Updates from: 04/01/2023 01:36:48
Category Microsoft Docs article Related commit history on GitHub Change details
admin Turn Pronouns On Or Off https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/turn-pronouns-on-or-off.md
f1.keywords: CSH
Previously updated : 02/07/2023 Last updated : 03/31/2023 audience: Admin
+ms.localizationpriority: medium
- Tier2 - M365-subscription-management
- okr_smb - AdminTemplateSet search.appverid: MET150- description: "Learn how to turn the pronouns feature on or off in the Microsoft 365 admin center." # Turn pronouns on or off for your organization in the Microsoft 365 admin center
-> [!IMPORTANT]
->
-> This is prerelease documentation. The capabilities for this article are associated with [roadmap IDs 83382 and 115511](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=pronouns) and are not currently available in production environments. For availability information, refer to the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=pronouns).
- As a Microsoft 365 administrator, you can turn on a feature that lets all users in your organization add their pronouns on their profile cards in Microsoft 365. The pronouns feature is off by default and requires configuration to turn on. Before you decide to turn the feature on or off, see [Pronouns on your profile in Microsoft 365](https://support.microsoft.com/topic/232c3bfb-a947-4310-86db-b22d63663d85), [Frequently asked questions about pronouns in Microsoft 365](https://support.microsoft.com/topic/48135f04-e822-49b5-ba6b-e9bae2ce503a), and [Pronouns best practices](https://support.microsoft.com/topic/ef1701ad-711d-4c6e-b664-64c3ee188d68). Pronouns are stored with other data in the user's Exchange mailbox. For more information, see [Data Residency for Exchange Online](../../enterprise/m365-dr-workload-exo.md#how-can-i-determine-customer-data-location). > [!IMPORTANT] >
->- Knowing someoneΓÇÖs pronouns doesn't always equate to knowing their gender identity. We encourage you to understand any applicable local laws, regulations, and cultural norms that might pose extra risk to employees should their pronouns be publicly displayed and take this into consideration when you decide whether to turn on this feature.
+>- Knowing someone's pronouns doesn't always equate to knowing their gender identity. We encourage you to understand any applicable local laws, regulations, and cultural norms that might pose extra risk to employees should their pronouns be publicly displayed and take this into consideration when you decide whether to turn on this feature.
>- If you decide to use the pronouns feature, we recommend that you engage with internal and/or external subject matter experts in transgender inclusion to consider how pronoun display can complement, not substitute, more comprehensive efforts to support transgender communities in your organization. ## Before you begin
admin Servicenow Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/servicenow-incidents.md
The Microsoft 365 support integration app enables you to create ServiceNow incid
:::image type="content" source="../../media/servicenowincident1.png" alt-text="image of m365 servicehealth dashboard"::: > [!NOTE]
-> This article was partially generated using Azure OpenAI Service. Before publishing, an author reviewed and revised the content as needed. See [Our principles for using AI-generated content in Microsoft Learn](/azure/principles-for-ai-generated-content).
+> This article was partially generated using Azure OpenAI Service. Before publishing, an author reviewed and revised the content as needed. See [Our principles for using AI-generated content in Microsoft Learn](https://aka.ms/ai-content-principles).
When a Microsoft Service Health Incident is updated, the app posts the same updates to the ServiceNow incident. You can choose to have the app automatically close the ServiceNow incident when the Microsoft service health incident is resolved, or you can close it manually.
If the ServiceNow incident is automatically resolved, the app stops posting upda
- Resolution code: **Closed/Resolved by Caller** - Resolution note: **The Microsoft service health incident was resolved on <date_time>. Please refer to the incident details in the Microsoft 365 Support tab for more information.**
-To automatically create ServiceNow incidents, configure the **Assignment group** and **Category** for the app. The **Assigned to** and **Subcategory** aren't required. Setting those values improves routing and reporting.
+To automatically create ServiceNow incidents, configure the **Assignment group** and **Category** for the app. The **Assigned to** and **Subcategory** aren't required. Setting those values improves routing and reporting.
admin Mailbox Not Found Error https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/mailbox-not-found-error.md
f1.keywords:
Previously updated : 10/29/2020 audience: Admin ms.localizationpriority: high Last updated : 3/31/2023 - Tier2 - scotvorg
admin Parity Between Azure Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/parity-between-azure-information-protection.md
f1.keywords:
Previously updated : 02/18/2020 Last updated : 03/30/2023 audience: Admin
This article covers the differences between Azure Information Protection (AIP) s
While our goal is to deliver all commercial features and functionality to customers in China with our AIP for Office 365 operated by 21Vianet offer, there's some missing functionality that we'd like to highlight.
-The following list includes the existing gaps between AIP for Office 365 operated by 21Vianet and our commercial offerings as of January 2021:
+Following is a list of gaps between AIP for Office 365 operated by 21Vianet and our commercial offerings:
- Active Directory Rights Management Services (AD RMS) encryption is supported only in Microsoft 365 Apps for enterprise (build 11731.10000 or later). Office Professional Plus doesn't support AD RMS.
compliance Communication Compliance Reports Audits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-reports-audits.md
f1.keywords:
Previously updated : 02/09/2023 Last updated : 03/31/2023 audience: Admin f1_keywords:
To create a new message details report, complete the following steps:
6. Select **Create**. 7. The report creation confirmation is displayed.
-Depending on the number of items in the report, it can take a few minutes to hours before the report is ready to be downloaded. You can check progress on the Message details reports tab. Report status is *In progress* or *Ready to download*. You can have up to 15 separate reports processing simultaneously. To download a report, select a report in the *Ready to download* state and select **Download report**.
+Depending on the number of items in the report, it can take a few minutes to hours before the report is ready to be downloaded. You can check progress on the **Message details reports** tab. Report status is *In progress* or *Ready to download*. You can have up to 15 separate reports processing simultaneously. To download a report, select a report in the *Ready to download* state and select **Download report**.
> [!NOTE] > If your selected time period doesn't return any message results in the report, there were not any messages for the selected time period. The report will be blank. Message details reports contain the following information for each message item in the policy: -- **Match ID**: Unique ID for the message in the policy.
+- **Match ID**: Unique ID for a copy of the message in communication compliance.
+- **Internet Message ID**: Unique ID for the message across platforms.
+- **Conversation Family ID**: Thread ID for the message.
- **Sender**: Sender of the message. - **Recipients**: Recipients included for the message.-- **Date Sent**: Date the message was sent.-- **Match Date**: Date the message was a match for the policy conditions.
+- **Date**: The date when the message was sent.
+- **Location**: Channel that the message was sent on. This can be Exchange Online, Teams, Yammer, or any third-party channel supported by communication compliance.
- **Subject**: Subject of the message. - **Contains Attachments**: Status of any attachments for the message. Values are either *Yes* or *No*. - **Policy Name**: Name of the policy associated with the message. This value will be the same for all messages in the report. - **Item Status**: Status of the message item in the policy. Values are *Pending* or *Resolved*. - **Tags**: Tags assigned to the message. Values are *Questionable, Compliant*, or *Non-compliant*. - **Keyword Matches**: Keyword matches for the message.
+- **Trainable Classifier ID**: ID of the trainable classifier that was matched.
+- **Trainable Classifier Name and Matched Keywords**: The name of the trainable classifier and the keywords that triggered the classifier match.
- **Reviewers**: Reviewers assigned to message. - **Pending for (days)**: Number of days the message has been in a pending state. For resolved messages, the value is 0.-- **Comment for resolved**: Comments for the message entered when resolved.
+- **Comment for Resolved**: Comments for the message entered when resolved.
- **Resolved Date**: Date and Coordinated Universal Time (UTC) the message was resolved. - **Last Updated By**: User name of the last updater. - **Last Updated On**: Date and Coordinated Universal Time (UTC) the message was last updated.-- **History of comments**: List of all comments for the message alert, including comment author and date and Coordinated Universal Time (UTC) of the comment.
+- **History of Comments**: List of all comments for the message alert, including comment author and date and Coordinated Universal Time (UTC) of the comment.
## Audit
compliance Compliance Manager Templates List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-templates-list.md
f1.keywords:
Previously updated : 01/01/2023 Last updated : 03/31/2023 audience: Admin
The templates listed below may be purchased by your organization. Certain licens
- Pakistan - Electronic Data Protection Act - DRAFT - Philippines BSP Information Security Management Guidelines - Philippines Data Privacy Act of 2012
+- Saudi Arabia - Saudi Arabia Monetary Authority (SAMA)
+- Saudi Arabia - National Cybersecurity Authority (NCA)
- Singapore - ABS Guidelines on Control Objectives and Procedures for Outsourced Service Providers - Singapore - Banking Act (Cap.19) - Singapore - Cybersecurity 2018
compliance Endpoint Dlp Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
Here are the virtual operating systems that are supported by virtualization envi
|||| |Azure virtual desktop (AVD)|<ul><li>Single session supported for 20H2, 21H1, 21H2</li><li>Multi session supported for 20H2, 21H1, 21H2</li></ul>|<ul><li>Single session supported for 22H2</li><li>Multi session supported for 22H2</li></ul>| |Citrix Virtual Apps and Desktops 7 (2209)|<ul><li>Single session supported for 20H2, 21H1, 21H2</li><li>Multi session supported for 20H2, 21H1, 21H2|<ul><li>Single session supported for 21H2 (Gen2)</li><li>Multi session supported for 21H2 (Gen 2)</li></ul>|
-|Azure virtual desktop (AVD)|<ul><li>Single session supported for 20H2, 21H1, 21H2</li><li>Multi session supported for 20H2, 21H1, 21H2</li></ul>|<ul><li>Single session supported for 22H2</li><li>Multi session supported for 22H2</li></ul>|
+|Amazon workspaces|<ul><li>Single session supported for 20H2, 21H1, 21H2|N/A|
|Hyper-V|<ul><li>Single session supported for 20H2, 21H1, 21H2</li><li>Multi session with Hybrid AD join supported for 20H2, 21H1, 21H2</li></ul>|<ul><li>Single session supported for 22H2</li><li>Multi session with Hybrid AD join supported for 22H2</li></ul>| #### Known issues
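Review bot: the added "Amazon workspaces" row opens `<ul><li>` in its second column but never closes them (`</li></ul>`), so the cell's HTML is unbalanced; the Citrix row in the surrounding context has the same defect in its first column. Suggest `|Amazon workspaces|<ul><li>Single session supported for 20H2, 21H1, 21H2</li></ul>|N/A|`. The product name also differs from the what's-new entry that links to this table, which calls it "Amazon virtual workspaces"; use one name in both places.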
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
For other workloads, see:
Teams chats messages, channel messages, and private channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: [Video clips](https://support.microsoft.com/office/record-a-video-clip-in-teams-0c57dae5-2974-4214-9c46-7a2136386f1c), embedded images, tables, hypertext links, links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards).
-Newly created call data records, which are system-generated messages that contain [metadata for meetings and calls](/MicrosoftTeams/ediscovery-investigation#teams-metadata) are also supported.
+Call data records, which are system-generated messages that contain [metadata for meetings and calls](/MicrosoftTeams/ediscovery-investigation#teams-metadata) are supported.
+
+The control message events for naming and for renaming a chat are supported. Control messages are system-generated messages that contain [information about actions taken in Teams](/graph/system-messages#supported-system-message-events).
These chat messages and private channel messages include all the names of the people in the conversation, and channel messages include the team name and the message title (if supplied).
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
f1.keywords:
Previously updated : 03/30/2023 Last updated : 03/31/2023 audience: Admin
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- **General availability (GA)**: Rolling out in general availability, [Microsoft Graph Records Management APIs](/graph/api/resources/security-recordsmanagement-overview) to support the management of retention labels and event-based retention. - **In preview**: Auto-labeling retention policies for [cloud attachments](apply-retention-labels-automatically.md#auto-apply-labels-to-cloud-attachments) that were already in preview are now gradually rolling out support for URL text links.
+- **Improvements for Teams retention policies**: Now rolling out, support for existing call data records as well as newly created call data records, and support for the control message events that name and rename a chat.
- **Improvements that support Power Automate flows**: Now rolling out to support the scenario of [customizing what happens at the end of the retention period](retention-label-flow.md), the existing Power Automate compliance actions have been renamed to more accurately describe their purpose. **Apply label on the item** is renamed **Relabel an item at the end of retention**, and **Deletes the item** is renamed **Deletes an item at the end of retention**. Additionally: - New compliance action to [improve the resilience of your flow](retention-label-flow.md#add-resilience-to-your-flow). - The trigger action **When the retention period expires** is renamed **When an item reaches the end of its retention period**. - New compliance action of **Apply a retention label on the item** to apply a retention label independently from this scenario, as if manually applying a label. The label doesn't need to be published and the retention label is applied immediately.
+### Data loss prevention
+
+- **General availability (GA)**: [Learn about the Microsoft Purview Firefox extension](dlp-firefox-extension-learn.md) and [Get started with the Microsoft Purview Firefox extension](dlp-firefox-extension-get-started.md)
+- **In preview**:
+ - [Endpoint DLP Aggregated most restrictive actions applied to endpoints](dlp-policy-reference.md#for-endpoints-preview)
+ - [Just in time protection for endpoints and network shares](endpoint-dlp-learn-about.md#just-in-time-protection-preview)
+ - [Display of conditions matched when an item matches a policy](dlp-configure-view-alerts-policies.md#other-matched-conditions-preview)
+ - [Endpoint DLP policies can be applied to network shares](dlp-configure-endpoint-settings.md#network-share-coverage-and-exclusions-preview)
+ - Support for [endpoint DLP policies in Azure virtual desktop, Citrix Virtual Apps and Desktops 7, Amazon virtual workspaces and Hyper-v environments](endpoint-dlp-getting-started.md#endpoint-dlp-support-for-virtualized-environments-preview)
+ - [Show policy tips as an oversharing popup](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview)
+
+### Device onboarding
+- **In preview**: Device configuration and policy sync status is now viewable in the onboarded devices list for [Windows 10/11](device-onboarding-overview.md#device-configuration-and-policy-sync-status-preview) and [macOS](device-onboarding-macos-overview.md#device-configuration-and-policy-sync-status-preview) devices
+ ### eDiscovery - Updates for [hold type values](/microsoft-365/compliance/ediscovery-identify-a-hold-on-an-exchange-online-mailbox#review-the-results-of-the-mailbox-diagnostics-logs) in the Mailbox diagnostic logs.
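Review bot: the virtualized-environments bullet names "Amazon virtual workspaces" and "Hyper-v", while the endpoint-dlp-getting-started table it links to uses "Amazon workspaces" and "Hyper-V"; align the names and casing. The added "### Device onboarding" heading lacks the blank line after it that the other added headings have, and the eDiscovery heading sits on the same line as its first list item, so it will not render as a heading.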
enterprise Microsoft 365 Exo Archive Advisory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-exo-archive-advisory.md
# Service advisories for auto-expanding archive utilization in Exchange Online monitoring
-We've released a new Exchange Online service advisory that informs you of auto-expanding archives attached to mailboxes that are at risk of reaching or exceeding the 1.5TB cumulative limit on auto-expanding archive size. These service advisories provide visibility to the mailboxes in your organization that may require admin intervention.
+We've released a new Exchange Online service advisory that informs you of auto-expanding archives attached to mailboxes at risk of reaching the 1.5TB limit on total auto-expanding archive size. These service advisories provide visibility to the mailboxes in your organization that may require admin intervention.
These service advisories are displayed in the Microsoft 365 admin center. To view these service advisories, go to **Health** \> **Service health** \> **Exchange Online** and then click the **Active issues** tab. ## What do these service advisories indicate?
-This service advisory informs you of potential data storage limits being reached in your organization. Mailboxes with archive mailboxes that have the auto-expanding archive feature enabled may store a maximum of 1.5TB of data in the auto-expanding archive. The service advisory contains a table with information about the mailboxes nearing this limit in your organization. Here's an example of the table:
+This service advisory informs you of potential data storage limits being reached in your organization. Mailboxes with archive mailboxes that have the auto-expanding archive feature enabled may store a maximum of 1.5 TB of data in the auto-expanding archive. The service advisory contains a link under "User Impact" that shows a flyout window listing impacted mailbox GUIDs for your tenant.
-| mailboxGuid | Status | SizeInGB |
-| | | |
-| b47c25fd-3d78-481c-970b-6799bc454275 | Warning | 1312 |
-| faf1c53e-9214-48aa-b91e-f908f3c1c762 | Warning | 1316 |
-| c874b925-989a-4119-aa39-b6280a456b9e | Critical | 1499 |
+
+Here is an example of the flyout:
+ The following list describes each column in the previous example. - **mailboxGuid** : The GUID of the main archive for the mailbox or one of the additional storage units in the auxiliary archive ("AuxArchive").-- **Status** : _Warning_ if the auto-expanding archive total size is over 1.2TB but less than 1.4TB; _Critical_ if the auto-expanding archive total size is over 1.4TB.
+- **Status** : _Warning_ if the auto-expanding archive total size is over 1.2 TB but less than 1.4 TB; _Critical_ if the auto-expanding archive total size is over 1.4TB.
- **SizeInGB** : The total size of the auto-expanding archive associated with the mailbox.
+### Identifying affected users
+
+Use PowerShell to determine the user associated with the archive: `Get-Mailbox yourtenantdomain.onmicrosoft.com\GUID-of-archive`
+ ## More information For more information about auto-expanding archive limits and considerations, see the following articles:
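Review bot: "Here is an example of the flyout:" is followed by nothing (no image, no list), and the next sentence still says "The following list describes each column in the previous example" even though the example table was removed; either add the flyout screenshot or reword to refer to the flyout's columns directly. Unit spacing is mixed within the hunk: "1.5TB" in the intro paragraph, "1.5 TB" in the next, and "1.2 TB ... 1.4 TB ... 1.4TB" in the Status bullet; pick one form. The `Get-Mailbox yourtenantdomain.onmicrosoft.com\GUID-of-archive` command would be clearer in a fenced code block with the two placeholders marked as such, for example `Get-Mailbox <yourtenantdomain>.onmicrosoft.com\<GUID-of-archive>`.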
lighthouse M365 Lighthouse Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-whats-new.md
Previously updated : 02/28/2023 Last updated : 03/31/2023 audience: Admin
Microsoft 365 Lighthouse also provides *who*, *where*, and *when* details about
This insight helps you effectively engage fellow tenant admins&mdash;either in your organization or in the customer's organization&mdash;to educate them about the impact of their activity and how to mitigate future risks associated with configuration drift.
-### Enhanced deployment insights for licensingΓÇ»
-
-Microsoft 365 Lighthouse now provides insights around which deployment tasks can't be completed for which users due to insufficient licensing. These insights help you adjust the licensing or the deployment plan accordingly to complete your deployment.
-- ### Deployment insights Home page card The Microsoft 365 Lighthouse Home page now includes a Deployment insights card that provides actionable insights around the deployment state of the tenants you manage. These insights can help identify where to focus deployment activities to optimize tenant health and security.
security Attack Surface Reduction Rules Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment.md
- m365solution-asr-rules - highpri - tier1 Previously updated : 12/18/2022 Last updated : 03/31/2023 search.appverid: met150
As outlined in [Use attack surface reduction rules to prevent malware infection]
| Polymorphic threats | Lateral movement & credential theft | Productivity apps rules | Email rules | Script rules | Misc rules | |:|:|:|:|:|:|
-| Block executable files from running unless they meet a prevalence (1000 machines), age (24 hrs), or trusted list criteria | Block process creations originating from PSExec and WMI commands | Block Office apps from creating executable content | Block executable content from email client and webmail | Block obfuscated JS/VBS/PS/macro code | Block abuse of exploited vulnerable signed drivers <sup>[[1](#fn1)]<sup></sup> |
+| Block executable files from running unless they meet a prevalence (1000 machines), age, or trusted list criteria | Block process creations originating from PSExec and WMI commands | Block Office apps from creating executable content | Block executable content from email client and webmail | Block obfuscated JS/VBS/PS/macro code | Block abuse of exploited vulnerable signed drivers <sup>[[1](#fn1)]<sup></sup> |
| Block untrusted and unsigned processes that run from USB | Block credential stealing from the Windows local security authority subsystem (lsass.exe)<sup>[[2](#fn1)]<sup></sup> | Block Office apps from creating child processes | Block only Office communication applications from creating child processes | Block JS/VBS from launching downloaded executable content | | | Use advanced protection against ransomware | Block persistence through WMI event subscription | Block Office apps from injecting code into other processes | Block Office communication apps from creating child processes | | | | | | Block Adobe Reader from creating child processes | | | |
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
In addition to server role-defined automatic exclusions, you can add or remove c
- Custom exclusions take precedence over automatic exclusions. - Automatic exclusions only apply to [real-time protection (RTP)](configure-protection-features-microsoft-defender-antivirus.md) scanning. -- Automatic exclusions aren't honored during a [full, quick, or on-demand scan](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan).
+- Automatic exclusions aren't honored during a [quick scan, full scan, and custom scan](schedule-antivirus-scans.md#comparing-the-quick-scan-full-scan-and-custom-scan).
- Custom and duplicate exclusions don't conflict with automatic exclusions. - Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. - Appropriate exclusions must be set for software that isn't included with the operating system.
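Review bot: the rewritten bullet reads "aren't honored during a quick scan, full scan, and custom scan"; with the article "a" the conjunction should be "or" (as in the removed text), or drop the article: "during quick, full, and custom scans". The anchor change to `#comparing-the-quick-scan-full-scan-and-custom-scan` matches the same rename in the defender-endpoint-antivirus-exclusions hunk, which is good.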
security Defender Endpoint Antivirus Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions.md
Microsoft Defender Antivirus exclusions can apply to antivirus scans and/or to r
### Automatic exclusions
-[Automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#the-list-of-automatic-exclusions) include operating system files and server roles and features. These exclusions won't be scanned by [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) but are still subject to [quick, full, or on-demand antivirus scans](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan). The following table provides some examples and includes links to learn more.
+[Automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#the-list-of-automatic-exclusions) include operating system files and server roles and features. These exclusions won't be scanned by [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) but are still subject to [quick, full, or on-demand antivirus scans](schedule-antivirus-scans.md#comparing-the-quick-scan-full-scan-and-custom-scan). The following table provides some examples and includes links to learn more.
| Automatic exclusion type | Examples | |:|:-|
Microsoft Defender Antivirus exclusions can apply to antivirus scans and/or to r
### Custom exclusions
-[Custom exclusions](configure-exclusions-microsoft-defender-antivirus.md) include files and folders that you specify. Exclusions for files, folders, and processes will be skipped by scheduled scans, on-demand scans, and real-time protection. Exclusions for process-opened files won't be scanned by [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) but are still subject to [quick, full, or on-demand antivirus scans](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan).
+[Custom exclusions](configure-exclusions-microsoft-defender-antivirus.md) include files and folders that you specify. Exclusions for files, folders, and processes will be skipped by scheduled scans, on-demand scans, and real-time protection. Exclusions for process-opened files won't be scanned by [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) but are still subject to [quick, full, or on-demand antivirus scans](schedule-antivirus-scans.md#comparing-the-quick-scan-full-scan-and-custom-scan).
### Custom remediation actions
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
Title: Endpoint detection and response in block mode description: Learn about endpoint detection and response in block mode
-keywords: Microsoft Defender for Endpoint, mde, EDR in block mode, passive mode blocking
-ms.pagetype: security
- next-gen - edr - admindeeplinkDEFENDER Previously updated : 08/19/2022 Last updated : 03/31/2023 - m365-security - tier2
search.appverid: met150
-# Endpoint detection and response (EDR) in block mode
+# Endpoint detection and response in block mode
**Applies to:**
search.appverid: met150
## What is EDR in block mode?
-[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus(MDAV) is not the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. EDR in block mode allows Microsoft Defender Antivirus to take actions on post-breach, behavioral EDR detections. See the section, [Do I need to turn on EDR in block mode if I have Microsoft Defender Antivirus?](#do-i-need-to-turn-edr-in-block-mode-on-if-i-have-microsoft-defender-antivirus-running-on-devices) in the **Frequently asked questions** section.
+[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. EDR in block mode allows Microsoft Defender Antivirus to take actions on post-breach, behavioral EDR detections.
> [!IMPORTANT] > EDR in block mode does not provide all the protection that is available when Microsoft Defender Antivirus real-time protection is enabled. Some capabilities that depend on Microsoft Defender Antivirus to be the active antivirus solution will not work, such as the following examples:
When EDR in block mode is turned on, and a malicious artifact is detected, Defen
## Enable EDR in block mode > [!IMPORTANT]
-> Starting with platform version 4.18.2202.X, you can now set EDR in block mode to target specific device groups using Intune CSPs. You can continue to set EDR in block mode tenant-wide in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>. EDR in block mode is primarily recommended for devices that are running Microsoft Defender Antivirus in passive mode (a non-Microsoft antivirus solution is installed and active on the device).
-
-> [!TIP]
> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode.
+>
+> Starting with [platform version 4.18.2202.X](microsoft-defender-antivirus-updates.md), you can now set EDR in block mode to target specific device groups using Intune CSPs. You can continue to set EDR in block mode tenant-wide in the [Microsoft 365 Defender portal](https://security.microsoft.com).
+>
+> EDR in block mode is primarily recommended for devices that are running Microsoft Defender Antivirus in passive mode (a non-Microsoft antivirus solution is installed and active on the device).
-> [!NOTE]
-> Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.
-
-### Security Portal
+### Microsoft 365 Defender
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com/](https://security.microsoft.com/)) and sign in.
-1. Choose **Settings** \> **Endpoints** \> **General** \> **Advanced features**.
-1. Scroll down, and then turn on **Enable EDR in block mode**.
+
+2. Choose **Settings** \> **Endpoints** \> **General** \> **Advanced features**.
+
+3. Scroll down, and then turn on **Enable EDR in block mode**.
### Intune
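Review bot: the dropped NOTE "Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2" is the only licensing statement attached to the device-group targeting guidance that this hunk keeps in the merged IMPORTANT block; unless it is no longer accurate, keep it there. The portal link also changes from the go.microsoft.com fwlink to a direct https://security.microsoft.com URL while step 1 below still links the same portal with a trailing slash; confirm one link convention for the article.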
The following table lists requirements for EDR in block mode:
|Requirement|Details| ||| |Permissions|You must have either the Global Administrator or Security Administrator role assigned in [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). For more information, see [Basic permissions](basic-permissions.md).|
-|Operating system|Devices must be running one of the following versions of Windows: <ul><li>Windows 11</li><li>Windows 10 (all releases)</li><li>Windows Server 2019 or later</li><li>Windows Server, version 1803 or later</li><li>Windows Server 2016 and Windows Server 2012 R2 \(with the [new unified client solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution)\)</li></ul>|
-|Microsoft Defender for Endpoint|Devices must be onboarded to Defender for Endpoint. See the following articles: <br/>- [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)<br/>- [Onboard devices and configure Microsoft Defender for Endpoint capabilities](onboard-configure.md)<br/>- [Onboard Windows servers to the Defender for Endpoint service](configure-server-endpoints.md)<br/>- [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution (Preview)](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution) |
-|Microsoft Defender Antivirus|Devices must have Microsoft Defender Antivirus installed and running in either active mode or passive mode. [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode).|
+|Operating system|Devices must be running one of the following versions of Windows: <br/>- Windows 11<br/>- Windows 10 (all releases)<br/>- Windows Server 2019 or later<br/>- Windows Server, version 1803 or later<br/>- Windows Server 2016 and Windows Server 2012 R2 (with the [new unified client solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution))|
+|Microsoft Defender for Endpoint|Devices must be onboarded to Defender for Endpoint. See the following articles: <br/>- [Minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)<br/>- [Onboard devices and configure Microsoft Defender for Endpoint capabilities](onboard-configure.md)<br/>- [Onboard Windows servers to the Defender for Endpoint service](configure-server-endpoints.md)<br/>- [New Windows Server 2012 R2 and 2016 functionality in the modern unified solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution)<br/>(See [Is EDR in block mode supported on Windows Server 2016 and Windows Server 2012 R2?](edr-block-mode-faqs.yml)) |
+|Microsoft Defender Antivirus|Devices must have Microsoft Defender Antivirus installed and running in either active mode or passive mode. [Confirm Microsoft Defender Antivirus is in active or passive mode](edr-block-mode-faqs.yml).|
|Cloud-delivered protection|Microsoft Defender Antivirus must be configured such that [cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md).|
-|Microsoft Defender Antivirus platform|Devices must be up to date. To confirm, using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. <p> To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).|
-|Microsoft Defender Antivirus engine|Devices must be up to date. To confirm, using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. <p> To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).|
-
-(<a id="fn1">1</a>) See [Is EDR in block mode supported on Windows Server 2016 and Windows Server 2012 R2?](#is-edr-in-block-mode-supported-on-windows-server-2016-and-windows-server-2012-r2)
+|Microsoft Defender Antivirus platform|Devices must be up to date. To confirm, using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. <br/><br/> To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).|
+|Microsoft Defender Antivirus engine|Devices must be up to date. To confirm, using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. <br/><br/> To learn more, see [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).|
> [!IMPORTANT] > To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus, but not [indicators](manage-indicators.md) that are defined for Microsoft Defender for Endpoint.
-## Frequently asked questions
-
-### Can I specify exclusions for EDR in block mode?
-
-In you get a false positive, you can submit the file for analysis at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/en-us/wdsi/filesubmission).
-
-You can also define an exclusion for Microsoft Defender Antivirus. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
-
-### Do I need to turn EDR in block mode on if I have Microsoft Defender Antivirus running on devices?
-
-The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product. There is minimal benefit in enabling EDR in block mode when Microsoft Defender Antivirus is in active mode, because real-time protection is expected to catch and remediate detections first. We recommend enabling EDR in block mode on endpoints where Microsoft Defender for Antivirus is running in passive mode. EDR detections can be automatically remediated by [PUA protection](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) or by [automated investigation & remediation capabilities](automated-investigations.md) in block mode.
-
-### Will EDR in block mode affect a user's antivirus protection?
-
-EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Microsoft Defender Antivirus in passive mode, except that EDR in block mode also blocks and remediates malicious artifacts or behaviors that are detected.
-
-### Why do I need to keep Microsoft Defender Antivirus up to date?
-
-Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](microsoft-defender-endpoint.md) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date. See [Manage Microsoft Defender Antivirus updates and apply baselines](microsoft-defender-antivirus-updates.md).
-
-### Why do we need cloud protection (MAPS) on?
-
-Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](microsoft-defender-endpoint.md) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
-
-### What is the difference between active and passive mode?
-
-For endpoints running Windows 10, Windows 11, Windows Server, version 1803 or later, Windows Server 2019, or Windows Server 2022 when Microsoft Defender Antivirus is in active mode, it is used as the primary antivirus on the device. When running in passive mode, Microsoft Defender Antivirus is not the primary antivirus product. In this case, threats are not remediated by Microsoft Defender Antivirus in real time.
-
-> [!NOTE]
-> Microsoft Defender Antivirus can run in passive mode only when the device is onboarded to Microsoft Defender for Endpoint.
-
-For more information, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
-
-### How do I confirm Microsoft Defender Antivirus is in active or passive mode?
-
-To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.
-
-|Method|Procedure|
-|||
-|PowerShell|1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.<br/><br/>2. Type `Get-MpComputerStatus`.<br/><br/>3. In the list of results, in the **AMRunningMode** row, look for one of the following values:<br/>- `Normal`<br/>- `Passive Mode`<br/><br/>To learn more, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus).|
-|Command Prompt|<ol><li>Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results.</li><li>Type `sc query windefend`.</li><li>In the list of results, in the **STATE** row, confirm that the service is running.</li></ol>|
-
-### How do I confirm that EDR in block mode is turned on with Microsoft Defender Antivirus in passive mode?
-
-You can use PowerShell to confirm that EDR in block mode is turned on with Microsoft Defender Antivirus running in passive mode.
-
-1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.
-
-2. Type `Get-MPComputerStatus|select AMRunningMode`.
-
-3. Confirm that the result, `EDR Block Mode`, is displayed.
-
- > [!TIP]
- > If Microsoft Defender Antivirus is in active mode, you will see `Normal` instead of `EDR Block Mode`. To learn more, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus).
-
-### Is EDR in block mode supported on Windows Server 2016 and Windows Server 2012 R2?
-
-If Microsoft Defender Antivirus is running in active mode or passive mode, EDR in block mode is supported of the following versions of Windows:
--- Windows 11-- Windows 10 (all releases)-- Windows Server, version 1803 or newer-- Windows Server 2022-- Windows Server 2019-- Windows Server 2016 and Windows Server 2012 R2 (with the [new unified client solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution))-
-With the [new unified client solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution) for Windows Server 2016 and Windows Server 2012 R2, you can run EDR in block mode in either passive mode or active mode.
-
-> [!NOTE]
-> Windows Server 2016 and Windows Server 2012 R2 must be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md) for this feature to work.
-
-### How much time does it take for EDR in block mode to be disabled?
-
-If you choose to disable EDR in block mode, it can take up to 30 minutes for the system to disable this capability.
- ## See also - [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617) -- [Behavioral blocking and containment](behavioral-blocking-containment.md)
+- [Endpoint detection and response (EDR) in block mode frequently asked questions (FAQ)](edr-block-mode-faqs.yml)
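Review bot: Deleting the NOTE "Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2" (the two `-` lines after the TIP) removes the only plan-level statement about device-group targeting, while the rewritten TIP still tells admins to "target specific device groups using Intune CSPs"; keep that sentence, either as a third bullet in the TIP or under the `### Intune` heading. That heading is also empty of Intune content: the line after "### Intune" is "The following table lists requirements for EDR in block mode:", so the CSP-based procedure the TIP promises is never described. Either add the Intune steps there or give the requirements table its own heading; the TIP links to `#requirements-for-edr-in-block-mode`, so whatever heading the table ends up under should still produce that anchor. In the requirements table, the two new links to `edr-block-mode-faqs.yml` replace in-page anchors that took the reader to one specific question; if the YAML FAQ exposes question anchors, link to the question ("Confirm Microsoft Defender Antivirus is in active or passive mode") rather than to the whole file. Finally, the FAQ text being removed here carries typos that should not be copied into the new FAQ as-is: "In you get a false positive", "Microsoft Defender for Antivirus is running in passive mode", and "EDR in block mode is supported of the following versions".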
security Mac Device Control Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-faq.md
+
+ Title: macOS Device control policies frequently asked questions (FAQ)
+description: Get answers to common questions about device control policies using JAMF or Intune.
+keywords: microsoft, defender, endpoint, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media, jamf, intune, faq,
+
+ms.mktglfcycl: security
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- m365-security
+- tier3
++
+search.appverid: met150
Last updated : 03/31/2023++
+# macOS Device Control policies frequently asked questions (FAQ)
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+This article provides answers to frequently asked questions about Device Control capabilities in Microsoft Defender for Endpoint.
+
+## Questions | Answers
+
+### How do I know whether the machine is Device Control enabled, and what is the Default Enforcement?
+
+Answer: Run _mdatp device-control policy preferences list_, you will see all the iOS policies on this machine:
++
+### How do I know whether the policy has been delivered to the client machine?
+
+Answer: Run _mdatp device-control policy rules list_, you will see all the iOS policies on this machine:ΓÇ»
++
+Answer 2: Run _mdatp device-control policy groups list_, you will see all the iOS groups on this machine:ΓÇ»
++
+## See also
+
+- [Device Control for macOS](mac-device-control-overview.md)
+- [Deploy and manage Device Control using Intune](mac-device-control-intune.md)
+- [Deploy and manage Device Control using jamf](mac-device-control-jamf.md)
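Review bot: Each answer in this new FAQ ends with a colon followed by an empty line, so the output of `mdatp device-control policy preferences list`, `mdatp device-control policy rules list` and `mdatp device-control policy groups list` that the reader is told they "will see" never appears; add the sample output (or the image include the trailing colon implies) after each command. The same answers describe the result as "all the iOS policies on this machine" and "all the iOS groups on this machine", but the page is about macOS Device Control policies and groups, so "iOS" reads as a copy error and should be "device control". Smaller points: the commands are italicised with underscores rather than formatted as code; "Answer 2:" under a single question is awkward, and since the second command covers the groups half of the question, the two fit better as one numbered answer; the heading "## Questions | Answers" reads like a table header rather than a section heading ("## Frequently asked questions" would match the page title); and in the front matter "Title:" has a leading space and the keywords value ends with a trailing comma.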
security Mac Device Control Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-intune.md
Title: Examples of device control policies for Intune
-description: Learn how to use device control policies using examples that can be used with Intune.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media, intune
+ Title: Deploy and manage Device Control using Intune
+description: Learn how to deploy and manage device control policies using Intune.
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, macOS, device, control, usb, removable, media, intune
ms.mktglfcycl: security ms.sitesec: library
search.appverid: met150 Previously updated : 03/22/2021 Last updated : 03/31/2023
-# Examples of device control policies for Intune
+# Deploy and manage Device Control using Intune
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using Intune to manage devices in your enterprise.
-
-## Restrict access to all removable media
-
-The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be disallowed.
-
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1">
- <dict>
- <key>PayloadUUID</key>
- <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
- <key>PayloadType</key>
- <string>Configuration</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft Defender settings</string>
- <key>PayloadDescription</key>
- <string>Microsoft Defender configuration settings</string>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>PayloadRemovalDisallowed</key>
- <true/>
- <key>PayloadScope</key>
- <string>System</string>
- <key>PayloadContent</key>
- <array>
- <dict>
- <key>PayloadUUID</key>
- <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
- <key>PayloadType</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft Defender configuration settings</string>
- <key>PayloadDescription</key>
- <string/>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>deviceControl</key>
- <dict>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>block</string>
- <key>permission</key>
- <array>
- <string>none</string>
- </array>
- </dict>
- </dict>
- </dict>
- </array>
- </dict>
-</plist>
-```
-
-## Set all removable media to be read-only
-
-The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.
+Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage, and allows you to manage iOS and Portable device and Bluetooth media with or without exclusions.
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1">
- <dict>
- <key>PayloadUUID</key>
- <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
- <key>PayloadType</key>
- <string>Configuration</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft Defender settings</string>
- <key>PayloadDescription</key>
- <string>Microsoft Defender configuration settings</string>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>PayloadRemovalDisallowed</key>
- <true/>
- <key>PayloadScope</key>
- <string>System</string>
- <key>PayloadContent</key>
- <array>
- <dict>
- <key>PayloadUUID</key>
- <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
- <key>PayloadType</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft Defender configuration settings</string>
- <key>PayloadDescription</key>
- <string/>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>deviceControl</key>
- <dict>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>block</string>
- <key>permission</key>
- <array>
- <string>read</string>
- </array>
- </dict>
- </dict>
- </dict>
- </array>
- </dict>
-</plist>
-```
+## Licensing requirements
-## Disallow program execution from removable media
+Before you get started with Removable Storage Access Control, you must confirm yourΓÇ»[Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=3). To access and use Removable Storage Access Control, you must have Microsoft 365 E3.
-The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy.
+## Deploy policy by using Intune
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1">
- <dict>
- <key>PayloadUUID</key>
- <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
- <key>PayloadType</key>
- <string>Configuration</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft Defender settings</string>
- <key>PayloadDescription</key>
- <string>Microsoft Defender configuration settings</string>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>PayloadRemovalDisallowed</key>
- <true/>
- <key>PayloadScope</key>
- <string>System</string>
- <key>PayloadContent</key>
- <array>
- <dict>
- <key>PayloadUUID</key>
- <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
- <key>PayloadType</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft Defender configuration settings</string>
- <key>PayloadDescription</key>
- <string/>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>deviceControl</key>
- <dict>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>block</string>
- <key>permission</key>
- <array>
- <string>read</string>
- <string>write</string>
- </array>
- </dict>
- </dict>
- </dict>
- </array>
- </dict>
-</plist>
-```
+### Step 1: Build mobileconfig file
-## Restrict all devices from specific vendors
+Now, you have ΓÇÿgroupsΓÇÖ and ΓÇÿrulesΓÇÖ and ΓÇÿsettingsΓÇÖ, replace the mobileconfig file with those values and put it under the Device Control node, here is the demo file: [mdatp-devicecontrol/demo.mobileconfig at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/mobileconfig/demo.mobileconfig). Make sure validate your policy with the JSON schema to make sure your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/device_control_policy_schema.json).
-The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).
+> [!NOTE]
+> See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1">
- <dict>
- <key>PayloadUUID</key>
- <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
- <key>PayloadType</key>
- <string>Configuration</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft Defender settings</string>
- <key>PayloadDescription</key>
- <string>Microsoft Defender configuration settings</string>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>PayloadRemovalDisallowed</key>
- <true/>
- <key>PayloadScope</key>
- <string>System</string>
- <key>PayloadContent</key>
- <array>
- <dict>
- <key>PayloadUUID</key>
- <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
- <key>PayloadType</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft Defender configuration settings</string>
- <key>PayloadDescription</key>
- <string/>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>deviceControl</key>
- <dict>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>block</string>
- <key>permission</key>
- <array>
- <string>read</string>
- <string>write</string>
- <string>execute</string>
- </array>
- <key>vendors</key>
- <dict>
- <key>fff0</key>
- <dict>
- <key>permission</key>
- <array>
- <string>none</string>
- </array>
- </dict>
- <key>4525</key>
- <dict>
- <key>permission</key>
- <array>
- <string>none</string>
- </array>
- </dict>
- </dict>
- </dict>
- </dict>
- </dict>
- </array>
- </dict>
-</plist>
-```
+### Deploy the mobileconfig file using Intune
-## Restrict specific devices identified by vendor ID, product ID, and serial number
+You can deploy the mobileconfig file through [**https://endpoint.microsoft.com/**](https://endpoint.microsoft.com/) > **Devices** > **macOS**:
-The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.
+- select ΓÇÿCreate profileΓÇÖ
+- select ΓÇÿTemplatesΓÇÖ and ΓÇÿCustomΓÇÖ
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1">
- <dict>
- <key>PayloadUUID</key>
- <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
- <key>PayloadType</key>
- <string>Configuration</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft Defender settings</string>
- <key>PayloadDescription</key>
- <string>Microsoft Defender configuration settings</string>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>PayloadRemovalDisallowed</key>
- <true/>
- <key>PayloadScope</key>
- <string>System</string>
- <key>PayloadContent</key>
- <array>
- <dict>
- <key>PayloadUUID</key>
- <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
- <key>PayloadType</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.wdav</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft Defender configuration settings</string>
- <key>PayloadDescription</key>
- <string/>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>deviceControl</key>
- <dict>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>block</string>
- <key>permission</key>
- <array>
- <string>read</string>
- <string>write</string>
- <string>execute</string>
- </array>
- <key>vendors</key>
- <dict>
- <key>fff0</key>
- <dict>
- <key>permission</key>
- <array>
- <string>read</string>
- <string>write</string>
- <string>execute</string>
- </array>
- <key>products</key>
- <dict>
- <key>1000</key>
- <dict>
- <key>permission</key>
- <array>
- <string>read</string>
- <string>write</string>
- <string>execute</string>
- </array>
- <key>serialNumbers</key>
- <dict>
- <key>04ZSSMHI2O7WBVOA</key>
- <array>
- <string>none</string>
- </array>
- <key>04ZSSMHI2O7WBVOB</key>
- <array>
- <string>none</string>
- </array>
- </dict>
- </dict>
- </dict>
- </dict>
- </dict>
- </dict>
- </dict>
- </dict>
- </array>
- </dict>
-</plist>
-```
-## Related topics
+## See also
-- [Overview of device control for macOS](mac-device-control-overview.md)
+- [Device Control for macOS](mac-device-control-overview.md)
+- [Deploy and manage Device Control using jamf](mac-device-control-jamf.md)
+- [macOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md)
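Review bot: The new "Deploy the mobileconfig file using Intune" procedure stops after "select 'Templates' and 'Custom'"; the steps that actually deploy the policy (uploading the .mobileconfig file, naming the profile, and assigning it to device groups) are missing, so a reader cannot complete the deployment from this page. In the same section, "Step 1: Build mobileconfig file" opens with "Now, you have 'groups' and 'rules' and 'settings', replace the mobileconfig file with those values", but nothing earlier on this page produces those values; state up front that they come from the overview article the NOTE links to ("After you have defined groups, rules and settings as described in Device Control for macOS, ..."), fix "Make sure validate your policy" to "Make sure you validate your policy", and either number the deployment heading "Step 2" or drop "Step 1" from the first one. The quotes around 'groups', 'rules', 'settings' and the bullet text 'Create profile' render as garbled characters here; use plain ASCII quotes, or the bold UI-element convention this same commit uses elsewhere ("Choose **Settings**").

Two consistency points in the new text: the licensing sentence says "you must have Microsoft 365 E3" while the "Applies to" list above names Defender for Endpoint Plan 1 and Plan 2, so say which plans actually include the feature; and it calls the feature "Removable Storage Access Control" while the rest of the page says "Device Control". The intro sentence also needs "The" before "Microsoft Defender for Endpoint Device Control feature", and "manage iOS and Portable device and Bluetooth media" should spell out the device classes. Lastly, this diff removes all five inline policy examples (block all, read-only, no execute, per-vendor, and vendor/product/serial restriction) in favour of a link to `demo.mobileconfig` on GitHub, and the intro now promises handling "with or without exclusions" without showing one; keeping at least one inline example would keep the page self-contained.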
security Mac Device Control Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-jamf.md
Title: Examples of device control policies for JAMF
-description: Learn how to use device control policies using examples that can be used with JAMF.
+ Title: Deploy and manage device control using JAMF
+description: Learn how to use device control policies using JAMF.
keywords: microsoft, defender, endpoint, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media, jamf ms.mktglfcycl: security
search.appverid: met150 Previously updated : 03/22/2021 Last updated : 03/31/2023
-# Examples of device control policies for JAMF
+# Deploy and manage Device Control using JAMF
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-This document contains examples of device control policies that you can customize for your own organization. These examples are applicable if you are using JAMF to manage devices in your enterprise.
-
-## Restrict access to all removable media
-
-The following example restricts access to all removable media. Note the `none` permission that is applied at the top level of the policy, meaning that all file operations will be prohibited.
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>deviceControl</key>
- <dict>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>block</string>
- <key>permission</key>
- <array>
- <string>none</string>
- </array>
- </dict>
- </dict>
-</dict>
-</plist>
-```
-
-## Set all removable media to be read-only
-
-The following example configures all removable media to be read-only. Note the `read` permission that is applied at the top level of the policy, meaning that all write and execute operations will be disallowed.
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>deviceControl</key>
- <dict>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>block</string>
- <key>permission</key>
- <array>
- <string>read</string>
- </array>
- </dict>
- </dict>
-</dict>
-</plist>
-```
-
-## Disallow program execution from removable media
-
-The following example shows how program execution from removable media can be disallowed. Note the `read` and `write` permissions that are applied at the top level of the policy.
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>deviceControl</key>
- <dict>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>block</string>
- <key>permission</key>
- <array>
- <string>read</string>
- <string>write</string>
- </array>
- </dict>
- </dict>
-</dict>
-</plist>
-```
-
-## Restrict all devices from specific vendors
-
-The following example restricts all devices from specific vendors (in this case identified by `fff0` and `4525`). All other devices will be unrestricted, since the permission defined at the top level of the policy lists all possible permissions (read, write, and execute).
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>deviceControl</key>
- <dict>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>block</string>
- <key>permission</key>
- <array>
- <string>read</string>
- <string>write</string>
- <string>execute</string>
- </array>
- <key>vendors</key>
- <dict>
- <key>fff0</key>
- <dict>
- <key>permission</key>
- <array>
- <string>none</string>
- </array>
- </dict>
- <key>4525</key>
- <dict>
- <key>permission</key>
- <array>
- <string>none</string>
- </array>
- </dict>
- </dict>
- </dict>
- </dict>
-</dict>
-</plist>
-```
-
-## Restrict specific devices identified by vendor ID, product ID, and serial number
-
-The following example restricts two specific devices, identified by vendor ID `fff0`, product ID `1000`, and serial numbers `04ZSSMHI2O7WBVOA` and `04ZSSMHI2O7WBVOB`. At all other levels of the policy the permissions include all possible values (read, write, and execute), meaning that all other devices will be unrestricted.
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>deviceControl</key>
- <dict>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>block</string>
- <key>permission</key>
- <array>
- <string>read</string>
- <string>write</string>
- <string>execute</string>
- </array>
- <key>vendors</key>
- <dict>
- <key>fff0</key>
- <dict>
- <key>permission</key>
- <array>
- <string>read</string>
- <string>write</string>
- <string>execute</string>
- </array>
- <key>products</key>
- <dict>
- <key>1000</key>
- <dict>
- <key>permission</key>
- <array>
- <string>read</string>
- <string>write</string>
- <string>execute</string>
- </array>
- <key>serialNumbers</key>
- <dict>
- <key>04ZSSMHI2O7WBVOA</key>
- <array>
- <string>none</string>
- </array>
- <key>04ZSSMHI2O7WBVOB</key>
- <array>
- <string>none</string>
- </array>
- </dict>
- </dict>
- </dict>
- </dict>
- </dict>
- </dict>
- </dict>
-</dict>
-</plist>
-```
-
-## Related topics
--- [Overview of device control for macOS](mac-device-control-overview.md)
+Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage, and allows you to manage iOS and Portable device and Bluetooth media with or without exclusions.
+
+## Licensing requirements
+
+Before you get started with Removable Storage Access Control, you must confirm yourΓÇ»[Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=3). To access and use Removable Storage Access Control, you must have Microsoft 365 E3.
+
+## Deploy policy by using JAMF
+
+### Step 1: Create policy JSON
+
+Now, you have ΓÇÿgroupsΓÇÖ and ΓÇÿrulesΓÇÖ and ΓÇÿsettingsΓÇÖ, combine ΓÇÿsettingsΓÇÖ and ΓÇÿgroupsΓÇÖ and rules into one JSON, here is the demo file: [mdatp-devicecontrol/deny_removable_media_except_kingston.json at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/examples/deny_removable_media_except_kingston.json). Make sure to validate your policy with the JSON schema to make ensure your policy format is correct: [mdatp-devicecontrol/device_control_policy_schema.json at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/device_control_policy_schema.json).
+
+See [Device Control for macOS](mac-device-control-overview.md) for information about settings, rules and groups.
+
+### Step 2: Update MDE Preferences Schema
+
+The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macOS/schemE Preferences configuration profile should be updated to use the new schema fileΓÇÖs content.
++
+### Step 3: Add Device Control Policy to MDE Preferences
+
+A new ΓÇÿDevice ControlΓÇÖ property will now be available to add to the UX.
+
+1. Select the topmost **Add/Remove properties** button, then select **Device Control** and press **Apply**.
++
+2. Next, scroll down until you see the **Device Control** property (it will be the bottommost entry), and select **Add/Remove properties** directly underneath it.
+
+3. Select **Device Control Policy**, and then click **Apply**.
++
+4. To finish, copy and paste the Device Control policy JSON into the text box, and save your changes to the configuration profile.
++
+## See also
+
+- [Device Control for macOS](mac-device-control-overview.md)
+- [Deploy and manage Device Control using Intune](mac-device-control-intune.md)
+- [macOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md)
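Review bot: the "Step 2: Update MDE Preferences Schema" paragraph in the added JAMF text is broken mid-link: `The [MDE Preferences schema](https://github.com/microsoft/mdatp-xplat/blob/master/macOS/schemE Preferences configuration profile should be updated to use the new schema file's content.` has the URL cut off and the link text run together with the following sentence, so the page renders a dangling bracket with no working link and the instruction to update the MDE Preferences configuration profile is lost; complete the URL and restore the second sentence. In Step 1, "to make ensure your policy format is correct" should read "to ensure". The lone `+` lines after the Step 2 paragraph and after items 1, 3 and 4 of Step 3 read like positions where screenshots (`:::image:::` blocks) were meant to go; either add the image references or drop the empty lines so the numbered list does not break.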
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
Title: Device control for macOS description: Learn how to configure Microsoft Defender for Endpoint on Mac to reduce threats from removable storage such as USB devices.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, device, control, usb, removable, media
+keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, macOS, device, control, usb, removable, media
ms.mktglfcycl: security ms.sitesec: library
search.appverid: met150 Previously updated : 03/22/2021 Last updated : 03/31/2023
-# Device control for macOS
+# Device Control for macOS
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Last updated 03/22/2021
## Requirements
-Device control for macOS has the following prerequisites:
+Device Control for macOS has the following prerequisites:
> [!div class="checklist"] >
Device control for macOS has the following prerequisites:
> - Minimum OS version: macOS 11 or higher > - Minimum product version: 101.34.20
-## Device control policy
-
-To configure device control for macOS, you must create a policy that describes the restrictions you want to put in place within your organization.
+## Overveiw
-The device control policy is included in the configuration profile used to configure all other product settings. For more information, see [Configuration profile structure](mac-preferences.md#configuration-profile-structure).
+Microsoft Defender for Endpoint Device Control feature enables you to audit, allow, or prevent the read, write, or execute access to removable storage, and allows you to manage iOS and Portable device and Bluetooth media with or without exclusions.
-Within the configuration profile, the device control policy is defined in the following section:
+## Prepare your endpoints
-<br>
+- Microsoft Defender for Endpoint entitlement (can be trial)
+- Minimum OS version: macOS 11 or higher
+- Deploy Full Disk Access: you may already have been previously created and deployed this [https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) for other MDE features. You need to grant additional Full Disk Access permission for a new application: com.microsoft.dlp.daemon.
+- Enable Device Control on the MDE Preference setting:
-****
+ Data Loss Prevention (DLP)/Features/
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|deviceControl|
-|**Data type**|Dictionary (nested preference)|
-|**Comments**|See the following sections for a description of the dictionary contents.|
-|
+ For **Feature Name**, enter "DC_in_dlp"
-The device control policy can be used to:
+ For **State**, enter "enabled"
-- [Customize the URL target for notifications raised by device control](#customize-url-target-for-notifications-raised-by-device-control)-- [Allow or block removable devices](#allow-or-block-removable-devices)
+Example 1: JAMF using [schema.json](https://github.com/microsoft/mdatp-xplat/tree/master/macos/schema)
-### Customize URL target for notifications raised by device control
-When the device control policy that you have put in place is enforced on a device (for example, access to a removable media device is restricted), a notification is displayed to the user.
+Example 2: [demo.mobileconfig](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples/macos/mobileconfig)
+```json
+ <key>dlp</key>
+ <dict>
+ <key>features</key>
+ <array>
+ <dict>
+ <key>name</key>
+ <string>DC_in_dlp</string>
+ <key>state</key>
+ <string>enabled</string>
+ </dict>
+ </array>
+ </dict>
+```
-When end users click this notification, a web page is opened in the default browser. You can configure the URL that is opened when end users click the notification.
+- Minimum product version: 101.91.92 or higher
+ - Run _mdatp version_ through Terminal, you will see product version on your client machine:
-<br>
-****
+## Device Control for macOS properties
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|navigationTarget|
-|**Data type**|String|
-|**Comments**|If not defined, the product uses a default URL pointing to a generic page explaining the action taken by the product.|
-|
+The Device Control for macOS includes global setting, group creation and access policy rule creation:
-### Allow or block removable devices
+- Global setting called ΓÇÿsettingsΓÇÖ allows you to define the global environment.
+- Group called ΓÇÿgroupsΓÇÖ allows you to create media groups. For example, authorized USB group or encrypted USB group.
+- Access policy rule called ΓÇÿrulesΓÇÖ allows you to create policy to restrict each group. For example, only allow authorized user to Write access-authorized USB group.
-The removable media section of the device control policy is used to restrict access to removable media.
+Here are the properties you can use when you create the group and policy.
> [!NOTE]
-> The following types of removable media are currently supported and can be included in the policy: USB storage devices.
-
-<br>
-
-****
-
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|removableMediaPolicy|
-|**Data type**|Dictionary (nested preference)|
-|**Comments**|See the following sections for a description of the dictionary contents.|
-|
-
-This section of the policy is hierarchical, allowing for maximum flexibility and covering a wide range of use cases. At the top level are vendors, identified by a vendor ID. For each vendor, there are products, identified by a product ID. Finally, for each product there are serial numbers denoting specific devices.
-
-```text
-|-- policy top level
- |-- vendor 1
- |-- product 1
- |-- serial number 1
- ...
- |-- serial number N
- ...
- |-- product N
- ...
- |-- vendor N
-```
+> We recommend you use the examples on the GitHub to understand the properties: [mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy). You can also use the scripts at [mdatp-devicecontrol/Removable Storage Access Control Samples/macOS/policy/scripts at main ┬╖ microsoft/mdatp-devicecontrol (github.com)](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples/macOS/policy/scripts) to translate Windows Device Control policy to macOS Device Control policy or translate macOS Device Control V1 policy to this V2 policy.
-For information on how to find the device identifiers, see [Look up device identifiers](#look-up-device-identifiers).
+### Settings
-The policy is evaluated from the most specific entry to the most general one. Meaning, when a device is plugged in, the product tries to find the most specific match in the policy for each removable media device and apply the permissions at that level. If there is no match, then the next best match is applied, all the way to the permission specified at the top level, which is the default when a device does not match any other entry in the policy.
+| Property name | Description | Options |
+|:|:|:|
+| features | Feature specific configurations | You can set ΓÇÿdisableΓÇÖ false/true for following features: <br> <ul><li>removableMedia</li><li>appleDevice</li><li>portableDevice, including camera or PTP media</li><li>bluetoothDevice</li></ul> <br> Default is true, so if you do not configure this value, even you create custom policy for removableMedia, system will not apply because it is disabled by default. |
+| global | Set default enforcement | You can set **defaultEnforcement**: <br> <ul><li>allow: _default_</li><li>deny</li></ul> |
+| ux | You can set hyperlink on notification. | navigationTarget: string, for example, "http://www.microsoft.com". |
-#### Policy enforcement level
+### Group
+
+| Property name | Description | Options |
+|:|:|:|
+| $type | The kind of group | ΓÇ£deviceΓÇ¥ |
+| id | GUID, a unique ID, represents the group and will be used in the policy. | You can generate ID through [New-Guid (Microsoft.PowerShell.Utility) - PowerShell](/powershell/module/microsoft.powershell.utility/new-guid?view=powershell-7.2&preserve-view=true) or the uuidgen command on macOS |
+| name | Friendly name for the group. | string |
+| query | The media coverage under this group | See the **query** properties tables below for details. |
+
+### Query
+
+Device Control supports two kinds of queries:
-Under the removable media section, there is an option to set the enforcement level, which can take one of the following values:
+Query type 1 is as follows:
-- `audit` - Under this enforcement level, if access to a device is restricted, a notification is displayed to the user, however the device can still be used. This enforcement level can be useful to evaluate the effectiveness of a policy.-- `block` - Under this enforcement level, the operations that the user can perform on the device are limited to what is defined in the policy. Furthermore, a notification is raised to the user.
+| Property name | Description | Options |
+|:|:|:|
+| $type | Identify the logical operation to perform on the clauses | **all**: Any attributes under the **clauses** will be an _And_ relationship. For example, if the administrator puts `vendorId` and `serialNumber`, for every connected USB, the system will check to see whether the USB meets both values.<br> **and**: is equivalent to _all_ <br> **any:** The attributes under the **clauses** will be _Or_ relationship. For example, if administrator puts `vendorId` and `serialNumber`, for every connected USB, system will do the enforcement as long as the USB has either an identical `vendorId` or `serialNumber` value. <br> **or**: is equivalent to _any_ |
+| clauses | Use media device property to set group condition. | An array of clause objects which are evaluated to determine group membership. See the [Clause](#clause) section below. |
-> [!NOTE]
-> By default, the enforcement level is set to `audit`.
+Query type 2 is as follows:
-<br>
+| Property name | Description | Options |
+|:|:|:|
+| $type | Identify the logical operation to perform on the subquery | not: logical negation of a query |
+| query | A subquery | **A query which will be negated.** |
-****
+### Clause
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|enforcementLevel|
-|**Data type**|String|
-|**Possible values**|audit (default) <p> block|
-|
+#### Clause properties
-#### Default permission level
+| Property name | Description | Options |
+|:|:|:|
+| $type | The type of clause | See the following table for supported clauses. |
+| value | $type specific value to use | |
-At the top level of the removable media section, you can configure the default permission level for devices that do not match anything else in the policy.
+#### Supported clauses
-This setting can be set to:
+| clause $type | value | Description |
+|:|:|:|
+| primaryId | One of: <br>- apple_devices <br>-removable_media_devices <br>- portable_devices <br>- bluetooth_devices | |
+| vendorId | 4 digit hexadecimal string | Matches a deviceΓÇÖs vendor ID |
+| productId | 4 digit hexadecimal string | Matches a deviceΓÇÖs product ID |
+| serialNumber | string | Matches a deviceΓÇÖs serial number. Will not match if device does not have a serial number. |
+| groupId | UUID string | Match if a device is a member of another group. ΓÇÿvalueΓÇÖ represents the UUID of the group to match against. <br> Note: The group must be defined within the policy prior to the clause. |
-- `none` - No operations can be performed on the device-- A combination of the following values:
- - `read` - Read operations are permitted on the device
- - `write` - Write operations are permitted on the device
- - `execute` - Execute operations are permitted on the device
+### Access policy rule
-> [!NOTE]
-> If `none` is present in the permission level, any other permissions (`read`, `write`, or `execute`) will be ignored.
->
-> The `execute` permission only refers to execution of Mach-O binaries. It does not include execution of scripts or other types of payloads.
+| Property name | Description | Options |
+|:|:|:|
+| id | GUID, a unique ID, represents the rule and will be used in the policy. | New-Guid (Microsoft.PowerShell.Utility) - PowerShell <br> uuidgen |
+| name | String, the name of the policy and will display on the toast based on the policy setting. | |
+| includeGroups | The group(s) that the policy will be applied to. If multiple groups are specified, the policy will be applied to any media in all those groups. If not specified, the rule will be applied to all devices. | The **id** value inside the group must be used at this instance. If there are multiple groups in the `includeGroups`, it will be _AND_. <br> `"includeGroups": ["3f082cd3-f701-4c21-9a6a-ed115c28e217"]` |
+| excludeGroups | The group(s) that the policy will not be applied to. | The **id** value inside the group must be used at this instance. If there are multiple groups in the excludeGroups, it will be _OR_. |
+| entries | One rule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.| See entry properties table below to get details. |
-<br>
+The following table lists the properties you can use in entry:
-****
+| Property name | Description | Options |
+|:|:|:|
+| $type | | Includes: <br> <ul><li>removableMedia</li><li>appleDevice</li><li>PortableDevice</li><li>bluetoothDevice</li><li>generic</li></ul> |
+| enforcement | | <ul><li>$type:</li><ul><li>allow</li><li>deny</li><li>auditAllow</li><li>auditDeny</li></ul></ul><br> **When $type allow is selected, options value supports:** <br> <ul><li>`disable_audit_allow`: Even if **Allow** happens and the **auditAllow** is setting configured, the system won't send event.</li></ul> <br> **When $type deny is selected, options value supports:** <br> <ul><li>`disable_audit_deny`: Even if **Block** happens and the **auditDeny** is setting configured, the system won't show notification or send event.</li></ul><br> **When $type auditAllow is selected, options value supports:** <br> <ul><li>send_event</li></ul> <br> **When $type auditDeny is selected, options value supports: <br> <ul><li>send_event</li><li>show_notification</li></ul> |
+| access| |Specify one or more access rights for this rule. These may include either device specific granular permissions, or broader generic permissions. See table below for more details on the valid access types for a given entry $type. |
+| id| UUID| |
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|permission|
-|**Data type**|Array of strings|
-|**Possible values**|none <p> read <p> write <p> execute|
-|
+The following table lists the properties you can use in entry:
-#### Restrict removable media by vendor, product, and serial number
+### Enforcement
-As described in [Allow or block removable devices](#allow-or-block-removable-devices), removable media such as USB devices can be identified by the vendor ID, product ID, and serial number.
+#### Enforcement property name
-At the top level of the removable media policy, you can optionally define more granular restrictions at the vendor level.
+| Property name | Description | Options |
+|:|:|:|
+| $type | The type of enforcement | See table below for supported enforcements |
+| options | $type specific value to use | An array of options for the entry. May be omitted if not options are desired. |
-The `vendors` dictionary contains one or more entries, with each entry being identified by the vendor ID.
+#### Enforcement type
-<br>
+| Property name | Description | Options |
+|:|:|:|
+|Enforcement $type | ΓÇÿoptionsΓÇÖ values [string] | Description |
+| allow | disable_audit_allow | Even if **Allow** happens and the **auditAllow** is setting configured, the system won't send event. |
+| deny | disable_audit_deny | Even if **Block** happens and the auditDeny is setting configured, the system won't show notification or send event. |
+| auditAllow | send_event | Send telemetry |
+| auditDeny | <ol><li>send_event</li><li>show_notification/li></ol> | <ol><li>Send telemetry</li><li>Display Block UX to user/li></ol> |
-****
+### Access types
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|vendors|
-|**Data type**|Dictionary (nested preference)|
-|
+|entry $type | ΓÇÿaccessΓÇÖ values [string] | Generic Access | Description |
+|:|:|:|:|
+| **appleDevice** | backup_device | generic_read | |
+| appleDevice | update_device | generic_write | |
+| appleDevice | download_photos_from_device | generic_read | download photo(s) from the specific iOS device to local machine |
+| appleDevice | download_files_from_device | generic_read | download file(s) from the specific iOS device to local machine |
+| appleDevice | sync_content_to_device | generic_write | sync content from local machine to specific iOS device |
+| **portableDevice**| download_files_from_device | generic_read | |
+| portableDevice | send_files_to_device | generic_write | |
+| portableDevice | download_photos_from_device | generic_read | |
+| portableDevice | debug | generic_execute | ADB tool control |
+| ***removableMedia**| read | generic_read | |
+| removableMedia | write | generic_write | |
+| removableMedia | execute | generic_execute | generic_read |
+| **bluetoothDevice** | download_files_from_device | | |
+| bluetoothDevice | send_files_to_device | generic_write | |
+| **generic** | generic_read | | Equivalent to setting all access values denoted in this table that map to generic_read. |
+| generic | generic_write | | Equivalent to setting all access values denoted in this table that map to generic_write. |
+| generic | generic_execute | | Equivalent to setting all access values denoted in this table that map to generic_execute. |
-For each vendor, you can specify the desired permission level for devices from that vendor.
+## Enduser experience
-<br>
+Once Deny happens and the notification is enabled in the policy, the end user will see a dialog:
-****
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|permission|
-|**Data type**|Array of strings|
-|**Possible values**|Same as [Default permission level](#default-permission-level)|
-|
-
-Furthermore, you can optionally specify the set of products belonging to that vendor for which more granular permissions are defined. The `products` dictionary contains one or more entries, with each entry being identified by the product ID.
-
-<br>
-
-****
-
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|products|
-|**Data type**|Dictionary (nested preference)|
-|
-
-For each product, you can specify the desired permission level for that product.
-
-<br>
-
-****
-
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|permission|
-|**Data type**|Array of strings|
-|**Possible values**|Same as [Default permission level](#default-permission-level)|
-|
-
-Furthermore, you can specify an optional set of serial numbers for which more granular permissions are defined.
-
-The `serialNumbers` dictionary contains one or more entries, with each entry being identified by the serial number.
-
-<br>
-
-****
-
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|serialNumbers|
-|**Data type**|Dictionary (nested preference)|
-|
-
-For each serial number, you can specify the desired permission level.
-
-<br>
-
-****
-
-|Section|Value|
-|||
-|**Domain**|`com.microsoft.wdav`|
-|**Key**|permission|
-|**Data type**|Array of strings|
-|**Possible values**|Same as [Default permission level](#default-permission-level)|
-|
-
-#### Example device control policy
-
-The following example shows how all of the above concepts can be combined into a device control policy. In the following example, note the hierarchical nature of the removable media policy.
-
-```xml
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
- <key>deviceControl</key>
- <dict>
- <key>navigationTarget</key>
- <string>[custom URL for notifications]</string>
- <key>removableMediaPolicy</key>
- <dict>
- <key>enforcementLevel</key>
- <string>[enforcement level]</string> <!-- audit / block -->
- <key>permission</key>
- <array>
- <string>[permission]</string> <!-- none / read / write / execute -->
- <!-- other permissions -->
- </array>
- <key>vendors</key>
- <dict>
- <key>[vendor id]</key>
- <dict>
- <key>permission</key>
- <array>
- <string>[permission]</string> <!-- none / read / write / execute -->
- <!-- other permissions -->
- </array>
- <key>products</key>
- <dict>
- <key>[product id]</key>
- <dict>
- <key>permission</key>
- <array>
- <string>[permission]</string> <!-- none / read / write / execute -->
- <!-- other permissions -->
- </array>
- <key>serialNumbers</key>
- <dict>
- <key>[serial-number]</key>
- <array>
- <string>[permission]</string> <!-- none / read / write / execute -->
- <!-- other permissions -->
- </array>
- <!-- other serial numbers -->
- </dict>
- </dict>
- <!-- other products -->
- </dict>
- </dict>
- <!-- other vendors -->
- </dict>
- </dict>
- </dict>
-</dict>
-</plist>
-```
+## Reporting
+
+You will be able to see the policy event on Advanced hunting and Device Control report. For more details, see [Protect your organization's data with Device Control](device-control-report.md).
+
+## Scenarios
-We have included more examples of device control policies in the following documents:
+Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint and Microsoft Defender for Endpoint Device Control.
-- [Examples of device control policies for Intune](mac-device-control-intune.md)-- [Examples of device control policies for JAMF](mac-device-control-jamf.md)
+### Scenario 1: Deny any removable media but allow specific USBs
-#### Look up device identifiers
+In this scenario, you need to create two groups: one group for any removable medias, and another group for approved USBs group. You also need to create an access policy rule.
-To find the vendor ID, product ID, and serial number of a USB device:
+#### Step 1: Settings: enable Device Control and set Default Enforcement
-1. Log into a Mac device.
-1. Plug in the USB device for which you want to look up the identifiers.
-1. In the top-level menu of macOS, select **About This Mac**.
+```json
+ "settings": {
- :::image type="content" source="images/mac-device-control-lookup-1.png" alt-text="The About this Mac page" lightbox="images/mac-device-control-lookup-1.png":::
+ "features": {
-1. Select **System Report**.
+ "removableMedia": {
- :::image type="content" source="images/mac-device-control-lookup-2.png" alt-text="The system report" lightbox="images/mac-device-control-lookup-2.png":::
+ "disable": false
-1. From the left column, select **USB**.
+ }
- :::image type="content" source="images/mac-device-control-lookup-3.png" alt-text="The view of all the USB devices" lightbox="images/mac-device-control-lookup-3.png":::
-
+ },
-1. Under **USB Device Tree**, navigate to the USB device that you plugged in.
+ "global": {
- :::image type="content" source="images/mac-device-control-lookup-4.png" alt-text="The details of a USB device" lightbox="images/mac-device-control-lookup-4.png":::
+ "defaultEnforcement": "allow"
-1. The vendor ID, product ID, and serial number are displayed. When adding the vendor ID and product ID to the removable media policy, you must only add the part after `0x`. For example, in the below image, vendor ID is `1000` and product ID is `090c`.
+ },
-#### Discover USB devices in your organization
+ "ux": {
-You can view mount, unmount, and volume change events originating from USB devices in Microsoft Defender for Endpoint advanced hunting. These events can be helpful to identify suspicious usage activity or perform internal investigations.
+ "navigationTarget": "http://www.deskhelp.com"
-```bash
-DeviceEvents
- | where ActionType == "UsbDriveMounted" or ActionType == "UsbDriveUnmounted" or ActionType == "UsbDriveDriveLetterChanged"
- | where DeviceId == "<device ID>"
+ }
+
+ }
```
-## Device control policy deployment
+#### Step 2: Groups: Create any removable media group and approved-USBs group
-The device control policy must be included next to the other product settings, as described in [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md).
+-1. Create a group to cover any removable media devices
+-1. Create a group for approved USBs
+-1. Combine those groups into one ΓÇÿgroupsΓÇÖ
-This profile can be deployed using the instructions listed in [Configuration profile deployment](mac-preferences.md#configuration-profile-deployment).
+```json
+"groups": [
-## Troubleshooting tips
+ {
-After pushing the configuration profile through Intune or JAMF, you can check if it was successfully picked up by the product by running the following command from the Terminal:
+ "type": "device",
-```bash
-mdatp device-control removable-media policy list
-```
+ "id": "3f082cd3-f701-4c21-9a6a-ed115c28e211",
+
+ "name": "All Removable Media Devices",
+
+ "query": {
+
+ "$type": "all",
+
+ "clauses": [
+
+ {
-This command will print to standard output the device control policy that the product is using. In case this prints `Policy is empty`, make sure that (a) the configuration profile has indeed been pushed to your device from the management console, and (b) it is a valid device control policy, as described in this document.
+ "$type": "primaryId",
-On a device where the policy has been delivered successfully and where there are one or more devices plugged in, you can run the following command to list all devices and the effective permissions applied to them.
+ "value": "removable_media_devices"
-```bash
-mdatp device-control removable-media devices list
+ }
+
+ ]
+
+ }
+
+ },
+
+ {
+
+ "type": "device",
+
+ "id": "3f082cd3-f701-4c21-9a6a-ed115c28e212",
+
+ "name": "Kingston Devices",
+
+ "query": {
+
+ "$type": "all",
+
+ "clauses": [
+
+ {
+
+ "$type": "vendorId",
+
+ "value": "0951"
+
+ }
+
+ ]
+
+ }
+
+ }
+
+ ]
```
-Example of output:
+#### Step 3: Rules: Create Deny policy for unallowed USBs
+
+Create access policy rule and put into ΓÇÿrulesΓÇÖ:
+
+```json
+ "rules": [
+
+ {
+
+ "id": "772cef80-229f-48b4-bd17-a69130092981",
+
+ "name": "Deny RWX to all Removable Media Devices except Kingston",
+
+ "includeGroups": [
+
+ "3f082cd3-f701-4c21-9a6a-ed115c28e211"
+
+ ],
+
+ "excludeGroups": [
+
+ "3f082cd3-f701-4c21-9a6a-ed115c28e212"
+
+ ],
+
+ "entries": [
+
+ {
+
+ "$type": "removableMedia",
+
+ "id": "A7CEE2F8-CE34-4B34-9CFE-4133F0361035",
+
+ "enforcement": {
+
+ "$type": "deny"
+
+ },
+
+ "access": [
+
+ "read",
+
+ "write",
+
+ "execute"
+
+ ]
+
+ },
+
+ {
+
+ "$type": "removableMedia",
+
+ "id": "18BA3DD5-4C9A-458B-A756-F1499FE94FB4",
+
+ "enforcement": {
+
+ "$type": "auditDeny",
+
+ "options": [
+
+ "send_event",
+
+ "show_notification"
+
+ ]
+
+ },
+
+ "access": [
+
+ "read",
+
+ "write",
+
+ "execute"
+
+ ]
+
+ }
+
+ ]
+
+ }
-```Output
-.Device(s)
-|-o Name: Untitled 1, Permission ["read", "execute"]
-| |-o Vendor: General "fff0"
-| |-o Product: USB Flash Disk "1000"
-| |-o Serial number: "04ZSSMHI2O7WBVOA"
-| |-o Mount point: "/Volumes/TESTUSB"
+ ]
```
-In the above example, there is only one removable media device plugged in and it has `read` and `execute` permissions, according to the device control policy that was delivered to the device.
+In this case, only have one access rule policy, but if you have multiple, make sure add all into ΓÇÿrulesΓÇÖ.
-## Related topics
+## See also
-- [Examples of device control policies for Intune](mac-device-control-intune.md)-- [Examples of device control policies for JAMF](mac-device-control-jamf.md)
+- [Deploy Device Control by using Intune](mac-device-control-intune.md)
+- [Deploy Device Control by using JAMF](mac-device-control-jamf.md)
+- [MacOS Device Control frequently asked questions (FAQ)](mac-device-control-faq.md)
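Review bot: the Step 2 and Step 3 snippets are bare `"groups": [ ... ]` and `"rules": [ ... ]` fragments, and the stray `+ }` / `+ }` lines at the top of the hunk close an object the reader never sees, so nothing in this hunk shows the enclosing policy document those two keys belong to; show the complete outer object once, or state under Step 3 which key wraps `groups` and `rules`, otherwise readers will paste fragments that do not parse. The Step 2 steps are added as lines beginning `-1.`, which will not render as an ordered list; drop the leading hyphen. The quotes in `Combine those groups into one ΓÇÿgroupsΓÇÖ` and `put into ΓÇÿrulesΓÇÖ` are mis-encoded curly quotes; use backticks around the key names. The rule in Step 3 exempts devices matched by `"$type": "vendorId"`, `"value": "0951"`, so every device from that vendor escapes the deny, not only approved sticks; the text should say this is a vendor-wide exemption so that "approved-USBs group" is not read as per-device approval. The closing sentence "In this case, only have one access rule policy, but if you have multiple, make sure add all into rules" should read "This example has a single access rule; if you have several, add each of them to `rules`." Finally, the removed Troubleshooting section (`mdatp device-control removable-media policy list` and `mdatp device-control removable-media devices list`) was the only verification step shown; if that content moved to the FAQ page linked under See also, say so here, otherwise keep a pointer so admins can confirm the policy was actually applied.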
security Manage Outdated Endpoints Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus.md
The process for enabling this feature is:
This feature can be enabled for both full and quick scans. > [!TIP]
-> We recommend using quick scans for most situations. To learn more, see [Quick scan, full scan, and custom scan](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan).
+> We recommend using quick scans for most situations. To learn more, see [Quick scan, full scan, and custom scan](schedule-antivirus-scans.md#comparing-the-quick-scan-full-scan-and-custom-scan).
You can use one of several methods to set up catch-up scans:
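Review bot: the new anchor `#comparing-the-quick-scan-full-scan-and-custom-scan` resolves only against the heading `## Comparing the quick scan, full scan, and custom scan` that is introduced in schedule-antivirus-scans.md further down this change set; land the heading rename in the same PR or before this link update, or the tip link breaks in between.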
security Microsoft Defender Antivirus Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md
For more information, see [Manage the sources for Microsoft Defender Antivirus p
> - To learn more about the gradual rollout process, and to see more information about the next release, see [Manage the gradual rollout process for Microsoft Defender updates](manage-gradual-rollout.md). > - To learn more about security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates). > - If you're looking for a list of Microsoft Defender processes, **[download the mde-urls workbook](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaef).
+> - Platform updates can be temporarily postponed if other protection features (such as [Endpoint DLP](../../compliance/endpoint-dlp-getting-started.md) or [Device Control](device-control-report.md)) are actively monitoring running processes. Platform updates will be retried after a reboot or when all monitored services are stopped.
## Monthly platform and engine versions
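Review bot: the added bullet says platform updates "will be retried after a reboot or when all monitored services are stopped" without telling an admin how to recognise that an update was postponed, or which services are meant; add the signal readers should check to confirm the platform version after a postponement, and either name the services that Endpoint DLP and Device Control monitor or rephrase as "when those features stop monitoring running processes". Drive-by on the untouched context line above: the `**[download the mde-urls workbook](...)` link is missing its closing parenthesis and bold marker.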
security Printer Protection Frequently Asked Questions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection-frequently-asked-questions.md
DeviceFileEvents
:::image type="content" source="media/details.png" alt-text="This is details screenshot." lightbox="media/details.png":::
-## How do I find Sid or ComputerSid for Azure AD group?
+## How do I find Sid for Azure AD group?
-Different from AD group, the Sid or ComputerSid is using Object ID for Azure AD group. You can find the Object ID from Azure portal.
+Different from AD group, the Sid is using Object ID for Azure AD group. You can find the Object ID from Azure portal.
:::image type="content" source="media/device-control-user-group.png" alt-text="This is device control user group screenshot." lightbox="media/device-control-user-group.png"::: +
+
+## Why do I see duplicate events from RemovableStoragePolicyTriggered and PrintJobBlocked?
+
+PrintJobBlocked is designed for [Printer Protection V1](printer-protection.md). Because the new Printer Protection solution is built based on the V1 solution, the system will still use PrintJobBlocked. If you are using the [new Printer Protection](printer-protection-overview.md), RemovableStoragePolicyTriggered is used to track the event.
+
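Review bot: "Different from AD group, the Sid is using Object ID for Azure AD group" is hard to parse; suggest "For an Azure AD group, use the group's Object ID where the policy expects a Sid. You can find the Object ID in the Azure portal." For the new duplicate-events FAQ, say which of the two events (RemovableStoragePolicyTriggered or PrintJobBlocked) a hunting query or report should key on so that one blocked print job is not counted twice, and whether PrintJobBlocked will stop being emitted for the new Printer Protection solution.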
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
search.appverid: met150
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. When you run a scan, you can choose from among three types: Quick scan, full scan, and custom scan. In most cases, use a quick scan. A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-Combined with always-on, real-time protection, which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware. In most cases, a quick scan is sufficient and is the recommended option for scheduled or on-demand scans. [Learn more about scan types](schedule-antivirus-scans.md#quick-scan-full-scan-and-custom-scan).
+Combined with always-on, real-time protection, which reviews files when they are opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware. In most cases, a quick scan is sufficient and is the recommended option for scheduled or on-demand scans. [Learn more about scan types](schedule-antivirus-scans.md#comparing-the-quick-scan-full-scan-and-custom-scan).
> [!IMPORTANT] > Microsoft Defender Antivirus runs in the context of the [LocalSystem](/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
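Review bot: the link update has the same dependency on the schedule-antivirus-scans.md heading rename as the one in manage-outdated-endpoints. While this file is open, the IMPORTANT note's last sentence, "Ensure that the device has permissions to the access network share", should read "to access the network share".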
security Schedule Antivirus Scans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans.md
ms.localizationpriority: medium
Previously updated : 11/21/2022 Last updated : 03/31/2023
search.appverid: met150
**Platforms** - Windows
-In addition to always-on, real-time protection and [on-demand antivirus](run-scan-microsoft-defender-antivirus.md) scans, you can set up regular, scheduled antivirus scans. You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or when an endpoint isn't being used. You can also set up special scans to complete remediation actions if needed.
+You can set up regular, scheduled antivirus scans on devices. These scheduled scans are in addition to always-on, real-time protection and [on-demand antivirus](run-scan-microsoft-defender-antivirus.md) scans. When you schedule a scan, you can specify the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or when a device isn't being used. You can also set up special scans to complete remediation actions if needed.
-## What do you want to do?
+- [Compare the quick scan, full scan, and custom scan](#comparing-the-quick-scan-full-scan-and-custom-scan)
+- [Choose a scan type](#how-to-choose-a-scan-type)
+- [Keep these important points](#important-points-to-keep-in-mind)
+- [Try the scheduled quick scan performance optimization](#scheduled-quick-scan-performance-optimization)
+- [Additional resources](#see-also)
-- [Learn about quick scans, full scans, and custom scans](#quick-scan-full-scan-and-custom-scan)-- [Use Group Policy to schedule antivirus scans](schedule-antivirus-scans-group-policy.md)-- [Use Windows PowerShell to Schedule antivirus scans](schedule-antivirus-scans-powershell.md)-- [Use Windows Management Instrumentation to schedule antivirus scans](schedule-antivirus-scans-wmi.md)
+## Comparing the quick scan, full scan, and custom scan
-## Keep the following points in mind
--- By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.--- If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.--- Scheduled scans run according to the local time zone of the device.-
-## Quick scan, full scan, and custom scan
-
-When you set up scheduled scans, you can specify whether the scan should be a full or quick scan. In most cases, a quick scan is recommended; however, we also recommend that you run at least one full scan after installing or enabling Defender Antivirus. This scan provides an opportunity to find existing threats and helps populate the cache for future scans.
+The following table describes the different types of scans you can configure.
| Scan type | Description | |:|:|
-| Quick scan | (Recommended) A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. <br/><br/>Combined with always-on, real-time protection, which reviews files when they're opened and closed, and whenever a user navigates to a folder, a quick scan helps provide strong protection against malware that starts with the system and kernel-level malware.<br/><br/>In most cases, a quick scan is sufficient and is the recommended option for scheduled scans. |
-| Full scan | A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so).<br/><br/>A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.<br/><br/>When a full scan begins it uses the security intelligence definitions installed at the time the scan starts. If new security intelligence updates are made available during the full scan, another full scan is required in order to scan for new threat detections contained in the latest update.<br/><br/>Because of the time and resources involved in a full scan, in general, we do not recommend scheduling full scans.|
+| Quick scan <br/>(*recommended*) | A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. <br/><br/>A quick scan helps provide strong protection against malware that starts with the system and kernel-level malware, together with [always-on real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), which reviews files when they're opened and closed, and whenever a user navigates to a folder.<br/><br/>In most cases, a quick scan is sufficient and is the recommended option for scheduled scans. |
+| Full scan | A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so).<br/><br/>A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.<br/><br/>When a full scan begins, it uses the security intelligence definitions installed at the time the scan starts. If new security intelligence updates are made available during the full scan, another full scan is required in order to scan for new threat detections contained in the latest update.<br/><br/>Because of the time and resources involved in a full scan, in general, we don't recommend scheduling full scans.|
| Custom scan | A custom scan runs on files and folders that you specify. For example, you can choose to scan a USB drive or a specific folder on your device's local drive.| > [!NOTE] > By default, quick scans run on mounted removable devices, such as USB drives.
-## How do I know which scan type to choose?
+## How to choose a scan type
Use the following table to choose a scan type. |Scenario|Recommended scan type| |||
-|You want to set up regular, scheduled scans|Quick scan <p> A quick scan checks the processes, memory, profiles, and certain locations on the device. Combined with [always-on real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they're opened and closed, and whenever a user navigates to a folder.|
-|Threats, such as malware, are detected on an individual device|Quick scan <p> In most cases, a quick scan will catch and clean up detected malware.|
+|You want to set up regular, scheduled scans|Quick scan <br/><br/> A quick scan checks the processes, memory, profiles, and certain locations on the device. Together with [always-on real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they're opened and closed, and whenever a user navigates to a folder.|
+|Threats, such as malware, are detected on an individual device|Quick scan <br/><br/> In most cases, a quick scan will catch and clean up detected malware.|
|You want to run an [on-demand scan](run-scan-microsoft-defender-antivirus.md)|Quick scan|
-|You want to make sure a portable device, such as a USB drive, doesn't contain malware|Custom scan <p> A custom scan enables you to select specific locations, folders, or files, and runs a quick scan.|
-| You have just installed or re-enabled Microsoft Defender Antivirus | Full scan <p>Running a full scan after you've just enabled or installed Microsoft Defender Antivirus helps populate the cache for future scans. The full scan can also help detect existing threats on the device. |
+|You want to make sure a portable device, such as a USB drive, doesn't contain malware|Custom scan <br/><br/> A custom scan enables you to select specific locations, folders, or files, and runs a quick scan.|
+| You have installed or re-enabled Microsoft Defender Antivirus | Quick scan or full scan <br/><br/>A quick scan checks the processes, memory, profiles, and certain locations on the device. If you prefer, you can choose to run a full scan after you have enabled or installed Microsoft Defender Antivirus. Just keep in mind it can take a while to run a full scan. |
-## What else do I need to know about quick and full scans?
+## Important points to keep in mind
-- Malicious files can be stored in locations that aren't included in a quick scan. However, always-on real-time protection reviews all files that are opened and closed, and any files that are in folders that are accessed by a user. The combination of real-time protection and a quick scan helps provide strong protection against malware.
+- By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
+
+- If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan stops with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus runs a full scan at the next scheduled time.
+
+- Scheduled scans run according to the local time zone of the device.
+
+- Malicious files can be stored in locations that aren't included in a quick scan. However, [always-on, real-time protection](configure-protection-features-microsoft-defender-antivirus.md) reviews all files that are opened & closed, and any files that are in folders that are accessed by a user. The combination of real-time protection and a quick scan helps provide strong protection against malware.
- On-access protection with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) helps ensure that all the files accessed on the system are being scanned with the latest security intelligence and cloud machine learning models. - When real-time protection detects malware and the extent of the affected files isn't determined initially, Microsoft Defender Antivirus initiates a full scan as part of the remediation process. -- A full scan can detect malicious files that weren't detected by other scans, such as a quick scan. However, a full scan can take a while and use valuable system resources to complete.- - If a device is offline for an extended period of time, a full scan can take longer to complete.
-## Scheduled Quick Scan Performance Optimization
+## Scheduled quick scan performance optimization
-As a performance optimization, Microsoft Defender Antivirus will skip running scheduled quick scans in some situations. This optimization only applies to a quick scan when initiated by a schedule ΓÇô it doesn't affect a quick scan initiated by an [on-demand antivirus](run-scan-microsoft-defender-antivirus.md) scan. This optimization reduces performance degradation by avoiding running a quick scan when it isn't necessary and won't affect protection.
+As a performance optimization, Microsoft Defender Antivirus skips running scheduled quick scans in some situations. This optimization only applies to a quick scan when initiated by a schedule ΓÇô it doesn't affect a quick scan initiated by an [on-demand antivirus](run-scan-microsoft-defender-antivirus.md) scan. This optimization reduces performance degradation by avoiding running a quick scan when it isn't necessary and won't affect protection.
-By default, if a qualified quick scan was run within the last seven days, a new quick scan won't be initiated. A quick scan is considered qualified if it occurs after the last [Security Intelligence Update](microsoft-defender-antivirus-updates.md) was installed, Real-Time Protection was not disabled during that period, and if the machine was rebooted.
+By default, if a qualified quick scan ran within the last seven days, a new quick scan won't be initiated. A quick scan is considered to be *qualified* if:
-This optimization doesn't apply to the following conditions:
+- The scan occurs after the last [Security Intelligence Update](microsoft-defender-antivirus-updates.md) was installed;
+- [Real-time protection](configure-protection-features-microsoft-defender-antivirus.md) wasn't disabled during that time period; and,
+- The machine was rebooted.
-- If Microsoft Defender for Endpoint is [Managed](configuration-management-reference-microsoft-defender-antivirus.md)
+This optimization *doesn't* apply to the following conditions:
+- If Microsoft Defender for Endpoint is [Managed](configuration-management-reference-microsoft-defender-antivirus.md)
- If Microsoft Defender [Endpoint Detection and Response (EDR)](overview-endpoint-detection-response.md) is installed - - If the computer was restarted since the last quick scan--- If Microsoft Defender for Endpoint Real-Time Protection has been disabled since the last quick scan occurred, including if it's currently disabled -
+- If [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) is disabled after the last quick scan occurred
- If the last initiated quick scan wasn't completed This optimization applies to machines running Windows 10 Anniversary Update (version 1607) and all subsequent Windows releases, as well as Windows Server 2016 (version 1607) and subsequent Windows Server releases, but doesn't apply to Core Server installations.
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
- ## See also - [Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus](defender-endpoint-antivirus-exclusions.md)
+- [Onboard non-Windows devices](configure-endpoints-non-windows.md)
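Review bot: the rewritten qualification list says a quick scan is qualified (so the next scheduled one is skipped) if "The machine was rebooted", while the removed bullet "If the computer was restarted since the last quick scan" treated a restart as a reason the optimization does not apply; as written the two readings are opposite, so state explicitly whether a reboot after the last quick scan causes the next scheduled quick scan to run or to be skipped. The removed "What do you want to do?" list linked the Group Policy, PowerShell and WMI scheduling pages, and the replacement list drops them; add them to See also unless they are linked elsewhere on the page. The table row for a newly installed or re-enabled Defender Antivirus changes the recommendation from "Full scan" to "Quick scan or full scan" and removes the "helps populate the cache" rationale together with the "at least one full scan" sentence in the old intro; if that guidance change is intentional, check that other pages in this set do not still recommend the initial full scan. Style: the three bullets under "qualified if" end in semicolons and "and,", which is not used elsewhere on the page, and "opened & closed" should be "opened and closed".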
security Mdo Support Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-support-teams-about.md
The **Teams Message Entity Panel** is one single place to store all of Teams mes
If you're interested in previewing the previously described features for ALL users in your tenant, you can use an Exchange Online PowerShell cmdlet to enable them.
-After you [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell.md), run the following command to join the Teams preview:
+After you [connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), run the following command to join the Teams preview:
```powershell Set-TeamsSecurityPreview -Enable $true
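Review bot: the link fix is right (cross-reference links to other doc sets do not take the .md suffix). Since the surrounding text says the cmdlet turns the preview on for all users in the tenant, the page should also show how to opt out again and which role is required to run `Set-TeamsSecurityPreview`; the `-Enable` parameter suggests the reverse form exists, but the page should confirm it.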
security Submissions Error Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-error-messages.md
If you encounter this error message, then either of the following conditions mig
- You tried to submit an email message that was filtered by EOP or Defender for Office 365, but we're still in the process of collecting the required metadata (descriptive data) about the message. If you wait "a while" and submit the message again, the submission will be successful.+
+## We did not receive the submission, please fix the problem and resubmit
+
+If you encounter this error message, then either of the following conditions have occurred:
+
+- You're trying to submit an email that has been deleted or is no longer in the mailbox or quarantine.
+
+- You have Exchange mail flow rules (also known as transport rules), connectors, or data loss prevention (DLP) rules preventing the message from reaching us.
+
+Be sure to check that both of these conditions are false before submitting the message again.
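Review bot: "either of the following conditions have occurred" should be "one of the following conditions has occurred", matching the construction in the section above. The second bullet blames mail flow rules, connectors or DLP rules for stopping the submission but gives the reader no way to confirm which one; say what the admin should check to find the rule that intercepted the message. Minor: the preceding context line ends in a stray "+" after "successful.", which looks like a merge artifact.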
syntex Syntex Copilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-copilot.md
Title: Overview of Copilot in Microsoft Syntex
+ Title: Overview of Copilot for Microsoft Syntex
- m365initiative-syntex ms.localizationpriority: medium
-description: Learn how to use Copilot to streamline processes in Microsoft Syntex.
+description: Learn how to use Microsoft 365 Copilot to easier find information in Microsoft Syntex.
-# Overview of Copilot in Microsoft Syntex
+# Overview of Copilot for Microsoft Syntex (Preview)
+
+> [!NOTE]
+> The feature is currently in limited preview and subject to change.
+
+Microsoft Syntex is now integrated with Microsoft 365 Copilot to bring the power of assistive AI into your organization's intelligent document processing.
+
+Copilot for Syntex analyzes the text of a selected file in a SharePoint document library, in OneDrive for Business, or in Teams. It then generates a set of questions you can ask about the information in the file. The questions can be used to quickly identify the type of document, generate a summary of information in the document, and identify key points or other important information. You can also ask your own questions, such as "When does this contract expire?" or "What is the fee schedule for this project?"
+
+## To use Copilot for Syntex
+
+1. From a SharePoint document library, select a document.
+
+2. On the ribbon, select **Copilot**.
+
+ ![Screenshot of a document library page showing a document selected and the Copilot button on the ribbon.](../media/content-understanding/copilot-document-selected.png)
+
+3. The **Copilot** panel opens.
+
+ ![Screenshot of the Copilot panel.](../media/content-understanding/copilot-panel.png)
+
+4. On the **Copilot** panel, you can:
+
+ - Select one of the questions Copilot has generated for you.
+
+ ![Screenshot of the generated questions on the Copilot panel.](../media/content-understanding/copilot-generated-questions.png)
+
+ - In the text box, enter your own specific question or make a request.
+
+ ![Screenshot of the text box on the Copilot panel.](../media/content-understanding/copilot-text-box.png)
+
+ - In the text box, select the starter prompt to see suggested actions tailored to the specific file.
+
+ ![Screenshot of the text box on the Copilot panel with the starter prompt highlighted.](../media/content-understanding/copilot-starter-prompt.png)
+
+> [!NOTE]
+> If you want to clear the current session, at the top of the **Copilot** panel, select **More options** (\***), and then select **Clear session**.
+
+## Current limitations
+
+- Copilot for Syntex currently works on Word (.docx), PowerPoint (.pptx), and text-readable .pdf file types. More file types will be added in the future.
+
+- Copilot for Syntex is currently only available to customers in the United States, and currently only understands instructions in English. More languages and locales will be added in the future.
+
+- Copilot for Syntex works on a single selected file at a time, and it only processes the first 4,000 tokens (approximately six pages).
+
+- Copilot for Syntex won't process encrypted files or files stamped with "Confidential" or "Highly Confidential" sensitivity labels.
+
+- Copilot for Syntex doesn't save the context of your session, but you can copy the information if you want to save it.
+
+> [!IMPORTANT]
+> It's important that you review any content the AI generates for you to make sure it has accurately produced what you wanted.
-This article is in development.
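Review bot: the limitation "won't process encrypted files or files stamped with "Confidential" or "Highly Confidential" sensitivity labels" reads as if those two label names are special, but label names are defined per tenant; state whether the exclusion is by label name, by any label that applies encryption, or by a specific label setting, otherwise admins with renamed labels cannot tell whether their confidential documents are excluded. The "first 4,000 tokens (approximately six pages)" limit should say that content past the cut-off is ignored, because a user asking "When does this contract expire?" may get an answer based on a truncated document. Also: the description metadata "to easier find information" should be "to find information more easily", and the icon in "select **More options** (\***)" is garbled and should be the ellipsis glyph or spelled out.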