+Each Microsoft 365 group comes equipped with a dedicated mailbox that stores the emails received on the group. The group mailbox is also used by applications like SharePoint Online, Yammer, Teams etc. The group mailbox is equipped with initial storage quota of 50 GB. If the group mailbox quota is reached, people sending emails to the group receive a non-delivery report. Hence, itΓÇÖs a good practice to remove the older content from group mailboxes, to ensure the group mailbox doesnΓÇÖt reach its quota.

+- **Translation**: This view automatically converts alert message text to the language configured in the *Displayed language* setting in the Microsoft 365 subscription for each reviewer. This includes the text for the policy match as well as everything included in the conversation view (up to five messages before and five messages after the policy match). The *Translation* view helps broaden investigative support for organizations with multilingual users and eliminates the need for additional translation services outside of the communication compliance review process. Using Microsoft translation services, communication compliance automatically detects if the text is in a different language than the user's current system setting and will display alert message text accordingly. For a complete list of supported languages, see [Microsoft Translator Languages](https://www.microsoft.com/translator/business/languages/). Languages listed in the *Translator Language List* are supported in the *Translation* view.

+Alternatively to using this default role, you can create a new role group and add the **Retention Management** role to this group. For a read-only role, use **View-Only Retention Management**.

+To enable multi-segment support for organizations in *SingleSegment* mode, run the following cmdlet.

+Set-PolicyConfig -InformationBarrierMode 'MultiSegment'

+> If you enable multiple segments and have configured IB in your organization, you should not revert to single segment support.

+- If the label is configured as the default label in one or more label policies, and Outlook isn't configured with its own default label in the same policy, you can't remove the scope for **Email**. As a workaround, remove this label as the default label, and then you can remove the email scope.

+|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)| Current Channel: Rolling out to 2302+ | Under review | Under review | Under review | Under review |

+|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)| Current Channel: Rolling out to 2302+ | Under review | Under review | Under review | Under review |

+- **General availability (GA)**: Now rolling out in general availability for built-in labeling for Windows, support for a [default sublabel for a parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label) as a parity feature for the AIP add-in.

+ - **Removal of restrictions for prevent copying chat for protected meetings**: The label setting that [prevents copying chat to the clipboard](sensitivity-labels-meetings.md#prevent-copying-chat-to-the-clipboard-label-setting) now supports users outside your organization and also users who join a chat but weren't invited to the meeting.

+- The configuration and management of [adaptive policy scopes](retention.md#adaptive-or-static-policy-scopes-for-retention) is moving to a new location in the Microsoft Purview compliance portal: **Roles & Scopes** \> **Adaptive scopes**.

+Cross-Tenant Identity Mapping is a feature that can be used during Cross-Tenant User Data Migrations from one Microsoft 365 organization to another. It provides a secure method of establishing one-to-one object relationships across organization boundaries, and automatically prepares the target objects for a successful migration.

+Using Cross-Tenant Identity Mapping will reduce mistakes when configuring target objects for a migration by automatically configuring values such as _ExchangeGuid_, _ArchiveGuid_, and all necessary _X500 proxy addresses_.

+- The feature is only intended to be used with [Cross-tenant mailbox migration](cross-tenant-mailbox-migration.md), and not with any third-party non-Microsoft migration solutions.

+- Data processing (storage, compute, transfer, etc.) is currently within the European Union, and within the Exchange Online home region of the organizations participating in the migration.

+- Cross-Tenant Identity Mapping does **not** create the Mail Enabled User objects in the target tenant for you. These objects must still be created with a minimal attribute set. Once created, then Cross-Tenant Identity Mapping will decorate their attributes correctly for a mailbox migration to proceed.

+- Target organizations in a hybrid configuration will require Microsoft supported on-premises object management tools to modify any Mail Enabled User objects synchronized from the on-premises directory.

+The Cross-Tenant User Content Migration feature and licenses are currently only available to Enterprise Agreement customers. If you are an Enterprise Agreement customer who will be purchasing Cross-Tenant User Content Migration licenses, and you would like to evaluate Cross-Tenant Identity Mapping to improve your migration experience, then please email [CTIMPreview@service.microsoft.com](mailto:CTIMPreview@service.microsoft.com) and provide some basic information about the migration you are performing. The team will respond to you within a couple business days with some additional questions. For more information on licensing, please see [Cross-Tenant User Content Migration Licensing](cross-tenant-mailbox-migration.md?#licensing) and contact your Microsoft account team.

+- [Review Cross-Tenant Mailbox Migration](cross-tenant-mailbox-migration.md#prepare-target-user-objects-for-migration)

+|[Windows 10 lab environment](https://download.microsoft.com/download/a/5/0/a505dbce-6cc8-4f92-a777-cda556da9266/Win10_21H2_Lab_v2.zip)|[Windows 11 lab environment](https://download.microsoft.com/download/1/0/3/103138e0-b22c-4c7a-a404-e73220954309/Win11_22H2_Lab_2.28.zip)|

+|[Windows 10 lab guides](https://download.microsoft.com/download/a/5/0/a505dbce-6cc8-4f92-a777-cda556da9266/Win10_21H2_Lab_Guides_v2.zip)|[Windows 11 lab guides](https://download.microsoft.com/download/1/0/3/103138e0-b22c-4c7a-a404-e73220954309/Win11_22H2_Guides_02.28.zip)|

+### Manage Windows

+- Device Management for Windows 11 using Microsoft Intune

+- Dynamic Management with Windows 11

+- Deploying Windows apps (Win32) with Intune

+- Remote Help

+### Deploy Microsoft 365 Apps for enterprise

+- Servicing Microsoft 365 Apps for enterprise using Configuration Manager

+- Servicing Microsoft 365 Apps for enterprise using Intune

+> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published on or before May 28, 2023.

+| Microsoft Subsidiary <br>Personnel Locations |&nbsp;|&nbsp;|&nbsp;|

+| Contract Staff <br>Personnel Locations |&nbsp;|&nbsp;|&nbsp;|

+> [!NOTE]

+PATCH https://api.securitycenter.microsoft.com/api/machines/{id}/tags

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-usewdatp-abovefoldlink).

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+> [!NOTE]

+> Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API.

+> Users need to enable location permission (which is an optional permission); this enables Defender for Endpoint to scan their networks and alert them when there are WiFi-related threats. If the location permission is denied by the user, Defender for Endpoint will only be able to provide limited protection against network threats and will only protect the users from rogue certificates.

+[Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Anti-phishing and custom indicators (URL and IP addresses) are supported as part of web protection. Web content filtering is currently not supported on mobile platforms.

+> Defender for Endpoint on Android would use a VPN in order to provide the Web Protection feature. This VPN is not a regular VPN. Instead, it's a local/self-looping VPN that does not take traffic outside the device.

+>

+This feature provides protection against rogue Wi-Fi related threats and rogue certificates, which are the primary attack vector for Wi-Fi networks. Admins can list the root Certificate Authority (CA) and private root CA certificates in Microsoft Intune admin center and establish trust with endpoints. It provides the user a guided experience to connect to secure networks and also notifies them if a related threat is detected.

+It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center and add trusted certificates. Admins can also enable [privacy controls](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) to configure the data that's sent by Defender for Endpoint from Android devices.

+1. If your organization uses root CAs that are private in nature, you need to establish explicit trust between Intune (MDM solution) and user devices so Defender doesn't flag them as rogue certificates.

+ To establish trust for the root CAs, use **'Trusted CA certificate list for Network Protection'** as the key. In the value, add the **'comma separated list of certificate thumbprints (SHA 1)'**.

+ **Example of Thumbprint format to add**: `50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31, 503006091d97d4f5ae39f7cbe7927d7d652d3431`

+ > [!IMPORTANT]

+ > Certificate SHA-1 Thumbprint characters should be with either white space separated, or non separated.

+ >

+ > This format is invalid: `50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31`

+ Any other separation characters are invalid.

+ > 

+1. For other configurations related to Network protection, add the following keys and appropriate corresponding value.

+ |Enable Network protection in Microsoft Defender|1: Enable <br/> 0: Disable (default) <br/><br/> This setting is used by the IT admin to enable or disable the network protection capabilities in the Defender app.|

+ |Enable Network Protection Privacy|1: Enable (default) <br/> 0: Disable <br/><br/> This setting is managed by IT admins to enable or disable privacy in network protection.|

+ |Enable Users to Trust Networks and Certificates|1 <br/> Enable <br/> 0:Disable (default) <br/><br/> This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks and malicious certificates.|

+ |Automatic Remediation of Network Protection Alerts|1: Enable (default) <br/> 0: Disable <br/><br/> This setting is used by IT admins to enable or disable the remediation alerts that are sent when a user does remediation activities. For example, the user switches to a safer Wi-Fi access point or deletes suspicious certificates that were detected by Defender.|

+ |Manage Network Protection detection for Open Networks|0: Disable (default) <br/> 1: Audit Mode <br/><br/> This setting is managed by IT Admin to enable or disable open network detection.|

+ |Manage Network protection Detection for Certificates|0: Disable <br/> 1: Audit mode (default) <br/> 2: Enable <br/><br/> When network protection is enabled, Audit mode for certificate detection is enabled by default. In audit mode, notification alerts are sent to SOC admins, but no end user notifications are shown when Defender detects a bad certificate. Admins can disable this detection with the value 0 or enable full feature functionality by setting the value 2. When the value is 2, end user notifications are sent to users and alerts are sent to SOC admins when Defender detects a bad certificate.|

+1. Add the required groups on which the policy will have to be applied. Review and create the policy.

+> Users need to enable location permission (which is an optional permission); this enables Defender for Endpoint to scan their networks and alert them when there are WIFI-related threats. If the location permission is denied by the user, Defender for Endpoint will only be able to provide limited protection against network threats and will only protect the users from rogue certificates.

+Admins can now enable privacy control for the phish report, malware report and network report sent by Microsoft Defender for Endpoint on android. This configuration ensures that the domain name, app details and network details respectively are not sent as part of the alert whenever a corresponding threat is detected.

+4. In Settings page, select **Use configuration designer** and add click on **Add**.

+### End user privacy controls

+> Vulnerability assessment is part of [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/defender-vulnerability-management.md) in Microsoft Defender for Endpoint.

+Use the following steps to **enable vulnerability assessment of apps** from devices in **device administrator** mode for targeted users.

+Defender for Endpoint supports vulnerability assessment of apps in the work profile. However, in case you want to turn off this feature for targeted users, you can use the following steps:

+1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** \> **App configuration policies** \\> **Add** > **Managed devices**.

+2. Give the policy a name; **Platform \> Android Enterprise**; select the profile type.

+Privacy control for phish report can be used to disable the collection of domain name or website information in the phish threat report. This setting gives organizations the flexibility to choose whether they want to collect the domain name when a malicious or phish website is detected and blocked by Defender for Endpoint.

+Privacy control for malware threat report can be used to disable the collection of app details (name and package information) from the malware threat report. This setting gives organizations the flexibility to choose whether they want to collect the app name when a malicious app is detected.

+> [!IMPORTANT]

+> This issue has been resolved. Please update to the latest app version to complete the onboarding process. If the issue persists, please send an **[in-app feedback](/microsoft-365/security/defender-endpoint/android-support-signin#send-in-app-feedback)**.

+> [!IMPORTANT]

+> Microsoft Defender for Endpoint's **Anti malware engine** is now generally available. All the users are required to have a Microsoft Defender for Endpoint version above **1.0.3815.0000** to utilize this new malware protection capability. Users on Microsoft Defender for Endpoint version below 1.0.3815.0000 will be sent notifications and in-app overlay messages to update their Microsoft Defender for Endpoint application. Users can click on the link provided in the overlay message to go to the managed play store and update the application.

+> If users can't access the play store, the app can be updated through the company portal.

+It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center. Admins can also enable privacy controls to configure the data that is sent by Defender for Endpoint from Android devices.

+> [!NOTE]

+> Microsoft Defender is no longer supported for versions below 1.0.3011.0302. Users are requested to upgrade to latest versions to keep their devices secure.

+> 1. On your work profile, go to Managed Play Store.

+> 2. Tap on the profile icon on the top right corner and select "Manage apps and device".

+> 3. Locate MDE under updates available and select update.

+>

+> If you encounter any issues, [submit in-app feedback](/security/defender-endpoint/android-support-signin#send-in-app-feedback).

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+ Powershell.exe -ExecutionPolicy ByPass -File install.ps1 -RemoveMMA <workspace ID> -OnboardingScript .\WindowsDefenderATPOnboardingScript.cmd

+ > [!TIP]

+ > The registry key value was obtained by running the Powershell command shown below on a device that has the unified solution installed. Other creative methods of detection can also be used. The goal is to identify whether the unified solution has already been installed on a specific device. You can leave the Value and Data Type fields as blank.

+ get-wmiobject Win32_Product | Sort-Object -Property Name |Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize

+ > [!TIP]

+ > The maximum allowed runtime can be lowered from (default) 120 minutes to 60 minutes.

+12. Add any additional requirements then select **Next**.

+13. Under the Dependencies section, select **Next**.

+ > [!NOTE]

+ > There are variations in some ASR rules mode listings; _Blocked_ and _Enabled_ provide the same functionality.

+ > [!NOTE]

+10. Review your settings in the **Review + create** pane. Click **Create** to apply the rules.

+ > [!div class="mx-imgBorder"]

+ > :::image type="content" source="images/asr-mem-review-create.png" alt-text="The Create profile page" lightbox="images/asr-mem-review-create.png":::

+> [!NOTE]

+> There are some variations in ASR rules reports. Microsoft is in the process of updating the behavior of the ASR rules reports to provide a consistent experience.

+> [!NOTE]

+> If you have a Microsoft Microsoft 365 Security E5 or A5, Windows E5 or A5 license, the following link opens the Microsoft Defender 365 Reports > [Attack surface reductions](https://security.microsoft.com/asr?viewid=detections) > Detections tab.

+> [!NOTE]

+> If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Configurations](https://security.microsoft.com/asr?viewid=configuration) tab.

+> [!NOTE]

+> [!NOTE]

+> If you have a Microsoft Defender 365 E5 (or Windows E5?) license, this link will open the Microsoft Defender 365 Reports > Attack surface reductions > [Exclusions](https://security.microsoft.com/asr?viewid=exclusions) tab.

+Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would affect your organization if enabled. Run all rules in audit mode first so you can understand how they affect your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they might perform tasks in ways that seem similar to malware.

+By monitoring audit data and [adding exclusions](attack-surface-reduction-rules-deployment-test.md) for necessary applications, you can deploy attack surface reduction rules without reducing productivity.

+ > [!NOTE]

+ > Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016) for this feature to work.

+You can query Defender for Endpoint data in [Microsoft 365 Defender](microsoft-defender-endpoint.md) by using [advanced hunting](/microsoft-365/security/defender/advanced-hunting-query-language).

+**Applies to:**

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+> [!NOTE]

+> Around August 29, 2022, previously supported alert determination values ('Apt' and 'SecurityPersonnel') will be deprecated and no longer available via the API.

+| Set tamper protection settings for some, but not all, devices | Use endpoint security policies and profiles that are applied to specific devices. See the following articles:<br/>- [Manage tamper protection using Microsoft Intune](manage-tamper-protection-intune.md)<br/>- [Manage tamper protection using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md)|

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+> [!NOTE]

+> Consider doing the following optional items, even though they are not Microsoft Defender for Endpoint specific, they tend to improve performance in Linux systems.

+ > [!NOTE]

+ > You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an allow rule specifically for them.

+**Recommendations**:

+- [Troubleshoot AuditD performance issues with Microsoft Defender for Endpoint on Linux](troubleshoot-auditd-performance-issues.md).

+> Standard discovery uses various PowerShell scripts to actively probe devices in the network. Those PowerShell scripts are Microsoft signed and are executed from the following location: `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps`. For example, `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\UnicastScannerV1.1.0.ps1`.

+> If you are using 'TelemetryProxyServer' setting on devices that are otherwise **completely offline**, meaning the operating system is unable to connect for the online certificate revocation list or Windows Update, then it is required to add the additional registry setting `PreferStaticProxyForHttpRequest` with a value of `1`.<br>

+If a proxy or firewall is blocking anonymous traffic from the Defender for Endpoint sensor and it's connecting from system context, it's important to make sure anonymous traffic is permitted in your proxy or firewall for the previously listed URLs.

+ Title: Delete a file from the live response library

+# Delete a file from the live response library

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

+1. Rate limitations for this API are 100 calls per minute and 1500 calls per

+- If file exists in library and deleted successfully 204 No Content.

+- If specified file name was not found 404 Not Found.

+ > [!NOTE]

+ > Currently up to date reporting is only available for Windows devices. Cross platform devices such as Mac and Linux are listed under "No data available"/Unknown.

+> You can use the information gathered using Performance analyzer to better assess performance issues and apply remediation actions.

+ > [!NOTE]

+## Add a domain controller

+> [!NOTE]

+> Domain support is only available in the Microsoft 365 Defender portal (security.microsoft.com).

+2. Select **Windows Server 2019**, then select **Set as domain controller**.

+3. When your domain controller has been provisioned, you'll be able to create domain-joined devices by clicking **Add device**. Then select Windows 10 / Windows 11, and select **Join to domain**.

+> [!NOTE]

+> Only one domain controller can be live at a time. The domain controller device will remain live as long as there is a live device connected to it.

+ For **Linux devices**: you'll need to use a local SSH client and the provided command.

+2. Enter the password that was displayed during the device creation step.

+3. Run Do-it-yourself attack simulations on the device.

+> The download URLs are only valid for 3 hours; otherwise you can use the parameter.

+> To maximize download speeds, make sure you are downloading the data from the same Azure region where your data resides.

+> Some additional columns might be returned in the response. These columns are temporary and might be removed. Only use the documented columns.

+ "exportFiles":

+## How do I turn tamper protection on or off?

+If you're an organization using [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint), you can choose from several options to manage tamper protection:

+- The [Microsoft 365 Defender portal](manage-tamper-protection-microsoft-365-defender.md) (turn tamper protection on or off, tenant wide)

+- [Intune](manage-tamper-protection-intune.md) (turn tamper protection on or off, and/or configure tamper protection for some or all users)

+- [Configuration Manager](manage-tamper-protection-configuration-manager.md) (with tenant attach, you can configure tamper protection for some or all devices by using the Windows Security experience profile)

+- [Windows Security app](manage-tamper-protection-individual-device.md) (for an individual device used at home or that isn't centrally managed by a security team)

+For more information, see [How do I configure or manage tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md#how-do-i-configure-or-manage-tamper-protection)?

+## Tamper protection is preventing my security team from managing a device. What should we do?

+If tamper protection prevents your IT or security team from performing a necessary task on a device, consider using [troubleshooting mode](enable-troubleshooting-mode.md). We recommend keeping tamper protection turned on for your organization.

+## Can I change individual tamper-protected settings?

+If tamper protection is turned on for your organization, you won't be able to make changes to individual settings that are tamper protected. However, if you're managing tamper protection and devices in Intune, you can edit exclusions for Microsoft Defender Antivirus. See [Tamper protection for exclusions](manage-tamper-protection-intune.md#tamper-protection-for-exclusions).

+## Will tamper protection affect non-Microsoft antivirus registration in the Windows Security app?

+No. Non-Microsoft antivirus offerings will continue to register with the Windows Security application.

+## What happens if Microsoft Defender Antivirus isn't active on a device?

+Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. In these cases, tamper protection will continue to protect the service and its features.

+Currently, configuring tamper protection in Intune is only available for customers whose subscriptions include [Microsoft Defender for Endpoint Plan 1 or Plan 2](/microsoft-365/security/defender-endpoint).

+## Does tamper protection require cloud protection?

+

+Depending on the method or management tool you use to enable tamper protection, there might be a dependency on [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md). Cloud-delivered protection is also referred to as cloud protection, or Microsoft Advanced Protection Service (MAPS). The following table summarizes whether there's a dependency on cloud protection.

+| How tamper protection is enabled | Dependency on cloud protection? |

+|||

+| Microsoft Intune | No |

+| Microsoft Configuration Manager with Tenant Attach | No |

+| Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Yes |

+## See also

+- [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)

+- [Manage tamper protection for your organization using Microsoft Intune](manage-tamper-protection-intune.md)

+- [Manage tamper protection for your organization using Microsoft 365 Defender portal](manage-tamper-protection-microsoft-365-defender.md)

+If you're looking for Antivirus related information for other platforms, see:

+- [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+- [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

+GET /api/Machines/BrowserExtensionsInventoryByMachine

+GET /api/machines/browserextensionsinventoryExport

+GET https://api.securitycenter.microsoft.com/api/machines/browserextensionsinventoryExport

+GET /api/machines/SoftwareInventoryNonCpeExport

+**Applies to:**

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+GET /api/Software/{Id}/machineReferences

+If successful, this method returns 200 OK and a list of devices with the software installed in the body.

+**Applies to:**

+> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)

+ > [!NOTE]

+ > Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016) for this feature to work.

+> In situations when Microsoft Defender Antivirus is set to **Block**, but Defender for Endpoint - Indicators - File hash or Certificate is set to **Allow**, the policy will default to **Allow**.

+- If the IP, URL/Domain is allowed

+- If the IP, URL/Domain is not allowed

+- If the IP, URL/Domain is allowed

+> [!NOTE]

+> There may be up to 2 hours of latency between the time a policy is created and the URL or IP being blocked on the device.

+> - `Beta Channel` was named `InsiderFast` (Insider Fast)

+> - `Current Channel` (Preview) was named `External` (Insider Slow)

+> - `Current Channel` was named `Production`

+1. On a Windows device, select **Start**, and start typing *Security*. In the search results, select **Windows Security**.

+> [!NOTE]

+> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.

+>

+> To help ensure that tamper protection doesn't interfere with non-Microsoft security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)

+>

+> After you've made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors.

+ Title: Manage tamper protection for your organization using Microsoft Intune

+description: Turn tamper protection on or off for your organization in Microsoft Intune.

+keywords: malware, defender, antivirus, tamper protection, Microsoft Intune

+ms.localizationpriority: medium

+audience: ITPro

+- nextgen

+- admindeeplinkDEFENDER

+- m365-security

+- tier2

+search.appverid: met150

+# Manage tamper protection for your organization using Microsoft Intune

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 1 and Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Microsoft Defender Antivirus

+**Platforms**

+- Windows

+[Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) helps protect your security settings from being disabled or changed. If your organization uses [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), you manage tamper protection for your organization in the [Intune admin center](https://endpoint.microsoft.com). With Intune, you can enable tamper protection on some, but not all devices. You can also tamper protect exclusions that are defined for Microsoft Defender Antivirus.

+Tamper protection is part of anti-tampering capabilities that include [standard protection attack surface reduction rules](attack-surface-reduction-rules-reference.md).

+> [!IMPORTANT]

+> If you're using Microsoft Intune to manage Defender for Endpoint settings, we recommend setting [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp#configurationdisablelocaladminmerge) to true on devices.

+>

+> When tamper protection is turned on, tamper protected settings cannot be changed from their default value. Changes might appear to be successful in Intune, but will not actually be allowed by tamper protection. For the most current list of tamper protected settings, contact support.

+## Requirements for managing tamper protection in Intune

+- You must have appropriate [permissions](/microsoft-365/security/defender-endpoint/assign-portal-access) assigned, such as global admin, security admin, or security operations.

+- Your organization uses [Intune to manage devices](/mem/endpoint-manager-getting-started). (Intune licenses are required; Intune is included in Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5, Microsoft 365 Business Premium, Microsoft 365 F1/F3, Microsoft 365 Government G3/G5, and corresponding education licenses.)

+- Your Windows devices must be running Windows 10 [version 1709 or later](/lifecycle/announcements/revised-end-of-service-windows-10-1709) or Windows 11. (For more information about releases, see [Windows release information](/windows/release-health/release-information).)

+- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).

+- Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version `1.1.15500.X` (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)

+- Your Intune and Defender for Endpoint tenants must share the same Microsoft Entra (Azure Active Directory) infrastructure.

+- Your devices must be onboarded to Defender for Endpoint.

+> [!NOTE]

+> If your devices are not enrolled in Microsoft Defender for Endpoint, tamper protection will show as **Not Applicable** until the onboarding process completes.

+> Tamper protection can prevent changes to security settings from occurring. If you see an error code with Event ID 5013, see [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md).

+## Turn tamper protection on (or off) in Microsoft Intune

+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** \> **Antivirus**, and then choose **+ Create Policy**.

+ - In the **Platform** list, select **Windows 10, Windows 11, and Windows Server**.

+ - In the **Profile** list, select **Windows Security experience**.

+2. Create a profile that includes the following setting:

+ - **TamperProtection (Device): Enable**

+3. Assign the profile to one or more groups.

+## How to tell if a Windows device is managed by Intune

+You can use a registry key to confirm whether a Windows device is managed by Intune, or co-managed by Intune and Configuration Manager.

+1. On a Windows device open Registry Editor. (Read-only mode is fine; you won't be editing the registry key.)

+2. Go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender` (or `HKLM\SOFTWARE\Microsoft\Windows Defender`), and look for a `REG_DWORD` entry called **ManagedDefenderProductType**.

+ - If **ManagedDefenderProductType** has a value of `6`, then the device is managed by Intune.

+ - If **ManagedDefenderProductType** has a value of `7`, then the device is [co-managed](/mem/configmgr/comanage/overview) by Intune and Configuration Manager.

+> [!CAUTION]

+> Do not change the value of **ManagedDefenderProductType**. Use the preceding procedure for information only. Changing the key will have no effect on how the device is managed.

+## Tamper protection for exclusions

+If your organization has [exclusions defined for Microsoft Defender Antivirus](configure-exclusions-microsoft-defender-antivirus.md), tamper protection will protect those exclusions, provided all of the following conditions are met:

+- Tamper protection is deployed and managed by using Intune, and devices are managed by Intune.

+- `DisableLocalAdminMerge` is enabled. (See [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp).)

+- Microsoft Defender Antivirus exclusions are managed in Microsoft Intune. (See [Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices](/mem/intune/protect/antivirus-microsoft-defender-settings-windows).)

+- Devices are running Windows Defender platform `4.18.2211.5` or later. (See [Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions).)

+- Functionality to protect exclusions is enabled on devices. (See [How to determine whether the functionality is enabled on a Windows device](#how-to-determine-whether-the-functionality-to-protect-exclusions-is-enabled-on-a-windows-device).)

+> [!TIP]

+> For more detailed information about exclusions, see [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md).

+### How to determine whether the functionality to protect exclusions is enabled on a Windows device

+You can use a registry key to determine whether the functionality to protect Microsoft Defender Antivirus exclusions is enabled. Note that the following procedure describes how to view, but not change, tamper protection status.

+1. On a Windows device open Registry Editor. (Read-only mode is fine; you won't be editing the registry key.)

+2. To confirm that the device is managed by Intune only, go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender` (or `HKLM\SOFTWARE\Microsoft\Windows Defender`), and look for a `REG_DWORD` entry called **ManagedDefenderProductType**.

+ - If **ManagedDefenderProductType** has a value of `6`, then the device is managed by Intune only (*this value is required for exclusions to be tamper protected*).

+ - If **ManagedDefenderProductType** has a value of `7`, then the device is co-managed, such as by Intune and Configuration Manager.

+3. To confirm that tamper protection is deployed and that exclusions are tamper protected, go to `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features` (or `HKLM\SOFTWARE\Microsoft\Windows Defender\Features`), and look for the `REG_DWORD` entries that are listed in the following table:

+ | REG_DWORD | Value | What it means |

+ |:|:|:|

+ | **TamperProtection** | 5 | Tamper protection is deployed to the device. |

+ | **TamperProtectionSource** | 64 | Tamper protection is managed by Intune. |

+ | **TPExclusions** | 1 | Required conditions are met, and the new functionality to protect exclusions is enabled on the device. In this case, exclusions are tamper protected. |

+ | **TPExclusions** | 0 | Tamper protection isn't currently protecting exclusions on the device. |

+> [!CAUTION]

+> Do not change the value of the registry keys. Use the preceding procedure for information only. Changing keys will have no effect on whether tamper protection applies to exclusions.

+> [!TIP]

+> If you're looking for Antivirus related information for other platforms, see:

+> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)

+> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)

+> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)

+> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

+> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)

+> - [Configure Defender for Endpoint on Android features](android-configure.md)

+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

+[Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) helps protect your security settings from being disabled or changed. Tamper protection is part of anti-tampering capabilities that include [standard protection attack surface reduction rules](attack-surface-reduction-rules-reference.md). Tamper protection is an important part of your security strategy, as it helps prevent important security settings from being disabled or turned off.

+You can turn tamper protection on (or off) tenant wide by using the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).

+## Important points to keep in mind

+- When you manage tamper protection in the Microsoft 365 Defender portal, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows 10 Enterprise multi-session, Windows 11, Windows 11 Enterprise multi-session, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 or Windows Server 2022. To turn tamper protection on for some devices but off for others, use either [Manage tamper protection for your organization using Microsoft Intune](manage-tamper-protection-intune.md) or [Manage tamper protection using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md).

+- Currently, the option to manage tamper protection in the Microsoft 365 Defender portal is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis. To opt in, in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, choose **Settings** \> **Endpoints** \> **Advanced features** \> **Tamper protection**.

+- If you're using the Microsoft 365 Defender portal to manage tamper protection, you don't have to use Intune or the tenant attach method.

+- If your organization is currently using Microsoft Intune to manage security settings (such as tamper protection), turning tamper protection on or off in the Microsoft 365 Defender portal won't override settings managed in Intune.

+- If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft 365 Defender portal.

+(<a id="fn5">5</a>) When Microsoft Defender Antivirus is in passive mode, scans aren't scheduled. Note that scan tasks that are enabled in Windows Task Scheduler will continue to run according to their schedule. If you have such scheduled tasks, you can remove these if preferred.

+- [Microsoft Defender for Endpoint Plan 1 and Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+## What is tamper protection?

+Tamper protection is a capability in Microsoft Defender for Endpoint that helps protect certain security settings from being disabled or changed. During some kinds of cyber attacks, bad actors try to disable security features, such as antivirus protection, on devices. Disabling security features provides bad actors with easier access to your data, the ability to install malware, and the ability to exploit your data, identity, and devices. Tamper protection helps guard against these types of activities.

+Tamper protection is part of anti-tampering capabilities that include [standard protection attack surface reduction rules](attack-surface-reduction-rules-reference.md). Tamper protection is an important part of [built-in protection](built-in-protection.md).

+## What happens when tamper protection is turned on?

+When tamper protection is turned on, tamper protected settings cannot be changed from their default values.

+- Virus and threat protection are enabled.

+- Real-time protection is turned on.

+- Behavior monitoring is turned on.

+- Antivirus protection, including IOfficeAntivirus (IOAV) is enabled.

+- Cloud protection is enabled.

+- Security intelligence updates occur.

+- Automatic actions are taken on detected threats.

+- Notifications are visible in the Windows Security app on Windows devices.

+- Archives and network files can be scanned.

+Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Defender for Endpoint, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team. (See [How do I configure or manage tamper protection](#how-do-i-configure-or-manage-tamper-protection)?)

+## On what devices can tamper protection be enabled?

+Tamper protection is available for devices that are running one of the following versions of Windows:

+- Windows 10 and 11 (including Enterprise multi-session)

+- Windows Server 2022, Windows Server 2019, and Windows Server, version 1803 or later

+- Windows Server 2016 and Windows Server 2012 R2 (using the modern, unified solution)

+Tamper protection is also available for Mac. For more information, see [Protect macOS security settings with tamper protection](tamperprotection-macos.md).

+> [!IMPORTANT]

+> Built-in protection includes turning tamper protection on by default. To learn more about built-in protection, see:

+> - [Built-in protection helps guard against ransomware](built-in-protection.md) (article)

+> - [Tamper protection will be turned on for all enterprise customers](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/tamper-protection-will-be-turned-on-for-all-enterprise-customers/ba-p/3616478) (Tech Community blog post)

+## How do I configure or manage tamper protection?

+You can use Microsoft Intune and other methods to configure or manage tamper protection, as listed in the following table:

+| Method | Description |

+|:|:|

+| The [Microsoft 365 Defender portal](https://security.microsoft.com) | Turn tamper protection on (or off), tenant wide. Note that this method won't override settings managed in Microsoft Intune. <br/><br/>For more information, see [Manage tamper protection for your organization using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md). |

+| The [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) | Turn tamper protection on (or off), tenant wide, or all or some devices. Using this method, you can also [tamper protect exclusions](manage-tamper-protection-intune.md#tamper-protection-for-exclusions) for Microsoft Defender Antivirus. <br/><br/>For more information, see [Manage tamper protection for your organization using Intune](manage-tamper-protection-intune.md). |

+| Configuration Manager | Turn tamper protection on or off by using Configuration Manager (with tenant attach). Note that this method won't override settings managed in Intune. <br/><br/>For more information, see [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md). |

+| Windows Security app | Turn tamper protection on (or off) on an individual device that is not managed by a security team (such as devices for home use). Note that this method won't override settings managed by the Microsoft 365 Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations. <br/><br/>For more information, see [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md). |

+> [!IMPORTANT]

+> When tamper protection is turned on, tamper-protected settings cannot be changed from their default values. It might appear that changes made were successful, but changes are not actually allowed by tamper protection.

+## What about exclusions?

+Under certain conditions, tamper protection will protect exclusions that are defined for Microsoft Defender Antivirus. For more information, see [Tamper protection for exclusions](manage-tamper-protection-intune.md#tamper-protection-for-exclusions).

+Tamper protection integrates with [Microsoft Defender Vulnerability Management](next-gen-threat-and-vuln-mgt.md) capabilities. [Security recommendations](tvm-security-recommendation.md) include making sure tamper protection is turned on. For example, in your [Vulnerability Management dashboard](/microsoft-365/security/defender-vulnerability-management/tvm-dashboard-insights#vulnerability-management-dashboard), you can search on *tamper*. In the results, you can select **Turn on Tamper Protection** to learn more and turn it on.

+- [Protect macOS security settings with tamper protection](tamperprotection-macos.md)

+- [Frequently asked questions on tamper protection](faqs-tamper-protection.md)

+|[Device isolation](respond-machine-alerts.md) |  |  |  ^{[[2](#fn2)][[3](#fn3)]} |  |

+5. Review the summary and save the policy.

+> - There may be up to 2 hours of latency between the time a policy is created and the policy being enforced on the device.

+This document outlines the key infrastructure requirements you must meet and important information on data access and compliance you must know before purchasing the Microsoft Defender Experts for Hunting service. Microsoft understands that customers who use our managed services entrust us with their most valued asset, their data.

+> [!IMPORTANT]

+> Microsoft Defender Experts for Hunting is sold separately from other Microsoft 365 Defender products. If you're a Microsoft 365 Defender customer and are interested in purchasing Defender Experts for Hunting, complete a [customer interest form](https://aka.ms/DEX4HuntingCustomerInterestForm).

+Microsoft Defender Experts for Hunting was created for customers who have a robust security operations center but want Microsoft to help them proactively hunt threats using Microsoft Defender data. Defender Experts for Hunting is a proactive threat hunting service that goes beyond the endpoint to hunt across endpoints, Office 365, cloud applications, and identity. Our experts will investigate anything they find, then hand off the contextual alert information along with remediation instructions, so you can quickly respond.

+

+You can set up Microsoft 365 Defender to notify you or your staff with an email about new incidents or updates to existing incidents, including those observed by Microsoft Defender Experts. [Learn more about getting incident notifications by email](/microsoft-365/security/defender/incidents-overview#get-incident-notifications-by-email)

+2. Update your existing email notification rules or create a new one. [Learn more about creating a rule for email notifications](/microsoft-365/security/defender/incidents-overview#create-a-rule-for-email-notifications)

+## Collaborate with Experts on Demand

+### Sample questions you can ask from Defender Experts

+**Alert information**

+**Possible device compromise**

+**Threat intelligence details**

+**Microsoft Defender Experts for Hunting alert communications**

+- The new version of Microsoft Defender Experts for Hunting report is now available. The report's new interface now lets customers have more contextual details about the suspicious activities Defender Experts have observed in their environments. It also shows which suspicious activities have been continuously trending from month to month. For details, see [Understand the Defender Experts for Hunting report in Microsoft 365 Defender](defender-experts-report.md).

+|**Retention Management**|Manage retention policies, retention labels, and retention label policies. Includes permissions to add and remove adaptive scopes from these policies, and to create, delete, and modify adaptive scopes.|Compliance Administrator <br/><br/> Compliance Data Administrator <br/><br/> Organization Management <br/><br/> Records Management|

+When you use Microsoft Syntex pay-as-you-go, services are billed using Syntex meters in the Azure subscription that you specified when you set up Microsoft Syntex. The table below describes each meter, its pricing, and how it measures usage. When you connect your Azure subscription to Microsoft Syntex, users in your organization will be able to take advantage of Syntex services right away. Your tenant will be billed according to the details shown in this article.

+|Service|What's counted?|What's billed?|

+[Licensing for Microsoft Syntex](syntex-licensing.md)

+ Title: Microsoft Syntex video library

+audience: admin

+search.appverid:

+ - enabler-strategic

+ - m365initiative-syntex

+ms.localizationpriority: medium

+description: Watch videos to learn about some of the different features in Microsoft Syntex.

+# Microsoft Syntex video library

+|Overview of model types |Create a content center |

+|||

+|[:::image type="content" source="../medi) |

+|Unstructured document processing |Apply a model to a document library |

+|||

+|[:::image type="content" source="../medi) |

+|Create and train a classifier |Import a training set |

+|||

+|[:::image type="content" source="../medi#add-your-example-files) |

+|Create and train an extractor |Apply a retention label |

+|||

+|[:::image type="content" source="../medi) |

+|Model usage analytics |Manage contracts solution |

+|||

+|[:::image type="content" source="../medi) |

+|Leverage term store taxonomy |Push content types to a hub |

+|||

+|[:::image type="content" source="../medi) |

+> Scripts should not reboot the machine, if a reboot is necessary please specify this during the upload of your scripts.

+> [!IMPORTANT]

+> The maximum disc space available is 127 Gb. Packages that consume more than this amount of space will not be executed.

+> [!IMPORTANT]

+> Packages that interact with the Windows UI must have the Autologon Credentials enabled to execute properly.

+**Q: How long does KB installation take?**

+**A:** The KB installation time can vary, the KB installation happens in between the install and launch scripts for OOB tests.

+### Transferring whiteboard when a user leaves the company

+To preserve a former user's OneDrive files, including .whiteboard files, first give yourself access to their OneDrive, and then move the files you want to keep.

+- In the admin center, go to the **Users** > [Active users](https://go.microsoft.com/fwlink/p/?linkid=834822) page.

+- Select a user.

+- On the user properties page, select **OneDrive**. Under Get access to files, select **Create link to files**.

+- Select the link to open the file location.

+- Select the files or folders that you want to move, and then selectΓÇ»**Move to**.

+Learn more about preserving former userΓÇÖs content: [Step 5 - Give another employee access to OneDrive and Outlook data - Microsoft 365 admin | Microsoft Learn](/admin/add-users/remove-former-employee-step-5)

+### Managing moved whiteboards

+Once the .whiteboard file appears in the OneDrive for Business of the new owner, they can open, edit, rename or delete the files.

+- Open office.com and in the app launcher, select OneDrive.

+- In the left-hand navigation pane, select My Files.

+- Open the folder called Whiteboards.

+- In the list of files, select the moved file and click the ... button to get rename, delete and other options.