-|**Office** and **OneDrive for Business**|Outlook </br>OneDrive </br>Word </br>Excel </br>PowerPoint|**On phones and tablets**:<br/>Outlook <br/> OneDrive <br/> Word <br/> Excel <br/> PowerPoint <br/> **On phones only:** <br/> Office Mobile|

-> - Users wonΓÇÖt be prompted to enroll and wonΓÇÖt be blocked or reported for policy violation if they use the mobile browser to access Microsoft 365 SharePoint sites, documents in Office Online, or email in Outlook Web App.

-|Mobile application protection |Enable your users to securely access corporate information using the Office mobile and line-of-business apps they know, while ensuring security of data by helping to restrict actions like copy, cut, paste, and save as, to only those apps managed approved for corporate data. Works even if the devices aren't enrolled to Basic Mobility and Security. See Protect app data using MAM policies. |No|Yes|

-In addition to features listed in the preceding table, Basic Mobility and Security and Intune both include a set of remote actions that send commands to devices over the internet. For example, you can remove Office data from an employeeΓÇÖs device while leaving personal data in place (retire), remove Office apps from an employee's device (wipe), or reset a device to its factory settings (full wipe).

-To connect and configure your iOS phone or tablet with the Company portal to Office 365, see [Set up iOS device access to your company resources](/mem/intune/user-help/enroll-your-device-in-intune-ios).

-After your device is enrolled in Basic Mobility and Security, you can start using Office apps on your device to work with email, calendar, contacts, and documents.

-2. In your browser, type: <https://protection.office.com/>.

- > [!IMPORTANT]

- > If this is the first time you're using Basic Mobility and Security for Microsoft 365 Business Standard, activate it here: [Activate Basic Security and Mobility](https://admin.microsoft.com/EAdmin/Device/IntuneInventory.aspx). After you've activated it, manage your devices with [Office 365 Security & Compliance](https://protection.office.com/).

-3. Go to **Data loss prevention** \> **Device management** \> **Device policies**, and select **Manage organization-wide device access settings**.

-4. Select **Access**.

- :::image type="content" source="../../media/basic-mobility-security/basic-mobility-access.png" alt-text="Basic Mobility and Security block access checkbox.":::

-5. Select **Save**.

-> For more steps to unblock devices if your organization devices are still in a blocked state, see the blog post [Removing Access Control from Mobile Device Management for Office 365](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Removing-Access-Control-from-Mobile-Device-Management-for-Office/ba-p/279934).

- |CNAME|sip|sipdir.online.lync.com. <br/> **This value MUST end with a period (.)**|1 Hour|

- |CNAME|lyncdiscover|webdir.online.lync.com. <br/> **This value MUST end with a period (.)**|1 Hour|

- |CNAME|enterpriseregistration|enterpriseregistration.windows.net. <br/> **This value MUST end with a period (.)**|1 Hour|

- |CNAME|enterpriseenrollment|enterpriseenrollment-s.manage.microsoft.com. <br/> **This value MUST end with a period (.)**|1 Hour|

-> [!NOTE]

-> This app is not supported in regulated or restricted environments.

-description: "Users with valid work or school accounts can get Cortana in Microsoft 365 experiences that meet Office 365 enterprise-level security promises."

-Cortana, your personal productivity assistant, offers AI-powered experiences to save time and focus attention on what matters most. Cortana is designed to deliver features that safely and securely process and reason over Office 365 data like emails, files, chats, etc., to save time, increase efficiency, and enhance your usersΓÇÖ productivity.

-When signed in with valid work or school accounts, users can get cloud-based assistance services with Cortana in Microsoft 365 experiences that meet Office 365ΓÇÖs enterprise-level privacy, security, and compliance promises (ΓÇ£**Cortana enterprise services**ΓÇ¥).

-Consistent with other Office 365 services, Cortana enterprise services are secured and subject to the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products). This includes a set of promises for protection of Customer Data against accidental loss, alteration, unauthorized disclosure or access, or unlawful destruction. Customer Data is also subject to strict access limitations. Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. See the table below for details.

-|**Storage**|Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. <br/><br/>Speech audio is not retained.|

-|**Stays in Geo**|Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant.|

-|**Usage**|Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud, and there is no human viewing, review or labeling of your Customer Data. <br/><br/>Your data is not used to target advertising.|

-Cortana voice assistance in the Teams mobile app and on Microsoft Teams display devices enables Microsoft 365 Enterprise users to streamline communication, collaboration, and meeting-related tasks using spoken natural language. Users can speak to Cortana by selecting the microphone button located in the upper right of the Teams mobile app, or by saying "Cortana" in the Microsoft Teams display. To quickly connect with their team hands-free and while on the go, users can say queries such as "call Megan" or "send a message to my next meeting". Users can also join meetings by saying "join my next meeting" and use voice assistance to share files, check their calendar, and more. These voice assistance experiences are delivered using Cortana enterprise-grade services that fully comply with Office 365's privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/licensing/product-licensing/products).

-Cortana voice assistance in Teams is delivered using services that fully comply with the Office 365 enterprise-level privacy, security, and compliance promises. For more information on data processing in Cortana enterprise services see, Cortana in Microsoft 365. Cortana is enabled by default in Teams Meetings Rooms for tenants. IT admins can opt out of voice assistance for Teams Meeting Room in the Microsoft 365 admin center.

-Play My Emails (as connected to through Outlook mobile) is a voice-driven, hands-free experience for users to listen to new messages in their Focused Inbox and changes to their day via the speakers on their phone, headphones, or connected audio device. Users can ask Cortana to read their recent emails aloud, and ask Cortana to take actions such as flag, archive, delete, and skip messages. This feature is especially helpful to catch up on your email while commuting, multitasking, or on the go. When the user talks to Cortana in Play My Emails, the speech audio request goes directly to Cortana enterprise services. A text to speech readout of the user's email is processed inside the Office 365 cloud. During this process, no Office 365 data is processed on the user's mobile device and no email data is saved. A transcript of spoken commands (i.e. "mark as read," "next," "flag," etc.) may be retained in accordance with the Data Protection Terms in the Microsoft [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products).

-4. IT admins will always have controls for optional connected experiences for Cortana, similar to optional connected experiences while using Office ProPlus applications.

-2. Tenant admins can control whether Cortana in Windows 10 (version 1909 and earlier) and the Cortana app on iOS and Android are able to allow Cortana to connect to Office 365 tenant data.

-4. Under **DNS settings**, select **Custom Records**; then select **New custom record**.

-[Check the system requirements](https://www.microsoft.com/microsoft-365/microsoft-365-and-office-resources) for Office to make sure your devices are compatible with the latest version of Office. For example, newer versions of Office can't be installed on computers running Windows XP or Windows Vista.

-To ensure a successful upgrade, we recommend identifying your Office applications--including VBA scripts, macros, third-party add-ins, and complex documents and spreadsheets--and assessing their compatibility with the latest version of Office.

-For example, if you're using third-party add-ins with your current Office install, contact the manufacture to make sure they're compatible with the latest version of Office.

-Some Microsoft 365 plans don't include the full desktop versions of Office and the steps to upgrade are different if your plan doesn't include Office.

-If your existing plan includes Office, move on to [Step 3 - Uninstall Office](#step-3uninstall-office).

-If your existing plan doesn't include Office, then select from the options below:

-### Upgrade options for plans that don't include Office

- **Option 1: Switch Office subscriptions**

-Switch to a subscription that includes Office. See [Switch to a different Microsoft 365 for business plan](../../commerce/subscriptions/switch-to-a-different-plan.md).

-Before installing the latest version of Office, we recommend you uninstall all older versions of Office. However, if you change your mind about upgrading Office, note the following instances where you won't be able to reinstall Office after uninstalling it.

-We recommend if you have third-party add-ins, contact the manufacturer to see if there's an update that will work with the latest version of Office.

-> If you run into issues while uninstalling Office, you can use the Microsoft Support and Recovery Assistant tool to help you remove Office: [Download and run the Microsoft Support and Recovery Assistant](https://go.microsoft.com/fwlink/?LinkID=2155008).

-### Known issues trying to reinstall older versions of Office after an uninstall

- **Office through a volume license** If you no longer have access to the source files of these volume license versions of Office, you won't be able to reinstall it.

- **Office pre-installed on your computer** If you no longer have a disc or product key (if Office came with one) you won't be able to reinstall it.

- **Non-supported subscriptions** If your copy of Office was obtained through discontinued subscriptions, such as Office 365 Small Business Premium or Office 365 Mid-size Business, you won't be able to install an older version of Office unless you have the product key that came with your subscription.

-If you'd prefer to install your older version of Office side-by-side with the latest version, you can see a list of versions where this is supported in, [Install and use different versions of Office on the same PC](https://support.microsoft.com/office/6ebb44ce-18a3-43f9-a187-b78c513788bf). A side-by-side installation might be the right choice for you, if for example, you've installed third-party add-ins you're using with your older version of Office and you're not yet sure they're compatible with the latest version.

-If you haven't already done so, assign licenses to any users in your organization who need to install Office, see [Assign licenses to users in Microsoft 365 for business](../manage/assign-licenses-to-users.md).

-## Step 5 - Install Office

-After you've verified the users you want to upgrade all have licenses, the final step is to have them install Office, see [Download and install or reinstall Office on your PC or Mac](https://support.microsoft.com/office/4414eaaf-0478-48be-9c42-23adc4716658).

-> If you don't want your users installing Office themselves, see [Manage software download settings in Office 365](/DeployOffice/manage-software-download-settings-office-365). You can use the [Office Deployment Tool](/DeployOffice/overview-office-deployment-tool) to download the Office software to your local network and then deploy Office by using the software deployment method you typically use.

-3. Uncheck the statement **In all reports, display de-identified names for users, groups, and sites**, and then save your changes.

-> [!TIP]

-> This article is designed for small and medium-sized businesses who have up to 300 users. If you're looking for information for enterprise organizations, see [Deploy ransomware protection for your Microsoft 365 tenant](../solutions/ransomware-protection-microsoft-365.md).

-Microsoft 365 for business plans, such as Microsoft 365 Business Basic, Standard, and Premium, include security capabilities, such as antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes even more capabilities, such as device security, advanced threat protection, and information protection. This article describes how to secure your data with Microsoft 365 for business. This article also includes information to [compare capabilities across Microsoft 365 for business plans](#comparing-microsoft-365-for-business-plans).

-| **Desktop versions of Office apps**<br/>Word, Excel, PowerPoint, Publisher, and Access ^{[[See note 1](#fn1)]} | |  |  |

-| **Mobile device management** and mobile app management <br/>[Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | See note ^[[2](#fn2)] | See note ^[[2](#fn2)] |  |

-| **Advanced device security** with next-generation protection, firewall, attack surface reduction, automated investigation and response, and more <br/>[Defender for Business](../security/defender-business/mdb-overview.md) | See note ^[[3](#fn3)] | See note ^[[3](#fn3)] |  |

-| **Advanced protection for email and documents** with advanced anti-phishing, Safe Links, Safe Attachments, and real-time detections<br/>[Microsoft Defender for Office 365 Plan 1](../security/office-365-security/defender-for-office-365.md) | See note ^[[4](#fn4)] | See note ^[[4](#fn4)] |  |

-(<a id="fn1">1</a>) Microsoft Publisher and Microsoft Access run on Windows laptops and desktops only.

-(<a id="fn2">2</a>) Microsoft Intune is included with certain Microsoft 365 plans, such as Microsoft 365 Business Premium. Basic Mobility and Security capabilities are included in Microsoft 365 Business Basic and Standard. [Choose between Basic Mobility and Security or Intune](../admin/basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md).

-(<a id="fn3">3</a>) Defender for Business is included in Microsoft 365 Business Premium. Defender for Business can also be added on to Microsoft 365 Business Basic or Standard. See [Get Defender for Business](/microsoft-365/security/defender-business/get-defender-business).

-(<a id="fn4">4</a>) Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium. Defender for Office 365 Plan 1 can also be added on to Microsoft 365 Business Basic or Standard. See [Defender for Office 365 Plan 1 and Plan 2](/microsoft-365/security/office-365-security/microsoft-defender-for-office-365-product-overview).

-> [!TIP]

-> For more information about what each plan includes, see [Reimagine productivity with Microsoft 365 and Microsoft Teams](https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products-b?ef_id=8c2a86ec9ea514a008c6e419e036519c:G:s&OCID=AIDcmmwf9kwzdj_SEM_8c2a86ec9ea514a008c6e419e036519c:G:s&lnkd=Bing_O365SMB_Brand&msclkid=8c2a86ec9ea514a008c6e419e036519c).

-| Users have normal access to Microsoft 365, files, and Microsoft 365 apps | Users have normal access to Microsoft 365, files, and Microsoft 365 apps | Users can't access Microsoft 365, files, or applications | Users can't access Microsoft 365, files, or Microsoft 365 apps |

-In this stage, your access decreases significantly. Your users can't sign in, or access services like email or SharePoint Online. Microsoft 365 apps eventually move into a read-only, reduced functionality mode and display [Unlicensed Product notifications](https://support.microsoft.com/office/0d23d3c0-c19c-4b2f-9845-5344fedc4380). You can still sign in and get to the admin center, but can't assign licenses to users. Your customer data, including all user data, email, and files on team sites, is available only to you and other admins.

-But for this scenario, we'll automatically generate the event from an external production system. The system is a simple SharePoint list that indicates whether a product is in production. A [Power Automate](/power-automate/getting-started) flow that's associated with the list will trigger the event. In a real-world scenario, you could use various systems to generate the event, such as an HR or CRM system. Power Automate contains many ready-to-use interactions and building block for Microsoft 365 workloads, such as Microsoft Exchange, SharePoint, Teams, and Dynamics 365, plus third-party apps such as Twitter, Box, Salesforce, and Workdays. This feature makes it easy to integrate Power Automate with various systems. For more information, see [Automate event-driven retention](./event-driven-retention.md#automate-events-by-using-a-rest-api).

-The following screenshot shows the SharePoint list that will be used the trigger the event:

-[  ](../media/SPRetention23.png#lightbox)

-There are two products currently in production, as indicated by the ***Yes*** in the **In Production** column. When the value in this column is set to ***No*** for a product, the flow associated with the list will automatically generate the event. The event triggers the start of the retention period for the retention label that was auto-applied to the corresponding product documents.

-For this scenario, we use the following flow to trigger the event:

-[  ](../media/SPRetention24.png#lightbox)

-To create this flow, start from a SharePoint connector and select the **When an item is created or modified** trigger. Specify the site address and list name. Then add a condition based on when the **In Production** list column value is set to ***No*** (or equal to *false* on the condition card). Then add an action based on the built-in HTTP template. Use the values in the following section to configure the HTTP action. You can copy the values for the **URI** and **Body** properties from the following section and paste them into the template.

- ```xml

- <?xml version='1.0' encoding='utf-8' standalone='yes'>

- <entry xmlns:d='http://schemas.microsoft.com/ado/2007/08/dataservices' xmlns:m='http://schemas.microsoft.com/ado/2007/08/dataservices/metadata' xmlns='https://www.w3.org/2005/Atom'>

- <category scheme='http://schemas.microsoft.com/ado/2007/08/dataservices/scheme' term='Exchange.ComplianceRetentionEvent'>

- <updated>9/9/2017 10:50:00 PM</updated>

- <content type='application/xml'>

- <m:properties>

- <d:Name>Cessation Production @{triggerBody()?['Product_x0020_Name']?['Value']}</d:Name>

- <d:EventType>Product Cessation&lt;</d:EventType>

- <d:SharePointAssetIdQuery>ProductName:&quot;@{triggerBody()?['Product_x0020_Name']?['Value']}<d:SharePointAssetIdQuery>

- <d:EventDateTime>@{formatDateTime(utcNow(),'yyyy-MM-dd')}</d:EventDateTime>

- </m:properties>

- </content&gt>

- </entry>

- ```

-This list describes the parameters in the **Body** property of the action that must be configured for this scenario:

- [  ](../media/SPRetention25.png#lightbox)

-### Putting it all together

-Now the retention label is created and auto-applied, and the flow is configured and created. When the value in the **In Production** column for the Spinning Widget product in the Products list is changed from ***Yes*** to ***No***, the flow is triggered to create the event. To see this event in the Microsoft Purview compliance portal, go to **Records management** > **Events**.

-Select the event to view the details on the flyout pane. Notice that even though the event is created, the event status shows that no SharePoint sites or documents have been processed.

-

-But after a delay, the event status shows that a SharePoint site and a SharePoint document have been processed.

-

-This shows that the retention period for the label applied to the Spinning Widget product document has been initiated, based on the event date of the *Cessation Production Spinning Widget* event. Assuming that you implemented the scenario in your test environment by configuring a one-day retention period, you can go to the document library for your product documents a few days after the event was created and verify that the document was deleted (after the deletion job in SharePoint has run).

-### Microsoft Graph API for records management (preview)

-Now rolling out, the first release of Graph APIs for records management support the management of retention labels, and event-based retention. Example scenarios:

-For more information about the Graph APIs for records management, see [Use the Microsoft Graph Records Management API](/graph/api/resources/security-recordsmanagement-overview?view=graph-rest-beta&preserve-view=true).

-> Advanced classification must be enabled to see contextual text (in preview) for DLP rule matched events in Activity explorer. Learn more about contextual text at [Contextual summary](dlp-learn-about-dlp.md#contextual-summary). Be sure that you have applied KB5016688 for Windows 10 devices and KB5016691 for Windows 11 devices.

-#### Windows 10 devices

-You can use this logic to construct your exclusion paths for Windows 10 devices:

-Similar to Windows 10 devices you can add your own exclusions for macOS devices.

-**Restricted apps** (previously called **Unallowed apps**) is a list of applications that you create. You configure what actions DLP will take when a user uses an app on the list to ***access*** a DLP protected file on a device. It's available for Windows 10 and macOS devices.

-> When you use the VPN list in defining the actions of a policy, you will also see **Corporate network** as an option. **Corporate network** connections are are all connections to your organizations resources.These connections can include VPNs.

-This is in preview for endpoint DLP. For endpoints, be sure that you have applied KB5016688 for Windows 10 devices and KB5016691 for Windows 11 devices.

-|Windows 10 devices |items |yes |yes |

-⁵ For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, **time\*** can expand to **"time OR timer OR times OR timex OR timeboxed OR ..."**. The limit of 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There's no upper limit for non-phrase terms.

-Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of MicrosoftΓÇÖs DLP offerings, see [Learn about data loss prevention](dlp-learn-about-dlp.md). To learn more about Endpoint DLP, see [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)

-Article | Description

-:|:

-[Onboard Windows 10 or 11 devices using Group Policy](device-onboarding-gp.md) | Use Group Policy to deploy the configuration package on devices.

-[Onboard Windows 10 or 11 devices using Microsoft Endpoint Configuration Manager](device-onboarding-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.

-[Onboard Windows 10 or 11 devices using Microsoft Intune](device-onboarding-mdm.md) | Use Microsoft Intune to deploy the configuration package on device.

-[Onboard Windows 10 or 11 devices using a local script](device-onboarding-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.

-[Onboard non-persistent virtual desktop infrastructure (VDI) devices](device-onboarding-vdi.md) | Learn how to use the configuration package to configure VDI devices.

-|Virtualization </br> platform |Windows 10 |Windows 11 |

-||||

-|Azure virtual desktop (AVD)|- Single session supported for 20H2, 21H1, 21H2</br>- Multi session supported for 20H2, 21H1, 21H2 |- Single session supported for 22H2</br>- Multi session supported for 22H2|1809 and higher supported |

-|Citrix Virtual Apps and Desktops 7 (2209)|- Single session supported for 20H2, 21H1, 21H2</br>- Multi session supported for 20H2, 21H1, 21H2|- Single session supported for 21H2 (Gen2)</br>- Multi session supported for 21H2 (Gen 2)|

-|Azure virtual desktop (AVD)|- Single session supported for 20H2, 21H1, 21H2</br>- Multi session supported for 20H2, 21H1, 21H2 |- Single session supported for 22H2</br>- Multi session supported for 22H2|

-|Hyper-V |- Single session supported for 20H2, 21H1, 21H2</br>- Multi session with Hybrid AD join supported for 20H2, 21H1, 21H2 |- Single session supported for 22H2</br>- Multi session with Hybrid AD join supported for 22H2|

-

-Article | Description

-:|:

-|[Intune](device-onboarding-offboarding-macos-intune.md)|For macOS devices that are managed through Intune

-|[Intune for Microsoft Defender for Endpoint customers](device-onboarding-offboarding-macos-intune-mde.md) |For macOS devices that are managed through Intune and that have Microsoft Defender for Endpoint (MDE) deployed to them

-|[JAMF Pro)](device-onboarding-offboarding-macos-jamfpro.md) | For macOS devices that are managed through JAMF Pro

-|[JAMF Pro for Microsoft Defender for Endpoint customers)](device-onboarding-offboarding-macos-jamfpro-mde.md)|For macOS devices that are managed through JAMF Pro and that have Microsoft Defender for Endpoint (MDE) deployed to them

->This experience is under license enforcement. Without the required license, data will not be visible or accessible.

-## Automate events by using a REST API

-You can use a REST API to automatically create the events that trigger the start of the retention time.

-> Now rolling out in preview, you can alternatively use [Microsoft Graph API for records management](compliance-extensibility.md#microsoft-graph-api-for-records-management-preview) to create the event, and also create event types and retention labels.

->

-> We encourage you to try these Graph APIs because the REST APIs in this section will soon be deprecated and stop working.

-A REST API is a service endpoint that supports sets of HTTP operations (methods), which provide create/retrieve/update/delete access to the service's resources. For more information, see [Components of a REST API request/response](/rest/api/gettingstarted/#components-of-a-rest-api-requestresponse). By using the Microsoft 365 REST API, events can be created and retrieved using the POST and GET methods.

-There are two options for using the REST API:

-Before you use the REST API, as a global administrator, confirm the URL to use for the retention event call. To do this, run a GET retention event call by using the REST API URL:

-```http

-https://ps.compliance.protection.outlook.com/psws/service.svc/ComplianceRetentionEvent

-```

-Check the response code. If it's 302, get the redirected URL from the Location property of the response header and use that URL instead of `https://ps.compliance.protection.outlook.com/psws/service.svc/ComplianceRetentionEvent` in the instructions that follow.

-The events that get automatically created can be confirmed by viewing them in the Microsoft Purview compliance portal > **Records management** > **Events**.

-### Use Microsoft Power Automate to create the event

-Create a flow that creates an event using the Microsoft 365 REST API:

-

-

-#### Create an event

-Sample code to call the REST API:

- ```xml

- <?xml version='1.0' encoding='utf-8' standalone='yes'?>

-

- <entry xmlns:d='http://schemas.microsoft.com/ado/2007/08/dataservices'

-

- xmlns:m='http://schemas.microsoft.com/ado/2007/08/dataservices/metadata'

-

- xmlns='http://www.w3.org/2005/Atom'>

-

- <category scheme='http://schemas.microsoft.com/ado/2007/08/dataservices/scheme' term='Exchange.ComplianceRetentionEvent' />

-

- <updated>9/9/2017 10:50:00 PM</updated>

-

- <content type='application/xml'>

-

- <m:properties>

-

- <d:Name>Employee Termination </d:Name>

-

- <d:EventType>99e0ae64-a4b8-40bb-82ed-645895610f56</d:EventType>

-

- <d:SharePointAssetIdQuery>1234</d:SharePointAssetIdQuery>

-

- <d:EventDateTime>2018-12-01T00:00:00Z </d:EventDateTime>

-

- </m:properties>

-

- </content>

-

- </entry>

- ```

-##### Available parameters

-|Parameters|Description|Notes|

-| | | |

-|<d:Name></d:Name>|Provide a unique name for the event,|Can't contain trailing spaces or the following characters: % * \ & < \> \| # ? , : ;|

-|<d:EventType></d:EventType>|Enter event type name (or Guid),|Example: "Employee termination". Event type has to be associated with a retention label.|

-|<d:SharePointAssetIdQuery></d:SharePointAssetIdQuery>|Enter "ComplianceAssetId:" + employee ID|Example: "ComplianceAssetId:12345"|

-|<d:EventDateTime></d:EventDateTime>|Event Date and Time|Format: yyyy-MM-ddTHH:mm:ssZ, Example: 2018-12-01T00:00:00Z

-|

-###### Response codes

-| Response Code | Description |

-| -- | |

-| 302 | Redirect |

-| 201 | Created |

-| 403 | Authorization Failed |

-| 401 | Authentication Failed |

-##### Get events based on a time range

-###### Response codes

-| Response Code | Description |

-| -- | |

-| 200 | OK, A list of events in atom+ xml |

-| 404 | Not found |

-| 302 | Redirect |

-| 401 | Authorization Failed |

-| 403 | Authentication Failed |

-##### Get an event by ID

-###### Response codes

-| Response Code | Description |

-| -- | - |

-| 200 | OK, The response body contains the event in atom+xml |

-| 404 | Not found |

-| 302 | Redirect |

-| 401 | Authorization Failed |

-| 403 | Authentication Failed |

-##### Get an event by name

-###### Response codes

-| Response Code | Description |

-| -- | - |

-| 200 | OK, The response body contains the event in atom+xml |

-| 404 | Not found |

-| 302 | Redirect |

-| 401 | Authorization Failed |

-| 403 | Authentication Failed |

-### Use PowerShell or any HTTP client to create the event

-PowerShell must be version 6 or later.

-In a PowerShell session, run the following script:

-```powershell

-param([string]$baseUri)

-$userName = "UserName"

-$password = "Password"

-$securePassword = ConvertTo-SecureString $password -AsPlainText -Force

-$credentials = New-Object System.Management.Automation.PSCredential($userName, $securePassword)

-$EventName="EventByRESTPost-$(([Guid]::NewGuid()).ToString('N'))"

-Write-Host "Start to create an event with name: $EventName"

-$body = "<?xml version='1.0' encoding='utf-8' standalone='yes'?>

-<entry xmlns:d='http://schemas.microsoft.com/ado/2007/08/dataservices'

-xmlns:m='http://schemas.microsoft.com/ado/2007/08/dataservices/metadata'

-xmlns='http://www.w3.org/2005/Atom'>

-<category scheme='http://schemas.microsoft.com/ado/2007/08/dataservices/scheme' term='Exchange.ComplianceRetentionEvent' />

-<updated>7/14/2017 2:03:36 PM</updated>

-<content type='application/xml'>

-<m:properties>

-<d:Name>$EventName</d:Name>

-<d:EventType>e823b782-9a07-4e30-8091-034fc01f9347</d:EventType>

-<d:SharePointAssetIdQuery>'ComplianceAssetId:123'</d:SharePointAssetIdQuery>

-</m:properties>

-</content>

-</entry>"

-$event = $null

-try

-{

-$event = Invoke-RestMethod -Body $body -Method 'POST' -Uri "$baseUri/ComplianceRetentionEvent" -ContentType "application/atom+xml" -Authentication Basic -Credential $credentials -MaximumRedirection 0

-}

-catch

-{

-$response = $_.Exception.Response

-if($response.StatusCode -eq "Redirect")

-{

-$url = $response.Headers.Location

-Write-Host "redirected to $url"

-$event = Invoke-RestMethod -Body $body -Method 'POST' -Uri $url -ContentType "application/atom+xml" -Authentication Basic -Credential $credentials -MaximumRedirection 0

-}

-}

-$event | fl *

-```

-| Programatically create and manage retention labels, event-based retention, and automate repetitive tasks for records management | [Microsoft Graph API for records management (preview)](compliance-extensibility.md#microsoft-graph-api-for-records-management-preview) |

-We hope to increase those limits in the future to ensure larger OneDrive accounts can be migrated via the process.

-description: Learn how to integrate your remote monitoring and management (RMM) tools and professional service automation (PSA) software with Defender for Business, Microsoft 365 Business Premium, Defender for Endpoint, and Microsoft 365 Lighthouse.

-# Resources for Microsoft partners using Microsoft Defender for Business and Microsoft 365 Business Premium

-Small and medium-sized businesses recognize security as a key component to their success, but often don't have the capacity or expertise to have a dedicated security operations team. Customers often need help with managing the security of their endpoints and network, and addressing alerts or detected threats. Microsoft partners can help!

-If you're a Microsoft partner, and you're working with customers who have or need [Defender for Business](mdb-overview.md), [Microsoft 365 Business Premium](../../business-premium/index.md), or [Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md), this article is for you.

-* Client error (400-code level) ΓÇô the client sent an invalid request or the request is not in accordance with definitions.

-OsPlatformNotSupported|BadRequest (400)|OS Platform {the client OS Platform} is not supported for this action.

-DisabledFeature|Forbidden (403)|Tenant feature is not enabled.

-ResourceNotFound|Not Found (404)|Resource {the requested resource} was not found.

-TooManyRequests|Too Many Requests (429)|Response will represent reaching quota limit either by number of requests or by CPU.

-Ignoring the 429 response or trying to resubmit HTTP requests in a shorter time frame will cause a return of the 429 error code.

-When contacting us about an error, attaching this ID will help find the root cause of the problem.

-3. Verify that the traffic isn't being inspected by SSL inspection (TLS inspection). This is the most common network related issue when setting up Microsoft Defender Endpoint, see [Verify SSL inspection is not being performed on the network traffic](#step-3-verify-ssl-inspection-isnt-being-performed-on-the-network-traffic).

-To prevent man-in-the-middle attacks, all Microsoft Azure hosted traffic uses certificate pinning. As a result, SSL inspections by major firewall systems aren't allowed. You'll have to bypass SSL inspection for Microsoft Defender for Endpoint URLs.

-Capture performance data from the endpoints that will have Defender for Endpoint installed. This includes disk space availability on all mounted partitions, memory usage, process list, and CPU usage (aggregate across all cores).

-Newer driver/firmware on a NIC's or NIC teaming software could help w/ performance and/or reliability.

-|CPU |If the Linux system is running only 1 vcpu, we recommend to be increased to 2 vcpu's<br> 4 cores are preferred |

-High I/O workloads such as Postgres, OracleDB, Jira, and Jenkins may require additional exclusions depending on the amount of activity that is being processed (which is then monitored by Defender for Endpoint). It is best to follow guidance from third party application providers for exclusions if you experience performance degredation after installing Defender for Endpoint. Also keep in mind [Common Exclusion Mistakes for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus).

-You can refer to these documents for more information if you experience performance degredation:

-Defender for Endpoint on Linux is designed to allow almost any management solution to easily deploy and manage Defender for Endpoint settings on Linux. A few common Linux management platforms are Ansible, Puppet, and Chef. Below are documents that contain examples on how to configure these management platforms to deploy and configure Defender for Endpoint on Linux.

-In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either Beta or Preview.

-For more information see, [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux](linux-support-events.md).

-|wdavdaemon unprivileged|N/A|AV engine| The following diagram shows the workflow and steps required in order to add AV exclusions. <br/><br/> :::image type="content" source="images/unprivileged-plugins.png" alt-text="Screenshot that shows This is unpriviledged sensors." lightbox="images/unprivileged-plugins.png"::: <br/><br/>**General troubleshooting guidance**<br/> - If you have in-house apps/scripts or a legitimate third-party app/script getting flagged, Microsoft security researchers analyze suspicious files to determine if they're threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware by using the unified submissions experience (for more information, see [Unified submissions experience](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/unified-submissions-in-microsoft-365-defender-now-generally/ba-p/3270770)) or [File submissions](https://www.microsoft.com/wdsi/filesubmission). <br/><br/> - See [troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](linux-support-perf.md).<br/><br/> - Download and run Microsoft Defender for Endpoint Client Analyzer. For more information, see [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md). <br/><br/> - Collect diagnostic data using the [Client analyzer tool](https://aka.ms/xMDEClientAnalyzerBinary).<br/><br/> - Open a CSS support case with Microsoft. For more information, see [CSS security support case](/mem/get-support).

-In Intune, a device compliance policy is used in conjunction with Azure AD Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched.

-To resolve the risk found on a device, you'll need to return the device to a compliant state. A device returns to a compliant state when there is no risk seen on it.

-2. Resolve active alerts on the device. This will remove the risk from the device.

-3. You can remove the device from the active policies and consequently, Conditional Access will not be applied on the device.

-4. The manual or automated investigation and remediation is completed and the threat is removed. Defender for Endpoint sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications.

-Microsoft Defender for Endpoint analyzes a network and determines if it's a corporate network that needs to be monitored or a non-corporate network that can be ignored. To identify a network as corporate, we correlate network identifiers across all tenant's clients and if the majority of the devices in the organization report that they are connected to the same network name, with the same default gateway and DHCP server address, we assume that this is a corporate network. Corporate networks are typically chosen to be monitored. However, you can override this decision by choosing to monitor non-corporate networks where onboarded devices are found.

-The list of monitored networks is sorted based upon the total number of devices seen on the network in the last 7 days.

-You control where device discovery takes place. Monitored networks are where device discovery will be performed and are typically corporate networks. You can also choose to ignore networks or select the initial discovery classification after modifying a state.

-Choosing the initial discovery classification means applying the default system-made network monitor state. Selecting the default system-made network monitor state means that networks that were identified to be corporate, will be monitored, and ones identified as non-corporate, will be ignored automatically.

-You can use the following advanced hunting query to get more context about each network name described in the networks list. The query lists all the onboarded devices that were connected to a certain network within the last 7 days.

-Keep the following points in mind when you are defining exclusions:

-Exchange has supported integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange. It is highly recommended to ensure these updates are installed and AMSI is working using the guidance provided by the Exchange Team as this integration will allow the best ability for Defender Antivirus to detect and block exploitation of Exchange.

-Many organizations exclude the Exchange directories from antivirus scans for performance reasons. Microsoft recommends to audit AV exclusions on Exchange systems and assess if they can be removed without impacting performance in your environment to ensure the highest level of protection. Exclusions can be managed by using Group Policy, PowerShell, or systems management tools like Microsoft Endpoint Configuration Manager.

-If exclusions cannot be removed for the Exchange processes and folders, running a Quick Scan in Defender Antivirus will scan the Exchange directories and files, regardless of exclusions.

-To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](/intune/security-baselines#q--a).

-The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, and settings for some security features like Microsoft Defender Antivirus. In contrast, the Defender for Endpoint baseline provides settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:

-Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Defender for Endpoint security baseline layered on top to optimally configure the Defender for Endpoint security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released.

-## Related topics

-description: You can exclude files from scans if they have been opened by a specific process.

-You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.

-By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.

-See [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.

-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.

-In particular, you cannot use the question mark (`?`) wildcard, and the asterisk (`*`) wildcard can only be used at the end of a complete path. You can still use environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the process exclusion list.

-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Microsoft Defender Antivirus cmdlets](/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.

-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Microsoft Defender Antivirus cmdlets](/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.

-Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).

-On Windows Server 2016 or later, you should not need to define the following exclusions:

-Because Microsoft Defender Antivirus is built in, it does not require exclusions for operating system files on Windows Server 2016 or later. In addition, when you run Windows Server 2016 or later and install a role, Microsoft Defender Antivirus includes automatic exclusions for the server role and any files that are added while installing the role.

-Operating system exclusions and server role exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).

-This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.

-See the following for more information and allowed parameters:

-The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they are added.

- - If you're using Defender for Endpoint, choose device groups to get notifications for. (If you're using [Defender for Business](../defender-business/mdb-overview.md), device groups do not apply.)

-**Problem:** Intended recipients report they are not getting the notifications.

-**Solution:** Make sure that the notifications are not blocked by email filters:

-1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk.

-2. Check that your email security product is not blocking the email notifications from Defender for Endpoint.

-## Related topics

-1. Turn on CFA using powershell command:

-The Potentially Unwanted Applications (PUA) protection feature in Microsoft Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use.

-3. After downloading the file, it is automatically blocked and prevented from running.

-A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria is met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they are satisfied before moving on to the next ring.

-Adopting a ring-based deployment helps reduce potential issues that could arise while rolling out the service. By piloting a certain number of devices first, you can identify potential issues and mitigate potential risks that might arise.

-Identify a small number of test machines in your environment to onboard to the service. Ideally, these machines would be fewer than 50 endpoints.

-Microsoft Defender for Endpoint supports a variety of endpoints that you can onboard to the service. In this ring, identify several devices to onboard and based on the exit criteria you define, decide to proceed to the next deployment ring.

-In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either Beta or Preview.

-This mode allows every Microsoft Defender for Endpoint onboarded device to collect network data and discover neighboring devices. Onboarded endpoints passively collect events in the network and extract device information from them. No network traffic will be initiated. Onboarded endpoints will simply extract data from every network traffic that is seen by an onboarded device. This data used to list unmanaged devices in your network.

-You have the option to turn off device discovery through the [Advanced features](advanced-features.md) page. However, you will lose visibility on unmanaged devices in your network. Note that even if device discovery is turned off, SenseNDR.exe will still be running on the onboarded devices.

-In this mode endpoints onboarded to Microsoft Defender for Endpoint can actively probe observed devices in the network to enrich collected data (with negligible amount of network traffic). Only devices that were observed by the basic discovery mode will be actively probed in standard mode. This mode is highly recommended for building a reliable and coherent device inventory. If you choose to disable this mode, and select Basic discovery mode, you will likely only gain limited visibility of unmanaged endpoints in your network.

-You can customize the list of devices that are used to perform Standard discovery. You can either enable Standard discovery on all the onboarded devices that also support this capability (currently Windows 10 or later and Windows Server 2019 or later devices only) or select a subset or subsets of your devices by specifying their device tags. In this case, all other devices will be configured to run Basic discovery only. The configuration is available in the device discovery settings page.

-The discovery engine distinguishes between network events that are received in the corporate network versus outside of the corporate network. By correlating network identifiers across all tenant's clients, events are differentiated between ones that were received from private networks and corporate networks. For example, if the majority of the devices in the organization report that they are connected to the same network name, with the same default gateway and DHCP server address, it can be assumed that this network is likely a corporate network. Private network devices will not be listed in the inventory and will not be actively probed.

-If there are devices on your network which should not be actively probed, you can also define a list of exclusions to prevent them from being scanned. The configuration is available in the device discovery settings page.

- The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices, that also imply on the overall security score of the organization.

-Temporarily, unmanaged device health state will be "Active" during the standard retention period of the device inventory, regardless of their actual state.

-When considering Standard discovery, you may be wondering about the implications of probing, and specifically whether security tools might suspect such activity as malicious. The following subsection will explain why, in almost all cases, organizations should have no concerns around enabling Standard discovery.

-As opposed to malicious activity, which would typically scan the entire network from a small number of compromised devices, Microsoft Defender for Endpoint's Standard discovery probing is initiated from all onboarded Windows devices making the activity benign and non-anomalous. The probing is centrally managed from the cloud to balance the probing attempt between all the supported onboarded devices in the network.

-Standard discovery supports exclusion of devices or ranges (subnets) from active probing. If you have network lures deployed in place, you can use the Device Discovery settings to define exclusions based on IP addresses or subnets (a range of IP addresses). Defining those exclusions will ensure that those devices won't be actively probed and won't be alerted. Those devices will be discovered using passive methods only (similar to Basic discovery mode).

-Devices that have been discovered but have not yet been onboarded and secured by Microsoft Defender for Endpoint will be listed in the device inventory within the Computers and Mobile tab.

-Network devices are not managed as standard endpoints, as Defender for Endpoint doesn't have a sensor built into the network devices themselves. These types of devices require an agentless approach where a remote scan will obtain the necessary information from the devices. To do this, a designated Microsoft Defender for Endpoint device will be used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for Endpoint's vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.

-This means that when a non-onboarded device attempts to communicate with an onboarded Microsoft Defender for Endpoint device, the attempt will generate a DeviceNetworkEvent and the non-onboarded device activities can be seen on the onboarded device timeline, and through the Advanced hunting DeviceNetworkEvents table.

-We recommend using ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint). However, if you have another license, such as Windows Professional or Windows E3 that don't include advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (for example, Event Forwarding).

-Enterprise-level management such as Intune or Microsoft Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.

-You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.

-You can specify individual files or folders (using folder paths or fully qualified resource names). An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.

-For information about per-rule exclusions, see the section titled **Configure ASR rules per-rule exclusions** in the topic [Test attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-test.md)

-1. If a conflicting policy is applied via MDM and GP, the setting applied from MDM will take precedence.

-2. Attack surface reduction rules for managed devices now support behavior for merger of settings from different policies, to create a superset of policy for each device. Only the settings that are not in conflict are merged, while those that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. Attack surface reduction rule merge behavior is as follows:

- - Settings that do not have conflicts are added to a superset of policy for the device.

- - When two or more policies have conflicting settings, the conflicting settings are not added to the combined policy, while settings that don't conflict are added to the superset policy that applies to a device.

- - In **OMA-URI**, type or paste the specific OMA-URI link for the rule that you are adding. Refer to the MDM section in this article for the OMA-URI to use for this example rule. For attack surface reduction rule GUIDS, see [Per rule descriptions](attack-surface-reduction-rules-reference.md#per-rule-descriptions) in the topic: Attack surface reduction rules.

- - 0 : Disable (Disable the ASR rule)

- - 1 : Block (Enable the ASR rule)

- - 2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)

- - 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)

-10. Select **Next**. In step **6 Review + create**, review the settings and information you have selected and entered, and then select **Create**.

- - 0 : Disable (Disable the ASR rule)

- - 1 : Block (Enable the ASR rule)

- - 2 : Audit (Evaluate how the ASR rule would impact your organization if enabled)

- - 6 : Warn (Enable the ASR rule but allow the end-user to bypass the block)

-2. Type one of the following cmdlets. (Refer to [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md) for more details, such as rule ID.)

- - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.

-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.

-If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:

-The result is that DEP is enabled only for *test.exe*. All other apps will not have DEP applied.

-The result is that DEP is enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.

- - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app.<br/>

-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.

-2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.

-|Do not allow child processes|App-level only|`DisallowChildProcessCreation`|`AuditChildProcess`|

-<a href="#t2" id="r2">\[2\]</a>: Audit for this mitigation is not available via PowerShell cmdlets.

-It is especially useful in helping protect against [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that attempts to encrypt your files and hold them hostage.

- 2. If the app is not listed at the top of the list select **Add program to customize**. Then, choose how you want to add the app.

-|Do not allow child processes|`AuditChildProcess`|

-If you configure exploit protection mitigations using an XML configuration file, either via PowerShell, Group Policy, or MDM, when processing this XML configuration file, individual registry settings will be configured for you.

-When the policy distributing the XML file is no longer enforced, settings deployed by this XML configuration file will not be automatically removed. To remove Exploit Protection settings, export the XML configuration from a clean Windows 10 or Windows 11 device, and deploy this new XML file. Alternately, Microsoft provides an XML file as part of the Windows Security Baselines for resetting Exploit Protection settings.

-Arbitrary code guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary code guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED).

-Arbitrary code guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers. Most modern browsers, for example, will compile JavaScript into native code in order to optimize performance. In order to support this mitigation, they will need to be rearchitected to move the JIT compilation outside of the protected process. Other applications whose design dynamically generates code from scripts or other intermediate languages will be similarly incompatible with this mitigation.

-Block low integrity images prevents the application from loading files that are untrusted, typically because they have been downloaded from the internet from a sandboxed browser.

-This mitigation will block image loads if the image has an Access Control Entry (ACE) which grants access to Low IL processes and which does not have a trust label ACE. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a low integrity image, it will trigger a STATUS_ACCESS_DENIED error. For details on how integrity levels work, see [Mandatory Integrity Control](/windows/win32/secauthz/mandatory-integrity-control).

-Block low integrity images will prevent the application from loading files that were downloaded from the internet. If your application workflow requires loading images that are downloaded, you will want to ensure that they are downloaded from a higher-trust process, or are explicitly relabeled in order to apply this mitigation.

-This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error.

-Block remote images will prevent the application from loading images from remote devices. If your application loads files or plug-ins from remote devices, then it will not be compatible with this mitigation.

-This mitigation is implemented within GDI, which validates the location of the file. If the file is not in the system fonts directory, the font will not be loaded for parsing and that call will fail.

-The most common use of fonts outside of the system fonts directory is with [web fonts](/typography/fonts/font-faq#web). Modern browsers, such as Microsoft Edge, use DirectWrite instead of GDI, and are not impacted. However, legacy browsers, such as Internet Explorer 11 (and IE mode in the new Microsoft Edge) can be impacted, particularly with applications such as Office 365, which use font glyphs to display UI.

-Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. Code integrity guard includes [WHQL](/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process.

-This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary that is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process.

-This mitigation specifically blocks any binary that is not signed by Microsoft. As such, it will be incompatible with most third-party software, unless that software is distributed by (and digitally signed by) the Microsoft Store, and the option to allow loading of images signed by the Microsoft Store is selected.

-**Also allow loading of images signed by Microsoft Store** - Applications that are distributed by the Microsoft Store will be digitally signed by the Microsoft Store, and adding this configuration will allow binaries that have gone through the store certification process to be loaded by the application.

-This mitigation is provided by injecting another check at compile time. Before each indirect function call, another instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation.

-Since applications must be compiled to support CFG, they implicitly declare their compatibility with it. Most applications, therefore, should work with this mitigation enabled. Because these checks are compiled into the binary, the configuration you can apply is merely to disable checks within the Windows kernel. In other words, the mitigation is on by default, but you can configure the Windows kernel to always return "yes" if you later determine that there is a compatibility issue that the application developer did not discover in their testing, which should be rare.

-Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. DEP helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code.

-If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash.

-All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed.

-**Enable ATL Thunk emulation** - This configuration option disables ATL Thunk emulation. ATL, the ActiveX Template Library, is designed to be as small and fast as possible. In order to reduce binary size, it would use a technique called *thunking*. Thunking is typically thought of for interacting between 32-bit and 16-bit applications, but there are no 16-bit components to ATL here. Rather, in order to optimize for binary size, ATL will store machine code in memory that is not word-aligned (creating a smaller binary), and then invoke that code directly. ATL components compiled with Visual Studio 7.1 or earlier (Visual Studio 2003) do not allocate this memory as executable - thunk emulation resolves that compatibility issue. Applications that have a binary extension model (such as Internet Explorer 11) will often need to have ATL Thunk emulation enabled.

-Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third-party Legacy IMEs that will not work with the protected application.

-Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode component, it is frequently targeted as an escape vector for applications that are sandboxed. This mitigation prevents calls into win32k.sys by blocking a thread from converting itself into a GUI thread, which is then given access to invoke Win32k functions. A thread is non-GUI when created, but converted on first call to win32k.sys, or through an API call to [IsGuiThread](/windows/win32/api/winuser/nf-winuser-isguithread).

-This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will use process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation.

-## Do not allow child processes

-The mitigation protects the memory page in the [export directory that points to the [export address table](/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated.

-When the memory manager is mapping in the image into the process, Mandatory ASLR will forcibly rebase DLLs and EXEs that have not opted in to ASLR. Note, however, that this rebasing has no entropy, and can therefore be placed at a predictable location in memory. For rebased and randomized location of binaries, this mitigation should be paired with [Randomize memory allocations (Bottom-up ASLR)](#randomize-memory-allocations-bottom-up-aslr).

-**Do not allow stripped images** - This option blocks the loading of images that have had relocation information stripped. The Windows PE file format contains absolute addresses, and the compiler also generates a [base relocation table that the loader can use to find all relative memory references and their offset, so they can be updated if the binary does not load at its preferred base address. Some older applications strip out this information in production builds, and therefore these binaries cannot be rebased. This mitigation blocks such binaries from being loaded (instead of allowing them to load at their preferred base address).

-The memory pages for all protected APIs will have the [PAGE_GUARD](/windows/win32/memory/creating-guard-pages) protection applied to them. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated.

-Most applications that are compatible with Mandatory ASLR (rebasing) are also compatible with the other entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled).

-Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice.

-This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that:

-If these validations fail, then exception handling is aborted, and the exception will not be handled.

-*Validate handle usage* is a mitigation that helps protect against an attacker using an existing handle to access a protected object. A [handle](/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE).

-Applications that were not accurately tracking handle references, and which were not wrapping these operations in exception handlers, will potentially be impacted by this mitigation.

-The *validate image dependency* mitigation helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries. The technique of DLL planting abuses the loader's search mechanism to inject malicious code, which can be used to get malicious code running in an elevated context. When the loader is loading a Windows signed binary, and then loads up any dlls that the binary depends on, these binaries will be verified to ensure that they are also digitally signed as a Windows binary. If they fail the signature check, the dll will not be loaded, and will throw an exception, returning a status of STATUS_INVALID_IMAGE_HASH.

-Compatibility issues are uncommon. Applications that depend on replacing Windows binaries with local private versions will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.

-This mitigation intercepts many Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated.

-Applications that are using fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications.

-When a mitigation is found on the device, a notification will be displayed from the Action Center. You can [customize the notification](attack-surface-reduction-rules-deployment-implement.md#customize-attack-surface-reduction-rules) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

-|NullPage Security Mitigation | Yes<br />Included natively in Windows 10 and Windows 11 <br/>See [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | Yes |

-|Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection<br/>See [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | Yes |

-|Do not allow child processes | Yes | No |

-> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10 and Windows 11, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. See the [Mitigation threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.

-> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-If the timestamp is not in the past 30 days - 400 Bad Request.

-description: Find all devices that contain specifc tag

-> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-useStartsWithFilter|Boolean|When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**.

-Here is an example of the request.

-Any device that isn't in use for more than seven days will retain 'Inactive' status in the portal.

-If the device was offboarded, it will still appear in devices list. After seven days, the device health state should change to inactive.

-This status indicates that there is limited communication between the device and the service.

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body. If alert with the specified ID was not found - 404 Not Found.

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-> - The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-Here is an example of the request.

-Here is an example of the response.

-RbacGroupName|string|The role-based access control (RBAC) group. If this device is not assigned to any RBAC group, the value will be "Unassigned." If the organization doesn't contain any RBAC groups, the value will be "None."

-id|String| Scan id.

-orgId |String| Related organization id.

-intervalInHours|Int|The interval at which the scan will run.

-scannerAgent|Object|Set of scanner agent objects, contains: id, device id, device name, the date and time (in UTC) the device was last seen, assigned application id, scanner software version, and the date and time (in UTC) the scanner agent was last executed. See [Get all scan definitions](./get-all-scan-definitions.md).

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 200 OK with an prevalence set to 0.

-Here is an example of the request.

-Here is an example of the response.

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-If successful and file exists - 200 OK with the [file](files.md) entity in the body. If file does not exist - 404 Not Found.

-Here is an example of the request.

-Here is an example of the response.

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-> - Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-If successful and file exists - 200 OK with list of [alert](alerts.md) entities in the body. If file does not exist - 200 OK with an empty set.

-Here is an example of the request.

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-> - Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-If successful and file exists - 200 OK with list of [machine](machine.md) entities in the body. If file does not exist - 200 OK with an empty set.

-Here is an example of the request.

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found.

-Here is an example of the request.

-Here is an example of the response.

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-If successful and ip exists - 200 OK with statistical data in the body. IP is valid but does not exist - organizationPrevalence 0, IP is invalid - HTTP 400.

-Here is an example of the request.

-Here is an example of the response.

-If successful, this method returns 200, Ok response code with object that holds the link to the command result in the *value* property. This link is valid for 30 minutes and should be used immediately for downloading the package to a local storage. An expired link can be re-created by another call, and there is no need to run live response again.

-Here is an example of the request.

-Here is an example of the response.

-## Related topics

-If successful and device exists - 200 OK with list of [user](user.md) entities in the body. If device was not found - 404 Not Found.

-Here is an example of the request.

-Here is an example of the response.

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-If successful, this method returns 200, Ok response code with a [Machine Action](machineaction.md) entity. If machine action entity with the specified ID was not found - 404 Not Found.

-Here is an example of the request.

-> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)

-> - Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-Here is an example of the request.

-Here is an example of the response.

-## Related topics

-> - The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)

-> - The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

-Here is an example of the request.

-Here is an example of the response.

-Once the Microsoft Defender for Endpoint team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association.

-To have your company listed as a partner in the in-product partner page, you will need to provide the following information:

-4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Any press release including the Microsoft Defender for Endpoint product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done.

-5. If you use a multi-tenant Azure AD approach, we will need the Azure AD application name to track usage of the application.

-6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).

-Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.

-Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS).

-In the case were multiple different action types are set on the same indicator (for example, **block**, **warn**, and **allow**, action types set for Microsoft.com), the order those action types would take effect is:

-The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy that is correct but has lower investigation value.

-If you turn off network protection, users or apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft 365 Defender.

-If you do not configure it, network blocking will be turned off by default.

-When network protection is turned on, you'll see that on a device's timeline the IP address will keep representing the proxy, while the real target address shows up.

-Using this simple query will show you all the relevant events:

-## Related topics

-A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.

-When you investigate a user account entity, you'll see:

-The **User details** pane on left provides information about the user, such as related open incidents, active alerts, SAM name, SID, Microsoft Defender for Identity alerts, number of devices the user is logged on to, when the user was first and last seen, role, and logon types. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. The **Azure ATP alerts** section contains a link that will take you to the Microsoft Defender for Identity page, if you have enabled the Microsoft Defender for Identity feature, and there are alerts related to the user. The Microsoft Defender for Identity page will provide more information about the alerts.

-Selecting an item on the Observed in organization table will expand the item, revealing more details about the device. Directly selecting a link within an item will send you to the corresponding page.

-A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of devices it was observed logged on to in the last 30 days.

-## Related topics

- - However, for Unsupervised devices, the control will be displayed under the **Settings > Privacy**

- - This toggle is only visible if Admin has set **DefenderExcludeURLInReport = true**

- - In Settings page, select Use configuration designer and add **DefenderTVMPrivacyMode** as the key and value type as **String**

-Create a SaltState state file in your configuration repository (typically `/srv/salt`) that applies the necessary states to offboard and remove Defender for Endpoint. Before using the offboarding state file, you'll need to download the offboading package from the Security portal and extract it in the same way you did the onboarding package. The downloaded offboarding package is only valid for a limited period of time.

-Now apply the state to the minions. The below command will apply the state to machines with the name that begins with `mdetest`.

-See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.

-In enterprise environments, Defender for Endpoint on Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile. If exclusions were added through the managed configuration profile, they can only be removed through the managed configuration profile. The command line works for exclusions that were added locally.

-Specifies whether to start a process scan after new security intelligence updates are downloaded on the device. Enabling this setting will trigger an antivirus scan on the running processes of the device.

-Specifies the degree of parallelism for on-demand scans. This corresponds to the number of threads used to perform the scan and impacts the CPU usage, as well as the duration of the on-demand scan.

-Configure filesystems to be unmonitored/excluded from Real Time Protection. The filesystems configured will be validated against Microsoft Defender's list of permitted filesystems that can be unmonitored. By default NFS and Fuse are unmonitored from RTP and Quick and Full scans.

-Enables or disables file hash computation feature. When this feature is enabled, Defender for Endpoint will compute hashes for files it scans. Note that enabling this feature might impact device performance. For more details, please refer to: [Create indicators for files](indicator-file.md).

-List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.

-Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.

-This setting determines how aggressive Defender for Endpoint will be in blocking and scanning suspicious files. If this setting is on, Defender for Endpoint will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. There are five values for setting cloud block level:

-The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:

-There is some information about events that is common to all events, regardless of category or data subtype.

-|features.\[optional feature name\]|List of preview features, along with whether they are enabled or not.|

-|ipc.connected|Whether there is any active connection to the kernel extension.|

- - Starting with this version, we are bringing Microsoft Defender for Endpoint support to the following distros:

- > :::image type="content" source="images/mdatp-6-systemconfigurationprofiles-3.png" alt-text="The completion of the custom configuration profile" lightbox="images/mdatp-6-systemconfigurationprofiles-3.png":::

-If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender for Endpoint on macOS.

-Microsoft Defender for Endpoint on macOS does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features:

-Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender for Endpoint on macOS is not part of macOS.

-macOS requires that a user manually and explicitly approves certain functions that an application uses, for example system extensions, running in background, sending notifications, full disk access etc. Microsoft Defender for Endpoint relies on these functions, and cannot properly function until all these consents are received from a user.

-You will have to visit the above mentioned page, and publish new profiles once they became available.

-In enterprise organizations, Microsoft Defender for Endpoint on macOS can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Changing the preferences that are set through the configuration profile requires escalated privileges and is not available for users without administrative permissions.

-Enables or disables file hash computation feature. When this feature is enabled, Defender for Endpoint will compute hashes for files it scans to enable better matching against the indicator rules. On macOS, only the script and Mach-O (32 and 64 bit) files are considered for this hash computation (from engine version 1.1.20000.2 or higher). Note that enabling this feature might impact device performance. For more details, please refer to: [Create indicators for files](indicator-file.md).

-Specifies whether to start a process scan after new security intelligence updates are downloaded on the device. Enabling this setting will trigger an antivirus scan on the running processes of the device.

-|Wildcard|Description|Example|Matches|Does not match|

-Specify threats by name that are not blocked by Defender for Endpoint on Mac. These threats will be allowed to run.

-Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.

-Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.

-Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.

-There is some information about events that is common to all events, regardless of category or data subtype.

-|features.\[optional feature name\]|List of preview features, along with whether they are enabled or not.|

-|ipc.connected|Whether there is any active connection to the kernel extension.|

-While we do not display an exact error to the end user, we keep a log file with installation progress in `/Library/Logs/Microsoft/mdatp/install.log`. Each installation session appends to this log file. You can use `sed` to output the last installation session only:

-The installation failed because a downgrade between these versions is not supported.

-First, verify that an installation happened. Then analyze possible errors by querying macOS logs. It's helpful to do this in MDM deployments, when there is no client UI. We recommend that you use a narrow time window to run a query and filter by the logging process name, as there will be a huge amount of information.

-Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface.

-|lastSeen|DateTimeOffset|Time and date of the last received full device report. A device typically sends a full report every 24 hours. <br> NOTE: This property does not correspond to the lastseen value in the UI. It is pertains to the last device update.|

-An Indicator of compromise (IoC) is a forensic artifact, observed on the network or host. An IoC indicates - with high confidence - a computer or network intrusion has occurred. IoCs are observable, which link them directly to measurable events. Some IoC examples include:

-False Positive (FP) refers to a SmartScreen false positive, Microsoft says it is malware / phish but it is actually a safe site, so customer wants to create an allow policy for this.

-Because each version of an application has a different file hash, using indicators to block hashes is not recommended.

-The cloud detection engine of Defender for Endpoint regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.

-The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender Antivirus is the primary Antivirus configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender Antivirus will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender Antivirus will not detect nor block the file from being run.

-The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".

-The `EnableFileHashComputation` setting computes the file hash for the cert and file IoC during file scans. It supports IoC enforcement of hashes and certs belong to trusted applications. It will be concurrently enabled and disabled with the allow or block file setting. `EnableFileHashComputation` is enabled manually through Group Policy, and is disabled by default.

-The functionality of pre-existing IoCs will not change. However, the indicators were renamed to match the current supported response actions:

-A false positive is an artifact, like a file or a process, that was detected as malicious, even though it isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is. False positives/negatives can occur with any endpoint protection solution, including Defender for Endpoint. However, there are steps you can take to address these kinds of issues and fine-tune your solution, as depicted in the following image:

- - `nfs`

-Beta versions of macOS are not supported.

-To test that a connection is not blocked, open <https://x.cp.wd.microsoft.com/api/report> and <https://cdn.x.cp.wd.microsoft.com/ping> in a browser.

-3. Enable one of the Microsoft Defender for Server plans on your [subscription(s)](/azure/defender-for-cloud/enable-enhanced-security). In case you're using Defender for Servers Plan 2, make sure to also enable it on the Log Analytics workspace your machines are connected to; it will enable you to use optional features like File Integrity Monitoring, Adaptive Application Controls and more.

- If you have any of these buttons in your environment, make sure to enable integration for both. On new subscriptions, both options will be enabled by default. In this case, you will not see these buttons in your environment.

-Once you've completed the relevant migration steps, Microsoft Defender for Cloud will deploy the `MDE.Windows` or `MDE.Linux` extension to your Azure VMs and non-Azure machines connected through Azure Arc (including VMs in AWS and GCP compute).

-The extension acts as a management and deployment interface, which will orchestrate and wrap the MDE installation scripts inside the operating system and reflect its provisioning state to the Azure management plane. The installation process will recognize an existing Defender for Endpoint installation and connect it to Defender for Cloud by automatically adding Defender for Endpoint service tags.

-In case you have Windows Server 2012 R2 or 2016 machines that are provisioned with the legacy, Log Analytics-based Microsoft Defender for Endpoint solution, Microsoft Defender for Cloud's deployment process will deploy the Defender for Endpoint [unified solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution). After successful deployment, it will stop and disable the legacy Defender for Endpoint process on these machines.

-The standalone versions of [Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md), even when they are included as part of other Microsoft 365 plans, do not include server licenses. To onboard servers to those plans, you'll need either Microsoft Defender for Endpoint for Servers or Defender for Servers Plan 1 or Plan 2 as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).

-When components are up-to-date on Microsoft Windows operating systems, Microsoft Defender for Endpoint support will follow the respective operating system's lifecycle. For more information, see [Lifecycle FAQ](/lifecycle/faq/general-lifecycle). New features or capabilities are typically provided only on operating systems that have not yet reached the end of their lifecycle. Security intelligence updates (definition and engine updates) and detection logic will continue to be provided until at least:

-If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Configuration Manager (current branch), you'll need to ensure the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).

-Microsoft Defender for Endpoint on Android and iOS is our **mobile threat defense solution (MTD)**. Typically, companies are proactive in protecting PCs from vulnerabilities and attack while mobile devices often go unmonitored and unprotected. Where mobile platforms have built-in protection such as app isolation and vetted consumer app stores, these platforms remain vulnerable to web-based or other sophisticated attacks. As more employees use devices for work and to access sensitive information, it is imperative that companies deploy an MTD solution to protect devices and your resources from increasingly sophisticated attacks on mobiles.

-|Microsoft Defender Vulnerability Management (MDVM) |Vulnerability assessment of onboarded mobile devices. Includes OS and Apps vulnerabilites assessment for both Android and iOS. Visit this [page](next-gen-threat-and-vuln-mgt.md) to learn more about Microsoft Defender Vulnerability Management in Microsoft Defender for Endpoint.|

-While evaluating mobile threat defense with Microsoft Defender for Endpoint, you can verify that certain criteria is met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria and ensure that they are satisfied before deploying widely.

-A designated Microsoft Defender for Endpoint device will be used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for Endpoint's Vulnerability Management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.

-Once the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities on network devices deployed across their organizations.

-Network devices are not managed as standard endpoints since Defender for Endpoint doesn't have a sensor built into the network devices themselves. These types of devices require an agentless approach where a remote scan will obtain the necessary information from the devices. Depending on the network topology and characteristics, a single device or a few devices onboarded to Microsoft Defender for Endpoint will perform authenticated scans of network devices using SNMP (read-only).

-There will be two types of devices to keep in mind:

-Once the network devices are discovered and classified, security administrators will be able to receive the latest security recommendations and review recently discovered vulnerabilities on network devices deployed across their organizations.

-More networking vendors and OS will be added over time, based on data gathered from customer usage. Therefore, you are encouraged to configure all your network devices, even if they're not specified in this list.

-Your first step is to select a device that will perform the authenticated network scans.

-6. Obtain the SNMP credentials of the network devices (for example: Community String, noAuthNoPriv, authNoPriv, authPriv). You'll be required to provide the credentials when configuring a new scan job.

-3. When finished, you should see a message confirming you have signed in.

-The scanner has a scheduled task that, by default, is configured to look for updates on a regular basis. When the task runs, it compares the version of the scanner on the client device to the version of the agent on the update location. The update location is where Windows looks for updates, such as on a network share or from the internet.

-5. Select the **Scanning device:** The onboarded device you'll use to scan the network devices.

-6. Enter the **Target (range):** The IP address ranges or hostnames you want to scan. You can either enter the addresses or import a CSV file. Importing a file will override any manually added addresses.

-7. Select the **Scan interval:** By default, the scan will run every four hours, you can change the scan interval or have it only run once, by selecting 'Do not repeat'.

- - You can select to **Use azure KeyVault for providing credentials:** If you manage your credentials in Azure KeyVault you can enter the Azure KeyVault URL and Azure KeyVault secret name to be accessed by the scanning device to provide credentials. The secret value is dependent on the Authenticated Method you choose:

-Each scanning device can support up to 1,500 successful IP addresses scan. For example, if you scan 10 different subnets where only 100 IP addresses return successful results, you will be able to scan 1,400 IP additional addresses from other subnets on the same scanning device.

-If there are multiple IP address ranges/subnets to scan, the test scan results will take several minutes to show up. A test scan will be available for up to 1,024 addresses.

-Once the results show up, you can choose which devices will be included in the periodic scan. If you skip viewing the scan results, all configured IP addresses will be added to the network device authenticated scan (regardless of the device's response). The scan results can also be exported.

-Newly discovered devices will be shown under the new **Network devices** tab in the **Device inventory** page. It may take up to two hours after adding an scanning job until the devices are updated.

-As the authenticated scanner currently uses an encryption algorithm that is not compliant with [Federal Information Processing Standards (FIPS)](/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing/), the scanner can't operate when an organization enforces the use of FIPS compliant algorithms.

-To allow algorithms that are not compliant with FIPS, set the following value in the registry for the devices where the scanner will run:

-> Microsoft Defender for Endpoint does not support native compute workloads in Amazon Web Services (AWS) and Google Cloud Platform (GCP).

-The machine ID can be found in the URL when you select the device. Generally, it is a 40 digit alphanumeric number that can be found in the URL.

-Here is an example of the request. If there is no JSON comment added, it will error out with code **400**.

-description: Run the detection test script on a device recently onboarded to the Microsoft Defender for Endpoint service to verify that it is properly added.

-Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Defender for Endpoint service.

-The Command Prompt window will close automatically. If successful, a new alert will appear in the portal for the onboarded device in about ten minutes.

-2. 25 concurrently running sessions (requests exceeding the throttling limit will receive a "429 - Too many requests" response).

-3. If the machine is not available, the session will be queued for up to 3 days.

-5. Live response commands cannot be queued up and can only be executed one at a time.

-6. If the machine that you are trying to run this API call is in an RBAC device group that does not have an automated remediation level assigned to it, you'll need to at least enable the minimum Remediation Level for a given Device Group.

-7. Multiple live response commands can be run on a single API call. However, when a live response command fails all the subsequent actions will not be executed.

- Action entity. If machine with the specified ID was not found - 404 Not Found.

-Here is an example of the request.

-Here is an example of the response.

-keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level

-ms.pagetype: security

-ms.sitesec: library

-Cloud protection works together with Microsoft Defender Antivirus to deliver protection to your endpoints much faster than through traditional security intelligence updates. You can configure your level of cloud protection by using Microsoft Intune (recommended) or Group Policy.

-3. In the **Group Policy Management Editor** go to **Computer Configuration** \> **Administrative templates**.

-5. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:

- - **Not configured**: Default state.

-6. Select **OK**.

-7. Deploy your updated Group Policy Object. See [Group Policy Management Console](/windows/win32/srvnodes/group-policy)

-> [!TIP]

-> If you're looking for Antivirus related information for other platforms, see:

-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

-> - [Configure Defender for Endpoint on Android features](android-configure.md)

-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

-

-[Why cloud protection should be enabled for Microsoft Defender Antivirus](why-cloud-protection-should-be-on-mdav.md)

-|Disabled|Tamper protection is completely off|

-|Audit|Tampering operations are logged, but not blocked (this is the default mode after installation)|

-|Block|Tamper protection is on, tampering operations are blocked|

-Use the following command:

-The result will show "block" if tamper protection is on:

-IOCs are individually known malicious events that indicate that a network or device has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not be able to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks.

-Each IOC defines the concrete detection logic based on its type, value, and action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft 365 Defender console.

-Here is an example of an IOC:

-action|Enum|The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Warn", "Block", "Audit", "Alert", "AlertAndBlock", "BlockAndRemediate" and "Allowed".

-rbacGroupIds|List of strings|RBAC device group ID's where the indicator is exposed and active. Empty list in case it exposed to all devices.

-generateAlert|Enum|**True** if alert generation is required, **False** if this indicator should not generate an alert.

-Attack surface reduction rules will only work on devices with the following conditions:

-If while trying to take an action during a live response session, you encounter an error message stating that the file can't be accessed, you'll need to use the steps below to address the issue.

-Live response leverages Defender for Endpoint sensor registration with WNS service in Windows. If you are having connectivity issues with live response, confirm the following details:

-1. WpnService (Windows Push Notifications System Service) is not disabled.

-2. WpnService connectivity with WNS cloud is not disabled via group policy or MDM setting. ['Turn off notifications network usage'](/windows/client-management/mdm/policy-csp-notifications) should not be set to '1'.

-If you encounter a server error when trying to access the service, you'll need to change your browser cookie settings.

-If some elements or data is missing on Microsoft 365 Defender it's possible that proxy settings are blocking it.

-If onboarding devices successfully completes but Microsoft Defender for Endpoint does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.

-Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5 K is displayed as 15.5 K.

-<dt>Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>

-The antimalware platform could not delete history of malware and other potentially unwanted software.

-<dt>Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>

-Whenever Microsoft Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:<ul>

-No action is necessary. Microsoft Defender Antivirus failed to complete a task related to the malware remediation. This is not a critical failure.

-The user can add the blocked process to the <i>Allowed Process</i> list for CFA, using Powershell or Windows Security Center.

-This error occurs when there is a problem updating definitions.

-The Microsoft Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is usually due to an interruption in network connectivity during an update.

-The Microsoft Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Microsoft Defender Antivirus will attempt to revert back to a known-good set of definitions.

-Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.

-Microsoft Defender Antivirus could not load antimalware engine because current platform version is not supported. Microsoft Defender Antivirus will revert back to the last known-good engine and a platform update will be attempted.

-<li>The default value for <b>EnableDynamicSignatureDroppedEventReporting</b> is <b>false</b>, which means <i>2011 events are not reported</i>. If it's set to true, 2011 events <i>are reported</i>.</li>

-<dt>Because 2010 signature events are timely distributed sporadically - and will not cause a spike - 2010 signature event behavior is unchanged.</dt>

-The support for your operating system will expire shortly. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.

-The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system is not an adequate solution to protect against threats.

-The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

-You should restart the system then run a full scan because it's possible the system was not protected for some time.

-If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.

-Microsoft Defender Antivirus Real-time Protection has restarted a feature. It is recommended that you run a full system scan to detect any items that may have been missed while this agent was down.

-If Microsoft Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. This section provides the following information about Microsoft Defender Antivirus client errors.

-Note: The size of the definitions file downloaded from the site can exceed 60 MB and should not be used as a long-term solution for updating definitions.

-This error indicates that there might be an engine configuration error; commonly, this is related to input data that does not allow the engine to function properly.

-Microsoft Defender Antivirus is not able to remediate threats detected inside the archive. Consider manually removing the detected resources.

-This error indicates that Microsoft Defender Antivirus does not support the current version of the platform and requires a new version of the platform.

-This is an internal error. The cause is not clearly defined.

-This is an internal error. It might be triggered when malware removal is not successful.

-Before you start troubleshooting issues with onboarding tools, it is important to check if the minimum requirements are met for onboarding devices to the services. [Learn about the licensing, hardware, and software requirements to onboard devices to the service](minimum-requirements.md).

-If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem.

-Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate if the deployment has succeeded or not.

-If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, you can check the output of the script on the devices. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).

-If the onboarding completed successfully but the devices are not showing up in the **Devices list** after an hour, see [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.

-|`40`|SENSE service onboarding status is not set to **1**|The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).|

-If you have configured policies in Intune and they are not propagated on devices, you might need to configure automatic MDM enrollment.

-||||Onboarding <p> Offboarding <p> SampleSharing|**Possible cause:** Microsoft Defender for Endpoint Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <p> **Troubleshooting steps:** Ensure that the following registry key exists: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` <p> If it doesn't exist, open an elevated command and add the key.|

-||||All|**Possible cause:** Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform, particularly Holographic SKU. <p> Currently supported platforms: <p> Enterprise, Education, and Professional.<p> Server is not supported.|

-|0x87D101A9|-2016345687|SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient.|All|**Possible cause:** Attempt to deploy Microsoft Defender for Endpoint on non-supported SKU/Platform, particularly Holographic SKU.<p> Currently supported platforms: <p> Enterprise, Education, and Professional.|

-|`3`|Device is non-compliant|**Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same device at same time.|

-If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender for Endpoint agent.

-6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:

- |`6`|Microsoft Defender for Endpoint service is not onboarded and no onboarding parameters were found. Failure code: _variable_|[Run the onboarding script again](configure-endpoints-script.md).|

- |`15`|Microsoft Defender for Endpoint cannot start command channel with URL: _variable_|[Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection).|

- |`63`|Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4|Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.|

- If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.

-**Problem**: The Microsoft Defender for Endpoint service does not start after onboarding.

-> The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see [Microsoft Defender for Endpoint](/mem/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).

-To successfully register devices to Azure Active Directory, you'll need to ensure the following:

-In the list, if a device's enrollment status is not "Success", select the device to see troubleshooting details in the side panel, pointing to the root cause of the error, and corresponding documentation.

-For example, as part of the Security Management onboarding flow, it is required for the Azure Active Directory Tenant ID in your Microsoft Defender for Endpoint Tenant to match the SCP Tenant ID that appears in the reports' **Device Configuration Management Details** section. If relevant, the report output will recommend to perform this verification.

-If you weren't able to identify the onboarded device in Azure AD or in the Intune admin center, and did not receive an error during the enrollment, checking the registry key `Computer\\HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SenseCM\\EnrollmentStatus` can provide additional troubleshooting information.

-The following table lists errors and directions on what to try/check in order to address the error. Note that the list of errors is not complete and is based on typical/common errors encountered by customers in the past:

-|`5-7`, `9`, `11-12`, `26-33`|General error|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow. This could be due to the device not meeting [prerequisites for Microsoft Defender for Endpoint management channel](security-config-management.md). Running the [Client Analyzer](https://aka.ms/BetaMDEAnalyzer) on the device can help identify the root cause of the issue. If this doesn't help, please contact support.|

-| `8`, `44` | Microsoft Intune Configuration issue | The device was successfully onboarded to Microsoft Defender for Endpoint. However, Microsoft Intune has not been configured through the Admin Center to allow Microsoft Defender for Endpoint Security Configuration. Make sure the [Microsoft Intune tenant is configured and the feature is turned on](/mem/intune/protect/mde-security-integration#configure-your-tenant-to-support-microsoft-defender-for-endpoint-security-configuration-management).|

-|`13-14`,`20`,`24`,`25`|Connectivity issue|The device was successfully onboarded to Microsoft Defender for Endpoint. However, there was an error in the security configuration management flow which could be due to a connectivity issue. Verify that the [Azure Active Directory and Microsoft Intune endpoints](security-config-management.md#connectivity-requirements) are opened in your firewall.|

-|`16`,`17`|Hybrid error - Service Connection Point|The device was successfully onboarded to Microsoft Defender for Endpoint. However, Service Connection Point (SCP) record is not configured correctly and the device couldn't be joined to Azure AD. This could be due to the SCP being configured to join Enterprise DRS. Make sure the SCP record points to AAD and SCP is configured following best practices. For more information, see [Configure a service connection point](/azure/active-directory/devices/hybrid-azuread-join-manual#configure-a-service-connection-point).|

-For Security Management for Microsoft Defender for Endpoint on Windows Server 2012 R2 domain joined computers, an update to Azure AD Connect sync rule "In from AD-Computer Join" is needed. This can be achieved by cloning and modifying the rule, which will disable the original "In from AD - Computer Join" rule. Azure AD Connect by default offers this experience for making changes to built-in rules.

-4. Select **Next** three times. This will navigate to the 'Transformations' section of the rule. Do not make any changes to the 'Scoping filter' and 'Join rules' sections of the rule. The 'Transformations' section should now be shown.

-You can configure definition retirement using Group Policy. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance.

-Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.

-If machine with the specified ID was not found - 404 Not Found.

-While taking the remediation steps suggested by a security recommendation, security admins with the proper permissions can perform a mitigation action and block vulnerable versions of an application. File indicators of compromise (IOC)s will be created for each of the executable files that belong to vulnerable versions of that application. Microsoft Defender Antivirus then enforces blocks on the devices that are in the specified scope.

-The **block action** is intended to block all installed vulnerable versions of the application in your organization from running. For example, if there is an active zero-day vulnerability you can block your users from running the affected software while you determine work-around options.

-For both actions, you can customize the message the users will see. For example, you can encourage them to install the latest version. Additionally, you can provide a custom URL the users will navigate to when they select the notification. Note that the user must click the body of the toast notification in order to navigate to the custom URL. This can be used to provide additional details specific to the application management in your organization.

-7. Under **Mitigation action**, select **Block** or **Warn**. Once you submit a mitigation action, it will be immediately applied.

-If additional vulnerabilities are found on a different version of an application, you'll get a new security recommendation, asking you to update the application, and you can choose to also block this different version.

-If you try to block an application and it doesn't work, you may have reached the maximum indicator capacity. If this is the case, you can delete old indicators [Learn more about indicators](../defender-endpoint/manage-indicators.md).

-When users try to access a blocked application, they'll receive a message informing them that the application has been blocked by their organization. This message is customizable.

-For applications where the warn mitigation option was applied, users will receive a message informing them that the application has been blocked by their organization, but the user has the option to bypass the block for subsequent launches, by choosing "Allow". This allow is only temporary, and the application will be blocked again after a while.

-A commonly asked question is how does an end-user update a blocked application? The block is enforced by blocking the executable file. Some applications, such as Firefox, rely on a separate update executable which, will not be blocked by this feature. In other cases when the application requires the main executable file to update, it is recommended to either implement the block in warn mode (so that the end-user can bypass the block) or the end-user can delete the application (if no vital information is stored on the client) and reinstalls the application.

-As an alternative to a remediation request when a recommendation is not relevant at the moment, you can create exceptions for recommendations. If your organization has device groups, you will be able to scope the exception to specific device groups. Exceptions can either be created for selected device groups, or for all device groups past and present.

-When an exception is created for a recommendation, the recommendation will not be active until the end of the exception duration. The recommendation state will change to **Full exception** or **Partial exception** (by device group).

-Apply the exception to all current device groups or choose specific device groups. Future device groups won't be included in the exception. Device groups that already have an exception will not be displayed in the list. If you only select certain device groups, the recommendation state will change from "active" to "partial exception." The state will change to "full exception" if you select all the device groups.

-If you have filtered by device group on any of the vulnerability management pages, only your filtered device groups will appear as options.

-A flyout will appear where you can search and choose device groups you want included. Select the check mark icon below Search to check/uncheck all.

-If you have global administrator permissions, you will be able to create and cancel a global exception. It affects **all** current and future device groups in your organization, and only a user with similar permission would be able to change it. The recommendation state will change from "active" to "full exception."

- - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced

- - Choosing this justification type will lower your exposure score and increase your secure score because your risk is reduced

-To cancel the exception for all device groups or for a global exception, select the **Cancel exception for all device groups** button. You will only be able to cancel exceptions for device groups you have permissions for.

-Select the specific device group to cancel the exception for it. A flyout will appear for the device group, and you can select **Cancel exception**.

-The exposed devices (after exceptions) column shows the remaining devices that are still exposed to vulnerabilities after exceptions are applied. Exception justifications that affect the exposure include 'third party control' and 'alternate mitigation'. Other justifications do not reduce the exposure of a device, and they are still considered exposed.

-The impact (after exceptions) shows remaining impact to exposure score or secure score after exceptions are applied. Exception justifications that affect the scores include 'third party control' and 'alternate mitigation.' Other justifications do not reduce the exposure of a device, and so the exposure score and secure score do not change.

-**Note**: If you have the Intune connection enabled, you get an option to create an Intune security task when creating a remediation request. This option does not appear if the connection is not set.

- 1. If you choose the "attention required" remediation option, selecting a due date will not be available since there is no specific action.

-4. Select **Submit request**. Submitting a remediation request creates a remediation activity item within vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices.

-If you chose the "attention required" remediation option, there will be no progress bar, ticket status, or due date since there is no actual action we can monitor.

-Microsoft 365 Defender contributes to a strong Zero Trust strategy and architecture by providing extended detection and response. Microsoft 365 Defender works together with other Microsoft extended detection and response (XDR) tools and can also be integrated with Microsoft Sentinel.

-| Verify explicitly | Microsoft 365 Defender provides extended detection and response across users, identities, devices, apps, and emails. |

-| Use least privileged access |If used with Azure Active Directory Identity Protection, Microsoft 365 Defender blocks users based on the level of risk posed by an identity. Azure AD Identity Protection is licensed separately from Microsoft 365 Defender. It is included with Azure Active Directory Premium P2. |

-To add Microsoft 365 Defender to your Zero Trust strategy and architecture, go to ***[Evaluate and pilot Microsoft 365 Defender](eval-overview.md)*** for a methodical guide to piloting and deploying Microsoft 365 Defender components. The following table summarizes what these topics include.

-|Set up the evaluation and pilot environment for all components: <ul><li>Defender for Identity</li><li>Defender for Office 365</li><li>Defender for Endpoint</li><li>Microsoft Defender for Cloud Apps</li></ul> <br> Protect against threats <br><br> Investigate and respond to threats|See the guidance to read about the architecture requirements for each component of Microsoft 365 Defender.| Azure AD Identity Protection is not included in this solution guide. It is included in [Step 1. Configure Zero Trust identity and device access protection](../microsoft-365-zero-trust.md#step-1-configure-zero-trust-identity-and-device-access-protection--starting-point-policies).|

-To learn more about other Microsoft 365 capabilities that contribute to a strong Zero Trust strategy and architecture, see [Zero Trust deployment plan with Microsoft 365](../Microsoft-365-zero-trust.md).

-To learn more about Zero Trust and how to build an enterprise-scale strategy and architecture, see the [Zero Trust Guidance Center](/security/zero-trust).

-Exploit kits are more comprehensive tools that contain a collection of exploits. These kits scan devices for different kinds of software vulnerabilities and, if any are detected, deploy additional malware to further infect a device. Kits can use exploits targeting a variety of software, including Adobe Flash Player, Adobe Reader, Internet Explorer, Oracle Java, and Sun Java.

-When our analysts research a particular threat, they'll determine what each of the components of the name will be.

-Using pirated content is not only illegal, it can also expose your device to malware. Sites that offer pirated software and media are also often used to distribute malware when the site is visited. Sometimes pirated software is bundled with malware and other unwanted software when downloaded, including intrusive browser plugins and adware.

-Users do not openly discuss visits to these sites, so any untoward experience are more likely to stay unreported.

-Only use removable drives that you are familiar with or that come from a trusted source. If a drive has been used in publicly accessible devices, like computers in a café or a library, make sure you have antimalware running on your computer before you use the drive. Avoid opening unfamiliar files you find on suspect drives, including Office and PDF documents and executable files.

-At the time they are launched, whether inadvertently by a user or automatically, most malware run under the same privileges as the active user. This means that by limiting account privileges, you can prevent malware from making consequential changes any devices.

-By default, Windows uses [User Account Control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview.md) to provide automatic, granular control of privilegesΓÇöit temporarily restricts privileges and prompts the active user every time an application attempts to make potentially consequential changes to the system. Although UAC helps limit the privileges of admin users, users can override this restriction when prompted. As a result, it is quite easy for an admin user to inadvertently allow malware to run.

-To help ensure that everyday activities do not result in malware infection and other potentially catastrophic changes, it is recommended that you use a non-administrator account for regular use. By using a non-administrator account, you can prevent installation of unauthorized apps and prevent inadvertent changes to system settings. Avoid browsing the web or checking email using an account with administrator privileges.

-Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects.

-Malware authors use rootkits to hide malware on your device, allowing malware to persist as long as possible. A successful rootkit can potentially remain in place for years if it's undetected. During this time, it will steal information and resources.

-Supply chain attacks are an emerging kind of threat that target software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware.

-It is also important to keep the following in mind:

-* Microsoft does not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to fix your computer.

-* Run a full scan with Microsoft Defender Antivirus to remove any malware. Apply all security updates as soon as they are available.

-* Call your credit card provider to reverse the charges, if you have already paid.

-* Monitor anomalous logon activity. Use Windows Defender Firewall to block traffic to services that you would not normally access.

-In Microsoft Defender for Office 365, remediation actions are not taken automatically. Instead, remediation actions are taken only upon approval by your organization's security operations team.

-Microsoft Defender for Office 365 includes remediation actions to address various threats. Automated investigations often result in one or more remediation actions to review and approve. In some cases, an automated investigation does not result in a specific remediation action. To further investigate and take appropriate actions, use the guidance in the following table.

-|Email|Volume anomaly <br> (Recent email quantities exceed the previous 7-10 days for matching criteria.)|Automated investigation does not result in a specific pending action. <p>Volume anomaly is not a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days. <p>Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. See [Find suspicious email that was delivered](investigate-malicious-email-that-was-delivered.md#find-suspicious-email-that-was-delivered).|

-|Email|No threats found <br> (The system did not find any threats based on files, URLs, or analysis of email cluster verdicts.)|Automated investigation does not result in a specific pending action. <p>Threats found and [zapped](zero-hour-auto-purge.md) after an investigation is complete are not reflected in an investigation's numerical findings, but such threats are viewable in [Threat Explorer](threat-explorer-about.md).|

-|User|A user clicked a malicious URL <br> (A user navigated to a page that was later found to be malicious, or a user bypassed a [Safe Links warning page](safe-links-about.md#warning-pages-from-safe-links) to get to a malicious page.)|Automated investigation does not result in a specific pending action. <p> Block URL (time-of-click) <p> Use Threat Explorer to [view data about URLs and click verdicts](threat-explorer-about.md#view-phishing-url-and-click-verdict-data). <p> If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) to determine if their account is compromised.|

-|User|A user is sending malware/phish|Automated investigation does not result in a specific pending action. <p> The user might be reporting malware/phish, or someone could be [spoofing the user](anti-phishing-protection-spoofing-about.md) as part of an attack. Use [Threat Explorer](threat-explorer-about.md) to view and handle email containing [malware](threat-explorer-views.md#email--malware) or [phish](threat-explorer-views.md#email--phish).|

-|User|Data exfiltration <br> (A user violated email or file-sharing [DLP policies](../../compliance/dlp-learn-about-dlp.md) |Automated investigation does not result in a specific pending action. <p> [View DLP reports and take action](../../compliance/view-the-dlp-reports.md).|

-|User|Anomalous email sending <br> (A user recently sent more email than during the previous 7-10 days.)|Automated investigation does not result in a specific pending action. <p> Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. To investigate, use the [New users forwarding email insight in the EAC](/exchange/monitoring/mail-flow-insights/mfi-new-users-forwarding-email-insight) and [Outbound message report in the EAC](/exchange/monitoring/mail-flow-reports/mfr-inbound-messages-and-outbound-messages-reports) to determine what's going on and take action.|

- - We recommend that you do not separate the angle brackets with spaces.

-You can't use the value `From: <>` to suppress auto-replies. Instead, you need to set up a null MX record for your custom domain. Auto-replies (and all replies) are naturally suppressed because there is no published address that the responding server can send messages to.

-You can't override the From address requirements for outbound email that you send from Microsoft 365. In addition, Outlook.com will not allow overrides of any kind, even through support.

- - **What if mode**: If impersonation protection is not enabled and configured in any active anti-phishing policies, the insight shows you how many messages *would* have been detected by our impersonation protection capabilities over the past seven days.

- - Test mode is not available for the following ASF settings:

-|**SPF record: hard fail** <p> *MarkAsSpamSpfRecordHardFail*|Messages sent from an IP address that isn't specified in the SPF Sender Policy Framework (SPF) record in DNS for the source email domain are marked as high confidence spam. <p> Test mode is not available for this setting.|`X-CustomSpam: SPF Record Fail`|

-|**Sender ID filtering hard fail** <p> *MarkAsSpamFromAddressAuthFail*|Messages that hard fail a conditional Sender ID check are marked as spam. <p> This setting combines an SPF check with a Sender ID check to help protect against message headers that contain forged senders. <p> Test mode is not available for this setting.|`X-CustomSpam: SPF From Record Fail`|

-|**Backscatter** <p> *MarkAsSpamNdrBackscatter*|*Backscatter* is useless non-delivery reports (also known as NDRs or bounce messages) caused by forged senders in email messages. For more information, see [Backscatter messages and EOP](anti-spam-backscatter-about.md). <p> You don't need to configure this setting in the following environments, because legitimate NDRs are delivered, and backscatter is marked as spam: <ul><li>Microsoft 365 organizations with Exchange Online mailboxes.</li><li>On-premises email organizations where you route *outbound* email through EOP.</li></ul> <br/> In standalone EOP environments that protect inbound email to on-premises mailboxes, turning this setting on or off has the following result: <ul><li> **On**: Legitimate NDRs are delivered, and backscatter is marked as spam.</li><li>**Off**: Legitimate NDRs and backscatter go through normal spam filtering. Most legitimate NDRs will be delivered to the original message sender. Some, but not all, backscatter is marked as spam. By definition, backscatter can only be delivered to the spoofed sender, not to the original sender.</li></ul> <br/> Test mode is not available for this setting.|`X-CustomSpam: Backscatter NDR`|

-|0, 1|Spam filtering determined the message was not spam.|Deliver the message to the recipients' inbox.|

-To see the available end-user notifications, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **End user notifications**. To go directly to the **Simulation content library** tab where you can select **End user notifications**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.

-**End user notifications** has two tabs:

-The following information is shown for each notification:

-To find a notification in the list, use the  **Search** box to find the name of the notification.

-To remove one or more columns that are displayed, click  **Customize columns**.

- - **Simulations**

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **End user notifications**. To go directly to the **Simulation content library** tab where you can select **End user notifications**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.

-2. On the **Tenant notifications** tab, click  **Create new** to start the end user notification wizard.

- > At any point during the creation wizard, you can click **Save and close** to save your progress and continue configuring the notification later. You can pick up where you left off by selecting the notification on the **Tenant notifications** tab in **End user notifications**, and then clicking  **Edit automation**. The partially-completed notification will have the **Status** value **Draft**.

- When you're finished, click **Next**.

-4. On the **Define content** page, the only setting that's available is the **Add content in business language** button. When you click it, an **Add content in default language** flyout appears that contains the following settings:

- - **From display name**

- - **From email address**

- - **Mark this as the default language**: Because this is the first and only language for the notification, this value is selected and you can't change it.

- - **Subject**: The default value is **Thanks for reporting phish**, but you can change it.

- - **Text** tab: A rich text editor is available to create your notification email. In addition to the typical font and formatting settings, the following settings are available:

- - **Insert first name**

- - **Insert last name**

- - **Insert UPN**

- - **Insert email address**

- - **Insert payload**

- When you're finished, click **Save**.

- You're taken back to the **Define content** page where the notification that you just created is summarized with the following information:

- - **Language**

- - **Subject**

- - **Category**

- - **Actions**: The following icons are available:

- -  **Edit**

- -  **View**

- -  **Delete**: If there's only language version of the notification, you can't delete it.

- To add a version of the notification in a different language, click . In the **Add translation** flyout that appears, the same settings are available as in the **Add content in default language** flyout that was previously described. The only difference is you can select **Mark this as the default language** in additional translations.

- When you're finished, click **Save**

- You can repeat this steps as many times as necessary to create translated versions of the notification in the 12 supported languages.

- When you're finished, click **Next**

- When you're finished, click **Submit**.

- On the **New simulation notification created** page, you can use the links to create a new notification, launch a simulation, or view all notifications.

- When you're finished, click **Done**.

-Back on the **Tenant notifications** tab in **End user notifications**, the notification that you created is now list.

-When you copy a custom notification on the **Tenant notifications** tab, a copy of the notification named "\<OriginalName\> - Copy" is available in the list.

-> [!NOTE]

-> The **Use from default** control on the **Add content in default language** flyout in the notification wizard allows you to copy the contents of a built-in notification.

-## Remove notifications

-You can't remove built-in notifications from the **Global notifications** tab. You can only remove custom notifications on the **Tenant notifications** tab.

-Note that this issue does not affect Microsoft Edge.

-Attack simulation training comes with rich, actionable insights that keep you informed of the threat readiness progress of your employees. If Attack simulation training reports are not populated with data, verify that audit log search is turned on in your organization (it's on by default).

-Detailed simulation reports are not updated immediately after you launch a campaign. Don't worry; this behavior is expected.

-While a simulation is in the **Scheduled** state, the simulation reports will be mostly empty. During this stage, the simulation engine is resolving the target user email addresses, expanding distribution groups, removing guest users from the list, etc.:

-Once the simulation enters the **In progress** stage, you will notice information starting to trickle into the reporting:

-Managing a large CSV file or adding many individual recipients can be cumbersome. Using Azure AD groups will simplify the overall management of the simulation.

-A: Currently, there are 40+ localized payloads available in 10+ languages: Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese, Russian, Spanish and Dutch. We've noticed that any direct or machine translations of existing payloads to other languages will lead to inaccuracies and decreased relevance.

-A: Yes you can! On the very last **Review Simulation** page in the wizard to create a new simulation, there's an option to **Send a test**. This option will send a sample phishing simulation message to the currently logged in user. After you validate the phishing message in your Inbox, you can submit the simulation.

-A: No. Currently, cross-tenant simulations are not supported. Verify that all of your targeted users are in the same tenant. Any cross-tenant users or guest users will be excluded from the simulation campaign.

-At 9:00 AM on the same day, the simulation message is sent to UserB. With region-aware delivery, the message is not sent to UserA on the same day, because 9:00 AM Pacific time is 12:00 PM Eastern time. Instead, the message is sent to UserA at 9:00 AM Eastern time on the following day.

-So, on the initial run of a campaign with region aware delivery enabled, it might appear that the simulation message was sent only to users in a specific time zone. But, as time passes and more users come into scope, the targeted users will increase.

-A: No. Any information entered at the credential harvest login page is discarded silently. Only the 'click' is recorded to capture the compromise event. Microsoft does not collect, log or store any details that users enter at this step.

- > NOR, ZAF, ARE and DEU are the latest additions. All features except reported email telemetry will be available in these regions. We are working to enable this and will notify our customers as soon as reported email telemetry becomes available.

-Insights and reports are available in the following locations in Attack simulation training in the Microsoft 365 Defender portal:

-Selecting **Launch a simulation** starts the simulation creation wizard. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training-simulations.md).

-### Behavior impact on compromise rate card

-The **Behavior impact on compromise rate** card on the **Overview** tab shows how your users responded to your simulations as compared to the historical data in Microsoft 365. You can use these insights to track progress in users threat readiness by running multiple simulations against the same groups of users.

-The chart data itself shows the following information:

-If you hover over a data point in the chart, the actual percentage values are shown.

-The following summary information is also shown on the card:

-To see a more detailed report, click **View simulations and training efficacy report**. This report is explained [later in this article](#training-efficacy-tab-for-the-attack-simulation-report).

-Selecting **Launch simulation for non-simulated users** starts the simulation creation wizard where the users who didn't receive the simulation are automatically selected on the **Target user** page. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training-simulations.md).

-### Recommendations card

-The **Recommendations** card on the **Overview** tab suggests different types of simulations to run.

-Selecting **Launch now** starts the simulation creation wizard with the specified simulation type automatically selected on the **Select technique** page. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training-simulations.md).

-You can open the **Attack simulation report** from the **Overview** tab by clicking on the **View ... report** buttons that are available in many of the cards that are described in this article. To go directly to the report, use <https://security.microsoft.com/attacksimulationreport>

-You can sort the results by clicking on an available column header.

-Click **Customize columns** to remove the columns that are shown. When you're finished, click **Apply**.

-You can sort the results by clicking on an available column header.

-Click **Customize columns** to remove the columns that are shown. When you're finished, click **Apply**.

-Click  **Filter** to filter the chart and details table by one or more of the following values:

-You can sort the results by clicking on an available column header.

-Click **Customize columns** to remove the columns that are shown. When you're finished, click **Apply**.

-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, login pages are shown to users in simulations that use **Credential harvest** and **Link in attachment** [social engineering techniques](attack-simulation-training-simulations.md#select-a-social-engineering-technique).

-To see the available login pages, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **Login pages**. To go directly to the **Simulation content library** tab where you can select **Login pages**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.

-**Login pages** has two tabs:

-To find a login page in the list, use the  **Search** box to find the name of the login page.

-Click  **Filter** to filter the login pages by **Language** or **Status**.

-To remove one or more columns that are displayed, click  **Customize columns**.

-When you select a login page from the list, a details flyout appears with the following information:

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **Login pages**. To go directly to the **Simulation content library** tab where you can select **Login pages**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.

-You can create custom login pages in the following locations:

- Click  **Create new** to start the create end user login page wizard.

- > .

- > At any point during the creation wizard, you can click **Save and close** to save your progress and continue configuring the login page later. You can pick up where you left off by selecting the login page on the **Tenant login pages** tab in **Login pages**, and then clicking  **Edit**. The partially-completed login page will have the **Status** value **Draft**.

-2. On the **Define details for login page** page, configure the following settings:

- When you're finished, click **Next**.

-3. On the **Configure login page** page, configure the following settings:

- - **Make this the default login page**: If you select this option, the login page will be the default selection in **Credential harvest** or **Link in attachment** [payloads](attack-simulation-training-payloads.md) or [payload automations](attack-simulation-training-payload-automations.md).

- - On the **Text** tab, a rich text editor is available for you to create your login page.

- - Use the **Dynamic tag** control to customize the login page by inserting the available tags:

- - **Insert user name**: The value that's added in the message body is `${userName}`.

- - **Insert email**: The value that's added in the message body is `${emailAddress}`.

- - **Insert date**: The value that's added in the message body is `${date|MM/dd/yyyy|offset}`.

- - Use the **Use from default** control to select a built-in login page to start with as a template.

- - The **Add Next button** control is available only on **Page 1** of two-page logins. The default text on the button is **Next** but you can change it.

- - The **Add compromise button** control in available on one-page logins or on **Page 2** of two-page logins. The default text on the button is **Submit**, but you can change it.

- - On the **Code** tab, you can view and modify the HTML code directly. Formatting and other controls like **Dynamic tag** and **Use from default** or **Add compromise button** aren't available.

- - Use the **Preview login page** button at the top of the page to review the login page.

- When you're finished, click **Next**.

-4. On the **Review login page** page, you can review the details of your login page.

- When you're finished, click **Submit**.

-5. On the **New login page \<Name\> created** page, you can use the links to create a new login page, launch a simulation, or view all login pages.

- When you're finished, click **Done**.

-Back on the **Tenant login pages** tab in **Login pages**, the login page that you created is now list.

-You can't remove built-in login pages from the **Global login pages** tab. You can only remove custom login pages on the **Tenant login pages** tab.

-The default login page is the default selection that's used in **Credential harvest** or **Link in attachment** [payloads](attack-simulation-training-payloads.md) or [payload automations](attack-simulation-training-payload-automations.md).

-> 

-To see the available payload automations, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> and then select **Payload automations**. To go directly to the **Automations** tab where you can select **Payload automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.

-The following information is shown for each payload automation:

- Click  **Create automation**.

- > At any point during the creation wizard, you can click **Save and close** to save your progress and continue configuring the payload automation later. You can pick up where you left off by selecting the payload automation in **Payload automations**, and then clicking  **Edit automation**. The partially-completed payload automation will have the **Status** value **Draft**.

-2. On the **Automation name** page, configure the following settings:

- When you're finished, click **Next**.

-3. On the **Run conditions** page, select the conditions of the real phishing attack that determines when the automation will run.

- Click  **Add condition** and select from one of the following conditions:

- - **No. of users targeted in the campaign**: Configure the following settings:

- - **Campaigns with a specific phish technique**: Select one of the available values:

- - **Credential harvest**

- - **Malware attachment**

- - **Link in attachment**

- - **Link to malware**

- - **Drive-by URL**

- - **Specific sender domain**: Enter a sender email domain value (for example, contoso.com).

- - **Specific sender name**: Enter a sender name value.

- - **Specific sender email**: Enter a sender email address.

- - **Specific user and group recipients**: Start typing the name or email address of the user or group. When it appears, select it.

- When you're finished, click **Next**.

-4. On the **Review automation** page, you can review the details of your payload automation.

- When you're finished, click **Submit**.

-5. On the **New automation created** page, you can use the links to turn on the automation or go to the **Simulations** page.

-Back on the **Payload automations** in **Automations**, the login page that you created is now list.

-You can only turn on or turn off payload automations where the **Status** value is **Ready**. You can't turn on or turn off incomplete payload automations where the **Status** value is **Draft**.

-To turn on a payload automation, select it from the list by clicking the check box. Click the  **Turn on** icon that appears, and then click **Confirm** in the dialog.

-To turn off a payload automation, select it from the list by clicking the check box. Click the  **Turn on** icon that appears, and then click **Confirm** in the dialog.

-To modify an existing payload automation in **Payload automations**, do one of the following steps:

-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, a _payload_ is the phishing email message and links or attachment content that's are presented to users in simulations. Attack simulation training offers a robust built-in payload catalog for the available social engineering techniques. However, you might want to create custom payloads that will work better for your organization.

-To see the available payloads, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **Payloads**. To go directly to the **Simulation content library** tab where you can select **Payloads**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.

-**Payloads** in the **Simulation content library** tab has two tabs:

-The following information is shown for each payload:

- - **Credential harvest**

- - **Malware attachment**

- - **Link in attachment**

- - **Link to malware**

- - **OAuth consent grant**

-To find a payload in the list, use the  **Search** box to find the name of the payload.

-To remove one or more columns that are displayed, click  **Customize columns**. By default, the only column that's not shown is **Platform**, and that value is currently always **Email**.

-When you select a payload from the list, a details flyout appears with the following information:

- - **Action**

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> **Payloads** \> **Tenant payloads** tab. To go directly to the **Simulation content library** tab where you can select **Payloads** and the **Tenant payloads** tab, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.

- Click  **Create a payload** on the **Tenant payloads** tab in **Payloads** to start the create payload wizard.

- 

- > .

- > At any point during the creation wizard, you can click **Save and close** to save your progress and continue configuring the payload later. You can pick up where you left off by selecting the notification on the **Tenant payloads** tab in **Payloads**, and then clicking  **Edit payload**. The partially-completed payload will have the **Status** value **Draft**.

- Click **Next**.

-3. On the **Select technique** page, the available options are the same as on the **Select technique** page in the simulation creation wizard:

- - **Credential harvest**

- - **Malware attachment**

- - **Link in attachment**

- - **Link to malware**

- When you're finished, click **Next**.

- When you're finished, click **Next**.

- - **Attachment details** section: This section is available only if you selected **Malware attachment**, **Link in attachment**, or **Link to malware** on the **Select technique** page. Configure the following settings:

- - **Name your attachment**

- - **Select an attachment type**: Currently, the only available value is **Docx**.

- - **Link for attachment** section: This section is available only if you selected **Link to malware** on the **Select technique** page. In the **Select a URL you want to be your malware attachment link** box, select one of the available URLs (the same URLs that are described for the **Phishing link** section).

- Later, you'll embed the URL in the body of the message.

- - **Phishing link** section: This section is available only if you selected **Credential harvest**, **Link in attachment**, **Drive-by URL**, or **OAuth Consent Grant** on the **Select technique** page.

- For **Credential harvest**, **Drive-by URL**, or **OAuth Consent Grant**, the name of the box is **Select a URL you want to be your phishing link**. Later, you'll embed the URL in the body of the message.

- For **Link in attachment**, the name of the box is **Select a URL in this attachment that you want to be your phishing link**. Later, you'll embed the URL in the attachment.

- - **Attachment content** section: This section is available only if you selected **Link in attachment** on the **Select technique** page.

- A rich text editor is available for you to create the content in your file attachment payload.

- - Common settings on the **Configure payload** page:

- - **Language** section: Select the language for the payload. The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.

- - On the **Text** tab, a rich text editor is available for you to create your email message payload.

- - Use the **Dynamic tag** control to personalize the email message for each user by inserting the available tags:

- - **Insert user name**: The value that's added in the message body is `${userName}`.

- - **Insert first name**: The value that's added in the message body is `${firstName}`.

- - **Insert last name**: The value that's added in the message body is `${lastName}`.

- - **Insert UPN**: The value that's added in the message body is `${upn}`.

- - **Insert email**: The value that's added in the message body is `${emailAddress}`.

- - **Insert Department**: The value that's added in the message body is `${department}`.

- - **Insert Manager**: The value that's added in the message body is `${manager}`.

- - **Insert Mobile phone**: The value that's added in the message body is `${mobilePhone}`.

- - **Insert City**: The value that's added in the message body is `${city}`.

- - **Insert date**: The value that's added in the message body is `${date|MM/dd/yyyy|offset}`.

- :::image type="content" source="../../media/attack-sim-training-payloads-configure-payload-email-message.png" alt-text="The Email message section on the Configure payload page in the payload creation wizard in Attack simulation training in Microsoft Defender for Office 365" lightbox="../../media/attack-sim-training-payloads-configure-payload-email-message.png":::

- - **Phishing link** control: This control is available only if you selected **Credential harvest**, **Link in attachment**, **Drive-by URL**, or **OAuth Consent Grant** on the **Select technique** page. Use this control to name and insert the URL that you previously selected in the **Phishing link** section.

- - **Malware attachment link** control: This control is available only if you selected **Link to malware** on the **Select technique** page. Use this control to name and insert the URL that you previously selected in the **Link for attachment** section.

- The value that's added in the message body (visible on the **Code** tab) is `<a href="${phishingUrl}" target="_blank">Name value you specified</a>`.

- - On the **Code** tab, you can view and modify the HTML code directly. Formatting and other controls like **Dynamic tag** and **Phishing link** or **Malware attachment link** aren't available.

- - The **Replace all links in the email message with the phishing link** toggle is available only if you selected **Credential harvest**, **Link to malware**, **Drive-by URL**, or **OAuth Consent Grant** on the **Select technique** page. This toggle can save time by replacing all links in the message with the previously selected **Phishing link** or **Link for attachment** URL. To do this, toggle the setting to on .

- When you're finished, click **Next**.

-6. The **Add indicators** page is available only if you selected **Credential harvest**, **Link in attachment**, **Drive-by URL**, or **OAuth Consent Grant** on the **Select technique** page.

- On the **Add indicators** page, click **Add indicator**. In the flyout that appears, configure the following settings:

- :::image type="content" source="../../media/attack-sim-training-payloads-add-indicators-select-location.png" alt-text="The Selected text location in the message body to add to an indicator in the payload creation wizard in Attack simulation training" lightbox="../../media/attack-sim-training-payloads-add-indicators-select-location.png":::

- When you're finished, click **Add**

- When you're finished, click **Next**.

- On the main **Review payload** page, you can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.

- When you're finished, click **Submit**. On the confirmation page that appears, click **Done**.

-To copy an existing payload on the **Tenant payloads** or **Global payloads** tabs, select the payload from the list by clicking the check box, and then click the  **Copy payload** icon that appears.

-Select the payload from the list by clicking the check box, and then click the  **Send a test** button that appears.

-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, simulation automations allow you to run multiple benign cyberattack simulations in your organization. Simulation automations can contain multiple payloads and start on an automated schedule. Creating a simulation automation is very similar to [creating an individual simulation](attack-simulation-training-simulations.md), except you also select the payloads and the automation schedule.

-To create a simulation automation, do the following steps:

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com/>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> **Simulation automations**.

- To go directly to the **Automations** tab where you can select **Simulation automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.

-2. On **Simulation automations**, select  **Create automation**.

-3. The creation wizard opens. The rest of this article describes the pages and the settings they contain.

-> [!NOTE]

-> At any point during the simulation creation wizard, you can click **Save and close** to save your progress and continue configuring the simulation later. The incomplete simulation has the **Status** value **Draft** on the **Simulations** tab. You can pick up where you left off by selecting the simulation and clicking  **Edit** simulation.## Name and describe the simulation.

-When you're finished, click **Next**.

-When you're finished, click **Next**.

-On the **Select payload and login** page, you need to select an existing payload from the list, or create a new payload.

-You can also view the login page that's used in the payload, select a different login page to use, or create a new login page to use.

-### Payload

-On the **Select payloads** page, select one of the following options:

-If you select **Randomize**, there's nothing to configure on this page, so click **Next** to continue.

-If you select **Manually select**, you need to select one or more payloads from the list. The following details are shown for each payload:

-In the  **Search** box, you can type part of the payload name and press Enter to filter the results.

- - **High**

- - **Medium**

- - **Low**

-When you're finished configuring the filters, click **Apply**, **Cancel**, or  **Clear filters**.

-If you select a payload from the list by clicking anywhere in the row other than the check box, details about the payload are shown in a flyout:

-### Login page

-> The **Login page** tab is available only in **Credential Harvest** or **Link in attachment** payloads.

-Select the payload from the list by clicking anywhere in the row other than the check box to open the details flyout.

-The **Login page** tab in the payload details flyout shows the login page that's currently selected for the payload.

-On the **Select login page** flyout that appears, The following information is shown for each login page:

-To find a login page in the list, use the  **Search** box to find the name of the login page.

-To create a new login page, click [Create new icon.](../../medi#create-login-pages).

-When you're finished on the **Select a payload and login page**, click **Next**.

-## Configure OAuth Payload

-> This page is available only if you selected **OAuth Consent Grant** on the [Select social engineering techniques](#select-one-or-more-social-engineering-techniques) page. Otherwise, you're taken to the **Target users** page.

-When you're finished on the **Configure OAuth payload** page, click **Next**.

-On the **Target users** page, select who will receive the simulation. Configure one of the following settings:

- -  **Add users**: In the **Add users** flyout that appears, you can find users and groups based on the following criteria:

- - **Users or groups**: In the  **Search for users and groups** box, you can type part of the **Name** or **Email address** of the user or group, and then press Enter. You can select some or all of the results. When you're finished, click **Add x users**.

- > Clicking the **Add filters** button to return to the **Filter users by categories** options will clear any users or groups that you selected in the search results.

- - **Filter users by categories**: Select from none, some, or all of the following options:

- - **Search**: In the  **Search by Department** box, you can type part of the Department value, and then press Enter. You can select some or all of the results.

- - Select existing Department values.

- - **Search**: In the  **Search by Title** box, you can type part of the Title value, and then press Enter. You can select some or all of the results.

- - Select existing Title values.

- :::image type="content" source="../../media/attack-sim-training-simulations-target-users-filter-by-category.png" alt-text="The user filtering on the Target users page in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-simulations-target-users-filter-by-category.png":::

- After you identify your criteria, the affected users are shown in the **User list** section that appears, where you can select some or all of the discovered recipients.

- When you're finished, click **Apply(x)**, and then click **Add x users**.

- Back on the main **Target users** page, you can use the  **Search** box to find affected users. You can also click  **Delete** to remove specific users.

- After you find and select the CSV file, the list of users are imported and shown on the **Targeted users** page. You can use the  **Search** box to find affected users. You can also click  **Delete** to remove specific users.

-When you're finished, click **Next**.

-On the **Assign training** page, you can assign trainings for the simulation. We recommend that you assign training for each simulation, as employees who go through training are less susceptible to similar attacks. The following settings are available:

- - **Microsoft training experience**: This is the default value that has the following associated options to configure:

- - **Assign training for me**: This is the default and recommended value. We assign training based on a user's previous simulation and training results, and you can review the selections in the next steps of the wizard.

- - **Select training courses and modules myself**: If you select this value, you'll still be able to see the recommended content as well as all available courses and modules in the next step of the wizard.

- - **Redirect to a custom URL**: This value has the following associated options to configure:

- - **No training**: If you select this value, the only option on the page is the **Next** button that takes you to the [**Landing page**](#landing-page) page.

-> The **Training assignment** page is available only if you selected **Microsoft training experience** \> **Select training courses and modules myself** on the previous page.

-On the **Add training** flyout that appears, you can select the trainings to use on the following tabs that are available:

- The following information is shown for each training:

- - **Training name**

- - **Source**: The value is **Global**.

- - **Duration (mins)**

- - **Preview**: Click the **Preview** button to see the training.

- In the  **Search** box, you can type part of the training name and press Enter to filter the results on the current tab.

- Select all trainings that you want to include from the current tab, and then click **Add**.

-Back on the main **Training assignment** page, the trainings that you selected are shown. The following information is shown for each training:

-For each training in the list, select one or more of the following values in the **Assign to** column to configure who gets the training:

-If you don't want to use a training that's shown, click  **Delete**.

-When you're finished, click **Next**.

-### Landing page

-On the **Landing page** page, you configure the web page that users are taken to if they open the payload in the simulation.

- |Payload selection|Available values for Select landing page preference|

- |||

- |Manually select|Use Microsoft default landing page <br><br> Create your own landing page <p> Use a custom URL <p> **Note**: The **Use a custom URL** value is not available if you previously selected **Malware attachment** or **Link to malware** on the [Select social engineering techniques](#select-one-or-more-social-engineering-techniques) page.|

- |Randomize|Use Microsoft default landing page|

- The available **Select landing page preference** values and their associated settings are described in the following list:

- - **Use Microsoft default landing page**. This is the default value, and results in one Microsoft default template, logo, and payload indicator action that's applicable to all payloads.

- You need to configure the following additional settings on the **Landing page** page:

- - **Select landing page layout**: Select one of the 5 available landing page templates.

- - **Add logo**: Click **Browse** to find and select a .png, .jpeg, or .gif file to add to all payloads that are selected by Microsoft. The logo size should be a maximum of 210 x 70 to avoid distortion. To remove the logo, click **Remove**.

- - **Payload indicators**: This setting is not available if you previously selected **Malware attachment** or **Link to malware** on the [Select social engineering techniques](#select-one-or-more-social-engineering-techniques) page.

- Select **Add payload indicators to email** to help users learn how to identify phishing messages.

- You can preview the results by clicking the **Open preview panel** button in the middle of the page. In the preview flyout that appears, you can use **Select payload to preview** to see what each payload looks like.

- - **Create your own landing page**: This value results in a single payload indicator action that's applied to the selected payloads.

- You need to configure the following additional settings on the **Landing page** page:

- - **Add payload indicators to email**: This setting is available to select only if both of the following statements are true:

- - You selected **Credential harvest**, **Link in attachment**, **Drive-by URL**, or **OAuth Consent Grant** on the [Select social engineering techniques](#select-one-or-more-social-engineering-techniques) page.

- - You've added the **Dynamic tag** named **Insert Payload content** in the landing page content on this page.

- - Landing page content: Two tabs are available:

- - **Text**: A rich text editor is available to create your landing page. In addition to the typical font and formatting settings, the following settings are available:

- - **Dynamic tag**: Select from the following tags:

- |Tag name|Tag value|

- |||

- |**Insert User name**|`${userName}`|

- |**Insert First name**|`${firstName}`|

- |**Insert Last name**|`${lastName}`|

- |**Insert UPN**|`${upn}`|

- |**Insert Email**|`${emailAddress}`|

- |**Insert Department**|`${department}`|

- |**Insert Manager**|`${manager}`|

- |**Insert Mobile phone**|`${mobilePhone}`|

- |**Insert City**|`${city}`|

- |**Insert sender name**|`${FromName}`|

- |**Insert sender email**|`${FromEmail}`|

- |**Insert Payload subject**|`${EmailSubject}`|

- |**Insert Payload content**|`${EmailContent}`|

- |**Insert Date**|`${date|MM/dd/yyyy|offset}`|

- - **Use from default**: Select one of the 5 available landing page templates to start with. You can modify the text and layout in the editing area. To reset the landing page back to the default text and layout of the template, click **Reset to default**.

- - **Training link**: In the **Name training URL** dialog that appears, enter a link title for the training link, and then click **Confirm** to add the link to the landing page.

- - **Code**: You can view and modify the HTML code directly.

- You can preview the results by clicking the **Open preview panel** button in the middle of the page. In the preview flyout that appears, you can use **Select payload to preview** to see what each payload looks like.

- - **Use a custom URL**: Add the URL in the **Enter the custom landing page URL** box that appears. No other options are available on the page.

-When you're finished, click **Next**.

-## Select end user notification

- - **Select default language**: The available values are: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, and **Dutch**.

- - By default, the following notifications are included:

- - **Microsoft positive reinforcement notification**

- - **Microsoft default training assignment notification**

- - **Microsoft default training reminder notification**

- For each notification, the following information is available:

- - **Notifications**: The name of the notification.

- - **Language**: If the notification contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).

- - **Type**: One of the following values:

- - **Positive reinforcement notification**

- - **Training assignment notification**

- - **Training reminder notification**

- - **Delivery preferences**: For **Positive reinforcement notification** and **Training reminder notification** types, the following values are available

- - **Do not deliver**

- - **Deliver after campaign ends**

- - **Deliver during campaign**

- - **Actions**: If you click on the  **View** icon, the **Review notification** page appears with the following information:

- - **Preview** tab: View the notification message as users will see it.

- - To view the message in different languages, use the **Select language** box.

- - Use the **Select payload to preview** box to select the notification message for simulations that contain multiple payloads.

- - **Details** tab: View details about the notification:

- - **Notification description**

- - **Source**: For built-in notifications, the value is **Global**. For custom notifications, the value is **Tenant**.

- - **Notification type**: One of the following types base on the notification you originally selected:

- - **Positive reinforcement notification**

- - **Training assignment notification**

- - **Training reminder notification**

- - **Modified by**

- - **Last modified**

- When you're finished, click **Close**.

- You're taken to the [Simulation schedule](#simulation-schedule) page when you click **Next**.

-### Training assignment notification

-The **Training assignment notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.

-This page shows the following notifications and their configured languages:

- These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. **Microsoft default training assignment notification** is available on the **Global notifications** tab. Custom training assignment notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).

-You can select an existing training assignment notification or create a new notification to use:

- Select the notification that you want to use, and then click **Next**.

-#### Create new training assignment notification wizard

-If you clicked  **Create new** on the **Training assignment notification** page, a notification creation wizard opens.

-The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).

-> On the **Define details** page, be sure to select the value **Training assignment notification** for **Select notification type**.

-When you're finished, you're taken back to the **Training assignment notification** page where the notification that you just created now appears in the list.

-Select the notification that you want to use, and then click **Next**.

-### Training reminder notification

-The **Training reminder notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.

- - **Microsoft default training reminder notification**

- - Any custom training reminder notifications that you previously created.

- These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. **Microsoft default training reminder notification** is available on the **Global notifications** tab. Custom training reminder notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).

- You can select an existing training reminder notification or create a new notification to use:

- - To select an existing notification, click in the blank area next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.

- - To search for an existing notification, use the  **Search** box to search for the name.

- Select the notification that you want to use, and then click **Next**.

- - To create and use a new notification, click  **Create new**.

-#### Create new training reminder notification wizard

-If you clicked  **Create new** on the **Training reminder notification** page, a notification creation wizard opens.

-The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).

-> On the **Define details** page, be sure to select the value **Training reminder notification** for **Select notification type**.

-When you're finished, you're taken back to the **Training reminder notification** page where the notification that you just created now appears in the list.

-Select the notification that you want to use, and then click **Next**.

-### Positive reinforcement notification

-The **Positive reinforcement notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.

- - **Do not deliver**: If you select this option, you're taken to the [Simulation schedule](#simulation-schedule) page when you click **Next**.

- - **Deliver after the user reports a phish and campaign ends** or **Deliver immediately after the user reports a phish**: These sections show the following notifications and their configured languages in the **Select a positive reinforcement notification** section that appears:

- These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. **Microsoft default positive reinforcement notification** is available on the **Global notifications** tab. Custom positive reinforcement notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).

- You can select an existing positive reinforcement notification or create a new notification to use:

- - To select an existing notification, click in the blank area next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.

- - To search for an existing notification, use the  **Search** box to search for the name.

- Select the notification that you want to use, and then click **Next**.

- - To create and use a new notification, click  **Create new**.

-#### Create new positive reinforcement notification wizard

-If you clicked  **Create new** on the **Positive reinforcement notification** page, a notification creation wizard opens.

-The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).

-> [!NOTE]

-> On the **Define details** page, be sure to select the value **Positive reinforcement notification** for **Select notification type**.

-When you're finished, you're taken back to the **Positive reinforcement notification** page where the notification that you just created now appears in the list.

-Select the notification that you want to use, and then click **Next**.

-What you see on the **Schedule details** page depends on whether you selected **Randomized** or **Fixed** on the previous page.

- - **Simulation start** section: Configure the following setting:

- - **Select the date you want the simulations to start from**

- - **Simulation scoping** section: Configure the following settings:

- - **Randomize send times**: Select this setting to randomize the send times.

- - **Simulation end** section: Configure the following setting:

- - **Select the date you want the simulations to end**

- - **Simulation start** section: Configure the following setting:

- - **Select the date you want the simulations to start from**

- - **Simulation recurrence** section: Configure the following settings:

- - **Select if you want simulations to launch weekly or monthly**: Select one of the following values:

- - **Weekly**: This is the default value.

- - **Monthly**

- - **Enter how often in weeks you want the simulations to recur for**: Enter a value from 1 to 99 weeks.

- - **Select the day of the week you want the simulations to start from**

- - **Simulation end** section: Selection one of the following values:

- - **Select the date you want the simulations to end**

- - **Enter the number of occurrences of the simulations to run before ending**: Enter a value from 1 to 10.

-When you're finished, click **Next**.

- - **Enter the maximum number of times a user can be targeted within this automation**: Enter a value from 1 to 10.

-When you're finished, click **Submit**.

-## Frequently asked questions (FAQ)

-### Why is the Status value under Automation showing Completed, but the Status value under Simulation showing In progress?

-**Completed** on the **Simulation automation** page means the job of simulation automation is complete, and no more simulations will be created by it. Simulation is a separate entity that will complete after 30 days of simulation launch time.

-### If we have multiple payload techniques (for example, Credential harvest, Link to Malware, and Drive by URL) targeting 300 users, how are the techniques sent to users? Do all payload techniques go to all users, or is the selection random?

-If you don't select the **Target All Selected Users In Every Run** option, all targeted users will be distributed over the maximum number of simulations that are created by the simulation automation.

-If you select **Target All Selected Users In Every Run**, all targeted users will be part of every simulation that's created by the simulation automation.

-The **Randomize launch&& option optimally selects a day within the start date and end date range to launch simulations.

-### How does the Randomize option on the Select payloads page work?

-For every run, a technique from the list of selected techniques is chosen, and then a random payload from both Tenant and Global payloads will be chosen. This behavior helps to ensure that the selected payload wasn't part of any previous run for this particular automation.

-1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulations** tab.

- To go directly to the **Simulations** tab, use <https://security.microsoft.com/attacksimulator?viewid=simulations>.

-2. On the **Simulations** tab, select  **Launch a simulation**.

-3. The simulation creation wizard opens. The rest of this article describes the pages and the settings they contain.

-> [!NOTE]

-> At any point during the simulation creation wizard, you can click **Save and close** to save your progress and continue configuring the simulation later. The incomplete simulation has the **Status** value **Draft** on the **Simulations** tab. You can pick up where you left off by selecting the simulation and clicking  **Edit** simulation.

-When you're finished, click **Next**.

-When you're finished, click **Next**.

-On the **Select payload and login** page, you need to select an existing payload from the list, or create a new payload.

-You can also view the login page that's used in the payload, select a different login page to use, or create a new login page to use.

-### Payload

-In the  **Search** box, you can type part of the payload name and press Enter to filter the results.

-If you click **Filter**, the following filters are available:

- - **High**

- - **Medium**

- - **Low**

-When you're finished configuring the filters, click **Apply**, **Cancel**, or  **Clear filters**.

-If you select a payload from the list by selecting the check box, a  **Send a test** button appears on the main page where you can send a copy of the payload email to yourself (the currently logged in user) for inspection.

-To create your own payload, click .

-If you select a payload from the list by clicking anywhere in the row other than the check box, details about the payload are shown in a flyout:

-### Login page

-> The **Login page** tab is available only in **Credential Harvest** or **Link in attachment** payloads.

-Select the payload from the list by clicking anywhere in the row other than the check box to open the details flyout.

-The **Login page** tab in the payload details flyout shows the login page that's currently selected for the payload.

-On the **Select login page** flyout that appears, The following information is shown for each login page:

-To find a login page in the list, use the  **Search** box to find the name of the login page.

-To create a new login page, click [Create new icon.](../../medi#create-login-pages).

-When you're finished on the **Select a payload and login page**, click **Next**.

-## Configure OAuth Payload

-> This page is available only if you selected **OAuth Consent Grant** on the [Select technique](#select-a-social-engineering-technique) page. Otherwise, you're taken to the **Target users** page.

-On the **Target users** page, select who will receive the simulation. Configure one of the following settings:

- -  **Add users**: In the **Add users** flyout that appears, you can find users and groups based on the following criteria:

- > [!NOTE]

- > You can't use dynamic distribution groups to target users.

- - **Search for users or groups**: In box, you can type part of the **Name** or **Email address** of the user or group and then press Enter. You can select some or all of the results. When you're finished, click **Add x users**.

- > Clicking the **Add filters** button to return to the **Filter users by categories** options will clear any users or groups that you selected in the search results.

- - **Filter users by categories**: Select from none, some, or all of the following options:

- - **User tags**: User tags are identifiers for specific groups of users (for example, Priority accounts). For more information, see [User tags in Microsoft Defender for Office 365](user-tags-about.md).

- Use the following options:

- - Select existing user tags.

- - Select existing Department values.

- - Select existing Title values.

- After you identify your criteria, the affected users are shown in the **User list** section that appears, where you can select some or all of the discovered recipients.

- When you're finished, click **Apply(x)**, and then click **Add x users**.

- Back on the main **Target users** page, you can use the  **Search** box to find affected users. You can also click  **Delete** to remove specific users.

- After you find a select the CSV file, the list of users are imported and shown on the **Targeted users** page. You can use the  **Search** box to find affected users. You can also click  **Delete** to remove specific users.

-When you're finished, click **Next**.

-On the **Assign training** page, you can assign trainings for the simulation. We recommend that you assign training for each simulation, as employees who go through training are less susceptible to similar attacks. The following settings are available:

- - **Microsoft training experience**: This is the default value that has the following associated options to configure:

- - **Assign training for me**: This is the default and recommended value. We assign training based on a user's previous simulation and training results, and you can review the selections in the next steps of the wizard.

- - **Select training courses and modules myself**: If you select this value, you'll still be able to see the recommended content as well as all available courses and modules in the next step of the wizard.

- - **Redirect to a custom URL**: This value has the following associated options to configure:

- - **No training**: If you select this value, the only option on the page is the **Next** button that takes you to the [**Landing page**](#landing-page) page.

-> The **Training assignment** page is available only if you selected **Microsoft training experience** \> **Select training courses and modules myself** on the previous page.

-On the **Add training** flyout that appears, you can select the trainings to use on the following tabs that are available:

- The following information is shown for each training:

- - **Training name**

- - **Source**: The value is **Global**.

- - **Duration (mins)**

- - **Preview**: Click the **Preview** button to see the training.

- In the  **Search** box, you can type part of the training name and press Enter to filter the results on the current tab.

- Select all trainings that you want to include from the current tab, and then click **Add**.

-Back on the main **Training assignment** page, the trainings that you selected are shown. The following information is shown for each training:

-For each training in the list, you need to select who gets the training by selecting values in the **Assign to** column:

- or one or both of the following values:

-If you don't want to use a training that's shown, click  **Delete**.

-When you're finished, click **Next**.

-### Landing page

-On the **Landing page** page, you configure the web page that users are taken to if they open the payload in the simulation.

-Microsoft-curated landing pages are available in 12 languages: Chinese (Simplified), Chinese (Traditional), English, French, German, Italian, Japanese, Korean, Portuguese, Russian, Spanish, and Dutch.

- - **Use Microsoft default landing page**: This is the default value that has the following associated options to configure:

- - **Select landing page layout**: Select one of the available templates.

- - **Add logo**: Click **Browse** to find and select a .png, .jpeg, or .gif file. The logo size should be a maximum of 210 x 70 to avoid distortion. To remove the logo, click **Remove**.

- - **Add payload indicators to email**: This setting is not available if you previously selected **Malware attachment** or **Link to malware** on the [Select technique](#select-a-social-engineering-technique) page.

- You can preview the results by clicking the **Open preview panel** button at the bottom of the page.

- - **Use a custom URL**: This setting is not available if you previously selected **Malware attachment** or **Link to malware** on the [Select technique](#select-a-social-engineering-technique) page.

- If you select **Use a custom URL**, you need to add the URL in the **Enter the custom landing page URL** box that appears. No other options are available on the page.

- - **Create your own landing page**: This value has the following associated options to configure:

- - **Add payload indicators to email**:This setting is available to select only if both of the following statements are true:

- - You selected **Credential harvest**, **Link in attachment**, **Drive-by URL**, or **OAuth Consent Grant** on the [Select technique](#select-a-social-engineering-technique) page.

- - You've added the **Dynamic tag** named **Insert Payload content** in the landing page content on this page.

- - Landing page content: Two tabs are available:

- - **Text**: A rich text editor is available to create your landing page. In addition to the typical font and formatting settings, the following settings are available:

- - **Dynamic tag**: Select from the following tags:

- |Tag name|Tag value|

- |||

- |**Insert User name**|`${userName}`|

- |**Insert First name**|`${firstName}`|

- |**Insert Last name**|`${lastName}`|

- |**Insert UPN**|`${upn}`|

- |**Insert Email**|`${emailAddress}`|

- |**Insert Department**|`${department}`|

- |**Insert Manager**|`${manager}`|

- |**Insert Mobile phone**|`${mobilePhone}`|

- |**Insert City**|`${city}`|

- |**Insert sender name**|`${FromName}`|

- |**Insert sender email**|`${FromEmail}`|

- |**Insert Payload subject**|`${EmailSubject}`|

- |**Insert Payload content**|`${EmailContent}`|

- |**Insert Date**|`${date|MM/dd/yyyy|offset}`|

- - **Use from default**: Select an available template to start with. You can modify the text and layout in the editing area. To reset the landing page back to the default text and layout of the template, click **Reset to default**.

- - **Code**: You can view and modify the HTML code directly.

- You can preview the results by clicking the **Open preview panel** button in the middle of the page.

-When you're finished, click **Next**.

-> [!NOTE]

-> Certain trademarks, logos, symbols, insignias and other source identifiers receive heightened protection under local, state and federal statutes and laws. Unauthorized use of such indicators can subject the users to penalties, including criminal fines. Though not an extensive list, this includes the Presidential, Vice Presidential, and Congressional seals, the CIA, the FBI, Social Security, Medicare and Medicaid, the United States Internal Revenue Service, and the Olympics. Beyond these categories of trademarks, use and modification of any third-party trademark carries an inherent amount of risk. Using your own trademarks and logos in a payload would be less risky, particularly where your organization permits the use. If you have any further questions about what is or is not appropriate to use when creating or configuring a payload, you should consult with your legal advisors.

-## Select end user notification

-On the **Select end user notification** page, select from the following notification options:

- - **Select default language**: The available values are: **English**, **Spanish**, **German**, **Japanese**, **French**, **Portuguese**, **Dutch**, **Italian**, **Swedish**, **Chinese (Simplified)**, **Norwegian Bokmål**, **Polish**, **Russian**, **Finnish**, **Korean**, **Turkish**, **Hungarian**, **Hebrew**, **Thai**, **Arabic**, **Vietnamese**, **Slovak**, **Greek**, **Indonesian**, **Romanian**, **Slovenian**, **Croatian**, **Catalan**, or **Other**.

- - By default, the following notifications are included:

- - **Microsoft positive reinforcement notification**

- - **Microsoft default training assignment notification**

- - **Microsoft default training reminder notification**

- For each notification, the following information is available:

- - **Notifications**: The name of the notification.

- - **Language**: If the notification contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).

- - **Type**: One of the following values:

- - **Positive reinforcement notification**

- - **Training assignment notification**

- - **Training reminder notification**

- - **Delivery preferences**: For **Positive reinforcement notification** and **Training reminder notification** types, the following values are available

- - **Do not deliver**

- - **Deliver after campaign ends**

- - **Deliver during campaign**

- - **Actions**: If you click on the  **View** icon, the **Review notification** page appears with the following information:

- - **Preview** tab: View the notification message as users will see it.

- - To view the message in different languages, use the **Select language** box.

- - Use the **Select payload to preview** box to select the notification message for simulations that contain multiple payloads.

- - **Details** tab: View details about the notification:

- - **Notification description**

- - **Source**: For built-in notifications, the value is **Global**. For custom notifications, the value is **Tenant**.

- - **Notification type**: One of the following types base on the notification you originally selected:

- - **Positive reinforcement notification**

- - **Training assignment notification**

- - **Training reminder notification**

- - **Modified by**

- - **Last modified**

- When you're finished, click **Close**.

- You're taken to the [Launch details](#launch-details) page when you click **Next**.

-### Training assignment notification

-The **Training assignment notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.

-This page shows the following notifications and their configured languages:

- These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. **Microsoft default training assignment notification** is available on the **Global notifications** tab. Custom training assignment notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).

-You can select an existing training assignment notification or create a new notification to use:

- Select the notification that you want to use, and then click **Next**.

-#### Create new training assignment notification wizard

-If you clicked  **Create new** on the **Training assignment notification** page, a notification creation wizard opens.

-The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).

-> [!NOTE]

-> On the **Define details** page, be sure to select the value **Training assignment notification** for **Select notification type**.

-When you're finished, you're taken back to the **Training assignment notification** page where the notification that you just created now appears in the list.

-Select the notification that you want to use, and then click **Next**.

-### Training reminder notification

-The **Training reminder notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.

- - **Microsoft default training reminder notification**

- - Any custom training reminder notifications that you previously created.

- These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. **Microsoft default training reminder notification** is available on the **Global notifications** tab. Custom training reminder notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).

- You can select an existing training reminder notification or create a new notification to use:

- - To select an existing notification, click in the blank area next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.

- - To search for an existing notification, use the  **Search** box to search for the name.

- Select the notification that you want to use, and then click **Next**.

- - To create and use a new notification, click  **Create new**.

-#### Create new training reminder notification wizard

-If you clicked  **Create new** on the **Training reminder notification** page, a notification creation wizard opens.

-The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).

-> [!NOTE]

-> On the **Define details** page, be sure to select the value **Training reminder notification** for **Select notification type**.

-When you're finished, you're taken back to the **Training reminder notification** page where the notification that you just created now appears in the list.

-Select the notification that you want to use, and then click **Next**.

-### Positive reinforcement notification

-The **Positive reinforcement notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.

- - **Do not deliver**: If you select this option, you're taken to the [Launch details](#launch-details) page when you click **Next**.

- - **Deliver after the user reports a phish and campaign ends** or **Deliver immediately after the user reports a phish**: These sections show the following notifications and their configured languages in the **Select a positive reinforcement notification** section that appears:

- These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. **Microsoft default positive reinforcement notification** is available on the **Global notifications** tab. Custom positive reinforcement notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).

- You can select an existing positive reinforcement notification or create a new notification to use:

- - To select an existing notification, click in the blank area next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.

- - To search for an existing notification, use the  **Search** box to search for the name.

- Select the notification that you want to use, and then click **Next**.

- - To create and use a new notification, click  **Create new**.

-#### Create new positive reinforcement notification wizard

-If you clicked  **Create new** on the **Positive reinforcement notification** page, a notification creation wizard opens.

-The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).

-> [!NOTE]

-> On the **Define details** page, be sure to select the value **Positive reinforcement notification** for **Select notification type**.

-When you're finished, you're taken back to the **Positive reinforcement notification** page where the notification that you just created now appears in the list.

-Select the notification that you want to use, and then click **Next**.

-## Launch details

-On the **Launch details** page, you choose when to launch the simulation and when to end the simulation. We'll stop capturing interaction with this simulation after the end date you specify.

-The following settings are available:

- - **Launch this simulation as soon as I'm done**

- - **Schedule this simulation to be launched later**: This value has the following associated options to configure:

- - **Select launch date**

- - **Select launch time**

-When you're finished, click **Next**.

-## Review simulation

-On the **Review simulation** page, you can review the details of your simulation.

-You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.

-When you're finished, click **Submit**.

-To find a Training campaign in the list, use the :::image type="icon" source="../../media/m365-cc-sc-search-icon.png"::: **Search** box to find the name of the Training campaign.

-When you're finished, click **Next**.

-When you're finished, select **Next**.

-When you're finished, select **Next**.

-What you see and what you can do in the **Add Training** flyout is identical to what's available at **Training modules** on the **Content library** tab at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. For more information, see [Training modules for Training campaigns in Attack simulation training](attack-simulation-training-training-modules.md).

-When you're finished, click **Next**.

- These notifications are also available in **End user notifications** on the **Content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. The built-in notifications are available on the **Global notifications** tab. Custom training assignment notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).

-If you select :::image type="icon" source="../../media/m365-cc-sc-create-icon.png"::: **Create new** on the **Training assignment notification** page or select a custom notification and then click :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png"::: **Edit notification**, a notification creation wizard opens.

-> On the **Define details** page, be sure to select the value **Training assignment notification** for **Select notification type**.

- These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. The build-it notifications available on the **Global notifications** tab. Custom training reminder notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).

-If you click :::image type="icon" source="../../media/m365-cc-sc-create-icon.png"::: **Create new** on the **Training reminder notification** page or select a custom notification and then click :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png"::: **Edit notification**, a notification creation wizard opens.

-> On the **Define details** page, be sure to select the value **Training reminder notification** for **Select notification type**.

-When you're finished, you're taken back to the **Training reminder notification** page where the notification that you just created now appears in the list.

-When you're finished, click **Next**.

-When you're finished, click **Submit**.

-To see the available Training modules, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Training modules**. To go directly to the **Content library** tab where you can select **Training modules**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.

-To find a Training module in the list, use the  **Search** box to find the name of the module.

-To help with the initial step in protecting your information, starting July 2018 all Azure Information Protection eligible tenants will have the protection features in Azure Information Protection turned on by default. The protection features in Azure Information Protection were formerly known in Office 365 as Rights Management or Azure RMS. If your organization has an Office E3 service plan or a higher service plan you will now get a head start protecting information through Azure Information Protection when we roll out these features.

-Office 365 Message Encryption leverages the protection capabilities in Azure Information Protection. At the heart of the recent improvements to Office 365 Message Encryption and our broader investments to information protection in Microsoft 365, we are making it easier for organizations to turn on and use our protection capabilities, as historically, encryption technologies have been difficult to set up. By turning on the protection features in Azure Information Protection by default, you can quickly get started to protect your sensitive data.

-No. This is not a supported deployment scenario. Without taking the additional opt-out steps, some computers might automatically start using the Azure Rights Management service and also connect to your AD RMS cluster. This scenario isn't supported and has unreliable results, so it's important that you opt out of this change within the next 30 days before we roll out these new features. For information on how to opt-out, see "I use AD RMS, how do I opt out?" later in this article. If you prefer to migrate, see [Migrating from AD RMS to Azure Information Protection.](/azure/information-protection/plan-design/migrate-from-ad-rms-to-azure-rms)

-2. If you are not using an SCP, Windows computers that connect to an AD RMS cluster must be configured for client-side service discovery or licensing redirection by using the Windows registry: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSIPC\ServiceLocation or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MSIPC\ServiceLocation`.

-Once this is enabled, provided you haven't opted out, you can start using the new version of Office 365 Message Encryption which was announced at [Microsoft Ignite 2017](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Email-Encryption-and-Rights-Protection/ba-p/110801) and leverages the encryption and protection capabilities of Azure Information Protection.

-Now that you're fully aware of the potential issues, you can create a mail flow rule with the following settings (at a minimum) to ensure that messages from these IP addresses will skip spam filtering:

-If you encounter either of these scenarios, you can create a mail flow rule with the following settings (at a minimum) to ensure that messages from the problematic IP addresses will skip spam filtering:

- - If **Sender IP** matches with your organization's on-prem IP address.

-If you're a Microsoft 365 customer with mailboxes in Exchange Online or a standalone Exchange Online Protection (EOP) customer without Exchange Online mailboxes, EOP offers multiple ways of ensuring that users will receive email from trusted senders. Collectively, you can think of these options as _safe sender lists_.

- This condition checks the email authentication status of the sending email domain to ensure that the sending domain is not being spoofed. For more information about email authentication, see [SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md).

- Use this setting if the sending domain does not use email authentication. Be as restrictive as possible when it comes to the source IP addresses in the IP Allow List. We recommend an IP address range of /24 or less (less is better). Do not use IP address ranges that belong to consumer services (for example, outlook.com) or shared infrastructures.

- If you have more than one domain in the rule, you can customize the header text as appropriate.

-This method is not desirable in most situations since senders will bypass parts of the filtering stack. Although you trust the sender, the sender can still be compromised and send malicious content. You should let our filters check every message and then [report the false positive/negative to Microsoft](submissions-report-messages-files-to-microsoft.md) if we got it wrong. Bypassing the filtering stack also interferes with [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).

- - **Move messages to Junk Email folder**: Domain entries and sender email address entries are honored. Messages from those senders are not moved to the Junk Email folder.

- - **Quarantine**: Domain entries are not honored (messages from those senders are quarantined). Email address entries are honored (messages from those senders are not quarantined) if either of the following statements are true:

- - The message is not identified as malware or high confidence phishing (malware and high confidence phishing messages are quarantined).

- - The email address is not also in a block entry in the [Tenant Allow/Block List](tenant-allow-block-list-about.md) (messages from those senders will be quarantined).

-The maximum limit for these lists is approximately 1000 entries; although, you will only be able to enter 30 entries into the portal. You must use PowerShell to add more than 30 entries.

-3. Look for rules that the user did not create, or any unexpected rules or rules with suspicious names.

-You will need to have global administrator rights to run the script because the script connects to every mailbox in the tenancy to read the rules and forms.

-1. Sign in to the machine that you will run the script from with local administrator rights.

-2. Download or copy the Get-AllTenantRulesAndForms.ps1 script from GitHub to a folder from which you will run it. The script will create two date stamped files to this folder, MailboxFormsExport-yyyy-mm-dd.csv, and MailboxRulesExport-yyyy-mm-dd.csv.

-1. Identify all the devices that the user has used with Outlook. They will all need to be cleaned of potential malware. Do not allow the user to sign on and use email until all the devices are cleaned.

-3. If you are unsure about the presence of other malware, you can format and reinstall all the software on the device. For mobile devices, you can follow the manufacturers steps to reset the device to the factory image.

-5. Once all offline copies of the mailbox have been removed, reset the user's password (use a high quality one) and follow the steps in [Setup multi-factor authentication for users](../../admin/security-and-compliance/set-up-multi-factor-authentication.md) if MFA has not already been enabled. This ensures that the user's credentials are not exposed via other means (such as phishing or password re-use).

-The Rules and Forms exploits are only used by an attacker after they have stolen or breached one of your user's accounts. So, your first step to preventing the use of these exploits against your organization is to aggressively protect your user accounts. Some of the most common ways that accounts are breached are through phishing or [password spray attacks](https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/).

-Fully updated and patched versions of Outlook 2013, and 2016 disable the "Start Application" rule/form action by default. This will ensure that even if an attacker breaches the account, the rule and form actions will be blocked. You can install the latest updates and security patches by following the steps in [Install Office updates](https://support.microsoft.com/office/2ab296f3-7f03-43a2-8e50-46de917611c5).

-Note that even with the patches and updates installed, it is possible for an attacker to change the local machine configuration to re-enable the "Start Application" behavior. You can use [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) to monitor and enforce local machine policies on your clients.

-Look for the key EnableUnsafeClientMailRules. If it is there and is set to 1, the Outlook security patch has been overridden and the computer is vulnerable to the Form/Rules attack. If the value is 0, the "Start Application" action is disabled. If the updated and patched version of Outlook is installed and this registry key is not present, then a system is not vulnerable to these attacks.

-Customers with on-premises Exchange installations should consider blocking older versions of Outlook that do not have patches available. Details on this process can be found in the article [Configure Outlook client blocking](/exchange/configure-outlook-client-blocking-exchange-2013-help).

-IP addresses not previously used to send email typically don't have any reputation built up in our systems. As a result, emails from new IPs are more likely to experience delivery issues. Once the IP has built a reputation for not sending spam, EOP will typically allow for a better email delivery experience.

-For instructions about how to create and maintain DNS records, including the MX record required for mail routing, you will need to contact your DNS hosting provider.

-Some delivery issues are the result of the sender's IP address being blocked by Microsoft or because the user account is identified as banned sender due to previous spam activity. If you believe that you have received the NDR in error, first follow any instructions in the NDR message to resolve the issue.

-If a message was incorrectly identified as spam by EOP, you can work with the recipient to submit this false positive message to the Microsoft Spam Analysis Team, who will evaluate and analyze the message. For more information, see [Report messages and files to Microsoft](submissions-report-messages-files-to-microsoft.md).

-You received the NDR because suspicious activity has been detected from the IP address and it has been temporarily restricted while it is being further evaluated. If the suspicion is cleared through evaluation, this restriction will be lifted shortly.

-The easier you make it for people to know who you are and what you are doing, the less difficulty you will have delivering through most spam filters.

-Some senders include this option by requiring recipients to send an email to a certain alias with "Unsubscribe" in the subject. This is not preferable to the one-click example above. If you do choose to require recipients to send a mail, ensure that when they click the link, all the required fields are pre-populated.

-During the registration process, if the "Yes, please send me your newsletter" or "Yes, please send me special offers" checkbox is selected by default, users who do not pay close attention may unintentionally sign up for marketing email or newsletters that they do not want to receive.

-Just as important as the way the emails are sent is the content they contain. When creating email content, use the following best practices to ensure that your emails will not be flagged by email filtering

-To protect data across your collection of SaaS apps, the following diagram illustrates the necessary Azure AD conditional access policy plus suggested policies you can create in Defender for Cloud Apps. In this example, the policies created in Defender for Cloud Apps apply to all SaaS apps you are managing. These are designed to apply appropriate controls based on whether devices are managed as well as sensitivity labels that are already applied to files.

-You might want to apply additional monitoring and controls to specific SaaS apps in your environment. Defender for Cloud Apps allows you to accomplish this. For example, if an app like Box is used heavily in your environment, it makes sense to apply additional controls. Or, if your legal or finance department is using a specific SaaS app for sensitive business data, you can target extra protection to these apps.

-These are examples. Additional policy templates are added on a regular basis. For examples of how to apply additional protection to specific apps, see [Protecting connected apps](/cloud-app-security/protect-connected-apps).

-|Enterprise|Protect downloads of files containing this sensitive information type ("Credit card number") to managed devices <p> Block downloads of files containing this sensitive information type ("Credit card number") to unmanaged devices <p> Alert when a file with on of these labels is uploaded to OneDrive for Business or Box (Customer data, Human Resources: Salary Data,Human Resources, Employee data)|

-1. The email fly-out for that mail will open.

-1. You'll see **Open email entity**.

-2. On the top-right corner are the actions that can be taken on an email. Any actions that can be taken through **Explorer** will also be available through email entity page.

-The tabs along the top of the entity page will allow you to investigate email efficiently.

-2. **Analysis**: Analysis shows fields that help admins analyze an email in depth. For cases where admins need to understand more about detection, sender / recipient, and email authentication details, they should use the Analysis tab. Links for Attachments and URLs are also found on this page, under 'Related Entities'. Both attachments and identified threats are numbered here, and clicking will take you straight to the Attachments and URL pages. This tab also has a View header option to *show the email header*. Admins can compare any detail from email headers, side by side with information on the main panel, for clarity.

-4. **URLs**: This tab lists URLs found in the email with other details about the URLs. The number of URLs is limited to 10 right now, but these 10 are prioritized to show *malicious URLs first*. Prioritization saves you time and guess-work. The URLs that were found to be malicious and detonated will also be shown here.

-Users will see enriched detonation details for known malicious attachments or URLs found in their emails, which got detonated for their specific tenant. It will include the Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated.

-*Tags*: These are tags applied to users. If the user is a recipient, admins will see a *recipient* tag. Likewise, if the user is a sender, a *sender* tag. This will appear in the left side of the email entities page (in the part that's described as *sticky* and, thus, anchored to the page).

- - Neutral: The SPF record explicitly states that it does not assert whether the IP address is authorized to send.

- - Fail (reason): Indicates the DKIM check for the message failed and why. For example, if the message was not signed or the signature was not verified.

- - None: Indicates that the message wasn't signed. This may or may not indicate that the domain has a DKIM record or the DKIM record doesn't evaluate to a result, only that this message was not signed.

-You will be able to select **Take actions** from the top right corner of the entity page and this will open the Action wizard for you to select the specific action you need.

-In the Action wizard you can take email actions, email submissions, block sender and sender domain, investigative actions and two step approval (add to remediation) in the same side pane. This follows a consistent flow for ease of use. The Action wizard uses the same system as is used by Explorer actions (for Delete, Submissions, and Investigation actions), for example. You will be able to see and track these actions in the

-We are also bringing Tenant level block URL and attachment to the respective Email entity URL and Attachments tabs. Upon approval, all the Tenant Allow and Block Lists (or TABL) block URL and block attachments can be tracked under TABL/URL and TABL/file pages.

-In addition to the above sections, you will also see sections specific to few experiences that are integrated with the summary panel:

- - Expires: The date/time when the message will be automatically and permanently deleted from quarantine.

- - Not yet released to: All email addresses (if any) to which the message has not yet been released.

-If you are interested in previewing the features listed above, for ALL users in your tenant, you can enable them using the Exchange Online PowerShell cmdlet. For more details on how to connect to Exchange Online with PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). Once connected, you can enable teams preview as follows:

- ```powershell

- Set-TeamsSecurityPreview -Enable $true

- ```

-To check the status for your tenant run the following cmdlet:

- ```powershell

- Get-TeamsSecurityPreview

- ```

-Note: This cmdlet is used to inform Microsoft that you want to preview the Teams preview. By Running this cmdlet, your tenant will be added to the rollout schedule. The features will be enabled over time during the preview period.

- After you've entered the search criteria, press ENTER to filter the results.

- After you've entered the search criteria, press ENTER to filter the results.

-File information sent by Safe Documents are not retained in Defender for Endpoint beyond the time needed for analysis (typically, less than 24 hours).

- Click  **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click  **Clear search**.

-> For entries added via submission, if you select the entry by clicking anywhere in the row other than the check box, you can select  **View submission** in the details flyout that opens, which takes you to the submission details that added the entry.

- Click  **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click  **Clear search**.

- Click  **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click  **Clear search**.

- Click  **Search**, enter all or part of a value, and then press ENTER to find a specific value. When you're finished, click  to clear the search.

-For this tier of protection, we create a sensitivity label that can be used across your organization for highly sensitive teams and files. Only members of your organization and guests that you have specified will be able to decrypt files that use this label. If you need to further isolate permissions so that only members of a specific team can decrypt files, see [Deploy a team with security isolation](secure-teams-security-isolation.md).

-Next, create a conditional access policy that applies to that authentication context and that requires guests to agree to terms of use as a condition of access.

-Further configuration of the highly sensitive scenario is done in the SharePoint site associated with the team, so the next step is to create a team.

-1. In Teams, click **Teams** on the left side of the app, then click **Join or create a team** at the bottom of the teams list.

-2. Click **Create team** (first card, top left corner).

-3. Choose **Build a team from scratch**.

-4. In the **Sensitivity** list, choose the **Highly sensitive** label that you just created.

-5. Under **Privacy**, click **Private**.

-6. Type a name for the team, and then click **Create**.

-7. Add users to the team, and then click **Close**.

-1. In the team, click **More options**, and then click **Manage team**.

-2. On the **Settings** tab, expand **Member permissions**.

-3. Clear the **Allow members to create private channels** check box.

-You can also use [teams policies](/MicrosoftTeams/teams-policies) to control who can create private channels.

-## Shared channel settings

-## SharePoint settings

-### Restrict site access to team members

-### Choose a default sensitivity label for files

-Further configuration of the sensitive scenario is done in the SharePoint site associated with the team, so the next step is to create a team.

-1. In Teams, click **Teams** on the left side of the app, then click **Join or create a team** at the bottom of the teams list.

-2. Click **Create team** (first card, top left corner).

-3. Choose **Build a team from scratch**.

-4. In the **Sensitivity** list, choose the **sensitive** label that you just created.

-5. Under **Privacy**, click **Private**.

-6. Type a name for the team, and then click **Create**.

-7. Add users to the team, and then click **Close**.

-1. In the team, click **More options**, and then click **Manage team**.

-2. On the **Settings** tab, expand **Member permissions**.

-3. Clear the **Allow members to create private channels** check box.