP statistics API](/microsoft-365/security/defender-endpoint/api/get-ip-statistics?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get live response results](/microsoft-365/security/defender-endpoint/api/get-live-response-result?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get machine by ID API](/microsoft-365/security/defender-endpoint/api/get-machine-by-id?view=o365-worldwide) | modified |
+| 2/22/2024 | [List exposure score by device group](/microsoft-365/security/defender-endpoint/api/get-machine-group-exposure-score?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get machine logon users API](/microsoft-365/security/defender-endpoint/api/get-machine-log-on-users?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get machine related alerts API](/microsoft-365/security/defender-endpoint/api/get-machine-related-alerts?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get MachineAction object API](/microsoft-365/security/defender-endpoint/api/get-machineaction-object?view=o365-worldwide) | modified |
+| 2/22/2024 | [List machineActions API](/microsoft-365/security/defender-endpoint/api/get-machineactions-collection?view=o365-worldwide) | modified |
+| 2/22/2024 | [List devices by software](/microsoft-365/security/defender-endpoint/api/get-machines-by-software?view=o365-worldwide) | modified |
+| 2/22/2024 | [List devices by vulnerability](/microsoft-365/security/defender-endpoint/api/get-machines-by-vulnerability?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get missing KBs by device ID](/microsoft-365/security/defender-endpoint/api/get-missing-kbs-machine?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get missing KBs by software ID](/microsoft-365/security/defender-endpoint/api/get-missing-kbs-software?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get package SAS URI API](/microsoft-365/security/defender-endpoint/api/get-package-sas-uri?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get recommendation by Id](/microsoft-365/security/defender-endpoint/api/get-recommendation-by-id?view=o365-worldwide) | modified |
+| 2/22/2024 | [List devices by recommendation](/microsoft-365/security/defender-endpoint/api/get-recommendation-machines?view=o365-worldwide) | modified |
+| 2/22/2024 | [List vulnerabilities by recommendation](/microsoft-365/security/defender-endpoint/api/get-recommendation-vulnerabilities?view=o365-worldwide) | modified |
+| 2/22/2024 | [List all remediation activities](/microsoft-365/security/defender-endpoint/api/get-remediation-all-activities?view=o365-worldwide) | modified |
+| 2/22/2024 | [List exposed devices of one remediation activity](/microsoft-365/security/defender-endpoint/api/get-remediation-exposed-devices-activities?view=o365-worldwide) | modified |
+| 2/22/2024 | [Remediation activity methods and properties](/microsoft-365/security/defender-endpoint/api/get-remediation-methods-properties?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get one remediation activity by ID](/microsoft-365/security/defender-endpoint/api/get-remediation-one-activity?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get security recommendations](/microsoft-365/security/defender-endpoint/api/get-security-recommendations?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get software by ID](/microsoft-365/security/defender-endpoint/api/get-software-by-id?view=o365-worldwide) | modified |
+| 2/22/2024 | [List software version distribution](/microsoft-365/security/defender-endpoint/api/get-software-ver-distribution?view=o365-worldwide) | modified |
+| 2/22/2024 | [List software](/microsoft-365/security/defender-endpoint/api/get-software?view=o365-worldwide) | modified |
+| 2/22/2024 | [List Indicators API](/microsoft-365/security/defender-endpoint/api/get-ti-indicators-collection?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get user-related alerts API](/microsoft-365/security/defender-endpoint/api/get-user-related-alerts?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get user-related machines API](/microsoft-365/security/defender-endpoint/api/get-user-related-machines?view=o365-worldwide) | modified |
+| 2/22/2024 | [List vulnerabilities by software](/microsoft-365/security/defender-endpoint/api/get-vuln-by-software?view=o365-worldwide) | modified |
+| 2/22/2024 | [Get vulnerability by ID](/microsoft-365/security/defender-endpoint/api/get-vulnerability-by-id?view=o365-worldwide) | modified |
+| 2/22/2024 | [Import Indicators API](/microsoft-365/security/defender-endpoint/api/import-ti-indicators?view=o365-worldwide) | modified |
+| 2/22/2024 | [Start Investigation API](/microsoft-365/security/defender-endpoint/api/initiate-autoir-investigation?view=o365-worldwide) | modified |
+| 2/22/2024 | [Stream Microsoft Defender for Endpoint event](/microsoft-365/security/defender-endpoint/api/raw-data-export?view=o365-worldwide) | modified |
+| 2/22/2024 | [Recommendation methods and properties](/microsoft-365/security/defender-endpoint/api/recommendation?view=o365-worldwide) | modified |
+| 2/22/2024 | [Restrict app execution API](/microsoft-365/security/defender-endpoint/api/restrict-code-execution?view=o365-worldwide) | modified |
+| 2/22/2024 | [Advanced Hunting API](/microsoft-365/security/defender-endpoint/api/run-advanced-query-api?view=o365-worldwide) | modified |
+| 2/22/2024 | [Advanced Hunting with PowerShell API Basics](/microsoft-365/security/defender-endpoint/api/run-advanced-query-sample-powershell?view=o365-worldwide) | modified |
+| 2/22/2024 | [Advanced Hunting with Python API Guide](/microsoft-365/security/defender-endpoint/api/run-advanced-query-sample-python?view=o365-worldwide) | modified |
+| 2/22/2024 | [Run antivirus scan API](/microsoft-365/security/defender-endpoint/api/run-av-scan?view=o365-worldwide) | modified |
+| 2/22/2024 | [Set device value API](/microsoft-365/security/defender-endpoint/api/set-device-value?view=o365-worldwide) | modified |
+| 2/22/2024 | [Software methods and properties](/microsoft-365/security/defender-endpoint/api/software?view=o365-worldwide) | modified |
+| 2/22/2024 | [Stop and quarantine file API](/microsoft-365/security/defender-endpoint/api/stop-and-quarantine-file?view=o365-worldwide) | modified |
+| 2/22/2024 | [Indicator resource type](/microsoft-365/security/defender-endpoint/api/ti-indicator?view=o365-worldwide) | modified |
+| 2/22/2024 | [Release device from isolation API](/microsoft-365/security/defender-endpoint/api/unisolate-machine?view=o365-worldwide) | modified |
+| 2/22/2024 | [Remove app restriction API](/microsoft-365/security/defender-endpoint/api/unrestrict-code-execution?view=o365-worldwide) | modified |
+| 2/22/2024 | [Update alert entity API](/microsoft-365/security/defender-endpoint/api/update-alert?view=o365-worldwide) | modified |
+| 2/22/2024 | [Update machine entity API](/microsoft-365/security/defender-endpoint/api/update-machine-method?view=o365-worldwide) | modified |
+| 2/22/2024 | [Upload files to the live response library](/microsoft-365/security/defender-endpoint/api/upload-library?view=o365-worldwide) | modified |
+| 2/22/2024 | [User resource type](/microsoft-365/security/defender-endpoint/api/user?view=o365-worldwide) | modified |
+| 2/22/2024 | [Vulnerability methods and properties](/microsoft-365/security/defender-endpoint/api/vulnerability?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender Offline scan in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-offline?view=o365-worldwide) | modified |
+| 2/22/2024 | [Migrating from non-Microsoft HIPS to attack surface reduction rules](/microsoft-365/security/defender-endpoint/migrating-asr-rules?view=o365-worldwide) | modified |
+| 2/22/2024 | [Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud?view=o365-worldwide) | modified |
+| 2/22/2024 | [Resources for Microsoft Defender for Endpoint for mobile devices](/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint?view=o365-worldwide) | modified |
+| 2/22/2024 | [Monthly security summary reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/monthly-security-summary-report?view=o365-worldwide) | modified |
+| 2/22/2024 | [Managed security service provider (MSSP) partnership opportunities](/microsoft-365/security/defender-endpoint/mssp-support?view=o365-worldwide) | modified |
+| 2/22/2024 | [Use network protection to help prevent Linux connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-linux?view=o365-worldwide) | modified |
+| 2/22/2024 | [Use network protection to help prevent macOS connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-macos?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender for Endpoint on other platforms](/microsoft-365/security/defender-endpoint/non-windows?view=o365-worldwide) | modified |
+| 2/22/2024 | [Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats](/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/22/2024 | [Onboarding using Microsoft Intune](/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide) | modified |
+| 2/22/2024 | [Create an onboarding or offboarding notification rule](/microsoft-365/security/defender-endpoint/onboarding-notification?view=o365-worldwide) | modified |
+| 2/22/2024 | [Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer](/microsoft-365/security/defender-endpoint/overview-client-analyzer?view=o365-worldwide) | modified |
+| 2/22/2024 | [Partner applications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/partner-applications?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender for Endpoint partner opportunities and scenarios](/microsoft-365/security/defender-endpoint/partner-integration?view=o365-worldwide) | modified |
+| 2/22/2024 | [Hide the Microsoft Defender Antivirus interface](/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide) | modified |
+| 2/22/2024 | [Turn on the preview experience in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/preview-settings?view=o365-worldwide) | modified |
+| 2/22/2024 | [Microsoft Defender for Endpoint preview features](/microsoft-365/security/defender-endpoint/preview?view=o365-worldwide) | modified |
+| 2/22/2024 | [Professional services supported by Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/professional-services?view=o365-worldwide) | modified |
+| 2/22/2024 | [Use role-based access control to grant fine-grained access to Microsoft Defender portal](/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide) | modified |
+| 2/22/2024 | [Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration](/microsoft-365/security/defender-endpoint/review-detected-threats?view=o365-worldwide) | modified |
+| 2/22/2024 | [Run a detection test on a device recently onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/run-detection-test?view=o365-worldwide) | modified |
+| 2/22/2024 | [Use Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-nativeapp?view=o365-worldwide) | modified |
+| 2/22/2024 | [Partner access through Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-partners?view=o365-worldwide) | modified |
+| 2/22/2024 | [Create an app to access Microsoft Defender for Endpoint without a user](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-webapp?view=o365-worldwide) | modified |
+| 2/22/2024 | [Advanced Hunting with PowerShell API Guide](/microsoft-365/security/defender-endpoint/api/exposed-apis-full-sample-powershell?view=o365-worldwide) | modified |
+| 2/22/2024 | [Supported Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-list?view=o365-worldwide) | modified |
+| 2/22/2024 | [OData queries with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/api/exposed-apis-odata-samples?view=o365-worldwide) | modified |
+| 2/22/2024 | [Fetch alerts from MSSP customer tenant](/microsoft-365/security/defender-endpoint/api/fetch-alerts-mssp?view=o365-worldwide) | modified |
+| 2/22/2024 | [File resource type](/microsoft-365/security/defender-endpoint/api/files?view=o365-worldwide) | modified |
+| 2/22/2024 | [Find device information by internal IP API](/microsoft-365/security/defender-endpoint/api/find-machine-info-by-ip?view=o365-worldwide) | modified |
+| 2/22/2024 | [Find devices by internal IP API](/microsoft-365/security/defender-endpoint/api/find-machines-by-ip?view=o365-worldwide) | modified |
+| 2/22/2024 | [Find devices by tag API](/microsoft-365/security/defender-endpoint/api/find-machines-by-tag?view=o365-worldwide) | modified |
+| 2/22/2024 | [Investigation resource type](/microsoft-365/security/defender-endpoint/api/investigation?view=o365-worldwide) | modified |
+| 2/22/2024 | [Isolate machine API](/microsoft-365/security/defender-endpoint/api/isolate-machine?view=o365-worldwide) | modified |
+| 2/22/2024 | [List library files](/microsoft-365/security/defender-endpoint/api/list-library-files?view=o365-worldwide) | modified |
+| 2/22/2024 | [List software by recommendation](/microsoft-365/security/defender-endpoint/api/list-recommendation-software?view=o365-worldwide) | modified |
+| 2/22/2024 | [Machine resource type](/microsoft-365/security/defender-endpoint/api/machine?view=o365-worldwide) | modified |
+| 2/22/2024 | [machineAction resource type](/microsoft-365/security/defender-endpoint/api/machineaction?view=o365-worldwide) | modified |
+| 2/22/2024 | [Overview of management and APIs](/microsoft-365/security/defender-endpoint/api/management-apis?view=o365-worldwide) | modified |
+| 2/22/2024 | [Submit or Update Indicator API](/microsoft-365/security/defender-endpoint/api/post-ti-indicator?view=o365-worldwide) | modified |
+| 2/22/2024 | [Stream Microsoft Defender for Endpoint events to your Storage account](/microsoft-365/security/defender-endpoint/api/raw-data-export-storage?view=o365-worldwide) | modified |
+| 2/23/2024 | [Upgrade or change to a different Microsoft 365 for business plan](/microsoft-365/commerce/subscriptions/upgrade-to-different-plan?view=o365-worldwide) | modified |
+| 2/23/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune?view=o365-worldwide) | modified |
+| 2/23/2024 | [Use a promo code to reduce price of a new Microsoft 365 for business subscription](/microsoft-365/commerce/use-a-promo-code?view=o365-worldwide) | modified |
+| 2/23/2024 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide) | modified |
security Android Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md
Follow the steps below to add Microsoft Defender for Endpoint app into your mana
By default, managed Google Play selects **Keep approved when app requests new permissions**. > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/ffecfdda1c4df14148f1526c22cc0236.png" alt-text=" The approval settings configuration completion page in the in the Microsoft Defender 365 portal" lightbox="images/ffecfdda1c4df14148f1526c22cc0236.png":::
+ > :::image type="content" source="media/ffecfdda1c4df14148f1526c22cc0236.png" alt-text=" The approval settings configuration completion page in the in the Microsoft Defender 365 portal" lightbox="media/ffecfdda1c4df14148f1526c22cc0236.png":::
6. After the permissions handling selection is made, select **Sync** to sync Microsoft Defender for Endpoint to your apps list.
Follow the steps below to add Microsoft Defender for Endpoint app into your mana
8. Select the **Refresh** button in the Android apps screen and Microsoft Defender for Endpoint should be visible in the apps list.
- :::image type="content" source="images/fa4ac18a6333335db3775630b8e6b353.png" alt-text="The page displaying the synced application" lightbox="images/fa4ac18a6333335db3775630b8e6b353.png":::
+ :::image type="content" source="media/fa4ac18a6333335db3775630b8e6b353.png" alt-text="The page displaying the synced application" lightbox="media/fa4ac18a6333335db3775630b8e6b353.png":::
9. Defender for Endpoint supports App configuration policies for managed devices via Microsoft Intune. This capability can be leveraged to select different configurations for Defender.
Follow the steps below to add Microsoft Defender for Endpoint app into your mana
1. You should see all the selected configurations listed. You can change the configuration value as required and then select **Next**.
- :::image type="content" alt-text="Image of selected configuration policies." source="images/listedconfigurations.png" lightbox="images/listedconfigurations.png":::
+ :::image type="content" alt-text="Image of selected configuration policies." source="media/listedconfigurations.png" lightbox="media/listedconfigurations.png":::
1. In the **Assignments** page, select the user group to which this app config policy would be assigned. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
If a user faces an issue, which isn't already addressed in the above sections or
5. Provide details of the issue that you're facing and check "Send diagnostic data". We recommend checking "Include your email address" so that the team can reach back to you with a solution or a follow-up.
- :::image type="content" source="images/finalsubmit5.png" alt-text="The pane on which you can add details and attach diagnostic data" lightbox="images/finalsubmit5.png":::
+ :::image type="content" source="media/finalsubmit5.png" alt-text="The pane on which you can add details and attach diagnostic data" lightbox="media/finalsubmit5.png":::
6. Select on "Submit" to successfully send the feedback. [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Api Hello World https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/api-hello-world.md
For the Application registration stage, you must have a **Global administrator**
> [!NOTE] > Every time you add permission, you must click on **Grant consent** for the new permission to take effect.
- :::image type="content" source="../images/grant-consent.png" alt-text="The grant permission consent option in the Microsoft Entra admin center" lightbox="../images/grant-consent.png":::
+ :::image type="content" source="../media/grant-consent.png" alt-text="The grant permission consent option in the Microsoft Entra admin center" lightbox="../media/grant-consent.png":::
6. Add a secret to the application.
security Exposed Apis Create App Nativeapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-nativeapp.md
This page explains how to create a Microsoft Entra application, get an access to
> [!NOTE] > Every time you add permission you must select on **Grant consent** for the new permission to take effect.
- :::image type="content" source="../images/grant-consent.png" alt-text="The Grand admin consent option" lightbox="../images/grant-consent.png":::
+ :::image type="content" source="../media/grant-consent.png" alt-text="The Grand admin consent option" lightbox="../media/grant-consent.png":::
5. Write down your application ID and your tenant ID.
security Exposed Apis Create App Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-partners.md
In the following example we use **'Read all alerts'** permission:
- **Note**: Every time you add permission you must select on **Grant consent** for the new permission to take effect.
- :::image type="content" source="../images/grant-consent.png" alt-text="The option that allows consent to be granted" lightbox="../images/grant-consent.png":::
+ :::image type="content" source="../media/grant-consent.png" alt-text="The option that allows consent to be granted" lightbox="../media/grant-consent.png":::
3. Add a secret to the application.
security Exposed Apis Create App Webapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-webapp.md
This article explains how to create a Microsoft Entra application, get an access
> [!NOTE] > Every time you add a permission, you must select **Grant consent** for the new permission to take effect.
- :::image type="content" source="../images/grant-consent.png" alt-text="The grant permissions page" lightbox="../images/grant-consent.png":::
+ :::image type="content" source="../media/grant-consent.png" alt-text="The grant permissions page" lightbox="../media/grant-consent.png":::
6. To add a secret to the application, select **Certificates & secrets**, add a description to the secret, and then select **Add**.
security Raw Data Export Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/raw-data-export-event-hub.md
To get the data types for event properties do the following:
- Here is an example for Device Info event:
- :::image type="content" source="../images/machine-info-datatype-example.png" alt-text="The Event Hubs resource Id-2" lightbox="../images/machine-info-datatype-example.png":::
+ :::image type="content" source="../media/machine-info-datatype-example.png" alt-text="The Event Hubs resource Id-2" lightbox="../media/machine-info-datatype-example.png":::
## Related topics
security Collect Diagnostic Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md
You can also specify where the diagnostic `.cab` file is created using a Group P
2. Select **Define the directory path to copy support log files**.
- :::image type="content" source="images/GPO1-SupportLogLocationDefender.png" alt-text="The local group policy editor" lightbox="images/GPO1-SupportLogLocationDefender.png":::
+ :::image type="content" source="media/GPO1-SupportLogLocationDefender.png" alt-text="The local group policy editor" lightbox="media/GPO1-SupportLogLocationDefender.png":::
- :::image type="content" source="images/GPO2-SupportLogLocationGPPage.png" alt-text="The define path for log files setting" lightbox="images/GPO2-SupportLogLocationGPPage.png":::
+ :::image type="content" source="media/GPO2-SupportLogLocationGPPage.png" alt-text="The define path for log files setting" lightbox="media/GPO2-SupportLogLocationGPPage.png":::
- :::image type="content" source="images/GPO1-SupportLogLocationDefender.png" alt-text="The local group policy editor" lightbox="images/GPO1-SupportLogLocationDefender.png":::
+ :::image type="content" source="media/GPO1-SupportLogLocationDefender.png" alt-text="The local group policy editor" lightbox="media/GPO1-SupportLogLocationDefender.png":::
- :::image type="content" source="images/GPO2-SupportLogLocationGPPage.png" alt-text="The define path for configuring the log files setting" lightbox="images/GPO2-SupportLogLocationGPPage.png":::
+ :::image type="content" source="media/GPO2-SupportLogLocationGPPage.png" alt-text="The define path for configuring the log files setting" lightbox="media/GPO2-SupportLogLocationGPPage.png":::
3. Inside the policy editor, select **Enabled**. 4. Specify the directory path where you want to copy the support log files in the **Options** field.
- :::image type="content" source="images/GPO3-SupportLogLocationGPPageEnabledExample.png" alt-text="The Enabled directory path custom setting" lightbox="images/GPO3-SupportLogLocationGPPageEnabledExample.png":::
+ :::image type="content" source="media/GPO3-SupportLogLocationGPPageEnabledExample.png" alt-text="The Enabled directory path custom setting" lightbox="media/GPO3-SupportLogLocationGPPageEnabledExample.png":::
5. Select **OK** or **Apply**.
security Comprehensive Guidance On Linux Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment.md
With macOS and Linux, you could take a couple of systems and run in the Beta cha
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in Beta are the first ones to receive updates and new features, followed later by Preview and lastly by Current. In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either Beta or Preview.
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
Create a new Group Policy or group these settings in with the other policies. Th
4. In the Scan folder, configure the scan settings.
- :::image type="content" source="images/gpo-scans.png" alt-text="gpo scans" lightbox="images/gpo-scans.png":::
+ :::image type="content" source="media/gpo-scans.png" alt-text="gpo scans" lightbox="media/gpo-scans.png":::
### Monitor all files in Real time protection
Browse to **Computer Configuration** \> **Policies** \> **Administrative Templat
Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **MAPS**. :::image type="content" source="images/send-file-sample-further-analysis-require.png" alt-text="Send file sample when further analysis is required" lightbox="images/send-file-sample-further-analysis-require.png":::
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
You can use **Local Group Policy Editor** to enable and configure Microsoft Defe
2. Under **Best match**, select **Edit group policy** to launch **Local Group Policy Editor**.
- :::image type="content" source="images/gpedit-search.png" alt-text="The GPEdit taskbar search result in the Control panel" lightbox="images/gpedit-search.png":::
+ :::image type="content" source="media/gpedit-search.png" alt-text="The GPEdit taskbar search result in the Control panel" lightbox="media/gpedit-search.png":::
2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus**.
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
You'll need to download both the **installation** and **onboarding** packages fr
> The installation package is updated monthly. Be sure to download the latest package before usage. > To update after installation, you do not have to run the installer package again. If you do, the installer will ask you to offboard first as that is a requirement for uninstallation. See [Update packages for Microsoft Defender for Endpoint on Windows Server 2012 R2 and 2016](#update-packages-for-microsoft-defender-for-endpoint-on-windows-server-2012-r2-and-2016). > [!NOTE] > On Windows Server 2012R2, Microsoft Defender Antivirus will get installed by the installation package and will be active unless you set it to passive mode. On Windows Server 2016, Microsoft Defender Antivirus must be installed as a feature (see [Switch to MDE](/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2#re-enable-microsoft-defender-antivirus-on-windows-server-2016)) first and fully updated before proceeding with the installation.
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
search.appverid: met150
In endpoint protection solutions, a false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Defender for Endpoint](microsoft-defender-endpoint.md). Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives occurring with Defender for Endpoint, your security operations can take steps to address them by using the following process:
Fortunately, steps can be taken to address and reduce these kinds of issues. If
You can get help if you still have issues with false positives/negatives after performing the tasks described in this article. See [Still need help?](#still-need-help) > [!NOTE] > This article is intended as guidance for security operators and security administrators who are using [Defender for Endpoint](microsoft-defender-endpoint.md).
To specify entities as exclusions for Defender for Endpoint, create "allow" indi
- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) - [Application certificates](#indicators-for-application-certificates) #### Indicators for files
security Defender Endpoint Trial User Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-trial-user-guide.md
This playbook is a simple guide to help you make the most of your free trial. Us
<center><h2>Microsoft Defender for Endpoint</center></h2> <table> <tr>
-<td><a href="microsoft-defender-endpoint.md#tvm"><center><img src="images/logo-mdvm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td>
+<td><a href="microsoft-defender-endpoint.md#tvm"><center><img src="medivm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td>
<td><a href="microsoft-defender-endpoint.md#asr"><center><img src="media/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td> <td><center><a href="microsoft-defender-endpoint.md#ngp"><img src="images/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td> <td><center><a href="microsoft-defender-endpoint.md#edr"><img src="media/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td>
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
Already have a lab? Make sure to enable the new threat simulators and have activ
2. Depending on your evaluation needs, you can choose to setup an environment with fewer devices for a longer period or more devices for a shorter period. Select your preferred lab configuration then select **Next**.
- :::image type="content" source="images/lab-creation-page.png" alt-text="The lab configuration options" lightbox="images/lab-creation-page.png":::
+ :::image type="content" source="media/lab-creation-page.png" alt-text="The lab configuration options" lightbox="media/lab-creation-page.png":::
3. (Optional) You can choose to install threat simulators in the lab.
- :::image type="content" source="images/install-agent.png" alt-text="The install simulators agent page" lightbox="images/install-agent.png":::
+ :::image type="content" source="media/install-agent.png" alt-text="The install simulators agent page" lightbox="media/install-agent.png":::
> [!IMPORTANT] > You'll first need to accept and provide consent to the terms and information sharing statements. 4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the devices you add.
- :::image type="content" source="images/lab-setup-summary.png" alt-text="The summary page" lightbox="images/lab-setup-summary.png":::
+ :::image type="content" source="media/lab-setup-summary.png" alt-text="The summary page" lightbox="media/lab-setup-summary.png":::
5. Review the summary and select **Setup lab**.
Automated investigation settings will be dependent on tenant settings. It will b
5. See the status of test devices, the risk and exposure levels, and the status of simulator installations by selecting the **Devices** tab.
- :::image type="content" source="images/machines-tab.png" alt-text="The devices tab" lightbox="images/machines-tab.png":::
+ :::image type="content" source="media/machines-tab.png" alt-text="The devices tab" lightbox="media/machines-tab.png":::
> [!TIP] > In the **Simulator status** column, you can hover over the information icon to know the installation status of an agent.
security Grant Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/grant-mssp-access.md
To implement a multitenant delegated access solution, take the following steps:
To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, it's called, **MSSP Accesses**.
- :::image type="content" source="images/goverance-catalog.png" alt-text="The new catalog page" lightbox="images/goverance-catalog.png":::
+ :::image type="content" source="media/goverance-catalog.png" alt-text="The new catalog page" lightbox="media/goverance-catalog.png":::
Further more information, see [Create a catalog of resources](/azure/active-directory/governance/entitlement-management-catalog-create).
security Host Firewall Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md
catch {
Here are some examples of the firewall report pages. Here you'll find a summary of inbound, outbound, and application activity. You can access this page directly by going to <https://security.microsoft.com/firewall>. These reports can also be accessed by going to **Reports** > **Security Report** > **Devices** (section) located at the bottom of the **Firewall Blocked Inbound Connections** card.
These reports can also be accessed by going to **Reports** > **Security Report**
Cards support interactive objects. You can drill into the activity of a device by clicking on the device name, which will launch the Microsoft Defender portal in a new tab, and take you directly to the **Device Timeline** tab. You can now select the **Timeline** tab, which will give you a list of events associated with that device. After clicking on the **Filters** button on the upper right-hand corner of the viewing pane, select the type of event you want. In this case, select **Firewall events** and the pane will be filtered to Firewall events. ### Drill into advanced hunting (preview refresh) Firewall reports support drilling from the card directly into **Advanced Hunting** by clicking the **Open Advanced hunting** button. The query will be pre-populated. The query can now be executed, and all related Firewall events from the last 30 days can be explored.
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
Choose if to Generate an alert on the file block event and define the alerts set
- Description - Recommended actions > [!IMPORTANT] >
security Information Protection Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-investigation.md
Learn how to use data sensitivity labels to prioritize incident investigation.
3. Open the incident page to further investigate.
- :::image type="content" source="images/incident-page.png" alt-text="The incident page details" lightbox="images/incident-page.png":::
+ :::image type="content" source="media/incident-page.png" alt-text="The incident page details" lightbox="media/incident-page.png":::
4. Select the **Devices** tab to identify devices storing files with sensitivity labels.
- :::image type="content" source="images/investigate-devices-tab.png" alt-text="The Device tab" lightbox="images/investigate-devices-tab.png":::
+ :::image type="content" source="media/investigate-devices-tab.png" alt-text="The Device tab" lightbox="media/investigate-devices-tab.png":::
5. Select the devices that store sensitive data and search through the timeline to identify which files might be impacted then take appropriate action to ensure that data is protected. You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this shows only events associated with files that the label name.
- :::image type="content" source="images/machine-timeline-labels.png" alt-text="The device timeline with narrowed down search results based on label" lightbox="images/machine-timeline-labels.png":::
+ :::image type="content" source="media/machine-timeline-labels.png" alt-text="The device timeline with narrowed down search results based on label" lightbox="media/machine-timeline-labels.png":::
> [!TIP] > These data points are also exposed through the 'DeviceFileEvents' in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
security Investigate Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md
The **Azure Advanced Threat Protection** card displays a high-level overview of
The **Logged on users** card shows how many users logged on in the past 30 days, along with the most and least frequent users. Selecting the **See all users** link opens the details pane, which displays information such as user type, sign-in type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md). > [!NOTE] > The 'Most frequent' user value is calculated only based on evidence of users who successfully logged on interactively.
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
While enabled by default, there might be some cases that require you to disable
3. Toggle off **Connect On Demand** to disable VPN.
- :::image type="content" source="images/ios-vpn-config.png" alt-text="The toggle button for the VPN config Connect on demand option" lightbox="images/ios-vpn-config.png":::
+ :::image type="content" source="media/ios-vpn-config.png" alt-text="The toggle button for the VPN config Connect on demand option" lightbox="media/ios-vpn-config.png":::
> [!NOTE] > Web Protection isn't available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**.
Follow the steps below to create a compliance policy against jailbroken devices.
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** \> **Compliance policies** \> **Create Policy**. Select "iOS/iPadOS" as platform and select **Create**.
- :::image type="content" source="images/ios-jb-policy.png" alt-text="The Create Policy tab" lightbox="images/ios-jb-policy.png":::
+ :::image type="content" source="media/ios-jb-policy.png" alt-text="The Create Policy tab" lightbox="media/ios-jb-policy.png":::
2. Specify a name of the policy, such as *Compliance Policy for Jailbreak*. 3. In the compliance settings page, select to expand **Device Health** section and select **Block** for **Jailbroken devices** field.
- :::image type="content" source="images/ios-jb-settings.png" alt-text="The Compliance settings tab" lightbox="images/ios-jb-settings.png":::
+ :::image type="content" source="media/ios-jb-settings.png" alt-text="The Compliance settings tab" lightbox="media/ios-jb-settings.png":::
4. In the **Actions for noncompliance** section, select the actions as per your requirements and select **Next**.
- :::image type="content" source="images/ios-jb-actions.png" alt-text="The Actions for noncompliance tab" lightbox="images/ios-jb-actions.png":::
+ :::image type="content" source="media/ios-jb-actions.png" alt-text="The Actions for noncompliance tab" lightbox="media/ios-jb-actions.png":::
5. In the **Assignments** section, select the user groups that you want to include for this policy and then select **Next**.
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Deploy Defender for Endpoint on iOS via Microsoft Intune Company Portal.
1. In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** > **iOS/iPadOS** > **Add** > **iOS store app** and click **Select**.
- :::image type="content" source="images/ios-deploy-1.png" alt-text="The Add applications tab in the Microsoft Intune admin center" lightbox="images/ios-deploy-1.png":::
+ :::image type="content" source="media/ios-deploy-1.png" alt-text="The Add applications tab in the Microsoft Intune admin center" lightbox="media/ios-deploy-1.png":::
1. On the **Add app** page, click on **Search the App Store** and type **Microsoft Defender** in the search bar. In the search results section, click on *Microsoft Defender* and click **Select**.
Deploy Defender for Endpoint on iOS via Microsoft Intune Company Portal.
> [!NOTE] > The selected user group should consist of Microsoft Intune enrolled users.
- :::image type="content" source="images/ios-deploy-2.png" alt-text="The Add group tab in the Microsoft Intune admin center" lightbox="images/ios-deploy-2.png":::
+ :::image type="content" source="media/ios-deploy-2.png" alt-text="The Add group tab in the Microsoft Intune admin center" lightbox="media/ios-deploy-2.png":::
1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**. In a few moments, the Defender for Endpoint app should be created successfully, and a notification should show up at the top-right corner of the page. 1. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully.
- :::image type="content" source="images/ios-deploy-3.png" alt-text="The Device install status page" lightbox="images/ios-deploy-3.png":::
+ :::image type="content" source="media/ios-deploy-3.png" alt-text="The Device install status page" lightbox="media/ios-deploy-3.png":::
## Complete deployment for supervised devices
Configure the supervised mode for Defender for Endpoint app through an App confi
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** \> **App configuration policies** \> **Add**. Select **Managed devices**.
- :::image type="content" source="images/ios-deploy-4.png" alt-text="Image of Microsoft Intune admin center4." lightbox="images/ios-deploy-4.png":::
+ :::image type="content" source="media/ios-deploy-4.png" alt-text="Image of Microsoft Intune admin center4." lightbox="media/ios-deploy-4.png":::
1. In the *Create app configuration policy* page, provide the following information: - Policy Name - Platform: Select iOS/iPadOS - Targeted app: Select **Microsoft Defender for Endpoint** from the list
- :::image type="content" source="images/ios-deploy-5.png" alt-text="Image of Microsoft Intune admin center5." lightbox="images/ios-deploy-5.png":::
+ :::image type="content" source="media/ios-deploy-5.png" alt-text="Image of Microsoft Intune admin center5." lightbox="media/ios-deploy-5.png":::
1. In the next screen, select **Use configuration designer** as the format. Specify the following properties: - Configuration Key: `issupervised` - Value type: String - Configuration Value: `{{issupervised}}`
- :::image type="content" source="images/ios-deploy-6.png" alt-text="Image of Microsoft Intune admin center6." lightbox="images/ios-deploy-6.png":::
+ :::image type="content" source="media/ios-deploy-6.png" alt-text="Image of Microsoft Intune admin center6." lightbox="media/ios-deploy-6.png":::
1. Select **Next** to open the **Scope tags** page. Scope tags are optional. Select **Next** to continue.
Once the profile has been downloaded, deploy the custom profile. Follow the step
1. Navigate to **Devices** > **iOS/iPadOS** > **Configuration profiles** > **Create Profile**. 1. Select **Profile Type** > **Templates** and **Template name** > **Custom**.
- :::image type="content" source="images/ios-deploy-7.png" alt-text="Image of Microsoft Intune admin center7." lightbox="images/ios-deploy-7.png":::
+ :::image type="content" source="media/ios-deploy-7.png" alt-text="Image of Microsoft Intune admin center7." lightbox="media/ios-deploy-7.png":::
1. Provide a name of the profile. When prompted to import a Configuration profile file, select the one downloaded from the previous step. 1. In the **Assignment** section, select the device group to which you want to apply this profile. As a best practice, this should be applied to all managed iOS devices. Select **Next**.
Admins can configure Microsoft Defender for Endpoint to deploy and activate sile
- Type of Automatic VPN = On-demand VPN - Select **Add** for **On Demand Rules** and select **I want to do the following = Connect VPN**, **I want to restrict to = All domains**.
- :::image type="content" source="images/ios-deploy-9.png" alt-text="The VPN profile Configuration page" lightbox="images/ios-deploy-9.png":::
+ :::image type="content" source="media/ios-deploy-9.png" alt-text="The VPN profile Configuration page" lightbox="media/ios-deploy-9.png":::
- To mandate that VPN can't be disabled in users device, Admins can select **Yes** from **Block users from disabling automatic VPN**. By default, it's not configured and users can disable VPN only in the Settings. - To allow Users to Change the VPN toggle from within the app, add **EnableVPNToggleInApp = TRUE**, in the key-value pairs. By default, users can't change the toggle from within the app.
Admins can configure auto-setup of VPN profile. This will automatically set up t
- Type of Automatic VPN = On-demand VPN - Select **Add** for **On Demand Rules** and select **I want to do the following = Connect VPN**, **I want to restrict to = All domains**.
- :::image type="content" source="images/ios-deploy-8.png" alt-text="The VPN profile Configuration settings tab." lightbox="images/ios-deploy-8.png":::
+ :::image type="content" source="media/ios-deploy-8.png" alt-text="The VPN profile Configuration settings tab." lightbox="media/ios-deploy-8.png":::
- To require that VPN cannot be disabled on a users' device, Admins can select **Yes** from **Block users from disabling automatic VPN**. By default, this setting not configured and users can disable VPN only in the Settings. - To allow Users to Change the VPN toggle from within the app, add **EnableVPNToggleInApp = TRUE**, in the key-value pairs. By default, users cannot change the toggle from within the app.
security Ios Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-troubleshoot.md
While enabled by default, there might be some cases that require you to disable
1. Toggle off **Connect On Demand** to disable VPN. > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/ios-vpn-config.png" alt-text="The Connect on demand option" lightbox="images/ios-vpn-config.png":::
+ > :::image type="content" source="media/ios-vpn-config.png" alt-text="The Connect on demand option" lightbox="media/ios-vpn-config.png":::
> [!NOTE] > Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and Enable Web Protection.
Microsoft Defender for Endpoint protects you against phishing or other web-based
In addition, a notification is shown on the iOS device. Tapping on the notification opens the following screen for the user to review the details. > [!div class="mx-imgBorder"]
-> :::image type="content" source="images/ios-phish-alert.png" alt-text="The site reported as unsafe notification" lightbox="images/ios-phish-alert.png":::
+> :::image type="content" source="media/ios-phish-alert.png" alt-text="The site reported as unsafe notification" lightbox="media/ios-phish-alert.png":::
## Device not seen on the Defender for Endpoint console after onboarding
security Mac Device Control Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-faq.md
This article provides answers to frequently asked questions about Device Control
Answer: Run _mdatp device-control policy preferences list_ to see all the iOS policies on this machine: ### How do I know whether the policy has been delivered to the client machine? Answer: Run _mdatp device-control policy rules list_ to see all the iOS policies on this machine: Answer 2: Run _mdatp device-control policy groups list_ to see all the iOS groups on this machine: ## See also
security Mac Device Control Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-intune.md
You can deploy the mobileconfig file through [**https://endpoint.microsoft.com/*
- select 'Create profile' - select 'Templates' and 'Custom' ## See also
security Mac Device Control Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-jamf.md
See [Device Control for macOS](mac-device-control-overview.md) for information a
The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macos/schemE Preferences configuration profile should be updated to use the new schema file's content. ### Step 3: Add Device Control Policy to MDE Preferences
A new 'Device Control' property will now be available to add to the UX.
1. Select the topmost **Add/Remove properties** button, then select **Device Control** and press **Apply**. 2. Next, scroll down until you see the **Device Control** property (it will be the bottommost entry), and select **Add/Remove properties** directly underneath it. 3. Select **Device Control Policy**, and then click **Apply**. 4. To finish, copy and paste the Device Control policy JSON into the text box, and save your changes to the configuration profile. ## See also
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
Microsoft Defender for Endpoint Device Control feature enables you to:
Example 1: JAMF using [schema.json](https://github.com/microsoft/mdatp-xplat/tree/master/macos/schema) Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/mobileconfig/demo.mobileconfig)
Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/
- Minimum product version: 101.91.92 or higher - Run _mdatp version_ through Terminal to see the product version on your client machine:
- :::image type="content" source="images/macos-device-control-mdatp-version-terminal.png " alt-text="Screenshot that shows the results when you run mdatp version in Terminal to see the product version on a client machine." lightbox="images/macos-device-control-mdatp-version-terminal.png ":::
+ :::image type="content" source="mediatp-version-terminal.png ":::
## Device Control for macOS properties
The following table lists the properties you can use in entry:
Once Deny happens and the notification is enabled in the policy, the end user sees a dialog: ## Status
security Mac Install Jamfpro Login https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login.md
Last updated 12/18/2020
1. Enter your credentials.
- :::image type="content" source="images/jamf-pro-portal1.png" alt-text="The Jamf Pro dashboard1" lightbox="images/jamf-pro-portal1.png":::
+ :::image type="content" source="media/jamf-pro-portal1.png" alt-text="The Jamf Pro dashboard1" lightbox="media/jamf-pro-portal1.png":::
2. Select **Computers**.
- :::image type="content" source="images/jamf-pro-dashboard.png" alt-text="The Jamf Pro dashboard2" lightbox="images/jamf-pro-dashboard.png":::
+ :::image type="content" source="media/jamf-pro-dashboard.png" alt-text="The Jamf Pro dashboard2" lightbox="media/jamf-pro-dashboard.png":::
3. You see the settings that are available.
- :::image type="content" source="images/jamfpro-settings.png" alt-text="The Jamf Pro dashboard3" lightbox="images/jamfpro-settings.png":::
+ :::image type="content" source="media/jamfpro-settings.png" alt-text="The Jamf Pro dashboard3" lightbox="media/jamfpro-settings.png":::
## Next step
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
To complete this process, you must have admin privileges on the device.
6. To change the installation destination, select **Change Install Location...**.
- :::image type="content" source="images/installation-type.png" alt-text="Screenshot that shows the final installation step.":::
+ :::image type="content" source="media/installation-type.png" alt-text="Screenshot that shows the final installation step.":::
7. Click **Install**.
To grant full disk access:
1. Grant **Full Disk Access** permission to **Microsoft Defender** and **Microsoft Defenders Endpoint Security Extension**.
- :::image type="content" source="images/full-disk-access-security-privacy.png" alt-text="The screenshot shows the full disk access's security and privacy.":::
+ :::image type="content" source="media/full-disk-access-security-privacy.png" alt-text="The screenshot shows the full disk access's security and privacy.":::
1. Select **General** \> **Restart** for the new system extensions to take effect.
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2
|com.microsoft.wdav.epsext|UBF8T346G9| |com.microsoft.wdav.netext|UBF8T346G9|
- :::image type="content" source="images/mac-system-extension-intune2.png" alt-text="The settings of the system's extension" lightbox="images/mac-system-extension-intune2.png":::
+ :::image type="content" source="media/mac-system-extension-intune2.png" alt-text="The settings of the system's extension" lightbox="media/mac-system-extension-intune2.png":::
1. On the **Assignments** tab, assign the profile to a group where the macOS devices and/or users are located, or All Users and All devices. 1. Review the configuration profile. Click **Create**.
To download the onboarding packages from Microsoft 365 Defender portal:
2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
- :::image type="content" source="images/macos-install-with-intune.png" alt-text="The Onboarding settings page" lightbox="images/macos-install-with-intune.png":::
+ :::image type="content" source="media/macos-install-with-intune.png" alt-text="The Onboarding settings page" lightbox="media/macos-install-with-intune.png":::
3. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
security Mac Jamfpro Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups.md
Set up the device groups similar to Group policy organizational unite (OUs), Mi
2. Select **New**.
- :::image type="content" source="images/jamf-pro-static-group.png" alt-text="The Jamf Pro1 page" lightbox="images/jamf-pro-static-group.png":::
+ :::image type="content" source="media/jamf-pro-static-group.png" alt-text="The Jamf Pro1 page" lightbox="media/jamf-pro-static-group.png":::
3. Provide a display name and select **Save**.
- :::image type="content" source="images/jamfpro-machine-group.png" alt-text="The Jamf Pro2 page" lightbox="images/jamfpro-machine-group.png":::
+ :::image type="content" source="media/jamfpro-machine-group.png" alt-text="The Jamf Pro2 page" lightbox="media/jamfpro-machine-group.png":::
4. Now you will see the **Contoso's Machine Group** under **Static Computer Groups**.
security Mac Jamfpro Enroll Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices.md
For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/c
1. Select **Continue** and install the CA certificate from a **System Preferences** window.
- :::image type="content" source="images/jamfpro-ca-certificate.png" alt-text="The Jamf Pro enrollment1" lightbox="images/jamfpro-ca-certificate.png":::
+ :::image type="content" source="media/jamfpro-ca-certificate.png" alt-text="The Jamf Pro enrollment1" lightbox="media/jamfpro-ca-certificate.png":::
2. Once CA certificate is installed, return to the browser window and select **Continue** and install the MDM profile.
- :::image type="content" source="images/jamfpro-install-mdm-profile.png" alt-text="The Jamf Pro enrollment2" lightbox="images/jamfpro-install-mdm-profile.png":::
+ :::image type="content" source="medim-profile.png":::
3. Select **Allow** to downloads from JAMF.
- :::image type="content" source="images/jamfpro-download.png" alt-text="The Jamf Pro enrollment3" lightbox="images/jamfpro-download.png":::
+ :::image type="content" source="media/jamfpro-download.png" alt-text="The Jamf Pro enrollment3" lightbox="media/jamfpro-download.png":::
4. Select **Continue** to proceed with the MDM Profile installation.
- :::image type="content" source="images/jamfpro-install-mdm.png" alt-text="The Jamf Pro enrollment4" lightbox="images/jamfpro-install-mdm.png":::
+ :::image type="content" source="medim.png":::
5. Select **Continue** to install the MDM Profile.
- :::image type="content" source="images/jamfpro-mdm-unverified.png" alt-text="The Jamf Pro enrollment5" lightbox="images/jamfpro-mdm-unverified.png":::
+ :::image type="content" source="medim-unverified.png":::
6. Select **Continue** to complete the configuration.
- :::image type="content" source="images/jamfpro-mdm-profile.png" alt-text="The Jamf Pro enrollment6" lightbox="images/jamfpro-mdm-profile.png":::
+ :::image type="content" source="medim-profile.png":::
[!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)]
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
You'll need to take the following steps:
2. Sign in to Jamf Pro, navigate to **Computers** > **Configuration Profiles**, and select **New**.
- :::image type="content" source="images/jamf-pro-configure-profile.png" alt-text="The page on which you create a new Jamf Pro dashboard." lightbox="images/jamf-pro-configure-profile.png":::
+ :::image type="content" source="media/jamf-pro-configure-profile.png" alt-text="The page on which you create a new Jamf Pro dashboard." lightbox="media/jamf-pro-configure-profile.png":::
3. Enter the following details in the **General** tab:
You'll need to take the following steps:
4. Navigate to the **Application & Custom Settings** page and select **Upload** > **Add**.
- :::image type="content" source="images/jamfpro-mac-profile.png" alt-text="The configurate app and custom settings." lightbox="images/jamfpro-mac-profile.png":::
+ :::image type="content" source="media/jamfpro-mac-profile.png" alt-text="The configurate app and custom settings." lightbox="media/jamfpro-mac-profile.png":::
5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`.
- :::image type="content" source="images/jamfpro-plist-upload.png" alt-text="The jamfpro plist upload file." lightbox="images/jamfpro-plist-upload.png":::
+ :::image type="content" source="media/jamfpro-plist-upload.png" alt-text="The jamfpro plist upload file." lightbox="media/jamfpro-plist-upload.png":::
- :::image type="content" source="images/jamfpro-plist-file.png" alt-text="The upload file property List file." lightbox="images/jamfpro-plist-file.png":::
+ :::image type="content" source="media/jamfpro-plist-file.png" alt-text="The upload file property List file." lightbox="media/jamfpro-plist-file.png":::
6. Select **Open** and select the onboarding file.
- :::image type="content" source="images/jamfpro-plist-file-onboard.png" alt-text="The onboarding file." lightbox="images/jamfpro-plist-file-onboard.png":::
+ :::image type="content" source="media/jamfpro-plist-file-onboard.png" alt-text="The onboarding file." lightbox="media/jamfpro-plist-file-onboard.png":::
7. Select **Upload**.
- :::image type="content" source="images/jamfpro-upload-plist.png" alt-text="The uploading plist file." lightbox="images/jamfpro-upload-plist.png":::
+ :::image type="content" source="media/jamfpro-upload-plist.png" alt-text="The uploading plist file." lightbox="media/jamfpro-upload-plist.png":::
8. Select the **Scope** tab.
- :::image type="content" source="images/jamfpro-scope-tab.png" alt-text="The Scope tab." lightbox="images/jamfpro-scope-tab.png":::
+ :::image type="content" source="media/jamfpro-scope-tab.png" alt-text="The Scope tab." lightbox="media/jamfpro-scope-tab.png":::
9. Select the target computers.
- :::image type="content" source="images/jamfpro-target-computer.png" alt-text="The target computers." lightbox="images/jamfpro-target-computer.png":::
+ :::image type="content" source="media/jamfpro-target-computer.png" alt-text="The target computers." lightbox="media/jamfpro-target-computer.png":::
- :::image type="content" source="images/jamfpro-targets.png" alt-text="The targets." lightbox="images/jamfpro-targets.png":::
+ :::image type="content" source="media/jamfpro-targets.png" alt-text="The targets." lightbox="media/jamfpro-targets.png":::
10. Select **Save**.
- :::image type="content" source="images/jamfpro-deployment-target.png" alt-text="The deployment of target computers." lightbox="images/jamfpro-deployment-target.png":::
+ :::image type="content" source="media/jamfpro-deployment-target.png" alt-text="The deployment of target computers." lightbox="media/jamfpro-deployment-target.png":::
- :::image type="content" source="images/jamfpro-target-selected.png" alt-text="The selection of target computers." lightbox="images/jamfpro-target-selected.png":::
+ :::image type="content" source="media/jamfpro-target-selected.png" alt-text="The selection of target computers." lightbox="media/jamfpro-target-selected.png":::
11. Select **Done**.
- :::image type="content" source="images/jamfpro-target-group.png" alt-text="The computers of a target group." lightbox="images/jamfpro-target-group.png":::
+ :::image type="content" source="media/jamfpro-target-group.png" alt-text="The computers of a target group." lightbox="media/jamfpro-target-group.png":::
- :::image type="content" source="images/jamfpro-configuration-policies.png" alt-text="The list of configuration profiles." lightbox="images/jamfpro-configuration-policies.png":::
+ :::image type="content" source="media/jamfpro-configuration-policies.png" alt-text="The list of configuration profiles." lightbox="media/jamfpro-configuration-policies.png":::
## Step 3: Configure Microsoft Defender for Endpoint settings
All you need to do to have updates is to download an updated schema, edit existi
:::image type="content" source="media/0adb21c13206861ba9b30a879ade93d3.png" alt-text="The configuration setting upload." lightbox="media/0adb21c13206861ba9b30a879ade93d3.png":::
- :::image type="content" source="images/f624de59b3cc86e3e2d32ae5de093e02.png" alt-text="The prompt to upload the image related to the configuration settings." lightbox="images/f624de59b3cc86e3e2d32ae5de093e02.png":::
+ :::image type="content" source="media/f624de59b3cc86e3e2d32ae5de093e02.png" alt-text="The prompt to upload the image related to the configuration settings." lightbox="media/f624de59b3cc86e3e2d32ae5de093e02.png":::
> [!NOTE] > If you happen to upload the Intune file, you'll get the following error:
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
2. Rename it to `wdav_MDM_Contoso_200329.pkg`.
- :::image type="content" source="images/fb2220fed3a530f4b3ef36f600da0c27.png" alt-text="The file explorer1 wdavmdm package." lightbox="images/fb2220fed3a530f4b3ef36f600da0c27.png":::
+ :::image type="content" source="medim package." lightbox="media/fb2220fed3a530f4b3ef36f600da0c27.png":::
3. Open the Jamf Pro dashboard.
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
9. Navigate to the **Policies** page.
- :::image type="content" source="images/f878f8efa5ebc92d069f4b8f79f62c7f.png" alt-text="The configuration settings policies." lightbox="images/f878f8efa5ebc92d069f4b8f79f62c7f.png":::
+ :::image type="content" source="media/f878f8efa5ebc92d069f4b8f79f62c7f.png" alt-text="The configuration settings policies." lightbox="media/f878f8efa5ebc92d069f4b8f79f62c7f.png":::
10. Select **+ New** to create a new policy.
Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint
Select **Profile Name** as a criterion, and use the name of a previously created configuration profile as Value:
- :::image type="content" source="images/ffae2332be230870f865585c84733225.png" alt-text="Creating a smart group." lightbox="images/ffae2332be230870f865585c84733225.png":::
+ :::image type="content" source="media/ffae2332be230870f865585c84733225.png" alt-text="Creating a smart group." lightbox="media/ffae2332be230870f865585c84733225.png":::
Click **Save**. Return back to the window where you configure a package policy.
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
When you select the **x** symbol, you see options as shown in the following scre
When you select **Action needed**, you get the error message as shown in the following screenshot: You encounter this message in a different way: If you're using the terminal to enter **mdatp health** without the double quotes, the message as shown in the following screenshot is displayed:
If the file exists, it will prevent the macOS from being onboarded again. Delet
3. Select **View and purchase licenses in the Microsoft 365 admin center**. The following screen in the Microsoft 365 admin center portal appears:
- :::image type="content" source="images/m365-admin-center-purchase-assign-licenses.png" alt-text="Screenshot of the Microsoft 365 admin center portal page from which licenses can be purchased and assigned." lightbox="images/m365-admin-center-purchase-assign-licenses.png":::
+ :::image type="content" source="media/m365-admin-center-purchase-assign-licenses.png" alt-text="Screenshot of the Microsoft 365 admin center portal page from which licenses can be purchased and assigned." lightbox="media/m365-admin-center-purchase-assign-licenses.png":::
4. Check the checkbox of the license you want to purchase from Microsoft, and select it. The screen displaying detail of the chosen license appears:
On implementing these solution-options (either of them), if the licensing issues
## Sign in with your Microsoft account ### Message
security Mac Sysext Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-policies.md
To approve the system extensions, create the following payload:
- **com.microsoft.wdav.epsext** - **com.microsoft.wdav.netext**
- :::image type="content" source="images/mac-approved-system-extensions.png" alt-text=" The Approved system extensions page" lightbox="images/mac-approved-system-extensions.png":::
+ :::image type="content" source="media/mac-approved-system-extensions.png" alt-text=" The Approved system extensions page" lightbox="media/mac-approved-system-extensions.png":::
### Privacy Preferences Policy Control
Add the following JAMF payload to grant Full Disk Access to the Microsoft Defend
3. Set Code Requirement to `identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9` 4. Set **App or service** to **SystemPolicyAllFiles** and access to **Allow**.
- :::image type="content" source="images/mac-system-extension-privacy.png" alt-text=" The Privacy Preferences Policy Control menu item" lightbox="images/mac-system-extension-privacy.png":::
+ :::image type="content" source="media/mac-system-extension-privacy.png" alt-text=" The Privacy Preferences Policy Control menu item" lightbox="media/mac-system-extension-privacy.png":::
### Network Extension Policy
To approve the system extensions:
|com.microsoft.wdav.netext|UBF8T346G9| |||
- :::image type="content" source="images/mac-system-extension-intune2.png" alt-text=" The System configuration profiles page" lightbox="images/mac-system-extension-intune2.png":::
+ :::image type="content" source="media/mac-system-extension-intune2.png" alt-text=" The System configuration profiles page" lightbox="media/mac-system-extension-intune2.png":::
5. In the `Assignments` tab, assign this profile to **All Users & All devices**. 6. Review and create this configuration profile.
To deploy this custom configuration profile:
3. Open the configuration profile and upload **sysext.xml**. This file was created in the preceding step. 4. Select **OK**.
- :::image type="content" source="images/mac-system-extension-intune.png" alt-text=" The System extension in Intune page" lightbox="images/mac-system-extension-intune.png":::
+ :::image type="content" source="media/mac-system-extension-intune.png" alt-text=" The System extension in Intune page" lightbox="media/mac-system-extension-intune.png":::
5. In the `Assignments` tab, assign this profile to **All Users & All devices**. 6. Review and create this configuration profile.
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
On the **Network devices** tab, select **Customize columns** to see the columns
On the **IoT devices** tab, select **Customize columns** to see the columns available. The default values are checked in the following image: ## Related articles
security Manage Sys Extensions Manual Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-manual-deployment.md
You might see the prompt that's shown in the following screenshot:
1. From this second-prompt screen, select **OK**. You'll receive a notification message that reads **Installation succeeded**, as shown in the following screenshot:
- :::image type="content" source="images/installation-succeeded-notification-message.png" alt-text="The screen displaying the installation succeeded notification message." lightbox="images/installation-succeeded-notification-message.png":::
+ :::image type="content" source="media/installation-succeeded-notification-message.png" alt-text="The screen displaying the installation succeeded notification message." lightbox="media/installation-succeeded-notification-message.png":::
1. On the screen displaying the **Installation succeeded** notification message, select **OK**. You'll return to the following screen:
If you run systemextensionsctl list, the following screen appears:
1. On the **Security & Privacy** screen, select the **Privacy** tab. 1. Select **Full Disk Access** from the left navigation pane, and then click the **Lock** icon.
- :::image type="content" source="images/full-disk-access-and-lock-icon.png" alt-text="The Full Disk Access option in the menu and the Lock icon." lightbox="images/full-disk-access-and-lock-icon.png":::
+ :::image type="content" source="media/full-disk-access-and-lock-icon.png" alt-text="The Full Disk Access option in the menu and the Lock icon." lightbox="media/full-disk-access-and-lock-icon.png":::
1. Confirm that the Microsoft Defender extension has full disk access; if not, check the **Microsoft Defender** checkbox.
security Manage Sys Extensions Using Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-using-jamf.md
To approve the system extensions, perform the following steps:
- com.microsoft.wdav.epsext - com.microsoft.wdav.netext
- :::image type="content" source="images/jamf-system-extensions-approval.png" alt-text="Approving system extensions in JamF." lightbox="images/jamf-system-extensions-approval.png":::
+ :::image type="content" source="media/jamf-system-extensions-approval.png" alt-text="Approving system extensions in JamF." lightbox="media/jamf-system-extensions-approval.png":::
### Privacy Preferences Policy Control (also known as Full Disk Access)
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Defender for Endpoint uses the following combination of technology built into Wi
<center><h2>Microsoft Defender for Endpoint</center></h2> <table> <tr>
-<td><a href="#tvm"><center><img src="images/logo-mdvm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td>
+<td><a href="#tvm"><center><img src="medivm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td>
<td><a href="#asr"><center><img src="media/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td> <td><center><a href="#ngp"><img src="images/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td> <td><center><a href="#edr"><img src="media/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td>
security Migrate Devices Streamlined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrate-devices-streamlined.md
Open the Defender for Endpoint service event log using the following steps:
2. In the log list, under **Log Summary**, scroll down until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to open the log.
- :::image type="content" source="images/log-summary-event-viewer.png" alt-text="Screenshot of Event Viewer with log summary section":::
+ :::image type="content" source="media/log-summary-event-viewer.png" alt-text="Screenshot of Event Viewer with log summary section":::
You can also access the log by expanding**Applications and Services Logs>Microsoft>Windows>SENSE** and select **Operational**.
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
Create a new group policy specifically for onboarding devices such as "Microsoft
- Create a Group Policy Folder named "c:\windows\MMA"
- :::image type="content" source="images/grppolicyconfig1.png" alt-text="The folders location" lightbox="images/grppolicyconfig1.png":::
+ :::image type="content" source="media/grppolicyconfig1.png" alt-text="The folders location" lightbox="media/grppolicyconfig1.png":::
**This will add a new folder on every server that gets the GPO applied, called MMA, and will be stored in c:\windows. This will contain the installation files for the MMA, prerequisites, and install script.** - Create a Group Policy Files preference for each of the files stored in Net logon.
- :::image type="content" source="images/grppolicyconfig2.png" alt-text="The group policy - 1" lightbox="images/grppolicyconfig2.png":::
+ :::image type="content" source="media/grppolicyconfig2.png" alt-text="The group policy - 1" lightbox="media/grppolicyconfig2.png":::
It copies the files from DOMAIN\NETLOGON\MMA\filename to C:\windows\MMA\filename - **so the installation files are local to the server**:
security Onboarding Endpoint Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md
Microsoft Defender Antivirus is a built-in anti-malware solution that provides n
3. Right-click on the newly created anti-malware policy and select **Deploy**.
- :::image type="content" source="images/f5508317cd8c7870627cb4726acd5f3d.png" alt-text="The next-generation protection pane10" lightbox="images/f5508317cd8c7870627cb4726acd5f3d.png":::
+ :::image type="content" source="media/f5508317cd8c7870627cb4726acd5f3d.png" alt-text="The next-generation protection pane10" lightbox="media/f5508317cd8c7870627cb4726acd5f3d.png":::
4. Target the new anti-malware policy to your Windows collection and select **OK**.
security Onboarding Endpoint Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md
Then, you continue by creating several different types of endpoint security poli
7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**. > [!div class="mx-imgBorder"]
- > :::image type="content" source="images/fc3525e20752da026ec9f46ab4fec64f.png" alt-text="The Microsoft Intune admin center9" lightbox="images/fc3525e20752da026ec9f46ab4fec64f.png":::
+ > :::image type="content" source="media/fc3525e20752da026ec9f46ab4fec64f.png" alt-text="The Microsoft Intune admin center9" lightbox="media/fc3525e20752da026ec9f46ab4fec64f.png":::
8. Review and accept, then select **Create**.
security Onboarding Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md
You need to have access to:
- Credential Type: Select **Secret**. - Secret: Sign-in to https://portal.azure.com and navigate to **Microsoft Entra ID > App Registrations** and get the Tenant ID value.
- :::image type="content" source="images/http-conditions.png" alt-text="The HTTP conditions" lightbox="images/http-conditions.png":::
+ :::image type="content" source="media/http-conditions.png" alt-text="The HTTP conditions" lightbox="media/http-conditions.png":::
6. Add a new step by selecting **Add new action** then search for **Data Operations** and select **Parse JSON**.
You need to have access to:
- If yes, no notification is triggered - If no, will register the newly onboarded devices in the SharePoint list and a notification is sent to the Defender for Endpoint admin
- :::image type="content" source="images/flow-apply.png" alt-text="The application of the flow to each element" lightbox="images/flow-apply.png":::
+ :::image type="content" source="media/flow-apply.png" alt-text="The application of the flow to each element" lightbox="media/flow-apply.png":::
:::image type="content" source="media/apply-to-each.png" alt-text="The application of the flow to the Get items element" lightbox="media/apply-to-each.png":::
security Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md
With macOS and Linux, you could take a couple of systems and run in the Beta cha
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in Beta are the first ones to receive updates and new features, followed later by Preview and lastly by Current. In order to preview new features and provide early feedback, it's recommended that you configure some devices in your enterprise to use either Beta or Preview.
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
Logo|Partner name|Description
![Logo for Microsoft Sentinel.](images/sentinel-logo.png)|[AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705)|Stream alerts from Microsoft Defender for Endpoint into Microsoft Sentinel ![Logo for Cymulate.](media/cymulate-logo.png)|[Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)|Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions ![Logo for Elastic security.](media/elastic-security-logo.png)|[Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303)|Elastic Security is a free and open solution for preventing, detecting, and responding to threats
-![Logo for IBM QRadar.](images/ibm-qradar-logo.png)|[IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903)|Configure IBM QRadar to collect detections from Defender for Endpoint
+![Logo for IBM QRadar.](media/ibm-qradar-logo.png)|[IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903)|Configure IBM QRadar to collect detections from Defender for Endpoint
![Logo for Micro Focus ArcSight.](media/arcsight-logo.png)|[Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548)|Use Micro Focus ArcSight to pull Defender for Endpoint detections ![Logo for RSA NetWitness.](images/rsa-netwitness-logo.png)|[RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566)|Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API ![Logo for SafeBreach.](images/safebreach-logo.png)|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)|Gain visibility into Defender for Endpoint security events that are automatically correlated with SafeBreach simulations
Logo|Partner name|Description
Logo|Partner name|Description :|:|:
-![Logo for Fortinet.](images/fortinet-logo.jpg)|[Fortinet FortiSOAR](https://www.fortinet.com/products/fortisoar)|Fortinet FortiSOAR is a holistic Security Orchestration, Automation and Response (SOAR) workbench, designed for SOC teams to efficiently respond to the ever-increasing influx of alerts, repetitive manual processes, and shortage of resources. It pulls together all of organization's tools, helps unify operations and reduces alert fatigue, context switching, and the mean time to respond to incidents.
+![Logo for Fortinet.](media/fortinet-logo.jpg)|[Fortinet FortiSOAR](https://www.fortinet.com/products/fortisoar)|Fortinet FortiSOAR is a holistic Security Orchestration, Automation and Response (SOAR) workbench, designed for SOC teams to efficiently respond to the ever-increasing influx of alerts, repetitive manual processes, and shortage of resources. It pulls together all of organization's tools, helps unify operations and reduces alert fatigue, context switching, and the mean time to respond to incidents.
![Logo for Delta Risk ActiveEye.](media/delta-risk-activeeye-logo.png)|[Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468)|Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye. ![Logo for Demisto, a Palo Alto Networks Company.](media/demisto-logo.png)|[Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414)|Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response ![Logo for Microsoft Flow & Azure Functions.](images/ms-flow-logo.png)|[Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
Logo|Partner name|Description
![Logo for Aruba ClearPass Policy Manager.](media/aruba-logo.png)|[Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544)|Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network ![Logo for Blue Hexagon for Network.](media/bluehexagon-logo.png)|[Blue Hexagon for Network](/training/modules/explore-malware-threat-protection/)|Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection ![Logo for CyberMDX.](mediX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment
-![Logo for HYAS Protect.](images/hyas-logo.png)|[HYAS Protect](https://go.microsoft.com/fwlink/?linkid=2156763)|HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks
+![Logo for HYAS Protect.](media/hyas-logo.png)|[HYAS Protect](https://go.microsoft.com/fwlink/?linkid=2156763)|HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks
![Logo for Vectra Network Detection and Response (NDR).](images/vectra-logo.png)|[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)|Vectra applies AI & security research to detect and respond to cyber-attacks in real time ### Cross platform
Logo|Partner name|Description
![Logo for Bitdefender.](media/bitdefender-logo.png)|[Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)|Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats ![Logo for Better Mobile.](media/bettermobile-logo.png)|[Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)|AI-based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy ![Logo for Corrata.](media/corrata-new.png)|[Corrata](https://go.microsoft.com/fwlink/?linkid=2081148)|Mobile solution - Protect your mobile devices with granular visibility and control from Corrata
-![Logo for Lookout.](images/lookout-logo.png)|[Lookout](https://go.microsoft.com/fwlink/?linkid=866935)|Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
+![Logo for Lookout.](media/lookout-logo.png)|[Lookout](https://go.microsoft.com/fwlink/?linkid=866935)|Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
![Logo for Symantec Endpoint Protection Mobile.](images/symantec-logo.png)|[Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)|SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices ![Logo for Zimperium.](images/zimperium-logo.png)|[Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
On Windows 10, version 1709 or later, you'll have more control over the network
Once you have selected **Isolate device** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event. > [!NOTE] > The device will remain connected to the Defender for Endpoint service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated. Selective isolation only works on the classic versions of Outlook and Microsoft Teams.
security Run Analyzer Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-windows.md
All the PowerShell scripts and modules included with the analyzer are Microsoft-
If you see this error, the issuerInfo.txt output contains detailed information about why this happened and the affected file: Example contents after MDEClientAnalyzer.ps1 is modified:
security Techniques Device Timeline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/techniques-device-timeline.md
You can customize which columns to expose. You can also filter for flagged event
You can choose which columns to expose in the timeline by selecting the **Choose columns** button. From there you can select which information set to include.
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
One of the easiest ways to determine if attack surface reduction rules are alrea
Here's an example: There are multiple attack surface reduction rules active, with different configured actions.
Example:
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids ``` The above shows all the IDs for attack surface reduction rules that have a setting different from 0 (Not Configured).
The next step is then to list the actual actions (Block or Audit) that each rule
Get-MPPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions ``` ### Querying blocking and auditing events
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
If the deployment tools used do not indicate an error in the onboarding process,
5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
- :::image type="content" source="images/filter-log.png" alt-text="The Event Viewer log filter" lightbox="images/filter-log.png":::
+ :::image type="content" source="media/filter-log.png" alt-text="The Event Viewer log filter" lightbox="media/filter-log.png":::
6. Events which can indicate issues appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
For more information on Microsoft Defender for Endpoint on specific operating sy
- [What's new in Defender for Endpoint on Android](android-whatsnew.md) - [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) +
+> [!TIP]
+> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: >
+>
+> (/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=)
+>
+> (/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=)
+ ## February 2024 **Attack Surface Reduction (ASR) Rules**
Two new ASR rules are now in public preview:
- Live Response is now generally available for macOS and Linux. For more information, see [Investigate entities on devices using live response](live-response.md). -- [Live response API and library API for Linux and macOS is now generally available](run-live-response.md) <br/> You can now run live response API commands on Linux and macOS. -
-## December 2022
--- Microsoft Defender for Endpoint Device control removable storage access control updates:
- 1. Microsoft Intune support for removable storage access control is now available. See [Deploy and manage device control with Intune](device-control-deploy-manage-intune.md).
- 2. The new default enforcement policy of removable storage access control is designed for all device control features. Printer Protection is now available for this policy. If you create a Default Deny policy, printers will be blocked in your organization.
- - Intune: *./Vendor/MSFT/Defender/Configuration/DefaultEnforcement* <br> See [Deploy and manage device control using Intune](device-control-deploy-manage-intune.md)
- - Group policy: *Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement*<br> See [Deploy and manage device control with Group Policy](device-control-deploy-manage-gpo.md)
--- Microsoft Defender for Endpoint Device control New Printer Protection solution to manage printer is now available. For more information, see [Device control policies](device-control-policies.md).-
-## November 2022
--- [Built-in protection](built-in-protection.md) is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure your devices are protected. -
-## October 2022
--- [Network protection C2 detection and remediation is now generally available](network-protection.md#block-command-and-control-attacks). <br/>Attackers often compromise existing internet-connected servers to become their command and control servers. Attackers can use the compromised servers to hide malicious traffic and deploy malicious bots that are used to infect endpoints. Network protection detection and remediation will help improve the time it takes security operations (SecOps) teams to pinpoint and respond to malicious network threats that are looking to compromise endpoints.--
-## September 2022
--- [Attack surface reduction rules report now available in the Microsoft Defender portal](attack-surface-reduction-rules-report.md). <br/>The attack surface reduction rules report is now available in the Microsoft Defender portal. This ASR report provides information about the attack surface reduction rules that are applied to devices in your organization and helps you detect threats, block potential threats, and get visibility into ASR and device configuration.--- [Built-in protection](built-in-protection.md) (preview) is rolling out. Built-in protection is a set of default settings, such as tamper protection turned on, to help protect devices from ransomware and other threats.--- [Device health reporting is now generally available](device-health-reports.md). <br/>The device health report provides information about the health and security of your endpoints. The report includes trending information showing the sensor health state, antivirus status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update versions.--- [Device health reporting is now available for US Government customers using Defender for Endpoint](device-health-reports.md). <br/>Device health reporting is now available for GCC, GCC High and DoD customers.--- [Troubleshooting mode](enable-troubleshooting-mode.md) is now available for more Windows operating systems, including Windows Server 2012 R2 and above. See the article for more information about the required updates.-
-## August 2022
--- [Device health status](investigate-machines.md#device-health-status)<br>The Device health status card shows a summarized health report for the specific device.--- [Device health reporting (Preview)](/microsoft-365/security/defender-endpoint/machine-reports)<br> The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.--- [Tamper protection on macOS is now generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/tamper-protection-on-macOS-is-now-generally-available/ba-p/3595422)<br> This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability. Later this year, we'll offer a gradual rollout mechanism that will automatically switch endpoints to block mode; note this will only apply if you have not made a choice to either enable (block mode) or disable the capability.--- [Network Protection and Web Protection for macOS and Linux is now in Public Preview!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/network-protection-and-web-protection-for-macOS-and-linux-is-now/ba-p/3601576)<br>Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It's the foundation on which our Web Protection for Microsoft Defender for Endpoint is built. These capabilities include Web threat protection, Web content filtering, and IP/URL Custom indicators. Web protection enables you to secure your devices against web threats and helps to regulate unwanted content.--- [Improved Microsoft Defender for Endpoint onboarding for Windows Server 2012 R2 and Windows Server 2016](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2207#improved-microsoft-defender-for-endpoint-mde-onboarding-for-windows-server-2012-r2-and-windows-server-2016)<br>Configuration Manager version 2207 now supports automatic deployment of modern, unified Microsoft Defender for Endpoint for Windows Server 2012 R2 & 2016. Windows Server 2012 and 2016 devices that are targeted with Microsoft Defender for Endpoint onboarding policy will use the unified agent versus the existing Microsoft Monitoring Agent based solution, if configured through Client Settings.-
-## July 2022
--- [Add domain controller devices - Evaluation lab enhancement](evaluation-lab.md#add-a-domain-controller)<br>Now generally available - Add a domain controller to run complex scenarios such as lateral movement and multistage attacks across multiple devices.--- [Announcing File page enhancements in Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-file-page-enhancements-in-microsoft-defender-for/ba-p/3584004)<br>Have you ever investigated files in Microsoft Defender for Endpoint? We now make it even easier with our recent announcement of enhancements to the File page and side panel. Users can now streamline processes by having a more efficient navigation experience that hosts all this information in one place.--- [Introducing the new alert suppression experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719)<br>We're excited to share the new and advanced alert suppression experience is now Generally Available. The new experience provides tighter granularity and control, allowing users to tune Microsoft Defender for Endpoint alerts.--- [Prevent compromised unmanaged devices from moving laterally in your organization with "Contain](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/prevent-compromised-unmanaged-devices-from-moving-laterally-in/ba-p/3482134)<br>Starting today, when a device that isn't enrolled in Microsoft Defender for Endpoint is suspected of being compromised, as a SOC analyst, you'll be able to "Contain" it. As a result, any device enrolled in Microsoft Defender for Endpoint will now block any incoming/outgoing communication with the suspected device.--- [Mobile device support is now available for US Government Customers using Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/mobile-device-support-is-now-available-for-us-government/ba-p/3472590)<br>Microsoft Defender for Endpoint for US Government customers is built in the Azure US Government environment and uses the same underlying technologies as Defender in Azure Commercial. This offering is available to GCC, GCC High and DoD customers and further extends our platform availability from Windows, macOS, and Linux, to Android and iOS devices as well.-
-## June 2022
--- [Defender for Servers Plan 2 now integrates with MDE unified solution](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-servers-plan-2-now-integrates-with-mde-unified/ba-p/3527534)<br>You can now start deploying the modern, unified solution for Windows Server 2012 R2 and 2016 to servers covered by Defender for Servers Plan 2 using a single button.--- [Mobile Network Protection in Microsoft Defender for Endpoint on Android & iOS now in Public Preview](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/mobile-network-protection-in-microsoft-defender-for-endpoint-on/ba-p/3559121)<br>Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence. We're delighted to announce that users can now benefit from this new feature on both Android and iOS platforms with Microsoft Defender for Endpoint.
+- [Live response API and library API for Linux and macOS is now generally available](run-live-response.md) <br/> You can now run live response API commands on Linux and macOS.
+## Prior to 2023
+For information about features released prior to 2023, see [Archive - What's new in Defender for Endpoint, December 2022 and earlier](whats-new-mde-archive.md#whats-new-in-microsoft-defender-for-endpointbefore-2023)
security Whats New Mde Archive https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-mde-archive.md
+
+ Title: What's new in Microsoft Defender for Endpoint - Before 2023
+description: See what features were available for Microsoft Defender for Endpoint in the releases before 2023.
+search.appverid: met150
+++
+ms.localizationpriority: medium
Last updated : 03/25/2024+
+audience: ITPro
+
+- m365-security
+- tier1
+++
+# What's new in Microsoft Defender for Endpoint - Before 2023
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender XDR](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+The following features were in preview or generally available (GA) in Microsoft Defender for Endpoint prior to the calendar year 2023.
+
+For more information on preview features, see [Preview features](preview.md).
+
+For more information on what's new with Microsoft Defender for Endpoint on Windows, see:
+[What's new in Microsoft Defender for Endpoint on Windows](windows-whatsnew.md)
+
+For more information on what's new with other Microsoft Defender security products, see:
+
+- [What's new in Microsoft Defender XDR](../defender/whats-new.md)
+- [What's new in Microsoft Defender for Office 365](../office-365-security/defender-for-office-365-whats-new.md)
+- [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new)
+- [What's new in Microsoft Defender for Cloud Apps](/cloud-app-security/release-notes)
+
+For more information on Microsoft Defender for Endpoint on specific operating systems and on other operating systems:
+
+- [What's new in Defender for Endpoint on Windows](windows-whatsnew.md)
+- [What's new in Defender for Endpoint on macOS](mac-whatsnew.md)
+- [What's new in Defender for Endpoint on Linux](linux-whatsnew.md)
+- [What's new in Defender for Endpoint on Android](android-whatsnew.md)
+- [What's new in Defender for Endpoint on iOS](ios-whatsnew.md)
+
+## December 2022
+
+- Microsoft Defender for Endpoint Device control removable storage access control updates:
+
+ 1. Microsoft Intune support for removable storage access control is now available. See [Deploy and manage device control with Intune](device-control-deploy-manage-intune.md).
+
+ 2. The new default enforcement policy of removable storage access control is designed for all device control features. Printer Protection is now available for this policy. If you create a Default Deny policy, printers will be blocked in your organization.
+
+ - Intune: *./Vendor/MSFT/Defender/Configuration/DefaultEnforcement* <br> See [Deploy and manage device control using Intune](device-control-deploy-manage-intune.md)
+
+ - Group policy: *Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Features > Device Control > Select Device Control Default Enforcement*<br> See [Deploy and manage device control with Group Policy](device-control-deploy-manage-gpo.md)
+
+- Microsoft Defender for Endpoint Device control New Printer Protection solution to manage printer is now available. For more information, see [Device control policies](device-control-policies.md).
+
+## November 2022
+
+- [Built-in protection](built-in-protection.md) is now generally available. Built-in protection helps protect your organization from ransomware and other threats with default settings that help ensure that your devices are protected.
+
+## October 2022
+
+[Network protection C2 detection and remediation is now generally available](network-protection.md#block-command-and-control-attacks). <br/>Attackers often compromise existing internet-connected servers to become their command and control servers. Attackers can use the compromised servers to hide malicious traffic and deploy malicious bots that are used to infect endpoints. Network protection detection and remediation helps improve the time it takes for the security operations (SecOps) teams to pinpoint and respond to malicious network threats that are looking to compromise endpoints.
+
+## September 2022
+
+- [Attack surface reduction rules report now available in the Microsoft Defender portal](attack-surface-reduction-rules-report.md). <br/>The attack surface reduction rules report is now available in the Microsoft Defender portal. This ASR report provides information about the attack surface reduction rules that are applied to devices in your organization and helps you detect threats, block potential threats, and get visibility into ASR and device configuration.
+
+- [Built-in protection](built-in-protection.md) (preview) is rolling out. Built-in protection is a set of default settings, such as tamper protection turned on, to help protect devices from ransomware and other threats.
+
+- [Device health reporting is now generally available](device-health-reports.md). <br/>The device health report provides information about the health and security of your endpoints. The report includes trending information showing the sensor health state, antivirus status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update versions.
+
+- [Device health reporting is now available for US Government customers using Defender for Endpoint](device-health-reports.md). <br/>Device health reporting is now available for GCC, GCC High, and DoD customers.
+
+- [Troubleshooting mode](enable-troubleshooting-mode.md) is now available for more Windows operating systems, including Windows Server 2012 R2 and higher. For more information about the required updates, see [Troubleshooting mode](enable-troubleshooting-mode.md).
+
+## August 2022
+
+- [Device health status](investigate-machines.md#device-health-status)<br>The Device health status card shows a summarized health report for the specific device.
+
+- [Device health reporting (Preview)](/microsoft-365/security/defender-endpoint/machine-reports)<br> The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.
+
+- [Tamper protection on macOS is now generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/tamper-protection-on-macOS-is-now-generally-available/ba-p/3595422)<br> This feature will be released with audit mode enabled by default, and you can decide whether to enforce (block) or turn off the capability. Later this year, we'll offer a gradual rollout mechanism that will automatically switch endpoints to "block" mode; this mechanism applies only if you haven't made a choice to either enable ("block" mode) or disable the capability.
+
+- [Network Protection and Web Protection for macOS and Linux is now in Public Preview!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/network-protection-and-web-protection-for-macOS-and-linux-is-now/ba-p/3601576)<br>Network Protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It's the foundation on which our Web Protection for Microsoft Defender for Endpoint is built. These capabilities include Web threat protection, Web content filtering, and IP/URL Custom indicators. Web protection enables you to secure your devices against web threats and helps to regulate unwanted content.
+
+- [Improved Microsoft Defender for Endpoint onboarding for Windows Server 2012 R2 and Windows Server 2016](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2207#improved-microsoft-defender-for-endpoint-mde-onboarding-for-windows-server-2012-r2-and-windows-server-2016)<br>Configuration Manager version 2207 now supports automatic deployment of modern, unified Microsoft Defender for Endpoint for Windows Server 2012 R2 & 2016. Devices running Windows Server 2012 R2 or Windows Server 2016 that are targeted by the Defender for Endpoint onboarding policy now use the unified agent instead of the Microsoft Monitoring Agent-based solution, if configured through client settings.
+
+## July 2022
+
+- [Add domain controller devices - Evaluation lab enhancement](evaluation-lab.md#add-a-domain-controller)<br>Now generally available - Add a domain controller to run complex scenarios such as lateral movement and multistage attacks across multiple devices.
+
+- [Announcing File page enhancements in Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-file-page-enhancements-in-microsoft-defender-for/ba-p/3584004)<br>Have you ever investigated files in Microsoft Defender for Endpoint? We now make it even easier with our recent announcement of enhancements to the File page and side panel. Users can now streamline processes by having a more efficient navigation experience that hosts all this information in one place.
+
+- [Introducing the new alert suppression experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719)<br>We're excited to share that the new and advanced alert suppression experience is now Generally Available. The new experience provides tighter granularity and control, allowing users to tune Microsoft Defender for Endpoint alerts.
+
+- [Prevent compromised unmanaged devices from moving laterally in your organization with "Contain](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/prevent-compromised-unmanaged-devices-from-moving-laterally-in/ba-p/3482134)<br>Starting today, when a device that isn't enrolled in Microsoft Defender for Endpoint is suspected of being compromised, as an SOC analyst, you'll be able to "Contain" it. As a result, any device enrolled in Microsoft Defender for Endpoint will now block any incoming/outgoing communication with the suspected device.
+
+- [Mobile device support is now available for US Government Customers using Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/mobile-device-support-is-now-available-for-us-government/ba-p/3472590)<br>Microsoft Defender for Endpoint for US Government customers is built in the Azure US Government environment and uses the same underlying technologies as Defender in Azure Commercial. This offering is available to GCC, GCC High, and DoD customers, and it further extends our platform availability from Windows, macOS, and Linux, to Android and iOS devices.
+
+## June 2022
+
+- [Defender for Servers Plan 2 now integrates with MDE unified solution](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-servers-plan-2-now-integrates-with-mde-unified/ba-p/3527534)<br>You can now start deploying the modern, unified solution for Windows Server 2012 R2 and 2016 to servers covered by Defender for Servers Plan 2, using a single button.
+
+- [Mobile Network Protection in Microsoft Defender for Endpoint on Android & iOS now in Public Preview](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/mobile-network-protection-in-microsoft-defender-for-endpoint-on/ba-p/3559121)<br>Microsoft offers a mobile network protection feature in Defender for Endpoint that helps organizations identify, assess, and remediate endpoint weaknesses with the help of robust threat intelligence. We're delighted to announce that users can now benefit from this new feature on both Android and iOS platforms that have Microsoft Defender for Endpoint.
++
+## October 2021
+
+- [Updated onboarding and feature parity for Windows Server 2012 R2 and Windows Server 2016 (preview)](configure-server-endpoints.md)<br> The new unified solution package makes it easier to onboard servers by removing dependencies and installation steps. In addition, this unified solution package comes with many new feature improvements.
+
+- Windows 11 support added to Microsoft Defender for Endpoint and Microsoft 365 Defender.
+
+## September 2021
+
+- [Web content filtering](web-content-filtering.md) . As part of web protection capabilities in Microsoft Defender for Endpoint, web content filtering enables your organization's security team to track and regulate access to websites based on their content categories. Categories include adult content, high bandwidth, legal liability, leisure, and uncategorized. Although many websites that fall into one or more of these categories might not be malicious, they could be problematic because of compliance regulations, bandwidth usage, or other concerns. [Learn more about web content filtering](web-content-filtering.md).
+
+## August 2021
+
+- [Microsoft Defender for Endpoint Plan 1 ](defender-endpoint-plan-1.md) (preview). Defender for Endpoint Plan 1 (preview) is an endpoint protection solution that includes next-generation protection, attack surface reduction, centralized management and reporting, and APIs. Defender for Endpoint Plan 1 (preview) is a new offering for customers who:
+
+ - Want to try our endpoint protection capabilities
+ - Have Microsoft 365 E3, and
+ - Don't yet have Microsoft 365 E5
+
+ For more information on Defender for Endpoint Plan 1 (preview), see [Microsoft Defender for Endpoint Plan 1 (preview)](defender-endpoint-plan-1.md).
+
+ Existing [Defender for Endpoint](microsoft-defender-endpoint.md) capabilities will be known as Defender for Endpoint Plan 2.
+
+- (Preview) [Web Content Filtering](web-content-filtering.md)<br> Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
+
+## June 2021
+
+- [Delta export software vulnerabilities assessment](get-assessment-methods-properties.md#31-methods) API <br> An addition to the [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API collection. <br> Unlike the full software vulnerabilities assessment (JSON response) - which is used to obtain an entire snapshot of the software vulnerabilities assessment of your organization by device - the delta export API call is used to fetch only the changes that have happened between a selected date and the current date (the "delta" API call). Instead of getting a full export with a large amount of data every time, you'll only get specific information on new, fixed, and updated vulnerabilities. Delta export API call can also be used to calculate different KPIs such as "how many vulnerabilities were fixed" or "how many new vulnerabilities were added to an organization."
+
+- [Export assessments of vulnerabilities and secure configurations](get-assessment-methods-properties.md) API <br> Adds a collection of APIs that pull threat and vulnerability management data on a per-device basis. There are different API calls to get different types of data: secure configuration assessment, software inventory assessment, and software vulnerabilities assessment. Each API call contains the requisite data for devices in your organization.
+
+- [Remediation activity](get-remediation-methods-properties.md) API <br> Adds a collection of APIs with responses that contain threat and vulnerability management remediation activities that have been created in your tenant. Response information types include one remediation activity by ID, all remediation activities, and exposed devices of one remediation activity.
+
+- [Device discovery](device-discovery.md) <br> Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. You can then onboard discovered devices to reduce risks associated with having unmanaged endpoints in your network.
+
+ > [!IMPORTANT]
+ > Standard discovery will be the default mode for all customers starting July 19, 2021. You can choose to retain the "basic mode" through the **Settings** page.
+
+- [Device group definitions](/microsoft-365/security/defender-endpoint/machine-groups) can now include multiple values for each condition. You can set multiple tags, device names, and domains to the definition of a single device group.
+
+- [Mobile Application management support](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-new-capabilities-on-android-and-ios/ba-p/2442730) <br> This enhancement enables Microsoft Defender for Endpoint protect an organization's data within a managed application when Intune is being used to manage mobile applications. For more information about mobile application management, see [this documentation](/mem/intune/apps/mam-faq).
+
+- [Microsoft Tunnel VPN integration](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-new-capabilities-on-android-and-ios/ba-p/2442730) <br> Microsoft Tunnel VPN capabilities are now integrated with Microsoft Defender for Endpoint app for Android. This unification enables organizations to offer a simplified end-user experience with one security app ΓÇô offering both mobile threat defense and the ability to access on-prem resources from their mobile device ΓÇô while security and IT teams are able to maintain the same admin experiences they are familiar with.
+
+- [Jailbreak detection on iOS](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios) <br> Jailbreak detection capability in Microsoft Defender for Endpoint on iOS is now generally available. This adds to the phishing protection that already exists. For more information, see [Setup Conditional Access Policy based on device risk signals](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios).
+
+## March 2021
+
+ [Manage tamper protection using the Microsoft Defender Security Center](manage-tamper-protection-microsoft-365-defender.md#manage-tamper-protection-for-your-organization-using-microsoft-defender-portal) <br> You can manage tamper protection settings on Windows 10, Windows Server 2016, Windows Server 2019, and Windows Server 2022 by using a method called *tenant attach*.
+
+## January 2021
+
+- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) <br> Microsoft Defender for Endpoint now adds support for Windows Virtual Desktop.
+
+## December 2020
+
+- [Microsoft Defender for Endpoint on iOS](microsoft-defender-endpoint-ios.md) <br> Microsoft Defender for Endpoint now adds support for iOS. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for iOS.
+
+## September 2020
+
+- [Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md) <br> Microsoft Defender for Endpoint now adds support for Android. In addition to the provisions for you to install, configure, and use Microsoft Defender for Endpoint for Android (introducted in the previous sprint in August 2020), the provision to "update" Microsoft Defender for Endpoint for Android has been introduced in this sprint.
+
+- [Threat and vulnerability management macOS support](tvm-supported-os.md)<br> Threat and vulnerability management for macOS is now in public preview, and will continuously detect vulnerabilities on your macOS devices to help you prioritize remediation by focusing on risk. For more information, see [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824).
+
+## August 2020
+
+- [Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md) <br> Microsoft Defender for Endpoint now adds support for Android. The article [Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md) enables you learn how to install, configure, and use Microsoft Defender for Endpoint for Android.
+
+## July 2020
+
+- [Create indicators for certificates](manage-indicators.md) <br> Create indicators to allow or block certificates.
+
+## June 2020
+
+- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) <br> Microsoft Defender for Endpoint now adds support for Linux. This article [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) enables you learn how to install, configure, update, and use Microsoft Defender for Endpoint for Linux.
+
+- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios) <br> Microsoft Defender for Endpoint has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from within the portal.
+
+## April 2020
+
+- [Threat & Vulnerability Management API support](api/exposed-apis-list.md) <BR>Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, and security recommendation information. For more information, see [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
+
+## November-December 2019
+
+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) <BR> Microsoft Defender for Endpoint for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](overview-endpoint-detection-response.md).
+
+- [Threat & Vulnerability Management application and application version end-of-life information](../defender-vulnerability-management/tvm-security-recommendation.md) <BR>Applications and application versions which have reached their end of life (EOL) are tagged or labeled as such; so, you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
+
+- [Threat & Vulnerability Management Advanced Hunting Schemas](../defender/advanced-hunting-schema-tables.md) <BR>Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
+
+ - [Threat & Vulnerability Management role-based access controls](user-roles.md) <BR>Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so that only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
+
+## October 2019
+
+- [Indicators for IP addresses, URLs/Domains](manage-indicators.md) <BR> You can now allow or block URLs/domains using your own threat intelligence.
+
+- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md) <BR> You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.
+
+- [Connected Azure AD applications](connected-applications.md)<br> The **Connected applications** page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization.
+
+- [API Explorer](api-explorer.md)<br> The API explorer makes it easy to construct and execute API queries, and to test and send requests for any available Microsoft Defender for Endpoint API endpoint.
+
+## September 2019
+
+- [Tamper Protection settings using Intune](manage-tamper-protection-intune.md)<br/>You can now turn on Tamper Protection (or turn off) for your organization in the Microsoft 365 Device Management Portal (Intune).
+
+- [Live response](live-response.md)<BR> Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real time.
+
+- [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can
+ focus on evaluating the capabilities of the platform; running simulations; and seeing the prevention, detection, and remediation features in action.
+
+- [Windows Server 2008 R2 SP1](configure-server-endpoints.md) <BR> You can now onboard Windows Server 2008 R2 SP1.
+
+## June 2019
+
+- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) <BR> A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
+
+- [Device health and compliance report](machine-reports.md) The device health and compliance report provides high-level information about the devices in your organization.
+
+## May 2019
+
+- [Threat protection reports](threat-protection-reports.md)<BR>The threat protection report provides high-level information about alerts generated in your organization.
+
+- [Microsoft Threat Experts](endpoint-attack-notifications.md)<BR> Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender for Endpoint that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides an additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
+
+- [Indicators](api/ti-indicator.md) <BR> APIs for indicators are now generally available.
+
+- [Interoperability](partner-applications.md) <BR> Microsoft Defender for Endpoint supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
+
+## April 2019
+
+- [Microsoft Threat Experts Targeted Attack Notification capability](endpoint-attack-notifications.md) <BR> Microsoft Threat Experts' Targeted Attack Notification alerts are tailored for organizations to provide as much information as can be quickly delivered, including the timeline, scope of breach, and the methods of intrusion, thus bringing attention to critical threats in their network.
+
+- [Microsoft Defender for Endpoint API](api/apis-intro.md) <BR> Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities.
+
+## February 2019
+
+- [Incidents](view-incidents-queue.md) <BR> Incident is a new entity in Microsoft Defender for Endpoint that brings together all relevant alerts and related entities to narrate the broader-attack story, giving analysts better perspective on the purview of complex threats.
+
+- [Onboard previous versions of Windows](onboard-downlevel.md)<BR> Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
+
+## October 2018
+
+- [Attack surface reduction rules](attack-surface-reduction.md)<BR>All Attack surface reduction rules are now supported on Windows Server 2019.
+
+- [Controlled folder access](enable-controlled-folders.md)<BR> Controlled folder access is now supported on Windows Server 2019.
+
+- [Custom detection](../defender/custom-detections-overview.md)<BR>With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules.
+
+- [Integration with Azure Security Center](configure-server-endpoints.md)<BR> Microsoft Defender for Endpoint integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
+
+- [Managed security service provider](mssp-support.md) (MSSP) support<BR> Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration allows MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
+
+- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)<BR>Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.
+
+- [Support for iOS and Android devices](configure-endpoints-non-windows.md)<BR> iOS and Android devices are now supported and can be onboarded to the service.
+
+- [Threat analytics](threat-analytics.md)<BR>
+Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provide recommended actions to contain the impact, increase organizational resilience, and prevent specific threats.
+
+- There are two new attack surface reduction rules in Windows 10 version 1809:
+
+ - Block Adobe Reader from creating child processes
+
+ - Block Office communication application from creating child processes
+
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)
+
+- Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
+
+ - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox) (preview), increasing its security.
+
+ - [Configure CPU priority settings](configure-advanced-scan-types-microsoft-defender-antivirus.md) for Microsoft Defender Antivirus scans.
+
+## March 2018
+
+- [Advanced Hunting](../defender/advanced-hunting-query-language.md)<BR>Query data using advanced hunting in Microsoft Defender for Endpoint.
+
+- [Attack surface reduction rules](attack-surface-reduction.md)<BR>The newly introduced attack surface reduction rules are:
+
+ - Use advanced protection against ransomware
+
+ - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
+
+ - Block process creations originating from PSExec and WMI commands
+
+ - Block untrusted and unsigned processes that run from USB
+
+ - Block executable content from email client and webmail
+
+- [Automated investigation and remediation](automated-investigations.md)<BR> Use Automated investigations to investigate and remediate threats.
+
+ > [!NOTE]
+ > Available from Windows 10, version 1803 or later.
+
+- [Conditional Access](conditional-access.md) <br> Enable conditional access to better protect users, devices, and data.
+
+- [Microsoft Defender for Endpoint Community center](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP)<BR>The Microsoft Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product.
+
+- [Controlled folder access](enable-controlled-folders.md)<BR>You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
+
+- [Onboard non-Windows devices](configure-endpoints-non-windows.md)<BR>Microsoft Defender for Endpoint provides a centralized security operations experience for Windows and non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.
+
+- [Role-based access control (RBAC)](rbac.md)<BR>Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal.
+
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)<BR>Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md).
+
+- Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) and executable files. For more information, see [Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).
security Streaming Api Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-event-hub.md
To get the data types for event properties, do the following steps:
- Here's an example for Device Info event:
- :::image type="content" source="../defender-endpoint/images/machine-info-datatype-example.png" alt-text="An example query for device info" lightbox="../defender-endpoint/images/machine-info-datatype-example.png":::
+ :::image type="content" source="../defender-endpoint/media/machine-info-datatype-example.png" alt-text="An example query for device info" lightbox="../defender-endpoint/media/machine-info-datatype-example.png":::
## Estimating initial Event Hub capacity The following Advanced Hunting query can help provide a rough estimate of data volume throughput and initial event hub capacity based on events/sec and estimated MB/sec. We recommend running the query during regular business hours so as to capture 'real' throughput.
security Streaming Api Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-storage.md
Last updated 02/08/2023
### Add contributor permissions
-Once the Storage account is created you will need to:
+Once the Storage account is created, you'll need to:
-1. Define the user who will be logging into Microsoft Defender XDR as Contributor.
+1. Define the user who is logging into Microsoft Defender XDR as Contributor.
Go to **Storage Account > Access control (IAM) > Add** and verify under **Role assignments**.
Once the Storage account is created you will need to:
2. Go to **Settings** \> **Microsoft Defender XDR** \> **Streaming API**. To go directly to the **Streaming API** page, use <https://security.microsoft.com/settings/mtp_settings/raw_data_export>.
-3. Click **Add**.
+3. Select **Add**.
4. In the **Add new Streaming API settings** flyout that appears, configure the following settings: 1. **Name**: Choose a name for your new settings.
Once the Storage account is created you will need to:
4. Back on the **Add new Streaming API settings** flyout, choose the **Event types** that you want to stream.
- When you're finished, click **Submit**.
+ When you're finished, select **Submit**.
## The schema of the events in the Storage account -- A blob container will be created for each event type:
+- A blob container is created for each event type:
:::image type="content" source="../defender-endpoint/images/storage-account-event-schema.png" alt-text="Example of a blob container" lightbox="../defender-endpoint/images/storage-account-event-schema.png":::
Once the Storage account is created you will need to:
- Each blob contains multiple rows. -- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
+- Each row contains the event name, the time Defender for Endpoint received the event, the tenant it belongs (you'll only get events from your tenant), and the event in JSON format in a property called "properties".
- For more information about the schema of Microsoft Defender XDR events, see [Advanced Hunting overview](../defender/advanced-hunting-overview.md).
In order to get the data types for our events properties do the following:
| project ColumnName, ColumnType ``` -- Here is an example for Device Info event:
+- Here's an example for Device Info event:
- :::image type="content" source="../defender-endpoint/images/machine-info-datatype-example.png" alt-text="An example device info query" lightbox="../defender-endpoint/images/machine-info-datatype-example.png":::
+ :::image type="content" source="../defender-endpoint/media/machine-info-datatype-example.png" alt-text="An example device info query" lightbox="../defender-endpoint/media/machine-info-datatype-example.png":::
## Monitoring created resources
security Attack Simulation Training End User Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-end-user-notifications.md
description: Admins can learn how to create end-user notification email messages for Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 6/14/2023 Last updated : 3/11/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
To see the available end-user notifications, open the Microsoft Defender portal
**End user notifications** in the **Content library** tab has two tabs: -- **Global notifications**: Contains the built-in, nonmodifiable notifications.-- **Tenant notifications**: Contains the custom notifications that you've created.
+- **Global notifications**: Contains the built-in, unmodifiable notifications.
+- **Tenant notifications**: Contains the custom notifications that you created.
-The following information is shown for each notification<sup>\*</sup>:
+The following information is shown for each notification. You can sort the notifications by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
- **Notifications**: The name of the notification. - **Γï«** (**Actions** control): Take action on the notification. The available actions depend on the **Status** value of the notification as described in the procedure sections.
The following information is shown for each notification<sup>\*</sup>:
- **Source**: For built-in notifications, the value is **Global**. For custom notifications, the value is **Tenant**. - **Status**: The value is **Ready** or **Draft**. On the **Global notifications** tab, the value is always **Ready**. - **Linked simulations**: The total number of [simulations](attack-simulation-training-simulations.md) or [simulation automations](attack-simulation-training-simulation-automations.md) that use the notification.-- **Created by**: For built-in notifications, the value is **Microsoft**. For custom notifications, the value is the UPN of the user who created the notification.
+- **Created by**: For built-in notifications, the value is **Microsoft**. For custom notifications, the value is the user principal name (UPN) of the user who created the notification.
- **Created time** - **Modified by** - **Last modified time**
-Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
- > [!TIP]
+> To see all columns, you likely need to do one or more of the following steps:
+>
+> - Horizontally scroll in your web browser.
+> - Narrow the width of appropriate columns.
+> - Remove columns from the view.
+> - Zoom out in your web browser.
+>
> The **Γï«** (**Actions** control) is associated with the **Notifications** column. If you remove that column from view, the **Γï«** control goes away.
-<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
--- Horizontally scroll in your web browser.-- Narrow the width of appropriate columns.-- Remove columns from the view.-- Zoom out in your web browser.- To find a notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key. To group the notifications by type, select :::image type="icon" source="../../media/m365-cc-sc-group-icon.png" border="false"::: **Group** and then select **Notification type**. To ungroup the notifications, select **None**.
On the **Tenant notifications** tab only, select :::image type="icon" source="..
When you select a notification from the list, a details flyout appears with the following information: -- **Preview** tab: View the notification message as users will see it. To view the message in different languages, use the **Select notification language** dropdown list.
+- **Preview** tab: View the notification message as users see it. To view the message in different languages, use the **Select notification language** dropdown list.
- **Details** tab: View details about the notification: - **Notification description** - **Source**: For built-in notifications, the value is **Global**. For custom notifications, the value is **Tenant**.
When you select a notification from the list, a details flyout appears with the
- **Modified by** - **Last modified** - **Active training campaigns and phishing simulations**
- - **Simulation names**
- - **Simulation status**
+ - **Name**
+ - **Type**
+ - **Status**
- **End by** On the details flyout from the **Tenant notifications** tab only, select **Edit notification** to modify the notification.
+> [!TIP]
+> To see details about other notifications without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
+ ## Create end-user notifications 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> **End user notifications** \> and then select the **Tenant notifications** tab. To go directly to the **Content library** tab where you can select **End user notifications**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
On the details flyout from the **Tenant notifications** tab only, select **Edit
When you're finished n the **Define details** page, select **Next**.
-4. On the **Define content** page, the only setting that's available is the **Add content in business language** button. When you select it, an **Add content in default language** flyout opens that contains the following settings:
+4. On the **Define content** page, the only setting that's available is **Add content in business language**. When you select it, an **Add content in default language** flyout opens that contains the following settings:
- **From display name**: Enter the display name of the sender. - **From email address**: Enter the email address of the sender.
- - **Select the language of the email**: Select a language from the list.
+ - **Select the language of the email**: Select one of the following languages: **Chinese (Simplified)**, **Chinese (Traditional, Taiwan)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, **Dutch**, **Polish**, **Arabic**, **Finnish**, **Greek**, **Hungarian**, **Indonesian**, **Norwegian Bokmål**, **Romanian**, **Slovak**, **Swedish**, **Thai**, **Turkish**, **Vietnamese**, **Catalan**, **Croatian**, or **Slovenian**.
- **Mark this as the default language**: Because this is the first and only language for the notification, this language value is selected as the default, and you can't change it. - **Subject**: The default that's used depends on the notification type that you selected in the previous step, but you can change it: - Positive reinforcement: **Thank you for reporting a phish!**
On the details flyout from the **Tenant notifications** tab only, select **Edit
The following controls are also available on the **Text** tab:
- - **Dynamic tag**: Select from the following tags:
-
- |Tag name|Tag value|
- |||
- |**Insert User name**|`${userName}`|
- |**Insert First name**|`${firstName}`|
- |**Insert Last name**|`${lastName}`|
- |**Insert UPN**|`${upn}`|
- |**Insert Email**|`${emailAddress}`|
- |**Insert Department**|`${department}`|
- |**Insert Manager**|`${manager}`|
- |**Insert Mobile phone**|`${mobilePhone}`|
- |**Insert City**|`${city}`|
- |**Insert Date**|`${date|MM/dd/yyyy|offset}`|
- |**Insert training count**|`${trainingCount}`|
- |**Insert training due date**|`${trainingDueDate}`|
- |**Insert training duration**|`${trainingDuration}`|
- |**Insert training details**|`${trainingDetails}`|
+ - **Dynamic tag**: Select from the following tags based on the notification type:
+
+ |Tag name|Tag value|Positive<br/>reinforcement|Simulation|Training<br/>assignment|Training<br/>reminder|
+ |||::|::|::|::|
+ |**Insert User name**|`${userName}`|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Insert First name**|`${firstName}`|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Insert Last name**|`${lastName}`|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Insert UPN**|`${upn}`|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Insert Email**|`${emailAddress}`|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Insert Department**|`${department}`|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Insert Manager**|`${manager}`|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Insert Mobile phone**|`${mobilePhone}`|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Insert City**|`${city}`|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Insert Date**|`${date|MM/dd/yyyy|offset}`|Γ£ö|Γ£ö|Γ£ö|Γ£ö|
+ |**Insert training count**|`${trainingCount}`|||Γ£ö|Γ£ö|
+ |**Insert training due date**|`${trainingDueDate}`|||Γ£ö|Γ£ö|
+ |**Insert training duration**|`${trainingDuration}`|||Γ£ö|Γ£ö|
+ |**Insert training details**|`${trainingDetails}`|||Γ£ö|Γ£ö|
+ |**Insert payload**|`${payloadSnapshotEmailContent}`|Γ£ö|Γ£ö|Γ£ö||
- **Use from default**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the notification back to the default text and layout of the template, select **Reset to default**. - **Code** tab: You can view and modify the HTML code directly.
- You can preview the results by clicking the **Preview email** button at the top of the page.
+ You can preview the results by selecting **Preview email** at the top of the page.
When you're finished in new end-user notification wizard, select **Save**.
You can't modify built-in notifications on the **Global notifications** tab. You
To modify an existing custom notification on the **Tenant notifications** tab, do one of the following steps: -- Select the notification from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
+- Select the notification from the list by selecting the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** action that appears.
- Select **Γï«** (**Actions**) next to the **Notifications** value, and then select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit**. - Select the notification from the list by clicking anywhere in the row other than the check box. In the details flyout that opens, select **Edit notification** at the bottom of the flyout.
To copy an existing notification on the **Tenant notifications** or **Global not
When you copy a custom notification on the **Tenant notifications** tab, a copy of the notification named "\<OriginalName\> - Copy" is added to the list.
-When you copy a built-in notification on the **Global notifications** tab, a **Create copy** dialog appears. The dialog confirms that a copy of the notification has been created, and is available on the **Tenant notifications** tab. If you select **Go to Tenant notification** you're taken to the **Tenant notifications** tab, where the copied built-in notification is named "\<OriginalName\> - Copy" is available. If you select **Stay here** in the dialog, you return to the **Global notifications** tab.
+When you copy a built-in notification on the **Global notifications** tab, a **Create copy** dialog appears. The dialog confirms that a copy of the notification was created, and is available on the **Tenant notifications** tab. If you select **Go to Tenant notification** you're taken to the **Tenant notifications** tab, where the copied built-in notification is named "\<OriginalName\> - Copy" is available. If you select **Stay here** in the dialog, you return to the **Global notifications** tab.
After the copy is created, you can modify it as [previously described](#modify-end-user-notifications).
security Attack Simulation Training Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-get-started.md
description: Admins can learn how to use Attack simulation training to run simulated phishing and password attacks in their Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2 organizations. Previously updated : 7/17/2023 Last updated : 3/21/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
appliesto:
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), you can use Attack simulation training in the Microsoft Defender portal to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line. Read this article to learn more.
+In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5), you can use Attack simulation training in the Microsoft Defender portal to run realistic attack scenarios in your organization. These simulated attacks can help you identify and find vulnerable users before a real attack impacts your bottom line.
+
+This article explains the basics of Attack simulation training.
Watch this short video to learn more about Attack simulation training. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWMhvB]
Watch this short video to learn more about Attack simulation training.
- **Attack Simulation Administrators**<sup>\*</sup>: Create and manage all aspects of attack simulation campaigns. - **Attack Payload Author**<sup>\*</sup>: Create attack payloads that an admin can initiate later.
- <sup>\*</sup> Adding users to this role in [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md) is currently unsupported.
+ <sup>\*</sup> Adding users to this role group in [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md) is currently unsupported.
Currently, [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) isn't supported.
Watch this short video to learn more about Attack simulation training.
- Attack simulation and training related data is stored with other customer data for Microsoft 365 services. For more information, see [Microsoft 365 data locations](/microsoft-365/enterprise/o365-data-locations). Attack simulation training is available in the following regions: APC, EUR, and NAM. Countries within these regions where Attack simulation training is available include ARE, AUS, BRA, CAN, CHE, DEU, FRA, GBR, IND, JPN, KOR, LAM, NOR, POL, QAT, SGP, SWE, and ZAF. > [!NOTE]
- > NOR, ZAF, ARE and DEU are the latest additions. All features except reported email telemetry will be available in these regions. We are working to enable the features and will notify our customers as soon as reported email telemetry becomes available.
+ > NOR, ZAF, ARE and DEU are the latest additions. All features except reported email telemetry are available in these regions. We're working to enable the features and we'll notify customers as soon as reported email telemetry becomes available.
-- As of September 2023, Attack simulation training is available in Microsoft 365 GCC and GCC High environments, but certain advanced features are not available in GCC High (for example, payload automation, recommended payloads, the predicted compromised rate). If your organization has Office 365 G5 GCC or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training as described in this article. Attack simulation training isn't yet available in DoD environments.
+- As of September 2023, Attack simulation training is available in Microsoft 365 GCC and GCC High environments, but certain advanced features aren't available in GCC High (for example, payload automation, recommended payloads, the predicted compromised rate). If your organization has Office 365 G5 GCC or Microsoft Defender for Office 365 (Plan 2) for Government, you can use Attack simulation training as described in this article. Attack simulation training isn't yet available in DoD environments.
> [!NOTE] > Attack simulation training offers a subset of capabilities to E3 customers as a trial. The trial offering contains the ability to use a Credential Harvest payload and the ability to select 'ISA Phishing' or 'Mass Market Phishing' training experiences. No other capabilities are part of the E3 trial offering. ## Simulations
-*Phishing* is a generic term for email attacks that try to steal sensitive information in messages that appear to be from legitimate or trusted senders. *Phishing* is a part of a subset of techniques we classify as *social engineering*.
+A simulation in Attack simulation training is the overall campaign that delivers realistic but harmless phishing messages to users. The basic elements of a simulation are:
+
+- Who gets the simulated phishing message and on what schedule.
+- Training that users get based on their action or lack of action (for both correct and incorrect actions) on the simulated phishing message.
+- The _payload_ that's used in the simulated phishing message (a link or an attachment), and the composition of the phishing message (for example, package delivered, problem with your account, or you won a prize).
+- The _social engineering technique_ that's used. The payload and social engineering technique are closely related.
+
+In Attack simulation training, multiple types of social engineering techniques are available. Except for **How-to Guide**, these techniques were curated from the [MITRE ATT&CK® framework](https://attack.mitre.org/techniques/enterprise/). Different payloads are available for different techniques.
-In Attack simulation training, multiple types of social engineering techniques are available:
+The following social engineering techniques are available:
- **Credential Harvest**: An attacker sends the recipient a message that contains a URL. When the recipient clicks on the URL, they're taken to a website that typically shows a dialog box that asks the user for their username and password. Typically, the destination page is themed to represent a well-known website in order to build trust in the user.
In Attack simulation training, multiple types of social engineering techniques a
- **Link to Malware**: An attacker sends the recipient a message that contains a link to an attachment on a well-known file sharing site (for example, SharePoint Online or Dropbox). When the recipient clicks on the URL, the attachment opens, and arbitrary code (for example, a macro) is run on the user's device to help the attacker install additional code or further entrench themselves. -- **Drive-by-url**: An attacker sends the recipient a message that contains a URL. When the recipient clicks on the URL, they're taken to a website that tries to run background code. This background code attempts to gather information about the recipient or deploy arbitrary code on their device. Typically, the destination website is a well-known website that has been compromised or a clone of a well-known website. Familiarity with the website helps convince the user that the link is safe to click. This technique is also known as a *watering hole attack*.
+- **Drive-by-url**: An attacker sends the recipient a message that contains a URL. When the recipient clicks on the URL, they're taken to a website that tries to run background code. This background code attempts to gather information about the recipient or deploy arbitrary code on their device. Typically, the destination website is a well-known website that has been compromised or a clone of a well-known website. Familiarity with the website helps convince the user that the link is safe to click. This technique is also known as a _watering hole attack_.
- **OAuth Consent Grant**: An attacker creates a malicious Azure Application that seeks to gain access to data. The application sends an email request that contains a URL. When the recipient clicks on the URL, the consent grant mechanism of the application asks for access to the data (for example, the user's Inbox).
-The URLs that are used by Attack simulation training are described in the following table:
+- **How-to Guide**: A teaching guide that contains instructions for users (for example, how to report phishing messages).
+
+The URLs that are used by Attack simulation training are listed in the following table:
|&nbsp;|&nbsp;|&nbsp;| ||||
The URLs that are used by Attack simulation training are described in the follow
|<https://www.exportants.fr>|<https://www.resetts.fr>|| > [!NOTE]
-> Check the availability of the simulated phishing URL in your supported web browsers before you use the URL in a phishing campaign. While we work with many URL reputation vendors to always allow these simulation URLs, we don't always have full coverage (for example, Google Safe Browsing). Most vendors provide guidance that allows you to always allow specific URLs (for example, <https://support.google.com/chrome/a/answer/7532419>).
+> Check the availability of the simulated phishing URL in your supported web browsers before you use the URL in a phishing campaign. For more information, see [Phishing simulation URLs blocked by Google Safe Browsing](attack-simulation-training-faq.md#phishing-simulation-urls-blocked-by-google-safe-browsing).
+
+### Create simulations
+
+For instructions on how to create and launch simulations, see [Simulate a phishing attack](attack-simulation-training-simulations.md).
+
+The _landing page_ in the simulation is where users go when they open the payload. When you create a simulation, you select the landing page to use. You can select from built-in landing pages, custom landing pages that you already created, or you can create a new landing page to use during the creation of the simulation. To create landing pages, see [Landing pages in Attack simulation training](attack-simulation-training-landing-pages.md).
+
+_End user notifications_ in the simulation send periodic reminders to users (for example, training assignment and reminder notifications). You can select from built-in notifications, custom notifications that you already created, or you can create new notifications to use during the creation of the simulation. To create notifications, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
+
+> [!TIP]
+> _Simulation automations_ provide the following improvements over traditional simulations:
+>
+> - Simulation automations can include multiple social engineering techniques and related payloads (simulations contain only one).
+> - Simulation automations support automated scheduling options (more than just the start date and end date in simulations).
+>
+> For more information, see [Simulation automations for Attack simulation training](attack-simulation-training-simulation-automations.md).
+
+### Payloads
-### Create a simulation
+Although Attack simulation contains many built-in payloads for the available social engineering techniques, you can create custom payloads to better suit your business needs, including [copying and customizing an existing payload](attack-simulation-training-payloads.md#copy-payloads). You can create payloads at any time before you create the simulation or during the creation of the simulation. To create payloads, see [Create a custom payload for Attack simulation training](attack-simulation-training-payloads.md#create-payloads).
-For step by step instructions on how to create and send a new simulation, see [Simulate a phishing attack](attack-simulation-training-simulations.md).
+In simulations that use **Credential Harvest** or **Link in Attachment** social engineering techniques, _login pages_ are part of the payload that you select. The login page is the web page where users enter their credentials. Each applicable payload uses a default login page, but you can change the login page that's used. You can select from built-in login pages, custom login pages that you already created, or you can create a new login page to use during the creation of the simulation or the payload. To create login pages, see [Login pages in Attack simulation training](attack-simulation-training-login-pages.md).
-### Create a payload
+The best training experience for simulated phishing messages is to make them as close as possible to real phishing attacks that your organization might experience. What if you could capture and use harmless versions of real-world phishing messages that were detected in Microsoft 365 and use them in simulated phishing campaigns? You can, with _payload automations_ (also known as _payload harvesting_). To create payload automations, see [Payload automations for Attack simulation training](attack-simulation-training-payload-automations.md).
-For step by step instructions on how to create a payload for use within a simulation, see [Create a custom payload for Attack simulation training](attack-simulation-training-payloads.md#create-payloads).
+### Reports and insights
-### Gaining insights
+After you create and launch the simulation, you need to see how it's going. For example:
-For step by step instructions on how to gain insights with reporting, see [Gain insights through Attack simulation training](attack-simulation-training-insights.md).
+- Did everyone receive it?
+- Who did what to the simulated phishing message and the payload within it (delete, report, open the payload, enter credentials, etc.).
+- Who completed the assigned training.
+
+The available reports and insights for Attack simulation training are described in [Insights and reports for Attack simulation training](attack-simulation-training-insights.md).
### Predicted compromise rate
-One of the most crucial elements in a phishing simulation is the payload selection. If you're tracking only click-through as a quality metric, there's an incentive to decrease the click rate by selecting easier-to-spot phishing payloads. Eventually, it's less likely that the user will change their behavior when a real phishing message comes along.
+You often need to tailor a simulated phishing campaign for specific audiences. If the phishing message is too close to perfect, almost everyone will be fooled by it. If it's too suspicious, no will be fooled by it. And, the phishing messages that some users consider difficult to identify are considered easy to identify by other users. So how do you strike a balance?
-To combat the tendency to use low click rate payloads and to maximize educational returns, we've created a new piece of metadata for every global payload called the predicted compromise rate (PCR).
+The _predicted compromise rate (PCR)_ indicates the potential effectiveness when the payload is used in a simulation. PCR uses intelligent historical data across Microsoft 365 to predict the percentage of people who will be compromised by the payload. For example:
-PCR uses historical data across Microsoft 365 that predicts the percentage of people who will be compromised by the payload. PCR is an intelligent mechanism that's built on information like payload content, compromise rates (aggregated and anonymized), and payload metadata. PCR predicts a more accurate potential compromise rate when the payload is used within a simulation. The benefit of PCR comes from predicting actual vs. predicted click through for a given simulation and payload.
+- Payload content.
+- Aggregated and anonymized compromise rates from other simulations.
+- Payload metadata.
-You can also review the overall performance of your organization by measuring the difference between the predicted compromise rate and the actual compromise rate across simulations using the Training efficacy report.
+PCR allows you to compare the predicted vs. actual click through rates for your phishing simulations. You can also use this data to see how your organization performs compared to predicted outcomes.
-> [!NOTE]
+PCR information for a payload is available wherever you view and select payloads, and in the following reports and insights:
+
+- [Behavior impact on compromise rate card](attack-simulation-training-insights.md#behavior-impact-on-compromise-rate-card)
+- [Training efficacy tab for the Attack simulation report](attack-simulation-training-insights.md#training-efficacy-tab-for-the-attack-simulation-report)
+
+> [!TIP]
> Attack Simulator uses Safe Links in Defender for Office 365 to securely track click data for the URL in the payload message that's sent to targeted recipients of a phishing campaign, even if the **Track user clicks** setting in Safe Links policies is turned off.+
+## Training without tricks
+
+Traditional phishing simulations present users with suspicious messages and the following goals:
+
+- Get users to report the message as suspicious.
+- Provide training after users click on or launch the simulated malicious payload and give up their credentials.
+
+But, sometimes you don't want to wait for users to take correct or incorrect actions before you give them training. Attack simulation training provides the following features to skip the wait and go straight to training:
+
+- **Training campaigns**: A Training campaign is a training-only assignment for the targeted users. You can directly assign training without putting users through the test of a simulation. Training campaigns make it easy to conduct learning sessions like monthly cybersecurity awareness training. For more information, see [Training campaigns in Attack simulation training](attack-simulation-training-training-campaigns.md).
+
+- **How-to Guides in simulations**: Simulations based on the **How-to Guide** social engineering technique don't attempt to test users. A How-to guide is a lightweight learning experience that users can view directly in their Inbox. For example, the following built-in **How-to Guide** payloads are available, and you can create your own (including [copying and customizing an existing payload](attack-simulation-training-payloads.md#copy-payloads)):
+ - **Teaching guide: How to report phishing messages**
+ - **Teaching Guide: How to recognize and report QR phishing messages**
security Attack Simulation Training Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
description: Admins can learn how Attack simulation training in the Microsoft Defender portal affects users and can gain insights from simulation and training outcomes. search.appverid: met150 Previously updated : 6/14/2023 Last updated : 3/14/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
In Attack simulation training in Microsoft Defender for Office 365 Plan 2 or Mic
Insights and reports are available in the following locations on the **Attack simulation training** page in the Microsoft Defender portal: -- The **Overview** tab.-- The simulation report for in-progress or completed simulations that you select from the **Recent simulations** card on the **Overview** tab or on the **Simulations** tab.
+- Insights:
+ - The **Overview** tab at <https://security.microsoft.com/attacksimulator?viewid=overview>.
+ - The **Reports** tab at <https://security.microsoft.com/attacksimulator?viewid=reports>.
+- Reports:
+ - The **Attack simulation report** page at <https://security.microsoft.com/attacksimulationreport>:
+ - [Training efficacy tab](#training-efficacy-tab-for-the-attack-simulation-report)
+ - [User coverage tab](#user-coverage-tab-for-the-attack-simulation-report)
+ - [Training completion tab](#training-completion-tab-for-the-attack-simulation-report)
+ - [Repeat offenders tab](#repeat-offenders-tab-for-the-attack-simulation-report)
+ - The reports for in-progress and completed simulations and training campaigns: For more information, see [Attack simulation report](#attack-simulation-report).
-The rest of this article describes the available information.
+The rest of this article describes the reports and insights for Attack simulation training.
For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
-## Insights and reports on the Overview tab of Attack simulation training
+## Insights on the Overview and Reports tabs of Attack simulation training
-To go to the **Overview** tab, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training**, and verify that the **Overview** tab is selected (it's the default). To go directly to the **Overview** tab on the **Attack simulation training** page, use <https://security.microsoft.com/attacksimulator?viewid=overview>.
+To go to the **Overview** tab, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training**:
-The rest of this section describes the information that's available on the **Overview** tab of Attack simulation training.
+- **Overview** tab: Verify that the **Overview** tab is selected (it's the default). Or, to go directly to the **Overview** tab, use <https://security.microsoft.com/attacksimulator?viewid=overview>.
+- **Reports** tab: Select the **Reports** tab. Or, to go directly to the **Reports** tab, use <https://security.microsoft.com/attacksimulationreport>.
+
+The distribution of insights on the tabs is described in the following table:
+
+|Report|Overview tab|Reports tab|
+||::|::|
+|[Recent simulations card](#recent-simulations-card)|Γ£ö||
+|[Recommendations card](#recommendations-card)|Γ£ö||
+|[Simulation coverage card](#simulation-coverage-card)|Γ£ö|Γ£ö|
+|[Training completion card](#training-completion-card)|Γ£ö|Γ£ö|
+|[Repeat offenders card](#repeat-offenders-card)|Γ£ö|Γ£ö|
+|[Behavior impact on compromise rate card](#behavior-impact-on-compromise-rate-card)|Γ£ö|Γ£ö|
+
+The rest of this section describes the information that's available on the **Overview** and **Reports** tabs of Attack simulation training.
### Recent simulations card
-The **Recent simulations** card on the **Overview** tab shows the last three simulations that you've created or run in your organization.
+The **Recent simulations** card on the **Overview** tab shows the last three simulations that you created or ran in your organization.
You can select a simulation to view details.
Selecting **View all simulations** takes you to the **Simulations** tab.
Selecting **Launch a simulation** starts the new simulation wizard. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training-simulations.md). ### Recommendations card
The **Recommendations** card on the **Overview** tab suggests different types of
Selecting **Launch now** starts the new simulation wizard with the specified simulation type automatically selected on the **Select technique** page. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training-simulations.md). ### Simulation coverage card
-The **Simulation coverage** card on the **Overview** tab shows the percentage of users in your organization who have received a simulation (**Simulated users**) vs. users who haven't received a simulation (**Non-simulated users**). You can hover over a section in the chart to see the actual number of users in each category.
-
-Selecting **Launch simulation for non-simulated users** starts the new simulation wizard where the users who didn't receive the simulation are automatically selected on the **Target user** page. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training-simulations.md).
+The **Simulation coverage** card on the **Overview** and **Reports** tabs shows the percentage of users in your organization who received a simulation (**Simulated users**) vs. users who didn't receive a simulation (**Non-simulated users**). You can hover over a section in the chart to see the actual number of users in each category.
Selecting **View simulation coverage report** takes you to the [User coverage tab for the Attack simulation report](#user-coverage-tab-for-the-attack-simulation-report).
+Selecting **Launch simulation for non-simulated users** starts the new simulation wizard where the users who didn't receive the simulation are automatically selected on the **Target user** page. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training-simulations.md).
+ ### Training completion card
-The **Training completion** card on the **Overview** tab organizes the percentages of users who received trainings based on the results of simulations into the following categories:
+The **Training completion** card on the **Overview** and **Reports** tabs organizes the percentages of users who received trainings based on the results of simulations into the following categories:
- **Completed** - **In progress**
You can hover over a section in the chart to see the actual number of users in e
Selecting **View training completion report** takes you to the [Training completion tab for the Attack simulation report](#training-completion-tab-for-the-attack-simulation-report). + ### Repeat offenders card
-The **Repeat offenders** card on the **Overview** tab shows the information about repeat offenders. A _repeat offender_ is a user who was compromised by consecutive simulations. The default number of consecutive simulations is two, but you can change the value on the **Settings** tab of Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=setting>. For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold).
+The **Repeat offenders** card on the **Overview** and **Reports** tabs shows the information about repeat offenders. A _repeat offender_ is a user who was compromised by consecutive simulations. The default number of consecutive simulations is two, but you can change the value on the **Settings** tab of Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=setting>. For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold).
The chart organizes repeat offender data by [simulation type](attack-simulation-training-simulations.md#select-a-social-engineering-technique):
The chart organizes repeat offender data by [simulation type](attack-simulation-
Selecting **View repeat offender report** takes you to the [Repeat offenders tab for the Attack simulation report](#repeat-offenders-tab-for-the-attack-simulation-report). + ### Behavior impact on compromise rate card
-The **Behavior impact on compromise rate** card on the **Overview** tab shows how your users responded to your simulations as compared to the historical data in Microsoft 365. You can use these insights to track progress in users threat readiness by running multiple simulations against the same groups of users.
+The **Behavior impact on compromise rate** card on the **Overview** and **Reports** tabs shows how your users responded to your simulations as compared to the historical data in Microsoft 365. You can use these insights to track progress in users threat readiness by running multiple simulations against the same groups of users.
The chart data shows the following information: -- **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this simulation. To learn more about the predicted compromise rate (PCR), see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).- - **Actual compromise rate**: The actual percentage of people who were compromised by the simulation (actual users compromised / total number of users in your organization who received the simulation).
+- **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this simulation. To learn more about the predicted compromise rate (PCR), see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).
If you hover over a data point in the chart, the actual percentage values are shown.
-The following summary information is also shown on the card:
--- **users less susceptible to phishing**: The difference between the actual number of users compromised by the simulated attack and the predicted compromise rate. This number of users is less likely to be compromised by similar attacks in the future.-- **x% better than predicted rate**: Indicates how users did overall in contrast with the predicted compromise rate.-
+To see a detailed report, select **View simulations and training efficacy report**. This report is explained [later in this article](#training-efficacy-tab-for-the-attack-simulation-report).
-To see a more detailed report, select **View simulations and training efficacy report**. This report is explained [later in this article](#training-efficacy-tab-for-the-attack-simulation-report).
-### Attack simulation report
+## Attack simulation report
-You can open the **Attack simulation report** from the **Overview** tab by clicking on the **View ... report** buttons that are available in some of the cards that are described in this article. To go directly to the report, use <https://security.microsoft.com/attacksimulationreport>
+You can open the **Attack simulation report** from the **Overview** tab by selecting the **View ... report** actions that are available on some of the cards on the **Overview** and **Reports** tabs that are described in this article. To go directly to the **Attack simulation report** page, use <https://security.microsoft.com/attacksimulationreport>
-#### Training efficacy tab for the Attack simulation report
+### Training efficacy tab for the Attack simulation report
-On the **Attack simulation report** page, the **Training efficacy** tab is selected by default. This tab provides the same information that's available in the **Behavior impact on compromise rate** card, with additional context from the simulation itself.
+The **Training efficacy** tab is selected by default on the **Attack simulation report** page. This tab provides the same information that's available in the **Behavior impact on compromise rate** card, with additional context from the simulation itself.
-The chart shows the **Predicted compromise rate** and **Actual compromised rate**. If you hover over a section in the chart, the actual percentage values for are shown.
+The chart shows the **Actual compromised rate** and the **Predicted compromise rate**. If you hover over a section in the chart, the actual percentage values for are shown.
-The details table below the chart shows the following information:
+The details table below the chart shows the following information. You can sort the simulations by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
- **Simulation name** - **Simulation technique**
The details table below the chart shows the following information:
- **Total users targeted** - **Count of clicked users**
-You can sort the results by clicking on an available column header.
-
-Select **Customize columns** to remove the columns that are shown. When you're finished, select **Apply**.
-
-Use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by **Simulation name** or **Simulation Technique**. Wildcards aren't supported.
-
-If you select the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by **Simulation name** or **Simulation Technique**. Wildcards aren't supported.
-#### User coverage tab for the Attack simulation report
+Use the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button to save the information to a CSV file. The default filename is Attack simulation report - Microsoft Defender.csv, and the default location is the local Downloads folder. If an exported report already exists in that location, the filename is incremented (for example, Attack simulation report - Microsoft Defender (1).csv).
+### User coverage tab for the Attack simulation report
On the **User coverage** tab, the chart shows the **Simulated users** and **Non-simulated users**. If you hover over a data point in the chart, the actual values are shown.
-The details table below the chart shows the following information:
+
+The details table below the chart shows the following information. You can sort the information by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
- **Username** - **Email address**
The details table below the chart shows the following information:
- **Count of clicked** - **Count of compromised**
-You can sort the results by clicking on an available column header. Select **Customize columns** to remove the columns that are shown.
-
-Use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by **Username** or **Email address**. Wildcards aren't supported.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by **Username** or **Email address**. Wildcards aren't supported.
-If you select the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
+Use the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button to save the information to a CSV file. The default filename is Attack simulation report - Microsoft Defender.csv, and the default location is the local Downloads folder. If an exported report already exists in that location, the filename is incremented (for example, Attack simulation report - Microsoft Defender (1).csv).
-#### Training completion tab for the Attack simulation report
-
+### Training completion tab for the Attack simulation report
On the **Training completion** tab, the chart shows the number of **Completed**, **In progress**, and **Incomplete** simulations. If you hover over a section in the chart, the actual values are shown.
-The details table below the chart shows the following information:
+
+The details table below the chart shows the following information. You can sort the information by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
- **Username** - **Email address**
The details table below the chart shows the following information:
- **Date completed** - **All trainings**
-You can sort the results by clicking on an available column header. Select **Customize columns** to remove the columns that are shown.
-
-Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the chart and details table by the **Status** values of the trainings: **Completed**, **In progress**, or **All**.
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the chart and details table by a **Status** values of the trainings: **Completed**, **In progress**, or **All**.
When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by **Username** or **Email address**. Wildcards aren't supported.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by **Username** or **Email address**. Wildcards aren't supported.
If you select the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
-#### Repeat offenders tab for the Attack simulation report
-
+### Repeat offenders tab for the Attack simulation report
A _repeat offender_ is a user who was compromised by consecutive simulations. The default number of consecutive simulations is two, but you can change the value on the **Settings** tab of Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=setting>. For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold).
-On the **Repeat offenders** tab, the chart organizes repeat offender data by [simulation type](attack-simulation-training-simulations.md#select-a-social-engineering-technique):
+On the **Repeat offenders** tab, the chart shows the number of **Repeat offender users** and **Simulated users**.
-- **All**-- **Credential Harvest**-- **Malware Attachment**-- **Link in Attachment**-- **Link to Malware**-- **Drive-by URL** If you hover over a data point in the chart, the actual values are shown.
-The details table below the chart shows the following information:
+The details table below the chart shows the following information. You can sort the information by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
- **User**-- **Repeat count** - **Simulation types** - **Simulations**
+- **Email address**
+- **Last repeat count**
+- **Repeat offenses**
+- **Last simulation name**
+- **Last simulation result**
+- **Last training assigned**
+- **Last training status**
-You can sort the results by clicking on an available column header. Select **Customize columns** to remove the columns that are shown.
-
-Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the chart and details table by some or all of the simulation type values:
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the chart and details table by one or more simulation type values:
- **Credential Harvest** - **Malware Attachment**
Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" bord
When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-Use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by any of the column values. Wildcards aren't supported.
+Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to filter the results by any of the column values. Wildcards aren't supported.
-If you select the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button, report generation progress is shown as a percentage of complete. In the dialog that opens, you can choose to open the .csv file, save the .csv file, and remember the selection.
+Use the :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export report** button to save the information to a CSV file. The default filename is Attack simulation report - Microsoft Defender.csv, and the default location is the local Downloads folder. If an exported report already exists in that location, the filename is incremented (for example, Attack simulation report - Microsoft Defender (1).csv).
## Simulation report in Attack simulation training
-To view the details of in-progress or completed simulations, use either of the following methods:
+The simulation report shows the details of in-progress or completed simulations (the **Status** value is **In progress** or **Completed**). To view the simulation report, use any of the following methods:
-- On the **Overview** tab at <https://security.microsoft.com/attacksimulator?viewid=overview>, select a simulation from the [Recent simulations card](#recent-simulations-card).-- On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, select a simulation by clicking anywhere in the row other than the check box next to the name.
+- On the **Overview** tab of the **Attack simulation training** page at <https://security.microsoft.com/attacksimulator?viewid=overview>, select a simulation from the [Recent simulations card](#recent-simulations-card).
-The page that opens contains **Report**, **Users** and **Details** tabs that contain information about the simulation. The rest of this section describes the insights and reports that are available on the **Report** tab.
+ :::image type="content" source="../../media/attack-sim-training-overview-recent-simulations-card.png" alt-text="The Recent simulations card on the Overview tab in Attack simulation training in the Microsoft Defender portal." lightbox="../../media/attack-sim-training-overview-recent-simulations-card.png":::
-For details about the **Users** and **Details** tabs, see [View simulation details](attack-simulation-training-simulations.md#view-simulation-reports).
+- On the **Simulations** tab of the **Attack simulation training** page at <https://security.microsoft.com/attacksimulator?viewid=simulations>, select a simulation by clicking anywhere in the row other than the check box next to the name. For more information, see [View simulation reports](attack-simulation-training-simulations.md#view-simulation-reports).
-### Simulation impact section
+ - On the **Training** tab of the **Attack simulation training** page at <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>, select the training campaign using either of the following methods:
+ - Click anywhere in the row other than the check box next to the name.
+ - Select the check box next to the name, and then select :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **View report**.
-The **Simulation impact** section on the simulation details page shows how many users were completely tricked by the simulation and the total number of users in the simulation. The information that's shown varies based on the simulation type. For example:
+ For more information, see [View Training campaign reports](attack-simulation-training-training-campaigns.md#view-training-campaign-reports).
-- Links: **Entered credentials** and **Did not enter credentials**.
+The report page that opens contains **Report**, **Users, and **Details** tabs that contain information about the simulation. The rest of this section describes the insights and reports that are available on the **Report** tab.
- :::image type="content" source="../../media/attack-sim-training-sim-details-sim-impact-links.png" alt-text="The Simulation impact section for link-related simulation details" lightbox="../../media/attack-sim-training-sim-details-sim-impact-links.png":::
+The sections on the **Report** tab for a simulation are described in the following subsections.
-- Attachments: **Opened attachment** and **Did not open attachment**.
+For more information about the **Users** and **Details** tabs, see the following links.
- :::image type="content" source="../../media/attack-sim-training-sim-details-sim-impact-attachments.png" alt-text="The Simulation impact section for attachment-related simulation details" lightbox="../../media/attack-sim-training-sim-details-sim-impact-attachments.png":::
+- Simulations:
+ - [Users tab](attack-simulation-training-simulations.md#users-tab)
+ - [Details tab](attack-simulation-training-simulations.md#details-tab)
+- Training campaigns:
+ - [Users tab](attack-simulation-training-training-campaigns.md#users-tab)
+ - [Details tab](attack-simulation-training-training-campaigns.md#details-tab)
+
+### Simulation report for simulations
+
+This section describes the information in the simulation report for regular simulations (not [Training campaigns](#simulation-report-for-training-campaigns)).
++
+#### Simulation impact section in the report for simulations
+
+The **Simulation impact** section on **Report** tab** for a simulation shows the number and percentage of **Compromised users** and **Users who reported** the message.
If you hover over a section in the chart, the actual numbers for each category are shown.
-### All user activity section
+Select **View compromised users** to go to the [Users tab](attack-simulation-training-simulations.md#users-tab) tab in the report where the results are filtered by **Compromised: Yes**.
+
+Select **View users who reported** to go to the [Users tab](attack-simulation-training-simulations.md#users-tab) tab in the report where the results are filtered by **Reported message: Yes**.
++
+#### All user activity section in the report for simulations
+
+The **All user activity** section on **Report** tab** for a simulation shows numbers for the possible outcomes of the simulation. The information varies based on the simulation type. For example:
+
+- **Clicked message link** or **Attachment link clicked** or **Attachment opened**
+- **Supplied credentials**
+- **Read message**
+- **Deleted message**
+- **Replied to message**
+- **Forwarded message**
+- **Out of office**
+
+Select **View all users** to go to the [Users tab](attack-simulation-training-simulations.md#users-tab) tab in the report where the results are unfiltered.
++
+#### Delivery status section in the report for simulations
+
+The **Delivery status** section on **Report** tab** for a simulation shows the numbers for the possible delivery statuses for the simulation message. For example:
+
+- **Successfully received message**
+- **Positive reinforcement message delivered**
+- **Just simulation message delivered
+
+Select **View users to whom message delivery failed** to go to the [Users tab](attack-simulation-training-simulations.md#users-tab) tab in the report where the results are filtered by **Simulation message delivery: Failed to deliver**.
+
+Select **View excluded users or groups** to open an **Excluded users or groups** flyout that shows the users or groups that were excluded from the simulation.
+
-The **All user activity** section on the simulation details page shows numbers for the possible outcomes of the simulation. The information that's shown varies based on the simulation type. For example:
+#### Training completion section in the report for simulations
-- **SuccessfullyDeliveredEmail**-- **ReportedEmail**: How many users reported the simulation message as suspicious.-- Links:
- - **EmailLinkClicked**: How many users clicked on the link in the simulation message.
- - **CredSupplied**: After clicking on the link, how many users supplied their credentials.
+The **Training completion** section on the simulation details page shows the trainings that are required for the simulation, and how many users completed the trainings.
- :::image type="content" source="../../media/attack-sim-training-sim-details-all-user-activity-links.png" alt-text="The All user activity section for link-related simulation details" lightbox="../../media/attack-sim-training-sim-details-all-user-activity-links.png":::
+If no trainings were included in the simulation, the only value in this section is **Trainings were not part of this simulation**.
-- Attachments:
- - **AttachmentOpened**: How many users opened the attachment in the simulation message.
- :::image type="content" source="../../media/attack-sim-training-sim-details-all-user-activity-attachments.png" alt-text="The All user activity section for attachment-related simulation details" lightbox="../../media/attack-sim-training-sim-details-all-user-activity-attachments.png":::
+#### First & average instance section in the report for simulations
+
+The **First & average instance** section on **Report** tab** for a simulation shows information about the time it took to do specific actions in the simulation. For example:
+
+- **First link clicked**
+- **Avg. link clicked**
+- **First credential entered**
+- **Avg. credential entered**
++
+#### Recommendations section in the report for simulations
+
+The **Recommendations** section on **Report** tab** for a simulation shows recommendations for using Attack simulation training to help secure your organization.
++
+### Simulation report for Training campaigns
+
+This section describes the information in the simulation report for Training campaigns (not [simulations](#simulation-report-for-simulations)).
++
+#### Training completion classification section in the report for Training campaigns
+
+The **Training completion classification** section on **Report** tab** for a Training campaign shows information about the completed Training modules in the Training campaign.
++
+#### Training completion summary section in the report for Training campaigns
+
+The **Training completion summary** section on **Report** tab** for a Training campaign uses bar graphs show the progression of assigned users through all Training modules in the campaign (number of users / total number of users):
+
+- **Completed**
+- **In progress**
+- **Not started**
+- **Not completed**
+- **Previously assigned**
-### Training completion section
+You can hover over a section in the chart to see the actual percentage in each category.
-The **Training completion** section on the simulation details page shows the trainings that are required for the simulation, and how many users have completed the trainings.
+#### All user activity section in the report for Training campaigns
-## Recommended actions section
+The **All user activity** section on **Report** tab** for a Training campaign uses a bar graph to shows how main people **Successfully received training notification** (number of users / total number of users).
-The **Recommended actions** section on the simulation details page shows recommendation actions from [Microsoft Secure Score](../defender/microsoft-secure-score.md) and the effect the action will have on your Secure Score. These recommendations are based on the payload that was used in the simulation, and will help protect your users and your environment. Selecting an **Improvement action** from the list takes you to the location to implement the suggested action.
+You can hover over a section in the chart to see the actual numbers in each category.
## Related Links
security Attack Simulation Training Landing Pages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-landing-pages.md
In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Offi
For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
-To see the available landing pages, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Phish landing pages**. To go directly to the **Content library** tab where you can select **Landing pages**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
+To see the available landing pages, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Phish landing pages**. To go directly to the **Content library** tab where you can select **Phish landing pages**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
-**Landing pages** in the **Content library** tab has two tabs:
+**Phish landing pages** in the **Content library** tab has two tabs:
-- **Global landing pages** tab: Contains the built-in, nonmodifiable landing page templates named **Microsoft Landing Page Template 1** to **Microsoft Landing Page Template 5**. These built-in landing pages are localized into 12+ languages.-- **Tenant landing pages** tab: Contains the custom landing pages that you've created.
+- **Global landing pages** tab: Contains built-in, unmodifiable landing page templates named **Microsoft Landing Page Template 1** to **Microsoft Landing Page Template 5**. These built-in landing pages are localized into 12+ languages.
+- **Tenant landing pages** tab: Contains custom landing pages that you created.
-The following information is shown for each landing page<sup>\*</sup>:
+The following information is shown for each landing page. You can sort the landing pages by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
- **Name** - **Γï«** (**Actions** control): Take action on the landing page. The available actions depend on the **Status** value of the landing page as described in the procedure sections.-- **Language**
+- **Language**: One or more of the following values: **German**, **English**, **Spanish**, **French**, **Italian**, **Japanese**, **Korean**, **Dutch**, **Portuguese**, **Russian**, **Chinese (Simplified)**, and **Chinese (Traditional, Taiwan)**.
- **Default language** - **Status**: **Ready** or **Draft**. - **Linked simulations**-- **Created by**: For built-in landing pages, the value is **Microsoft**. For custom landing pages, the value is the UPN of the user who created the landing page.
+- **Created by**: For built-in landing pages, the value is **Microsoft**. For custom landing pages, the value is the user principal name (UPN) of the user who created the landing page.
- **Created time** - **Modified by**
-Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
- > [!TIP]
-> The **Γï«** (**Actions** control) is associated with the **Name** column. If you remove that column from view, the **Γï«** control goes away.
-
-<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
--- Horizontally scroll in your web browser.-- Narrow the width of appropriate columns.-- Remove columns from the view.-- Zoom out in your web browser.
+> To see all columns, you likely need to do one or more of the following steps:
+>
+> - Horizontally scroll in your web browser.
+> - Narrow the width of appropriate columns.
+> - Remove columns from the view.
+> - Zoom out in your web browser.
+>
+> The **Γï«** (**Actions** control) is associated with the **Notifications** column. If you remove that column from view, the **Γï«** control goes away.
To find a landing page in the list, type part of the landing page name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
When you select a landing page from the list by clicking anywhere in the row oth
In custom landing pages only, an **Edit landing page** link is available at the bottom of both tabs.
+> [!TIP]
+> To see details about other landing pages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
+ ## Create landing pages 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Phish landing pages**. To go directly to the **Content library** tab where you can select **Phish landing pages**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
In custom landing pages only, an **Edit landing page** link is available at the
> > You can also create landing pages during the creation of simulations and simulation automations. For more information, see [Create a simulation: Select a landing page](attack-simulation-training-simulations.md#select-a-landing-page) and [Create a simulation automation: Select a landing page](attack-simulation-training-simulation-automations.md#select-a-landing-page).
-3. On the **Define details for phish landing page** page, configured the following settings:
+3. On the **Define details for phish landing page** page, configure the following settings:
- **Name**: Enter a unique, descriptive name for the landing page. - **Description**: Enter an optional description. When you're finished on the **Define details for phish landing page** page, select **Next**. 4. On the **Configure landing page** page, select **Define content in preferred language**. In the **Add content in default language** flyout that opens, configure the following settings:
- - **Select the language for the landing page**: Select one of the 29+ available languages.
+ - **Select the language for the landing page**: Select one of the available languages: **Chinese (Simplified)**, **Chinese (Traditional, Taiwan)**, **Dutch**, **English**, **Spanish**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Swedish**, **Norwegian Bokmål**, **Polish**, **Finnish**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.
- **Mark this as default language**: For the first landing page you create, this setting is selected and unchangeable. - Landing page content: Two tabs are available:- - **Text** tab: A rich text editor is available to create the landing page. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**. The following controls are also available on the **Text** tab:
In custom landing pages only, an **Edit landing page** link is available at the
- **Code** tab: You can view and modify the HTML code directly.
- You can preview the results by clicking the **Preview phish landing page** button at the top of the page.
+ You can preview the results by selecting **Preview phish landing page** at the top of the page.
When you're finished on the **Add content in default language** flyout, select **Save**.
security Attack Simulation Training Login Pages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-login-pages.md
description: Admins can learn how to create and manage login pages for simulated phishing attacks in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 6/14/2023 Last updated : 3/11/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
To see the available login pages, open the Microsoft Defender portal at <https:/
**Login pages** in the **Content library** tab has two tabs: -- **Global login pages** tab: Contains the built-in, non-modifiable login pages. There are four built-in login pages localized into 12+ languages:
+- **Global login pages** tab: Contains the built-in, unmodifiable login pages. There are four built-in login pages localized into 12+ languages:
- **GitHub login page** - **LinkedIn login page** - **Microsoft login page** - **Non-branded login page** -- **Tenant login pages** tab: Contains the custom login pages that you've created.
+- **Tenant login pages** tab: Contains the custom login pages that you created.
-The following information is shown for each login page:
+The following information is shown for each login page. You can sort the login pages by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
- **Name** - **Γï«** (**Actions** control): Take action on the login page. The available actions depend on the **Status** value of the login page as described in the procedure sections.
The following information is shown for each login page:
- **Created by**: For built-in login pages, the value is **Microsoft**. For custom login pages, the value is the UPN of the user who created the login page. - **Last modified**
-Select a column header to sort by that column. To remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**.
- To find a login page in the list, type part of the login page name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the login pages by **Language** or **Status**.
When you select a login page from the list by clicking anywhere in the row other
- :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** is available only in custom login pages on the **Tenant login pages** tab. - :::image type="icon" source="../../medi). If the login page is already the default, :::image type="icon" source="../../media/m365-cc-sc-set-as-default-icon.png" border="false"::: **Mark as default** isn't available.-- **Preview** tab: View the login page as users will see it. **Page 1** and **Page 2** links are available at the bottom of the page for two-page login pages.
+- **Preview** tab: View the login page as users see it. **Page 1** and **Page 2** links are available at the bottom of the page for two-page login pages.
- **Details** tab: View details about the login page: - **Description** - **Status**: **Ready** or **Draft**.
When you select a login page from the list by clicking anywhere in the row other
- **Language** - **Last modified**
+> [!TIP]
+> To see details about other login pages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
+ ## Create login pages 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Login pages**. To go directly to the **Content library** tab where you can select **Login pages**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
When you select a login page from the list by clicking anywhere in the row other
4. On the **Configure login page** page, configure the following settings:
- - **Select a language**: The available values are: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, and **Dutch**.
+ - **Select a language**: The available values are: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, **Dutch**, and **Other**.
- **Make this the default login page**: If you select this option, the login page is the default selection in **Credential Harvest** or **Link in Attachment** [payloads](attack-simulation-training-payloads.md) or [payload automations](attack-simulation-training-payload-automations.md).
To make a login page the default on the **Tenant login pages** or **Global login
- Select **Make this the default login page** on the **Configure login page** page in the wizard when you [create or modify a login page](#create-login-pages). > [!NOTE]
-> The previous procedures are not available if the login page is already the default.
+> The previous procedures aren't available if the login page is already the default.
> > The default login page is also marked in the list, although you might need to widen the **Name** column to see it: >
security Attack Simulation Training Payload Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations.md
description: Admins can learn how to use payload automations (payload harvesting) to collect and launch automated simulations for Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 6/21/2023 Last updated : 3/14/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
appliesto:
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, payload automations (also known as _payload harvesting_) collect information from real-world phishing attacks that were reported by users in your organization. Although the numbers of these messages are likely low in your organization, you can specify the conditions to look for in phishing attacks (for example, recipients, social engineering technique, sender information, etc.). Attack simulation training then mimics the messages and payloads used in the attack to automatically launch harmless simulations to targeted users.
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, payload automations (also known as _payload harvesting_) collect information from real-world phishing attacks that were reported by users in your organization. You can specify the conditions to look for in phishing attacks (for example, recipients, social engineering technique, or sender information). Attack simulation training then mimics the messages and payloads used in the attack to automatically launch harmless simulations to targeted users.
For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md). To see any existing payload automations that you created, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> and then select **Payload automations**. To go directly to the **Automations** tab where you can select **Payload automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.
-The following information is shown for each payload automation<sup>\*</sup>:
+The following information is shown for each payload automation. You can sort the payload automations by clicking on an available column header.
- **Automation name** - **Type**: The value is **Payload**.
The following information is shown for each payload automation<sup>\*</sup>:
- **Last modified** - **Status**: The value is **Ready** or **Draft**.
-<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
--- Horizontally scroll in your web browser.-- Narrow the width of appropriate columns.-- Remove columns from the view.-- Zoom out in your web browser.-
-When you select a payload automation from the list, a details flyout appears with the following information:
--- **General** tab: Displays basic information about the payload automation.-- **Run history** tab: This tab is available only for payload automations with the **Status** value **Ready**.
+> [!TIP]
+> To see all columns, you likely need to do one or more of the following steps:
+>
+> - Horizontally scroll in your web browser.
+> - Narrow the width of appropriate columns.
+> - Remove columns from the view.
+> - Zoom out in your web browser.
## Create payload automations
To create a payload automation, do the following steps:
> [!NOTE] > At any point after you name the payload automation during the new payload automation wizard, you can select **Save and close** to save your progress and continue configuring the payload automation later. The incomplete payload automation has the **Status** value **Draft** in **Payload automations** on the **Automations** tab. You can pick up where you left off by selecting the payload automation and clicking :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit automation**. >
- > Currently, payload harvesting is enabled in GCC environments due to data gathering restrictions.
+ > Currently, payload harvesting isn't enabled in GCC environments due to data gathering restrictions.
3. On the **Automation name** page, configure the following settings:
To create a payload automation, do the following steps:
- **Malware Attachment** - **Link in Attachment** - **Link to Malware**
- - **Phish training**
+ - **How-to Guide**
- **Specific sender domain**: In the box that appears, enter a sender email domain value (for example, contoso.com). - **Specific sender name**: In the box that appears, enter a sender name value. - **Specific sender email**: In the box that appears, enter a sender email address.
To create a payload automation, do the following steps:
To add another condition, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add condition**.
- To remove a condition after you've added it, select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false":::.
+ To remove a condition after you add it, select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false":::.
When you're finished on the **Run conditions** page, select **Next**.
To turn off a payload automation, select it from the list by clicking the check
## Modify payload automations
-You can only modify payload automations that are turned off.
+You can only modify payload automations with the **Status** value **Draft** or that are turned off.
To modify an existing payload automation on the **Payload automations** page, do one of the following steps: -- Select the payload automation from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit automation** action that appears.
+- Select the payload automation from the list by selecting the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit automation** action that appears.
- Select the payload automation from the list by clicking anywhere in the row except the check box. In the details flyout that opens, on the **General** tab, select **Edit** in the **Name**, **Description**, or **Run conditions** sections. The payload automation wizard opens with the settings and values of the selected payload automation. The steps are the same as described in the [Create payload automations](#create-payload-automations) section.
The payload automation wizard opens with the settings and values of the selected
To remove a payload automation, select the payload automation from the list by clicking the check box. Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears, and then select **Confirm** in the dialog.
+## View payload automation details
+
+For payload automations with the **Status** value **Ready**, select the payload from the **Payload automations** page by clicking anywhere in the row other than the check box next to the name. The details flyout that opens contains the following information:
+
+- The payload automation name and the number of items collected.
+- **General** tab:
+ - **Last modified**
+ - **Type**: The value is **Payload**.
+ - **Name**, **Description**, and **Run conditions** sections: Select **Edit** to open the payload automation wizard on the related page.
+- **Run history** tab: This tab is available only for payload automations with the **Status** value **Ready**.
+
+ Shows information about the run history of simulations that used the payload automation.
+
+ :::image type="content" source="../../media/attack-sim-training-payload-automations-details-run-history.png" alt-text="The Run history tab in the details flyout of a payload automation." lightbox="../../media/attack-sim-training-payload-automations-details-run-history.png":::
+
+> [!TIP]
+> To see details about other payload automations without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
+ ## Related links [Get started using Attack simulation training](attack-simulation-training-get-started.md)
security Attack Simulation Training Payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
description: Admins can learn how to create and manage payloads for Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 6/14/2023 Last updated : 3/11/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Offi
For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
-To see the available payloads, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Payloads**. To go directly to the **Content library** tab where you can select **Payloads**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
+To see the available payloads, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Payloads**. Or, to go directly to the **Content library** tab where you can select **Payloads**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
**Payloads** in the **Content library** tab has three tabs: -- **Global payloads**: Contains the built-in, non-modifiable payloads.-- **Tenant payloads**: Contains the custom payloads that you've created.
+- **Global payloads**: Contains the built-in, unmodifiable payloads.
+- **Tenant payloads**: Contains the custom payloads that you created.
- **MDO recommendations**: Payloads that are recommended by Defender for Office 365 as having considerable impact when used by attackers. This list is refreshed monthly.
-The following information is shown for each payload on the **Global payloads** and **Tenant payloads** tabs<sup>\*</sup>:
--- **Payload name**-- **Type**: Currently, this value is always **Social engineering**.-- **Language**: If the payload contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).-- **Source**: For built-in payloads, the value is **Global**. For custom payloads, the value is **Tenant**.-- **Simulations launched**: The number of launched simulations that use the payload.-- **Predicted compromised rate (%)**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this payload (users compromised / total number of users who receive the payload). For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).-- **Created by**: For built-in payloads, the value is **Microsoft**. For custom payloads, the value is the UPN of the user who created the payload.-- **Last modified**-- **Technique**: One of the available [social engineering techniques](attack-simulation-training-simulations.md#select-a-social-engineering-technique):
+The information that's available on the tabs is described in the following list:
+
+- **MDO recommendations** tab: The following information is shown for each payload:
+ - **Payload name**
+ - **Compromised rate (%)**
+ - **Recommended by**
+ - **Recommendation date time**
+
+- **Global payloads** and **Tenant payloads** tabs: The following information is shown for each payload. You can sort the payloads by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default columns are marked with an asterisk (<sup>\*</sup>):
+ - **Payload name**<sup>\*</sup>
+ - **Type<sup>\*</sup>**: Currently, this value is always **Social engineering**.
+ - **Platform**
+ - **Technique**<sup>\*</sup>: One of the available [social engineering techniques](attack-simulation-training-simulations.md#select-a-social-engineering-technique):
+ - **Credential Harvest**
+ - **Malware Attachment**
+ - **Link in Attachment**
+ - **Link to Malware**
+ - **Drive-by URL**
+ - **OAuth Consent Grant**
+ - **How-to Guide**
+ - **Language**<sup>\*</sup>: If the payload contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).
+ - **Simulations launched**<sup>\*</sup>: The number of launched simulations that use the payload.
+ - **Source**
+ - **Predicted compromised rate (%)**<sup>\*</sup>: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this payload (users compromised / total number of users who receive the payload). For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).
+ - **Created by**<sup>\*</sup>: For built-in payloads, the value is **Microsoft**. For custom payloads, the value is the user principal name (UPN) of the user who created the payload.
+ - **Last modified**<sup>\*</sup>
+ - **Status**<sup>\*</sup>: Values are:
+ - **Ready**
+ - **Draft**: Available only on the **Tenant payloads** tab.
+ - **Archive**: Archived payloads are visible only when **Show archived payloads** is toggled on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
+ - **Γï«** (**Actions** control)<sup>\*</sup>: Take action on the payload. The available actions depend on the **Status** value of the payload as described in the procedure sections. This control always appears at the end of the payload row.
+
+ > [!TIP]
+ > To see all columns, you likely need to do one or more of the following steps:
+ >
+ > - Horizontally scroll in your web browser.
+ > - Narrow the width of appropriate columns.
+ > - Remove columns from the view.
+ > - Zoom out in your web browser.
+
+ To find a payload in the list, type part of the payload name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
+
+ Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: to filter the payloads by one or of the following values:
+
+ - **Technique**: One of the available [social engineering techniques](attack-simulation-training-simulations.md#select-a-social-engineering-technique):
- **Credential Harvest** - **Malware Attachment** - **Link in Attachment** - **Link to Malware** - **Drive-by URL** - **OAuth Consent Grant**-- **Status**: Values are:
- - **Ready**
- - **Draft**: Available only on the **Tenant payloads** tab.
- - **Archive**: Archived payloads are visible only when **Show archived payloads** is toggled on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
-- **Γï«** (**Actions** control): Take action on the payload. The available actions depend on the **Status** value of the payload as described in the procedure sections. This control always appears at the end of the payload row.
+ - **How-to Guide**
-Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, the only available column that's not selected is **Platform**.
+ - **Complexity**: Calculated based on the number of indicators in the payload that indicate a possible attack (spelling errors, urgency, etc.). More indicators are easier to identify as an attack and indicate lower complexity. The available values are: **High**, **Medium**, and **Low**.
-<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
+ - **Language**: The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Chinese (Traditional, Taiwan)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, and **Other**.
-- Horizontally scroll in your web browser.-- Narrow the width of appropriate columns.-- Remove columns from the view.-- Zoom out in your web browser.
+ - **Add tag(s)**
-To find a payload in the list, type part of the payload name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
+ - **Filter by theme**: The available values are: **Account Activation**, **Account Verification**, **Billing**, **Clean up Mail**, **Document Received**, **Expense**, **Fax**, **Finance Report**, **Incoming Messages**, **Invoice**, **Item Received**, **Login Alert**, **Mail Received**, **Password**, **Payment**, **Payroll**, **Personalized Offer**, **Quarantine**, **Remote Work**, **Review Message**, **Security Update**, **Service Suspended**, **Signature Required**, **Upgrade Mailbox Storage**, **Verify mailbox**, **Voicemail**, and **Other**.
-Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: to filter the payloads by one or of the following values:
+ - **Filter by brand**: The available values are: **American Express**, **Capital One**, **DHL**, **DocuSign**, **Dropbox**, **Facebook**, **First American**, **Microsoft**, **Netflix**, **Scotiabank**, **SendGrid**, **Stewart Title**, **Tesco**, **Wells Fargo**, **Syrinx Cloud**, and **Other**.
-- **Complexity**: Calculated based on the number of indicators in the payload that indicate a possible attack (spelling errors, urgency, etc.). More indicators are easier to identify as an attack and indicate lower complexity. The available values are: **High**, **Medium**, and **Low**.
+ - **Filter by industry**: The available values are: **Banking**, **Business Services**, **Consumer Services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial Services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier Services**, **IT**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real Estate**, and **Other**.
-- **Language**: The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.
+ - **Current event**: The available values are **Yes** or **No**.
-- **Add tag(s)**
+ - **Controversial**: The available values are **Yes** or **No**.
-- **Filter by theme**: The available values are: **Account activation**, **Account verification**, **Billing**, **Clean up mail**, **Document received**, **Expense**, **Fax**, **Finance report**, **Incoming messages**, **Invoice**, **Items received**, **Login alert**, **Mail received**, **Password**, **Payment**, **Payroll**, **Personalized offer**, **Quarantine**, **Remote work**, **Review message**, **Security update**, **Service suspended**, **Signature required**, **Upgrade mailbox storage Verify mailbox**, **Voicemail**, and **Other**.--- **Filter by brand**: The available values are: **American Express**, **Capital One**, **DHL**, **DocuSign**, **Dropbox**, **Facebook**, **First American**, **Microsoft**, **Netflix**, **Scotiabank**, **SendGrid**, **Stewart Title**, **Tesco**, **Wells Fargo**, **Syrinx Cloud**, and **Other**.--- **Filter by industry**: The available values are: **Banking**, **Business services**, **Consumer services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier services**, **IT**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real estate**, and **Other**.--- **Current event**: The available values are **Yes** or **No**.--- **Controversial**: The available values are **Yes** or **No**.-
-When you're finished configuring filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+ When you're finished configuring filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
When you select a payload by clicking anywhere in the row other than the check box next to the name, a details flyout appears with the following information:
When you select a payload by clicking anywhere in the row other than the check b
- **From email** - **Email subject** - **Source**: For built-in payloads, the value is **Global**. For custom payloads, the value is **Tenant**.
+ - **Click rate**
+ - **Simulations launched**
- **Theme** - **Brand** - **Industry**
To see payloads that have been archived (the **Status** value is **Archive**), u
> > You can also create payloads during the creation of simulations. For more information, see [Create a simulation: Select a payload and login page](attack-simulation-training-simulations.md#select-a-payload-and-login-page).
-2. On the **Select type** page, the only value that you can currently select is **Email**.
+2. On the **Select type** page, select one of the following values:
+ - **Email**
+ - **Teams**: Currently, this value is available only in Private Preview. For more information, see [Microsoft Teams in Attack simulation training](attack-simulation-training-teams.md).
When you're finished on the **Select type** page, select **Next**.
To see payloads that have been archived (the **Status** value is **Archive**), u
- **Link to Malware** - **Drive-by URL** - **OAuth Consent Grant**
+ - **How-to Guide**
- For more information, see [Simulate a phishing attack with Attack simulation training in Defender for Office 365](attack-simulation-training-simulations.md).
+ For more information about the different social engineering techniques, see [Simulations](attack-simulation-training-get-started.md#simulations).
When you're finished on the **Select technique** page, select **Next**.
To see payloads that have been archived (the **Status** value is **Archive**), u
- **Name your attachment**: Enter a filename for the attachment. - **Select an attachment type**: Select a filetype for the attachment. Available values are **Docx** or **HTML**.
- - **Link for attachment** section (**Link to Malware** technique only): In the **Select a URL you want to be your malware attachment link** box, select one of the available URLs (the same URLs that are described for the **Phishing link** section). You embed the URL in the body of the message in the **Email message** section.
-
- - **Phishing link** section (**Credential Harvest**, **Link in Attachment**, **Drive-by URL**, or **OAuth Consent Grant** techniques only):
- - For **Credential Harvest**, **Drive-by URL**, or **OAuth Consent Grant**, the name of the box is **Select a URL you want to be your phishing link**. You embed the URL in the body of the message in the **Email message** section.
- - For **Link in Attachment**, the name of the box is **Select a URL in this attachment that you want to be your phishing link**. You embed the URL in the attachment in the **Attachment content** section.
-
- Select one of the available URL values:
-
- |&nbsp;|&nbsp;|&nbsp;|
- ||||
- |<https://www.attemplate.com>|<https://www.exportants.it>|<https://www.resetts.it>|
- |<https://www.bankmenia.com>|<https://www.exportants.org>|<https://www.resetts.org>|
- |<https://www.bankmenia.de>|<https://www.financerta.com>|<https://www.salarytoolint.com>|
- |<https://www.bankmenia.es>|<https://www.financerta.de>|<https://www.salarytoolint.net>|
- |<https://www.bankmenia.fr>|<https://www.financerta.es>|<https://www.securembly.com>|
- |<https://www.bankmenia.it>|<https://www.financerta.fr>|<https://www.securembly.de>|
- |<https://www.bankmenia.org>|<https://www.financerta.it>|<https://www.securembly.es>|
- |<https://www.banknown.de>|<https://www.financerta.org>|<https://www.securembly.fr>|
- |<https://www.banknown.es>|<https://www.financerts.com>|<https://www.securembly.it>|
- |<https://www.banknown.fr>|<https://www.financerts.de>|<https://www.securembly.org>|
- |<https://www.banknown.it>|<https://www.financerts.es>|<https://www.securetta.de>|
- |<https://www.banknown.org>|<https://www.financerts.fr>|<https://www.securetta.es>|
- |<https://www.browsersch.com>|<https://www.financerts.it>|<https://www.securetta.fr>|
- |<https://www.browsersch.de>|<https://www.financerts.org>|<https://www.securetta.it>|
- |<https://www.browsersch.es>|<https://www.hardwarecheck.net>|<https://www.shareholds.com>|
- |<https://www.browsersch.fr>|<https://www.hrsupportint.com>|<https://www.sharepointen.com>|
- |<https://www.browsersch.it>|<https://www.mcsharepoint.com>|<https://www.sharepointin.com>|
- |<https://www.browsersch.org>|<https://www.mesharepoint.com>|<https://www.sharepointle.com>|
- |<https://www.docdeliveryapp.com>|<https://www.officence.com>|<https://www.sharesbyte.com>|
- |<https://www.docdeliveryapp.net>|<https://www.officenced.com>|<https://www.sharession.com>|
- |<https://www.docstoreinternal.com>|<https://www.officences.com>|<https://www.sharestion.com>|
- |<https://www.docstoreinternal.net>|<https://www.officentry.com>|<https://www.supportin.de>|
- |<https://www.doctorican.de>|<https://www.officested.com>|<https://www.supportin.es>|
- |<https://www.doctorican.es>|<https://www.passwordle.de>|<https://www.supportin.fr>|
- |<https://www.doctorican.fr>|<https://www.passwordle.fr>|<https://www.supportin.it>|
- |<https://www.doctorican.it>|<https://www.passwordle.it>|<https://www.supportres.de>|
- |<https://www.doctorican.org>|<https://www.passwordle.org>|<https://www.supportres.es>|
- |<https://www.doctrical.com>|<https://www.payrolltooling.com>|<https://www.supportres.fr>|
- |<https://www.doctrical.de>|<https://www.payrolltooling.net>|<https://www.supportres.it>|
- |<https://www.doctrical.es>|<https://www.prizeably.com>|<https://www.supportres.org>|
- |<https://www.doctrical.fr>|<https://www.prizeably.de>|<https://www.techidal.com>|
- |<https://www.doctrical.it>|<https://www.prizeably.es>|<https://www.techidal.de>|
- |<https://www.doctrical.org>|<https://www.prizeably.fr>|<https://www.techidal.fr>|
- |<https://www.doctricant.com>|<https://www.prizeably.it>|<https://www.techidal.it>|
- |<https://www.doctrings.com>|<https://www.prizeably.org>|<https://www.techniel.de>|
- |<https://www.doctrings.de>|<https://www.prizegiveaway.net>|<https://www.techniel.es>|
- |<https://www.doctrings.es>|<https://www.prizegives.com>|<https://www.techniel.fr>|
- |<https://www.doctrings.fr>|<https://www.prizemons.com>|<https://www.techniel.it>|
- |<https://www.doctrings.it>|<https://www.prizesforall.com>|<https://www.templateau.com>|
- |<https://www.doctrings.org>|<https://www.prizewel.com>|<https://www.templatent.com>|
- |<https://www.exportants.com>|<https://www.prizewings.com>|<https://www.templatern.com>|
- |<https://www.exportants.de>|<https://www.resetts.de>|<https://www.windocyte.com>|
- |<https://www.exportants.es>|<https://www.resetts.es>||
- |<https://www.exportants.fr>|<https://www.resetts.fr>||
+ - **Phishing link** or **Link for attachment** sections:
+ - The **Phishing link** section is available only in the **Credential Harvest**, **Link in Attachment**, **Drive-by URL**, or **OAuth Consent Grant** techniques.
+ - The **Link for attachment** section is available only in the **Link to Malware** technique.
+
+ Select **Select URL**. In the details flyout that opens, select one of the available URLs, and then select **Confirm**.
+
+ To change the URL, select **Change URL**.
> [!NOTE]
- > A URL reputation service might identify one or more of these URLs as unsafe. Check the availability of the URL in your supported web browsers before you use the URL in a simulation. For more information, see [Phishing simulation URLs blocked by Google Safe Browsing](attack-simulation-training-faq.md#phishing-simulation-urls-blocked-by-google-safe-browsing).
+ > The available URLs are listed in [Simulations](attack-simulation-training-get-started.md#simulations).
+ >
+ > Check the availability of the simulated phishing URL in your supported web browsers before you use the URL in a phishing campaign. For more information, see [Phishing simulation URLs blocked by Google Safe Browsing](attack-simulation-training-faq.md#phishing-simulation-urls-blocked-by-google-safe-browsing).
- **Attachment content** section (**Link in Attachment** technique only).
- A rich text editor is available to create the login page. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**.
+ A rich text editor is available to create the attachment content. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**.
- Use the **Phishing link** control to add the previously selected phishing URL into the attachment.
+ Select the **Phishing link** box. In the **Name phishing URL** dialog that opens, enter a **Name** value for the URL that you selected in the **Phishing link** section, and then select **Confirm**.
- - Common settings for all techniques on the **Configure payload** page:
+ The name value that you entered is added to the attachment content as a link to the phishing URL.
+ - Common settings for all techniques on the **Configure payload** page:
- **Add tag(s)**-
- - **Theme**: The available values are: **Account Activation**, **Account Verification**, **Billing**, **Clean up Mail**, **Document Received**, **Expense**, **Fax**, **Finance Report**, **Incoming Messages**, **Invoice**, **Item Received**, **Login Alert**, **Mail Received**, **Other**, **Password**, **Payment**, **Payroll**, **Personalized Offer**, **Quarantine**, **Remote Work**, **Review Message**, **Security Update**, **Service Suspended**, **Signature Required**, **Upgrade Mailbox Storage**, **Verify mailbox**, or **Voicemail**.
-
- - **Brand**: The available values are: **American Express**, **Capital One**, **DHL**, **DocuSign**, **Dropbox**, **Facebook**, **First American**, **Microsoft**, **Netflix**, **Scotiabank**, **SendGrid**, **Stewart Title**, **Tesco**, **Wells Fargo**, **Syrinx Cloud**, or **Other**.
-
- - **Industry**: The available values are: **Banking**, **Business services**, **Consumer services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier services**, **IT**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real estate**, or **Other**.
-
+ - **Theme**: The available values are: **Account Activation**, **Account Verification**, **Billing**, **Clean up Mail**, **Document Received**, **Expense**, **Fax**, **Finance Report**, **Incoming Messages**, **Invoice**, **Item Received**, **Login Alert**, **Mail**, **Password**, **Payment**, **Payroll**, **Personalized Offer**, **Quarantine**, **Remote Work**, **Review Message**, **Security Update**, **Service Suspended**, **Signature Required**, **Upgrade Mailbox Storage**, **Verify mailbox**, **Voicemail**, or **Other**.
+ - **Brand**: The available values are: **American Express**, **Capital One**, **DHL**, **DocuSign**, **Dropbox**, **Facebook**, **First American**, **Microsoft**, **Netflix**, **Scotiabank**, **SendGrid**, **Stewart Title**, **Tesco**, **Wells Fargo**, **Syrinx Cloud**, **Other**.
+ - **Industry**: The available values are: **Banking**, **Business Services**, **Consumer Services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial Services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier Services**, **IT**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real Estate**, or **Other**.
- **Current event**: The available values are **Yes** or **No**.- - **Controversial**: The available values are **Yes** or **No**.
+ - **Language** section: Select the language for the payload. The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Chinese (Traditional, Taiwan)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.
- - **Language** section: Select the language for the payload. The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.
+ - **Email message** section:
+ - You can select **Import email** and then **Choose file** to import an existing plain text message file. Two tabs are available:
+ - **Text** tab: A rich text editor is available to create the payload. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**.
- - **Email message** section:
+ The following controls are also available on the **Text** tab:
- - You can select **Import email** and then **Choose file** to import an existing plain text message file.
+ - **Dynamic tag**: Select from the following tags:
- - Two tabs are available:
- - **Text** tab: A rich text editor is available to create the payload. To see the typical font and formatting settings, toggle **Formatting controls** to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**.
+ |Tag name|Tag value|
+ |||
+ |**Insert User name**|`${userName}`|
+ |**Insert First name**|`${firstName}`|
+ |**Insert Last name**|`${lastName}`|
+ |**Insert UPN**|`${upn}`|
+ |**Insert Email**|`${emailAddress}`|
+ |**Insert Department**|`${department}`|
+ |**Insert Manager**|`${manager}`|
+ |**Insert Mobile phone**|`${mobilePhone}`|
+ |**Insert City**|`${city}`|
+ |**Insert Date**|`${date|MM/dd/yyyy|offset}`|
- The following controls are also available on the **Text** tab:
+ - The **Phishing link** or **Malware attachment** control is available:
+ - **Phishing link** is available only in the **Credential Harvest**, **Drive-by URL**, or **OAuth Consent Grant** techniques.
+ - **Malware attachment link** is available only in the **Link to Malware**.
- - **Dynamic tag**: Select from the following tags:
+ After you select the control, a **Name phishing URL** dialog opens. Enter a **Name** value for the URL that you selected in the **Phishing link** or **Link for attachment** section, and then select **Confirm**.
- |Tag name|Tag value|
- |||
- |**Insert User name**|`${userName}`|
- |**Insert First name**|`${firstName}`|
- |**Insert Last name**|`${lastName}`|
- |**Insert UPN**|`${upn}`|
- |**Insert Email**|`${emailAddress}`|
- |**Insert Department**|`${department}`|
- |**Insert Manager**|`${manager}`|
- |**Insert Mobile phone**|`${mobilePhone}`|
- |**Insert City**|`${city}`|
- |**Insert Date**|`${date|MM/dd/yyyy|offset}`|
+ The name value that you entered is added to the message body as a link to the phishing URL. On the **Code** tab, the link value is `<a href="${phishingUrl}" target="_blank">Name value you specified</a>`.
- - **Phishing link** (**Credential Harvest**, **Drive-by URL**, or **OAuth Consent Grant** techniques only): Use this control to name and insert the URL that you previously selected in the **Phishing link** section.
+ - **Code** tab: You can view and modify the HTML code directly.
- - **Malware attachment link** (**Link to Malware** technique only): Use this control to name and insert the URL that you previously selected in the **Link for attachment** section.
+ - **Replace all links in the email message with the phishing link** (**Credential Harvest**, **Link to Malware**, **Drive-by URL**, or **OAuth Consent Grant** techniques only): This toggle can save time by replacing all links in the message with the previously selected **Phishing link** or **Link for attachment** URL. To take this action, toggle the setting to on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
- When you select **Phishing link** or **Malware attachment link**, a dialog opens that asks you to name the link. When you're finished, select **Confirm**.
-
- The name value that you specified is added to the message body as a link. On the **Code** tab, the link value is `<a href="${phishingUrl}" target="_blank">Name value you specified</a>`.
-
- - **Code** tab: You can view and modify the HTML code directly.
-
- - **Replace all links in the email message with the phishing link** (**Credential Harvest**, **Link to Malware**, **Drive-by URL**, or **OAuth Consent Grant** techniques only): This toggle can save time by replacing all links in the message with the previously selected **Phishing link** or **Link for attachment** URL. To take this action, toggle the setting to on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
+ - **Predicted compromised rate** section: Select **Predict compromise rate** to calculate the predicted success rate of the payload. For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).
When you're finished on the **Configure payload** page, select **Next**.
+ > [!TIP]
+ > For the **How-to Guide** technique, you go directly to the **Review payload** page.
+ 6. The **Add indicators** page is available only if you selected **Credential Harvest**, **Link in Attachment**, **Drive-by URL**, or **OAuth Consent Grant** on the **Select technique** page. Indicators help employees identify the tell-tale signs of phishing messages.
- On the **Add indicators** page, select :::image type="icon" source="../../media/m365-cc-sc-add-internal-icon.png" border="false"::: **Add indicator**. In the flyout that opens, configure the following settings:
+ On the **Add indicators** page, select :::image type="icon" source="../../media/m365-cc-sc-add-internal-icon.png" border="false"::: **Add indicator**. In the **Add indicator** flyout that opens, configure the following settings:
- **Select and indicator you would like to use** and **Where do you want to place this indicator on the payload?**:
To see payloads that have been archived (the **Status** value is **Archive**), u
This list is curated to contain the most common clues that appear in phishing messages.
- If you select the email message subject or the message body as the location for the indicator, a **Select text** button appears. Select this button to select the text in the message subject or message body where you want the indicator to appear. When you're finished, select **Select**.
+ If you select the email message subject or the message body as the location for the indicator, **Select text** appears. In the **Select required text** flyout that opens, select (highlight) the text in the message subject or message body where you want the indicator to appear. When you're finished, select **Select**.
:::image type="content" source="../../media/attack-sim-training-payloads-add-indicators-select-location.png" alt-text="The Selected text location in the message body to add to an indicator in the new payload wizard in Attack simulation training" lightbox="../../media/attack-sim-training-payloads-add-indicators-select-location.png":::
- - **Indicator description**: You can accept the default description for the indicator or you can customize it.
+ Back on the **Add indicator** flyout, the selected text appears in the **Text selected** section.
+
+ - **Indicator description**: You can accept the default description for the indicator or you can customize it.
- - **Indicator preview**: To see what the current indicator looks like, click anywhere within the section.
+ - **Indicator preview**: To see what the current indicator looks like, click anywhere within the section.
When you're finished in the **Add indicator** flyout, select **Add**
To see payloads that have been archived (the **Status** value is **Archive**), u
## Take action on payloads
-All actions on existing payloads start on the **Payloads** page. To get there, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> **Payloads** \> **Tenant payloads** tab. To go directly to the **Content library** tab where you can select **Payloads** and the **Tenant payloads** or **Global payloads** tabs, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
+All actions on existing payloads start on the **Payloads** page. To go there, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> **Payloads** \> **Tenant payloads** tab. To go directly to the **Content library** tab where you can select **Payloads** and the **Tenant payloads** or **Global payloads** tabs, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
> [!TIP] > To see the **Γï«** (**Actions**) control on the **Global payloads** or **Tenant payloads** tabs, you likely need to do one or more of the following steps:
security Attack Simulation Training Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-settings.md
To remove the training threshold and always assign training, regardless of wheth
To view completed simulations that have been excluded from reporting on the **Settings** tab, select the **View all** link in the **Simulations excluded from reporting** section. This link takes you to the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations> where **Show excluded simulations** is automatically toggled on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
-On the **Simulations** tab, both excluded _and_ included completed simulations are shown on the **Simulations** tab together. You can tell the difference by the **Status** values (**Excluded** vs. **Completed**)
+On the **Simulations** tab, both excluded _and_ included completed simulations are shown on the **Simulations** tab together. You can tell the difference by the **Status** values (**Excluded** vs. **Completed**).
If you go directly to the **Simulations** tab and manually toggle **Show excluded simulations** on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::, _only_ excluded simulations are shown.
security Attack Simulation Training Simulation Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations.md
description: Admins can learn how to create automated simulations that contain specific techniques and payloads that launch when the specified conditions are met in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 6/14/2023 Last updated : 3/14/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
appliesto:
[!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, simulation automations allow you to run multiple benign cyberattack simulations in your organization. Simulation automations can contain multiple social engineering techniques and payloads, and can start on an automated schedule. Creating a simulation automation is very similar to [creating an individual simulation](attack-simulation-training-simulations.md), except for the ability to select multiple techniques, payloads, and the automation schedule.
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, simulation automations allow you to run multiple benign cyberattack simulations in your organization. Simulation automations can contain multiple social engineering techniques and payloads, and can start on an automated schedule. Creating a simulation automation is similar to [creating an individual simulation](attack-simulation-training-simulations.md), except for the ability to select multiple techniques, payloads, and the automation schedule.
For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md). To see any existing simulation automations that you created, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> and then select **Simulation automations**. To go directly to the **Automations** tab where you can select **Simulation automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.
-By default, the following information is shown for each simulation automation:
+The following information is shown for each simulation automation. You can sort the simulation automations by clicking on an available column header.
-- **Automation name**
+- **Name campaign**
- **Status**: **Active**, **Inactive**, or **Draft**. - **Next launch time** - **Last modified** - **Created by**
-Select a column header to sort by that column.
-
-Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to search for the name of an existing simulation.
-
-When you select a simulation automation from the list, a details flyout appears with the following information:
--- **General** tab: Displays basic information about the simulation automation.-- **Run history** tab: This tab is available only for simulation automations with the **Status** value **Active** or **Inactive**.- ## Create simulation automations To create a simulation automation, do the following steps:
On the **Select social engineering techniques** page, select one or more of the
- **Credential Harvest**: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password. - **Malware Attachment**: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device. - **Link in Attachment**: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.-- **Link to Malware**: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.
+- **Link to Malware**: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file. Opening the file helps the attacker compromise the target's device.
- **Drive-by URL**: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. - **OAuth Consent Grant**: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
When you're finished on the **Select social engineering techniques** page, selec
## Select payloads and login pages
-On the **Select payloads and login page** page, you need to select an existing payload from the list, or create a new payload.
+On the **Select payloads and login page** page, you need to select at least one existing payload for each social engineering technique you selected, or you can create new payloads to use.
For the **Credential Harvest** or **Link in Attachment** social engineering techniques, you can also view the login page that's used in the payload, select a different login page to use, or create a new login page to use.
For the **Credential Harvest** or **Link in Attachment** social engineering tech
On the **Select payloads and login page** page, select one of the following options: -- **Manually select**: The rest of this section describes the available options for payloads. - **Randomize**: There's nothing else to configure on this page, so select **Next** to continue.
+- **Manually select**: The following details are shown for each payload. Select a column header to sort by that column:
+ - **Payload name**
+ - **Source**: For built-in payloads, the value is **Global**. For custom payloads, the value is **Tenant**.
+ - **Technique**: You need to select at least one payload per technique that you selected on the **Select social engineering techniques** page.
+ - **Language**: The language of the payload content. Microsoft's payload catalog (global) provides payloads in 29+ languages as described in :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**.
+ - **Predicted compromise rate (%)**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this payload (users compromised / total number of users who receive the payload). For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).
-The following details are shown for each payload:
--- **Payload name**-- **Source**: For built-in payloads, the value is **Global**. For custom payloads, the value is **Tenant**.-- **Technique**: You need to select at least one payload per technique that you selected on the **Select social engineering techniques** page.-- **Language**: The language of the payload content. Microsoft's payload catalog (global) provides payloads in 29+ languages as described in :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**.-- **Click rate**: How many people have clicked on this payload.-- **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this payload (users compromised / total number of users who receive the payload). For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).-- **Simulations launched** counts the number of times this payload was used in other simulations.-
-Select a column header to sort by that column.
-
-Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to search for the name of an existing payload.
-
-If you select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**, the following filters are available:
--- **Source**: The available values are: **Global**, **Tenant**, and **All**.--- **Complexity**: Calculated based on the number of indicators in the payload that indicate a possible attack (spelling errors, urgency, etc.). More indicators are easier to identify as an attack and indicate lower complexity. The available values are: **High**, **Medium**, and **Low**.
+ Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to search for the name of an existing payload.
-- **Language**: The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.
+ If you select a payload from the list by clicking anywhere in the row other than the check box next to the name, details about the payload are shown in a flyout:
-- **Add tag(s)**
+ - The **Overview** tab (named **Payload** in **Credential Harvest** and **Link in Attachment** payloads) contains details about the payload, include a preview.
+ - The **Login page** tab is available only for **Credential Harvest** or **Link in Attachment** payloads and is described in the [Select login pages](#select-login-pages) subsection.
+ - The **Attachment** tab is available only for **Malware Attachment**, **Link in Attachment**, and **Oauth Consent Grant** payloads. This tab contains details about the attachment, including a preview.
+ - The **Simulations launched** tab contains the **Simulation name**, **Click rate**, **Compromised rate**, and **Action**.
-- **Filter by theme**: The available values are: **Account activation**, **Account verification**, **Billing**, **Clean up mail**, **Document received**, **Expense**, **Fax**, **Finance report**, **Incoming messages**, **Invoice**, **Items received**, **Login alert**, **Mail received**, **Password**, **Payment**, **Payroll**, **Personalized offer**, **Quarantine**, **Remote work**, **Review message**, **Security update**, **Service suspended**, **Signature required**, **Upgrade mailbox storage Verify mailbox**, **Voicemail**, and **Other**.
+ > [!TIP]
+ > To see details about other payloads without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
-- **Filter by brand**: The available values are: **American Express**, **Capital One**, **DHL**, **DocuSign**, **Dropbox**, **Facebook**, **First American**, **Microsoft**, **Netflix**, **Scotiabank**, **SendGrid**, **Stewart Title**, **Tesco**, **Wells Fargo**, **Syrinx Cloud**, and **Other**.
+ Leave the payload details flyout open to change the login page or create a new login page to use as described in the following subsections.
-- **Filter by industry**: The available values are: **Banking**, **Business services**, **Consumer services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier services**, **IT**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real estate**, and **Other**.
+ Or, if you're finished in the payload details flyout, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: **Close** to return to the **Select payloads and login page** page, verify one or more of the required payloads are selected and then select **Next** to continue.
-- **Current event**: The available values are **Yes** or **No**.--- **Controversial**: The available values are **Yes** or **No**.-
-When you're finished configuring filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-
-If you select a payload from the list by clicking anywhere in the row other than the check box next to the name, details about the payload are shown in a flyout:
--- The **Overview** tab (named **Payload** in **Credential Harvest** and **Link in Attachment** payloads) contains details about the payload, include a preview.-- The **Login page** tab is available only for **Credential Harvest** or **Link in Attachment** payloads and is described in the [Select login pages](#select-login-pages) subsection.-- The **Attachment** tab is available only for **Malware Attachment**, **Link in Attachment**, and **Oauth Consent Grant** payloads. This tab contains details about the attachment, include a preview.-- The **Simulations launched** tab contains the **Simulation name**, **Click rate**, **Compromised rate**, and **Action**.-
+ :::image type="content" source="../../media/attack-sim-training-simulations-select-payload-details-payload-tab.png" alt-text="The Payload tab in the payload details flyout in Attack simulation training in the Microsoft Defender portal" lightbox="../../media/attack-sim-training-simulations-select-payload-details-payload-tab.png":::
### Select login pages > [!NOTE] > The **Login page** tab is available only in the details flyout of **Credential Harvest** or **Link in Attachment** payloads.
-On the **Select payload and login page** page, select the **Credential Harvest** or **Link in Attachment** payload from the list by clicking anywhere in the row other than the check box to open the details flyout for the payload.
+On the **Select payload and login page** page, select the **Credential Harvest** or **Link in Attachment** payload from the list by clicking anywhere in the row other than the check box next to the name to open the details flyout for the payload.
In the details flyout of the payload, the **Login page** tab shows the login page that's currently selected for the payload.
To view the complete login page, use the **Page 1** and **Page 2** links at the
:::image type="content" source="../../media/attack-sim-training-simulations-select-payload-details-login-page-tab.png" alt-text="The login page tab in the payload details flyout in Attack simulation training in the Microsoft Defender portal" lightbox="../../media/attack-sim-training-simulations-select-payload-details-login-page-tab.png":::
-To change the login page that's used in the payload, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Change login page**.
+Use one of the following procedures to change the login page that's used in the payload or to create a new login page to use in the flyout:
-On the **Select login page** flyout that opens, The following information is shown for each login page:
+- Change the login page that's used in the payload: Select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Change login page** on the **Login page** tab of the payload details flyout.
-- **Name**-- **Language**-- **Source**: For built-in login pages, the value is **Global**. For custom login pages, the value is **Tenant**.-- **Created by**: For built-in login pages, the value is **Microsoft**. For custom login pages, the value is the UPN of the user who created the login page.-- **Last modified**-- **Actions**: Select :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **Preview** to preview the login page.
+ On the **Select login page** flyout that opens, The following information is shown for each login page:
+
+ - **Name**
+ - **Language**
+ - **Source**: For built-in login pages, the value is **Global**. For custom login pages, the value is **Tenant**.
+ - **Created by**: For built-in login pages, the value is **Microsoft**. For custom login pages, the value is the UPN of the user who created the login page.
+ - **Last modified**
+ - **Actions**: Select :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **Preview** to preview the login page.
+
+ Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find a login page in the list by typing part of the login name, and then pressing the ENTER key.
+
+ Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the login pages by **Source** or **Language**.
+
+ When you're finished in the **Filter** flyout, select **Apply**. To clear the filters, select :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-To find a login page in the list, type part of the login name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
+ :::image type="content" source="../../media/attack-sim-training-simulations-select-payload-select-login-page.png" alt-text="The Select login page flyout from the Login page tab in payload details flyout in Attack simulation training in the Microsoft Defender portal." lightbox="../../media/attack-sim-training-simulations-select-payload-select-login-page.png":::
-Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the login pages by **Source** or **Language**.
+ On the **Select login page** flyout, select the check box next to the name of the login page to use, and then select **Save**. Back on the **Login page** tab of the payload details flyout, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: **Close** to return to the **Select payloads and login page** page.
+- Create a new login page to use in the payload: Select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Change login page** on the **Login page** tab of the payload details flyout.
-To create a new login page, select :::image type="icon" source="../../medi#create-login-pages).
+ On the **Select login page** flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Create new**.
-Back on the **Select login page**, verify the new login page you created is selected, and then select **Save**.
+ The creation steps are the same as at **Attack simulation training** \> **Content library** tab \> **Login pages** \> **Tenant login pages** tab. For instructions, see [Create login pages](attack-simulation-training-login-pages.md#create-login-pages).
-Back on the payload details flyout, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Close**.
+ Back on the **Select login page** flyout, select the check box next to the name of the login page to use, and then select **Save**. Back on the **Login page** tab of the payload details flyout, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: **Close** to return to the **Select payloads and login page** page.
+
+On the **Select payloads and login page** page, verify the payloads that you configured and/or want to use are selected.
When you're finished on the **Select a payload and login page** page, select **Next**.
When you're finished on the **Select a payload and login page** page, select **N
On the **Configure OAuth payload** page, configure the following settings: - **App name**: Enter a name for the payload.--- **App logo**: Select **Browse** to select a .png, .jpeg, or .gif file to use. To remove a file after you've selected it, select **Remove**.-
+- **App logo**: Select **Browse** to select a .png, .jpeg, or .gif file to use. To remove a file after you selected it, select **Remove**.
- **Select app scope**: Choose one of the following values: - **Read user calendars** - **Read user contacts**
When you're finished on the **Configure OAuth payload** page, select **Next**.
On the **Target users** page, select who receives the simulation. Use the following options to select users: -- **Include all users in your organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** icon on the page to find specific users.
+- **Include all users in your organization**: **Include all users in your organization**: The unmodifiable list of users is show in groups of 10. You can use **Next** and **Previous** below the list of users to scroll through the list. You can also use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** on the page to find specific users.
- **Include only specific users and groups**: At first, no users or groups are shown on the **Targeted users** page. To add users or groups to the simulation, choose one of the following options:
On the **Target users** page, select who receives the simulation. Use the follow
The number of results appears in the **Selected (0/x) users** label. > [!NOTE]
- > Clicking the **Add filters** button clears and replaces any results the **User list** section with the **Filter users by categories**.
+ > Selecting **Add filters** clears and replaces any results the **User list** section with **Filter users by categories**.
- When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
- Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+ Select **Add x users** to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
- **Filter users by categories**: Use the following options: - **Suggested user groups**: Select from the following values:
- - **All suggested user groups**
+ - **All suggested user groups**: The same result as selecting **Users not targeted by a simulation in the last three months** and **Repeat offenders**.
- **Users not targeted by a simulation in the last three months** - **Repeat offenders**: For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold). - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). Use the following options:
- - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by user tags**, you can type part of the user tag name and then press Enter. You can select some or all of the results.
- Select **All user tags** - Select existing user tags. If the link is available, select **See all user tags** to see the complete list of available tags.
On the **Target users** page, select who receives the simulation. Use the follow
- **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, select the **See all** link to see all filter values - **User list** section: Shows the users or groups that match your category searches. The number of results appears in the **Selected (0/x) users** label.
- When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
On the **Assign training** page, you can assign trainings for the simulation. We
Use the following options on the page to assign trainings as part of the simulation: -- **Select training content preference**: Choose one of the following options in the dropdown list:
+- **Preferences** section: In **Select training content preference**, choose one of the following options in the dropdown list:
- - **Microsoft training experience (Recommended)**: This is the default value that has the following associated options to configure on the page:
- - Select one of the following options:
+ - **Microsoft training experience (Recommended)**: This is the default value. This value has the following associated options to configure on the page:
+ - Select one of the following values:
- **Assign training for me (Recommended)**: This is the default value. We assign training based on a user's previous simulation and training results.
- - **Select training courses and modules myself**: If you select this value, the next step in the wizard will be **Training assignment** where you find and select trainings. The steps are described in the [Training assignment](#training-assignment) subsection.
- - **Due date**: Choose one of the following values:
- - **30 days after simulation ends**: This is the default value.
+ - **Select training courses and modules myself**: If you select this value, the next step in the wizard is **Training assignment** where you find and select trainings. The steps are described in the [Training assignment](#training-assignment) subsection.
+ - **Due date** section: In **Select a training due date**, choose one of the following values:
+ - **30 days after simulation ends** (this is the default value)
- **15 days after simulation ends** - **7 days after simulation ends**
Use the following options on the page to assign trainings as part of the simulat
- **Custom training URL** (required) - **Custom training name** (required) - **Custom training description**
- - **Custom training duration (in minutes)**: The default value is 0, which means there is no specified duration for the training.
- - **Due date**: Choose one of the following values:
- - **30 days after simulation ends**: This is the default value.
+ - **Custom training duration (in minutes)**: The default value is 0, which means there's no specified duration for the training.
+ - **Due date** section: In **Select a training due date**, choose one of the following values:
+ - **30 days after simulation ends** (this is the default value)
- **15 days after simulation ends** - **7 days after simulation ends**
- - **No training**: If you select this value, the only option on the page is the **Next** button.
+ - **No training**: If you select this value, the only option on the page is **Next**.
When you're finished on the **Assign training** page, select **Next**.
When you're finished on the **Assign training** page, select **Next**.
> [!NOTE] > This page is available only if you selected **Select training courses and modules myself** on the **Assign training** page.
-On the **Training assignment** page, select the trainings that you want to add to the simulation by clicking :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add trainings**.
+On the **Training assignment** page, select the trainings that you want to add to the simulation by selecting :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add trainings**.
-On the **Add training** flyout that opens, use the following tabs to select trainings to include in the simulation:
+In the **Add training** flyout that opens, use the following tabs to select trainings to include in the simulation:
-- **Recommended** tab: Shows the recommended built-in trainings based on the simulation configuration. These are the same trainings that would have been assigned if you selected **Assign training for me (Recommended)** on the previous page.
+- **Recommended** tab: Shows the recommended built-in trainings based on the simulation configuration. These trainings are the same trainings that would have been assigned if you selected **Assign training for me (Recommended)** on the previous page.
- **All trainings** tab: Shows all built-in trainings that are available. :::image type="content" source="../../media/attack-sim-training-simulations-assign-training-add-recommended-training.png" alt-text="The option to add the recommended training on the Training assignment page in Attack simulation training in the Microsoft Defender portal" lightbox="../../media/attack-sim-training-simulations-assign-training-add-recommended-training.png":::
On either tab, the following information is shown for each training:
- **Training name** - **Source**: The value is **Global**. - **Duration (mins)**-- **Preview**: Select the **Preview** button to see the training.
+- **Preview**: Select **Preview** to see the training.
On either tab, you can use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find trainings. Type part of the training name and press the ENTER key.
-On either tab, select one or more trainings by clicking in the blank area next to the **Training name** column. When you're finished, select **Add**.
+On either tab, select one or more trainings by selecting the check box next to the training name. To select all trainings, select the check box in the **Training name** column header. When you're finished, select **Add**.
Back on the **Training assignment** page, the selected trainings are now listed. The following information is shown for each training: - **Training name** - **Source** - **Duration (mins)**-- **Assign to**: For each training in the list, you need to select who gets the training by selecting from the following values:
+- **Assign to**: For each training, select who gets the training by selecting from the following values:
- **All users** - One or both of the values **Clicked payload** or **Compromised**. - **Delete**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** to remove the training from the simulation.
When you're finished on the **Training assignment** page, select **Next**.
### Select a landing page
-On the **Selecting phish landing page** page, you configure the web page that users are taken to if they open the payload in the simulation.
+On the **Select phish landing page** page, configure the web page that users are taken to if they open the payload in the simulation.
Select one of the following options: - **Use landing pages from library**: The following options are available:
- - **Payload indicators**: Select **Add payload indicators to email** to help users learn how do identify phishing email.
- - This setting is not available if you selected **Malware Attachment** or **Link to Malware** on the [Select one or more techniques](#select-one-or-more-social-engineering-techniques) page.
- - For landing pages that you create on the **Tenant landing pages** tab, this setting is meaningful only if you use the **Dynamic tag** named **Insert Payload content** in the landing page content as described in the **Create a landing page** subsection.
+ - **Payload indicators** section: Select **Add payload indicators to email** to help users learn how do identify phishing email.
+ - This setting isn't available if you selected **Malware Attachment** or **Link to Malware** on the [Select one or more techniques](#select-one-or-more-social-engineering-techniques) page.
+ - For landing pages that you create on the **Tenant landing pages** tab, this setting is meaningful only if you use the **Dynamic tag** named **Insert Payload content** in the landing page content as described in the [Create landing pages](attack-simulation-training-landing-pages.md#create-landing-pages) subsection.
- **Show the interstitial page before the landing page**: This setting is available only if you selected **Drive-by URL** on the [Select one or more techniques](#select-one-or-more-social-engineering-techniques) page. You can show the overlay that comes up for drive-by URL attacks. To hide the overlay and go directly to the landing page, don't select this option. The remainder of the **Selecting phish landing page** page has two tabs where you select the landing page to use: - **Global landing pages** tab: Contains the built-in landing pages. When you select a built-in landing page to use by selecting the check box next to name, an **Edit layout** section appears with the following options: - **Add logo**: Select **Browse logo image** to find and select a .png, .jpeg, or .gif file. The logo size should be a maximum of 210 x 70 to avoid distortion. To remove the logo, select **Remove uploaded logo image**.
- - **Select default language**: This setting is required. Select one of the following values: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, and **Dutch**.
-
- - **Tenant landing pages** tab: Contains any custom landing pages that you've created. To create a new landing page, select :::image type="icon" source="../../medi#create-landing-pages).
+ - **Select default language**: This setting is required. Select one of the following values: **Chinese (Simplified)**, **Chinese (Traditional, Taiwan)**, **Dutch**, **English**, **Spanish**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese, or **Russian**.
- On both tabs, the following information is shown for each landing page:
+ - **Tenant landing pages** tab: Contains any custom landing pages that you created. To create a new landing page, select :::image type="icon" source="../../medi#create-landing-pages).
- - **Name**
- - **Language**: If the landing page contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).
- - **Default language**
- - **Status**
- - **Linked simulation**
+ On both tabs, the following information is shown for each landing page. You can sort the landing pages by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default columns are marked with an asterisk (<sup>\*</sup>):
- Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, the only available columns that aren't selected are **Source** and **Created by**.
+ - **Name**<sup>\*</sup>
+ - **Language**<sup>\*</sup>: If the landing page contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).
+ - **Source**
+ - **Default language**<sup>\*</sup>
+ - **Status**<sup>\*</sup>
+ - **Linked simulations**<sup>\*</sup>
+ - **Created by**
+ - **Created time**<sup>\*</sup>
+ - **Modified by**<sup>\*</sup>
+ - **Last modified**<sup>\*</sup>
To find a landing page in the list, type part of the landing page name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the landing pages by language.
- When you select a landing page by clicking on the name, a details flyout opens that shows more information about the landing page:
+ When a landing page is selected, if you click anywhere in the row, a details flyout opens that shows more information about the landing page:
- The **Preview** tab shows what the landing page looks like to users. - The **Details** tab shows the properties of the landing page.
+ > [!TIP]
+ > To see details about other landing pages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
+ When you're finished in the landing page details flyout, select **Close**. On the **Selecting phish landing page** page, select a landing page to use by selecting the check box next to the **Name** column. -- **Use a custom URL**: This setting is not available if you selected **Malware Attachment** or **Link to Malware** on the [Select one or more social engineering techniques](#select-one-or-more-social-engineering-techniques) page.
+- **Use a custom URL**: This setting isn't available if you selected **Malware Attachment** or **Link to Malware** on the [Select social engineering techniques](#select-one-or-more-social-engineering-techniques) page.
If you select **Use a custom URL**, you need to add the URL in the **Enter the custom landing page URL** box that appears. No other options are available on the **Selecting phish landing page** page.
When you're finished on the **Selecting phish landing page** page, select **Next
On the **Select end user notification** page, select from the following notification options: -- **Do not deliver notifications**: No other configuration options are available on the page. Users will not receive **Training assignment notifications**, **Training reminder notifications** or **Positive reinforcement notifications** from the simulation.--- **Microsoft default notification (recommended)**: The notifications that users will receive are shown on the page:
+- **Do not deliver notifications**: No other configuration options are available on the page. Users don't receive **Training assignment notifications**, **Training reminder notifications** or **Positive reinforcement notifications** from the simulation. Select **Proceed** in the warning dialog.
+- **Microsoft default notification (recommended)**: The notifications that users receive are shown on the page:
- **Microsoft default positive reinforcement notification** - **Microsoft default training assignment notification** - **Microsoft default training reminder notification**
- Select the default language to use in **Select default language**. The available values are: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Romanian**, **Russian**, **Spanish**, or **Dutch**.
+ Select the default language to use in **Select default language**. The available values are: **Chinese (Simplified)**, **Chinese (Traditional, Taiwan)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, **Dutch**, **Polish**, **Arabic**, **Finnish**, **Greek**, **Hungarian**, **Indonesian**, **Norwegian Bokmål**, **Romanian**, **Slovak**, **Swedish**, **Thai**, **Turkish**, **Vietnamese**, **Catalan**, **Croatian**, or **Slovenian**.
For each notification, the following information is available:
On the **Select end user notification** page, select from the following notifica
- For **Microsoft default positive reinforcement notification**, select **Do not deliver**, **Deliver after campaign ends**, or **Deliver during campaign**. - For **Microsoft default training reminder notification**, select **Twice a week** or **Weekly**. - **Actions**: If you select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View**, a **Review notification** page opens with the following information:
- - **Preview** tab: View the notification message as users will see it.
+ - **Preview** tab: View the notification message as users see it.
- To view the message in different languages, use the **Select language** box. - Use the **Select payload to preview** box to select the notification message for simulations that contain multiple payloads. - **Details** tab: View details about the notification:
On the **Select end user notification** page, select from the following notifica
When you're finished on the **Review notification** page, select **Close** to return to the **Select end user notification** page. -- **Customized end user notifications**: No other configuration options are available on the page. When you select **Next**, you'll need to select a **Training assignment notification**, a **Training reminder notification**, and (optionally) a **Positive reinforcement notification** to use for the simulation as described in the next three subsections.
+- **Customized end user notifications**: No other configuration options are available on the page. When you select **Next**, you need to select a **Training assignment notification**, a **Training reminder notification**, and (optionally) a **Positive reinforcement notification** to use for the simulation as described in the next three subsections.
When you're finished on the **Select end user notification** page, select **Next**.
The **Training assignment notification** page shows the following notifications
- **Microsoft default training only campaign-training assignment notification** - Any custom training assignment notifications that you previously created.
-These notifications are also available at **Attack simulation training** \> **Content library tab** \> **End user notifications**:
+These notifications are also available at **Attack simulation training** \> **Content library** tab \> **End user notifications**:
- Built-in training assignment notifications are available on the **Global notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=global>. - Custom training assignment notifications are available on the **Tenant notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=tenant>.
For more information, see [End-user notifications for Attack simulation training
Do one of the following steps: -- **Select an existing notification to use**:
+- Select an existing notification to use:
- To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- - When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification:
+ - When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification:
- The **Preview** tab shows what the notification looks like to users. - The **Details** tab shows the properties of the notification.
Do one of the following steps:
On the **Training assignment notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
+- Create a new notification to use: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training assignment notification** for the notification type.
The **Training reminder notification** page shows the following notifications an
- **Microsoft default training only campaign-training reminder notification** - Any custom training reminder notifications that you previously created.
-These notifications are also available at **Attack simulation training** \> **Content library tab** \> **End user notifications**:
+These notifications are also available at **Attack simulation training** \> **Content library** tab \> **End user notifications**:
- Built-in training reminder notifications are available on the **Global notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=global>. - Custom training reminder notifications are available on the **Tenant notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=tenant>. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
-In **Set frequency for reminder notification**, select **Weekly** or **Twice a week**, and then do one of the following steps:
+In **Set frequency for reminder notification**, select **Weekly** (the default value) or **Twice a week**, and then do one of the following steps:
-- **Select an existing notification to use**:
+- Select an existing notification to use:
- To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key. - When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users.
When you're finished on the **Training reminder notification** page, select **Ne
> [!NOTE] > This page is available only if you selected **Customized end user notifications** on the [Select end user notifications](#select-end-user-notifications) page.
-You have the following options for positive reinforcement notifications:
--- Don't use positive reinforcement notifications: Select **Do not deliver** in the **Delivery preferences** section.
+You have the following options in the **Delivery preferences** section for positive reinforcement notifications:
- There's nothing else to configure on the page, so you're taken to the [simulation schedule](#simulation-schedule) page when you select **Next**.
+- Don't use positive reinforcement notifications: Select **Do not deliver**. There's nothing else to configure on the page, so you go to the [simulation schedule](#simulation-schedule) page when you select **Next**.
-- Use an existing positive reinforcement notification: Select **Deliver after the user reports a phish and campaign ends** or **Deliver immediately after the user reports a phish** in the **Delivery preferences** section.
+- Use an existing positive reinforcement notification: Select one of the remaining values:
+ - **Deliver after the user reports a phish and campaign ends**
+ - **Deliver immediately after the user reports a phish**.
The following notifications and their configured languages appear on the page: - **Microsoft default positive reinforcement notification** - Any custom positive reinforcement notifications that you previously created.
- These notifications are also available at **Attack simulation training** \> **Content library tab** \> **End user notifications**:
+ These notifications are also available at **Attack simulation training** \> **Content library** tab \> **End user notifications**:
- Built-in positive reinforcement notifications are available on the **Global notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=global>. - Custom positive reinforcement notifications are available on the **Tenant notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=tenant>.
You have the following options for positive reinforcement notifications:
When you're finished in the notification details flyout, select **Close**.
- On the **Positive reinforcement notification** page, select an existing notification to use by clicking the check box next to the name.
+ On the **Positive reinforcement notification** page, select an existing notification to use by selecting the check box next to the name.
- Create a new positive reinforcement notification to use: Select :::image type="icon" source="../../medi#create-end-user-notifications).
When you're finished on the **Schedule details** page, select **Next**.
On the **Launch details** page, configure the following additional settings for the automation: -- **Use unique payloads across simulations within an automation** section: By default, **Unique payloads** is not selected.
+- **Use unique payloads across simulations within an automation** section: By default, **Unique payloads** isn't selected.
-- **Target all selected users in every simulation run** section: By default, **Target all selected users in every simulation run** is not selected.
+- **Target all selected users in every simulation run** section: By default, **Target all selected users in every simulation run** isn't selected.
- **Target repeat offenders** section: By default, **Target repeat offenders**is not selected. If you select it, use **Enter the maximum number of times a user can be targeted within this automation** that appears to enter a value from 1 to 10. -- **Send simulation email based upon the user's current time zone setting from Outlook web app** section: By default, **Enable region aware delivery** is not selected.
+- **Send simulation email based upon the user's current time zone setting from Outlook web app** section: By default, **Enable region aware delivery** isn't selected.
When you're finished on the **Launch details** page, select **Next**.
To turn off an **Active** simulation automation, select it from the list by clic
To remove a simulation automation, select the simulation automation from the list by clicking the check box next to the name. Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears, and then select **Confirm** in the dialog.
+## View simulation automation details
+
+For simulation automations with the **Status** value **Active** or **Inactive**, select the simulation from the **Simulation automations** page by clicking anywhere in the row other than the check box next to the name. The details flyout that opens contains the following information:
+
+- The simulation automation name and the number of items collected.
+- **General** tab:
+ - **Type**: The value is **Simulation**.
+ - **Name**
+ - **Description**
+ - **Run conditions** sections: Select **Edit** to open the simulation automation wizard on the related page.
+- **Run history** tab: This tab is available only for simulation automations with the **Status** value **Active** or **Inactive**.
+
+ Shows information about the run history of the simulation.
+
+> [!TIP]
+> To see details about other simulation automations without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
+ ## Frequently asked questions (FAQ) for simulations automations This section contains some of the most common questions about Simulation automations. ### Why does the Status value under Automations show Completed, but the Status value under Simulations show In progress?
-**Completed** on the **Simulation automations** page means the job of simulation automation is complete, and no more simulations will be created by it. Simulation is a separate entity that will complete after 30 days of simulation launch time.
+**Completed** on the **Simulation automations** page means the job of simulation automation is complete, and no more simulations are created by it. Simulation is a separate entity that will complete after 30 days of simulation launch time.
### Why is the simulation end date 30 days after creation, even though I selected an automation end date of one week?
-A one week end date for the simulation automation means no new simulations will be created by it after one week. For simulations created by a simulation automation, the default end date is 30 days after the creation of the simulation.
+A one week end date for the simulation automation means no new simulations are created by it after one week. For simulations created by a simulation automation, the default end date is 30 days after the creation of the simulation.
### If we have multiple social engineering techniques and related payloads (for example, Credential harvest, Link to Malware, and Drive by URL) that target 300 users, how are the payloads sent to users? Do all payload types go to all users, or is the selection random?
-If you don't select **Target all selected users in every simulation run** on the [Launch details](#launch-details) page, all targeted users will be distributed over the maximum number of simulations that are created by the simulation automation.
+If you don't select **Target all selected users in every simulation run** on the [Launch details](#launch-details) page, all targeted users are distributed over the maximum number of simulations that are created by the simulation automation.
-If you select **Target all selected users in every simulation run** on the [Launch details](#launch-details) page, all targeted users will be part of every simulation that's created by the simulation automation.
+If you select **Target all selected users in every simulation run** on the [Launch details](#launch-details) page, all targeted users are part of every simulation that's created by the simulation automation.
### How does the Randomize option on the Simulation schedule page work?
This number is the maximum number of runs that can be created by this automation
### If I select only one specific day between two days (for example, Wednesday), how many simulations will I see on the Simulation tab?
-If there's only one Wednesday between the start date and end date, the automation will have only one valid day to send out the simulation. Even if you selected a higher value for **Max number of simulations**, this value will get overwritten to one.
+If there's only one Wednesday between the start date and end date, the automation has only one valid day to send out the simulation. Even if you selected a higher value for **Max number of simulations**, this value gets overwritten to one.
### How does randomize send times currently work?
-Randomize send time works in batches of 1000 users and is meant to be used with a large number of targeted users. If less than 1000 users are involved in simulations created by automations, batches of 100 users are created for randomized send times.
+Randomize send time works in batches of 1,000 users and is meant to be used with a large number of targeted users. If less than 1,000 users are involved in simulations created by automations, batches of 100 users are created for randomized send times.
+
+## Related links
+
+[Get started using Attack simulation training](attack-simulation-training-get-started.md)
+
+[Simulation automations for Attack simulation training](attack-simulation-training-simulation-automations.md)
+
+[Gain insights through Attack simulation training](attack-simulation-training-insights.md)
security Attack Simulation Training Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulations.md
description: Admins can learn how to simulate phishing attacks and train their users on phishing prevention using Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 3/8/2024 Last updated : 3/15/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
To launch a simulated phishing attack, do the following steps:
The following sections describe the steps and configuration options to create a simulation. > [!NOTE]
- > At any point after you name the simulation during the new simulation wizard, you can select **Save and close** to save your progress and continue later. The incomplete simulation has the **Status** value **Draft**. You can pick up where you left off by selecting the simulation and then clicking the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit simulation** action that appears.
+ > At any point after you name the simulation during the new simulation wizard, you can select **Save and close** to save your progress and continue later. The incomplete simulation has the **Status** value **Draft**. You can pick up where you left off by selecting the simulation and then selecting the :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit simulation** action that appears.
## Select a social engineering technique
-On the **Select technique** page, select an available social engineering technique, which was curated from the [MITRE ATT&CK® framework](https://attack.mitre.org/techniques/enterprise/). Different payloads are available for different techniques. The following social engineering techniques are available:
+On the **Select technique** page, select an available social engineering technique:
-- **Credential Harvest**: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.-- **Malware Attachment**: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.-- **Link in Attachment**: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.-- **Link to Malware**: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file. Opening the file helps the attacker compromise the target's device.-- **Drive-by URL**: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.-- **OAuth Consent Grant**: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
+- **Credential Harvest**
+- **Malware Attachment**
+- **Link in Attachment**
+- **Link to Malware**
+- **Drive-by URL**
+- **OAuth Consent Grant**
+- **How-to Guide**
If you select the **View details** link in the description, a details flyout opens that describes the technique and the simulation steps that result from the technique.
+For more information about the different social engineering techniques, see [Simulations](attack-simulation-training-get-started.md#simulations).
+ :::image type="content" source="../../media/attack-sim-training-simulations-select-technique-sim-steps.png" alt-text="The Details flyout for the credential harvest technique on the Select technique page" lightbox="../../media/attack-sim-training-simulations-select-technique-sim-steps.png"::: When you're finished on the **Select technique** page, select **Next**.
When you're finished on the **Name simulation** page, select **Next**.
## Select a payload and login page
-On the **Select payload and login page** page, you need to select an existing payload or create a new payload.
+On the **Select payload and login page** page, you need to select an existing payload or create a new payload to use.
For the **Credential Harvest** or **Link in Attachment** social engineering techniques, you can also view the login page that's used in the payload, select a different login page to use, or create a new login page to use. ### Select a payload
-The following details are shown for each payload:
+The **Select payload and login page** page has two tabs:
+
+- **Global payloads**: Contains built-in payloads.
+- **Tenant payloads**: Contains custom payloads.
+
+The following information is shown for each payload:
- **Payload name**-- **Source**: For built-in payloads, the value is **Global**. For custom payloads, the value is **Tenant**. - **Language**: The language of the payload content. Microsoft's payload catalog (global) provides payloads in 29+ languages as described in :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**.-- **Click rate**: How many people have clicked on this payload.-- **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this payload (users compromised / total number of users who receive the payload). For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).-- **Simulations launched** counts the number of times this payload was used in other simulations.
+- **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who should be compromised by this payload (users compromised / total number of users who receive the payload). For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).
+
+You can sort the entries by clicking on an available column header.
To find a payload in the list, type part of the payload name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
-If you select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false":::, the following filters are available:
+To filter the payloads, select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**. The following filters are available in the **Filters** flyout that opens:
- **Source**: The available values are: **Global**, **Tenant**, and **All**. - **Complexity**: Calculated based on the number of indicators in the payload that indicate a possible attack (spelling errors, urgency, etc.). More indicators are easier to identify as an attack and indicate lower complexity. The available values are: **High**, **Medium**, and **Low**. -- **Language**: The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.--- **Add tag(s)**
+- **Language**: The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Chinese (Traditional, Taiwan)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, and **Other**.
-- **Filter by theme**: The available values are: **Account activation**, **Account verification**, **Billing**, **Clean up mail**, **Document received**, **Expense**, **Fax**, **Finance report**, **Incoming messages**, **Invoice**, **Items received**, **Login alert**, **Mail received**, **Password**, **Payment**, **Payroll**, **Personalized offer**, **Quarantine**, **Remote work**, **Review message**, **Security update**, **Service suspended**, **Signature required**, **Upgrade mailbox storage Verify mailbox**, **Voicemail**, and **Other**.
+- **Filter by theme**: The available values are: **Account Activation**, **Account Verification**, **Billing**, **Clean up Mail**, **Document Received**, **Expense**, **Fax**, **Finance Report**, **Incoming Messages**, **Invoice**, **Item Received**, **Login Alert**, **Mail Received**, **Password**, **Payment**, **Payroll**, **Personalized Offer**, **Quarantine**, **Remote Work**, **Review Message**, **Security Update**, **Service Suspended**, **Signature Required**, **Upgrade Mailbox Storage**, **Verify mailbox**, **Voicemail**, and **Other**.
- **Filter by brand**: The available values are: **American Express**, **Capital One**, **DHL**, **DocuSign**, **Dropbox**, **Facebook**, **First American**, **Microsoft**, **Netflix**, **Scotiabank**, **SendGrid**, **Stewart Title**, **Tesco**, **Wells Fargo**, **Syrinx Cloud**, and **Other**. -- **Filter by industry**: The available values are: **Banking**, **Business services**, **Consumer services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier services**, **IT**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real estate**, and **Other**.
+- **Filter by industry**: The available values are: **Banking**, **Business Services**, **Consumer Services**, **Education**, **Energy**, **Construction**, **Consulting**, **Financial Services**, **Government**, **Hospitality**, **Insurance**, **Legal**, **Courier Services**, **Healthcare**, **Manufacturing**, **Retail**, **Telecom**, **Real Estate**, and **Other**.
- **Current event**: The available values are **Yes** or **No**.
If you select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.pn
When you're finished configuring filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
-If you select a payload by selecting the check box next to the name, a :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Send a test** button appears above the list of payloads. You can use this button to send a copy of the payload email to yourself (the currently logged in user) for inspection.
+If you select a payload by selecting the check box next to the name, a :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Send a test** action appears above the list of payloads. Use this action to send a copy of the payload email to yourself (the currently logged in user) for inspection.
-If no payloads are available or if you want to create your own payload, select :::image type="icon" source="../../medi#create-payloads).
+On the **Tenant payloads** tab, if no payloads are available or if you want to create your own payload, select :::image type="icon" source="../../medi#create-payloads).
-If you select a payload by clicking anywhere in the row other than the check box next to the name, details about the payload are shown in a flyout:
-- The **Overview** tab (named **Payload** in **Credential Harvest** and **Link in Attachment** payloads) contains details about the payload, include a preview.
+If you select a payload by clicking anywhere in the row other than the check box next to the name, details about the payload are shown in a flyout that opens:
+
+- The **Overview** tab (named **Payload** in **Credential Harvest** and **Link in Attachment** payloads) contains details about the payload, including a preview.
- The **Login page** tab is available only for **Credential Harvest** or **Link in Attachment** payloads and is described in the [Select a login page](#select-a-login-page) subsection.-- The **Attachment** tab is available only for **Malware Attachment**, **Link in Attachment**, and **Oauth Consent Grant** payloads. This tab contains details about the attachment, include a preview.
+- The **Attachment** tab is available only for **Malware Attachment**, **Link in Attachment**, and **Oauth Consent Grant** payloads. This tab contains details about the attachment, including a preview.
- The **Simulations launched** tab contains the **Simulation name**, **Click rate**, **Compromised rate**, and **Action**. :::image type="content" source="../../media/attack-sim-training-simulations-select-payload-details-payload-tab.png" alt-text="The Payload tab in the payload details flyout in Attack simulation training in the Microsoft Defender portal" lightbox="../../media/attack-sim-training-simulations-select-payload-details-payload-tab.png":::
To view the complete login page, use the **Page 1** and **Page 2** links at the
To change the login page that's used in the payload, select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Change login page**.
-On the **Select login page** flyout that opens, The following information is shown for each login page:
+On the **Select login page** flyout that opens, the following information is shown for each login page:
- **Name** - **Language**
When you're finished on the **Select a payload and login page** page, select **N
On the **Configure OAuth payload** page, configure the following settings: - **App name**: Enter a name for the payload.- - **App logo**: Select **Browse** to select a .png, .jpeg, or .gif file to use. To remove a file after you've selected it, select **Remove**.- - **Select app scope**: Choose one of the following values: - **Read user calendars** - **Read user contacts**
When you're finished on the **Configure OAuth payload** page, select **Next**.
On the **Target users** page, select who receives the simulation. Use the following options to select users: -- **Include all users in your organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** icon on the page to find specific users.
+- **Include all users in your organization**: The unmodifiable list of users is show in groups of 10. You can use **Next** and **Previous** below the list of users to scroll through the list. You can also use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** on the page to find specific users.
> [!TIP] > Although you can't remove users from the list on this page, you can use the next **Exclude users** page to exclude specific users.
On the **Target users** page, select who receives the simulation. Use the follow
- :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add users**: In the **Add users** flyout that opens, you find and select users and groups to receive the simulation. **Dynamic distribution groups are not supported**. The following search tools are available: - **Search for users or groups**: If you click in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
- - Type three or more characters and then press the ENTER key. Any users or group names that contain those characters are shown in the **User list** section by **Name** and **Email**.
+
+ - Type three or more characters and then press the ENTER key. Any users or group names that contain those characters are shown in the **User list** section by **Name**, **Email**, **Job title**, and **Type**.
- Type less than three characters or no characters and then press the ENTER key. No users are shown in the **User list** section, but you can type three or more characters in the **Search** box to search for users and groups. The number of results appears in the **Selected (0/x) users** label.
- > [!NOTE]
- > Clicking the **Add filters** button clears and replaces any results the **User list** section with the **Filter users by categories**.
+ > [!TIP]
+ > Selecting **Add filters** clears and replaces any results the **User list** section with **Filter users by categories**.
- When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
- Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+ Select **Add x users** to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
- **Filter users by categories**: Use the following options: - **Suggested user groups**: Select from the following values:
- - **All suggested user groups**
+ - **All suggested user groups**: The same result as selecting **Users not targeted by a simulation in the last three months** and **Repeat offenders**.
- **Users not targeted by a simulation in the last three months** - **Repeat offenders**: For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold). - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). Use the following options:
- - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by user tags**, you can type part of the user tag name and then press Enter. You can select some or all of the results.
- Select **All user tags** - Select existing user tags. If the link is available, select **See all user tags** to see the complete list of available tags.
On the **Target users** page, select who receives the simulation. Use the follow
- **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, select the **See all** link to see all filter values - **User list** section: Shows the users or groups that match your category searches. The number of results appears in the **Selected (0/x) users** label.
- When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
The methods to find and select users are the same as described in the previous s
When you're finished on the **Exclude users** page, select **Next**.
+> [!TIP]
+> If you selected **How-to Guide** as the [social engineering technique](#select-a-social-engineering-technique), you go directly to the [Select end user notification](#select-end-user-notifications) page.
+ ## Assign training On the **Assign training** page, you can assign trainings for the simulation. We recommend that you assign training for each simulation, as employees who go through training are less susceptible to similar attacks. Use the following options on the page to assign trainings as part of the simulation: -- **Select training content preference**: Choose one of the following options in the dropdown list:
+- **Preferences** section: In **Select training content preference**, choose one of the following options in the dropdown list:
- - **Microsoft training experience (Recommended)**: This is the default value that has the following associated options to configure on the page:
- - Select one of the following options:
+ - **Microsoft training experience (Recommended)**: This is the default value. This value has the following associated options to configure on the page:
+ - Select one of the following values:
- **Assign training for me (Recommended)**: This is the default value. We assign training based on a user's previous simulation and training results.
- - **Select training courses and modules myself**: If you select this value, the next step in the wizard will be **Training assignment** where you find and select trainings. The steps are described in the [Training assignment](#training-assignment) subsection.
- - **Due date**: Choose one of the following values:
- - **30 days after simulation ends**: This is the default value.
+ - **Select training courses and modules myself**: If you select this value, the next step in the wizard is **Training assignment** where you find and select trainings. The steps are described in the [Training assignment](#training-assignment) subsection.
+ - **Due date** section: In **Select a training due date**, choose one of the following values:
+ - **30 days after simulation ends** (this is the default value)
- **15 days after simulation ends** - **7 days after simulation ends**
Use the following options on the page to assign trainings as part of the simulat
- **Custom training URL** (required) - **Custom training name** (required) - **Custom training description**
- - **Custom training duration (in minutes)**: The default value is 0, which means there is no specified duration for the training.
- - **Due date**: Choose one of the following values:
- - **30 days after simulation ends**: This is the default value.
+ - **Custom training duration (in minutes)**: The default value is 0, which means there's no specified duration for the training.
+ - **Due date** section: In **Select a training due date**, choose one of the following values:
+ - **30 days after simulation ends** (this is the default value)
- **15 days after simulation ends** - **7 days after simulation ends**
- - **No training**: If you select this value, the only option on the page is the **Next** button.
+ - **No training**: If you select this value, the only option on the page is **Next**.
When you're finished on the **Assign training** page, select **Next**.
When you're finished on the **Assign training** page, select **Next**.
> [!NOTE] > This page is available only if you selected **Select training courses and modules myself** on the **Assign training** page.
-On the **Training assignment** page, select the trainings that you want to add to the simulation by clicking :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add trainings**.
+On the **Training assignment** page, select the trainings that you want to add to the simulation by selecting :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add trainings**.
-On the **Add training** flyout that opens, use the following tabs to select trainings to include in the simulation:
+In the **Add training** flyout that opens, use the following tabs to select trainings to include in the simulation:
-- **Recommended** tab: Shows the recommended built-in trainings based on the simulation configuration. These are the same trainings that would have been assigned if you selected **Assign training for me (Recommended)** on the previous page.
+- **Recommended** tab: Shows the recommended built-in trainings based on the simulation configuration. These trainings are the same trainings that would have been assigned if you selected **Assign training for me (Recommended)** on the previous page.
- **All trainings** tab: Shows all built-in trainings that are available. :::image type="content" source="../../media/attack-sim-training-simulations-assign-training-add-recommended-training.png" alt-text="The option to add the recommended training on the Training assignment page in Attack simulation training in the Microsoft Defender portal" lightbox="../../media/attack-sim-training-simulations-assign-training-add-recommended-training.png":::
On either tab, the following information is shown for each training:
- **Training name** - **Source**: The value is **Global**. - **Duration (mins)**-- **Preview**: Select the **Preview** button to see the training.
+- **Preview**: Select **Preview** to see the training.
On either tab, you can use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to find trainings. Type part of the training name and press the ENTER key.
-On either tab, select one or more trainings by clicking in the blank area next to the **Training name** column. When you're finished, select **Add**.
+On either tab, select one or more trainings by selecting the check box next to the training name. To select all trainings, select the check box in the **Training name** column header. When you're finished, select **Add**.
Back on the **Training assignment** page, the selected trainings are now listed. The following information is shown for each training: - **Training name** - **Source** - **Duration (mins)**-- **Assign to**: For each training, you need to select who gets the training by selecting from the following values:
+- **Assign to**: For each training, select who gets the training by selecting from the following values:
- **All users** - One or both of the values **Clicked payload** or **Compromised**. - **Delete**: Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** to remove the training from the simulation. :::image type="content" source="../../media/attack-sim-training-training-assignment.png" alt-text="The Training assignment page in Attack simulation training in the Microsoft Defender portal" lightbox="../../media/attack-sim-training-training-assignment.png"::: - When you're finished on the **Training assignment** page, select **Next**. ## Select a landing page
-On the **Selecting phish landing page** page, you configure the web page that users are taken to if they open the payload in the simulation.
+On the **Select phish landing page** page, configure the web page that users are taken to if they open the payload in the simulation.
Select one of the following options: - **Use landing pages from library**: The following options are available:
- - **Payload indicators**: Select **Add payload indicators to email** to help users learn how do identify phishing email.
- - This setting is not available if you selected **Malware Attachment** or **Link to Malware** on the [Select a social engineering technique](#select-a-social-engineering-technique) page.
- - For landing pages that you create on the **Tenant landing pages** tab, this setting is meaningful only if you use the **Dynamic tag** named **Insert Payload content** in the landing page content as described in the **Create a landing page** subsection.
+ - **Payload indicators** section: Select **Add payload indicators to email** to help users learn how do identify phishing email.
+ - This setting isn't available if you selected **Malware Attachment** or **Link to Malware** on the [Select a social engineering technique](#select-a-social-engineering-technique) page.
+ - For landing pages that you create on the **Tenant landing pages** tab, this setting is meaningful only if you use the **Dynamic tag** named **Insert Payload content** in the landing page content as described in the [Create landing pages](attack-simulation-training-landing-pages.md#create-landing-pages) subsection.
- **Show the interstitial page before the landing page**: This setting is available only if you selected **Drive-by URL** on the [Select a social engineering technique](#select-a-social-engineering-technique) page. You can show the overlay that comes up for drive-by URL attacks. To hide the overlay and go directly to the landing page, don't select this option. The remainder of the **Selecting phish landing page** page has two tabs where you select the landing page to use: - **Global landing pages** tab: Contains the built-in landing pages. When you select a built-in landing page to use by selecting the check box next to name, an **Edit layout** section appears with the following options: - **Add logo**: Select **Browse logo image** to find and select a .png, .jpeg, or .gif file. The logo size should be a maximum of 210 x 70 to avoid distortion. To remove the logo, select **Remove uploaded logo image**.
- - **Select default language**: This setting is required. Select one of the following values: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, and **Dutch**.
-
- - **Tenant landing pages** tab: Contains any custom landing pages that you've created. To create a new landing page, select :::image type="icon" source="../../medi#create-landing-pages).
+ - **Select default language**: This setting is required. Select one of the following values: **Chinese (Simplified)**, **Chinese (Traditional, Taiwan)**, **Dutch**, **English**, **Spanish**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese, or **Russian**.
- On both tabs, the following information is shown for each landing page:
+ - **Tenant landing pages** tab: Contains any custom landing pages that you created. To create a new landing page, select :::image type="icon" source="../../medi#create-landing-pages).
- - **Name**
- - **Language**: If the landing page contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).
- - **Default language**
- - **Status**
- - **Linked simulation**
+ On both tabs, the following information is shown for each landing page. You can sort the landing pages by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default columns are marked with an asterisk (<sup>\*</sup>):
- Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, the only available columns that aren't selected are **Source** and **Created by**.
+ - **Name**<sup>\*</sup>
+ - **Language**<sup>\*</sup>: If the landing page contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).
+ - **Source**
+ - **Default language**<sup>\*</sup>
+ - **Status**<sup>\*</sup>
+ - **Linked simulations**<sup>\*</sup>
+ - **Created by**
+ - **Created time**<sup>\*</sup>
+ - **Modified by**<sup>\*</sup>
+ - **Last modified**<sup>\*</sup>
To find a landing page in the list, type part of the landing page name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key. Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the landing pages by language.
- When you select a landing page by clicking on the name, a details flyout opens that shows more information about the landing page:
+ When a landing page is selected, if you click anywhere in the row, a details flyout opens that shows more information about the landing page:
- The **Preview** tab shows what the landing page looks like to users. - The **Details** tab shows the properties of the landing page.
+ > [!TIP]
+ > To see details about other landing pages without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
+ When you're finished in the landing page details flyout, select **Close**. On the **Selecting phish landing page** page, select a landing page to use by selecting the check box next to the **Name** column. -- **Use a custom URL**: This setting is not available if you selected **Malware Attachment** or **Link to Malware** on the [Select technique](#select-a-social-engineering-technique) page.
+- **Use a custom URL**: This setting isn't available if you selected **Malware Attachment** or **Link to Malware** on the [Select technique](#select-a-social-engineering-technique) page.
If you select **Use a custom URL**, you need to add the URL in the **Enter the custom landing page URL** box that appears. No other options are available on the **Selecting phish landing page** page.
When you're finished on the **Selecting phish landing page** page, select **Next
On the **Select end user notification** page, select from the following notification options: -- **Do not deliver notifications**: No other configuration options are available on the page. Users will not receive **Training assignment notifications**, **Training reminder notifications** or **Positive reinforcement notifications** from the simulation.
+- **Do not deliver notifications**: No other configuration options are available on the page. Users don't receive **Training assignment notifications**, **Training reminder notifications** or **Positive reinforcement notifications** from the simulation. Select **Proceed** in the warning dialog.
-- **Microsoft default notification (recommended)**: The notifications that users will receive are shown on the page:-
- - **Microsoft default positive reinforcement notification**
+- **Microsoft default notification (recommended)**: The notifications that users receive are shown on the page:
+ - **Microsoft default positive reinforcement notification** (for the **How-to Guide** [social engineering technique](#select-a-social-engineering-technique), this is the only available notification)
- **Microsoft default training assignment notification** - **Microsoft default training reminder notification**
- Select the default language to use in **Select default language**. The available values are: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Romanian**, **Russian**, **Spanish**, or **Dutch**.
+ Select the default language to use in **Select default language**. The available values are: **Chinese (Simplified)**, **Chinese (Traditional, Taiwan)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, **Dutch**, **Polish**, **Arabic**, **Finnish**, **Greek**, **Hungarian**, **Indonesian**, **Norwegian Bokmål**, **Romanian**, **Slovak**, **Swedish**, **Thai**, **Turkish**, **Vietnamese**, **Catalan**, **Croatian**, or **Slovenian**.
For each notification, the following information is available:
On the **Select end user notification** page, select from the following notifica
- For **Microsoft default positive reinforcement notification**, select **Do not deliver**, **Deliver after campaign ends**, or **Deliver during campaign**. - For **Microsoft default training reminder notification**, select **Twice a week** or **Weekly**. - **Actions**: If you select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View**, a **Review notification** page opens with the following information:
- - **Preview** tab: View the notification message as users will see it.
- - To view the message in different languages, use the **Select language** box.
- - Use the **Select payload to preview** box to select the notification message for simulations that contain multiple payloads.
+ - **Preview** tab: View the notification message as users see it. To view the message in different languages, use the **Select notification language** box.
- **Details** tab: View details about the notification: - **Notification description** - **Source**: For built-in notifications, the value is **Global**. For custom notifications, the value is **Tenant**.
On the **Select end user notification** page, select from the following notifica
When you're finished on the **Review notification** page, select **Close** to return to the **Select end user notification** page. -- **Customized end user notifications**: No other configuration options are available on the page. When you select **Next**, you'll need to select a **Training assignment notification**, a **Training reminder notification**, and (optionally) a **Positive reinforcement notification** to use for the simulation as described in the next three subsections.
+- **Customized end user notifications**: No other configuration options are available on the page. When you select **Next**, you need to select a **Training assignment notification**, a **Training reminder notification**, and (optionally) a **Positive reinforcement notification** to use for the simulation as described in the next three subsections.
+
+ > [!TIP]
+ > For the **How-to Guide** [social engineering technique](#select-a-social-engineering-technique), you can only configure a [Positive reinforcement notification.](#select-a-positive-reinforcement-notification).
When you're finished on the **Select end user notification** page, select **Next**.
For more information, see [End-user notifications for Attack simulation training
Do one of the following steps: -- **Select an existing notification to use**:
+- Select an existing notification to use:
- To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
- - When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification:
+ - When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification:
- The **Preview** tab shows what the notification looks like to users. - The **Details** tab shows the properties of the notification.
Do one of the following steps:
On the **Training assignment notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
+- Create a new notification to use: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training assignment notification** for the notification type.
These notifications are also available at **Attack simulation training** \> **Co
For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
-In **Set frequency for reminder notification**, select **Weekly** or **Twice a week**, and then do one of the following steps:
+In **Set frequency for reminder notification**, select **Weekly** (the default value) or **Twice a week**, and then do one of the following steps:
-- **Select an existing notification to use**:
+- Select an existing notification to use:
- To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key. - When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users.
In **Set frequency for reminder notification**, select **Weekly** or **Twice a w
On the **Training reminder notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
+- Create a new notification to use: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training reminder notification** for the notification type.
When you're finished on the **Training reminder notification** page, select **Ne
> [!NOTE] > This page is available only if you selected **Customized end user notifications** on the [Select end user notifications](#select-end-user-notifications) page.
-You have the following options for positive reinforcement notifications:
--- Don't use positive reinforcement notifications: Select **Do not deliver** in the **Delivery preferences** section.
+You have the following options in the **Delivery preferences** section for positive reinforcement notifications:
- There's nothing else to configure on the page, so you're taken to the [Launch details](#configure-the-simulation-launch-details) page when you select **Next**.
+- Don't use positive reinforcement notifications: Select **Do not deliver** . There's nothing else to configure on the page, so you go to the [Launch details](#configure-the-simulation-launch-details) page when you select **Next**.
-- Use an existing positive reinforcement notification: Select **Deliver after the user reports a phish and campaign ends** or **Deliver immediately after the user reports a phish** in the **Delivery preferences** section.
+- Use an existing positive reinforcement notification: Select one of the remaining values:
+ - **Deliver after the user reports a phish and campaign ends**
+ - **Deliver immediately after the user reports a phish**.
The following notifications and their configured languages appear on the page:
You have the following options for positive reinforcement notifications:
When you're finished in the notification details flyout, select **Close**.
- On the **Positive reinforcement notification** page, select an existing notification to use by clicking the check box next to the name.
+ On the **Positive reinforcement notification** page, select an existing notification to use by selecting the check box next to the name.
- Create a new positive reinforcement notification to use: Select :::image type="icon" source="../../medi#create-end-user-notifications).
When you're finished on the **Positive reinforcement notification** page, select
## Configure the simulation launch details
-On the **Launch details** page, you choose when to start and end the simulation. We'll stop capturing interaction with this simulation after the end date you specify.
+On the **Launch details** page, you choose when to start and end the simulation. We stop capturing interaction with this simulation after the end date you specify.
Choose one of the following values:
Choose one of the following values:
- **Select launch time minute** - **Select time format**: Select **AM** or **PM**.
-The default value for **Configure number of days to end simulation after** is 2 days, which is also the minimum value. The maximum value is 30 days.
+Configure the remaining options on the page:
-If you select **Enable region aware time zone delivery**, the simulated attack messages are delivered to users during their regional working hours.
+- **Configure number of days to end simulation after**: The default value is two days, which is also the minimum value. The maximum value is 30 days.
+- **Enable region aware time zone delivery**: If you select this value, the simulated attack messages are delivered to users during their regional working hours.
When you're finished on the **Launch details** page, select **Next**.
Back on the **Simulations** tab, the simulation that you created is now listed.
## View simulations
-The **Simulations** tab in Attack simulation training shows any simulations that you've created.
+The **Simulations** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator> shows any simulations that you created.
-By default, the following information is shown for each simulation<sup>\*</sup>:
+The following information is shown for each simulation. You can sort the simulations by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all columns are selected:
- **Simulation name** - **Type**
By default, the following information is shown for each simulation<sup>\*</sup>:
- **Launch date** - **End date** - **Actual compromise rate (%)**: The percentage of people who were compromised by your simulation (users compromised / total number of users who receive the simulation).-- **Predicted compromise rate (%)**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this payload (users compromised / total number of users who receive the payload). For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).
+- **Predicted compromise rate (%)**: Historical data across Microsoft 365 that predicts the percentage of people who should be compromised by this payload (users compromised / total number of users who receive the payload). For more information, see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).
- **Technique**: The [social engineering technique](#select-a-social-engineering-technique) that's used in the simulation. - **Status**: One of the following values: - **Draft**
By default, the following information is shown for each simulation<sup>\*</sup>:
- **Excluded** - **Γï«** (**Actions** control): Take action on the simulation. The available actions depend on the **Status** value of the simulation as described in the procedure sections. This control always appears at the end of the row.
-Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
-
-<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
--- Horizontally scroll in your web browser.-- Narrow the width of appropriate columns.-- Remove columns from the view.-- Zoom out in your web browser.
+> [!TIP]
+> To see all columns, you likely need to do one or more of the following steps:
+>
+> - Horizontally scroll in your web browser.
+> - Narrow the width of appropriate columns.
+> - Remove columns from the view.
+> - Zoom out in your web browser.
Use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box to search for the name of an existing simulation.
When you're finished configuring filters, select **Apply**, **Cancel**, or :::im
To see simulations that have been excluded from reporting (the **Status** value is **Excluded**), use the **Show excluded simulations** toggle on the **Simulations** tab.
-### View simulation details
+## View simulation reports
-To view details about a simulation, use either of the following methods on the **Simulations** tab:
+For simulations with the **Status** value **In progress** or **Completed**, you can view the report for the simulation by using either of the following methods on the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>:
- Select the simulation by clicking anywhere in the row other than the check box next to the name. - Select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **View report**.
-The title of the details page that opens shows the name of the simulation and other information (for example, the status, social engineering technique, and delivery status).
+The title of the report page that opens shows the name of the simulation and other information (for example, the status, social engineering technique, and delivery status).
+
+> [!TIP]
+> In the following scenarios, the report page opens, but no other information or actions are available on the page:
+>
+> - The **Status** value is **Scheduled**.
+> - During the first few minutes after you create a simulation when the **Status** value is **In progress**.
You can select :::image type="icon" source="../../media/m365-cc-sc-view-activity-timeline-icon.png" border="false"::: **View activity timeline** to see date/time information about the simulation (simulation scheduled, simulation launched, simulation ended, and training due dates).
-The rest of the details page contains the following tabs:
--- **Report** tab: For a description of what's on this tab, see [Attack simulation report](attack-simulation-training-insights.md#attack-simulation-report).--- **Users** tab: Shows the following information for all targeted users in the simulation:
- - **Name**
- - **Compromised**
- - **Reported**
- - **Training status**
- - **Other actions**
- - **Compromised on**
- - **Reported on**
- - **Failed deliveries**
- - **Username**
-
- Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. The following additional columns are available:
-
- - **Days out of office**
- - **Message read on**
- - **Message forwarded on**
- - **Message deleted on**
- - **Replied to message**
- - **Department**
- - **Company**
- - **Job title**
- - **Office**
- - **City**
- - **Country**
- - **Manager**
-
- To change the list of users from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
-
- If you select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter**, the following filters are available:
-
- - **Compromised**: Select **Yes** or **No**.
- - **Reported message**: Select **Yes** or **No**.
- - **Simulation message delivery**: Select **Delivered** or **Failed to deliver**.
- - **Other actions**: *Select one or more of the following values: **Replied to message**, **Forwarded message**, and **Deleted messages**.
- - **Training status**: Select **Completed**, **In progress**, **Not started**, or **Not assigned**.
- - **Assigned trainings**: Select one or more of the following values: **Mass Market Phishing**, **Report Message**, **Web Phishing**, **Anatomy of a Spear Phishing Attack**.
-
- To find a user in the list, type part of the name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key.
--- **Details** tab: Contains details about the simulation in the following sections:
- - **Description** section:
- - **Delivery platform**
- - **Type**
- - **Landing page**
- - **Technique**
- - **Launch details**
- - **Payload & login page**
- - **Target users**: Include excluded users or groups.
- - **Training information** section:
+The rest of the report page contains tabs as described in the following subsections.
+
+To close the simulation report, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: **Close**.
+
+### Report tab
+
+For a description of what's on the **Report** tab for simulations, see [Simulation report for simulations](attack-simulation-training-insights.md#simulation-report-for-simulations).
+
+### Users tab
+
+The **Users** tab contains the following information for each user in the simulation. You can sort the users by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default columns are marked with an asterisk (<sup>\*</sup>):
+
+- **Name**<sup>\*</sup> (you can't deselect this value)
+- **Compromised**<sup>\*</sup>
+- **Reported**<sup>\*</sup>
+- **Training status**<sup>\*</sup>
+- **Other actions**<sup>\*</sup>
+- **Compromised on**<sup>\*</sup>
+- **Reported on**<sup>\*</sup>
+- **Days out of office**
+- **Message read on**
+- **Message forwarded on**
+- **Message deleted on**
+- **Replied to message**
+- **Failed deliveries**<sup>\*</sup>
+- **Username**<sup>\*</sup> (you can't deselect this value)
+- **Department**
+- **Company**
+- **Job title**
+- **Office**
+- **City**
+- **Country/region**
+- **Manager**
+
+> [!TIP]
+> To see all columns, you likely need to do one or more of the following steps:
+>
+> - Horizontally scroll in your web browser.
+> - Narrow the width of appropriate columns.
+> - Remove columns from the view.
+> - Zoom out in your web browser.
+
+To change the list of users from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
+
+Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png" border="false"::: **Filter** to filter the targeted users by selecting one or more of the following values in the flyout that opens:
+
+- **Compromised**: Select **Yes** or **No**.
+- **Reported message**: Select **Yes** or **No**.
+- **Simulation message delivery**: Select **Delivered** or **Failed to deliver**.
+- **Other actions**: *Select one or more of the following values: **Replied to message**, **Forwarded message**, and **Deleted messages**.
+- **Training status**: Select **Completed**, **In progress**, **Not started**, or **Not assigned**.
+- **Assigned trainings**: Select one or more of the assigned trainings.
+
+When you're finished configuring the filters, select **Apply**, **Cancel**, or :::image type="icon" source="../../media/m365-cc-sc-clear-filters-icon.png" border="false"::: **Clear filters**.
+
+Use the :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Search** box to find a user in the list by typing part of the name, and then press the ENTER key.
+
+### Details tab
+
+The **Details** tab contains details about the simulation in the following sections:
+
+- **Description** section:
+ - **Delivery platform**
+ - **Type**
+ - **Technique**
+ - **Launch details**
+ - **Payload & login page**: Select **Preview payload & login page** to preview the payload and login page in a details flyout.
+ - **Target users**: Select **View excluded users or groups** to see excluded users or groups in a details flyout.
+ - **Landing page**: Select **Preview landing page** to preview the landing page.
+ - **Training information** section: Contains a table with the following columns:
- **Training name** - **Assign to** - **Actions**: Select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View** to see the training.
- - **Notifications** section:
+ - **Notifications** section: Contains a table with the following columns:
- **Notification name** - **Notification type** - **Delivery frequency**
The rest of the details page contains the following tabs:
## Take action on simulations
-All actions on existing simulations start on the **Simulations** tab. To get there, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulations** tab. Or, to go directly to the **Simulations** tab, use <https://security.microsoft.com/attacksimulator?viewid=simulations>.
+All actions on existing simulations start on the **Simulations** tab. To go there, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulations** tab. Or, to go directly to the **Simulations** tab, use <https://security.microsoft.com/attacksimulator?viewid=simulations>.
> [!TIP] > To see the **Γï«** (**Actions**) control that's required to act on simulations on the **Simulations** tab, you likely need to do one or more of the following steps:
All actions on existing simulations start on the **Simulations** tab. To get the
### Copy simulations
-You can copy an existing simulation and modify it to suit your needs. This will save you time and effort when creating new simulations based on previous ones.
+You can copy an existing simulation and modify it to suit your needs. This action saves time and effort when you create new simulations based on previous ones.
-You can copy any simulation that you created and that's available in the **Simulations** tab, regardless of the **Status** value. You can then modify the copy. For example, change the simulation name, description, technique, payload, target users, etc.
+You can copy any simulation that's available in the **Simulations** tab, regardless of the **Status** value. When you copy the simulation, you can change the setting in the new copy of the simulation . For example, change the simulation name, description, technique, payload, and target users.
-- We don't recommend copying **Failed** simulations, because the reasons for failure could recur in the duplicated simulation.-- When you copy a simulation, the most recent version of the content in the original simulation is used in the new copy. For example, the payload, landing page, and end-user notifications. If any content is deleted, you're prompted to select the respective content again.-- The latest target and excluded users at the time of simulation launch will be used when groups are added from the search bar - **Search for users or groups**. The target and excluded users will remain unchanged in the following scenarios:
- - when the user list was imported as a CSV.
- - when users were added from the search bar.
- - When users were added for different categories: All users, Suggested user groups, User tags, City, Country, Department, Title.
-- If the scheduled simulation launch time in the original simulation is in the future, it's copied as is. For launch times in the past, the value **Launch this simulation as soon as I'm done** is selected.
+- We don't recommend copying **Failed** simulations, because the reasons for failure could recur in the copied simulation.
+- When you copy a simulation, the most recent settings are used in the copy (for example, the payload, landing page, and end-user notifications). If any content is deleted, you're prompted to select the respective content again.
+- The latest targeted and excluded users at the time of simulation launch are used when groups are added from the search bar (**Search for users or groups**). The targeted and excluded users are unchanged in the following scenarios:
+ - The user list was imported from a CSV file.
+ - Users were added from the search bar.
+ - Users were added for different categories: **All users**, **Suggested user groups**, **User tags**, **City**, Country, Department, Title.
+- Future scheduled launch times in the original simulation are copied and used as-is. Past launch times in the original simulation result in the default value **Launch this simulation as soon as I'm done** in the copy.
-To copy a simulation, follow these steps:
+To copy a simulation, do the following steps:
-1. Select the **Simulations** tab and find the simulation that you want to copy.
-2. Select the checkbox next to the simulation name, and then select :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy simulation**.
-3. The simulation configuration wizard opens with all the original settings and a simulation name containing the suffix **_Copy**.
+1. On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, find and select the simulation to copy by selecting the check box next to the name.
+2. Select the :::image type="icon" source="../../media/m365-cc-sc-copy-icon.png" border="false"::: **Copy simulation** action that appears on the tab.
+3. The simulation wizard opens with all the settings from the original simulation. The default simulation name on the **Name simulation** page is the original name plus the the suffix **_Copy**.
4. Review and modify the simulation configuration as needed. Select **Submit** to launch it or **Save and close** to review it later. If you select **Cancel**, the copied simulation isn't saved. ### Cancel simulations You can cancel simulations with the **Status** value **In progress** or **Scheduled**.
-To cancel a simulation on the **Simulations** tab, select the simulation by clicking **Γï«** (**Actions**) at the end of the row, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Cancel simulation**, and then select **Confirm** in the confirmation dialog.
+To cancel a simulation, do the following steps:
+
+1. On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, find and select the in-progress or scheduled simulation to cancel by selecting **Γï«** (**Actions**) at the end of the row.
+2. Select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Cancel simulation**, and then select **Confirm** in the confirmation dialog.
After you cancel the simulation, the **Status** value changes to **Canceled**.
After you cancel the simulation, the **Status** value changes to **Canceled**.
You can't remove simulations with the **Status** value **In progress**.
-To remove a simulation from the **Simulations** tab, select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Cancel simulation**, and then select **Confirm** in the confirmation dialog.
+To remove a simulation, do the following steps:
+
+1. On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, find and select the simulation to remove by selecting **Γï«** (**Actions**) at the end of the row.
+2. Select :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete**, and then select **Confirm** in the confirmation dialog.
After you remove the simulation, it no longer appears on the **Simulations** tab.
After you remove the simulation, it no longer appears on the **Simulations** tab
The **Exclude** action is available only for simulations with the **Status** value **Competed**.
-To remove a simulation from the **Simulations** tab, select the simulation by clicking **Γï«** (**Actions**) at the end of the row, select :::image type="icon" source="../../media/m365-cc-sc-exclude-icon.png" border="false"::: **Exclude**, and then select **Confirm** in the confirmation dialog.
+By default, all completed simulations are included in reporting. To exclude a completed simulation from reporting, do the following steps:
+
+1. On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, find and select the completed simulation to exclude from reporting by selecting **Γï«** (**Actions**) at the end of the row.
+2. Select :::image type="icon" source="../../media/m365-cc-sc-exclude-icon.png" border="false"::: **Exclude**, and then select **Confirm** in the confirmation dialog.
After you exclude the completed simulation from reporting, the **Status** value changes to **Excluded**, and the simulation is no longer visible on the **Simulations** tab when the **Show excluded simulations** toggle is off :::image type="icon" source="../../media/scc-toggle-off.png" border="false":::.
To see completed simulations that have been excluded from reporting, use either
### Include completed simulations in reporting
-By default, all completed simulations are included in reporting. A simulation is excluded from reporting only if you exclude it as described in the previous section.
-
-The **Include** action is available only for simulations with the **Status** value **Excluded**, which are visible on the **Simulations** tab only when **Show excluded simulations** is toggled on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
+A simulation is excluded from reporting only if you exclude it as described in the previous section. The **Include** action is available only for simulations with the **Status** value **Excluded**, which are visible on the **Simulations** tab only when **Show excluded simulations** is toggled on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
To include a completed session in reporting after it has been excluded, do the following steps:
-1. On the **Simulations** tab, set the **Show excluded simulations** toggle to on :::image type="icon" source="../../media/scc-toggle-on.png" border="false":::.
+1. On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, set the **Show excluded simulations** toggle to :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **On**.
2. Select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-include-icon.png" border="false"::: **Exclude**.
-After you've included the excluded simulation, the **Status** value changes to **Completed**. Toggle **Show excluded simulations** to off :::image type="icon" source="../../media/scc-toggle-off.png" border="false"::: to see the simulation.
-
-### View simulation reports
-
-For simulations with the **Status** value **In progress** or **Completed**, you can view the report for the simulation by using either of the following methods on the **Simulations** tab:
--- Select the simulation by clicking anywhere in the row other than the check box next to the name.-- Select the simulation by clicking **Γï«** (**Actions**) at the end of the row, and then select :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **View report**.-
-The report page for the simulation opens and contains the following information:
--- **Report** tab: Show the following information
- **Simulation impact**
+After you included the excluded simulation, the **Status** value changes to **Completed**. Toggle **Show excluded simulations** to off :::image type="icon" source="../../media/scc-toggle-off.png" border="false"::: to see the simulation.
security Attack Simulation Training Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-teams.md
description: Admins can learn about the addition of Microsoft Teams in delivering simulated phishing attacks in Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 11/3/2023 Last updated : 3/15/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
appliesto:
# Microsoft Teams in Attack simulation training > [!IMPORTANT]
-> Microsoft Teams in Attack simulation training is currently available only in a Private Preview.
+> Currently, Microsoft Teams in Attack simulation training is in Private Preview. The information in this article is subject to change.
In organizations with Microsoft Defender for Office 365 Plan 2 or Microsoft Defender XDR, admins can now use Attack simulation training to deliver simulated phishing messages in Microsoft Teams. For more information about attack simulation training, see [Get started using Attack simulation training in Defender for Office 365](attack-simulation-training-get-started.md).
The addition of Teams in Attack simulation training affects the following featur
## Teams simulation configuration
-**If your organization is enrolled in Attack simulation training for Teams Private Preview**, carry out the following configuration steps.
+> [!NOTE]
+> Currently, the steps in this section apply only if your organization is enrolled in the Private Preview of **Attack simulation training for Teams**.
In addition to having user reporting for Teams messages turned on as described in [User reported message settings in Microsoft Teams](submissions-teams.md), you also need to configure the Teams accounts that can be used as sources for simulation messages in Attack simulation training. To configure the accounts, do the following steps:
In addition to having user reporting for Teams messages turned on as described i
4. In the **Teams simulation configuration** flyout that opens, select **Generate token**. Read the information in the confirmation dialog, and then select **I agree**. 5. Back on the **Settings** tab, select **Manager user accounts** in the **Teams simulation configuration** section again to reopen the **Teams simulation configuration** flyout. The user account that you were logged in as now appears in the **User accounts available for Teams phishing** section.
-To remove a user from the list, select the round check box that appears next to the user's **Display name** without clicking anywhere else in the row. Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears, and then select **Delete** in the confirmation dialog.
+To remove a user from the list, select the check box next to the display name value without clicking anywhere else in the row. Select the :::image type="icon" source="../../media/m365-cc-sc-delete-icon.png" border="false"::: **Delete** action that appears, and then select **Delete** in the confirmation dialog.
-Or, to prevent the account from being used in Teams simulations but keep the linked simulations history for the account, you can block the account from signing in as described [here](/microsoft-365/admin/add-users/remove-former-employee-step-1).
+To prevent the account from being used in Teams simulations but keep the linked simulations history for the account, select the check box next to the display name value without clicking anywhere else in the row. Select the :::image type="icon" source="../../media/m365-cc-sc-block-sender-icon.png" border="false"::: **Deactivate** action that appears.
## Changes in simulations for Microsoft Teams
Teams introduces the following changes to viewing and creating simulations as de
- If you select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Launch a simulation** on the **Simulations** tab to create a simulation, the first page of the new simulation wizard is **Select delivery platform** where you can select **Microsoft Teams**. Selecting **Microsoft Teams** introduces the following changes to the rest of the new simulation wizard:
- - On the **[Select technique](attack-simulation-training-simulations.md#select-a-social-engineering-technique)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques aren't available.
+ - On the **[Select technique](attack-simulation-training-simulations.md#select-a-social-engineering-technique)** page, the following social engineering techniques aren't available:
+ - **Malware Attachment**
+ - **Link in Attachment**
+ - **How-to Guide**
- On the **[Name simulation](attack-simulation-training-simulations.md#name-and-describe-the-simulation)** page, a **Select sender's Microsoft Teams account** section and **Select user account** link are present. Select **Select user account** to find and select the account to use as the source for the Teams message.
+ The list of users comes from the **Teams simulation configuration** section on the **Settings** tab of Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=setting>. Configuring accounts is described in the [Teams simulation configuration](#teams-simulation-configuration) section earlier in this article.
+ - On the **[Select payload and login page](attack-simulation-training-simulations.md#select-a-payload-and-login-page)**, no payloads are listed by default because there are no built-in payloads for Teams. You need to create a payload for the combination of Teams and the social engineering technique that you selected. The differences in creating payloads for Teams are described in the [Changes in payloads for Microsoft Teams](#changes-in-payloads-for-microsoft-teams) section in this article. - On the **[Target users](attack-simulation-training-simulations.md#target-users)** page, the following settings are different for Teams: - As noted on the page, guest users in Teams are excluded from simulations.
- - If you select **Include only specific users and groups**, **City** isn't an available filter in the **Filter users by category** section.
Other settings related to simulations are the same for Teams messages as described in the existing content for email messages.
security Attack Simulation Training Training Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-campaigns.md
description: Admins can learn how to create training campaigns in Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 6/14/2023 Last updated : 3/11/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
A Training campaign contains one or more built-in Training modules that you sele
For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
-To see the existing Training campaigns, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. To go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
+To see the existing Training campaigns, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. Or, to go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
-The **Training** tab lists the Training campaigns that you've created. The list includes the following information for each Training campaign<sup>\*</sup>:
+The **Training** tab sows the following information for each Training campaign that you created. You can sort the Training campaigns by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
- **Campaign name** - **Description** - **Total duration (mins)**-- **Training completion** (date/time)
+- **Training completion date**
- **Training completion**: The number of users who were included in the Training campaign and how many of them completed the training. The information is shown as a fraction (for example, **2/5**) and in a corresponding horizontal bar graph. - **No. of training modules**: The number of training modules that are included in the Training campaign. - **Created by**
The **Training** tab lists the Training campaigns that you've created. The list
For more information about the **Status** values, see the [Set the training threshold](#set-the-training-threshold) section later in this article.
-Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
-
-<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
--- Horizontally scroll in your web browser.-- Narrow the width of appropriate columns.-- Remove columns from the view.-- Zoom out in your web browser.
+> [!TIP]
+> To see all columns, you likely need to do one or more of the following steps:
+>
+> - Horizontally scroll in your web browser.
+> - Narrow the width of appropriate columns.
+> - Remove columns from the view.
+> - Zoom out in your web browser.
Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Filter** to filter the information on the page by the **Status** value of the Training campaign.
Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: *
To find a Training campaign in the list, type part of the campaign name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png"::: **Search** box and then press the ENTER key.
-To see details about a Training campaign, see the [View Training campaign details](#view-training-campaign-details) section.
+To see details about in-progress or completed Training campaigns, see the [View Training campaign reports](#view-training-campaign-reports) section.
## Create Training campaigns
When you're finished on the **Name Training campaign** page, select **Next**.
On the **Target users** page, select who receives the Training campaign. Use the following options to select users: -- **Include all users in my organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** icon on the page to find specific users.
+- **Include all users in my organization**: The unmodifiable list of users is show in groups of 10. You can use **Next** and **Previous** directly below the list of users to scroll through the list. You can also use :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** to find specific users.
> [!TIP] > Although you can't remove users from the list on this page, you can use the next **Exclude users** page to exclude specific users. - **Include only specific users and groups**: At first, no users or groups are shown on the **Targeted users** page. To add users or groups to the Training campaign, choose one of the following options:
- - **Search for users or groups**: If you click in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
- - Type three or more characters and then press the ENTER key. Any users or group names that contain those characters are shown in the **User list** section by **Name** and **Email**.
- - Type fewer than three characters or no characters and then press the ENTER key. No users are shown in the **User list** section, but you can type three or more characters in the **Search** box to search for users and groups.
+ - :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add users**: In the **Add users** flyout that opens, you find and select users and groups to include in the Training campaign. **Dynamic distribution groups are not supported**. The following search tools are available:
- The number of results appears in the **Selected (0/x) users** label.
+ - **Search for users or groups**: If you click in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and do one of the following actions, the **Filter users by categories** options on the **Add users** flyout are replaced by a **User list** section:
- > [!NOTE]
- > Only Microsoft 365 groups are eligible to be selected.
- >
- > Clicking the **Add filters** button clears and replaces any results the **User list** section with the **Filter users by categories**.
+ - Type three or more characters and then press the ENTER key. Any users or group names that contain those characters are shown in the **User list** section by **Name**, **Email**, **Job title**, and **Type**.
+ - Type less than three characters or no characters and then press the ENTER key. No users are shown in the **User list** section, but you can type three or more characters in the **Search** box to search for users and groups.
- When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+ The number of results appears in the **Selected (0/x) users** label.
- Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+ > [!TIP]
+ > Selecting **Add filters** clears and replaces any results the **User list** section with the **Filter users by categories**.
- - **Filter users by categories**: Use the following options:
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
- - **Suggested user groups**: Select from the following values:
- - **All suggested user groups**
- - **Users not targeted by a simulation in the last three months**
- - **Repeat offenders**: For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold).
+ Select **Add x users** to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
- - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). Use the following options:
- - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by user tags**, you can type part of the user tag and then press Enter. You can select some or all of the results.
- - Select **All user tags**
- - Select existing user tags. If the link is available, select **See all user tags** to see the complete list of available tags.
+ - **Filter users by categories**: Use the following options:
- - **City**: Use the following options:
- - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by City**, you can type part of the City value and then press Enter. You can select some or all of the results.
- - Select **All City**
- - Select existing City values. If the link is available, select **See all Cities** to see the complete list of available City values.
+ - **Suggested user groups**: Select from the following values:
+ - **All suggested user groups**: The same result as selecting **Users not targeted by a simulation in the last three months** and **Repeat offenders**.
+ - **Users not targeted by a simulation in the last three months**
+ - **Repeat offenders**: For more information, see [Configure the repeat offender threshold](attack-simulation-training-settings.md#configure-the-repeat-offender-threshold).
- - **Country**: Use the following options:
- - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Country**, you can type part of the Country value and then press Enter. You can select some or all of the results.
- - Select **All Country**
- - Select existing City values. If the link is available, select **See all Countries** to see the complete list of available Country values.
+ - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md). Use the following options:
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by user tags**, you can type part of the user tag name and then press Enter. You can select some or all of the results.
+ - Select **All user tags**
+ - Select existing user tags. If the link is available, select **See all user tags** to see the complete list of available tags.
- - **Department**: Use the following options:
- - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
- - Select **All Department**
- - Select existing Department values. If the link is available, select **See all Departments** to see the complete list of available Department values.
+ - **City**: Use the following options:
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by City**, you can type part of the City value and then press Enter. You can select some or all of the results.
+ - Select **All City**
+ - Select existing City values. If the link is available, select **See all Cities** to see the complete list of available City values.
- - **Title**: Use the following options:
- - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.
- - Select **All Title**
- - Select existing Title values. If the link is available, select **See all Titles** to see the complete list of available Title values.
+ - **Country**: Use the following options:
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Country**, you can type part of the Country/region value and then press Enter. You can select some or all of the results.
+ - Select **All Country**
+ - Select existing City values. If the link is available, select **See all Countries** to see the complete list of available Country/region values.
- :::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The User filtering on the Target users page in Attack simulation training in the Microsoft Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png":::
+ - **Department**: Use the following options:
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Department**, you can type part the Department value and then press Enter. You can select some or all of the results.
+ - Select **All Department**
+ - Select existing Department values. If the link is available, select **See all Departments** to see the complete list of available Department values.
- You can use some or all of the search categories to find users and groups. If you select multiple categories, the AND operator is used. Any users or groups must match both values to be returned in the results (which is virtually impossible if you use the value **All** in multiple categories).
+ - **Title**: Use the following options:
+ - **Search**: In :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search by Title**, you can type part of the Title value and then press Enter. You can select some or all of the results.
+ - Select **All Title**
+ - Select existing Title values. If the link is available, select **See all Titles** to see the complete list of available Title values.
- The number of values that were used as the search criteria by a specific category is shown next to the category tile (for example, **City 50** or **Priority accounts 10**).
+ :::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The User filtering on the Target users page in Attack simulation training in the Microsoft Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png":::
- When you're finished searching by category, select the **Apply(x)** button. The previous **Filter users by categories** options on the **Add users** flyout are replaced by the following information:
+ You can use some or all of the search categories to find users and groups. If you select multiple categories, the AND operator is used. Any users or groups must match both values to be returned in the results (which is virtually impossible if you use the value **All** in multiple categories).
- - **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, select the **See all** link to see all filter values
- - **User list** section: Shows the users or groups that match your category searches. The number of results appears in the **Selected (0/x) users** label.
+ The number of values that were used as the search criteria by a specific category is shown next to the category tile (for example, **City 50** or **Priority accounts 10**).
- When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+ When you're finished searching by category, select the **Apply(x)** button. The previous **Filter users by categories** options on the **Add users** flyout are replaced by the following information:
- Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
+ - **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, select the **See all** link to see all filter values
+ - **User list** section: Shows the users or groups that match your category searches. The number of results appears in the **Selected (0/x) users** label.
+
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+
+ Select the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
- :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Import**: In the dialog that opens, specify a CSV file that contains one email address per line.
On the **Select training modules** page, select one of the following options:
- **Training catalog**: Select :::image type="icon" source="../../media/m365-cc-sc-filter-icon.png"::: **Add trainings**.
- In the **Add Training** flyout that opens, select one or more Training modules to include in the Training campaign by selecting the round check box that appears in the blank area next to the module name, and then clicking **Add**.
+ In the **Add Training** flyout that opens, select one or more Training modules to include in the Training campaign by selecting the check box next to the module name, and then select **Add**.
The modules that are available in the **Add Training** flyout are identical to the modules that are available at **Training modules** on the **Content library** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>. For more information, see [Training modules for Training campaigns in Attack simulation training](attack-simulation-training-training-modules.md).
On the **Select end user notification** page, select from the following notifica
- **Microsoft default training only campaign-training assignment notification** - **Microsoft default training only campaign-training reminder notification**
- Select the default language to use in **Select default language**. The available values are: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Romanian**, **Russian**, **Spanish**, or **Dutch**.
+ Select the default language to use in **Select default language**. The available values are: **Chinese (Simplified)**, **Chinese (Traditional, Taiwan)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, **Dutch**, **Polish**, **Arabic**, **Finnish**, **Greek**, **Hungarian**, **Indonesian**, **Norwegian Bokmål**, **Romanian**, **Slovak**, **Swedish**, **Thai**, **Turkish**, **Vietnamese**, **Catalan**, **Croatian, or **Slovenian**.
For each notification, the following information is available:
For more information, see [End-user notifications for Attack simulation training
Do one of the following steps: -- **Select an existing notification to use**:
+- Select an existing notification to use:
- To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key. - When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users.
Do one of the following steps:
On the **Training assignment notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
+- Create a new notification to use: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training assignment notification** for the notification type.
- When you're finished creating the notification, you return to the **Training assignment notification** page where the new notification now appears in the list for you to select
+ When you're finished creating the notification, you return to the **Training assignment notification** page where the new notification now appears in the list for you to select.
When you're finished on the **Training assignment notification** page, select **Next**.
These notifications are also available at **Attack simulation training** \> **Co
For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
-In **Set frequency for reminder notification**, select **Weekly** or **Twice a week**, and then do one of the following steps:
+In **Set frequency for reminder notification**, select **Weekly** (the default value) or **Twice a week**, and then do one of the following steps:
-- **Select an existing notification to use**:
+- Select an existing notification to use:
- To search for an existing notification in the list, type part of the notification name in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box and then press the ENTER key. - When you select a notification by clicking anywhere in the row other than the check box, a details flyout opens that shows more information about the notification: - The **Preview** tab shows what the notification looks like to users.
In **Set frequency for reminder notification**, select **Weekly** or **Twice a w
On the **Training reminder notification** page, select a notification to use by selecting the check box next to the name. -- **Create a new notification to use**: Select :::image type="icon" source="../../medi#create-end-user-notifications).
+- Create a new notification to use: Select :::image type="icon" source="../../medi#create-end-user-notifications).
> [!NOTE] > On the **Define details** page of the new notification wizard, be sure to select the value **Training reminder notification** for the notification type.
Back on the **Training campaign** tab, the Training campaign that you created is
## Take action on Training campaigns
-All actions on existing Training campaigns start on the **Training** tab. To get there, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. Or, to go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
-
-### View Training campaign details
-
-To view the details and reports for a Training campaign on the **Training** tab, select the Training campaign by clicking anywhere in the row other than the check box next to the name.
-
-A details page for the Training campaign opens with the following tabs:
--- **Report**-- **Users**-- **Details**-
-These tabs are described in the following sections.
-
-#### Report tab
-
-The **Report** tab of the Training campaign shows the following information:
--- **Training completion classification** section.--- **Training completion summary** section:
- - Each Training module in the Training campaign is shown with a bar graph and a fraction that shows how many people have completed the module (number of users / total number of users).
- - From the previous data, the top of the section shows:
- - The percentage of users who completed all modules in the campaign.
- - The percentage of users who completed some of the modules in the campaign.
- - The percentage of users who haven't started any of the modules in the campaign.
--- **All user activity** section:
- - **Successfully received training notification**: A bar graph and a fraction that shows how main people received notifications for the modules in the campaign.
-
-#### Users tab
-
-The **Users** tab shows the following information about the users who were assigned the Training campaign:
--- **Name**-- **Training status**: One of the following values:
- - **Not started**: The user hasn't started any Training modules in the campaign.
- - **In progress**: The user has completed some Training modules in the campaign.
- - **Completed**: The user has completed all Training modules in the campaign.
- - **Overdue**: The user hasn't completed all Training modules by the campaign end date/time.
-- **Training completion date**-- **Username**-
-To remove the **Training status** column, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png"::: **Customize columns**. By default, the only available column that's not shown is **Department**.
-
-To download the displayed results to a RecordExport.csv file in the local Downloads folder, select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png"::: **Export**.
-
-If you select a user from the list by clicking anywhere in the row other than the round check box that appears in the blank area next to the name, the following user information appears in a details flyout:
--- **User details** section:
- - **Company**
- - **IP address**
- - **Job title**
- - **Department**
- - **Location**
- - **Manager**
-- Status information for Training modules in the Training campaign for the user:
- - **Training name**: The training module name.
- - **Training status**: **Not started**, **In progress**, **Completed**, **Training Previously Assigned**, **Overdue**, or **Not Completed**.
- - **Training start date**
- - **Training completed date**
-
-> [!TIP]
-> To see details about other users in the Training campaign without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
-
-#### Details tab
-
-The **Details** tab of the Training campaign shows the following information:
--- **Description**-- **Schedule details**: The launch date/time and the end date/time.-- **Notifications**: Whether training assignment notifications and training reminder notifications are enabled, and their delivery frequency.-- **Selected modules**: The Training modules in the Training campaign are listed, along with their durations.
+All actions on existing Training campaigns start on the **Training** tab. To go there, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. Or, to go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
### Cancel Training campaigns
To set the training threshold on the **Settings** tab, do the following steps:
2. Set the value in days for the training threshold time period. The default value is 90 days. To remove the training threshold and always assign training, set value to 0. 3. When you're finished on the **Settings** tab, select **Save**.+
+## View Training campaign reports
+
+For Training campaigns with the **Status** value **In progress** or **Completed**, you can view the report for the Training campaign by using either of the following methods on the **Training campaigns** tab at <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>
+
+- Select the campaign by clicking anywhere in the row other than the check box next to the name.
+- Select the campaign by selecting the check box next to the name, and then select :::image type="icon" source="../../media/m365-cc-sc-eye-icon.png" border="false"::: **View report**.
+
+A details page for the Training campaign opens with the following tabs:
+
+- **Report**
+- **Users**
+- **Details**
+
+These tabs are described in the following subsections.
+
+To close the Training campaign report, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: **Close**.
+
+### Report tab
+
+For a description of what's on the **Report** tab for Training campaigns, see [Simulation report for Training campaigns](attack-simulation-training-insights.md#simulation-report-for-training-campaigns)
+
+### Users tab
+
+The **Users** tab contains the following information for each user in the campaign. You can sort the users by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default columns are marked with an asterisk (<sup>\*</sup>):
+
+- **Name**<sup>\*</sup> (you can't deselect this value)
+- **Training status**<sup>\*</sup>: One of the following values:
+ - **Not started**: The user hasn't started any Training modules in the campaign.
+ - **In progress**: The user has completed some Training modules in the campaign.
+ - **Completed**: The user has completed all Training modules in the campaign.
+ - **Overdue**: The user hasn't completed all Training modules by the campaign end date/time.
+- **Training completion date**<sup>\*</sup> (you can't deselect this value)
+- **Username**<sup>\*</sup> (you can't deselect this value)
+- **Department**
+
+To change the list of users from normal to compact spacing, select :::image type="icon" source="../../media/m365-cc-sc-standard-icon.png" border="false"::: **Change list spacing to compact or normal**, and then select :::image type="icon" source="../../media/m365-cc-sc-compact-icon.png" border="false"::: **Compact list**.
+
+Select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png"::: **Export** to download the displayed results to a RecordExport.csv file in the local Downloads folder.
+
+If you select a user from the list by clicking anywhere in the row other than the check box next to the name, the following user information appears in a details flyout:
+
+- **User details** section:
+ - **Company**
+ - **IP address**
+ - **Job title**
+ - **Department**
+ - **Location**
+ - **Manager**
+- Status information for Training modules in the Training campaign for the user:
+ - **Training name**: The training module name.
+ - **Training status**: **Not started**, **In progress**, **Completed**, **Training Previously Assigned**, **Overdue**, or **Not Completed**.
+ - **Training start date**
+ - **Training completed date**
+
+> [!TIP]
+> To see details about other users in the Training campaign without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
+
+### Details tab
+
+The **Details** tab the following information:
+
+- **Description**
+- **Schedule details**: The launch date/time and the end date/time.
+- **Notifications**: Whether training assignment notifications and training reminder notifications are enabled, and their delivery frequency.
+- **Selected modules**: The Training modules in the Training campaign are listed in a table:
+ - **Module name**
+ - **Content type**
+ - **Total duration (mins)**
security Attack Simulation Training Training Modules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-modules.md
description: Admins can learn about the Training modules that are available to use in Training campaigns in Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 6/14/2023 Last updated : 3/11/2024 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison" target="_blank">Microsoft Defender for Office 365 plan 2</a>
In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Offi
To see the available Training modules, open the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Training modules**. Or, to go directly to the **Content library** tab where you can select **Training modules**, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
-The **Training modules** page shows the following information for each module<sup>\*</sup>:
+The **Training modules** page shows the following information for each module. You can sort the modules by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. By default, all available columns are selected.
- **Training name**-- **Languages**: The available values are: **Arabic**, **Chinese(Simplified)**, **Chinese(Traditional, Hong Kong), **Chinese(Traditional, Taiwan), **Czech**, **Danish**, **Dutch**, **English**, **English**, **Finnish**, **French**, **French**, **German**, **Hebrew**, **Hindi**, **Hungarian**, **Indonesian**, **Italian**, **Japanese**, **Korean**, **Malay**, **NorwegianBokmål**, **Persian**, **Polish**, **Portuguese**, **Portuguese**, **Russian**, **Slovakian**, **Spanish**, **Swedish**, **Thai**, **Turkish**, **Ukrainian**, **Vietnamese**
+- **Languages**: The available values are: **Turkish**, **Polish**, **Persian**, **Danish**, **Slovak**, **Korean**, **Portuguese**, **Italian**, **German**, **French**, **Swedish**, **Spanish**, **Arabic**, **Norwegian Bokmål**, **Russian**, **Portuguese**, **Japanese**, **Czech**, **Greek**, **Spanish**, **Thai**, **Romanian**, **French**, **Hungarian**, **Chinese (Simplified)**, **English**, **Indonesian**, **Finnish**, **Malay**, **English**, **Hindi**, **Chinese (Traditional**, **Hong Kong)**, **Chinese (Traditional**, **Taiwan)**, **Macedonian**, **Ukrainian**, **Vietnamese**, **Hebrew**, **Serbian (Cyrillic)/Serbian (Latin)**, and **Dutch**
- **Tags**: Training modules are organized into one or more of the following categories: - **AttachmentMalware** - **Basic**
The **Training modules** page shows the following information for each module<su
- **LinkToMalwareFile** - **OAuthConsentGrant** - **Phishing**
+ - **SocialEngineering**
- **Source**: All built-in modules have the value **Global**. - **Duration (mins)** - **Last assigned date**
The **Training modules** page shows the following information for each module<su
- **Completion rate** - **Preview**: Select the **Preview** button in this column to watch the training.
-Select a column header to sort by that column. To add or remove columns, select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**. By default, all available columns are selected.
-
-<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
--- Horizontally scroll in your web browser.-- Narrow the width of appropriate columns.-- Remove columns from the view.-- Zoom out in your web browser.
+> [!TIP]
+> To see all columns, you likely need to do one or more of the following steps:
+>
+> - Horizontally scroll in your web browser.
+> - Narrow the width of appropriate columns.
+> - Remove columns from the view.
+> - Zoom out in your web browser.
To find a Training module in the list, type the name of the module in the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png" border="false"::: **Search** box, and then press the ENTER key.
When you select a Training module from the list by clicking anywhere in the row
- **Languages** - **Duration** - **Preview**: Select this button to watch the training.
+- **Tags**
- **Active Training campaigns and simulations**: This section shows the following information about active Training campaigns that are using the selected module: - **Name** - **Type** - **Status** - **End by**+
+> [!TIP]
+> To see details about other training modules without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout.
syntex Backup Billing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/backup/backup-billing.md
description: Learn how to set up pay-as-you-go billing for Microsoft 365 Backup.
As a first step to start using Microsoft 365 Backup, you should link an Azure subscription in Syntex pay-as-you-go, if you haven't already done so. Although Microsoft 365 Backup isn't part of the Microsoft Syntex product suite, this offering is still using the Syntex billing setup for consistency with other Microsoft 365 pay-as-you-go offerings.
+## Set up billing
+ Use these steps to set up pay-as-you-go billing for Microsoft 365 Backup. 1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/Adminportal/Home).
Use these steps to set up pay-as-you-go billing for Microsoft 365 Backup.
1. Review and accept the terms of service, and then select **Save**. You have successfully set up billing. You can proceed to [Step 2: Turn on Microsoft 365 Backup](backup-setup.md#step-2-turn-on-microsoft-365-backup).+
+## Manage consumption and invoices in the Azure portal
+
+You can view actual and accumulated cost breakdown by tenants and service type for OneDrive, SharePoint, and Exchange in Microsoft Cost Management in the Azure portal or access the information by using the [Cost Management public APIs](/rest/api/cost-management/operation-groups). Cost breakdown by application ID is coming soon.
+
+1. Sign in to the [Azure portal](https://portal.azure.com/).
+
+2. Search for *Cost Management + Billing*.
+
+3. Select **Cost analysis** to see:
+
+ - Accumulated cost and forecast cost.
+
+ - Select **+Add Filter** to see breakdown of cost by meters and tags.
+
+ ![Screenshot of the cost analysis page in Microsoft Cost Management.](../../media/content-understanding/backup-cost-analysis.png)
+
+### Billing attribution by tenants, service type, and applications
+
+You can see actual cost breakdown by tags in Azure portal. There are currently two tags available for Microsoft 365 Backup: **tenants** and **servicetype**.
+
+To view tags:
+
+1. Select **+Add Filter** to see breakdown of cost by meters and tags.
+
+2. Select the tag:
+
+ - In the key-value pair, select **tenants** or **servicetype**, and then select the respective tenant ID or service type.
+
+ - **tenants** shows a list of tenant IDs.
+
+ - **servicetype** is OneDrive, SharePoint, or Exchange.
+
+ - **applications** is coming soon.
+
+ - Azure cost analysis - filter by tag.
+
+4. In the left navigation, select **Billing** to see monthly invoices.
+
+5. Set up budget alerts on cost by following the steps in the [Cost Management public APIs](/rest/api/cost-management/operation-groups).
syntex Backup Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/backup/backup-overview.md
It will take on average less than one hour for the first full site or account pr
The following table summarizes expected performance for a normally distributed tenant, including tenants of large size and scale. During the preview period, actual performance might deviate from these general availability targets.
-|Scenario |First full-container restore completes |Restore of all containers complete |
-|:-|:-|:--|
-| 1,000 sites<br>(30-GB average site size) |Less than 1 hour |Less than 12 hours |
-| 1,000 mailboxes<br>(30-GB average mailbox size)| Less than 1 hour | Less than 12 hours |
+|Scenario |Restore of all protection units* complete |
+|:-|:--|
+| 1,000 accounts, sites, or mailboxes<br>(30-GB average size) |Less than 12 hours |
+
+<sup>*A *protection unit* is a OneDrive account, SharePoint site, or Exchange mailbox.</sup>
## General Data Protection Regulations (GDPR)
syntex Esignature Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-overview.md
With SharePoint eSignature, you can quickly and securely send documents for sign
## Before you begin
-Before you can enable SharePoint eSignature, an admin must [set up SharePoint eSignature](esignature-setup.md) in the Microsoft 365 admin center.
+## Legal considerations
+
+SharePoint eSignature uses simple electronic signatures. Determine whether this is appropriate for your needs and then read the [SharePoint eSignature terms of service](/legal/microsoft-365/esignature-terms-of-service).
++
+### Licensing
+
+Before you can use SharePoint eSignature, you must first link your Azure subscription in [Syntex pay-as-you-go](syntex-azure-billing.md). SharePoint eSignature is billed based on the [type and number of transactions](syntex-pay-as-you-go-services.md). Before you can enable SharePoint eSignature, an admin must [set up SharePoint eSignature](esignature-setup.md) in the Microsoft 365 admin center.
++
+### External sharing
SharePoint eSignature enables binding agreements between parties by allowing guests access to SharePoint to electronically sign documents. Certain external sharing must be enabled at a tenant or site level to allow this access. For more information, see [Set up SharePoint eSignature for external recipients](esignature-setup.md#external-recipients). Consider whether this meets your compliance and security requirements when enabling eSignature.
-When using eSignature, you must be signed in to SharePoint by using your work email address.
+ ## Release notes
syntex Esignature Send Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-send-requests.md
description: Learn how to use SharePoint eSignature to create and send electroni
## Create a signature request
-Use the following steps to start the SharePoint eSignature process.
+Use the following steps to start the SharePoint eSignature process. You must be signed in to SharePoint by using your work email address.
1. From a SharePoint document library, open the document for which you want to start the eSignature process.
syntex Esignature Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/esignature-setup.md
description: Learn how to set up and manage sites in SharePoint eSignature.
> [!NOTE] > SharePoint eSignature is currently rolling out to the US market. If a tenant's location is the United States, SharePoint eSignature will be available for that tenant. For US-located, multi-geo enabled tenants, eSignature will be available in the home geo only. SharePoint eSignature will roll out to other regions later this year.
-The SharePoint eSignature service is set up in the Microsoft 365 admin center. SharePoint eSignature uses simple electronic signatures. Before you begin, determine whether this feature is appropriate for your needs and then read the [SharePoint eSignature terms of service](/legal/microsoft-365/esignature-terms-of-service).
- ## Prerequisites
-### Licensing
-
-Before you can use SharePoint eSignature, you must first link your Azure subscription in [Syntex pay-as-you-go](syntex-azure-billing.md). SharePoint eSignature is billed based on the [type and number of transactions](syntex-pay-as-you-go-services.md).
-
-### Permissions
-
-You must have Global admin or SharePoint admin permissions to be able to access the Microsoft 365 admin center and set up SharePoint eSignature.
+The SharePoint eSignature service is set up in the Microsoft 365 admin center. You must have Global admin or SharePoint admin permissions to be able to access the Microsoft 365 admin center and set up SharePoint eSignature. Before you begin, determine whether this feature is appropriate for your needs by reading the [Before you begin section](esignature-overview.md#before-you-begin).
-### External sharing
-
- If you will be requesting signatures from external recipients, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration) and [guest sharing](/microsoft-365/solutions/collaborate-in-site). External recipients are people outside your organization and would be onboarded as guests into your tenant. Microsoft Entra B2B provides authentication and management of guests. For more information, see [External recipients](#external-recipients) later in this article.
+> [!NOTE]
+> If you will be requesting signatures from external recipients, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration) and [guest sharing](/microsoft-365/solutions/collaborate-in-site). External recipients are people outside your organization and would be onboarded as guests into your tenant. Microsoft Entra B2B provides authentication and management of guests. For more information, see [External recipients](#external-recipients) later in this article.
## Set up SharePoint eSignature
You must have Global admin or SharePoint admin permissions to be able to access
4. For existing customers, read the [terms of service](/legal/microsoft-365/esignature-terms-of-service), and then select **Turn on** to enable the service.
-5. For new Syntex customers, the Syntex eSignature service is turned on once you enter your billing information and accepted the [terms of service](/legal/microsoft-365/esignature-terms-of-service). On the **eSignature** page:
+5. For new Syntex customers, the SharePoint eSignature service is turned on once you enter your billing information and accept the [terms of service](/legal/microsoft-365/esignature-terms-of-service). On the **eSignature** page:
- To turn off the service, select **Turn off**. - To manage which sites the service is available, see [Manage sites](#manage-sites).
By default, SharePoint eSignature is turned on for libraries in all SharePoint s
## External recipients
-### Conditional access
-
-Certain [conditional access](/entra/identity/conditional-access/overview) might determine whether external recipients (signers outside of your organization or Microsoft 365 tenant) will be able sign a document. Depending on the admin setup, external signers might not be able to access and read the document for signing. In some other cases, they might be able to access the document for signing, but the signing operation will be unsuccessful. One common way to resolve this is to add the **Microsoft eSignature Service** to the list of approved apps via the Microsoft Entra admin center.
- ### Microsoft Entra B2B Microsoft Entra B2B provides authentication and management of guests. External signers or recipients are considered as guests within your tenant. To be able to send requests to signers outside your organization, you need to enable [Microsoft Entra B2B integration for SharePoint and OneDrive](/sharepoint/sharepoint-azureb2b-integration).
Microsoft Entra B2B provides authentication and management of guests. External s
External recipients might need to authenticate before they're able to access a document for signing. The type of authentication required by the external recipients depends on the configuration for guest users at the SharePoint level or at the tenant level. Additionally, if the external user belongs to an organization with a Microsoft 365 tenant, it's possible for their organization's setup to affect their authentication experience when attempting to sign the document. For more information, see [Collaboration with guests in a site](/microsoft-365/solutions/collaborate-in-site).
+### Conditional access
+
+Certain [conditional access](/entra/identity/conditional-access/overview) might determine whether external recipients (signers outside of your organization or Microsoft 365 tenant) will be able sign a document. Depending on the admin setup, external signers might not be able to access and read the document for signing. In some other cases, they might be able to access the document for signing, but the signing operation will be unsuccessful. One common way to resolve this is to add the **Microsoft eSignature Service** to the list of approved apps via the Microsoft Entra admin center.
++ ## Document storage and retention ### Document storage