Updates from: 04/14/2021 03:15:27
Category Microsoft Docs article Related commit history on GitHub Change details
admin Activity Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/activity-reports.md
Watch this video for on overview: on how you can use the reports:
1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page. - ::: moniker-end ::: moniker range="o365-germany"
Depending on your subscription, here are the available reports.
- [Skype for Business Online conference participant activity](/SkypeForBusiness/skype-for-business-online-reporting/conference-participant-activity-report) - [Skype for Business Online peer-to-peer activity](/SkypeForBusiness/skype-for-business-online-reporting/peer-to-peer-activity-report)
-
- [Yammer activity](yammer-activity-report-ww.md) -- - [Yammer activity for US Government](yammer-activity-report.md) -- - [Yammer device usage](yammer-device-usage-report-ww.md) -- - [Yammer device usage for US Government](yammer-device-usage-report.md) -- - [Yammer groups activity report](yammer-groups-activity-report-ww.md) -- - [Yammer groups activity report for US Government](yammer-groups-activity-report.md) -- - [Microsoft Teams user activity](microsoft-teams-user-activity-preview.md) -- - [Microsoft Teams user activity for US Government](microsoft-teams-user-activity.md) -- - [Microsoft Teams device usage](microsoft-teams-device-usage-preview.md) -- - [Microsoft Teams device usage for US Government](microsoft-teams-device-usage.md) - ## How to view licensing information - To see how many licenses you have assigned and unassigned, in the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
If you get a message in the admin center telling you that you don't have permiss
## Commonly used Microsoft 365 admin center roles - In the Microsoft 365 admin center, you can go to **Roles**, and then select any role to open its detail pane. Select the **Permissions** tab to view the detailed list of what admins assigned that role have permissions to do. Select the **Assigned** or **Assigned admins** tab to add users to roles. - You'll probably only need to assign the following roles in your organization. By default, we first show roles that most organizations use. If you can't find a role, go to the bottom of the list and select **Show all by Category**. (For detailed information, including the cmdlets associated with a role, see [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles).) |Admin role |Who should be assigned this role? |
admin Add Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/add-users.md
Last updated 07/01/2020
# Add users and assign licenses at the same time -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see [About the new Microsoft 365 admin center](../microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
-- The people on your team each need a user account before they can sign in and access [Microsoft 365 for business](https://www.microsoft.com/microsoft-365/business). The easiest way to add user accounts is to add them one at a time in the Microsoft 365 admin center. After you do this step, your users have Microsoft 365 licenses, sign in credentials, and Microsoft 365 mailboxes. ## Before you begin
You must be a global, license, or a user admin to add users and assign licenses.
## Add users one at a time
+ ::: moniker range="o365-worldwide"
-1. Go to the admin center at <https://admin.microsoft.com>.
-2. Go to **Users** > **Active users**, and select **Add a user**.
-3. In the **Set up the basics** pane, fill in the basic user information, and then select **Next**.
- - **Name** Fill in the first and last name, display name, and username.
- - **Domain** Choose the domain for the user's account. For example, if the user's username is Jakob, and the domain is contoso.com, they'll sign in by using jakob@contoso.com.
- - **Password settings** Choose to use the autogenerated password or to create your own strong password for the user.
- - The user must change their password after 90 days. Or you can choose to **Require this user to change their password when they first sign in**.
- - Choose whether you want to send the password in email when the user is added.
-4. In the **Assign product licenses** pane, select the location and the appropriate license for the user. If you don't have any licenses available, you can still add a user and buy additional licenses. Expand **Apps** and select or deselect apps to limit the apps the user has a license for. Select **Next**.
-5. In the **Optional settings** pane, expand **Roles** to make this user an admin. Expand **Profile info** to add additional information about the user.
-6. Select **Next**, review your new user's settings, make any changes you like, then select **Finish adding**, then **Close**.
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.
::: moniker-end ::: moniker range="o365-germany"
-1. Go to the admin center at <https://portal.office.de/adminportal>.
-2. Go to **Users** > **Active users**, and select **Add a user**.
-3. In the **New user** pane, fill in the following information. When you're finished, select **Add**.
- - **Name** Fill in first, last, display name, and user name.
- - **Domain** For example, if the user's username is Jakob, and the domain is contoso.com, they'll sign in to by typing jakob@contoso.com.
- - **Contact information** Expand to fill in a mobile phone number, address, and so on.
- - **Password** Use the autogenerated password or expand to specify a strong password for the user. They must change their password after 90 days. Or you can choose to **Make this user change their password when they first sign in**.
- - **Roles** Expand if you need to make this user an admin.
- - **Product licenses** Expand this section and select the appropriate license. If you don't have any licenses available, you can still add a user and buy additional licenses.
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">https://portal.office.de</a>.
::: moniker-end ::: moniker range="o365-21vianet"
-1. Go to the admin center at <https://portal.partner.microsoftonline.cn>.
-2. Go to **Users** > **Active users**, and select **Add a user**.
-3. In the **New user** pane, fill in the following information. When you're finished, select **Add**.
- - **Name** Fill in first, last, display name, and user name.
- - **Domain** For example, if the user's username is Jakob, and the domain is contoso.com, they'll sign in to by typing jakob@contoso.com.
- - **Contact information** Expand to fill in a mobile phone number, address, and so on.
- - **Password** Use the autogenerated password or expand to specify a strong password for the user. They must change their password after 90 days. Or you can choose to **Make this user change their password when they first sign in**.
- - **Roles** Expand if you need to make this user an admin.
- - **Product licenses** Expand this section and select the appropriate license. If you don't have any licenses available, you can still add a user and buy additional licenses.
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">https://portal.partner.microsoftonline.cn</a>.
+
+2. Go to **Users** > **Active users**, and select **Add a user**.
+3. In the **Set up the basics** pane, fill in the basic user information, and then select **Next**.
+ - **Name** Fill in the first and last name, display name, and username.
+ - **Domain** Choose the domain for the user's account. For example, if the user's username is Jakob, and the domain is contoso.com, they'll sign in by using jakob@contoso.com.
+ - **Password settings** Choose to use the autogenerated password or to create your own strong password for the user.
+ - The user must change their password after 90 days. Or you can choose to **Require this user to change their password when they first sign in**.
+ - Choose whether you want to send the password in email when the user is added.
+4. In the **Assign product licenses** pane, select the location and the appropriate license for the user. If you don't have any licenses available, you can still add a user and buy additional licenses. Expand **Apps** and select or deselect apps to limit the apps the user has a license for. Select **Next**.
+5. In the **Optional settings** pane, expand **Roles** to make this user an admin. Expand **Profile info** to add additional information about the user.
+6. Select **Next**, review your new user's settings, make any changes you like, then select **Finish adding**, then **Close**.
## Add multiple users at the same time
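Review bot: the o365-germany and o365-21vianet moniker blocks lose their own step lists (the **New user** pane finished with **Add**, and the **Make this user change their password when they first sign in** option) and, as far as the visible lines show, now fall through to one shared step 2 to 6 sequence written for the new admin center (**Set up the basics**, **Assign product licenses**, **Optional settings**). Confirm those clouds expose that flow before the region-specific steps are dropped; if they do not, keep the old wording inside their moniker ranges. The removed [!NOTE] was also the only pointer to the preview article for readers who still see the old pane, so consider keeping it.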
admin Admin Roles Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/admin-roles-page.md
On the Roles page, you can give users permissions to do tasks in the admin cente
![A figure that shows admin roles](../../media/roles-main-page.png) > [!TIP]
-> Looking for the detailed role descriptions? Check out [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles) and [About admin roles](/office365/admin/add-users/about-admin-roles).
+> Looking for the detailed role descriptions? Check out [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles#available-roles) and [About admin roles](/microsoft-365/admin/add-users/about-admin-roles).
## About the admin roles page
This isn't an exhaustive list of all the permissions that these roles have. Sele
### Exchange admin
-Assign the Exchange admin role to users who need to view and manage your user's email mailboxes, Microsoft 365 groups and Exchange Online. They can also open and manage service requests to Microsoft support. [Learn more](/office365/admin/add-users/about-exchange-online-admin-role)
+Assign the Exchange admin role to users who need to view and manage your user's email mailboxes, Microsoft 365 groups and Exchange Online. They can also open and manage service requests to Microsoft support. [Learn more](/microsoft-365/admin/add-users/about-exchange-online-admin-role)
### Global admin
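Review bot: "your user's email mailboxes" in the + line should be "your users' mailboxes" (plural possessive); since the line is being rewritten for the new link path anyway, fix it in the same change.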
-Assign the global admin role to users who need global access to most management features and data across Microsoft online services. Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins. Only global admins can reset passwords for all user and add and manage domains. They can also open and manage service requests to Microsoft support . The person who signed up for Microsoft online services automatically becomes a global admin. [Learn more](/office365/admin/add-users/about-admin-roles#roles-available-in-the-microsoft-365-admin-center)
+Assign the global admin role to users who need global access to most management features and data across Microsoft online services. Giving too many users global access is a security risk and we recommend that you have between 2 and 4 Global admins. Only global admins can reset passwords for all user and add and manage domains. They can also open and manage service requests to Microsoft support . The person who signed up for Microsoft online services automatically becomes a global admin. [Learn more](/microsoft-365/admin/add-users/about-admin-roles#roles-available-in-the-microsoft-365-admin-center)
### Global reader
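Review bot: the + line carries over two defects from the old text: "reset passwords for all user" should read "for all users", and "Microsoft support ." has a stray space before the period. This is the paragraph that states the risk of over-assigning Global admin and the 2 to 4 recommendation, so it is worth getting the wording clean while the link is being touched.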
-Assign the global reader admin role to user's who need to view admin features and settings in all admin centers that the global admin can view. The global reader admin role can't edit any settings. [Learn more](/office365/admin/add-users/about-admin-roles#roles-available-in-the-microsoft-365-admin-center)
+Assign the global reader admin role to user's who need to view admin features and settings in all admin centers that the global admin can view. The global reader admin role can't edit any settings. [Learn more](/microsoft-365/admin/add-users/about-admin-roles#roles-available-in-the-microsoft-365-admin-center)
### Helpdesk admin
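Review bot: "user's who" in the + line is a possessive where a plural is meant; change it to "users who".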
-Assign the Helpdesk admin role to users who want to reset passwords, force users to sign out for any security issues. They can also open and manage service requests to Microsoft support. The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader. [Learn more](/office365/admin/add-users/about-admin-roles#roles-available-in-the-microsoft-365-admin-center)
+Assign the Helpdesk admin role to users who want to reset passwords, force users to sign out for any security issues. They can also open and manage service requests to Microsoft support. The Helpdesk admin can only help non-admin users and users assigned these roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, and Reports reader. [Learn more](/microsoft-365/admin/add-users/about-admin-roles#roles-available-in-the-microsoft-365-admin-center)
### Service admin
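Review bot: "users who want to reset passwords, force users to sign out for any security issues" in the + line is a run-on fragment; suggest "users who need to reset passwords and force sign-out when there is a security issue". The following sentence, which scopes which accounts a Helpdesk admin can act on, should stay as is.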
-Assign the service admin role to users who need to create service requests for Azure, Microsoft 365, and Office 365 services. [Learn more](/office365/admin/add-users/about-admin-roles#roles-available-in-the-microsoft-365-admin-center)
+Assign the service admin role to users who need to create service requests for Azure, Microsoft 365, and Office 365 services. [Learn more](/microsoft-365/admin/add-users/about-admin-roles#roles-available-in-the-microsoft-365-admin-center)
### SharePoint admin
Assign the Teams admin role to users who you want to access and manage the Teams
### User admin
-Assign the user admin role to users who you want to access and manage user password resets and manage users and groups. They can also open and manage service requests to Microsoft support. [Learn more](/office365/admin/add-users/about-admin-roles#roles-available-in-the-microsoft-365-admin-center)
-
+Assign the user admin role to users who you want to access and manage user password resets and manage users and groups. They can also open and manage service requests to Microsoft support. [Learn more](/microsoft-365/admin/add-users/about-admin-roles#roles-available-in-the-microsoft-365-admin-center)
## Compare roles
In the admin center:
![A figure that shows a comparison of admin roles](../../media/compare-roles-list.png) - ## Related topics [About Microsoft 365 admin roles](about-admin-roles.md)
admin Azure Ad Roles In The Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/azure-ad-roles-in-the-mac.md
The Microsoft 365 admin center lets you manage over 30 Azure AD roles. However,
A user who is assigned an admin role will have the same level of access to cloud services that your organization has subscribed to, regardless of whether you assign the role in the Microsoft 365 admin center or the Azure portal, or by using the Azure AD module for Windows PowerShell. - In the Microsoft 365 admin center, you can go to **Roles**, and then select any role to open its detail pane. Select the **Permissions** tab to view the detailed list of what admins assigned that role have permissions to do. Select the **Assigned** or **Assigned admins** tab to add users to roles. For more information on assigning roles in the Microsoft 365 admin center, see [Assign admin roles](assign-admin-roles.md). - ## All Azure AD roles
-Here's a list of all the admin roles available in the Microsoft 365 admin center. Looking for the detailed role descriptions of the Microsoft 365 admin roles? Check out [About admin roles](./about-admin-roles.md?view=o365-worldwide).
+Here's a list of all the admin roles available in the Microsoft 365 admin center. Looking for the detailed role descriptions of the Microsoft 365 admin roles? Check out [About admin roles](./about-admin-roles.md).
|Admin role |Description | |||
admin Create Edit Or Delete A Custom User View https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/create-edit-or-delete-a-custom-user-view.md
If you're a global or user management admin of a Microsoft 365 for business subs
## Custom user views in the admin center - When you create, edit, or delete a custom user view, the changes will be shown in the **Filter** list that all admins in your company see when they go to the **Users** page. You can create up to 50 custom views. --
-When you create, edit, or delete a custom user view, the changes will be shown in the **Views** list that all admins in your company see when they go to the **Users** page. You can create up to 50 custom views.
---
-When you create, edit, or delete a custom user view, the changes will be shown in the **Views** list that all admins in your company see when they go to the **Users** page. You can create up to 50 custom views.
-- > [!TIP] > Standard user views are displayed by default in the **Filters** drop-down list. The standard filters include **All users**, **Licensed users**, **Guest users**, **Sign-in allowed**, **Sign-in blocked**, **Unlicensed users**, **Users with errors**, **Billing admins**, **Global admins**, **Helpdesk admins**, **Service admins**, and **User management admins**. You can't edit or delete standard views.
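Review bot: the consolidated paragraph above the TIP refers to the **Filter** list, the TIP refers to the **Filters** drop-down list, and the two duplicate paragraphs being removed called it the **Views** list; pick the one label that matches the current UI and use it in both surviving places.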
admin Delete A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/delete-a-user.md
Before you begin, think about what you want to do with the user's email and OneD
Since the guided experience walks through the steps to delete a user, here's how to get started. ::: moniker range="o365-worldwide"+ 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.+ ::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
+
+ 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
+ ::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
+
+ 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
+ ::: moniker-end 2. Select the user that you want to delete, and then select **Delete user**.
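Review bot: the added o365-germany and o365-21vianet step 1 lines are indented by one space ("+ 1. In the admin center...") while the worldwide step 1 and the shared step 2 are not; the markdown renderer may treat the indented lines as continuation text rather than as the first list item, so align the indentation across the three moniker blocks.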
admin Get Access To And Back Up A Former User S Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/get-access-to-and-back-up-a-former-user-s-data.md
To preserve a former user's OneDrive files, first give yourself access to their
::: moniker range="o365-worldwide"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
-
-2. Select a user.
-
-3. In the right pane, select **OneDrive**. Under **Get access to files**, select **Create link to files**.
-
-4. Select the link to open the file location. Download the files to your computer, or select **Move to** or **Copy to** to move or copy them to your own OneDrive or to a shared library.
-
-> [!NOTE]
-> You can move or copy up to 500 MB of files and folders at a time.<br/>
-> When you move or copy documents that have version history, only the latest version is moved.
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
::: moniker-end ::: moniker range="o365-germany"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-
-2. Select a user.
-
-3. In the right pane, expand **OneDrive Settings**, and then next to **Access**, select **Access files**.
-
-4. Select the link to open the file location. Download the files to your computer, or select **Move to** or **Copy to** to move or copy them to your own OneDrive or to a shared library.
-
-> [!NOTE]
-> You can move or copy up to 500 MB of files and folders at a time.<br/>
-> When you move or copy documents that have version history, only the latest version is moved.
+ 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
+ 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
+ 2. Select a user.
-3. In the right pane, expand **OneDrive Settings**, and then next to **Access**, select **Access files**.
+3. In the right pane, select **OneDrive**. Under **Get access to files**, select **Create link to files**.
-4. Select the link to open the file location. Download the files to your computer, or select **Move to** or **Copy to** to move or copy them to your own OneDrive or to a shared library.
+4. Select the link to open the file location. Download the files to your computer, or select **Move to** or **Copy to** to move or copy them to your own OneDrive or to a shared library.
> [!NOTE] > You can move or copy up to 500 MB of files and folders at a time.<br/> > When you move or copy documents that have version history, only the latest version is moved.
-
-- ## Revoke admin access to a user's OneDrive As global admin, you can give yourself access to the content in a user's OneDrive, but you may want to remove your access when you no longer need it. -
-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a> as a global admin or SharePoint admin.
+ ::: moniker range="o365-worldwide"
- If you get a message that you don't have permission to access the admin center, then you don't have administrator permissions in your organization.
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>.
::: moniker-end ::: moniker range="o365-germany"
-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a> as a global admin or SharePoint admin.
-
- If you get a message that you don't have permission to access the admin center, then you don't have administrator permissions in your organization.
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">https://portal.office.de</a>.
::: moniker-end ::: moniker range="o365-21vianet"
-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a> as a global admin or SharePoint admin.
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">https://portal.partner.microsoftonline.cn</a>.
- If you get a message that you don't have permission to access the admin center, then you don't have administrator permissions in your organization.
- 2. In the left pane, select **Admin centers** \> **SharePoint**. (You might need to select **Show all** to see the list of admin centers.)
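Review bot: in the "Revoke admin access to a user's OneDrive" section, the new step 1 lines drop "as a global admin or SharePoint admin" and the follow-up sentence about not having administrator permissions, so the section no longer says which role is required; keep the role requirement in the step, since the procedure grants and removes access to another user's content. Separately, step 3 for the o365-germany and o365-21vianet blocks changes from "expand **OneDrive Settings** ... select **Access files**" to the worldwide "**Create link to files**" wording; confirm those clouds have that UI before the old text goes.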
admin Intune Admin Roles In The Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/intune-admin-roles-in-the-mac.md
The Microsoft 365 admin center lets you manage some Microsoft Intune roles. Howe
For more information on assigning roles in the Microsoft 365 admin center, see [Assign admin roles](assign-admin-roles.md). - In the Microsoft 365 admin center, you can go to **Roles**, and then select any role to open its detail pane. Select the **Permissions** tab to view the detailed list of what admins assigned that role have permissions to do. Select the **Assigned** or **Assigned admins** tab to add users to roles. - ## Microsoft Intune Roles available in the Microsoft 365 admin center |Admin role |Who should be assigned this role? |
admin Get Started With Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/get-started-with-office-365.md
description: "Learn how to set up and use Microsoft 365 on your computer, phone,
# Get started Your organization recently got Microsoft 365, and now you need to use it so you can start reading email, sharing documents, and more. Learn how to set up and use Microsoft 365 on your computer, phone, and tablet.
-
-
-****
-- ## Training resources for your users
business Migrate From E3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/migrate-from-e3.md
This table shows the differences between Microsoft 365 Business Premium and Offi
| OneDrive for Business | 1 TB storage limit per user | Unlimited | | Yammer, SharePoint Online, Planner, Stream | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Office 365 E3](../media/check-mark.png) | | StaffHub | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Office 365 E3](../media/check-mark.png) |
-| Outlook Customer Manager | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | |
+| MileIQ | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | |
| **Threat Protection** | | | | Defender for Office 365 Plan 1 | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | Not included, but can be added on | | **Identity management** | | |
This table shows the differences between Microsoft 365 Business Premium and Offi
| Upgrade rights to Windows 10 Pro from Win 7/8.1 Pro licenses| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) || | **Information protection** | | | |Office 365 Data Loss Prevention| ![Included with Microsoft 365 Business Premium](../media/check-mark.png)|![Included with Office 365 E3](../media/check-mark.png)|
-|Azure Information Protection Plan 1, Bitlocker enforcement|![Included with Microsoft 365 Business Premium](../media/check-mark.png)||
+|Azure Information Protection Plan 1, BitLocker enforcement|![Included with Microsoft 365 Business Premium](../media/check-mark.png)||
|Azure Information Protection Plan 1, Sensitivity labels|![Included with Microsoft 365 Business Premium](../media/check-mark.png)|| |**Client Access License (CAL rights)**||| |Enterprise CAL Suite (Exchange, SharePoint, Skype)||![Included with Office 365 E3](../media/check-mark.png)|
commerce Manage Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-partners.md
If you don't want to give the admin roles to the partner, cancel the invitation
You can remove admin roles from a partner at any time. Removing the admin roles doesnΓÇÖt remove the partner relationship. They can still work with you in a different capacity, such as a Reseller. If you decide that you donΓÇÖt want to work with a partner anymore, contact your partner to end the relationship.
-1. In the admin center, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2074649" target="_blank">Partner relationships</a> page.
+1. In the admin center, go to the **Settings** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2074649" target="_blank">Partner relationships</a> page.
2. On the **Partner relationships** page, select the row that contains the name of the partner that you want to remove. 3. Select the row that contains the name of the partner. 4. On the partner page, select **Remove roles**.
-5. In the **Remove roles?** dialog box, select **Yes**.
+5. In the **Remove roles?** dialog box, select **Yes**.
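Review bot: steps 2 and 3 in the surrounding context both say to select the row that contains the partner's name, so one is redundant; merge them while the **Billing** to **Settings** path change is in. The step 5 change reads identically on the - and + lines, so it appears to be whitespace-only; fine if intended, otherwise drop it from the hunk.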
compliance Archive Ciscojabberonmssql Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ciscojabberonmssql-data.md
localization_priority: Normal
-description: "Admins can set up a connector to import and archive Cisco Jabber data from Veritas in Microsoft 365. This connector lets you archive data from third-party data sources in Microsoft 365. After your archive this data, you can use compliance features such as legal hold, content search, and retention policies to manage third-party data."
+description: "Admins can set up a connector to import and archive Cisco Jabber on MS SQL data from Veritas in Microsoft 365. This connector lets you archive data from third-party data sources in Microsoft 365. After your archive this data, you can use compliance features such as legal hold, content search, and retention policies to manage third-party data."
-# Set up a connector to archive Cisco Jabber data
+# Set up a connector to archive Cisco Jabber on MS SQL data
-Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Cisco Jabber platform to user mailboxes in your Microsoft 365 organization. Veritas provides you with a [Cisco Jabber](https://globanet.com/jabber/) connector that is configured to capture items from the JabberΓÇÖs MS SQL Database, such as 1:1 chat messages and group chats and then import those items to Microsoft 365. The connector retrieves data from the Cisco JabberΓÇÖs MS SQL Database, processes it, and the converts the content from a user's Cisco Jabber account to an email message format and then imports those items to the user's mailbox in Microsoft 365.
+Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Cisco Jabber platform to user mailboxes in your Microsoft 365 organization. Veritas provides you with a [Cisco Jabber](https://globanet.com/jabber/) connector that is configured to capture items from the Jabber's MS SQL Database, such as 1:1 chat messages and group chats and then import those items to Microsoft 365. The connector retrieves data from the Cisco Jabber's MS SQL Database, processes it, and the converts the content from a user's Cisco Jabber account to an email message format and then imports those items to the user's mailbox in Microsoft 365.
After Cisco Jabber data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Cisco Jabber connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies. ## Overview of archiving Cisco Jabber data
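Review bot: the new description line still says "After your archive this data" (should be "After you archive"), and the rewritten paragraph keeps "and the converts the content" (should be "and then converts"); since this hunk already corrects the mojibake apostrophes, fix these two in the same pass.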
-The following overview explains the process of using a connector to archive Cisco Jabber data in Microsoft 365.
+The following overview explains the process of using a connector to archive Cisco Jabber on MS SQL data in Microsoft 365.
![Archiving workflow for Cisco Jabber data](../media/CiscoJabberonMSSQLConnectorWorkflow.png)
The following overview explains the process of using a connector to archive Cisc
- The user who creates the Cisco Jabber connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
-## Step 1: Set up the Cisco Jabber connector
+## Step 1: Set up the Cisco Jabber on MS SQL connector
The first step is to access to the **Data Connectors** in the Microsoft 365 compliance center and create a connector for Cisco Jabber on MS SQL data.
The first step is to access to the **Data Connectors** in the Microsoft 365 comp
5. Sign in to your Merge1 account to configure the connector.
-## Step 2: Configure the Cisco Jabber connector on the Veritas Merge1 site
+## Step 2: Configure the Cisco Jabber on MS SQL connector on the Veritas Merge1 site
The second step is to configure the Cisco Jabber on MS SQL connector on the Veritas Merge1 site. For information about how to configure the Cisco Jabber on MS SQL connector, see [Merge1 Third-Party Connectors User Guide](https://docs.ms.merge1.globanetportal.com/Merge1%20Third-Party%20Connectors%20Cisco%20Jabber%20on%20MS%20SQL%20User%20Guide%20.pdf).
After you create the Cisco Jabber on MS SQL connector, you can view the connecto
## Known issues -- At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
+- At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
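Review bot: the opening paragraph still carries the typo "and the converts the content" (read "and then converts the content"), and "from the Jabber's MS SQL Database" reads better as "from the Jabber MS SQL database". The rename to "Cisco Jabber on MS SQL" was applied to the Step 1 and Step 2 headings and to the overview sentence, but not to the overview heading itself ("## Overview of archiving Cisco Jabber data"), which now disagrees with the sentence directly under it. In "Before you begin", "this role is not assigned to a role group" should be "not assigned to any role group", matching the wording in the companion Oracle and PostgreSQL articles. The "## Known issues" heading has also run into the bullet that follows it; keep the heading on its own line.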
compliance Archive Ciscojabberonoracle Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ciscojabberonoracle-data.md
+
+ Title: "Set up a connector to archive Cisco Jabber on Oracle data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a connector in the Microsoft 365 compliance center to import and archive data from Cisco Jabber on Oracle to Microsoft 365."
++
+# Set up a connector to archive Cisco Jabber on Oracle data (preview)
+
+Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Cisco Jabber on Oracle platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Cisco Jabber on Oracle](https://www.veritas.com/insights/merge1/jabber) connector that is configured to capture items from the third-party data source (on a regular basis) and import those items to Microsoft 365. The connector converts the content such as files and file operations, comments, and shared content from Cisco Jabber on Oracle to an email message format and then imports those items to the user's mailbox in Microsoft 365.
+
+After Cisco Jabber on Oracle data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels. Using a Cisco Jabber on Oracle connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Cisco Jabber on Oracle data
+
+The following overview explains the process of using a connector to archive the Cisco Jabber on Oracle data in Microsoft 365.
+
+![Archiving workflow for Cisco Jabber on Oracle data](../media/CiscoJabberOnOracleConnectorWorkflow.png)
+
+1. Your organization works with Cisco Jabber on Oracle to set up and configure a Cisco Jabber on Oracle site.
+
+2. Once every 24 hours, Cisco Jabber on Oracle items are copied to the Veritas Merge1 site. The connector also converts Cisco Jabber on Oracle items to an email message format.
+
+3. The Cisco Jabber on Oracle connector that you create in the Microsoft 365 compliance center, connects to the Veritas Merge1 site every day and transfers the Jabber content to a secure Azure Storage location in the Microsoft cloud.
+
+4. The connector imports the converted items to the mailboxes of specific users using the value of the *Email* property of the automatic user mapping as described in [Step 3](#step-3-map-users-and-complete-the-connector-setup). A subfolder in the Inbox folder named **Cisco Jabber on Oracle** is created in the user mailboxes, and items are imported to that folder. The connector does this by using the value of the *Email* property. Every Jabber item contains this property, which is populated with the email address of every participant of the item.
+
+## Before you begin
+
+- Create a Merge1 account for Microsoft connectors. To do this, contact [Veritas Customer Support](https://www.veritas.com/content/support/en_US). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Cisco Jabber on Oracle connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up the Cisco Jabber on Oracle connector
+
+The first step is to access to the **Data Connectors** page in the Microsoft 365 compliance center and create a connector for Jabber data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Cisco Jabber on Oracle**.
+
+2. On the **Cisco Jabber on Oracle** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector, and then click **Next**.
+
+5. Sign in to your Merge1 account to configure the connector.
+
+## Step 2: Configure the Cisco Jabber on Oracle on the Veritas Merge1 site
+
+The second step is to configure the Cisco Jabber on Oracle connector on the Veritas Merge1 site. For information about how to configure the Cisco Jabber on Oracle connector, see [Merge1 Third-Party Connectors User Guide](https://docs.ms.merge1.globanetportal.com/Merge1%20Third-Party%20Connectors%20Cisco%20Jabber%20on%20Oracle%20User%20Guide.pdf).
+
+After you click **Save & Finish**, the **User mapping** page in the connector wizard in the Microsoft 365 compliance center is displayed.
+
+## Step 3: Map users and complete the connector setup
+
+To map users and complete the connector setup in the Microsoft 365 compliance center, follow these steps:
+
+1. On the **Map Cisco Jabber on Oracle users to Microsoft 365 users** page, enable automatic user mapping. The Cisco Jabber on Oracle items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that user's mailbox.
+
+2. Click **Next**, review your settings, and then go to the **Data connectors** page to see the progress of the import process for the new connector.
+
+## Step 4: Monitor the Cisco Jabber on Oracle connector
+
+After you create the Cisco Jabber on Oracle connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com/> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the **Cisco Jabber on Oracle** connector to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+- At this time, we don't support importing attachments or items larger than 10 MB but support for larger items will be available at a later date.
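Review bot: the first paragraph says the connector converts "files and file operations, comments, and shared content", which does not describe a chat platform and conflicts with the companion articles (the MS SQL article captures 1:1 chat messages and group chats; the PostgreSQL article says "messages, chats, and shared content"); align this sentence with what the Jabber on Oracle connector actually captures. Overview step 1, "Your organization works with Cisco Jabber on Oracle to set up and configure a Cisco Jabber on Oracle site", reads as boilerplate carried over from another connector and should name the party the customer works with. The Step 2 heading is missing the word "connector" ("Configure the Cisco Jabber on Oracle connector on the Veritas Merge1 site"). In "Before you begin", both options for granting Mailbox Import Export are presented as equal; since the role is needed only by the person who creates and completes the connector, recommend the dedicated role group option so the role is not handed to every member of Organization Management. Minor: "sign into this account" should be "sign in to this account", the "Last updated" field is empty, and the front matter lacks the search.appverid block that the PostgreSQL article carries.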
compliance Archive Ciscojabberonpostgresql Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-ciscojabberonpostgresql-data.md
+
+ Title: "Set up a connector to archive Cisco Jabber on PostgreSQL data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+search.appverid:
+- MET150
++
+description: "Learn how to set up and use a connector in the Microsoft 365 compliance center to import and archive data from Cisco Jabber on PostgreSQL to Microsoft 365."
++
+# Set up a connector to archive Cisco Jabber on PostgreSQL data (preview)
+
+Use a Veritas connector in the Microsoft 365 compliance center to import and archive data from the Cisco Jabber platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Cisco Jabber on PostgreSQL](https://www.veritas.com/insights/merge1/jabber) connector that is configured to capture items from the third-party data source (on a regular basis) and import those items to Microsoft 365. The connector converts the content such as messages, chats, and shared content from Cisco Jabber on PostgreSQL to an email message format and then imports those items to the user's mailbox in Microsoft 365.
+
+After Cisco Jabber on PostgreSQL data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels. Using a Cisco Jabber on PostgreSQL connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Cisco Jabber on PostgreSQL data
+
+The following overview explains the process of using a connector to archive the Cisco Jabber on PostgreSQL data in Microsoft 365.
+
+![Archiving workflow for Cisco Jabber on PostgreSQL data](../media/CiscoJabberonPostgreSQLConnectorWorkflow.png)
+
+1. Your organization works with Cisco Jabber on PostgreSQL to set up and configure a Cisco Jabber on PostgreSQL site.
+
+2. Once every 24 hours, Cisco Jabber on PostgreSQL items are copied to the Veritas Merge1 site. The connector also converts Cisco Jabber on PostgreSQL items to an email message format.
+
+3. The Cisco Jabber on PostgreSQL connector that you create in the Microsoft 365 compliance center, connects to the Veritas Merge1 site every day, and transfers the Jabber content to a secure Azure Storage location in the Microsoft cloud.
+
+4. The connector imports the converted items to the mailboxes of specific users using the value of the *Email* property of the automatic user mapping as described in [Step 3](#step-3-map-users-and-complete-the-connector-setup). A subfolder in the Inbox folder named **Cisco Jabber on PostgreSQL** is created in the user mailboxes, and items are imported to that folder. The connector does this by using the value of the *Email* property. Every Jabber item contains this property, which is populated with the email address of every participant of the item.
+
+## Before you begin
+
+- Create a Merge1 account for Microsoft connectors. To do this, contact [Veritas Customer Support](https://www.veritas.com/content/support/en_US). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Cisco Jabber on PostgreSQL connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](https://docs.microsoft.com/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up the Cisco Jabber on PostgreSQL connector
+
+The first step is to access to the **Data Connectors** page in the Microsoft 365 compliance center and create a connector for Jabber data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** &gt; **Cisco Jabber on PostgreSQL**.
+
+2. On the **Cisco Jabber on PostgreSQL** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector, and then click **Next**.
+
+5. Sign in to your Merge1 account to configure the connector.
+
+## Step 2: Configure the Cisco Jabber on PostgreSQL on the Veritas Merge1 site
+
+The second step is to configure the Cisco Jabber on PostgreSQL connector on the Veritas Merge1 site. For information about how to configure the Cisco Jabber on PostgreSQL connector, see [Merge1 Third-Party Connectors User Guide](https://docs.ms.merge1.globanetportal.com/Merge1%20Third-Party%20Connectors%20Cisco%20Jabber%20on%20PostgreSQL%20User%20Guide.pdf).
+
+After you click **Save & Finish**, the **User mapping** page in the connector wizard in the Microsoft 365 compliance center is displayed.
+
+## Step 3: Map users and complete the connector setup
+
+To map users and complete the connector setup in the Microsoft 365 compliance center, follow these steps:
+
+1. On the **Map Cisco Jabber on PostgreSQL users to Microsoft 365 users** page, enable automatic user mapping. The Cisco Jabber on PostgreSQL items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that user's mailbox.
+
+2. Click **Next**, review your settings, and then go to the **Data connectors** page to see the progress of the import process for the new connector.
+
+## Step 4: Monitor the Cisco Jabber on PostgreSQL connector
+
+After you create the Cisco Jabber on PostgreSQL connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com/> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the **Cisco Jabber on PostgreSQL** connector to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+- At this time, we don't support importing attachments or items larger than 10 MB but support for larger items will be available at a later date.
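Review bot: the Step 2 heading is missing the word "connector" ("Configure the Cisco Jabber on PostgreSQL connector on the Veritas Merge1 site"). Overview step 1, "Your organization works with Cisco Jabber on PostgreSQL to set up and configure a Cisco Jabber on PostgreSQL site", should say who the customer actually works with rather than naming the data source twice. Setup step 1 uses the HTML entity "&gt;" for the breadcrumb separator where the Oracle article uses a plain ">"; pick one form for all three Jabber articles. "sign into this account" should be "sign in to this account". As in the Oracle article, consider recommending the dedicated role group option for Mailbox Import Export over adding the role to Organization Management, since only the connector creator needs it.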
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
The following table lists the third-party data connectors available in the Micro
|[Bell Network <sup>1</sup>](archive-bell-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Bloomberg Message](archive-bloomberg-message-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[CellTrust <sup>2</sup>](archive-celltrust-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
-|[Cisco Jabber <sup>2</sup>](archive-ciscojabberonmssql-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Cisco Jabber on MS SQL <sup>2</sup>](archive-ciscojabberonmssql-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Cisco Jabber on Oracle <sup>2</sup>](archive-ciscojabberonoracle-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Cisco Jabber on PostgreSQL <sup>2</sup>](archive-ciscojabberonpostgresql-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[EML <sup>2</sup>](archive-eml-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||| |[Enterprise Number <sup>1</sup>](archive-enterprise-number-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Facebook](archive-facebook-data-with-sample-connector.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
compliance Create A Litigation Hold https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-litigation-hold.md
localization_priority: Normal search.appverid: MET150 ms.assetid: 39db1659-0b12-4243-a21c-2614512dcb44
-description: Learn how to place a mailbox on Litigation Hold, retaining all the mailbox content during an investigation.
+description: "Learn how to place a mailbox on Litigation Hold, retaining all the mailbox content during an investigation."
- seo-marvel-mar2020 - seo-marvel-apr2020
compliance Dlp Alerts Dashboard Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-alerts-dashboard-get-started.md
+
+ Title: "Get started with the data loss prevention alert dashboard"
+f1.keywords:
+- CSH
+++ Last updated :
+audience: ITPro
+
+f1_keywords:
+- 'ms.o365.cc.DLPLandingPage'
+
+localization_priority: Normal
+
+- M365-security-compliance
+- SPO_Content
+search.appverid:
+- MET150
+
+- seo-marvel-apr2020
+description: Get started with defining and managing alerts for data loss prevention policies.
++
+# Get started with the data loss prevention alert dashboard
+
+Data loss prevention (DLP) policies can take protective actions to prevent unintentional sharing of sensitive items. When an action is taken on a sensitive item, you can be notified by configuring alerts for DLP. This article shows you how to define rich alert policies that are linked to your data loss prevention (DLP) policies. You'll see how to use the [DLP alert management dashboard](https://compliance.microsoft.com/datalossprevention?viewid=dlpalerts) in the [Microsoft 365 compliance center](https://compliance.microsoft.com/) to view alerts, events, and associated metadata for DLP policy violations.
+
+If you are new to DLP alerts, you should review [Learn about the data loss prevention alerts dashboard](dlp-alerts-dashboard-learn.md)
+
+## Before you begin
+
+Before you begin, make sure you have the necessary prerequisites:
+
+- Licensing for the DLP alerts management dashboard
+- Licensing for alert configuration options
+- Roles
+
+### Licensing for the DLP alert management dashboard
+
+All eligible tenants for Office 365 DLP can access the DLP alert management dashboard. To get started, you should be eligible for Office 365 DLP for Exchange Online, SharePoint Online, and OneDrive for Business. For more information about the licensing requirements for Office 365 DLP, see [Which licenses provide the rights for a user to
+benefit from the service?](https://docs.microsoft.com/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#which-licenses-provide-the-rights-for-a-user-to-benefit-from-the-service-16).
+
+Customers who use [Endpoint DLP](endpoint-dlp-learn-about.md) who are eligible for [Teams DLP](dlp-microsoft-teams.md) will see their endpoint DLP policy alerts and Teams DLP policy alerts in the DLP alert management dashboard.
+
+The **content preview** feature is available only for these licenses:
+
+- Microsoft 365 (E5)
+- Office 365 (E5)
+- Advanced Compliance (E5) add on
+- Microsoft 365 E5/A5 Information Protection and Governance
+- Microsft 365 E5/A5 Compliance
+
+### Licensing for alert configuration options
+
+**Single-event alert configuration**: Organizations that have an E1, F1, or G1 subscription or an E3 or G3 subscription can create alert policies only where an alert is triggered every time an activity occurs.
+
+**Aggregated alert configuration**: To configure aggregate alert policies based on a threshold, you must one of these licensing configurations:
+
+- An E5 or G5 subscription
+- An E1, F1, or G1 subscription or an E3 or G3 subscription that includes one of the following features:
+ - Office 365 Advanced Threat Protection Plan 2
+ - Microsoft 365 E5 Compliance
+ - Microsoft 365 eDiscovery and Audit add-on license
+
+### Roles
++
+If you want to view the DLP alert management dashboard or to edit the alert configuration options in a DLP policy, you must be a member of one of these role groups:
+
+- Compliance Administrator
+- Compliance Data Administrator
+- Security Administrator
+- Security Operator
+- Security Reader
+
+To access the DLP alert management dashboard, you need the:
+
+- Manage alerts
+
+and either of these two roles:
+
+- DLP Compliance Management
+- View-Only DLP Compliance Management
+
+To access the Content preview feature and the Matched sensitive content and context features you must be a member of:
+
+- Content Explorer Content Viewer role group
+
+which has the data classification content viewer role pre-assigned.
+
+## DLP alert configuration
+
+To learn how to configure an alert in your DLP policy, see [Where to start with data loss prevention](create-test-tune-dlp-policy.md#where-to-start-with-data-loss-prevention).
+
+### Aggregate event alert configuration
+
+If your org is licensed for [aggregated alert configuration options](#licensing-for-alert-configuration-options),
+then you'll see these options when you create or edit a DLP policy.
++
+This configuration allows you to set up a policy to generate an alert every time an activity matches the policy conditions or when a certain threshold is exceeded, based on the number of activities or based on the volume of exfiltrated data.
+
+### Single event alert configuration
+
+If your org is licensed for [single-event alert configuration options](#licensing-for-alert-configuration-options), then you'll see these options when you create or edit a DLP policy. Use this option to create an alert that's raised every time a DLP rule match happens.
++
+## Investigate a DLP alert
+
+To work with the DLP alert management dashboard:
+
+1. In the [Microsoft 365 compliance center](https://www.compliance.microsoft.com), go to **Data Loss Prevention**.
+2. Select the **Alerts** tab to view the DLP alerts dashboard.
+3. Select an alert to see details:
++
+4. Select the **Events** tab to view all of the events associated with the alert. You can choose a particular event to view its details. For a list of some of the available event details, see, [Learn about the data loss prevention Alerts dashboard](dlp-alerts-dashboard-learn.md).
+5. Select **Details** to open the **Overview** page for the alert. The overview page provides a summary:
+ 1. of what happened
+ 1. who performed the actions that caused the policy match
+ 1. information about the matched policy, and more
+
+6. Choose the **Events** tab to access the:
+ 1. content involved
+ 1. sensitive information types matched
+ 1. metadata
+
+7. Select the **Sensitive Info Types** tab to view details about the sensitive information types detected in the content. Details include confidence, count, and the content that matches the sensitive information type.
+
+8. After you investigate the alert, return to the **Overview** tab where you can manage triage and manage the disposition of the alert and add comments.
+
+- To see the history of workflow management, choose **Management log**.
+- After you take the required action for the alert, set the status of the alert to **Resolved**.
+
+## See also
+
+- [Learn about data loss prevention alerts and the alerts dashboard](dlp-alerts-dashboard-learn.md)
+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
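Review bot: the Roles section states that membership in any of the five listed role groups lets you view the dashboard "or edit the alert configuration options in a DLP policy", but that list includes Security Reader, and the role list below it includes View-Only DLP Compliance Management; neither is an editing role, so split the requirements into what is needed to view the dashboard and what is needed to edit alert settings, otherwise admins may grant more than necessary or expect read-only members to be able to change alert thresholds. The sentence fragment "you need the: - Manage alerts and either of these two roles:" needs rewording, for example "you need the Manage alerts role and either the DLP Compliance Management or the View-Only DLP Compliance Management role". Also: "Microsft 365 E5/A5 Compliance" is a typo; "you must one of these licensing configurations" is missing "have"; "see, [Learn about" has a stray comma; "manage triage and manage the disposition" repeats "manage"; step 3, "Select an alert to see details:", ends with a colon but nothing follows it; and the front matter items "- M365-security-compliance" and "- SPO_Content" have no key above them (presumably ms.collection), so the metadata will not parse as intended.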
compliance Dlp Alerts Dashboard Learn https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-alerts-dashboard-learn.md
+
+ Title: "Learn about the data loss prevention Alerts dashboard"
+f1.keywords:
+- CSH
+++ Last updated :
+audience: ITPro
+
+f1_keywords:
+- 'ms.o365.cc.DLPLandingPage'
+
+localization_priority: Normal
+
+- M365-security-compliance
+- SPO_Content
+search.appverid:
+- MET150
+
+- seo-marvel-apr2020
+description: Learn about data loss prevention alerts and the alerts dashboard.
++
+# Learn about the data loss prevention Alerts dashboard
+
+When the criteria in a Data loss prevention (DLP) policy is matched by the actions a user is taking on a sensitive item, the policy can generate an alert. This can result in a high volume of alerts. DLP alerts are collected in the alerts dashboard. The alerts dashboard gives you a single place to go to perform a deep investigation of all the details regarding the policy match.
+
+<!-- [Microsoft 365 compliance center](https://compliance.microsoft.com/)-->
+
+## Workloads
+
+The [DLP alert management dashboard](https://compliance.microsoft.com/datalossprevention?viewid=dlpalerts), in the [Microsoft 365 compliance center](https://compliance.microsoft.com/), shows alerts for DLP policies on these workloads:
+
+- Exchange
+- SharePoint
+- OneDrive
+- Teams
+- Windows 10 devices
+
+> [!TIP]
+> Customers who use [Endpoint DLP](endpoint-dlp-learn-about.md) who are eligible for [Teams DLP](dlp-microsoft-teams.md) will see their endpoint DLP policy alerts and Teams DLP policy alerts in the DLP alert management dashboard.
+
+## Single alert and aggregate alert
+
+There are two types of alerts that can be configured in DLP policies.
+
+**Single-event alerts** are typically used in policies that monitor for highly sensitive events that occur in a low volume, like a single email with 10 or more customer credit card numbers being sent outside your organization.
+
+**Aggregate-event alerts** are typically used in policies that monitor for events that occur in a higher volume over a period of time. For example, an aggregate alert can be triggered when 10 individual emails each with one customer credit card number is sent outside your org over 48 hours.
+
+## Types of events
+
+Here are some of the events associated with an alert. In the UI, you can choose a particular event to view its details.
+
+### Event details
+
+|Property name |Description |Event types |
+||||
+|ID |unique ID associated with the event |all events |
+|Location |workload where the event was detected|all events |
+|time of activity |time of the user activity that matched the criteria of the DLP policy |
+
+### Impacted entities
+
+|Property name |Description| Event types|
+||||
+|user | user who took the action that caused the policy match | all events|
+|hostname | host name of the computer where the DLP policy match occurred | device events|
+|IP address | IP address of the computer where the DLP policy match occurred | device events|
+|sha1 |SHA-1 hash of the file | device events|
+|sha256 | SHA-256 hash of the file | device events|
+|MDATP device ID | endpoint device MDATP ID|
+|file size | size of the file| SharePoint, OneDrive, and device events|
+|file path | the absolute path of the item involved with the DLP policy match | SharePoint, OneDrive, and devices events|
+|email recipients |if an email was the sensitive item that matched the DLP policy, this field includes the recipients of that email| Exchange events|
+|email subject |subject of the email that matched the DLP policy |Exchange events|
+|email attachments | names of the attachments in the email that matched the DLP policy| Exchange events|
+|site owner |name of the site owner| SharePoint and OneDrive events|
+|site URL |full of the URL of the SharePoint or OneDrive site where the DLP policy match occurred |SharePoint and OneDrive events|
+|file created |time of creation of the file that matched the DLP policy |SharePoint and OneDrive events|
+|file last modified | the last time that the file that matched the DLP policy was changed | SharePoint and OneDrive events|
+|file size | size of the file that matched the DLP policy |SharePoint and OneDrive events|
+|file owner |owner of the file that matched the DLP policy |SharePoint and OneDrive events|
+
+### Policy details
+
+|Property name |Description |Event types |
+||||
+|DLP policy matched |name of the matched DLP policy |all events|
+|rule matched |name of the matched DLP policy rule |all events|
+|sensitive information types (SIT) detected|SITs that were detected as part of the DLP policy match |all events|
+|actions taken |actions that were taken that caused the DLP policy match| all events|
+|violating action | action on the endpoint device that raised the DLP alert| device events |
+|user overrode policy |did the user override the policy via a policy tip | all events|
+|use override justification |the text of the reason provided by the user for the override | all events|
+
+## See Also
+
+- [Get started with the data loss prevention alert dashboard](dlp-alerts-dashboard-get-started.md)
+- [Where to start with data loss prevention](create-test-tune-dlp-policy.md#where-to-start-with-data-loss-prevention)
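Review bot: the three property tables have defects that will break rendering or mislead readers. The separator rows are written as "||||" rather than a dash row such as "|---|---|---|", so the tables will not render as tables; the "time of activity" row under Event details and the "MDATP device ID" row under Impacted entities have no Event types cell (the latter is presumably "device events"); "file size" appears twice under Impacted entities with different scopes and the two rows should be merged; "full of the URL" should be "full URL"; and "use override justification" should be "user override justification". For the sha1 and sha256 rows, say "of the file involved in the DLP policy match" to match the neighbouring rows, since responders use these hashes to pivot into endpoint telemetry. In the opening paragraph, "the criteria in a Data loss prevention (DLP) policy is matched" should read "are matched", and the commented-out compliance center link adds nothing and can go.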
compliance Dlp Configure View Alerts Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-configure-view-alerts-policies.md
Title: "Configure and view alerts for DLP policies (preview)"
+ Title: "Configure and view alerts for data loss prevention policies"
f1.keywords: - CSH
search.appverid:
- MET150 - seo-marvel-apr2020
-description: Learn how to define and manage alerts for DLP policies.
+description: Learn how to define and manage alerts for data loss prevention policies.
-# Configure and view alerts for DLP polices (preview)
+# Configure and view alerts for data loss prevention polices
-This article shows you how to define rich alert policies that are linked
-to your data loss prevention (DLP) policies. You'll see how to use the
+Data loss prevention (DLP) polices can take protective actions to prevent unintentional sharing of sensitive items. When an action is taken on a sensitive item, you can be notified by configuring alerts for DLP. This article shows you how to define rich alert policies that are linked to your data loss prevention (DLP) policies. You'll see how to use the
new DLP alert management dashboard in the [Microsoft 365 compliance center](https://compliance.microsoft.com/) to view alerts, events, and associated metadata for DLP policy violations.
+<!-- LEFT OFF HERE-->
+ ## Features
-The following features are part of this preview:
+The following features are part of this:
- **DLP alert management dashboard**: In the [Microsoft 365 compliance center](https://compliance.microsoft.com/), this dashboard shows
Office 365 DLP, see [Which licenses provide the rights for a user to
benefit from the service?](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#which-licenses-provide-the-rights-for-a-user-to-benefit-from-the-service-16).
-Customers who participate in the [Endpoint
-DLP](./endpoint-dlp-learn-about.md?view=o365-worldwide)
-public preview or who are eligible for [Teams
-DLP](./dlp-microsoft-teams.md?view=o365-worldwide)
-will see their endpoint DLP policy alerts and Teams DLP policy alerts in
-the DLP alert management dashboard.
+Customers who use [Endpoint DLP](endpoint-dlp-learn-about.md) who are eligible for [Teams
+DLP](dlp-microsoft-teams.md) will see their endpoint DLP policy alerts and Teams DLP policy alerts in the DLP alert management dashboard.
### Licensing for alert configuration options
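Review bot: dropping the "or" from the old sentence changed its meaning. `Customers who use [Endpoint DLP](...) who are eligible for [Teams DLP](...) will see their endpoint DLP policy alerts and Teams DLP policy alerts` now reads as a conjunction (customers must meet both conditions). Suggest `Customers who use Endpoint DLP or who are eligible for Teams DLP will see their endpoint DLP policy alerts and Teams DLP policy alerts, respectively, in the DLP alert management dashboard.`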
compliance Ediscovery Decryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-decryption.md
Encryption is an important part of your file protection and information protecti
To execute common eDiscovery tasks on encrypted content, eDiscovery managers were required to decrypt email message content as it was exported from content searches, Core eDiscovery cases, and Advanced eDiscovery cases. Content encrypted with Microsoft encryption technologies wasn't available for review until after it was exported.
-To make it easier to manage encrypted content in the eDiscovery workflow, Microsoft 365 eDiscovery tools now incorporate decryption of encrypted files that are attached to email messages and sent in Exchange Online. Additionally, encrypted documents stored in SharePoint Online and OneDrive for Business are decrypted in Advanced eDiscovery.
+To make it easier to manage encrypted content in the eDiscovery workflow, Microsoft 365 eDiscovery tools now incorporate the decryption of encrypted files attached to email messages and sent in Exchange Online.<sup>1</sup> Additionally, encrypted documents stored in SharePoint Online and OneDrive for Business are decrypted in Advanced eDiscovery.
-Prior to this new capability, only the content of an email message protected by rights management (and not attached files) were decrypted. Encrypted documents in SharePoint and OneDrive couldn't be decrypted during the eDiscovery workflow. Now, if a file that's encrypted with a Microsoft encryption technology is attached to an email message or located on a SharePoint or OneDrive account, those encrypted items are decrypted when the search results are prepared for preview, added to a review set in Advanced eDiscovery, and exported. This allows eDiscovery managers to view the content of encrypted email attachments and site documents when previewing search results, and review them after they have been added to a review set in Advanced eDiscovery.
+Prior to this new capability, only the content of an email message protected by rights management (and not attached files) were decrypted. Encrypted documents in SharePoint and OneDrive couldn't be decrypted during the eDiscovery workflow. Now, files that are encrypted with a Microsoft encryption technology is located on a SharePoint or OneDrive account are searchable and decrypted when the search results are prepared for preview, added to a review set in Advanced eDiscovery, and exported. Additionally, encrypted documents in SharePoint and OneDrive that are attached to an email message are searchable. This decryption capability allows eDiscovery managers to view the content of encrypted email attachments and site documents when previewing search results, and review them after they have been added to a review set in Advanced eDiscovery.
## Supported encryption technologies
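Review bot: the new sentence in the last paragraph is missing a conjunction and has a subject-verb mismatch: `Now, files that are encrypted with a Microsoft encryption technology is located on a SharePoint or OneDrive account are searchable and decrypted` should read `Now, files that are encrypted with a Microsoft encryption technology and located on a SharePoint or OneDrive account are searchable and decrypted`. While touching that paragraph, the carried-over `only the content of an email message ... were decrypted` should be `was decrypted`, and the follow-on sentence `encrypted documents in SharePoint and OneDrive that are attached to an email message are searchable` should say whether such attachments are also decrypted for preview and export, since the next sentence implies they are.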
The following table identifies the supported tasks that can be performed in Micr
|eDiscovery task |Content search |Core eDiscovery |Advanced eDiscovery | |:|:|:|:|
-|Search for content in encrypted files in email and sites |Yes |Yes |Yes |
+|Search for content in encrypted files in email and sites<sup>1</sup> |Yes |Yes |Yes |
|Preview encrypted files attached to email |Yes |Yes |Yes | |Preview encrypted documents in SharePoint and OneDrive|No |No |Yes | |Review encrypted files in a review set |N/A |N/A | Yes |
The following table identifies the supported tasks that can be performed in Micr
|Export encrypted documents in SharePoint and OneDrive |No |No |Yes | |||||
-**Note:** eDiscovery doesn't support encrypted files in SharePoint and OneDrive when a sensitivity label that applied the encryption is configured with either of the following settings:
+> [!NOTE]
+> <sup>1</sup> Encrypted files that are located on a local computer (and not stored on a SharePoint or OneDrive site) aren't indexed for eDiscovery. That means if an encrypted local file is attached to an email message, the file won't be returned by a keyword search query, even if the file contains keywords that match the search query. However, email messages with local encrypted file can be returned by an eDiscovery search if an email property (such as sent date, sender, recipient, or subject) matches the search query.
-- Users can assign permissions when they manually apply the label to a document. This is sometimes referred to as *user-defined permissions*.<br/>
+### Decryption limitations with sensitivity labels
+
+eDiscovery doesn't support encrypted files in SharePoint and OneDrive when a sensitivity label that applied the encryption is configured with either of the following settings:
+
+- Users can assign permissions when they manually apply the label to a document. This is sometimes referred to as *user-defined permissions*.
- User access to the document has an expiration setting that is set to a value other than **Never**.
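Review bot: in the new footnote, `email messages with local encrypted file can be returned by an eDiscovery search` needs an article (`with a local encrypted file`). Also consider placing the `<sup>1</sup>` footnote directly under the first table, where the marker is used on the "Search for content in encrypted files" row; as written, the explanation sits after the second table and the intro paragraph's marker, so a reader who sees the marker in the table has to scan past unrelated rows to find it.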
compliance Export A Content Search Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-a-content-search-report.md
When you export a report, it's downloaded to a folder that has the same name as
- To export a Content Search report, you have to be assigned the Compliance Search management role in the Security & Compliance Center. This role is assigned by default to the built-in eDiscovery Manager and Organization Management role groups. For more information, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md). -- When you export a report, the data is temporarily stored in a unique Azure Storage area in the Microsoft cloud before it's downloaded to your local computer. Be sure that your organization can connect to the endpoint in Azure, which is **\*.blob.core.windows.net** (the wildcard represents a unique identifier for your export). The search results data is deleted from the Azure Storage area two weeks after it's created.
-
+- When you export a report, the data is temporarily stored in a unique Azure Storage area in the Microsoft cloud before it's downloaded to your local computer. Be sure that your organization can connect to the endpoint in Azure, which is **\*.blob.core.windows.net** (the wildcard represents a unique identifier for your export). The search results data is deleted from the Azure Storage area two weeks after it's created.
+ - The computer you use to export the search results has to meet the following system requirements:
-
- - 32-bit or 64-bit versions of Windows 7 and later versions
-
+
+ - Latest version of Windows (32-bit or 64-bit)
+ - Microsoft .NET Framework 4.7
-
+ - You have to use one of the following supported browsers to run the eDiscovery Export Tool<sup>1</sup>: - Microsoft Edge <sup>2</sup>
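Review bot: `Latest version of Windows (32-bit or 64-bit)` replaces a concrete minimum (`Windows 7 and later versions`) with a moving target that admins cannot check against, so the requirement should name the minimum supported version explicitly (and stay in sync with the identical list in export-search-results.md). Two layout points in the same hunk: `+ - The computer you use to export the search results ...` is indented one level while the sibling bullets (`To export a Content Search report`, `When you export a report`) are top-level, so it will render as a sub-item of the Azure Storage bullet; and the new browser line introduces footnotes `<sup>1</sup>` and `<sup>2</sup>` whose definitions are not in this hunk, so confirm they exist further down.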
compliance Export Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-search-results.md
Exporting the results of a Content Search involves preparing the results, and th
- The computer you use to export the search results has to meet the following system requirements:
- - 32-bit or 64-bit versions of Windows 7 and later versions
+ - Latest version of Windows (32-bit or 64-bit)
- Microsoft .NET Framework 4.7
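Review bot: same concern as the sibling article: `Latest version of Windows (32-bit or 64-bit)` is not a checkable requirement; state the minimum supported version instead, using the same wording in both export-search-results.md and export-a-content-search-report.md so the two system-requirement lists do not drift apart.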
Exporting the results of a Content Search involves preparing the results, and th
- **64-bit:** `%windir%\Microsoft.NET\Framework64\[version]\Config\machine.config`
- Add the following lines to the *machine.config* file somewhere between the `<configuration>` and `</configuration>` tags. Be sure to replace `ProxyServer` and `Port` with the correct values for your organization; for example, `proxy01.contoso.com:80` .
+ Add the following lines to the *machine.config* file somewhere between the `<configuration>` and `</configuration>` tags. Be sure to replace `ProxyServer` and `Port` with the correct values for your organization; for example, `proxy01.contoso.com:80`.
```xml <system.net>
Any rights-protected (RMS-protected) email messages included in the results of a
- There is a 260-character limit (imposed by the operating system) for the full path name for email messages and site documents exported to your local computer. The full path name for exported items includes the item's original location and the folder location on the local computer where the search results are downloaded to. For example, if you specify to download the search results to `C:\Users\Admin\Desktop\SearchResults` in the eDiscovery Export tool, then the full pathname for a downloaded email item would be `C:\Users\Admin\Desktop\SearchResults\ContentSearch1\03.15.2017-1242PM\Exchange\sarad@contoso.com (Primary)\Top of Information Store\Inbox\Insider trading investigation.msg`.
- If the 260-character limit is exceeded, the full path name for an item will be truncated.
+- If the 260-character limit is exceeded, the full path name for an item will be truncated, based on the following:
- If the full path name is longer than 260 characters, the file name will be shortened to get under the limit; note that the truncated filename (excluding the file extension) won't be fewer than eight characters. - If the full path name is still too long after shortening the file name, the item is moved from its current location to the parent folder. If the pathname is still too long, then the process is repeated: shorten the filename, and if necessary move again to the parent folder. This process is repeated until the full pathname is under the 260-character limit.
- - If a truncated full path name already exists, a version number is added to the end of the filename; for example, `statusmessage(2).msg`.
+ - If a truncated full path name already exists, a version number is added to the end of the filename; for example, `statusmessage(2).msg`.
To help mitigate this issue, consider downloading search results to a location with a short path name; for example, downloading search results to a folder named `C:\Results` would add fewer characters to the path names of exported items than downloading them to a folder named `C:\Users\Admin\Desktop\Results`.
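Review bot: the nested list introduced by `based on the following:` is inconsistently indented. The first two rules (`If the full path name is longer than 260 characters ...` and `If the full path name is still too long ...`) are unchanged top-level bullets, while the third (`+  - If a truncated full path name already exists ...`) is now indented under the intro; indent all three the same way so they render as one sub-list of the 260-character bullet rather than as a mix of sibling and child items.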
Any rights-protected (RMS-protected) email messages included in the results of a
- The file system metadata for documents on SharePoint and OneDrive for Business sites is maintained when documents are exported to your local computer. That means document properties, such as created and last modified dates, aren't changed when documents are exported. -- If your search results include a list item from SharePoint that matches the search query, all rows in the list will be exported in addition to the item that matches the search query and any attachments in the list. The reason for this behavior is to provide a context for list items that are returned in the search results. Also note that the additional list items and attachments may cause the count of exported items to be different than the original estimate of search results.
+- If your search results include a list item from SharePoint that matches the search query, all rows in the list will be exported in addition to the item that matches the search query and any attachments in the list. The reason for this behavior is to provide a context for list items that are returned in the search results. The additional list items and attachments may cause the count of exported items to be different than the original estimate of search results.
compliance New Defender Alert Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/new-defender-alert-policies.md
+
+ Title: "New alert policies in Microsoft Defender for Office 365"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Priority
+
+- M365-security-compliance
+search.appverid:
+- MET150
+- MOE150
+
+- seo-marvel-apr2020
+
+description: "We're releasing new alert policies for Microsoft Defender for Office 365. We're also retiring two existing alert policies that have been replaced by the new ones."
++
+# New alert policies in Microsoft Defender for Office 365
+
+Microsoft Defender for Office 365 is introducing new and improved alert policies related to post-delivery detections. This includes enhancements to the Automated Investigation & Response (AIR) playbooks associated with them. In addition, we're modifying the severity classification for six default alert policies to better align the alerts generated by these policies with their impact on your organization.
+
+## Post-delivery detections
+
+We'll be introducing four new default alert policies related to post-delivery detections after the Microsoft Defender for Office 365 Zero-hour auto purge (ZAP) removes messages from an inbox. These four new alert policies will replace two existing default alert policies that cover ZAP scenarios and will provide organizations enhanced details about the underlying detection and related indicators. These alerts (and the AIR playbooks that will be triggered from these alerts) will accurately capture the threats of the emails and entities, including if the URL points to a malicious file or if the file contains a malicious URL.
+
+The following table lists the new alert policies and the existing alert policies that will be removed. See the [How this will affect your organization](#how-this-will-affect-your-organization) section for details about the rollout.
+
+| New or existing alert policy | Alert policy name | Alert policy ID|
+|:--|:-|:--|
+| New| **Email messages containing malicious URL removed after delivery** | 0179B3F7-3FDA-40C3-8F24-278563978DBB |
+| New| **Email messages containing malicious file removed after delivery** | 8E6BA277-EF39-404E-AAF1-294F6D9A2B88 |
+| New| **Email messages from a campaign were delivered and later removed** | ef850570-5624-42b2-ff0a-08d8d899d578 |
+| New|**Malicious emails were delivered and later removed** | a1f563cc-fb1f-466b-1fb5-08d8d71a3050 |
+| Existing (will be removed)| **Email messages containing phish URLs removed after delivery**| EA8169FA-0678-4751-8854-AEBEA7ADECEB |
+| Existing (will be removed)| **Email messages containing malware removed after delivery**| 0179B3F7-3FDA-40C3-8F24-278563978DBB |
+||||
+
+## Alert severity enhancements
+
+For the following table identifies the default alert policies whose severity classifications are being modified. We're changing the severity classification for these alert policies to better align with the potential risk and impact on your organization and to help your security teams prioritize the alerts generated by these policies.
+
+| Alert| Alert policy ID| Old severity| New severity |
+|:-|:|:|:--|
+| **Suspicious email forwarding activity**| BFD48F06-0865-41A6-85FF-ADB746423EBF | Medium| High|
+| **Email reported by user as malware or phish** | B26A5770-0C38-434A-9380-3A3C2C27BBB3 | Informational | Low|
+| **Unusual increase in email reported as phish** | A00D8C62-9320-4EEA-A7E5-966B9AC09558 | High| Medium |
+| **Admin Submission result completed** | AE9B83DD-6039-4EA9-B675-6B0AC3BF4A41 | Low| Informational |
+| **Creation of forwarding/redirect rule** | D59A8FD4-1272-41EE-9408-86F7BCF72479 | Low| Informational |
+| e**Discovery search started or exported**ΓÇï| 6FDC5710-3998-47F0-AFBB-57CEFD7378AE | Medium| Informational |
+|||||
+
+## When will these changes happen
+
+The following table identifies when the new alert policies will begin triggering post-delivery alerts. The table also identifies when the two existing alert policies will be removed.
+
+| Alert policy| Date |
+|:|:--|
+| **Email messages containing malicious URL removed after delivery** (new) | Alerts will start triggering on April 11, 2021|
+| **Email messages containing malicious file removed after delivery** (new) | Alerts will start triggering on April 11, 2021 |
+| **Emails messages from a campaign were delivered and later removed** (new) | Alerts will start triggering on April 30, 2021|
+| **Malicious emails were delivered and later removed** (new) | Alerts will start triggering on April 30, 2021|
+| **Email messages containing phish URLs removed after delivery** (existing, will be removed)| The alert policy will be removed on April 30, 2021. See the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section.|
+| **Email messages containing malware removed after delivery** (existing, will be removed) | The alert policy will be removed on April 30, 2021. See the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section. |
+|||
+
+The alert severity changes will be rolled out to all organizations by April 30, 2021.
+
+## How this will affect your organization
+
+The new alerts will begin firing, and triggering the AIR investigations in your organization on the dates listed above. To reduce the impact on security organizations that have operationalized the two alerts that are to be removed, you will see alerts triggered by the existing alert policies *and* the alerts triggered by the new alert policies between April 5, 2021 and April 30, 2021. This is to provide security teams with time to handle the required changes. To help security teams with the increased alert volume during this short duration, both the existing alerts and the new alerts will be correlated into the same AIR investigation and correlated into a same Incident. More specifically, this includes the following behavior for alerts, AIR investigations, and Incidents:
+
+- **Alerts**: By design, you will see the following alert pairs across the existing and new alerts:
+
+ - **Email messages containing phish URLs removed after delivery** AND **Email messages containing malicious URL removed after delivery**
+
+ - **Email messages containing malware removed after delivery** AND **Email messages containing malicious file removed after delivery**
+
+ ![Alert pairs for new and existing alerts](../media/DefenderAlerts.png)
+
+ For more information about managing these alert pairs, see the [What you need to do to prepare for these changes](#what-you-need-to-do-to-prepare-for-these-changes) section.
+
+- **AIR Investigations**: Alerts will be correlated into a single AIR Investigation, with one of the alerts classified as "triggering" and the other as "repeated".
+
+ ![Alert pairs in AIR Investigations](../media/AIRAlerts.png)
+
+- **Incidents**: Both alerts will correlate into the same Incident
+
+ ![Alert pairs in Incidents](../media/IncidentsAlerts.png)
+
+## What you need to do to prepare for these changes
+
+How your organization utilizes these alerts will determine what you need to do to prepare. If you have operationalized the alerts and are using or consuming them either through an API, an alert email notification, or in the Office 365 Security & Compliance Center (`https://protection.office.com/viewalerts`) or the Microsoft security center (`https://security.microsoft.com/viewalerts`), you'll need to modify your workflows.
+
+**If you haven't operationalized these alerts, you can do one of the following:**
+
+- Disable the following alert policies (that are being removed) to reduce alert volume in your organization:
+
+ - **Email messages containing phish URLs removed after delivery**
+
+ - **Email messages containing malware removed after delivery**
+
+- Do nothing. We'll disable the existing alert policies on April 30, 2021.
+
+**If you have operationalized these alerts:**
+
+- Start consuming the new alerts as a part of your workflows, in anticipation of the existing alert policy removal on April 30, 2021. If you have custom logic in your ticketing system, a security mailbox where you receive alert email notifications, or a SIEM solution that depends on the alert name or alert policy Id (CorrelationId), you will need to modify the logic to accommodate the change.
+
+ > [!NOTE]
+ > The information in the alerts, investigations, and incidents has not changed. In fact, this information has been enhanced with additional detail about the threats associated with them.
+
+- After you've made the modifications, you can disable the existing alert policies to reduce alert volume in your organization:
+
+ - **Email messages containing phish URLs removed after delivery**
+
+ - **Email messages containing malware removed after delivery**
+
+ Alternatively, you can leave these alert policies enabled until we delete them on April 30, 2021.
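Review bot: the alert policy ID table appears to have a copy error. The new policy `Email messages containing malicious URL removed after delivery` and the existing policy `Email messages containing malware removed after delivery` are both listed with ID `0179B3F7-3FDA-40C3-8F24-278563978DBB`; since the "What you need to do" section tells readers that ticketing, mailbox and SIEM logic keyed on the alert policy Id (CorrelationId) must be updated, the table needs the correct, distinct IDs. Second, the dates conflict: the timeline table says the malicious URL and malicious file alerts start on April 11, 2021 and the other two on April 30, 2021, but "How this will affect your organization" says the old and new alerts will both be seen `between April 5, 2021 and April 30, 2021`. Smaller items: `For the following table identifies` should be `The following table identifies`; the severity row `| e**Discovery search started or exported**ΓÇï|` has misplaced bold markers and a mis-encoded zero-width space and should be `| **eDiscovery search started or exported** |`; `Emails messages from a campaign` in the timeline table does not match `Email messages from a campaign` in the first table; and in the frontmatter the list items `- M365-security-compliance` and `- seo-marvel-apr2020` appear without a parent key, so confirm the metadata block is intact.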
compliance Ome Version Comparison https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ome-version-comparison.md
audience: Admin
localization_priority: Normal Previously updated : 4/30/2019 - Strat_O365_IP - M365-security-compliance
# Compare versions of OME > [!IMPORTANT]
-> On February 28, 2021, Microsoft will deprecate support for AD RMS in Exchange Online. If you've deployed a hybrid environment where your Exchange mailboxes are online and you're using IRM with Active Directory RMS on-premises, you'll need to migrate to Azure. Organizations that have deployed into the GCC Moderate environment are also affected. See "Overview of AD RMS deprecation in Exchange Online" in this article for information.
+> On February 28, 2021, Microsoft deprecated support for AD RMS in Exchange Online. If you've deployed a hybrid environment where your Exchange mailboxes are online and you're using IRM with Active Directory RMS on-premises, you'll need to migrate to Azure. Organizations that have deployed into the GCC Moderate environment are also affected. See "Overview of AD RMS deprecation in Exchange Online" in this article for information.
The rest of this article compares legacy Office 365 Message Encryption (OME) to the new OME capabilities and Office 365 Advanced Message Encryption. The new capabilities are a merger and newer version of both OME and Information Rights Management (IRM). Unique characteristics of deploying into GCC High are also outlined. The two can coexist in your organization. For information on how the new capabilities work, see [Office 365 Message Encryption (OME)](ome.md).
enterprise Microsoft 365 Germany Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-germany-endpoints.md
hideEdit: true
*Applies To: Office 365 Admin* Office 365 requires connectivity to the Internet. The endpoints below should be reachable for customers using **Office 365 Germany** plans only.+
+> [!NOTE]
+> For customers, which are in the transition to the new Microsoft 365 datacenter region in Germany, the endpoints will change.
+> For additional information, please refer to [Migration from Microsoft Cloud Deutschland to Office 365 services in the new German datacenter regions](ms-cloud-germany-transition.md).
**Office 365 endpoints:** [Worldwide (including GCC)](urls-and-ip-address-ranges.md) | [Office 365 operated by 21 Vianet](urls-and-ip-address-ranges-21vianet.md) | *Office 365 Germany* | [Office 365 U.S. Government DoD](microsoft-365-u-s-government-dod-endpoints.md) | [Office 365 U.S. Government GCC High](microsoft-365-u-s-government-gcc-high-endpoints.md) |
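Review bot: the new note has a relative-clause error: `For customers, which are in the transition to the new Microsoft 365 datacenter region in Germany, the endpoints will change.` should read `For customers who are transitioning to the new Microsoft 365 datacenter region in Germany, the endpoints will change.` Also, `please refer to` can simply be `see`, matching the rest of this endpoints page.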
enterprise Ms Cloud Germany Transition Add Pre Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-pre-work.md
Office 365 tenant and user identifiers are preserved during migration. Azure AD
<!-- before phase 9 -->
-**Applies to**: Customers who set a custom _msoid_ CNAME in their own DNS domain
+**Applies to**: Customers who set a custom _msoid_ CNAME in their own DNS domain or using a domain for Exchange Online
If configured, the _msoid_ CNAME affects only customers using Office Desktop client (Microsoft 365 Apps, Office 365 ProPlus, Office 2019, 2016, ...).
nslookup -querytype=CNAME msoid.contoso.com
If the command line returns a DNS record, remove the _msoid_ CNAME from your domain.
+> [!NOTE]
+> If you are using a custom domain for Exchange Online, you'll need to have access to your DNS hosting provider. Please make sure you can access and edit your DNS settings, you'll be modifying DNS records during the migration.
+ ## Active Directory Federation Services (AD FS) <!-- before phase 4 -->
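Review bot: widening the "Applies to" line to `or using a domain for Exchange Online` leaves readers in that second group without an action, because the body only describes the _msoid_ CNAME check and its removal; either state what Exchange Online DNS records they will change, or put the DNS-access note under its own "Applies to" block. Grammar: the line should read `or who use a custom domain for Exchange Online`, and the new note has a comma splice (`Please make sure you can access and edit your DNS settings, you'll be modifying DNS records during the migration.`), which reads better as `... DNS settings, because you'll be modifying DNS records during the migration.`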
Read and apply the [ADFS Migration steps](ms-cloud-germany-transition-add-adfs.m
| Step(s) | Description | Impact | |:-|:-|:-|
-| Notify external partners of the upcoming transition to Office 365 services. | Customers must notify their partners with whom they have enabled sharing calendar and availability address space configuration (allow sharing of free/busy information with Office 365). Availability configuration needs to transition to use the [Office 365 worldwide endpoints](https://docs.microsoft.com/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) when Exchange Online migration is completed. | Failure to do so may result in service or client failure at a later phase of customer migration. |
-| Notify users of required IMAP4/POP3/SMTP client changes. | Users who have device connections to Microsoft Cloud Deutschland endpoints for client protocols IMAP4, POP3, SMTP are required to manually update their client devices to switch to the [Office 365 worldwide endpoints](https://docs.microsoft.com/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide). | Pre-communicate this dependency to users of these protocols and ensure they either switch to use Outlook mobile or Outlook on the web during this migration. Failure to update client endpoints will result in client connection failures against Microsoft Cloud Deutschland when user mailboxes are migrated. |
+| Notify external partners of the upcoming transition to Office 365 services. | Customers must notify their partners with whom they have enabled sharing calendar and availability address space configuration (allow sharing of free/busy information with Office 365). Availability configuration needs to transition to use the [Office 365 worldwide endpoints](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) when Exchange Online migration is completed. | Failure to do so may result in service or client failure at a later phase of customer migration. |
+| Notify users of required IMAP4/POP3/SMTP client changes. | Users who have device connections to Microsoft Cloud Deutschland endpoints for client protocols IMAP4, POP3, SMTP are required to manually update their client devices to switch to the [Exchange Online server names](/exchange/clients-and-mobile-in-exchange-online/pop3-and-imap4/pop3-and-imap4#settings-users-use-to-set-up-pop3-or-imap4-access-to-their-exchange-online-mailboxes). | Pre-communicate this dependency to users of these protocols and ensure they either switch to use Outlook mobile or Outlook on the web during this migration. Failure to update client endpoints will result in client connection failures against Microsoft Cloud Deutschland when user mailboxes are migrated. |
|||| ### Exchange Online Hybrid customers
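Review bot: the first row's link was made site-relative but still carries the view query string: `[Office 365 worldwide endpoints](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide)`, while the new Exchange Online server-names link in the second row has none. Drop `?view=o365-worldwide` for consistency with the other site-relative links updated in this change (the dlp-configure-view-alerts-policies.md hunk removed the same query string).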
Read and apply the [ADFS Migration steps](ms-cloud-germany-transition-add-adfs.m
**Applies to:** All customers using an active Exchange Hybrid Configuration with Exchange servers on-premises<br> **When applied**: Any time before Phase 5 starts
-Enterprise customers with a hybrid deployment of Exchange Online and an on-premises Exchange Server run the Hybrid Configuration Wizard (HCW) and AAD Connect to maintain and establish the hybrid setup. When transitioning from Microsoft Cloud Deutschland to the Office 365 Germany region, the administrator must re-run the latest build of HCW in "Office 365 Germany" mode before the Exchange migration (Phase 5) begins. Then, run the HCW again in "Office 365 Worldwide" mode on completion of Phase 5 to finalize the on-premises deployment with the Office 365 Germany region settings. Directory attributes are synced between Office 365 and Azure AD with the on-premises deployment through AAD Connect.
+Enterprise customers with a hybrid deployment of Exchange Online and an on-premises Exchange Server run the Hybrid Configuration Wizard (HCW) and AAD Connect to maintain and establish the hybrid setup.
+Exchange Online Hybrid administrators **must execute the Hybrid Configuration wizard (HCW) multiple times** as part of this transition.
+When transitioning from Microsoft Cloud Deutschland to the Office 365 Germany region, the administrator must re-run the latest build of HCW in "Office 365 Germany" mode before the Exchange migration (Phase 5) begins. Then, run the HCW again in "Office 365 Worldwide" mode on completion of Phase 5 to finalize the on-premises deployment with the Office 365 Germany region settings. The HCW run must not be executed during Phase 5, it is important to run the HCW not until phase 5 finishes.
+Directory attributes are synced between Office 365 and Azure AD with the on-premises deployment through AAD Connect.
| Step(s) | Description | Impact | |:-|:-|:-|
-| (Pre-Phase 5) - Re-run HCW using Office 365 Germany settings <br><br> <i>You may start this activity immediately after receiving the message center notification that your Office 365 tenant migration has begun (phase 1).</i>| Uninstalling and re-running HCW (17.0.5378.0 or higher) from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard) before Phase 5 will ensure that your on-premises configuration is prepared to send and receive mail with both Microsoft Cloud Deutschland users and users who are migrated to Office 365 Germany region. <p><li> In the HCW, for the list box below **My Office 365 organization is hosted by**, select **Office 365 Germany.** | Failing to complete this task before Phase 5 [Exchange Migration] begins may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.
-| (Post-Phase 5) - Re-run HCW using Office 365 Worldwide settings <br><br> <i>You may start this activity after receiving the message center notification that your Exchange Migration is complete (Phase 5).</i>| Uninstalling and re-running HCW from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard) after Phase 5 will reset the on-premises configuration for hybrid configuration with only Office 365 global. <p><li> In the list box below **My Office 365 organization is hosted by**, select **Office 365 Worldwide**. | Failing to complete this task before Phase 9 [Migration Complete] may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.
-| Establish AuthServer on-premises pointing to global Security Token Service (STS) for authentication | This ensures that authentication requests for Exchange availability requests from users in migration state that target the hybrid on-premises environment are authenticated to access the on-premises service. Similarly, this will ensure authentication of requests from on-premises to Office 365 Global services endpoints. | After Azure AD migration (phase 2) is complete, the administrator of the on-premises Exchange (hybrid) topology must add a new authentication service endpoint for the Office 365 Global services. With this command from Exchange PowerShell, replace `<TenantID>` with your organization's tenant ID found in the Azure portal on Azure Active Directory.<br>`New-AuthServer GlobalMicrosoftSts -AuthMetadataUrl https://accounts.accesscontrol.windows.net/<TenantId>/metadata/json/1`<br> Failing to complete this task may result in hybrid free-busy requests failing to provide information for mailbox users who have been migrated from Microsoft Cloud Deutschland to Office 365 services. |
-| (Pre-Phase 5) - Preserving Shared Mailbox settings | Some Hybrid customers have converted cloud user mailboxes to be 'shared' mailboxes using Exchange Online commands. This cloud mailbox configuration is written to the mailbox and local Exchange Online directory, however, it is not synced back to the customer's Active Directory via AAD Connect. The result is a discrepancy between the Active Directory representation of the mailbox RemoteRecipientType and RemoteDisplayType values and that in Exchange Online defining the mailbox as shared. <br><br> The customer is responsible to ensure that all Shared mailboxes are properly provisioned using `New-RemoteMailbox -Shared`, `Enable-RemoteMailbox -Shared`, or `Set-RemoteMailbox -Shared`. See this reference for how to [Convert a user's mailbox in a hybrid environment](https://docs.microsoft.com/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox?view=o365-worldwide).| Failing to complete this task before Phase 5 [Exchange Online Migration] may result in NDRs for Shared Mailboxes which convert back to unlicensed mailboxes and loss of shared access for affected mailboxes. [Shared mailboxes are unexpectedly converted to user mailboxes after directory synchronization runs in an Exchange hybrid deployment](https://docs.microsoft.com/exchange/troubleshoot/user-and-shared-mailboxes/shared-mailboxes-unexpectedly-converted-to-user-mailboxes) outlines the impact of not addressing this before Exchange Online Migration completes.
+| Re-run HCW using Office 365 Germany settings <br><br> <i>You may start this activity immediately after receiving the message center notification that your Office 365 tenant migration has begun (phase 1).</i>| Uninstalling and re-running HCW (17.0.5378.0 or higher) from [https://aka.ms/hybridwizard](https://aka.ms/hybridwizard) before Phase 5 will ensure that your on-premises configuration is prepared to send and receive mail with both Microsoft Cloud Deutschland users and users who are migrated to Office 365 Germany region. <p><li> In the HCW, for the list box below **My Office 365 organization is hosted by**, select **Office 365 Germany.** | Failing to complete this task before Phase 5 [Exchange Migration] begins may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.
+| Preserving Shared Mailbox settings | Some Hybrid customers have converted cloud user mailboxes to be 'shared' mailboxes using Exchange Online commands. This cloud mailbox configuration is written to the mailbox and local Exchange Online directory, however, it is not synced back to the customer's Active Directory via AAD Connect. The result is a discrepancy between the Active Directory representation of the mailbox RemoteRecipientType and RemoteDisplayType values and that in Exchange Online defining the mailbox as shared. <br><br> The customer is responsible to ensure that all Shared mailboxes are properly provisioned using `New-RemoteMailbox -Shared`, `Enable-RemoteMailbox -Shared`, or `Set-RemoteMailbox -Shared`. See this reference for how to [Convert a user's mailbox in a hybrid environment](/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox?view=o365-worldwide).| Failing to complete this task before Phase 5 [Exchange Online Migration] may result in NDRs for Shared Mailboxes which convert back to unlicensed mailboxes and loss of shared access for affected mailboxes. [Shared mailboxes are unexpectedly converted to user mailboxes after directory synchronization runs in an Exchange hybrid deployment](/exchange/troubleshoot/user-and-shared-mailboxes/shared-mailboxes-unexpectedly-converted-to-user-mailboxes) outlines the impact of not addressing this before Exchange Online Migration completes.
|||| ## Skype for Business Online
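Review bot: the rows removed here for the post-phase-5 HCW re-run with Office 365 Worldwide settings and for the `New-AuthServer GlobalMicrosoftSts` step disappear from this prework table with no pointer to where the reader now finds them; the remaining HCW row describes only the Germany-mode run, so a hybrid admin reading this table alone will conclude one run is enough. Add a sentence such as "A second HCW run with Office 365 Worldwide settings and the on-premises AuthServer step are described in the transition phases article." Separately, the first added row keeps a bare `<p><li>` inside the table cell with no enclosing list and no closing tag; a plain `<br>` before "In the HCW, ..." renders the same without unbalanced HTML.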
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
If you are using Active Directory Federation Services (AD FS), make sure to [bac
## Phase 2: Azure AD Migration In this phase the Azure Active Directory will be migrated to the new datacenter region and become active. The old Azure AD endpoints will be still available.
+### Exchange Online Hybrid - Modify AuthServer on-premises
+**Applies to:** All customers using an active Exchange Hybrid Configuration with Exchange servers on-premises
+
+**When applied**: After phase 2 ends
+
+The AuthServer on-premises must be pointing to global Security Token Service (STS) for authentication after Azure AD migration is complete.
+This ensures that authentication requests for Exchange availability requests from users in migration state that target the hybrid on-premises environment are authenticated to access the on-premises service. Similarly, this will ensure authentication of requests from on-premises to Office 365 Global services endpoints.
+After Azure AD migration (phase 2) is complete, the administrator of the on-premises Exchange (hybrid) topology must add a new authentication service endpoint for the Office 365 Global services.
+With this command from Exchange PowerShell, replace `<TenantID>` with your organization's tenant ID found in the Azure portal on Azure Active Directory.
+
+```powershell
+New-AuthServer GlobalMicrosoftSts -AuthMetadataUrl https://accounts.accesscontrol.windows.net/<TenantID>/metadata/json/1
+```
+
+Failing to complete this task may result in hybrid free-busy requests failing to provide information for mailbox users who have been migrated from Microsoft Cloud Deutschland to Office 365 services.
+ ## Phase 3: Subscription transfer **Applies to**: All customers with an Office 365 tenant hosted in the Microsoft Cloud Deutschland (MCD)
In case you are still using SharePoint 2013 workflows, limit the use of SharePoi
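Review bot: the opening of the new "Modify AuthServer on-premises" section says the same thing twice, first "The AuthServer on-premises must be pointing to global Security Token Service (STS) for authentication after Azure AD migration is complete." and then "After Azure AD migration (phase 2) is complete, the administrator ... must add a new authentication service endpoint"; collapse these into one statement of when and what, followed by the why. The placeholder is now spelled `<TenantID>` consistently in both the prose and the command, which fixes the `<TenantId>`/`<TenantID>` mismatch of the table row this replaces; keep it that way. The closing sentence about hybrid free-busy requests failing is the impact statement and would read better under its own **Impact** label, matching the **Applies to** and **When applied** labels above it.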
Additional considerations: - If your organization still uses SharePoint 2010 workflows, they'll no longer function after December 31, 2021. SharePoint 2013 workflows will remain supported, although turned off by default for new tenants starting on November 1, 2020. After migration to the SharePoint Online service is complete, we recommend that you to move to Power Automate or other supported solutions.-
+
- Microsoft Cloud Deutschland customers whose SharePoint Online instance is not yet migrated need to stay on SharePoint Online PowerShell module/Microsoft.SharePointOnline.CSOM version 16.0.20616.12000 or below. Otherwise, connections to SharePoint Online via PowerShell or the client-side object model will fail.
+- During this phase, the IP addresses behind the SharePoint URLs will change. After the transition to Office 365 Global services, the addresses for the preserved tenant URLs (for example, `contoso.sharepoint.de` and `contoso-my.sharepoint.de`) will be changed to the [Worldwide Microsoft 365 URLs and IP address ranges (SharePoint Online and OneDrive for Business)](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide#sharepoint-online-and-onedrive-for-business).
+ > [!NOTE]
-> In case you are using eDiscovery, make sure you are aware of the [eDiscovery migration experience](ms-cloud-germany-transition-add-experience.md).
+> In case you are using eDiscovery, make sure you are aware of the [eDiscovery migration experience](ms-cloud-germany-transition-add-scc.md).
## Phase 5: Exchange Online
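Review bot: the new SharePoint bullet states that the IP addresses behind `contoso.sharepoint.de` and `contoso-my.sharepoint.de` will change but gives the reader no action to take; customers who restrict outbound traffic by IP (firewall or proxy allow-lists built from the Germany ranges) must add the linked worldwide SharePoint Online and OneDrive ranges before this phase, otherwise access to the preserved URLs fails once the addresses switch. State that explicitly, as the Autodiscover DNS and Azure AD endpoint steps elsewhere in this article do. Minor: the added `> [!NOTE]` line carries a leading space while the quoted line below it does not; align them so the alert renders as one block.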
+Starting with phase 5, Exchange Online mailboxes are moved from Microsoft Cloud Deutschland to Office 365 Global services.
-**Applies to:** All customers using Exchange Online
+The Office 365 Global services region is set as default, which enables the internal load-balancing service to redistribute mailboxes to the appropriate default region in Office 365 services. In this transition, users on either side (MCD or Global services) are in the same organization and can use either URL endpoint.
-If you're using Exchange Online hybrid: Exchange Online Hybrid administrators **must execute the Hybrid Configuration wizard (HCW) multiple times** as part of this transition. Apply the [Exchange prework](ms-cloud-germany-transition-add-pre-work.md#exchange-online-hybrid-customers) **before the migration step phase 5 begins**. Exchange Online hybrid customers must run the latest version of the Exchange Hybrid Configuration Wizard (HCW) in "Office 365 Germany" mode to prepare the on-premises configuration for the migration to Office 365 global services.
+The new region "Germany" is added to the organization setup. Exchange Online configuration adds the new go-local German region to the transitioning organization.
-Upon **completion of the migration phase 9** (when the Message Center notice is published), you need to run the HCW again using Office 365 Worldwide settings to point your on-premises systems to the Office 365 Global services.
+- Transition users and services from your legacy MCD URLs (`https://outlook.office.de`) to new Office 365 services URLs (`https://outlook.office365.com`).
+- The Exchange Online services (Outlook Web Access and Exchange Admin Center) for the new German datacenter region will be available from this phase, they will not be available before.
+- Users may continue to access the service through legacy MCD URLs during the migration, however they need to stop using the legacy URLs on completion of the migration.
+- Users should transition to using the worldwide Office portal for Office Online features (Calendar, Mail, People). Navigation to services that aren't yet migrated to Office 365 services won't function until they are migrated.
+- The Outlook Web App won't provide the public folder experience during migration.
-If you want to modify user photos during phase 5, see [Exchange Online Set-UserPhoto during phase 5](#exchange-online-powershell)
+If you want to modify user photos during phase 5, see [Exchange Online PowerShell - Set-UserPhoto during phase 5](#exchange-online-powershell).
-| Step(s) | Description | Impact |
-|:-|:-|:-|
-|**Admin**: Stop mailbox moves|Stop or delete any onboarding or offboarding mailbox moves, namely don't move mailboxes between Exchange on-premises and Exchange Online. | This ensures the mailbox move requests don't fail with an error. Failure to do so may result in failure of the service or Office clients. |
-| The new region "Germany" is added to the organization setup. | Exchange Online configuration adds the new go-local German region to the transitioning organization. | |
-| Exchange Online mailboxes are moved from Microsoft Cloud Deutschland to Office 365 Global services.| The Office 365 Global services region is set as default, which enables the internal load-balancing service to redistribute mailboxes to the appropriate default region in Office 365 services. In this transition, users on either side (MCD or Global services) are in the same organization and can use either URL endpoint. |<ul><li>Transition users and services from your legacy MCD URLs (outlook.office.de) to new Office 365 services URLs (`https://outlook.office365.com`).</li><li>Users may continue to access the service through legacy MCD URLs during the migration, however they need to stop using the legacy URLs on completion of the migration.</li><li>Users should transition to using the worldwide Office portal for Office Online features (Calendar, Mail, People). Navigation to services that aren't yet migrated to Office 365 services won't function until they are migrated. </li><li>The Outlook Web App won't provide the public folder experience during migration. </li></ul>|
-| **Admin**: Update custom DNS Settings for AutoDiscover| Customer-managed DNS settings for AutoDiscover that currently point to Microsoft Cloud Deutschland need to be updated to refer to the Office 365 Global endpoint on completion of the Exchange Online phase (phase 5). <br> Existing DNS entries with CNAME pointing to autodiscover-outlook.office.de need to be updated to point to autodiscover.outlook.com. | Availability requests and service discovery calls via AutoDiscover point directly to the Office 365 services. Customers who do not perform these DNS updates may experience Autodiscover service issues when the migration is finalized. |
-||||
+### DNS Record for Autodiscover in Exchange Online
+**Applies to:** Customers using Exchange Online with a custom domain
+
+Customer-managed DNS settings for AutoDiscover that currently point to Microsoft Cloud Deutschland need to be updated to refer to the Office 365 Global endpoint on completion of the Exchange Online phase (phase 5). <br> Existing DNS entries with CNAME pointing to autodiscover-outlook.office.de need to be updated to point to **autodiscover.outlook.com**.
+
+Customers who do not perform these DNS updates upon **completion of the migration phase 9** may experience service issues when the migration is finalized.
### Exchange Online PowerShell **Applies to:** Exchange Online Administrators using Exchange Online PowerShell
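Review bot: the new "DNS Record for Autodiscover in Exchange Online" section gives two different deadlines: the first paragraph says the CNAME must be repointed "on completion of the Exchange Online phase (phase 5)", while the impact sentence warns about customers who skip it "upon **completion of the migration phase 9**". Pick one (the removed table row tied it to phase 5) so admins know whether Autodiscover breaks after the mailbox move or only at finalization. The Phase 5 section also loses its "**Applies to:** All customers using Exchange Online" line in this rewrite while every neighbouring phase keeps one; restore it. Style: "will be available from this phase, they will not be available before" is a comma splice; "from this phase, and not before" reads cleaner.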
Additional considerations:
- `myaccount.microsoft.com` will only work after the tenant cutover in phase 9. Links will produce "something went wrong" error messages until that time. --> - Users of Outlook Web App that access a shared mailbox in the other environment (for example, a user in the MCD environment accesses a shared mailbox in the Global environment) will be prompted to authenticate a second time. The user must first authenticate and access their mailbox in `outlook.office.de`, then open the shared mailbox that is in `outlook.office365.com`. They'll need to authenticate a second time when accessing the shared resources that are hosted in the other service.- - For existing Microsoft Cloud Deutschland customers or those in transition, when a shared mailbox is added to Outlook by using **File > Info > Add Account**, viewing calendar permissions may fail (the Outlook client attempts to use the Rest API `https://outlook.office.de/api/v2.0/Me/Calendars`). Customers who want to add an account to view calendar permissions can add the registry key as described in [User experience changes for sharing a calendar in Outlook](https://support.microsoft.com/office/user-experience-changes-for-sharing-a-calendar-in-outlook-5978620a-fe6c-422a-93b2-8f80e488fdec) to ensure this action will succeed. This registry key can be deployed organization-wide by using Group Policy.
+- Ensure that all users using legacy protocols (POP3/IMAP4/SMTP) for their devices are prepared to change the endpoints in their client after their Exchange mailbox has been moved to the new German datacenter region as described in the [pre-migration steps for Exchange Online](ms-cloud-germany-transition-add-pre-work.md#exchange-online).
To find out more about the differences for organizations in migration and after Exchange Online resources are migrated, review the information in [Customer experience during the migration to Office 365 services in the new German datacenter regions](ms-cloud-germany-transition-experience.md).
Back-end Exchange Online Protection (EOP) features are copied to the new region
| Migration of Exchange Online routing and historical message detail. | Exchange Online enables routing from external hosts to Office 365. The external MX records are transitioned to route to the EOP service. Tenant configuration and historical details are migrated. |<ul><li>MicrosoftΓÇômanaged DNS entries are updated from Office 365 Germany EOP to Office 365 services.</li><li>Customers should wait for 30 days after EOP dual write for EOP migration. Otherwise, there may be data loss.</li></ul>| ||||
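Review bot: the added legacy-protocol bullet tells POP3/IMAP4/SMTP users to be "prepared to change the endpoints in their client" but not which hostnames change or to what; readers at this phase are looking for the concrete server names, so either list them here or say that the linked pre-work section does. These clients are the ones most likely to keep working silently against the old endpoint until it is switched off, so a concrete instruction matters more here than for browser users.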
+### Exchange Online Hybrid deployments
+**Applies to:** All customers using an active Exchange Hybrid Configuration with Exchange servers on-premises
+
+Make sure the [Exchange prework](ms-cloud-germany-transition-add-pre-work.md#exchange-online-hybrid-customers) have been applied **before the migration step phase 5 begins**. Exchange Online hybrid customers must run the latest version of the Exchange Hybrid Configuration Wizard (HCW) in "Office 365 Germany" mode to prepare the on-premises configuration for the migration to Office 365 global services.
+
+**Admin actions:**
+- Between the start of the migration phase 6 and the completion of the migration phase 9 (when the Message Center notice is published), you need to run the HCW again using Office 365 Worldwide settings to point your on-premises systems to the Office 365 Global services. Failing to complete this task before phase 9 [Migration Complete] may result in NDRs for mail routed between your on-premises Exchange deployment and Office 365.
+- Stop or delete any onboarding or offboarding mailbox moves, namely don't move mailboxes between Exchange on-premises and Exchange Online. This ensures the mailbox move requests don't fail with an error. Failure to do so may result in failure of the service or Office clients.
+- Additional Send-Connectors that have been created besides the connector created by the HCW and which are targeting to Exchange Online must be updated in this phase immediately after the HCW run has been executed, otherwise they will stop working. The TLS domain must be updated for these Send-Connectors. <br> To update the TLS domain, use the following PowerShell command in your Exchange Server environment:
+```powershell
+Set-SendConnector -Identity <SendConnectorName> -TlsDomain "mail.protection.outlook.com"
+```
+ ## Phase 7: Skype for Business Online **Applies to:** All customers using Skype for Business Online
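Review bot: the send-connector bullet says the extra connectors "must be updated in this phase immediately after the HCW run has been executed" without saying which of the two HCW runs this section describes (the Germany-mode run before phase 5, or the Worldwide-mode run between phases 6 and 9); since `-TlsDomain "mail.protection.outlook.com"` is the worldwide Exchange Online Protection name, tie the instruction to the Worldwide run explicitly. It also helps to say what "stop working" means: TlsDomain is the name the connector validates the remote TLS certificate against, so a connector still set to the Germany name fails validation against the worldwide endpoint and mail queues. Formatting: the ```powershell fence directly follows the list item (which ends in `<br>`) without a blank line, so the block may render inside the bullet in some renderers; separate it. Grammar: "which are targeting to Exchange Online" should be "that target Exchange Online".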
Customers with Dynamics 365 require additional engagement to migrate the organiz
\*\* (i) Customers with Microsoft Power BI must take action in this migration scenario as defined by the Migration process provided. (ii) Failure by the customer to take action will mean that Microsoft will be unable to complete the migration. (iii) When Microsoft is unable to complete the migration due to the customer's inaction, then the customer's subscription will expire on October 29, 2021.
-## Phase 9 & 10: Azure AD Finalization
-
-**Applies to:** All customers
-
-When the Office 365 tenant completes the final step of the migration [Azure AD Finalization (Phase 9)] all services are transitioned to worldwide. No application or user should be accessing resources for the tenant against any of the Microsoft Cloud Deutschland endpoints. Automatically, 30 days after the finalization completes, the Microsoft Cloud Deutschland Azure AD service will stop endpoint access for the transitioned tenant. Endpoint requests such as Authentication will fail from this point forward against the Microsoft Cloud Deutschland service.
-
-| Step(s) | Description | Impact |
-|:-|:-|:-|
-| Update user endpoints | Ensure all users access the service using the proper Microsoft worldwide endpoints |30 days after the migration finalizes, the Microsoft Cloud Deutschland endpoints will stop honoring requests; client or application traffic will fail. |
-| Update Azure AD application endpoints | You must update Authentication, Azure Active Directory (Azure AD) Graph, and MS Graph endpoints for your applications to those of the Microsoft Worldwide service. | 30 days after the migration finalizes, the Microsoft Cloud Deutschland endpoints will stop honoring requests; client or application traffic will fail. |
-||||
-
-## Office Apps
+## Phase 9: Office Apps
**Applies to:** All customers using Office desktop applications (Word, Excel, PowerPoint, Outlook, ...) Office 365 tenants transitioning to the region "Germany" require all users to close, sign out from Office 365 and back in for all Office desktop applications (Word, Excel, PowerPoint, Outlook, etc.) and OneDrive for Business client after the tenant migration has reached phase 9. Signing out and in, allows the Office services to obtain new authentication tokens from the global Azure AD service.
+The best user experience can be ensured by using most recent Office applications. Enterprises should consider using the Monthly Enterprise Channel.
+ Make sure you have completed the [prework for mobile devices](ms-cloud-germany-transition-add-pre-work.md#mobile-device-management) procedure. | Step(s) | Description | Impact |
Make sure you have completed the [prework for mobile devices](ms-cloud-germany-t
## Phase 9: Line-of-business apps
+**Applies to:** All customers using line-of-business apps connected to Office 365
+ In case you have line-of-business apps, make sure you have completed the [prework for line-of-business apps](ms-cloud-germany-transition-add-pre-work.md#line-of-business-apps) procedure.
+## Phase 9 & 10: Azure AD Finalization
+
+**Applies to:** All customers
+
+When the Office 365 tenant completes the final step of the migration [Azure AD Finalization (Phase 9)] all services are transitioned to worldwide. No application or user should be accessing resources for the tenant against any of the Microsoft Cloud Deutschland endpoints. Automatically, 30 days after the finalization completes, the Microsoft Cloud Deutschland Azure AD service will stop endpoint access for the transitioned tenant. Endpoint requests such as Authentication will fail from this point forward against the Microsoft Cloud Deutschland service.
+
+| Step(s) | Description | Impact |
+|:-|:-|:-|
+| Update user endpoints | Ensure all users access the service using the proper Microsoft worldwide endpoints |30 days after the migration finalizes, the Microsoft Cloud Deutschland endpoints will stop honoring requests; client or application traffic will fail. |
+| Update Azure AD application endpoints | You must update Authentication, Azure Active Directory (Azure AD) Graph, and MS Graph endpoints for your applications to those of the Microsoft Worldwide service. | 30 days after the migration finalizes, the Microsoft Cloud Deutschland endpoints will stop honoring requests; client or application traffic will fail. |
+||||
+ ## Post migration Make sure you read the [post migration activities](ms-cloud-germany-transition-add-experience.md) article and execute them accordingly.
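Review bot: the added line "Make sure you have completed the [prework for mobile devices](...) procedure." appears to duplicate the sentence that already exists in the mobile device management section immediately below it (visible as unchanged context); if the intent is a prework pointer under "Phase 9: Office Apps", it should reference the Office prework rather than mobile devices, otherwise drop it. The "Phase 9 & 10: Azure AD Finalization" block is moved verbatim below the line-of-business section, which is fine, but while moving it note that the inner reference "[Azure AD Finalization (Phase 9)]" and the heading "Phase 9 & 10" still disagree on the phase number, and that "Automatically, 30 days after the finalization completes, the Microsoft Cloud Deutschland Azure AD service will stop endpoint access" is the one hard cutoff in the article for applications still using MCD authentication, Azure AD Graph or MS Graph endpoints; bold it like the other deadlines this commit emphasises.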
enterprise O365 Data Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/o365-data-locations.md
ms.assetid: 706d5449-45e5-4b0c-a012-ab60501899ad
description: "Determine where your Microsoft 365 customer data is stored worldwide"
-<!--
-Note to new owner: Links in the Notes and FAQ sections need to be added from the source document at https://microsoft.sharepoint.com/:w:/t/golocalteam/Ebv6_Lw6FvNKucfA1eESTPUBy6O1MdvWEeT-L8O5a2HsIg?e=4%3AUfF1Uj&at=9&xsdata=MDR8MDF8am9zZXBoZEBtaWNyb3NvZnQuY29tfGM1ZTg1ODI0ZWRmMTRlN2E3MDkzMDhkNzgzNDMxYTczfDcyZjk4OGJmODZmMTQxYWY5MWFiMmQ3Y2QwMTFkYjQ3fDF8MHw2MzcxMjIxOTY1MzQ5NjM5NDl8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fC0x&sdata=MkxOUXhlZEdyR0I1SzBvd044d2hkd2RPaGN2RUpaS09jMkZTcys0dkZQRT0%3D
>- # Where your Microsoft 365 customer data is stored The tables below shows where customer data is stored at-rest for Microsoft 365 services across all of Microsoft's global cloud locations. Expand the location of your billing address country to find out where customer data for each service would be stored. If your business is located in the European Union, see [Data locations for the European Union](EU-data-storage-locations.md) for more information.
-Customers should view tenant specific data location information in your Microsoft 365 Admin Center in **Settings | Org settings | Organization Profile | Data location**.
+Customers should view tenant specific data location information in your Microsoft 365 Admin Center in **Settings | Org settings | Organization Profile | Data location**. If you [requested to move to a new Geo](request-your-data-move.md), the data location information in the Microsoft 365 admin center may show only your new Geo even though some data may be stored temporarily in your prior Geo during the transition.
New Microsoft 365 tenants are defaulted to Geo based on the country of the transaction associated with that tenant's first subscription.
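Review bot: removing the HTML comment is the right call for more than tidiness: it embedded a SharePoint sharing URL whose `xsdata` and `sdata` query parameters are encoded sharing-link tokens, and such internal links do not belong in a public docs source even inside a comment. The added sentence about a requested Geo move is useful, but "may show only your new Geo even though some data may be stored temporarily in your prior Geo" leaves open how long "temporarily" is; if the linked data-move article defines the transition window, say so or link to that section directly.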
knowledge Manage Topics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/manage-topics.md
Title: 'Manage topics in the Topic center in Microsoft Viva Topics'
+ Title: 'Manage topics in the topic center in Microsoft Viva Topics'
description: 'How to manage topics in the Topic Center.'--++ audience: admin
localization_priority: None
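Review bot: the front matter now shows both the original `Title: 'Manage topics in the Topic center in Microsoft Viva Topics'` line and the added `Title: 'Manage topics in the topic center in Microsoft Viva Topics'`; confirm the old line is removed, since duplicate keys in YAML front matter are rejected or silently overwritten depending on the parser. The `description:` line still says "Topic Center" while this commit lowercases "topic center" everywhere else; update it for consistency.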
-# Manage topics in the Topic center
+# Manage topics in the topic center in Microsoft Viva Topics
</br>
localization_priority: None
</br>
-In the Viva Topics Topic center, a knowledge manager can view the **Manage topics** page to review topics that have been identified in SharePoint source locations as specified by your knowledge admin.
+In the Viva Topics topic center, a knowledge manager can view the **Manage topics** page to review topics that have been identified in SharePoint source locations as specified by your knowledge admin.
![Topic Center](../media/knowledge-management/topic-center.png) </br>
In the Viva Topics Topic center, a knowledge manager can view the **Manage topic
Knowledge managers help to guide discovered topics through the topic lifecycle in which topics are: -- Suggested: A topic has been identified by AI and has enough supporting resources, connections, and properties.-- Confirmed: A topic that has been suggested by AI is validated. Validation is done by confirmation from a knowledge manager. Additionally, a topic can be confirmed if at least two users give positive feedback through the feedback question on the topic card.-- Published: A confirmed topic that has been curated: manual edits have been made to improve its quality.-- Removed: A topic is rejected by a knowledge manager and will no longer be visible to viewers. The topic can be in any state when it is removed (suggested, confirmed or published). When a published topic is removed, the page with the curated details will need to be deleted manually through the Pages Library of the topic center.
+- **Suggested**: A topic has been identified by AI and has enough supporting resources, connections, and properties.
+- **Confirmed**: A topic that has been suggested by AI is validated. Validation is done by confirmation from a knowledge manager. Additionally, a topic can be confirmed if at least two users give positive feedback through the feedback question on the topic card.
+- **Published**: A confirmed topic that has been curated: manual edits have been made to improve its quality.
+- **Removed**: A topic is rejected by a knowledge manager and will no longer be visible to viewers. The topic can be in any state when it is removed (suggested, confirmed, or published). When a published topic is removed, the page with the curated details will need to be deleted manually through the Pages Library of the topic center.
![Topic Lifecycle chart](../media/knowledge-management/topic-lifecycle.png) </br> > [!Note]
-> In the Manage Topics page, each knowledge manager will only be able to see topics where they have access to the files and pages of the topic. This will be reflected in the topics that are listed under the Suggested, Confirmed, Removed, and Published tabs. The topic counts, however, show the total counts in the organization.
+> On the Manage Topics page, each knowledge manager will only be able to see topics where they have access to the files and pages of the topic. This will be reflected in the topics that are listed under the **Suggested**, **Confirmed**, **Removed**, and **Published** tabs. The topic counts, however, show the total counts in the organization.
## Requirements
-To manage topics in the Topic center, you need to:
+To manage topics in the topic center, you need to:
- Have a Viva Topics license. - Have the [**Who can manage topics**](./topic-experiences-user-permissions.md) permission. Knowledge admins can give users this permission in the Viva Topics topic permissions settings.
-You will not be able to view the Manage Topics page in the Topic Center unless you have the **Who can manage topics** permission.
+You will not be able to view the Manage Topics page in the topic center unless you have the **Who can manage topics** permission.
In the topic center, a knowledge manager can review topics that have been identified in the SharePoint source locations you specified, and can either confirm or reject them. A knowledge manager can also create and publish new topic pages if one was not found in topic discovery, or edit existing ones if they need to be updated. ## Review suggested topics
-On the Topic center Manage Topics page, topics that were discovered in your specified SharePoint source locations will be listed in the **Suggested** tab. If needed, a knowledge manager can review unconfirmed topics and choose to confirm or reject them.
+On the topic center Manage Topics page, topics that were discovered in your specified SharePoint source locations will be listed in the **Suggested** tab. If needed, a knowledge manager can review unconfirmed topics and choose to confirm or reject them.
![Suggested Topics](../media/knowledge-management/quality-score.png) </br>
To review a suggested topic:
2. On the topic page, review the topic page, and select **Edit** if you need to make any changes to the page. Publishing any edits will move this topic to the **Published** tab.
-3. After reviewing the topic, go back to the Manage topics page. For the selected topic, you can:
+3. After reviewing the topic, go back to the Manage Topics page. For the selected topic, you can:
- Select the check mark to confirm the topic.
To review a suggested topic:
### Quality score
-Each topic that appears in your Suggested Topics page has a <b>Quality</b> score assigned to it. The Quality score is a reflection of the amount of information that the average user will see for the information on the topic, keeping in mind that each user may see more or less information because of the permissions they may or may not have on the information in a topic.
+Each topic that appears on your Suggested Topics page has a quality score assigned to it. The quality score is a reflection of the amount of information that the average user will see for the information on the topic, keeping in mind that each user might see more or less information because of the permissions they might or might not have on the information in a topic.
-The Quality score can help give insight to the topics with the most information and can be useful for finding topics that may need to be manually edited. For example, a topic with a lower quality score may be the result of some users not having SharePoint permissions to pertinent files or sites that AI has included in the topic. A contributor could then edit the topic to include the information (when appropriate), which will then be viewable to all users who can view the topic.
+The quality score can help give insight to the topics with the most information and can be useful for finding topics that may need to be manually edited. For example, a topic with a lower quality score might be the result of some users not having SharePoint permissions to pertinent files or sites that AI has included in the topic. A contributor could then edit the topic to include the information (when appropriate), which will then be viewable to all users who can view the topic.
-The Quality score could range from 1 to 100. A newly discovered topic will have a quality score of 0 until two or more users have viewed it. Each users quality score is determined by a number of factors, such as the amount of content displayed for the specific user, which is controlled the user's permissions as each topic page has security trimming in place for AI-generated content. The Quality score shown on the Suggested topics tab is an average of each users individual score.
+The quality score could range from 1 to 100. A newly discovered topic will have a quality score of 0 until two or more users have viewed it. Each user's quality score is determined by a number of factors, such as the amount of content displayed for the specific user, which is controlled the user's permissions as each topic page has security trimming in place for AI-generated content. The quality score shown on the **Suggested** topics tab is an average of each users individual score.
### Impressions
-The <b>Impressions</b> column displays the number of times a topic has been shown to end users. This includes views through topic cards in search, through topic highlights, and through Topic center views. It does not reflect the click-through on these topics, but that the topic has been displayed. The Impressions column will show for topics in the Suggested, Confirmed, Published, and Removed tabs in the Manage Topics page.
-
+The **Impressions** column displays the number of times a topic has been shown to end users. This includes views through topic cards in search, through topic highlights, and through topic center views. It does not reflect the click-through on these topics, but that the topic has been displayed. The **Impressions** column will show for topics in the **Suggested**, **Confirmed**, **Published**, and **Removed** tabs on the Manage Topics page.
## Confirmed topics
-On the Manage topics page, topics that were discovered in your specified SharePoint source locations and have been confirmed by a knowledge manager or "crowd-sourced" confirmed by two or more people through the card feedback mechanism will be listed in the **Confirmed** tab. If needed, a user with permissions to manage topics can review confirmed topics and choose to reject them.
+On the Manage Topics page, topics that were discovered in your specified SharePoint source locations and have been confirmed by a knowledge manager or "crowdsourced" confirmed by two or more people through the card feedback mechanism will be listed in the **Confirmed** tab. If needed, a user with permissions to manage topics can review confirmed topics and choose to reject them.
To review a confirmed topic:
To review a confirmed topic:
2. On the topic page, review the topic page, and select **Edit** if you need to make any changes to the page.
-Note that you can still chose to reject a confirmed topic. To do this, go to the selected topic in the Confirmed list, and select the **x** if you want to reject the topic.
+Note that you can still choose to reject a confirmed topic. To do this, go to the selected topic on the **Confirmed** tab, and select the **x** if you want to reject the topic.
## Published topics Published topics have been edited so that specific information will always appear to whoever encounters the page. Manually created topics are listed here as well.
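Review bot: the rewritten quality-score paragraph still carries two defects in the very sentence this hunk edits: "which is controlled the user's permissions" is missing "by", and "an average of each users individual score" should read "each user's". The same paragraph also contradicts itself: it says the score "could range from 1 to 100" and then that a newly discovered topic "will have a quality score of 0"; either state the range as 0 to 100 or say the score is not computed until two or more users have viewed the topic. In the "To review a confirmed topic" procedure only step 2 is visible, immediately after a duplicated "To review a confirmed topic:" line; confirm that step 1 was not lost in this change. Minor: "'crowdsourced' confirmed by two or more people" is awkward; "or confirmed by two or more people through the card feedback mechanism" says the same thing.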
knowledge Topic Center Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-center-overview.md
Title: 'Topic center overview '
+ Title: "Topic center overview in Microsoft Viva Topics"
description: 'Learn about the Topic Center in Microsoft Viva Topics.'--++ audience: admin
localization_priority: None
-# Topic center overview
+# Topic center overview in Microsoft Viva Topics
-In Microsoft Viva Topics, the topic center is a Modern SharePoint site that serves as a center of knowledge for your organizationΓÇï. It's created during [Viva Topics setup](set-up-topic-experiences.md) in the Microsoft 365 admin center.
+In Microsoft Viva Topics, the topic center is a modern SharePoint site that serves as a center of knowledge for your organizationΓÇï. It's created during [Viva Topics setup](set-up-topic-experiences.md) in the Microsoft 365 admin center.
-The topic center has a default home page with the Topics web part where all licensed users can see the topics to which they have a connection.
+The topic center has a default home page with the **Topics** web part where all licensed users can see the topics to which they have a connection.
-While all licensed users who can view topics will have access to the topic center, knowledge managers can al manage topics through the **Manage topics** page. The Manage topics tab will only display to users who have the **Manage topics** permissions.
+While all licensed users who can view topics will have access to the topic center, knowledge managers can also manage topics through the **Manage topics** page. The **Manage topics** tab will only display to users who have the Manage topics permissions.
-## Where is my Topic center
+## Where is my topic center
The topic center is created during Viva Topics setup. After setup completes, an admin can find the URL on the [Topic center management page](./topic-experiences-administration.md#to-access-topics-management-settings).
-1. In the Microsoft 365 admin center, click **Settings**, then **Org settings**.
-2. On the **Services** tab, click **Topic Experiences**.
+1. In the Microsoft 365 admin center, select **Settings**, and then select **Org settings**.
+2. On the **Services** tab, select **Topic Experiences**.
![Connect people to knowledge](../media/admin-org-knowledge-options-completed.png) </br>
The topic center is created during Viva Topics setup. After setup completes, an
On the topic center home page, you can see the topics in your organization to which you have a connection. -- Suggested connections - You will see topics listed under **We've listed you on these topics. Did we get it right?**. These are topics in which your connection to the topic has been suggested through AI. For example, you may be an author of a related file or site. You are asked to confirm that you should stay listed as a related person for the topic.
+- Suggested connections - You will see topics listed under **We've listed you on these topics. Did we get it right?**. These are topics in which your connection to the topic has been suggested through AI. For example, you might be an author of a related file or site. You are asked to confirm that you should stay listed as a related person for the topic.
![Suggested connections](../media/knowledge-management/my-topics.png) </br>
Once a user confirms their connection to a topic, the user can make edits to the
## Manage topics page
-To work in the **Manage Topics** section of Topic center, you need to have the required *Manage topics* permissions needed for the knowledge manager role. Your admin can assign these permissions to users during [knowledge management setup](set-up-topic-experiences.md), or new users can be [added afterwards](topic-experiences-knowledge-rules.md) by an admin through the Microsoft 365 admin center.
+To work in the **Manage Topics** section of topic center, you need to have the required Manage topic permissions needed for the knowledge manager role. Your admin can assign these permissions to users during [knowledge management setup](set-up-topic-experiences.md), or new users can be [added afterwards](topic-experiences-knowledge-rules.md) by an admin through the Microsoft 365 admin center.
-On the Manage Topics page, the topic dashboard shows all the topics, you have access to, that were identified from your specified source locations. Each topic will show the date the topic was discovered. A user who was assigned **Manage topics** permissions can review the unconfirmed topics and choose to:
+On the Manage Topics page, the topic dashboard shows all the topics, you have access to, that were identified from your specified source locations. Each topic will show the date the topic was discovered. A user who was assigned Manage topics permissions can review the unconfirmed topics and choose to:
- Confirm the topic: Highlights the topic to users who have access to the files and pages related to the topic, and lets them see the associated topic card and topic page. - Publish the topic: Edit the topic information to improve the quality of the topic that was initially identified, and highlights the topic to all users who have view access to topics. - Reject the topic: Makes the topic not available to users. The topic is moved to the **Rejected** tab and can be confirmed later if needed.
On the Manage Topics page, the topic dashboard shows all the topics, you have ac
> [!Note] > See [Manage topics](manage-topics.md) for more details about topic managing topics in the Manage topics page. - ## Create or edit a topic
-If you have **Create and edit topics** permissions, you can:
+If you have Create and edit topics permissions, you can:
- [Edit existing topics](edit-a-topic.md): You can make changes to existing topic pages that were created through discovery. - [Create new topics](create-a-topic.md): You can create new topics for ones that were not found through discovery, or if AI tools did not find enough evidence to create a topic. ---- ## See also -
+[Manage topics in the topic center](manage-topics.md)
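Review bot: the `+` line "a modern SharePoint site that serves as a center of knowledge for your organizationΓÇï" keeps the mis-encoded byte sequence `ΓÇï` (a UTF-8 zero-width space read as code page 437) that the `-` line already had; since the line is being rewritten for "Modern" to "modern", drop it here. The permission name is inconsistent inside the hunk: "the required Manage topic permissions needed" (singular, and "required ... needed" is redundant) versus "Manage topics permissions" and "Create and edit topics permissions" on the neighbouring lines; use one form, and consider keeping the bold that the `-` lines had on these names, since they are UI labels. Also, "shows all the topics, you have access to, that were identified from your specified source locations" has misplaced commas and is carried over unchanged; "shows all the topics you have access to that were identified from your specified source locations" is what is meant.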
security Onboard Windows 10 Multi Session Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Onboard-Windows-10-multi-session-device.md
There are several ways to onboard a WVD host machine:
#### *Scenario 1: Using local group policy* This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process.
-Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1).
+Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](configure-endpoints-vdi.md#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1).
Follow the instructions for a single entry for each device.
Follow the instructions for a single entry for each device.
This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way. **Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center**+ 1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip)
- - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**.
- - Select Windows 10 as the operating system.
- - In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints.
- - Click **Download package** and save the .zip file.
+
+ 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**.
+ 1. Select Windows 10 as the operating system.
+ 1. In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints.
+ 1. Click **Download package** and save the .zip file.
+ 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**. **Use Group Policy management console to run the script when the virtual machine starts**+ 1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**.
-1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7).
-1. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
-1. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
-1. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field.
-Enter the following:
-> Action = "Start a program" <br>
-> Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe <br>
-> Add Arguments (optional) = -ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"
+2. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**.
+
+3. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7).
+
+4. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
+
+5. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
+
+6. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field. Enter the following:
+
+ `Action = "Start a program"`
+
+ `Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe`
+
+ `Add Arguments (optional) = -ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"`
-Click **OK** and close any open GPMC windows.
+ Then select **OK** and close any open GPMC windows.
#### *Scenario 3: Onboarding using management tools* If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager.
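Review bot: the scheduled task in this hunk runs as `NT AUTHORITY\SYSTEM` with "Run with highest privileges" and executes `-ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1"` from a UNC path at boot, so whoever can write to that share controls SYSTEM on every host that applies the GPO; the earlier step only says "a shared, read-only location", and the text should spell out that the share and NTFS ACLs must grant write access to administrators only and read access to the computer accounts that need it, and that signing the script (so `AllSigned` can be used instead of `Bypass`) or keeping it in the golden image, as Scenario 1 does, removes the dependency on the share entirely. Two smaller points on the same lines: `& \\Path\To\...ps1` breaks if the real path contains a space, so quote it inside the `-command` string (`"& '\\Path\To\Onboard-NonPersistentMachine.ps1'"`); and the step list restarts at `2.` for "Extract the contents of the .zip file" with the same indentation as the `1.` sub-steps above it, which will render as a nested item rather than the second top-level step.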
-For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-sccm)
+For more information, see [Onboard Windows 10 devices using Configuration Manager](configure-endpoints-sccm.md).
> [!WARNING]
-> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction), please note that rule ΓÇ£[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
+> If you plan to use [Attack Surface reduction Rules](attack-surface-reduction.md), note that the rule ΓÇ£[Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used, because that rule is incompatible with management through Microsoft Endpoint Configuration Manager. The rule blocks WMI commands that the Configuration Manager client uses to function correctly.
> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/run-detection-test).
+> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
#### Tagging your machines when building your golden image As part of your onboarding, you may want to consider setting a machine tag to can differentiate WVD machines more easily in the Microsoft Security Center. For more information, see
-[Add device tags by setting a registry key value](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/machine-tags#add-device-tags-by-setting-a-registry-key-value).
+[Add device tags by setting a registry key value](machine-tags.md#add-device-tags-by-setting-a-registry-key-value).
#### Other recommended configuration settings
-When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-endpoints-gp#other-recommended-configuration-settings).
+When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](configure-endpoints-gp.md#other-recommended-configuration-settings).
Also, if you're using FSlogix user profiles, we recommend you exclude the following files from always-on protection: **Exclude Files:**
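Review bot: the rewritten warning still pairs a mis-encoded opening quote with a plain closing one: `the rule ΓÇ£[Block process creations originating from PSExec and WMI commands](...)"`; use straight quotes on both sides or none, and "Attack Surface reduction Rules" should follow the docset's "attack surface reduction rules" casing. The untouched context line "setting a machine tag to can differentiate WVD machines more easily in the Microsoft Security Center" has a typo ("so you can differentiate") and names the portal "Microsoft Security Center" while the steps above say "Microsoft Defender Security Center"; since the following line is being rewritten anyway, fix both here.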
-> %ProgramFiles%\FSLogix\Apps\frxdrv.sys <br>
-> %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys <br>
-> %ProgramFiles%\FSLogix\Apps\frxccd.sys <br>
-> %TEMP%\*.VHD <br>
-> %TEMP%\*.VHDX <br>
-> %Windir%\TEMP\*.VHD <br>
-> %Windir%\TEMP\*.VHDX <br>
-> \\storageaccount.file.core.windows.net\share\*\*.VHD <br>
-> \\storageaccount.file.core.windows.net\share\*\*.VHDX <br>
+`%ProgramFiles%\FSLogix\Apps\frxdrv.sys`
+
+`%ProgramFiles%\FSLogix\Apps\frxdrvvt.sys`
+
+`%ProgramFiles%\FSLogix\Apps\frxccd.sys`
+
+`%TEMP%\*.VHD`
+
+`%TEMP%\*.VHDX`
+
+`%Windir%\TEMP\*.VHD`
+
+`%Windir%\TEMP\*.VHDX`
+
+`\\storageaccount.file.core.windows.net\share\*\*.VHD`
+
+`\\storageaccount.file.core.windows.net\share\*\*.VHDX`
**Exclude Processes:**
-> %ProgramFiles%\FSLogix\Apps\frxccd.exe <br>
-> %ProgramFiles%\FSLogix\Apps\frxccds.exe <br>
-> %ProgramFiles%\FSLogix\Apps\frxsvc.exe <br>
+`%ProgramFiles%\FSLogix\Apps\frxccd.exe`
+
+`%ProgramFiles%\FSLogix\Apps\frxccds.exe`
+
+`%ProgramFiles%\FSLogix\Apps\frxsvc.exe`
#### Licensing requirements
-Windows 10 Multi-session is a client OS. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/minimum-requirements#licensing-requirements).
+Note on licensing: When using Windows 10 Enterprise multi-session, depending on your requirements, you can choose to either have all users licensed through Microsoft Defender for Endpoint (per user), Windows Enterprise E5, Microsoft 365 Security, or Microsoft 365 E5, or have the VM licensed through Azure Defender.
+Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](minimum-requirements.md#licensing-requirements).
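Review bot: the FSLogix exclusion list this hunk reformats includes extension wildcards under user-writable locations (`%TEMP%\*.VHD`, `%TEMP%\*.VHDX`, `%Windir%\TEMP\*.VHD`, `%Windir%\TEMP\*.VHDX`) and a double wildcard on the file share (`\\storageaccount.file.core.windows.net\share\*\*.VHDX`); these are exactly the patterns that `common-exclusion-mistakes-microsoft-defender-antivirus.md` (touched in this same batch) warns about, because any file a user drops into `%TEMP%` with that extension is skipped by always-on protection. The section should say that these exclusions are required for FSLogix to function, link to the exclusion-risk guidance, and state that `storageaccount` and `share` are placeholders to replace with the tenant's own values rather than literal paths. On the licensing lines, "Microsoft Defender for endpoint" (lowercase "endpoint") conflicts with "Microsoft Defender for Endpoint" on the line above, and "Windows Enterprise E5" and "Microsoft 365 Security" do not match the product names used elsewhere in this set (compare "Microsoft 365 E5" in the same sentence); verify the intended SKU names before merging.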
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
##### [Enable controlled folder access](enable-controlled-folders.md) ##### [Customize controlled folder access](customize-controlled-folders.md) +
+### [Device discovery]()
+#### [Device discovery overview](device-discovery.md)
+#### [Configure device discovery](configure-device-discovery.md)
+#### [Device discovery FAQ](device-discovery-faq.md)
++ ### [Network devices](network-devices.md) ### [Microsoft Defender for Endpoint on macOS]()
##### [Migrate to Attack surface reduction rules](migrating-asr-rules.md) # [Microsoft 365 Defender](../index.yml)
-# [Defender for Office 365](../office-365-security/overview.md)
+# [Defender for Office 365](../office-365-security/index.yml)
+# [Defender for Identity](https://docs.microsoft.com/defender-for-identity/)
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
When you enable Intune integration, Intune will automatically create a classic C
> [!NOTE] > The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints. +
+## Device discovery
+Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. For more information, see [Device discovery](device-discovery.md).
+ ## Preview features Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
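Review bot: the new "Device discovery" section opens with a subject-less fragment, "Helps you find unmanaged devices connected to your corporate network"; start it with "Device discovery helps you find ...". It also lands directly above "Preview features" without saying that device discovery is itself a preview capability that requires preview features to be turned on, which is what the new `configure-device-discovery.md` in this same batch states ("For preview, you'll first need to turn on the Preview features"); one sentence here would save readers a round trip.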
security Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Collect Diagnostic Data Update Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data-update-compliance.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Collect Diagnostic Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Command Line Arguments Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Common Exclusion Mistakes Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configuration Management Reference Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configure Advanced Scan Types Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Configure Block At First Sight Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: priority
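Review bot: `localization_priority: priority` here, while every other article in this batch receives `localization_priority: normal`; if the block-at-first-sight article is deliberately prioritised, fine, otherwise this looks like a typo for `normal`.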
security Configure Cloud Block Timeout Period Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configure Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-discovery.md
+
+ Title: Configure device discovery
+description: Learn how to configure device discovery in Microsoft 365 Defender using basic or standard discovery
+keywords: basic, standard, configure endpoint discovery, device discovery
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+localization_priority: normal
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Configure device discovery
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+++
+Discovery can be configured to be on standard or basic mode. Use the standard option to actively find devices in your network, which will better guarantee the discovery of endpoints and provide richer device classification.
+
+You can customize the list of devices that are used to perform standard discovery. You can either enable standard discovery on all the onboarded devices that also support this capability (currently - Windows 10 devices only) or select a subset or subsets of your devices by specifying their device tags.
++
+> [!IMPORTANT]
+> For preview, you'll first need to turn on the Preview features in Microsoft Defender Security Center.
+> You can then access the device discovery configuration in Microsoft 365 security center. The list of unmanaged devices and security recommendations will be available in both Microsoft Defender Security Center and Microsoft 365 security center, while the dashboard tiles will only be available in Microsoft 365 security center.
++
+Take the following configuration steps in Microsoft 365 security center:
+
+1. Navigate to **Settings > Device discovery**.
+2. Select the discovery mode to use on your onboarded devices.
+3. If you've selected to use standard discovery, select which devices to use for active probing: all devices or on a subset by specifying their device tags.
+4. Click **Save**.
++
+## Exclude devices from being actively probed in standard discovery
+If there are devices on your network which should not be actively scanned (for example, devices used as honeypots for another security tool), you can also define a list of exclusions to prevent them from being scanned. Note that devices can still be discovered using Basic discovery mode. Those devices will be passively discovered but won't be actively probed.
+
+## Select networks to monitor
+ Microsoft Defender for Endpoint analyzes a network and determines if it is a corporate network that needs to be monitored or a non-corporate network that can be ignored. Corporate networks are typically chosen to be monitored. However, you can override this decision by choosing to monitor non-corporate networks where onboarded devices are found.
+
+You can configure where device discovery can be performed by specifying which networks to monitor. When a network is monitored, device discovery can be performed on it.
+
+A list of networks where device discovery can be performed is shown in the **Monitored networks** page.
++
+>[!NOTE]
+> Only top 50 networks (according to the number of associated devices) will be available in the network list.
++
+The list of monitored networks is sorted based upon the total number of devices seen on the network in the last 7 days.
++
+You can apply a filter to view any of the following network discovery states:
+
+- **Monitored networks** - Networks where device discovery is performed.
+- **Ignored networks** - This network will be ignored and device discovery will not be performed on it.
+- **All** - Both monitored and ignored networks will be displayed.
++
+### Configure the network monitor state
+You control where device discovery takes place. Monitored networks is where device discovery will be performed and are typically corporate networks. You can also choose to ignore networks or select the initial discovery classification after modifying a state.
+
+Choosing the initial discovery classification means applying the default system-made network monitor state. Selecting the default system-made network monitor state means that networks that were identified to be corporate, will be monitored, and ones identified as non-corporate, will be ignored automatically.
+
+1. Select **Settings > Device discovery**.
+2. Select **Monitored networks**.
+3. View the list of networks.
+4. Select the three dots next to the network name.
+5. Choose whether you want to monitor, ignore, or use the initial discovery classification.
+
+ > [!WARNING]
+ >- Choosing to monitor a network that was not identified by Microsoft Defender for Endpoint as a corporate network can cause device discovery outside of your corporate network, and may therefore detect home or other non-corporate devices.
+ > - Choosing to ignore a network will stop monitoring and discovering devices in that network. Devices that were already discovered will not be removed from the inventory, but will no longer be updated, and details will be retained until the data retention period of the Defender for Endpoint expires.
+ > - Before choosing to monitor non-corporate networks, you must ensure you have permission to do so. <br>
++
+6. Confirm that you want to make the change.
++++
+## See also
+- [Device discovery overview](device-discovery.md)
+- [Device discovery FAQs](device-discovery-faq.md)
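Review bot: the front matter of this new file lists `- M365-security-compliance` and `- m365initiative-m365-defender` with no key above them in the hunk as shown (the other articles in this set carry such values under a `ms.collection:` key), and there is no `ms.prod:` line although sibling articles set `ms.prod: m365-security`; check that the metadata block is complete before publishing. On the content: standard discovery sends active probes from onboarded Windows 10 devices, and the article should say plainly that this traffic is visible to network monitoring and other security tools and may raise alerts there, which is the reason the honeypot exclusion in "Exclude devices from being actively probed" exists; the third warning bullet, "Before choosing to monitor non-corporate networks, you must ensure you have permission to do so", is the controlling constraint and should be the first bullet, with the home-device bullet following as its consequence. Wording: "which will better guarantee the discovery of endpoints" is vague (say it finds devices that passive discovery misses); "select a subset or subsets of your devices" can be "select a subset of your devices"; "Only top 50 networks" needs "the"; "**Ignored networks** - This network will be ignored" mixes plural and singular; and "until the data retention period of the Defender for Endpoint expires" should read "until the Defender for Endpoint data retention period expires".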
security Configure End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-end-user-interaction-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configure Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about)
+- [Microsoft 365 Insider risk management](/microsoft-365/compliance/insider-risk-management)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
security Configure Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md
Title: Set up exclusions for Microsoft Defender AV scans
+ Title: Set up exclusions for Microsoft Defender Antivirus scans
description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell. keywords: search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
-+ ms.technology: mde
+ms.audience: ITPro
+ # Configure and validate exclusions for Microsoft Defender Antivirus scans
To configure and validate exclusions, see the following:
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process. ## Recommendations for defining exclusions-
+[!IMPORTANT]
+Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. The following is a list of recommendations that you should keep in mind when defining exclusions:
The following is a list of recommendations that you should keep in mind when def
## Related articles - [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)-- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
+- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
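Review bot: the added `[!IMPORTANT]` line will not render as an alert: the docs syntax needs `> [!IMPORTANT]` and the following paragraph must also be prefixed with `> `, otherwise the bracketed token appears as literal text. The claim it introduces, that Microsoft Defender Antivirus "includes many automatic exclusions", refers to the Windows Server role-based exclusions covered by the "exclusions on Windows Server 2016" article already linked under Related articles; link it from the note so readers do not assume client workloads are covered. In the metadata, `ms.audience: ITPro` does not match the `audience:` key used by the other articles in this batch (`audience: ITPro`, `audience: admin`), and the line `-+ ms.technology: mde` looks like a stray `+` fused onto the removal; make sure `ms.technology: mde` survives as an added line.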
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configure Microsoft Defender Antivirus Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configure Notifications Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configure Process Opened File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configure Protection Features Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
Last updated 12/16/2019
security Configure Remediation Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Customize Run Review Remediate Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Customize Run Review Remediate Scans Windows Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-windows-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
If you have alerts that are either false positives or that are true positives bu
Other actions, such as starting an antivirus scan or collecting an investigation package, occur manually or through [Live Response](live-response.md). Actions taken through Live Response cannot be undone. After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. Specifically, you can:-- [Undo one action at a time](#undo-an-action);-- [Undo multiple actions at one time](#undo-multiple-actions-at-one-time); and -- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). +
+- [Restore a quarantined file from the Action Center](#restore-a-quarantined-file-from-the-action-center)
+- [Undo multiple actions at one time](#undo-multiple-actions-at-one-time)
+- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). and
+- [Restore file from quarantine](#restore-file-from-quarantine)
When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions).
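Review bot: the rewritten list of undo options still carries leftovers from the old inline form: the "Remove a file from quarantine across multiple devices" item ends in ". and" (a period followed by the old conjunction), and the items are inconsistent about trailing punctuation. Drop the stray ". and" and either end every item the same way or none of them. Note also that the first item now links to `#restore-a-quarantined-file-from-the-action-center`, which matches the heading rename further down, so any other page that deep-linked to the old `#undo-an-action` anchor will break; worth a quick search of the docs set.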
When you're done reviewing and undoing actions that were taken as a result of fa
3. Select an item to view more details about the remediation action that was taken.
-### Undo an action
+### Restore a quarantined file from the Action Center
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
When you're done reviewing and undoing actions that were taken as a result of fa
2. On the **History** tab, select a file that has the Action type **Quarantine file**.
+3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
+
+### Restore file from quarantine
+
+You can roll back and remove a file from quarantine if youΓÇÖve determined
+that itΓÇÖs clean after an investigation. Run the following command on each
+device where the file was quarantined.
+
+1. Open an elevated commandΓÇôline prompt on the device:
+
+ 1. Go to **Start** and type _cmd_.
+
+ 1. RightΓÇôclick **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```console
+ "ProgramFiles%\Windows Defender\MpCmdRun.exe" ΓÇôRestore ΓÇôName EUS:Win32/CustomEnterpriseBlock ΓÇôAll
+ ```
+
+ > [!NOTE]
+ > In some scenarios, the **ThreatName** may appear as: `EUS:Win32/
+CustomEnterpriseBlock!cl`. Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
+
+ > [!IMPORTANT]
+ > A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
+ 3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. + ## Part 3: Review or define exclusions An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process wonΓÇÖt be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
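Review bot: the restore command in the new "Restore file from quarantine" section will not run as written: the path is `"ProgramFiles%\Windows Defender\MpCmdRun.exe"`, missing the leading `%` of `%ProgramFiles%`, so cmd looks for a literal relative path and fails; and the switches are written with en dashes (`–Restore –Name … –All`) rather than ASCII hyphens, so a copy-paste of the line is rejected by the parser even after the path is fixed. The threat name in the NOTE box is also split across a line break inside inline code (`EUS:Win32/` / `CustomEnterpriseBlock!cl`), which renders as two fragments. On scope: the intro says the steps "remove a file from quarantine", but with `-All` the command restores every file quarantined under that threat name on the device in the last 30 days, as the NOTE itself states; say that in the intro so an admin restoring one misclassified file understands they are restoring all custom-blocked items on that device, and tell them to confirm the threat name from the alert before running it. Finally, step 3 of the Action Center procedure ("In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**") now appears twice: once at the end of that procedure and again after the IMPORTANT box at the end of this new section, where it no longer belongs and where it has been run onto the same line as the "## Part 3: Review or define exclusions" heading. Delete the second copy so the section ends cleanly before "## Part 3".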
security Deploy Manage Report Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Deploy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Deployment Vdi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: detect ms.sitesec: library
+localization_priority: priority
security Device Discovery Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md
+
+ Title: Device discovery frequently asked questions
+description: Find answers to frequently asked questions (FAQs) about device discovery
+keywords: device discovery, discover, passive, proactive, network, visibility, server, workstation, onboard, unmanaged devices
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+localization_priority: normal
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Device discovery frequently asked questions
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+Find answers to frequently asked questions (FAQs) about device discovery.
+
+## What is Basic discovery mode?
+This mode allows every Microsoft Defender for Endpoint onboarded device to collect network data and discover neighboring devices. Onboarded endpoints passively collect events in the network and extract device information from them. No network traffic will be initiated. Onboarded endpoints will simply extract data from every network traffic that is seen by an onboarded device. This data used to list unmanaged devices in your network.
+
+## Can I disable Basic discovery?
+You have the option to turn off device discovery through the [Advanced features](advanced-features.md) page. However, you will lose visibility on unmanaged devices in your network.
+
+## What is Standard discovery mode?
+ In this mode endpoints onboarded to Microsoft Defender for Endpoint can actively probe observed devices in the network to enrich collected data (with negligible amount of network traffic). This mode is highly recommended for building a reliable and coherent device inventory. If you choose to disable this mode, and select Basic discovery mode, you will likely only gain limited visibility of unmanaged endpoints in your network.
+
+## Can I control which devices perform Standard discovery?
+ You can customize the list of devices that are used to perform Standard discovery. You can either enable Standard discovery on all the onboarded devices that also support this capability (currently Windows 10 devices only) or select a subset or subsets of your devices by specifying their device tags. In this case, all other devices will be configured to run Basic discovery only. The configuration is available in the device discovery settings page.
+
+## Which onboarded devices can perform discovery?
+ Onboarded devices running on Windows 10 version 1809 or later can perform discovery.
+
+## What happens if my onboarded devices is connected to my home network, or to public access point?
+ The discovery engine distinguishes between network events that are received in the corporate network versus outside of the corporate network. By correlating network identifiers across all tenant's clients, events are differentiated between ones that were received from private networks and corporate networks. Private network devices will not be listed in the inventory and will not be actively probed.
+
+## What protocols are you capturing and analyzing?
+ By default, all onboarded devices running on Windows 10 version 1809 or later are capturing and analyzing the following protocols:
+ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR, mDNS, MNDP, NBNS, SSDP, TCP (headers), UDP (headers), WSD
+
+## Which protocols do you use for active probing in Standard discovery?
+ When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols:
+ARP, FTP, HTTP, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL
+
+## How can I exclude targets from being probed with Standard discovery?
+ If there are devices on your network which should not be actively probed, you can also define a list of exclusions to prevent them from being scanned. The configuration is available in the device discovery settings page.
+
+## Can I exclude devices from being discovered?
+ As device discovery uses passive methods to discover devices in the network, any device that communicates with your onboarded devices in the corporate network can be discovered and listed in the inventory. You can exclude devices from active probing only.
+
+## How frequent is the active probing?
+ Devices will actively be probed when changes in device characteristics are observed, and once a week to make sure the existing information is up-to-date.
+
+## My security tool raised alert on UnicastScanner.ps1 or port scanning activity initiated by it, what should I do?
+ The active probing scripts are signed by Microsoft and are safe. You can add the following path to your exclusion list:
+`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps`
++
+## What is the amount of traffic being generated by the Standard discovery active probe?
+ Active probing can generate up to 5K of traffic between the onboarded device and the probed device, every probing attempt
+
+## Why is there a discrepancy between "can be onboarded" devices in the device inventory, and the number of "devices to onboard" in the dashboard tile?
+You may notice differences between the number of listed devices under "can be onboarded" in the device inventory, "onboard to Microsoft Defender for Endpoint" security recommendation, and "devices to onboard" dashboard widget.
+
+ The security recommendation and the dashboard widget are for devices that are stable in the network; excluding ephemeral devices, guest devices and others. The idea is to recommend on persistent devices, that also imply on the overall security score of the organization.
+
+## Can I onboard unmanaged devices that were found?
+ Yes. Unmanaged endpoints in your network introduce vulnerabilities and risks to your network. Onboarding them to the service can increase the security visibility on them.
++
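Review bot: the exclusion path given in the UnicastScanner.ps1 answer, `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps`, will not cover the script it is meant to cover: the probing scripts named in this FAQ have a `.ps1` extension, and a `*.ps` pattern matches only files ending in `.ps`. Change it to `*.ps1`, or better, reconsider the advice: a wildcard path exclusion under a world-writable ProgramData folder covers anything with that extension dropped into the folder, not just the Microsoft-signed scripts the answer is vouching for, so the answer should tell admins to scope the exclusion to the signed scripts (or by signer, where their tool supports it) rather than to the whole folder. Smaller points in the same hunk: "What happens if my onboarded devices is connected" should be "device is"; "This data used to list unmanaged devices" is missing "is"; "raised alert on" should be "raised an alert on"; and "up to 5K of traffic" needs a unit (KB) and a statement of whether that is per probe or per device per probing round.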
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
+
+ Title: Device discovery overview
+description: Learn how to leverage endpoint discovery in Microsoft 365 Defender to find unmanaged devices in your network
+keywords: device discovery, discover, passive, proactive, network, visibility, server, workstation, onboard, unmanaged devices
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+localization_priority: normal
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Device discovery overview
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+Protecting your environment requires taking inventory of the devices that are in your network. However, mapping devices in a network can often be expensive, challenging, and time-consuming.
+
+Microsoft Defender for Endpoint provides a device discovery capability that helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes.
++
+The device discovery capability allows you to:
+
+- **Discover enterprise endpoints connected to your corporate network** <br>
+Using either basic or standard discovery options, you can discover workstations, servers, and mobile endpoints that are not yet onboarded to Microsoft Defender for Endpoint.
+
+- **Onboard discovered endpoints**<br>
+Unmanaged endpoints in your network introduce vulnerabilities and risks to your network. Onboarding them to the service can increase the security visibility on them.
+
+In conjunction with this capability, a new security recommendation to onboard devices to Microsoft Defender for Endpoint will be available as part of the existing Threat and Vulnerability Management experience.
+++
+## Discovery methods
+There are two modes of discovery:
+
+- Basic discovery
+- Standard discovery (recommended)
++
+> [!IMPORTANT]
+> Discovery is set to basic mode. You can choose to retain this configuration through the settings page. Standard discovery will be the default mode for all preview customers starting May 10, 2021 - unless modified through the settings page before this date.
+
+### Basic discovery
+
+In this mode, endpoints will passively collect events in your network and extract device information from them. Basic discovery uses the SenseNDR.exe binary for passive network data collection and no network traffic will be initiated. Endpoints will simply extract data from every network traffic that is seen by an onboarded device.
+
+### Standard discovery
+
+This mode allows endpoints to actively probe observed devices in the network to enrich collected data - helping you build a reliable and coherent device inventory. Standard mode uses smart, active probing to discover even more information about observed devices to enrich existing device information.
+
+When Standard mode is enabled, minimal and negligible network activity generated by the discovery sensor might be observed by network monitoring tools in your organization.
+
+ If you choose not to enable this mode, you will only gain limited visibility of unmanaged endpoints in your network.
+
+Standard discovery uses various PowerShell scripts to actively probe devices in the network. Those PowerShell scripts are Microsoft signed and are executed from the following location: `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps`. For example, `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\UnicastScannerV1.1.0.ps1`.
+
+You can change and customize your discovery settings, for more information see [Configure device discovery](configure-device-discovery.md).
+
+> [!NOTE]
+> The discovery engine distinguishes between network events that are received in the corporate network versus outside of the corporate network. Devices that are not connected to corporate networks will not be discovered or listed in the device inventory.
+++
+## Device Inventory
+Devices that have been discovered but have not yet been onboarded and secured by Microsoft Defender for Endpoint will be listed in Device Inventory within the Endpoints tab.
+You can now use a new filter in the device inventory list called Onboarding status which can have any of the following values:
+
+- Onboarded ΓÇô The endpoint is onboarded to Microsoft Defender for Endpoint.
+- Can be onboarded ΓÇô The endpoint was discovered in the network and the Operating System was identified as one that is supported by Microsoft Defender for Endpoint, but it is not currently onboarded. We highly recommend onboarding these devices.
+- Unsupported ΓÇô The endpoint was discovered in the network but is not supported by Microsoft Defender for Endpoint.
+- Insufficient info ΓÇô The system could not determine the supportability of the device. Enabling standard discovery on more devices in the network can enrich the discovered attributes.
+
+
+![Image of device inventory dashboard](images/2b62255cd3a9dd42f3219e437b956fb9.png)
+++
+## Vulnerability assessment on discovered devices
+Vulnerabilities and risks on your devices as well as other discovered unmanaged devices in the network are part of the current TVM flows under "Security Recommendations" and represented in entity pages across the portal.
+Search for "SSH" related security recommendations to find SSH vulnerabilities that are related for unmanaged and managed devices.
+
+![Image of security recommendations dashboard](images/1156c82ffadd356ce329d1cf551e806c.png)
+
+## Use Advanced Hunting on discovered devices
+You can use Advanced Hunting queries to gain visibility on discovered devices.
+Find details about discovered Endpoints in the DeviceInfo table, or network-related information about those devices in the DeviceNetworkInfo table.
+
+
+![Image of advanced hunting use](images/f48ba1779eddee9872f167453c24e5c9.png)
++
+Device discovery leverages Microsoft Defender for Endpoint onboarded devices as a network data source to attribute activities to non-onboarded devices. This means that if a Microsoft Defender for Endpoint onboarded device communicated with a non-onboarded device, activities on the non-onboarded device can be seen on the timeline and through the Advanced hunting DeviceNetworkEvents table. 
+++
+New events are Transmission Control Protocol (TCP) connections-based and will fit to the current DeviceNetworkEvents scheme. TCP ingress to the Microsoft Defender for Endpoint enabled device from a non-Microsoft Defender for Endpoint enabled. 
+
+The following action types have also been added:ΓÇ»
+
+- ConnectionAttemptΓÇ»- An attempt to establish a TCP connection (syn)ΓÇ»
+- ConnectionAcknowledgedΓÇ»- An acknowledgment that a TCP connection was accepted (syn\ack)ΓÇ»
+
+You can try this example query:ΓÇ»
+
+```
+DeviceNetworkEvents
+| where ActionType == "ConnectionAcknowledged" or ActionType == "ConnectionAttempt"
+| take 10
+```
++
+## Changed behaviour
+The following section lists the changes you'll observe in Microsoft Defender for Endpoint and/or Microsoft 365 Security Center when this capability is enabled.
+
+1. Devices that are not onboarded to Microsoft Defender to Endpoint are expected to appear in the device inventory, advanced hunting, and API queries. This may significantly increase the size of query results.
+ 1. "DeviceInfo" and "DeviceNetworkInfo" tables in Advanced Hunting will now hold discovered device. You can filter out those devices by using ΓÇ£OnboardingStatusΓÇ¥ attribute.
+
+ 2. Discovered devices are expected to appear in Streaming API query results. You can filter out those devices by using the `OnboardingStatus` filter in your query.
+
+2. Unmanaged devices will be assigned to existing device groups based on the defined criteria.
+3. In rare cases, Standard discovery might trigger alerts on network monitors or security tools. Please provide feedback, if you experience such events, to help prevent these issues from recurring. You can explicitly exclude specific targets or entire subnets from being actively probed by Standard discovery.
+++
+## Next steps
+- [Configure device discovery](configure-device-discovery.md)
+- [Device discovery FAQs](device-discovery-faq.md)
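Review bot: the Standard discovery paragraph contradicts itself in one sentence: it says the signed scripts run from `…\Downloads\*.ps` and then gives `…\Downloads\UnicastScannerV1.1.0.ps1` as the example, which a `*.ps` pattern does not match; use `*.ps1` (the same fix is needed in device-discovery-faq.md in this batch, which copies the path). Under "Use Advanced Hunting on discovered devices", the sentence "TCP ingress to the Microsoft Defender for Endpoint enabled device from a non-Microsoft Defender for Endpoint enabled." is a fragment with no subject noun and no ending; it needs to say what is recorded (which table, which direction) or be removed. The DeviceNetworkEvents example query sits in an untagged code fence, so it gets no highlighting; tag it. In "Changed behaviour": "Microsoft Defender to Endpoint" should be "for Endpoint", "will now hold discovered device" should be plural, and "behaviour" is British spelling in a set that otherwise uses US spelling ("Security Center" in the same section). The IMPORTANT box reads "Discovery is set to basic mode", which reads as a fixed setting; "is set to basic mode by default" is what the following sentence about the May 10, 2021 change implies. Several bullets also end in a non-breaking space (shown as `ΓÇ»` in the diff), which should be plain spaces.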
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
Last updated 11/13/2020
security Evaluate Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
ms.sitesec: library
ms.pagetype: security
+localization_priority: normal
audience: ITPro
security Limited Periodic Scanning Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
The following commands are available for user roles that are granted the ability
|`connections` | Shows all the active connections. | |`dir` | Shows a list of files and subdirectories in a directory. | |`download <file_path> &` | Downloads a file in the background. |
-drivers | Shows all drivers installed on the device. |
-|`fg <command ID>` | Returns a file download to the foreground. |
+|`drivers` | Shows all drivers installed on the device. |
+|`fg <command ID>` | Place the specified job in the foreground in the foreground, making it the current job. <br> NOTE: fg takes a ΓÇ£command IDΓÇ¥ available from jobs, not a PID |
|`fileinfo` | Get information about a file. | |`findfile` | Locates files by a given name on the device. |
+|`getfile <file_path>` | Downloads a file. |
|`help` | Provides help information for live response commands. |
+|`jobs` | Shows currently running jobs, their ID and status. |
|`persistence` | Shows all known persistence methods on the device. | |`processes` | Shows all processes running on the device. | |`registry` | Shows registry values. |
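Review bot: the new description for `fg <command ID>` reads "Place the specified job in the foreground in the foreground, making it the current job"; drop the duplicated phrase. The quotes around "command ID" in the NOTE are curly quotes (shown as `ΓÇ£`/`ΓÇ¥`), which are inconsistent with the plain quotes used in the rest of the table, and the NOTE itself would read better as "fg takes a command ID (listed by `jobs`), not a PID" now that a `jobs` row exists in this same table.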
The following commands are available for user roles that are granted the ability
| Command | Description | ||| | `analyze` | Analyses the entity with various incrimination engines to reach a verdict. |
-| `getfile` | Gets a file from the device. <br> NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. |
| `run` | Runs a PowerShell script from the library on the device. | | `library` | Lists files that were uploaded to the live response library. | | `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. |
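Review bot: removing the `getfile` row from the advanced-commands table drops its NOTE ("This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command"), but the `getfile <file_path>` row added to the basic table above carries only "Downloads a file." If the prerequisite and the `-auto` option still apply, that note needs to move with the command; if they no longer apply, the change should say so rather than silently dropping it. Also, `getfile` now appears in the basic table while the `analyze`/`run`/`putfile` table still implies a higher permission level, so confirm which role is actually required.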
Each command is tracked with full details such as:
## Limitations -- Live response sessions are limited to 10 live response sessions at a time.-- Large-scale command execution is not supported.-- Live response session inactive timeout value is 5 minutes. -- A user can only initiate one session at a time.
+- Live response sessions are limited to 25 live response sessions at a time.
+- Live response session inactive timeout value is 30 minutes.
+- A user can initiate up to 10 concurrent sessions.
- A device can only be in one session at a time. - The following file size limits apply: - `getfile` limit: 3 GB
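Review bot: the limits rewrite changes three numbers (10 to 25 sessions at a time, 5 to 30 minutes inactive timeout, one session per user to 10 concurrent) but also silently deletes the bullet "Large-scale command execution is not supported"; if that limitation still holds it should stay, and if it has been lifted the change should say so. The scopes of the two session limits are also ambiguous side by side: "25 live response sessions at a time" and "a user can initiate up to 10 concurrent sessions" need to say whether 25 is per tenant, and the "A device can only be in one session at a time" bullet that follows is unchanged, which is fine but worth confirming against the new concurrency numbers.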
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
The following steps can be used to troubleshoot and mitigate these issues:
125 CrashPlanService 164 ```
- To improve the performance of Defender for Endpoint for Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).
+ To improve the performance of Defender for Endpoint on Mac, locate the one with the highest number under the Total files scanned row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on Linux](linux-exclusions.md).
> [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
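Review bot: the wording fix from "for Mac" to "on Mac" leaves the real problem in this line: a macOS performance-troubleshooting article tells the reader to add an exclusion and then links to `linux-exclusions.md` with the link text "Configure and validate exclusions for Defender for Endpoint on Linux". The link should point to the macOS exclusions article, and the text should say so. While here, "locate the one with the highest number under the Total files scanned row" should name what "the one" is (the process) so the instruction is unambiguous, and it is worth adding that excluding the top scanner (CrashPlanService in the sample output) trades protection for performance and should be scoped to that process, not a whole folder.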
security Manage Event Based Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Manage Outdated Endpoints Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Manage Protection Update Schedule Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus.md
search.appverid: met150
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Manage Updates Mobile Devices Vms Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Microsoft Defender Antivirus In Windows 10 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: priority
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Microsoft Defender Endpoint Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-This topic describes how to install, configure, update, and use Defender for Endpoint for Android.
+This topic describes how to install, configure, update, and use Defender for Endpoint on Android.
> [!CAUTION]
-> Running other third-party endpoint protection products alongside Defender for Endpoint for Android is likely to cause performance problems and unpredictable system errors.
+> Running other third-party endpoint protection products alongside Defender for Endpoint on Android is likely to cause performance problems and unpredictable system errors.
## How to install Microsoft Defender for Endpoint on Android
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
ms.technology: mde
iOS devices along with other platforms. > [!CAUTION]
-> Running other third-party endpoint protection products alongside Defender for Endpoint for iOS is likely to cause performance problems and unpredictable system errors.
+> Running other third-party endpoint protection products alongside Defender for Endpoint on iOS is likely to cause performance problems and unpredictable system errors.
## Pre-requisites
iOS devices along with other platforms.
- Access to the Microsoft Defender Security Center portal. > [!NOTE]
- > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint on iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint for iOS related device compliance policies in Intune.
+ > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint on iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint on iOS related device compliance policies in Intune.
- Access to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization.
iOS devices along with other platforms.
- Device is enrolled with the [Intune Company Portal app](https://apps.apple.com/us/app/intune-company-portal/id719171358). > [!NOTE]
-> **Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).**
+> **Microsoft Defender ATP (Microsoft Defender for Endpoint) on iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).**
## Installation instructions
security Microsoft Defender Offline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Microsoft Defender Security Center Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Migrating Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-asr-rules.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
audience: ITPro
ms.technology: mde
# Migrating from a third-party HIPS to ASR rules
-This article helps you to map common rules to Microsoft Defender for Endpoint. The following table shows common questions and scenarios when migrating from a third-party HIPS product to ASR rules.
-
-|Scope and Action|Processes|Operation|Examples of Files/Folders, Registry Keys/Values, Processes, Services|Attack Surface Reduction rules|Other recommended features|
-|:--|:--|:--|:--|:--|:--|
-|All Processes: Block creation of specific files and registry keys||File Creation|*.zepto, *.odin, *.locky, *.jaff, *.lukitus, *.wnry, *.krab|ASR rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension is not always useful, because it does not prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.|Having Microsoft Defender AV enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommended you use other prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, several of these registry keys are monitored by Microsoft Defender for Endpoint, such as ASEP techniques, which will trigger specific alerts. The registry keys used require a minimum of Local Admin or Trusted Installer privileges to be able to be modified. Using a locked down environment, with minimum administrative accounts or rights, is recommended. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that are part of our wider security recommendations.|
-|All Processes: Block creation of specific files and registry keys||Registry Modifications|*\Software\*,HKCU\Environment\UserInitMprLogonScript,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs\*\StartExe, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*\Debugger,HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author\location,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\*\MonitorProcess|ASR rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension is not always useful, because it does not prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.|Having Microsoft Defender AV enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommended you use additional prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, several of these registry keys are monitored by Microsoft Defender for Endpoint, such as ASEP techniques, which will trigger specific alerts. Plus, the registry keys used require a minimum of Local Admin or Trusted Installer privileges to be able to be modified. Using a locked down environment, with minimum administrative accounts or rights, is recommended. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that are part of our wider security recommendations.|
-|Untrusted Programs from USB: Block untrusted programs from running from removable drives|*|Process Execution|*|ASR rules have a built-in rule to prevent the launch of untrusted and unsigned programs from removable drives: "Block untrusted and unsigned processes that run from USB", GUID "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4".|Please explore additional controls for USB devices and other removable media using Microsoft Defender for Endpoint: [How to control USB devices and other removable media using Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune). |
-|Mshta: Block Mshta from launching certain child processes|mshta.exe|Process Execution|powershell.exe, cmd.exe, regsvr32.exe|ASR rules don't contain any specific rule to prevent child processes from "mshta.exe". This control is within the remit of Exploit Protection or Windows Defender Application Control.|Enable Windows Defender Application Control to prevent mshta.exe from being executed altogether. If your organization requires "mshta.exe" for line of business apps, configure a specific Windows Defender Exploit Protection rule, in order to prevent mshta.exe from launching child processes.|
-|Outlook: Block Outlook from launching child processes|outlook.exe|Process Execution|powershell.exe|ASR rules have a built-in rule to prevent Office communication apps (Outlook, Skype and Teams) from launching child processes: "Block Office communication application from creating child processes", GUID "26190899-1602-49e8-8b27-eb1d0a1ce869".|We recommend enabling PowerShell constrained language mode, in order to minimize the attack surface from PowerShell.|
-|Office: Block Office Apps from launching child processes and from creating executable content|winword.exe, powerpnt.exe, excel.exe|Process Execution|powershell.exe, cmd.exe, wscript.exe, mshta.exe, EQNEDT32.EXE, regsrv32.exe|ASR rules have a built-in rule to prevent Office apps from launching child processes: "Block all Office applications from creating child processes", GUID "D4F940AB-401B-4EFC-AADC-AD5F3C50688A".|N/A|
-|Office: Block Office Apps from launching child processes and from creating executable content|winword.exe, powerpnt.exe, excel.exe|File Creation|C:\Users\*\AppData\**\*.exe, C:\ProgramData\**\*.exe, C:\ProgramData\**\*.com, C:\Users\*AppData\Local\Temp\**\*.com, C:\Users\**\Downloads\**\*.exe, C:\Users\*\AppData\**\*.scf, C:\ProgramData\**\*.scf, C:\Users\Public\*.exe, C:\Users\*\Desktop\**\*.exe|N/A|
-|Wscript: Block Wscript from reading certain types of files|wscript.exe|File Read|C:\Users\*\AppData\**\*.js*, C:\Users\*\Downloads\**\*.js*|Due to reliability and performance issues, ASR rules do not have the capability to prevent a specific process from reading a certain script file type. We do have a rule to prevent attack vectors that might originate from these scenarios. The rule name is "Block JavaScript or VBScript from launching downloaded executable content" (GUID "D3E037E1-3EB8-44C8-A917-57927947596D") and the "Block execution of potentially obfuscated scripts" (GUID " 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC")|Though there are specific ASR rules that mitigate certain attack vectors within these scenarios, it's important to mention that AV is able by default to inspect scripts (PowerShell, Windows Script Host, JavaScript, VBScript, and more) in real time, through the Antimalware Scan Interface (AMSI). More info is available here: [Antimalware Scan Interface (AMSI)](https://docs.microsoft.com/windows/win32/amsi/antimalware-scan-interface-portal). |
-|Adobe Acrobat: Block launch of child processes|AcroRd32.exe, Acrobat.exe|Process Execution|cmd.exe, powershell.exe, wscript.exe|ASR rules allow blocking Adobe Reader from launching child processes. The rule name is "Block Adobe Reader from creating child processes", GUID "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c".|N/A|
-|CertUtil: Block download or creation of executable content|certutil.exe|File Creation|*.exe|ASR rules don't support these scenarios because they're part of Microsoft Defender Antivirus protection.|Microsoft Defender AV prevents CertUtil from creating or downloading executable content.|
-|All Processes: Block processes from stopping critical System components|*|Process Termination|MsSense.exe, MsMpEng.exe, NisSrv.exe, svchost.exe*, services.exe, csrss.exe, smss.exe, wininit.exe, and more.|ASR rules don't support these scenarios because they're protected with Windows 10 built-in security protections.|ELAM (Early Launch AntiMalware), PPL (Protection Process Light), PPL AntiMalware Light, and System Guard.|
-|Specific Processes: Block specific launch Process Attempt|"Name your Process"|Process Execution|tor.exe, bittorrent.exe, cmd.exe, powershell.exe, and more.|Overall, ASR rules aren't designed to function as an Application manager.|To prevent users from launching specific processes or programs, the recommendation would be to use Windows Defender Application Control. Microsoft Defender for Endpoint File and Cert indicators, can be used in an Incident Response scenario (should not be seen as an application control mechanism).|
-|All Processes: Block unauthorized changes to MDATP AV configurations|*|Registry Modifications|HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowRealTimeMonitoring, etc.|ASR rules don't cover these kinds of scenarios because they are part of the Microsoft Defender for Endpoint built-in protection.|Tamper Protection (opt-in, managed from Intune) prevents unauthorized changes to DisableAntiVirus, DisableAntiSpyware, DisableRealtimeMonitoring, DisableOnAccessProtection, DisableBehaviorMonitoring and DisableIOAVProtection registry keys (and more). |
+This article helps you to map common rules to Microsoft Defender for Endpoint.
+## Scenarios when migrating from a third-party HIPS product to ASR rules
+### Block creation of specific files and registry keys
+
+- **Applies to**- All processes
+- **Operation**- File Creation
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- *.zepto, *.odin, *.locky, *.jaff, *.lukitus, *.wnry, *.krab
+- **Attack Surface Reduction rules**- ASR rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension isn't always useful, as it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.
+- **Other recommended features**- Having Microsoft Defender AV enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend that you use other prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, many of these registry keys are monitored by Microsoft Defender for Endpoint, such as ASEP techniques, which will trigger specific alerts. The registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. Using a locked down environment, with minimum administrative accounts or rights, is recommended. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that are part of our wider security recommendations.
+
+### Block creation of specific files and registry keys
+
+- **Applies to**- All Processes
+- **Processes**- N/A
+- **Operation**- Registry Modifications
+- **Examples of Files/Folders, Registry Keys/Values, Processes,Services**- *\Software*,HKCU\Environment\UserInitMprLogonScript,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs*\StartExe, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options*\Debugger,HKEY_CURRENT_USER\Software\Microsoft\HtmlHelp Author\location,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit*\MonitorProcess
+- **Attack Surface Reduction rules**- ASR rules block the attack techniques and not the Indicators of Compromise (IOC). Blocking a specific file extension isn't always useful, because it doesn't prevent a device from compromise. It only partially thwarts an attack until attackers create a new type of extension for the payload.
+- **Other recommended features**- Having Microsoft Defender AV enabled, along with Cloud Protection and Behavior Analysis is highly recommended. We recommend you use additional prevention, such as the ASR rule "Use advanced protection against ransomware". This provides a greater level of protection against ransomware attacks. Furthermore, several of these registry keys are monitored by Microsoft Defender for Endpoint, such as ASEP techniques, which will trigger specific alerts. Additionally, the registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified. Using a locked down environment, with minimum administrative accounts or rights, is recommended. Other system configurations can be enabled, including "Disable SeDebug for non-required roles" that are part of our wider security recommendations.
+
+### Block untrusted programs from running from removable drives
+
+- **Applies to**- Untrusted Programs from USB
+- **Processes**- *
+- **Operation**- Process Execution
+- **Examples of Files/Folders, Registry Keys/Values, Processes,
+- **Attack Surface Reduction rules**- ASR rules have a built-in rule to prevent the launch of untrusted and unsigned programs from removable drives: "Block untrusted and unsigned processes that run from USB", GUID "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4".
+- **Other recommended features**- Please explore additional controls for USB devices and other removable media using Microsoft Defender for Endpoint:[How to control USB devices and other removable media using Microsoft Defender for Endpoint](/windows/security/threat-protection/device-control/control-usb-devices-using-intune).
+
+### Block Mshta from launching certain child processes
+
+- **Applies to**- Mshta
+- **Processes**- mshta.exe
+- **Operation**- Process Execution
+- **Examples of Files/Folders, Registry Keys/Values, Processes,Services**- powershell.exe, cmd.exe, regsvr32.exe
+- **Attack Surface Reduction rules**- ASR rules don't contain any specific rule to prevent child processes from "mshta.exe". This control is within the remit of Exploit Protection or Windows Defender Application Control.
+- **Other recommended features**- Enable Windows Defender Application Control to prevent mshta.exe from being executed altogether. If your organization requires "mshta.exe" for line of business apps, configure a specific Windows Defender Exploit Protection rule, to prevent mshta.exe from launching child processes.
+
+### Block Outlook from launching child processes
+
+- **Applies to**- Outlook
+- **Processes**- outlook.exe
+- **Operation**- Process Execution
+- **Examples of Files/Folders, Registry Keys/Values, Processes,Services**- powershell.exe
+- **Attack Surface Reduction rules**- ASR rules have a built-in rule to prevent Office communication apps (Outlook, Skype and Teams) from launching child processes: "Block Office communication application from creating child processes", GUID "26190899-1602-49e8-8b27-eb1d0a1ce869".
+- **Other recommended features**- We recommend enabling PowerShell constrained language mode to minimize the attack surface from PowerShell.
++
+### Block Office Apps from launching child processes and from creating executable content
+
+- **Applies to**- Office
+- **Processes**- winword.exe, powerpnt.exe, excel.exe
+- **Operation**- Process Execution
+- **Examples of Files/Folders, Registry Keys/Values, Processes,Services**- powershell.exe, cmd.exe, wscript.exe, mshta.exe, EQNEDT32.EXE, regsrv32.exe
+- **Attack Surface Reduction rules**- ASR rules have a built-in rule to prevent Office apps from launching child processes: "Block all Office applications from creating child processes", GUID "D4F940AB-401B-4EFC-AADC-AD5F3C50688A".
+- **Other recommended features**- N/A
+
+### Block Office Apps from launching child processes and from creating executable content
+
+- **Applies to**- Office
+- **Processes**- winword.exe, powerpnt.exe, excel.exe
+- **Operation**- File Creation
+- **Examples of Files/Folders, Registry Keys/Values, Processes,Services**- C:\Users*\AppData**.exe, C:\ProgramData**.exe, C:\ProgramData**.com, C:\Users*AppData\Local\Temp**.com, C:\Users*\Downloads**.exe, C:\Users*\AppData**.scf, C:\ProgramData**.scf, C:\Users\Public*.exe, C:\Users*\Desktop***.exe
+- **Attack Surface Reduction rules**- N/A.
+
+### Block Wscript from reading certain types of files
+
+- **Applies to**- Wscript
+- **Processes**- wscript.exe
+- **Operation**- File Read
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- C:\Users*\AppData**.js, C:\Users*\Downloads**.js
+- **Attack Surface Reduction rules**- Due to reliability and performance issues, ASR rules don't have the capability to prevent a specific process from reading a certain script file type. We do have a rule to prevent attack vectors that might originate from these scenarios. The rule name is "Block JavaScript or VBScript from launching downloaded executable content" (GUID "D3E037E1-3EB8-44C8-A917-57927947596D") and the "Block execution of potentially obfuscated scripts" (GUID " 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC").
+- **Other recommended features**- Though there are specific ASR rules that mitigate certain attack vectors within these scenarios, it's important to mention that AV is able by default to inspect scripts (PowerShell, Windows Script Host, JavaScript, VBScript, and more) in real time, through the Antimalware Scan Interface (AMSI). More info is available here: [Antimalware Scan Interface (AMSI)](/windows/win32/amsi/antimalware-scan-interface-portal).
+
+### Block launch of child processes
+
+- **Applies to**- Adobe Acrobat
+- **Processes**- AcroRd32.exe, Acrobat.exe
+- **Operation**- Process Execution
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- cmd.exe, powershell.exe, wscript.exe
+- **Attack Surface Reduction rules**- ASR rules allow blocking Adobe Reader from launching child processes. The rule name is "Block Adobe Reader from creating child processes", GUID "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c".
+- **Other recommended features**- N/A
++
+### Block download or creation of executable content
+
+- **Applies to**- CertUtil: Block download or creation of executable
+- **Processes**- certutil.exe
+- **Operation**- File Creation
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- *.exe
+- **Attack Surface Reduction rules**- ASR rules don't support these scenarios because they're a part of Microsoft Defender Antivirus protection.
+- **Other recommended features**- Microsoft Defender AV prevents CertUtil from creating or downloading executable content.
++
+### Block processes from stopping critical System components
+
+- **Applies to**- All Processes
+- **Processes**- *
+- **Operation**- Process Termination
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- MsSense.exe, MsMpEng.exe, NisSrv.exe, svchost.exe*, services.exe, csrss.exe, smss.exe, wininit.exe, and more.
+- **Attack Surface Reduction rules**- ASR rules don't support these scenarios because they're protected with Windows 10 built-in security protections.
+- **Other recommended features**- ELAM (Early Launch AntiMalware), PPL (Protection Process Light), PPL AntiMalware Light, and System Guard.
+
+### Block specific launch Process Attempt
+
+- **Applies to**- Specific Processes
+- **Processes**- "Name your Process"
+- **Operation**- Process Execution
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- tor.exe, bittorrent.exe, cmd.exe, powershell.exe, and more
+- **Attack Surface Reduction rules**- Overall, ASR rules aren't designed to function as an Application manager.
+- **Other recommended features**- To prevent users from launching specific processes or programs, it's recommended to use Windows Defender Application Control. Microsoft Defender for Endpoint File and Cert indicators, can be used in an Incident Response scenario (shouldn't be seen as an application control mechanism).
+
+### Block unauthorized changes to MDATP AV configurations
+
+- **Applies to**- All Processes
+- **Processes**- *
+- **Operation**- Registry Modifications
+- **Examples of Files/Folders, Registry Keys/Values, Processes, Services**- HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware, HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowRealTimeMonitoring, and so on.
+- **Attack Surface Reduction rules**- ASR rules don't cover these scenarios because they're part of the Microsoft Defender for Endpoint built-in protection.
+- **Other recommended features**- Tamper Protection (opt-in, managed from Intune) prevents unauthorized changes to DisableAntiVirus, DisableAntiSpyware, DisableRealtimeMonitoring, DisableOnAccessProtection, DisableBehaviorMonitoring and DisableIOAVProtection registry keys (and more).
See also
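Review bot: the wildcard patterns in the new bullets have lost their escaped asterisks and no longer match the removed table rows: `*\Software\*` now reads `*\Software*`, the `Accessibility\ATs\*\StartExe`, `Image File Execution Options\*\Debugger` and `SilentProcessExit\*\MonitorProcess` keys have dropped the `\*` segment, the Office file-creation list has collapsed from `C:\Users\*\AppData\**\*.exe` style paths to `C:\Users*\AppData**.exe` and `C:\Users*\Desktop***.exe`, and the Wscript paths dropped the trailing `*` from `*.js*`. An unescaped `*` in Markdown is parsed as emphasis, so wrap every path and registry pattern in backticks (or keep the `\*` escapes) and restore the dropped segments. Further points in the same hunk: the "Examples of Files/Folders, Registry Keys/Values, Processes," bullet under "Block untrusted programs from running from removable drives" is cut off mid-label with an unclosed `**` and its value (`*`) is missing; "The registry keys used require a minimum of Local Admin or Trusted Installer privileges can be modified" in both registry-key sections drops the original "to be able to be modified" and no longer parses, so restore "to be modified"; the "Applies to" value in the CertUtil section repeats the heading ("CertUtil: Block download or creation of executable") where every other section carries only the scope, so reduce it to "CertUtil"; three sections (Outlook, Adobe Acrobat, CertUtil) end in a bare `+` line that will render as a literal plus sign; the `**Label**- value` form should be `**Label**: value` throughout; and the two pairs of identical `###` headings ("Block creation of specific files and registry keys" and "Block Office Apps from launching child processes and from creating executable content") will produce duplicate anchors, so add the operation (File Creation vs. Registry Modifications, Process Execution vs. File Creation) to the heading text.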
security Office 365 Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
audience: ITPro
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
audience: ITPro
security Prevent End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview.md
Turn on the preview experience setting to be among the first to try upcoming fea
The following features are included in the preview release:
+- [Device discovery](device-discovery.md) <br> Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. You can then onboard discovered devices to reduce risks associated with having unmanaged endpoints in your network.
+
+ > [!IMPORTANT]
+ > Standard discovery will be the default mode for all preview customers starting May 10, 2021. You can choose to retain the basic mode through the settings page.
++ - [Web Content Filtering](web-content-filtering.md) <br> Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns. - [Device health and compliance report](machine-reports.md) <br/> The device health and compliance report provides high-level information about the devices in your organization.
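Review bot: the last added line begins with a stray `+` before ` - [Web Content Filtering]` and runs the "Web Content Filtering" and "Device health and compliance report" items together on one line, so neither will render as its own bullet alongside "Device discovery"; drop the leading `+` and put each `- [...]` item on its own line at the same indentation as the "Device discovery" bullet.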
security Report Monitor Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Restore Quarantined Files Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Review Scan Results Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Scheduled Catch Up Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Specify Cloud Protection Level Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
Last updated 10/26/2020
security Symantec To Microsoft Defender Atp Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-onboard.md
Now that you have onboarded your organization's devices to Microsoft Defender fo
- [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html) - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040) - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
- - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
+ - Linux devices: [Frequently Asked Questions for Endpoint Protection on Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
## Make sure Microsoft Defender for Endpoint is in active mode
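Review bot: the Linux line renames the title of a third-party Broadcom KB article ("Frequently Asked Questions for Endpoint Protection for Linux" to "... on Linux") while the link target is unchanged, so the link text no longer matches the destination page; this looks like a blanket "for <platform>" to "on <platform>" replacement that should be limited to Microsoft Defender for Endpoint product names. Revert this one line.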
security Symantec To Microsoft Defender Atp Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-prepare.md
To enable communication between your devices and Microsoft Defender for Endpoint
|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016) <br/>- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows 7 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | |EDR |macOS: <br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) <br/>- 10.13 (High Sierra) |[Microsoft Defender for Endpoint on macOS: Network connections](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-mac#network-connections) | |[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-health/release-information/) <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) <br/>- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)<br/> |
-|Antivirus |macOS: <br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) <br/>- 10.13 (High Sierra) |[Microsoft -Defender for Endpoint for Mac: Network connections](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-mac#network-connections) |
+|Antivirus |macOS: <br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) <br/>- 10.13 (High Sierra) |[Microsoft Defender for Endpoint on Mac: Network connections](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-mac#network-connections) |
|Antivirus |Linux: <br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Microsoft Defender for Endpoint on Linux: Network connections](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-linux#network-connections) | ## Next step
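Review bot: The replaced link text now reads "Microsoft Defender for Endpoint on Mac", while the EDR row in the same table says "Microsoft Defender for Endpoint on macOS" and the Linux row says "on Linux"; the product name should be the same form in every row, so "on macOS" is the better target for this rename. Separately, the Linux row lists "Oracle Linux 7.2" without the "+" that RHEL, CentOS, SLES and Debian carry, which reads as "exactly 7.2"; confirm whether it should be "7.2+".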
security Threat Protection Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-integration.md
Microsoft Defender for Endpoint provides a comprehensive server protection solut
The Microsoft Defender for Endpoint connector lets you stream alerts from Microsoft Defender for Endpoint into Azure Sentinel. This will enable you to more comprehensively analyze security events across your organization and build playbooks for effective and immediate response. ### Azure Information Protection
-Keep sensitive data secure while enabling productivity in the workplace through data discovery and data protection.
+We recently deprecated the Azure Information Protection integration as our Endpoint DLP capabilities incorporate an improved discovery and protection solution for sensitive data stored on endpoint devices that facilitates greater visibility and integration between solutions. This was announced in the following [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protecting-sensitive-information-on-devices/ba-p/2143555). We recommend that customers move to using Endpoint DLP.
### Conditional Access Microsoft Defender for Endpoint's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
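Review bot: The new paragraph says the Azure Information Protection integration has been deprecated, but it still sits under the plain heading "### Azure Information Protection" next to live integrations such as "### Conditional Access", so a reader scanning headings will assume it is still available; rename the heading (for example "Azure Information Protection (deprecated)") or move the text into a deprecation note. The sentence "We recently deprecated the Azure Information Protection integration as our Endpoint DLP capabilities incorporate ... between solutions" is also a run-on, and "recently" ages badly; split it after "endpoint devices" and state the actual date of the deprecation announcement rather than "recently".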
security Troubleshoot Cloud Connect Mdemac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-cloud-connect-mdemac.md
ms.sitesec: library
ms.pagetype: security
+localization_priority: normal
audience: ITPro
macOS
This topic describes how to Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS. ## Run the connectivity test
-To test if Defender for Endpoint for Mac can communicate to the cloud with the current network settings, run a connectivity test from the command line:
+To test if Defender for Endpoint on Mac can communicate to the cloud with the current network settings, run a connectivity test from the command line:
```Bash mdatp connectivity test
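Review bot: The renamed sentence says "Defender for Endpoint on Mac", but the topic description immediately above it says "Microsoft Defender for Endpoint on macOS"; use one form throughout the page. Also verify that `mdatp connectivity test` sits on its own line inside the fence and that the fence is tagged with lowercase `bash`, which is the conventional identifier.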
security Troubleshoot Microsoft Defender Antivirus When Migrating https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Troubleshoot Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
security Troubleshoot Np https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-np.md
localization_priority: Normal
audience: ITPro Previously updated : 01/26/2021-+ ms.technology: mde+ # Troubleshoot network protection [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+> [!TIP]
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
When you report a problem with network protection, you are asked to collect and
mpcmdrun -getfiles ```
-3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
+3. Attach the file to the submission form. By default, diagnostic logs are saved at `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.
+
+## Resolve connectivity issues with network protection (for E5 customers)
+
+Due to the environment where network protection runs, Microsoft is unable to see your operating system proxy settings. In some cases, network protection clients are unable to reach the cloud service. To resolve connectivity issues with network protection, configure one of the following registry keys so that network protection becomes aware of the proxy configuration:
+
+```powershell
+reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyServer /d "<proxy IP address: Port>" /f
+```
+
+OR
++
+```powershell
+reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyPacUrl /d "<Proxy PAC url>" /f
+```
+
+You can configure the registry key by using PowerShell, Microsoft Endpoint Manager, or Group Policy. Here are some resources to help:
+- [Working with Registry Keys](/powershell/scripting/samples/working-with-registry-keys)
+- [Configure custom client settings for Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-protection-configure-client)
+- [Use Group Policy settings to manage Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-protection-group-policies)
-## Related topics
+## See also
- [Network protection](network-protection.md) - [Evaluate network protection](evaluate-network-protection.md)
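Review bot: The ProxyServer placeholder "<proxy IP address: Port>" contains a space after the colon, so anyone who substitutes values literally gets "10.0.0.1: 8080", which is not a valid host:port string; write it as "<proxy IP address>:<port>" and say whether a hostname is accepted, since the text only mentions an IP address. The line between the two code blocks (after "OR") renders as a bare "+", which looks like a stray character or a dropped line and should be checked. The heading "Resolve connectivity issues with network protection (for E5 customers)" gives no reason for the E5 qualifier; either explain the licensing dependency in the paragraph or drop it. Finally, both blocks are tagged powershell but show the `reg add` command-line utility; since the first linked resource is "Working with Registry Keys" in PowerShell, consider showing the equivalent `Set-ItemProperty` form, or tag the blocks as cmd.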
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
If the verification fails and your environment is using a proxy to connect to th
![Image of registry key for Microsoft Defender Antivirus](images/atp-disableantispyware-regkey.png) > [!NOTE]
- > In addition, you must ensure that wdfilter.sys and wdboot.sys are set to their default start values of "0".
+ > All Windows Defender services (wdboot, wdfilter, wdnisdrv, wdnissvc, and windefend) should be in their default state. Changing the startup of these services is unsupported and may force you to reimage your system.
>
+ > Example default configurations for WdBoot and WdFilter:
> - `<Key Path="SYSTEM\CurrentControlSet\Services\WdBoot"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>` > - `<Key Path="SYSTEM\CurrentControlSet\Services\WdFilter"><KeyValue Value="0" ValueKind="DWord" Name="Start"/></Key>`
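Review bot: The replacement NOTE removes the one concrete, checkable fact the old text gave, that wdfilter.sys and wdboot.sys have a default start value of "0", and replaces it with "should be in their default state" for five services without stating what those defaults are; the example configurations that follow only cover WdBoot and WdFilter, both with Start="0". Either add the default Start values for WdNisDrv, WdNisSvc and WinDefend to the example list, or keep the original sentence, so that a reader can actually verify the state by reading the Start value under SYSTEM\CurrentControlSet\Services\<service>, which is the path the examples already use.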
security Troubleshoot Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
security Use Group Policy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
Previously updated : 03/31/2021 Last updated : 04/13/2021 ms.technology: mde
+audience: ITPro
+ # Use Group Policy settings to configure and manage Microsoft Defender Antivirus
The following table in this topic lists the Group Policy settings available in W
| Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | | Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) | Root | Turn off Microsoft Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly)
-| Root | Define addresses to bypass proxy server | No longer relevant |
-| Root | Define proxy autoconfig (.pac) for connecting to the network | No longer relevant |
-| Root | Define proxy server for connecting to the network | No longer relevant |
+| Root | Define addresses to bypass proxy server | Not used |
+| Root | Define proxy autoconfig (.pac) for connecting to the network | Not used |
+| Root | Define proxy server for connecting to the network | Not used |
| Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) | | Root | Allow antimalware service to start up with normal priority | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) | | Root | Allow antimalware service to remain running always | [Configure remediation for Microsoft Defender Antivirus scans](configure-remediation-microsoft-defender-antivirus.md) |
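Review bot: Changing the three proxy rows from "No longer relevant" to "Not used" conflicts with the troubleshoot-np change in this same batch, which tells readers to set ProxyServer and ProxyPacUrl under "HKLM\Software\Microsoft\Windows Defender" and lists Group Policy as one of the ways to configure them. If the Group Policy proxy settings are not used by Microsoft Defender Antivirus, the troubleshoot-np page should not suggest Group Policy for that fix; if they are the mechanism network protection reads, these rows should link to that troubleshooting section instead of saying "Not used". Also, the "Turn off Microsoft Defender Antivirus" row pairs "Not used" with a parenthetical reason; give these three rows a similarly short reason so readers know whether the setting is ignored or merely undocumented.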
security Use Intune Config Manager Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
Last updated 10/26/2018
ms.technology: mde
+audience: ITPro
+ # Use Microsoft Endpoint Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
security Use Powershell Cmdlets Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
Last updated 07/23/2020
ms.technology: mde
+audience: ITPro
+ # Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus
Omit the `-online` parameter to get locally cached help.
- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)-- [Microsoft Defender Antivirus Cmdlets](/powershell/module/defender/?view=win10-ps)
+- [Microsoft Defender Antivirus Cmdlets](/powershell/module/defender)
security Use Wmi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+localization_priority: normal
Last updated 09/03/2018
ms.technology: mde
+audience: ITPro
+ # Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus
security Why Use Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
+localization_priority: normal
audience: ITPro
security Advanced Hunting Cloudappevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-cloudappevents-table.md
ms.technology: m365d
-The `CloudAppEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about activities in various cloud apps and services covered by Microsoft Cloud App Security, specifically Dropbox, Exchange Online, OneDrive, Microsoft Teams, and SharePoint. Use this reference to construct queries that return information from this table.
+The `CloudAppEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about activities in various cloud apps and services covered by Microsoft Cloud App Security. For a complete list, jump to [Apps and services covered](#apps-and-services-covered). Use this reference to construct queries that return information from this table.
>[!IMPORTANT] >This table includes information that used to be available in the `AppFileEvents` table. Starting March 7, 2021, users hunting through file-related activities in cloud services on and beyond this date should use the `CloudAppEvents` table instead. <br><br>Make sure to search for queries and custom detection rules that still use the `AppFileEvents` table and edit them to use the `CloudAppEvents` table. More guidance about converting affected queries can be found in [Hunt across cloud app activities with Microsoft 365 Defender advanced hunting](https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857).
For information on other tables in the advanced hunting schema, [see the advance
| `RawEventData` | string | Raw event information from the source application or service in JSON format | | `AdditionalFields` | string | Additional information about the entity or event |
+## Apps and services covered
+
+- Dropbox
+- Dynamics 365
+- Exchange Online
+- Microsoft Teams
+- OneDrive for Business
+- Power Automate
+- Power BI
+- SharePoint Online
+- Skype for Business
+- Office 365
+- Yammer
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
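Review bot: The new "Apps and services covered" list is alphabetical except for "Office 365", which appears between "Skype for Business" and "Yammer"; move it into order, or, if it is a catch-all for other Office 365 workloads, say so, because Exchange Online, OneDrive for Business and SharePoint Online are already listed separately and readers will wonder what "Office 365" adds. The intro sentence also loses the explicit list of five services that the removed version named; since the new list adds Dynamics 365, Power Automate, Power BI, Skype for Business, Office 365 and Yammer, a sentence noting that existing queries which filter on a specific app may now see additional apps would help people maintaining custom detections.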
security Advanced Hunting Go Hunt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-go-hunt.md
With the *go hunt* action, you can quickly investigate events and various entity
The *go hunt* action is available in various sections of the security center whenever event or entity details are displayed. For example, you can use *go hunt* from the following sections: -- In the [incident page](investigate-incidents.md#incident-overview), you can review details about users, devices, and many other entities associated with an incident. As you select an entity, you get additional information as well as various actions you could take on that entitity. In the example below, a mailbox is selected, showing details about the mailbox as well the option to hunt for more information about the mailbox.
+- In the [incident page](investigate-incidents.md#summary), you can review details about users, devices, and many other entities associated with an incident. As you select an entity, you get additional information as well as various actions you could take on that entitity. In the example below, a mailbox is selected, showing details about the mailbox as well the option to hunt for more information about the mailbox.
![Image showing mailbox details with the go hunt option](../../media/mtp-ah/go-hunt-email.png)
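Review bot: The rewritten bullet keeps two pre-existing typos, "entitity" for "entity" and "as well the option" for "as well as the option"; since the line is being touched to change the anchor, fix them in the same change. Also confirm that the new anchor `#summary` resolves in investigate-incidents.md: the investigate-incidents change in this batch removes the "## Incident overview" heading that the old `#incident-overview` anchor pointed at and refers to a "Summary" tab, but no "## Summary" heading is visible in that hunk.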
security Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender - Microsoft 365 Defender is a unified experience where you can monitor and manage security across your enterprise. With the integrated alerts across identities, endpoints, data, apps, email, and collaboration tools - investigating and responding to threats now happen in a central location. Whether you're new to the Microsoft suite of security products or familiar with individual workflows, this topic will guide you in the simple steps you need to take to get started with Microsoft 365 Defender.
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender
+Microsoft 365 Defender applies correlation analytics and aggregates related alerts and automated investigations from different products into an incident. Microsoft 365 Defender also triggers unique alerts on activities that can only be identified as malicious given the end-to-end visibility that Microsoft 365 Defender has across the entire suite of products. This view gives your security analysts the broader attack story, which help them better understand and deal with complex threats across your organization.
+The **Incident queue** shows a collection of incidents that were created across devices, users, and mailboxes. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
-Microsoft 365 Defender applies correlation analytics and aggregates all related alerts and investigations from different products into one incident. Microsoft 365 Defender also triggers unique alerts on activities that can only be identified as malicious given the end-to-end visibility that Microsoft 365 Defender has across the entire estate and suite of products. This view gives your security operations analyst the broader attack story, which helps them better understand and deal with complex threats across the organization.
--
-The **Incidents queue** shows a collection of incidents that were flagged from across devices, users, and mailboxes. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
+You get to the incident queue from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)).
-![Image of incidents queue](../../media/incidents-queue.png)
+By default, the queue in the Microsoft 365 security center displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first.
-By default, the queue in the Microsoft 365 security center displays incidents seen in the last 30 days. The most recent incident is at the top of the list so you can see it first.
-
-The incident queue exposes customizable columns that give you visibility into different characteristics of the incident or the contained entities. This helps you make an informed decision regarding prioritization of incidents to handle.
+The incident queue has customizable columns (select **Choose columns**) that give you visibility into different characteristics of the incident or the impacted entities. This helps you make an informed decision regarding the prioritization of incidents for anaylsis.
For additional visibility at a glance, automatic incident naming generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident.
The incident queue also exposes multiple filtering options, that when applied, e
## Available filters
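Review bot: The new first paragraph has a subject-verb mismatch, "the broader attack story, which help them" should be "which helps them" (the removed sentence had it right). The default time window changes from "last 30 days" to "last six months" with nothing else supporting it; please confirm this is current product behavior, because the incidents-overview change in this batch deletes its own "last 30 days" sentence rather than updating it, so six months is now stated only here. "anaylsis" in the customizable-columns paragraph should be "analysis". The old screenshot reference (incidents-queue.png) is removed and nothing replaces it, while the new navigation sentence has no illustration; if the image was meant to move, place it after the navigation sentence.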
-### Assigned to
-You can choose to show alerts that are assigned to you or those handled by automation.
+From the default incident queue, you can select **Filters** to see a Filters pane, from which you can view a filtered set of incidents. Here is an example.
-### Categories
-Choose categories to focus on specific tactics, techniques, or attack components seen.
-### Classification
-Filter incidents based on the set classifications of the related alerts. The values include true alerts, false alerts, or not set.
+This table lists the filter names that are available.
-### Data sensitivity
-Some attacks focus on targeting to exfiltrate sensitive or valuable data. By applying a filter to see if sensitive data is involved in the incident, you can quickly determine if sensitive information has potentially been compromised and prioritize addressing those incidents.
+| Filter name | Description |
+|:-|:--|
+| Assigned to | You can choose to show alerts that are assigned to you or those handled by automation. |
+| Categories | Choose categories to focus on specific tactics, techniques, or attack components seen. |
+| Classification | Filter incidents based on the set classifications of the related alerts. The values include true alerts, false alerts, or not set. |
+| Data sensitivity | Some attacks focus on targeting to exfiltrate sensitive or valuable data. By applying a filter to see if sensitive data is involved in the incident, you can quickly determine if sensitive information has potentially been compromised and prioritize addressing those incidents. <br><br> Only applicable if Microsoft Information Protection is turned on.|
+| Device group | Filter by defined device groups. |
+| Investigation state | Filter incidents by the status of automated investigation. |
+| Multiple categories | You can choose to see only incidents that have mapped to multiple categories and can thus potentially cause more damage. |
+| Multiple service sources | Filter to only see incidents that contain alerts from different sources (Microsoft Defender for Endpoint, Microsoft Cloud App Security, Microsoft Defender for Identity, Microsoft Defender for Office 365). |
+| OS platform | Limit the incident queue view by operating system. |
+| Service sources | By choosing a specific source, you can focus on incidents that contain at least one alert from that chosen source. |
+| Severity | The severity of an incident is indicative of the impact it can have on your assets. The higher the severity, the bigger the impact and typically requires the most immediate attention. |
+| Status | You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved. |
+|||
->[!NOTE]
->Only applicable if Microsoft Information Protection is turned on.
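Review bot: The table ends with an empty row "|||", which renders as a blank line inside the table; delete it. "From the default incident queue, you can select **Filters** to see a Filters pane ... Here is an example." introduces an example but no image or sample follows it in the hunk, so either the figure was dropped or the sentence should be trimmed to "select **Filters** to open the Filters pane". Folding the old NOTE into the "Data sensitivity" row is fine, but "Only applicable if Microsoft Information Protection is turned on." would read better as the first sentence of that cell rather than after two line breaks at the end.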
+## Incident response workflow
-### Device group
-Filter by defined device groups.
+Here is the typical workflow for responding to incidents:
-### Investigation state
-Filter incidents by the status of automated investigation.
+1. Identify and triage the highest priority incidents for investigation and resolution.
+2. For each high-priority incident, begin an [investigation](investigate-incidents.md):
-### Multiple categories
-You can choose to see only incidents that have mapped to multiple categories and can thus potentially cause more damage.
+ a. View the summary of the incident to understand it's scope, what entities are affected, and severity (the **Summary** tab).
-### Multiple service sources
-Filter to only see incidents that contain alerts from different sources (Microsoft Defender for Endpoint, Microsoft Cloud App Security, Microsoft Defender for Identity, Microsoft Defender for Office 365).
+ b. Begin looking at the alerts to understand their origin, scope, and severity (the **Alerts** tab).
-### OS platform
-Limit the incident queue view by operating system.
+ c. As needed, gather information on impacted devices, users, and mailboxes (the **Devices**, **Users**, and **Mailboxes** tabs).
-### Service sources
-By choosing a specific source, you can focus on incidents that contain at least one alert from that chosen source.
+ d. See how Microsoft 365 Defender has automatically resolved some alerts (the **Investigations** tab).
+
+ e. As needed, use information in the data set for the incident for more information (the **Evidence and Response** tab).
-### Severity
-The severity of an incident is indicative of the impact it can have on your assets. The higher the severity, the bigger the impact and typically requires the most immediate attention.
+As you investigate, you should be concerned with:
-### Status
-You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
+- Containment: Reducing any additional impact on your tenant.
+- Eradication: Removing the security threat.
+- Recovery: Restoring your tenant resources to the state they were in before the attack.
+After you resolve the incident, take a moment to learn from it to:
+- Understand the type of the attack and its impact.
+- Research the attack in the security community for a security attack trend.
+- Recall the workflow you used to resolve the incident and update your standard workflows and plalbooks as needed.
+Here's a summary of the basic process.
-## Next steps
-After you've determined which incident requires the highest priority, you can proceed to do further investigative work on an incident.
-- [Investigate incidents](investigate-incidents.md)+
+## Next step
+After you've determined which incident requires the highest priority, select it and begin your [investigation](investigate-incidents.md).
## See also - [Incidents overview](incidents-overview.md)
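Review bot: In the investigation substeps, "understand it's scope" should be "understand its scope", and in the lessons-learned list "plalbooks" should be "playbooks". "Here's a summary of the basic process." is followed by nothing in the hunk, so the figure it introduces is missing or the sentence is dangling; add the image or remove the sentence. "Research the attack in the security community for a security attack trend" is awkward; "Research the attack in the security community to see whether it is part of a broader trend" says the same thing more clearly. The containment, eradication and recovery bullets and the "Next step" section read well.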
security Incidents Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md
Title: Incidents overview in Microsoft 365 Defender
+ Title: Incidents in Microsoft 365 Defender
description: Investigate incidents seen across devices, users, and mailboxes. keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365 search.product: eADQiWindows 10XVcnh
search.appverid:
ms.technology: m365d
-# Incidents overview in Microsoft 365 Defender
+# Incidents in Microsoft 365 Defender
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
ms.technology: m365d
> Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) or [run your pilot project in production](m365d-pilot.md?ocid=cx-evalpilot). >
+An incident in Microsoft 365 Defender is a collection of correlated alerts and associated data that make up the story of an attack.
-Incidents are based on related alerts. Alerts are created when a malicious event or activity is seen on your network. Individual alerts provide valuable clues about an on-going attack. However, attacks typically employ various vectors and techniques to carry out a breach. Piecing individual clues together can be challenging and time-consuming.
+Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant.
-This short video gives an overview of incidents in Microsoft 365 Defender.
-<br>
+Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.
++
+Watch this short overview of incidents in Microsoft 365 Defender (4 minutes).
+<br>
+<br>
>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bzwz?]
-An incident is a collection of correlated alerts that make up the story of an attack. Malicious and suspicious events that are found in different device, user, and mailbox entities in the network are automatically aggregated by Microsoft 365 Defender. Grouping related alerts into an incident gives security defenders a comprehensive view of an attack.
+Grouping related alerts into an incident gives you a comprehensive view of an attack. For example, you can see:
+
+- Where the attack started.
+- What tactics were used.
+- How far the attack has gone into your tenant.
+- The scope of the attack, such as how many devices, users, and mailboxes were impacted.
+- All of the data associated with the attack.
+
+If [enabled](m365d-enable.md), Microsoft 365 Defender can automatically investigate and resolve alerts through automation and artificial intelligence. You can also perform additional remediation steps to resolve the attack.
+
+## Incidents and alerts in the Microsoft 365 security center
+
+You manage incidents from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
++
+Selecting an incident name displays a summary of the incident and provides access to tabs with additional information.
++
+The additional tabs for an incident are:
+
+- Alerts
+
+ All the alerts related to the incident and their information.
+
+- Devices
+
+ All the devices that have been identified to be part of or related to the incident.
+
+- Users
+
+ All the users that have been identified to be part of or related to the incident.
+
+- Mailboxes
+
+ All the mailboxes that have been identified to be part of or related to the incident.
+
+- Investigations
+
+ All the automated investigations triggered by alerts in the incident.
-For instance, security defenders can see where the attack started, what tactics were used, and how far the attack has gone into the network. They can also see the scope of the attack, like how many devices, users, and mailboxes were impacted, how severe the impact was, and other details about affected entities.
+- Evidence and Response
-If enabled, Microsoft 365 Defender can automatically investigate and resolve the individual alerts through automation and artificial intelligence. Security defenders can also perform additional remediation steps to resolve the attack straight from the incidents view.
+ All the supported events and suspicious entities in the alerts in the incident.
-Incidents from the last 30 days are shown in the incident queue. From here, security defenders can see which incidents should be prioritized based on risk level and other factors.
+Here's the relationship between an incident and its data and the tabs of an incident in the Microsoft 365 security center.
-Security defenders can also rename incidents, assign them to individual analysts, classify, and add tags to incidents for a better and more customized incident management experience.
+## Next step
+The incident queue from the **Incidents** page lists the most recent incidents. From here, you can:
-## See also
-- [Prioritize incidents](incident-queue.md)-- [Investigate incidents](investigate-incidents.md)-- [Manage incidents](manage-incidents.md)
+- See which incidents should be [prioritized](incident-queue.md) based on severity and other factors.
+- Perform an [investigation](investigate-incidents.md) of an incident.
+- [Manage incidents](manage-incidents.md), which includes renaming, assigning them, classifying, and adding tags for your incident management workflow.
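Review bot: Three added lines render as a bare "+" (after "automatically aggregates the alerts ... into an incident.", after "Here's an example." and after "Selecting an incident name displays a summary ..."), which looks like dropped image references; the same applies to "Here's the relationship between an incident and its data and the tabs ...", which introduces a figure that does not appear in the hunk. The removed sentence "Incidents from the last 30 days are shown in the incident queue" is dropped rather than updated, while the incident-queue change in this batch now says six months; either state the current window here too or leave it to the linked page, but the two pages must agree. The "Evidence and Response" tab description, "All the supported events and suspicious entities in the alerts in the incident", leaves "supported" undefined; say which kinds of evidence appear there. Also verify the frontmatter line "+ Title: Incidents in Microsoft 365 Defender", which shows a leading space; an indented key would break the YAML header.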
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender - Alerts are the basis of all incidents and indicate the occurrence of malicious or suspicious events in your environment. Alerts are typically part of a broader attack and provide pieces of clues about an incident. In Microsoft 365 Defender, related alerts are aggregated together to form incidents. Incidents will always provide the broader context of an attack, however, investigating alerts can be valuable when deeper analysis is required.
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
ms.technology: m365d
- Microsoft 365 Defender
-Microsoft 365 Defender aggregates all related alerts, assets, investigations and evidence from across your devices, users, and mailboxes to give you a comprehensive look into the entire breadth of an attack.
+Microsoft 365 Defender aggregates all related alerts, assets, investigations and evidence from across your devices, users, and mailboxes into an incident to give you a comprehensive look into the entire breadth of an attack.
-Investigate the alerts that affect your network, understand what they mean, and collate evidence associated with the incidents so that you can devise an effective remediation plan.
+Within an incident, you investigate the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.
-## Investigate an incident
+## Initial investigation
-1. Select an incident from the incident queue. <BR> A side panel opens and gives a preview of important information such as status, severity, categories, and the impacted entities.
+Before diving into the details, take a look at the properties and summary of the incident.
- ![Image of incident side panel](../../media/incident-side-panel.png)
+You can start by selecting the incident from the check mark column. Here's an example.
-2. Select **Open incident page**. <BR> This opens the incident page where you'll find more information incident details, comments, and actions, tabs (overview, alerts, devices, users, investigations, evidence).
-3. Review the alerts, devices, users, other entities involved in the incident.
+When you do, a summary pane opens with key information about the incident, such as severity, who it is assigned to, and the [MITRE ATT&CK&trade;](https://attack.mitre.org/) categories for the incident. Here's an example.
-## Incident overview
-The overview page gives you a snapshot glance into the top things to notice about the incident.
+From here, you can select **Open incident page**. This opens the main page for the incident where you'll find more summary information and tabs for alerts, devices, users, investigations, and evidence.
-![Image of the incidents overview page](../../media/incidents-overview.png)
+You can also open the main page for an incident by selecting the incident name from the incident queue.
+
+## Summary
+
+The **Summary** page gives you a snapshot glance at the top things to notice about the incident.
+ The attack categories give you a visual and numeric view of how advanced the attack has progressed against the kill chain. As with other Microsoft security products, Microsoft 365 Defender is aligned to the [MITRE ATT&CK&trade;](https://attack.mitre.org/) framework. The scope section gives you a list of top impacted assets that are part of this incident. If there is specific information regarding this asset, such as risk level, investigation priority as well as any tagging on the assets this will also surface in this section.
-The alerts timeline provides a sneak peek into the chronological order in which the alerts occurred, as well as the reasons that these alerts linked to this incident.
+The alerts timeline provides a sneak peek into the chronological order in which the alerts occurred, as well as the reasons that these alerts are linked to this incident.
And last - the evidence section provides a summary of how many different artifacts were included in the incident and their remediation status, so you can immediately identify if any action is needed on your end.
-This overview can assist in the initial triage of the incident by providing insight to the top characteristics of the incident that you should be aware of.
+This overview can assist in the initial triage of the incident by providing insight into the top characteristics of the incident that you should be aware of.
## Alerts
-You can view all the alerts related to the incident and other information about them such as severity, entities that were involved in the alert, the source of the alerts (Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365) and the reason they were linked together.
+On the **Alert** tab, you can view the alert queue for alerts related to the incident and other information about them such as:
+
+- Severity.
+- The entities that were involved in the alert.
+- The source of the alerts (Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office 365).
+- The reason they were linked together.
+
+Here's an example.
-![Image of the incident alerts page](../../media/incident-alerts.png)
-By default, the alerts are ordered chronologically, to allow you to first view how the attack played out over time. Clicking on each alert will lead you to the relevant alert page where you can conduct an in-depth investigation of that alert. Learn how to use alert pages and the unified alert queue in [Investigate alerts](investigate-alerts.md)
+By default, the alerts are ordered chronologically to allow you to see how the incident played out over time. Selecting each alert takes you to the alert's main page where you can conduct an in-depth investigation of that alert.
+
+Learn how to use the alert queue and alert pages in [Investigate alerts](investigate-alerts.md)
## Devices
-The devices tab lists all the devices where alerts related to the incident are seen.
+The **Devices** tab lists all the devices related to the incident. Here's an example.
-Clicking the name of the machine where the attack was conducted navigates you to its Machine page where you can see alerts that were triggered on it and related events provided to ease investigation.
-![Image of machines tab of an incident](../../media/incident-machines.png)
+You can select the check mark for a device to see details of the device, directory data, active alerts, and logged on users. Select the name of the device to see device details in the Microsoft Defender for Endpoints device inventory.
-Selecting the Timeline tab enables you to scroll through the machine timeline and view all events and behaviors observed on the machine in chronological order, interspersed with the alerts raised.
-> [!TIP]
-> You can do on-demand scans on a device page. In the Microsoft 365 security center, choose **Device inventory**. Select a device that has alerts, and then run an antivirus scan. Actions, such as antivirus scans, are tracked and are visible on the **Device inventory** page. To learn more, see [Run Microsoft Defender Antivirus scan on devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#run-microsoft-defender-antivirus-scan-on-devices).
+From the device page, you can gather additional information about the device, such as all of its alerts, a timeline, and security recommendations. For example, from the **Timeline** tab, you can scroll through the machine timeline and view all events and behaviors observed on the machine in chronological order, interspersed with the alerts raised.
+> [!TIP]
+> You can do on-demand scans on a device page. In the Microsoft 365 security center, choose **Endpoints > Device inventory**. Select a device that has alerts, and then run an antivirus scan. Actions, such as antivirus scans, are tracked and are visible on the **Device inventory** page. To learn more, see [Run Microsoft Defender Antivirus scan on devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#run-microsoft-defender-antivirus-scan-on-devices).
## Users
-See users that have been identified to be part of, or related to a given incident.
+The **Users** tab lists all the users that have been identified to be part of or related to the incident. Here's an example.
-Clicking the username navigates you to the user's Cloud App Security page where further investigation can be conducted.
-![Image of users tab of an incident](../../media/incident-users.png)
+You can select the check mark for a user to see details of the user account threat, exposure, and contact information.
+Select the user name to see additional user account details.
## Mailboxes
-Investigate mailboxes that's been identified to be part of, or related to an incident. To do further investigative work, selecting the mail-related alert will open Microsoft Defender for Office 365 where you can take remediation actions.
+The **Mailboxes** tab lists all the mailboxes that have been identified to be part of or related to the incident. Here's an example.
-![Image of mailbox tab of an incident](../../media/incident-mailboxes.png)
+
+You can select the check mark for a mailbox to see a list of active alerts. Select the mailbox name to see additional mailbox details on the Explorer page for Microsoft Defender for Office 365.
## Investigations
-Select **Investigations** to see all the automated investigations triggered by alerts in this incident. The investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Microsoft Defender for Endpoint and Defender for Office 365.
+The **Investigations** tab lists all the automated investigations triggered by alerts in this incident. The investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Microsoft Defender for Endpoint and Defender for Office 365.
-![Image of investigations tab of an incident](../../media/incident-investigations.png)
Select an investigation to navigate to the Investigation details page to get full information on the investigation and remediation status. If there are any actions pending for approval as part of the investigation, they will appear in the Pending actions tab. Take action as part of incident remediation.
-## Evidence
+## Evidence and Response
+
+The **Evidence and Response** tab shows all the supported events and suspicious entities in the alerts in the incident. Here's an example.
-Microsoft 365 Defender automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with autoresponse and information about the important files, processes, services, emails, and more. This helps quickly detect and block potential threats in the incident.
-![Image of evidence tab of an incident](../../media/incident-evidence.png)
+Microsoft 365 Defender automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with information about the important emails, files, processes, services, IP Addresses, and more. This helps you quickly detect and block potential threats in the incident.
-Each of the analyzed entities will be marked with a verdict (Malicious, Suspicious, Clean) as well as a remediation status. This assists you in understanding the remediation status of the entire incident and what are the next steps that can be taken to further remediate.
+Each of the analyzed entities is marked with a verdict (Malicious, Suspicious, Clean) and a remediation status. This helps you understand the remediation status of the entire incident and what next steps can be taken.
## Related topics
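Review bot: the screenshots `incident-alerts.png`, `incident-machines.png`, `incident-users.png`, `incident-mailboxes.png`, `incident-investigations.png` and `incident-evidence.png` are removed, but the added `Here's an example.` sentences under **Alerts**, **Devices**, **Users**, **Mailboxes** and **Evidence and Response** have no replacement image in the hunk, so each one now dangles; add the new screenshots or remove the sentences. Three smaller points: `Microsoft Defender for Endpoints device inventory` should be `Microsoft Defender for Endpoint`, the product name used elsewhere in this hunk; `On the **Alert** tab` sits under the `## Alerts` heading, so use **Alerts**; and the new `## Evidence and Response` heading does not match the **Evidence** tab name that the overview-security-center.md hunk in this same change set lists, so align the two. `Learn how to use the alert queue and alert pages in [Investigate alerts](investigate-alerts.md)` is also missing its terminal period.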
security Investigate Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
+Incident management is critical in ensuring that threats are contained and addressed.
+You manage incidents from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
-Managing incidents is critical in ensuring that threats are contained and addressed. In Microsoft 365 Defender, you have access to managing incidents on devices, users, and mailboxes.
+Here are the ways you can manage your incidents:
-You can manage incidents by selecting an incident from the **Incidents queue**.
+- Change the incident name
+- Add incident tags.
+- Assign the incident to a user account
+- Resolve them
+- Set its classification and determination
+- Add comments.
-You can edit the name of an incident, resolve it, set its classification and determination. You can also assign the incident to yourself, add incident tags and comments.
+You can manage incidents from the **Manage incident** pane for an incident. Here's an example.
-In cases where while investigating you would like to move alerts from one incident to another you can also do so from the Alerts tab, thus creating a larger or smaller incident that include all relevant alerts.
-## Edit incident name
-Incidents are automatically assigned a name based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
+You can display this pane from the **Manage incident** link on the:
-For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
+- Properties pane of an incident in the incident queue.
+- **Summary** page of an incident.
-You can modify the incident name to better align with your preferred naming convention.
+In cases where, while investigating you would like to move alerts from one incident to another, you can also do so from the **Alerts** tab, thus creating a larger or smaller incident that includes all relevant alerts.
+
+## Edit the incident name
+
+Incidents are automatically assigned a name based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident. For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
+
+You can edit the incident name from the **Incident name** field on the **Manage incident** pane.
> [!NOTE] > Incidents that existed prior the rollout of the automatic incident naming feature will retain their name.
+## Add incident tags
+
+You can add custom tags to an incident, for example to flag a group of incidents with a common characteristic. You can later filter the incident queue for all incidents that contain a specific tag.
+When you start typing, you have the option to select from a list of selected tags.
## Assign incidents
-If an incident has not yet been assigned, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
-## Set status and classification
-### Incident status
-You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
+If an incident has not yet been assigned, you can select **Assign to** and specify the user account. Doing so assigns ownership of the incident and all the alerts associated with it.
-For example, your SOC analyst can review the urgent **Active** incidents for the day, and decide to assign them to herself for investigation.
+## Resolve incident
-Alternatively, your SOC analyst might set the incident as **Resolved** if the incident has been remediated. Resolving an incident will automatically close all alerts that are part of the incident and still open.
+If the incident has been remediated, select **Resolve incident** to move the toggle to the right. Note that resolving an incident also resolves all the linked and active alerts related to the incident.
-### Classification and determination
-You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
+An incident that is not resolved displays as **Active**.
-## Add comments
-You can add comments and view historical events about an incident to see previous changes made to it.
+## Set the classification and determination
-Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
+The incident classification is whether it was a true alert or a false alert, which you configure from the **Classification** field.
-Added comments instantly appear on the pane.
+If it was a true alert, you should also specify what type of threat it was with the **Determination** field. Specifying the threat type helps your security team see threat patterns and act to defend your organization from them.
-## Add incident tags
-You can add custom tags to an incident, for example to flag a group of incidents with a common characteristic. You can later filter the incidents queue for all incidents that contain a specific tag.
+## Add comments
+
+You can add multiple comments to an incident with the **Comment** field. Each comment is added to the historical events of the incident. You can see the comments and history of an incident from the **Comments and history** link on the **Summary** page.
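Review bot: the list under `Here are the ways you can manage your incidents:` is not parallel: some items end with a period and some do not, and `Resolve them` is plural while `Change the incident name` and `Set its classification and determination` are singular; use `- Resolve it` and one punctuation convention. The two added `Here's an example.` sentences (after the quick launch sentence and after the **Manage incident** pane sentence) have no image following them in the hunk. `select from a list of selected tags` is ambiguous; say whether these are tags already applied to other incidents in the tenant. Finally, `The incident classification is whether it was a true alert or a false alert` describes the incident as an alert; the removed line spoke of whether an incident is true or false, so phrase it as a true or false positive incident instead.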
security Microsoft 365 Security Center Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mde.md
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft 365 Defender](microsoft-365-defender.md)
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft 365 Defender](microsoft-365-defender.md) - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
security Microsoft 365 Security Mde Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-mde-redirection.md
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender - Defender for Endpoint
security Overview Security Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/overview-security-center.md
ms.mktglfcycl: deploy
localization_priority: Normal f1.keywords: - NOCSH Previously updated : 02/02/2021 Last updated : 04/07/2021
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft 365 Defender](microsoft-365-defender.md)
Microsoft 365 security center brings together functionality from existing Micros
- **[Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365)** Microsoft Defender for Office 365 helps organizations secure their enterprise with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources. - **[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-advanced-threat-protection)** delivers preventative protection, post-breach detection, automated investigation, and response for devices in your organization.-- **[Microsoft 365 Defender](microsoft-365-defender.md)**
-is part of MicrosoftΓÇÖs *Extended Detection and Response* (XDR) solution that leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, and build a picture of an attack on a single dashboard.
+- **[Microsoft 365 Defender](microsoft-365-defender.md)** is part of MicrosoftΓÇÖs *Extended Detection and Response* (XDR) solution that leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, and build a picture of an attack on a single dashboard.
If you need information about what's changed from the Office 365 Security & Compliance center or the Microsoft Defender Security Center, see:
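Review bot: the added bullet keeps `MicrosoftΓÇÖs`, which is a mis-encoded right single quotation mark inherited from the removed line; replace it with a plain apostrophe (`Microsoft's`) so the rendered list item is readable, and check the file's encoding, since the corruption survives the rewrite.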
If you need information about what's changed from the Office 365 Security & Comp
All the security content that you use in the Office 365 Security and Compliance Center (protection.office.com) and the Microsoft Defender security center (securitycenter.microsoft.com) can now be found in the *Microsoft 365 security center*.
-Microsoft 365 security center helps security teams investigate and respond to attacks by brining in signals from different workloads into a single, unified experiences:
+Microsoft 365 security center helps security teams investigate and respond to attacks by bringing in signals from different workloads into a set of unified experiences for:
- Incidents & alerts - Hunting - Action Center - Threat analytics
-The Microsoft 365 security center emphasizes *unity, clarity, and common goals* as it merges Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. The merge was based on the priorities listed below, and made without sacrificing the capabilities that each security suite brought to the combination:
+The Microsoft 365 security center emphasizes *unity, clarity, and common goals* as it merges Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. The merge was based on the priorities listed below, and made without sacrificing the capabilities that each security suite brought to the combination of:
-- common building blocks-- common terminology-- common entities-- feature parity with other workloads
+- Common building blocks
+- Common terminology
+- Common entities
+- Feature parity with other workloads
## Unified investigations
-Streamlining security centers creates a single pane for investigating any incidents across a Microsoft 365 organization. A primary example is the **Incidents** node on the quick launch of the Microsoft 365 security center.
+Converging security centers creates a single place for investigating security incidents across Microsoft 365. A primary example is **Incidents** under **Incidents & alerts** on the quick launch of the Microsoft 365 security center.
-As an example, double-clicking on an incident name with **High** severity brings you to a page that demonstrates the advantage of converging centers.
+Selecting an incident name displays a page that demonstrates the value of converging security centers.
-![Multi-stage incident involving privilege escalation on multiple endpoints, showing see 16 impacted devices and 9 impacted users.](../../media/converged-incident-info-3.png)
-> [!TIP]
-> The converged **Users** tab is a good place to begin your inquiries. This single page surfaces information for users from converged workloads (Microsoft Defender for Endpoint, Microsoft Defender for Identity, and MCAS, if you leverage it) and a range of sources such as on-premises Active Directory, Azure Active Directory, synced, local, and third-party users. Learn more about [the new Users experience](investigate-users.md).
+<!--
+![Example of the Summary page for an incident in the Microsoft 365 security center](../../media/converged-incident-info-3.png)
+-->
-Incident information shows user/identity specifics and at-risk devices, beside affected mailboxes. It also relates any **Investigation information** and gathered **Evidence**. This makes it easier for admins and security operation teams to pivot from one high-risk alert to the affected users and mailboxes. Looking at the **Incident** tabs at the top of this page, there are other key security pivots available from this single location.
+Along the top of an incident page, you'll see the **Summary**, **Alerts**, **Devices**, **Users**, **Mailboxes**, **Investigations**, and **Evidence** tabs. Select these tabs for more detailed information. For example, the **Users** tab displays information for users from converged workloads (Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security) and a range of sources such as on-premises Active Directory Domain Services (AD DS), Azure Active Directory (Azure AD), and third-party identity providers. For more information, see [investigate users](investigate-users.md).
-> [!IMPORTANT]
-> Along the top of any page for a specific Incident, you'll see the **Summary**, **Alerts**, **Devices**, **Users**, **Mailboxes**, **Investigations**, and **Evidence** tabs.
+Take the time to review the incidents in your environment, drill down into these tabs, and practice building an understanding of how to access the information provided for incidents for different kinds of threats.
-Selecting **Investigations** opens a page that features a graphic of the analysis taking place and lists a status (such as **pending approval**) for remediation. Take time to select specific incidents in your environment, drill down into these tabs, and practice building a profile for different kinds of threats. Familiarity will benefit any later pressing investigations.
+For more information, see [incidents in the Microsoft 365 security center](incidents-overview.md).
## Improved processes
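Review bot: the reworded sentence `The merge was based on the priorities listed below, and made without sacrificing the capabilities that each security suite brought to the combination of:` changes the meaning: the list that follows (`Common building blocks`, `Common terminology`, ...) now reads as what the capabilities were brought to, whereas the removed line presented it as the list of priorities. Keep the original structure, for example `The merge was made without sacrificing the capabilities of either suite and was based on these priorities:`. Also, with the screenshot wrapped in an HTML comment, `Selecting an incident name displays a page that demonstrates the value of converging security centers.` has nothing to show; restore the image or reword. And the tab list names the **Evidence** tab while the investigate-incidents.md hunk in this change set retitles that section **Evidence and Response**; use one name.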
security Microsoft Defender For Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/includes/microsoft-defender-for-office.md
> [!IMPORTANT]
-> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](../defender/overview-security-center.md). This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the **Applies To** section and look for specific call-outs in this article where there might be differences.
+> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](/microsoft-365/security/mtp/overview-security-center).
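Review bot: the `[Learn what's new]` link target changes from the relative `../defender/overview-security-center.md` to the absolute `/microsoft-365/security/mtp/overview-security-center`, but the page updated in this same change set lives at `microsoft-365/security/defender/overview-security-center.md` (see the Overview Security Center commit link above); confirm the `mtp` path still resolves, or point at `/microsoft-365/security/defender/overview-security-center`.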
security Microsoft Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/includes/microsoft-defender.md
> [!IMPORTANT]
-> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross product investigations, configuration and remediation without the need to navigate to separate product portals. [Learn more about what's changed](../defender/overview-security-center.md).
+> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](/microsoft-365/security/mtp/overview-security-center).
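Review bot: after this change the include's text is word-for-word the same as microsoft-defender-for-office.md in the hunk above, including the `/microsoft-365/security/mtp/overview-security-center` link that should be checked against the `defender/overview-security-center.md` path used elsewhere in this change set; consider keeping a single include and referencing it from both places so the two cannot drift apart again.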
security Configure Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/configure-microsoft-threat-experts.md
ms.sitesec: library
ms.pagetype: security
+localization_priority: normal
audience: ITPro
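Review bot: `localization_priority: normal` uses lower-case `normal`, whereas the other front matter in this change set uses `localization_priority: Normal` (overview-security-center.md and configure-advanced-delivery.md); pick one casing. The same applies to the identical addition in microsoft-threat-experts.md below.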
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-threat-experts.md
ms.sitesec: library
ms.pagetype: security
+localization_priority: normal
audience: ITPro
security Configure Advanced Delivery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-advanced-delivery.md
+
+ Title: Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+
+ - M365-security-compliance
+
+description: Admins can learn how to use the advanced delivery policy in Exchange Online Protection (EOP) to identify messages that should not be filtered in specific supported scenarios (third-party phishing simulations and messages delivered to security operations (SecOps) mailboxes.
+ms.technology: mdo
+++
+# Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes
+
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+> [!NOTE]
+> The feature that's described in this article is in Preview, isn't available to everyone, and is subject to change.
+
+We want to keep your organization [secure by default](secure-by-default.md), so Exchange Online Protection (EOP) does not allow safe lists or filtering bypass for messages that result in malware or high confidence phishing verdicts. But, we recognize there are specific scenarios that require the delivery of unfiltered messages. For example:
+
+- **Third-party phishing simulations**: Simulated attacks can help you identify vulnerable users before a real attack impacts your organization.
+- **Security operations (SecOps) mailboxes**: Dedicated mailboxes that are used by security teams to collect and analyze unfiltered messages (both good and bad).
+
+You use the _advanced delivery policy_ in Microsoft 365 to prevent these messages _in these specific scenarios_ from being filtered<sup>\*</sup>. The advanced delivery policy ensures that messages in these scenarios are not filtered:
+
+- Filters in EOP and Microsoft Defender for Office 365 take no action on these messages.<sup>\*</sup>
+- [Zero-hour Purge (ZAP)](zero-hour-auto-purge.md) for spam and phishing takes no action on these messages.<sup>\*</sup>
+- [Default system alerts](alerts.md) are not triggered for these scenarios.
+- [AIR and clustering in Defender for Office 365](office-365-air.md) ignores these messages.
+- Specifically for third-party phishing simulations:
+ - [Admin submissions](admin-submission.md) generates an automatic response stating that the message is part of a phishing simulation campaign and is not a real threat. Alerts and AIR will not be triggered.
+ - [Safe Links in Defender for Office 365](safe-links.md) does not block or detonate the specifically identified URLs in these messages.
+ - [Safe Attachments in Defender for Office 365](safe-attachments.md) does not detonate attachments in these messages.
+
+<sup>\*</sup> You can't bypass malware filtering or ZAP for malware.
+
+Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked as system overrides. Admins can filter and analyze these system overrides in the following experiences:
+
+- [Threat Explorer/Real-time detections in Defender for Office 365 plan 2](threat-explorer.md)
+- The [Email entity Page in Threat Explorer/Real-time detections](mdo-email-entity-page.md)
+- The [Threat protection status report](view-email-security-reports.md#threat-protection-status-report)
+- [Advanced hunting in Microsoft Defender for Endpoint](../defender-endpoint/advanced-hunting-overview.md)
+- [Campaign Views](campaigns.md)
+
+## What do you need to know before you begin?
+
+- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Advanced delivery** page, open <https://protection.office.com/advanceddelivery>.
+
+- You need to be assigned permissions before you can do the procedures in this article:
+ - To create, modify, or remove configured settings in the advanced delivery policy, you need to be a member of the **Security Administrator** role group in the **Security & Compliance Center** and a member of the **Organization Management** role group in **Exchange Online**.
+ - For read-only access to the advanced delivery policy, you need to be a member of the **Global Reader** or **Security Reader** role groups.
+
+ For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md) and [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+
+## Use the Security & Compliance Center to configure third-party phishing simulations in the advanced delivery policy
+
+1. In the Security & Compliance Center, go to **Threat management** \> **Policy** \> **Advanced delivery**.
+
+2. On the **Advanced delivery** page, select the **Phishing simulation** tab, and then click **Edit**.
+
+3. On the **Third-party phishing simulation** flyout that opens, configure the following settings:
+
+ - **Sending domain**: At least one email address domain is required (for example, contoso.com). You can add up to 10 entries.
+ - **Sending IP**: At least one valid IPv4 address is required. You can add up to 10 entries. Valid values are:
+ - Single IP: For example, 192.168.1.1.
+ - IP range: For example, 192.168.0.1-192.168.0.254.
+ - CIDR IP: For example, 192.168.0.1/25.
+ - **Simulation URLs to allow**: Optionally, enter specific URLs that are part of your phishing simulation campaign that should not be blocked or detonated. You can add up to 10 entries.
+
+4. When you're finished, click **Save.**
+
+The third-party phishing simulation entries that you configured are displayed on the **Phishing simulation** tab. To make changes, click **Edit** on the tab.
+
+## Use the Security & Compliance Center to configure SecOps mailboxes in the advanced delivery policy
+
+1. In the Security & Compliance Center, go to **Threat Management** \> **Policy** \> **Advanced delivery**.
+
+2. On the **Advanced delivery** page, select the **SecOps mailbox** tab, and then click **Edit**.
+
+3. On the **SecOps mailbox** flyout that opens, enter the email addresses of existing Exchange Online mailboxes that you want to designate as SecOps mailboxes. Distribution groups are not allowed.
+
+4. When you're finished, click **Save**.
+
+The SecOps mailbox entries that you configured are displayed on the **SecOps mailbox** tab. To make changes, click **Edit** on the tab.
+
+## Additional scenarios that require filtering bypass
+
+In addition to the two scenarios that the advanced delivery policy can help you with, there are other scenarios that might require you bypass filtering:
+
+- **Third-party filters**: If you domain's MX record doesn't point to Office 365 (messages are routed somewhere else first), [secure by default](secure-by-default.md) is not available.
+
+ To bypass Microsoft filtering for messages that have already been evaluated by third-party filtering, use mail flow rules (also known as transport rules), see [Use mail flow rules to set the SCL in messages](use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages.md).
+
+- **False positives under review**: You might want to temporarily allow certain messages that are still being analyzed by Microsoft via [admin submissions](admin-submission.md) to report known good messages that are incorrectly being marked as bad to Microsoft (false positives). As with all overrides, we highly recommended that these allowances are temporary.
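Review bot: The third-party filter bullet (the paragraph beginning "To bypass Microsoft filtering for messages that have already been evaluated by third-party filtering") should say that the mail flow rule must be scoped to mail that actually arrived through the third-party filter (for example by its connector or sending IP range); an unconditioned rule that lowers the SCL would bypass filtering for all inbound mail, not just pre-filtered mail. The sentence is also a run-on; split it into "use mail flow rules (also known as transport rules). For more information, see [Use mail flow rules to set the SCL in messages](...)." Several wording slips in the same region: "might require you bypass filtering" should be "might require you to bypass filtering"; "If you domain's MX record" should be "If your domain's MX record"; "we highly recommended that these allowances are temporary" should be "we highly recommend that these allowances be temporary". Earlier in the hunk, "[Admin submissions](admin-submission.md) generates" should be "generate" to agree with the plural subject, "click **Save.**" should move the period outside the bold ("click **Save**.") to match the SecOps mailbox procedure, and the two procedures use different capitalization of the same navigation path ("Threat management" versus "Threat Management"); pick one.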