Updates from: 04/14/2022 08:10:07
Category Microsoft Docs article Related commit history on GitHub Change details
admin Ownerless Groups Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/ownerless-groups-teams.md
+
+ Title: "Manage ownerless Microsoft 365 groups and teams"
+
+f1.keywords: NOCSH
+++
+audience: Admin
++
+ms.localizationpriority: medium
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+- AdminSurgePortfolio
+- AdminTemplateSet
+- admindeeplinkMAC
+search.appverid:
+- MET150
+- MOE150
+description: "Learn how to automatically invite members to become owners in an ownerless Microsoft 365 group or a team in Microsoft Teams."
++
+# Manage ownerless Microsoft 365 groups and teams
+
+A team in Microsoft Teams or a Microsoft 365 group can become ownerless if an owner's account is deleted or disabled in Microsoft 365. Groups and teams require an owner to add or remove members and change group settings.
+
+You can create a policy what automatically asks the most active members or an ownerless group or team if they'll accept ownership. When a member accepts the invitation to become an owner, the action is logged in the compliance center audit log. Guests are never invited to be owners.
+
+When creating the policy, you can specify:
+- If you want to limit who can be invited to be an owner by specifying a security group
+- The sender address of the notifications
+- The number of weeks that the notifications will be sent
+- Which groups or teams are part of the policy
+
+To set an ownerless group or team policy
+
+1. In the admin center, go to **Show all** \> **Settings** \> **Org settings** and on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2053743" target="_blank">**Services** tab</a>, select **Microsoft 365 Groups**.
+
+1. Select the **When there's no owner, email and ask active group members to become an owner** check box.
+
+1. If you want to keep the default configuration settings, select **Save**, otherwise, select **Configure policy** and complete the following steps.
+
+1. On the *Weekly notification options* page, specify who can receive ownership notifications. If you choose to allow or block certain members, then search for and add the security group that you want to use.
+
+1. Type the number of active members that you want to notify and select the number of weeks to send the notification. (The notification list is created during the first notification and does not change.) Select **Next**.
+
+1. On the *Who is this email coming from* page, select a sender for the email, and then select **Next**.
+
+1. On the *Subject and message* page, customize the email and optionally include a **policy guideline URL**, and then select **Next**.
+
+1. On the *Select which groups to target* page, select **Specific groups** and choose the groups and teams that you want to include in this policy, or select **All groups**.
+
+1. Select **Next**.
+
+1. On the *Review and finish* page, confirm your settings and click **Finish**, and then select **Done**.
+
+Notifications are sent weekly starting within 24 hours of policy creation.
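Review bot: The second paragraph of the new article has two typos that change its meaning: "a policy what automatically asks the most active members or an ownerless group" should read "a policy that automatically asks the most active members of an ownerless group". In the same paragraph, the statement that acceptance "is logged in the compliance center audit log" would be more useful with the name of the activity to search for, since that is what an admin reviewing ownership changes needs. The last step also uses "click **Finish**" where every other step uses "select".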
admin Download Software Licenses Csp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/download-software-licenses-csp.md
f1.keywords:
-+ audience: Admin
commerce Allotment Basics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/allotment-basics.md
f1.keywords:
-+ audience: Admin
commerce Manage License Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-license-requests.md
f1.keywords:
-+ audience: Admin
commerce Subscriptions And Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/subscriptions-and-licenses.md
f1.keywords:
-+ audience: Admin
compliance Declare Records https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/declare-records.md
If you change your mind about seeing this option in the retention label wizard,
## Configuring retention labels to declare records
-When you create a retention label from the **Records Management** solution in the Microsoft 365 compliance center, you have the option to mark items as a record. If you ran the PowerShell command from the previous section, you can alternatively mark items as a regulatory record.
+When you create a retention label from the **Records Management** solution in the Microsoft 365 compliance center, you can select the option **Mark items as a record**. Then, as an additional option that's currently rolling out in preview, unlock the record by default for SharePoint and OneDrive.
+
+The additional option of **Unlock this record by default** effectively lets users declare records themselves because they lock the record when they have finished editing the content. For more information about this supported scenario, see [Use record versioning to update records stored in SharePoint or OneDrive](record-versioning.md).
+
+If you ran the PowerShell command from the previous section, you can alternatively mark items as a regulatory record.
For example:
-![Configure a retention label to mark content as a record or regulatory.](../media/recordversioning6.png)
+![Configure a retention label to mark content as a record or regulatory.](../media/declare-records.png)
Using this retention label, you can now apply it to SharePoint or OneDrive documents and Exchange emails, as needed.
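Review bot: The added paragraph on **Unlock this record by default** says users "lock the record when they have finished editing the content" but does not say what state the item is in until they do. The record-versioning article states that an unlocked record can be edited by any user with standard edit permissions but can't be deleted; a one-sentence summary of that here would tell admins what the option trades away before they follow the link. The image alt text is also unchanged although the screenshot was replaced; if declare-records.png shows the new option, the alt text should mention it.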
compliance Enable Mailbox Auditing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-mailbox-auditing.md
ms.assetid: aaca8987-5b62-458b-9882-c28476a66918
- seo-marvel-apr2020 - admindeeplinkEXCHANGE
-description: "Mailbox audit logging is turned on by default in Microsoft 365 (also called default mailbox auditing or mailbox auditing on by default). This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged in a mailbox audit log, where you can search for activities performed on the mailbox."
+description: "Mailbox audit logging is turned on by default in Microsoft 365 (also called 'default mailbox auditing' or 'mailbox auditing on by default'). This configuration means that certain actions performed by mailbox owners, delegates, and admins are automatically logged in a mailbox audit log, where you can search for activities performed on the mailbox."
# Manage mailbox auditing
-Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. Before mailbox auditing was turned on by default, you had to manually enable it for every user mailbox in your organization.
+In January 2019, Microsoft turned on mailbox audit logging by default for all organizations. This configuration means that certain actions by mailbox owners, delegates, and admins are automatically logged. It also means the corresponding mailbox audit records will be available when you search for them in the mailbox audit log. Before mailbox auditing was turned on by default, you had to manually enable it for every user mailbox in your organization.
Here are some benefits of mailbox auditing on by default:
Here are some benefits of mailbox auditing on by default:
> [!NOTE] > > - The important thing to remember about the release of mailbox auditing on by default is: you don't need to do anything to manage mailbox auditing. However, to learn more, customize mailbox auditing from the default settings, or turn it off altogether, this article can help you.
-> - By default, only mailbox audit events for E5 users are available in audit log searches in the Microsoft 365 compliance center or via the Office 365 Management Activity API. For more information, see the [More information](#more-information) section in this article.
+> - By default, only mailbox audit events for users with licenses that include the [Advanced Audit](advanced-audit.md) feature are available in audit log searches in the Microsoft 365 compliance center or via the Office 365 Management Activity API. These licenses are described [here](auditing-solutions-overview.md#advanced-audit-1). For brevity, this article will collectively refer to licenses that include Advanced Audit as *E5/A5/G5 licenses*.
+> For more information about how licensing affects mailbox auditing events in the M365 compliance center, see the [More information](#more-information) section later in this article.
## Verify mailbox auditing on by default is turned on
Get-OrganizationConfig | Format-List AuditDisabled
The value **False** indicates that mailbox auditing on by default is enabled for the organization. This on by default organizational value overrides the mailbox auditing setting on specific mailboxes. For example, if mailbox auditing is disabled for a mailbox (the *AuditEnabled* property is **False** on the mailbox), the default mailbox actions will still be audited for the mailbox, because mailbox auditing on by default is enabled for the organization.
-To keep mailbox auditing disabled for specific mailboxes, you configure mailbox auditing bypass for the mailbox owner and other users who have been delegated access to the mailbox. For more information, see the [Bypass mailbox audit logging](#bypass-mailbox-audit-logging) section in this article.
+To keep mailbox auditing disabled for specific mailboxes, you configure mailbox auditing bypass for the mailbox owner and other users who have been delegated access to the mailbox. For more information, see the [Bypass mailbox audit logging](#bypass-mailbox-audit-logging) section later in this article.
> [!NOTE] > When mailbox auditing on by default is turned on for the organization, the *AuditEnabled* property for affected mailboxes won't be changed from **False** to **True**. In other words, mailbox auditing on by default ignores the *AuditEnabled* property on mailboxes.
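Review bot: In the rewritten licensing bullet of the first [!NOTE] block, the link text "[here]" gives no indication of its target, and the follow-on sentence uses "M365 compliance center" where the rest of the article uses "Microsoft 365 compliance center". Suggest naming the target in the link text, for example "licenses that include the Advanced Audit feature" as the More information section does, and spelling out the product name. The follow-on sentence also starts with "> " and no list marker, so check that it renders as part of the bullet it continues.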
The following table describes the mailbox actions that are available in mailbox
|**FolderBind**|A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. <br/><br/> **Note**: Audit records for folder bind actions performed by delegates are consolidated. One audit record is generated for individual folder access within a 24-hour period.|![Check mark.](../media/checkmark.png)|![Check mark.](../media/checkmark.png)|| |**HardDelete**|A message was purged from the Recoverable Items folder.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>| |**MailboxLogin**|The user signed into their mailbox.|||![Check mark](../media/checkmark.png)|
-|**MailItemsAccessed**|**Note**: This value is available only for E5 or E5 Compliance add-on subscription users. For more information, see [Set up Advanced Audit in Microsoft 365](set-up-advanced-audit.md). <br/><br/> Mail data is accessed by mail protocols and clients.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
-|**MessageBind**|**Note**: This value is available only for E3 users (users without E5 or E5 Compliance add-on subscriptions). <br/><br/> A message was viewed in the preview pane or opened by an admin.|![Check mark](../media/checkmark.png)|||
+|**MailItemsAccessed**|**Note**: This value is available only for users with E5/A5/G5 licenses. For more information, see [Set up Advanced Audit in Microsoft 365](set-up-advanced-audit.md). <br/><br/> Mail data is accessed by mail protocols and clients.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
+|**MessageBind**|**Note**: This value is available only for users *without* E5/A5/G5 licenses. <br/><br/> A message was viewed in the preview pane or opened by an admin.|![Check mark](../media/checkmark.png)|||
|**ModifyFolderPermissions**|Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.|||| |**Move**|A message was moved to another folder.|![Check mark.](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)| |**MoveToDeletedItems**|A message was deleted and moved to the Deleted Items folder.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| |**RecordDelete**|An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder).|![Check mark.](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)| |**RemoveFolderPermissions**|Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.||||
-|**SearchQueryInitiated**|**Note**: This value is available only for E5 or E5 Compliance add-on subscription users. For more information, see [Set up Advanced Audit in Microsoft 365](set-up-advanced-audit.md). <br/><br/> A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox.|||![Check mark](../media/checkmark.png)|
-|**Send**|**Note**: This value is available only for E5 or E5 Compliance add-on subscription users. For more information, see [Set up Advanced Audit in Microsoft 365](set-up-advanced-audit.md). <br/><br/> The user sends an email message, replies to an email message, or forwards an email message.|![Check mark.](../media/checkmark.png)<sup>\*</sup>||![Check mark](../media/checkmark.png)<sup>\*</sup>|
+|**SearchQueryInitiated**|**Note**: This value is available only for users with E5/A5/G5 licenses. For more information, see [Set up Advanced Audit in Microsoft 365](set-up-advanced-audit.md). <br/><br/> A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox.|||![Check mark](../media/checkmark.png)|
+|**Send**|**Note**: This value is available only for users with E5/A5/G5 licenses. For more information, see [Set up Advanced Audit in Microsoft 365](set-up-advanced-audit.md). <br/><br/> The user sends an email message, replies to an email message, or forwards an email message.|![Check mark.](../media/checkmark.png)<sup>\*</sup>||![Check mark](../media/checkmark.png)<sup>\*</sup>|
|**SendAs**|A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| |**SendOnBehalf**|A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| |**SoftDelete**|A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark.](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
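Review bot: The four rewritten table notes (MailItemsAccessed, MessageBind, SearchQueryInitiated, Send) depend on the shorthand *E5/A5/G5 licenses*, which is defined only in a note near the top of the article. The removed text named the "E5 Compliance add-on subscription" explicitly, and a reader who lands on the table can no longer tell whether add-on subscriptions still count. Suggest linking the first use in the table to auditing-solutions-overview.md#advanced-audit-1, as the More information section does.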
The value **True** indicates that mailbox audit logging is bypassed for the user
## More information -- Although mailbox audit logging on by default is enabled for all organizations, only users with E5 licenses will return mailbox audit log events in [audit log searches in the Microsoft 365 compliance center](search-the-audit-log-in-security-and-compliance.md) or via the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference) **by default**.
+- Although mailbox audit logging on by default is enabled for all organizations, only users with [licenses that include the Advanced Audit feature](auditing-solutions-overview.md#advanced-audit-1) (collectively referred to as *E5/A5/G5 licenses*) will return mailbox audit log events in [audit log searches in the Microsoft 365 compliance center](search-the-audit-log-in-security-and-compliance.md) or via the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference) **by default**.
- To retrieve mailbox audit log entries for users without E5 licenses, you can:
+ To retrieve mailbox audit log entries for users without E5/A5/G5 licenses, you can use any of the following workarounds:
- - Manually enable mailbox auditing on individual mailboxes (run the command, `Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true`). After you do this, you can use audit log searches in the Microsoft 365 compliance center or via the Office 365 Management Activity API.
+ - Manually enable mailbox auditing on the affected user mailboxes by running the following command: `Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true`. After you enable mailbox auditing on the mailbox, you can use audit log searches in the Microsoft 365 compliance center or via the Office 365 Management Activity API.
> [!NOTE] > If mailbox auditing already appears to be enabled on the mailbox, but your searches return no results, change the value of the *AuditEnabled* parameter to `$false` and then back to `$true`.
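Review bot: The reworded workaround tells readers to run `Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true`, while the section on verifying the default states that mailbox auditing on by default ignores the *AuditEnabled* property. Both statements are on the page with nothing connecting them, so add a sentence here saying what the property still controls for mailboxes without E5/A5/G5 licenses (per this bullet, whether their events are returned by audit log searches and the Office 365 Management Activity API). "The affected user mailboxes" would also benefit from a pointer on how to identify them.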
compliance File Plan Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/file-plan-manager.md
All columns except the label **Name** can be displayed or hidden by selecting th
- Yes - Yes(Regulatory)
+- **Is unlocked by default** ΓÇöcurrently rolling outΓÇöidentifies if the item marked as a record is unlocked when the label is applied. Valid values:
+ - No
+ - Yes
+ - **Retention duration** identifies the retention period. Valid values: - Days - Months
Use the following information to help you fill out the downloaded template to im
|CitationJurisdiction|String|No|This property specifies the jurisdiction or agency that's displayed in the **Provision/citation** file plan descriptor. For example, "U.S. Securities and Exchange Commission (SEC)".| |Regulatory|String|No|This property specifies whether the label marks the content as a regulatory record, which is [more restrictive](records-management.md#compare-restrictions-for-what-actions-are-allowed-or-blocked) than a record. To use this label configuration, your tenant must be configured to [display the option to mark content as a regulatory record](declare-records.md#how-to-display-the-option-to-mark-content-as-a-regulatory-record), or the import validation will fail. Valid values are: </br>**TRUE**: The label marks the item as a regulatory record. You must also set the **IsRecordLabel** property to TRUE.</br>**FALSE**: The label doesn't mark the content as a regulatory record. This is the default value.| |EventType|String|No, unless **RetentionType** is **EventAgeInDays**|This property specifies an event type used for [event-based retention](event-driven-retention.md). Specify an existing event type that's displayed in **Records management** > **Events** > **Manage event types**. Alternatively, use the [Get-ComplianceRetentionEventType](/powershell/module/exchange/get-complianceretentioneventtype) cmdlet to view the available event types. Although there are some built-in event types, such as **Employee activity** and **Product lifetime**, you can also create your own event types. </br> </br> If you specify your own event type, it must exist before the import because the name is validated as part of the import process.|
-|||
+
+Label settings not currently supported for import:
+
+- Multi-stage disposition review: Although you can configure the settings for a single disposition review stage when you import retention labels with a template, you can't specify additional review stages. Instead, configure these in the compliance center after the import succeeds.
+
+- Unlock this record by default (currently rolling out in preview): This setting isn't available in the template to import, and you can't select this setting in the compliance center after the import succeeds.
+ ## Next steps
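Review bot: In the new list of settings not supported for import, the **Unlock this record by default** item says the setting can't be imported and can't be selected after the import succeeds, but stops short of the consequence. State it directly: a label that needs this setting has to be created in the compliance center rather than imported. The matching **Is unlocked by default** column bullet added above sets off "currently rolling out" with dashes while this item uses parentheses; pick one form.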
compliance Record Versioning https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/record-versioning.md
The ability to mark a document as a [record](records-management.md#records) and
For example, you might mark a sales contract as a record, but then need to update the contract with new terms and mark the latest version as a new record while still retaining the previous record version. For these types of scenarios, SharePoint and OneDrive support *record versioning*. OneNote notebook folders don't support record versioning.
-To use record versioning, you first [label the document and mark it as a record](declare-records.md). At this point, a document property, called *Record status* is displayed next to the retention label, and the initial record status is **Locked**.
+To use record versioning, you first label the document with a [retention label that's configured to mark items as a record](declare-records.md). At this point, a document property, called *Record status* is displayed next to the retention label. Depending on whether the label is configured to unlock the record by default (currently rolling out), the initial record status is either **Locked** or **Unlocked**.
You can now do the following things: - **Continually edit and retain individual versions of the document as records, by unlocking and locking the Record status property.** Only when the **Record status** property is set to **Locked** is a new version of the record retained. This toggle of locked and unlocked reduces the risk of retaining unnecessary versions and copies of the document.
+
+ > [!NOTE]
+ > If the label is configured to unlock the record by default, but versioning is not enabled by the admin, or prevented by the records management setting, users will not be able to unlock the document after they lock it.
-- **Have the records automatically stored in an in-place records repository located within the site collection.** Each site collection in SharePoint and OneDrive preserves content in its Preservation Hold library. Record versions are stored in the Records folder in this library.
+- **Have the records automatically stored in an in-place records repository located with the site.** Each site in SharePoint and OneDrive preserves content in its Preservation Hold library. Record versions are stored in the Records folder in this library. For more information about how the Preservation Hold library works, see [How retention works for SharePoint and OneDrive](retention-policies-sharepoint.md#how-retention-works-for-sharepoint-and-onedrive).
- **Maintain an evergreen document that contains all versions.** By default, each SharePoint and OneDrive document has a version history available on the item menu. In this version history, you can easily see which versions are records and view those documents. > [!TIP] > When you use record versioning with a retention label that has a delete action, consider configuring the retention setting **Start the retention period based on:** to be **When items were labeled**. With this label setting, the start of the retention period is reset for each new record version, which ensures that older versions will be deleted before newer versions.
-Record versioning is automatically available for any document that has a retention label applied that marks the item as a record, and that label is [published to the site](create-apply-retention-labels.md). When a user views the document properties by using the details pane, they can toggle the **Record status** from **Locked** to **Unlocked**. This action creates a record in the Records folder in the Preservation Hold library, where it resides for the remainder of its retention period.
+By default, record versioning is automatically available for any document that has a retention label applied that marks the item as a record, and that label is [published to the site](create-apply-retention-labels.md). When a user views the document properties by using the details pane, they can toggle the **Record status** between **Locked** and **Unlocked**.
While the document is unlocked, any user with standard edit permissions can edit the file. However, users can't delete the file, because it's still a record. When editing is complete, a user can then toggle the **Record status** from **Unlocked** to **Locked**, which prevents further edits while in this status. <br/><br/> :::image type="content" alt-text="Record status property on document tagged as a record." source="../media/recordversioning8.png" lightbox="../media/recordversioning8.png":::
+For more information about what user actions are allowed when a record is locked or unlocked, see [Compare restrictions for what actions are allowed or blocked](records-management.md#compare-restrictions-for-what-actions-are-allowed-or-blocked).
+ ## Locking and unlocking a record After a retention label that marks content as a record is applied to a document, any user with Contribute permissions or a narrower permission level can unlock a record or lock an unlocked record.
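Review bot: In the rewritten repository bullet, "located with the site" looks like a dropped word; the line it replaces said "located within the site collection", so this should be "located within the site". The added [!NOTE] also refers to versioning being "prevented by the records management setting" without naming the setting or linking to it; since the outcome is that users can't unlock a document after they lock it, name the setting so an admin can check it before publishing a label that unlocks by default.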
After a retention label that marks content as a record is applied to a document,
:::image type="content" alt-text="Record status shows record document is unlocked." source="../media/recordversioning9.png" lightbox="../media/recordversioning9.png":::
-When a user unlocks a record, the following actions occur:
+When a record is unlocked, the following actions occur:
-1. If the current site collection doesn't have a Preservation Hold library, one is created.
+1. If the current site doesn't have a Preservation Hold library, one is created.
2. If the Preservation Hold library doesn't have a Records folder, one is created.
When a user locks a record, the original document again can't be edited. But it
## Record versions
-Each time a user unlocks a record, the latest version is copied to the Preservation Hold library, and that version contains the value of **Record** in the **Comments** field of the version history.
+Each time a record is unlocked, the latest version is copied to the Preservation Hold library, and that version contains the value of **Record** in the **Comments** field of the version history.
<br/><br/> :::image type="content" alt-text="Record shown in the Preservation Hold library." source="../media/recordversioning10.png" lightbox="../media/recordversioning10.png"::: To view the version history, select a document in the document library and then click **Version history** in the item menu.
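Review bot: It is unclear from "When a record is unlocked, the following actions occur" and "Each time a record is unlocked" whether applying a label that unlocks the record by default counts as an unlock. Say explicitly whether the Preservation Hold library and Records folder are created, and a version copied, at the moment such a label is applied or only on a later toggle from **Locked** to **Unlocked**.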
-## Where records are stored
-
-Records are stored in the Records folder in the Preservation Hold library in the top-level site in the site collection. In the left navigation on the top-level site, choose **Site contents** \> **Preservation Hold Library**.
-<br/><br/>
-
-![Preservation Hold library.](../media/recordversioning11.png)
-
-<br/><br/>
-
-![The Records folder in the Preservation Hold library.](../media/recordversioning12.png)
-
-For more information about how the Preservation Hold library works, see [How retention works for SharePoint and OneDrive](retention-policies-sharepoint.md#how-retention-works-for-sharepoint-and-onedrive).
- ## Searching the audit log for record versioning events The actions of locking and unlocking records are logged in the audit log. From **File and page activities**, select **Changed record status to locked** and **Changed record status to unlocked**.
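Review bot: The navigation path to the records, **Site contents** > **Preservation Hold Library** on the top-level site, is lost with the removal of the "Where records are stored" section, along with both screenshots. The replacement is a link to retention-policies-sharepoint.md added to the repository bullet; confirm that article tells readers how to reach the Records folder, or keep the one-line path here.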
compliance Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-settings.md
Be aware that **Conversation History**, a folder in Outlook, is a feature that h
By choosing the settings for retaining and deleting content, your policy for retention will have one of the following configurations for a specified period of time: - Retain-only-
- For this configuration, choose **Retain items for a specific period** and **At end of the retention period: Do nothing**. Or, select **Retain items forever**.
+
+ For this configuration, choose the following options:
+
+ - For retention policies: On the **Decide if you want to retain content, delete it, or both** page, select **Retain items for a specific period**, specify the retention period and then for **At end of the retention period** select **Do nothing** for the retention settings to be removed. Or to retain without an end date, select **Retain items forever** on this page.
+
+ - For retention labels: On the **Define label settings page**, select **Retain items indefinitely or for a specific period**, and then:
+ - For the retention settings to no longer be in effect on the labeled content after a specific time: On the **Define the retention period** page, for **Retain items for**, specify the time period. Then on the **Choose what happens after the retention period** page, select **Deactivate retention settings**. The label remains on the content but with no restrictions, as if it's a [label that just classifies](retention.md#classifying-content-without-applying-any-actions).
+ - To retain without an end date: On the **Define the retention period** page, for **Retain items for**, select **An indefinite period**. The label remains on the content with any [existing restrictions](records-management.md#compare-restrictions-for-what-actions-are-allowed-or-blocked ).
- Retain and then delete
- For this configuration, choose **Retain items for a specific period** and **At end of the retention period: Delete items automatically**.
+ For this configuration, choose the following options:
+
+ - For retention policies: On the **Decide if you want to retain content, delete it, or both** page, select **Retain items for a specific period**, specify the retention period and then for **At end of the retention period** select **Delete items automatically**.
+
+ - For retention labels: On the **Define label settings** page, select **Retain items indefinitely or for a specific period**, specify the retention period and then for **Choose what happens after the retention period**, select either **Delete items automatically** or **Start a disposition review**. For information about disposition reviews, see [Disposition review](disposition.md#disposition-reviews).
- Delete-only
- For this configuration, choose **Only delete items when they reach a certain age**.
+ For this configuration, choose the following options:
+
+ - For retention policies: On the **Decide if you want to retain content, delete it, or both** page, select **Only delete items when they reach a certain age**, and specify the time period.
+
+ - For retention labels: On the **Define label settings** page, select **Enforce actions after a specific period** and specify the time period, still referred to as the retention period. The option **Choose what happens after the period** is automatically set to **Delete items automatically**.
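Review bot: Two formatting slips in the retain-only retention label steps. "On the **Define label settings page**" bolds the word "page", unlike the two later occurrences of "**Define label settings** page", and the link to records-management.md#compare-restrictions-for-what-actions-are-allowed-or-blocked has a space before the closing parenthesis, which can stop it rendering as a link. The delete-only label step also names the option "Choose what happens after the period" while the other steps call it "Choose what happens after the retention period"; confirm which matches the UI.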
### Retaining content for a specific period of time
Examples:
- Exchange: If you want to retain items in a mailbox for seven years, and a message was sent six years ago, the message will be retained for only one year. For Exchange items, the age is based on the date received for incoming email, or the date sent for outgoing email. Retaining items based on when it was last modified applies only to site content in OneDrive and SharePoint.
-At the end of the retention period, you choose whether you want the content to be permanently deleted:
+At the end of the retention period, you choose whether you want the content to be permanently deleted. For example, for retention polices:
![Retention settings page.](../media/b05f84e5-fc71-4717-8f7b-d06a29dc4f29.png)
Before you configure retention, first familiarize yourself with capacity and sto
### Deleting content that's older than a specific age
-A policy for retention can retain and then delete items, or delete old items without retaining them.
+Retention settings can retain and then delete items, or delete old items without retaining them.
-In both cases, if your policy deletes items, it's important to understand that the time period you specify is not calculated from the time the policy was assigned, but according to the start of the retention period specified. For example, from the time when the item was created or modified, or labeled.
+In both cases, if your retention settings delete items, it's important to understand that the time period you specify is not calculated from the time the policy was assigned, but according to the start of the retention period specified. For example, from the time when the item was created or modified, or labeled.
-For this reason, first consider the age of the existing content and how the policy may impact that content. You might also want to communicate the new policy to your users before assigning it, to give them time to assess the possible impact.
+For this reason, first consider the age of the existing content and how the settings might impact that content. Consider communicating your chosen settings to your users and help desk before the settings are applied to content, which gives them time to assess the possible impact.
### A policy that applies to entire locations
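Review bot: In the added sentence under "Retaining content for a specific period of time", "for retention polices:" should read "for retention policies:". The added link to records-management.md#compare-restrictions-for-what-actions-are-allowed-or-blocked has a stray space before the closing parenthesis; remove it so it matches the other links. In the delete-only bullet for retention labels, "still referred to as the retention period" would benefit from a short clause saying that nothing is retained in this configuration, so readers do not assume the content is protected from deletion during that time.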
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
Be sure to read the following items before you start searching the audit log.
- Azure Active Directory (Azure AD) is the directory service for Microsoft 365. The unified audit log contains user, group, application, domain, and directory activities performed in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> or in the Azure management portal. For a complete list of Azure AD events, see [Azure Active Directory Audit Report Events](/azure/active-directory/reports-monitoring/concept-audit-logs). -- It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search. The following table shows the time it takes for the different services in Microsoft 365.-
- |Microsoft 365 service or feature|30 minutes|24 hours|
- ||::|::|
- |Defender for Microsoft 365 and Threat Intelligence|![Check mark.](../media/checkmark.png)||
- |Azure Active Directory (user login events)||![Check mark.](../media/checkmark.png)|
- |Azure Active Directory (admin events)||![Check mark.](../media/checkmark.png)|
- |Data Loss Prevention|![Check mark.](../media/checkmark.png)||
- |Dynamics 365 CRM||![Check mark.](../media/checkmark.png)|
- |eDiscovery|![Check mark.](../media/checkmark.png)||
- |Exchange Online|![Check mark.](../media/checkmark.png)||
- |Microsoft Power Automate||![Check mark.](../media/checkmark.png)|
- |Microsoft Stream|![Check mark.](../media/checkmark.png)||
- |Microsoft Teams|![Check mark.](../media/checkmark.png)||
- |Power Apps||![Check mark.](../media/checkmark.png)|
- |Power BI|![Check mark.](../media/checkmark.png)||
- |Microsoft 365 compliance center|![Check mark.](../media/checkmark.png)||
- |Sensitivity labels||![Check mark.](../media/checkmark.png)|
- |SharePoint Online and OneDrive for Business|![Check mark.](../media/checkmark.png)||
- |Workplace Analytics|![Check mark.](../media/checkmark.png)||
- |Yammer||![Check mark.](../media/checkmark.png)|
- |Microsoft Forms|![Check mark.](../media/checkmark.png)||
- ||||
+- Microsoft doesn't guarantee a specific time after an event occurs for the corresponding audit record to be returned in the results of an audit log search. For core services (such as Exchange, SharePoint, OneDrive, and Teams), audit record availability is typically 60 to 90 minutes after an event occurs. For other services, audit record availability may be longer. However, some issues that are unavoidable (such as a server outage) may occur outside of the audit service that delays the availability of audit records. For this reason, Microsoft doesn't commit to a specific time.
- Audit logging for Power BI isn't enabled by default. To search for Power BI activities in the audit log, you have to enable auditing in the Power BI admin portal. For instructions, see the "Audit logs" section in [Power BI admin portal](/power-bi/service-admin-portal#audit-logs).
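Review bot: The replacement bullet drops the per-service table without giving any figure for the services that sat in the 24-hour column (Azure Active Directory user login and admin events, Sensitivity labels, Power Apps and others); "may be longer" leaves an investigator with no basis for deciding how long to wait before treating a missing record as a missing event. Consider saying explicitly that an empty search result shortly after an event is not evidence that the event did not occur. The sentence beginning "However, some issues that are unavoidable" also has a number mismatch ("issues ... that delays") and would read better as "However, unavoidable issues outside the audit service (such as a server outage) may delay the availability of audit records."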
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
Make sure you understand the following prerequisites before you turn on this fea
- Sensitivity labels must be [enabled for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md) for the tenant. If this feature isn't already enabled, it will be automatically enabled when you select the setting to turn on co-authoring for files with sensitivity labels. - Microsoft 365 Apps for enterprise:
- - **Windows**: Minimum version 2107 from Current Channel or Monthly Enterprise Channel, or minimum version 2202 from Semi-Annual Enterprise Channel
+ - **Windows**: Minimum version 2107 from Current Channel or Monthly Enterprise Channel, or minimum version 2202 from Semi-Annual Enterprise Channel (Preview)
- **macOS**: Minimum version 16.51 - **iOS**: Now in preview when you [opt in](#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) with minimum version 2.58 - **Android**: Now in preview when you [opt in](#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) with minimum version 16.0.14931
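Review bot: On the Windows bullet, the appended "(Preview)" is ambiguous: it can be read as part of the channel name or as the status of co-authoring on version 2202. The iOS and Android bullets spell out "Now in preview when you opt in", so use equally explicit wording here to say which is meant.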
contentunderstanding Content Assembly https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/content-assembly.md
audience: admin-+ ms.prod: microsoft-365-enterprise search.appverid:
- enabler-strategic - m365initiative-syntex ms.localizationpriority: medium
-description: Learn how to automatically create documents and other content using content assembly in Microsoft SharePoint Syntex.
+description: Learn how to automatically create documents and other content using a modern template in Microsoft SharePoint Syntex.
# Create documents using content assembly in Microsoft SharePoint Syntex
Follow these steps to create a modern template.
5. Create placeholders for all dynamic text in the document that users might want to change from one document to another. For example, you might want to create a placeholder for input such as company name, client name, address, phone number, or date. To create a placeholder, select the text (such as the date). The **All placeholders** panel will open, where you'll give the placeholder a relevant name and choose the type of input you want to associate with the placeholder.
+
+ ![Screenshot of the template viewer showing a field highlighted and the All placeholders panel.](../media/content-understanding/content-assembly-create-template-4b.png)
- ![Screenshot of the template viewer showing a field highlighted and the All placeholders panel.](../media/content-understanding/content-assembly-create-template-4a.png)
-
- Currently, there are two ways for users to fill in a placeholder:
+ Currently, there are three ways for users to fill in a placeholder:
- [Enter text or select a date](#associate-a-placeholder-by-entering-text-or-selecting-a-date) - [Select from choices in a column of a list or library](#associate-a-placeholder-by-selecting-from-choices-in-a-column-of-a-list-or-library)
+ - [Select from managed metadata term set or term](#associate-a-placeholder-by-selecting-from-managed-metadata-term-set-or-term)
> [!NOTE]
- > You can create placeholders for text only. Currently, images, smart art, tables, and bullet lists are not supported.
+ > You can create placeholders for text only. Images, smart art, tables, and bullet lists are currently not supported.
### Associate a placeholder by entering text or selecting a date
On the **All placeholders** panel:
1. In the **Name** field, enter a relevant name for the placeholder.
- ![Screenshot of the template viewer showing the All placeholders panel for manual input.](../media/content-understanding/content-assembly-create-template-5.png)
+ ![Screenshot of the template viewer showing the All placeholders panel for manual input.](../media/content-understanding/content-assembly-create-template-5a.png)
2. In the **How authors fill in this placeholder** section, select **Enter text or select a date**.
On the **All placeholders** panel:
1. In the **Name** field, enter a relevant name for the placeholder.
- ![Screenshot of the template viewer showing the All placeholders panel for input from a SharePoint list.](../media/content-understanding/content-assembly-create-template-6.png)
+ ![Screenshot of the template viewer showing the All placeholders panel for input from a SharePoint list.](../media/content-understanding/content-assembly-create-template-6a.png)
2. In the **How authors fill in this placeholder** section, choose **Select from choices in a column of a list or library**, and then choose **Select**.
On the **All placeholders** panel:
6. If you want users to be able to add inputs manually, in addition to choosing from a list, select **Allow authors to add new choices**. In this case, the default for the manual input data type is *Single line of text*. Also the values input by the authors will only be used to generate the document. They won't be added to the SharePoint list.
- You can create as many placeholders as you think are necessary. When you're done, you can choose to save the template as a draft or publish the template.
+### Associate a placeholder by selecting from managed metadata term set or term
+
+On the **All placeholders** panel:
+
+1. In the **Name** field, enter a relevant name for the placeholder.
+
+ ![Screenshot of the template viewer showing the All placeholders panel for input from a term or term set.](../media/content-understanding/content-assembly-create-template-term.png)
+
+2. In the **How authors fill in this placeholder** section, choose **Select from managed metadata term set or term**, and then choose **Select**.
+
+3. On the **Select term sets or terms** page, search for or select the term set or term to associate with the placeholder, and then select **Save**.
+
+ ![Screenshot of the Select term sets or terms page.](../media/content-understanding/content-assembly-select-term.png)
+
+4. When youΓÇÖre done, youΓÇÖll see that the selected term set or term has been associated with the placeholder.
+
+ ![Screenshot of the All placeholders panel showing the associated term set or term.](../media/content-understanding/content-assembly-associated-term.png)
+
+5. If you want users to be able to add multiple values corresponding to the term set or term, select **Allow multiple values**. Also, if the term set is configured as an open term set, you can select **Allow new values**. If you enable this option, users who generate documents from the modern template can add new terms to the term set and add those terms as placeholder values.
+
+ > [!TIP]
+ > When you enable the **Allow new values** option (only allowed for open term sets), users are more likely to add redundant terms in the term store. Redundant terms can make it difficult for admins to manage a term set.
+
+You can create as many placeholders as you think are necessary. When you're done, you can choose to save the template as a draft or publish the template.
- **Save draft** ΓÇô Saves the template as a draft and you can access it later. You can view, edit, or publish saved drafts from the **Modern templates** section by selecting **New** > **Edit New menu** from the document library.
- - **Publish** ΓÇô Publishes the template to be used by other users in the organization to create documents. You can view, edit, or unpublish *published* templates from the **Modern templates** section by selecting **New** > **Edit New menu** from the document library.
+
+ - **Publish** ΓÇô Publishes the template to be used by other users in the organization to create documents. You can view, edit, or unpublish *published* templates from the **Modern templates** section by selecting **New** > **Edit New menu** from the document library.
## Edit a modern template
You can use a *published* modern template to quickly create similar documents wi
3. On the **Create a document from a template** panel, enter the information, and then select **Create document**.
- ![Screenshot of document library showing the Create a document from a template panel.](../media/content-understanding/content-assembly-create-document-2.png)
+ ![Screenshot of document library showing the Create a document from a template panel.](../media/content-understanding/content-assembly-create-document-2b.png)
To help reduce time and effort involved in filling values for placeholders, SharePoint Syntex provides:
You can use a *published* modern template to quickly create similar documents wi
- Autofill placeholder values if able to uniquely identify a record for placeholders associated with the same list. > [!NOTE]
->
-> - Currently, only Microsoft Word documents (.docx extension) are supported for creating a template. Before uploading the document, ensure that the Word document doesn't have **Track changes** enabled or comments. If your document contains text placeholders for images, ensure that they are not text-wrapped. We do not support **Content Controls** in Word at the moment. If you want to create a template from a Word document with content controls, please remove them before creating a modern template.
-> - The template and the document are associated with one document library. To use the template in another document library, you will need to create the template again in that document library.
-> - The uploaded document that is used to create the modern template will be saved as a separate copy and placed in the /forms directory of the document library. The original file on the disk will be unaffected.
-> - You can create placeholders for text only. Currently, images, smart art, tables, and bullet lists are not supported.
-> - Once a document is created from a template, it is not associated with the template.
+> **Current release limitations**
+>- Only Microsoft Word documents (.docx extension) are currently supported for creating a template. Before uploading a Word document, ensure that it doesn't include comments or have **Track changes** enabled. If the document contains text placeholders for images, ensure that they are not text-wrapped. Content controls in Word are currently not supported. If you want to create a template from a Word document with content controls, remove them before you create a modern template.
+>- The template and the document are associated with one document library. To use the template in another document library, you will need to create the template again in that document library.
+>- The uploaded document that is used to create the modern template will be saved as a separate copy and placed in the /forms directory of the document library. The original file on the disk will be unaffected.
+>- You can create placeholders for text only. Images, smart art, tables, and bullet lists are currently not supported.
+>- Once a document is created from a template, it's not associated with the template.
+++
+
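Review bot: In the new "Associate a placeholder by selecting from managed metadata term set or term" section, the callout after step 5 is marked [!TIP] but describes a downside of enabling **Allow new values**, namely that users who generate documents can add terms to the term store and create redundant entries. A [!NOTE] or [!IMPORTANT] callout fits that content better. Step 4 contains mis-encoded apostrophes ("youΓÇÖre", "youΓÇÖll"); use straight apostrophes as the following paragraph does ("you're done"). The "placeholders for text only" limitation is now stated twice, once in the note under the placeholder step and again in the "Current release limitations" list; keep one and link to it from the other.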
enterprise External Guest Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/external-guest-access.md
+
+ Title: "Overview of external collaboration options in Microsoft 365"
+++
+audience: ITPro
++
+f1.keywords:
+- NOCSH
++
+- SPO_Content
+ms.localizationpriority: medium
+description: "Learn about how people outside your organization can access your Microsoft 365 subscription for meetings, guest sharing, chat, and collaboration."
++
+# Overview of external collaboration options in Microsoft 365
+
+With Microsoft 365, your users can collaborate with people outside your organization in a variety of ways. Users can share files, invite guests to teams, have meetings with external participants, and chat with people from other organizations. This article covers the external collaboration options available and links to the content you need to configure each.
+
+The following table shows the primary ways people from outside your organization can access your Microsoft 365 resources:
+
+|Activity|Account type|Default setting|
+|:-|:--|:--|
+|Authenticated file and folder sharing|Guest account|Enabled|
+|Site sharing|Guest account|Enabled|
+|Team sharing|Guest account|Enabled|
+|Shared channel in Teams|Existing Microsoft 365 external account|Disabled|
+|External chat and meetings|Existing Microsoft 365 external account|Enabled|
+|Anonymous meeting join|None|Enabled|
+|Unauthenticated file and folder sharing|None|Enabled|
+
+People outside your organization do not have access unless a user in your organization initiates one of these activities. You can disable any of these settings if you don't want to allow that activity in your organization.
+
+## Document, site, and team sharing with guest accounts
+
+Sharing documents, sites, and teams with people outside your organization uses *guest accounts*. Guest accounts are a type of account in Azure Active Directory that is managed through [Azure AD B2B collaboration](/azure/active-directory/external-identities/what-is-b2b). They can be used to share resources in your organization with anyone who has an email address. You can manage guest accounts the same way you manage users in your organization. Guests do not require a license for most features of collaboration.
+
+Guests can only access resources that you specifically share with them.
+
+If the guest has a work or school account in another organization, or a Microsoft account, they can log in with their regular username and password. If they have a different type of account - such as a Gmail account - they can log in by using a one-time passcode that is sent to their email address.
+
+With guests you can:
+
+- Invite them to Microsoft 365 groups, teams, or SharePoint sites where they can collaborate with people in your organization.
+- Share a single file or a folder with them which they can view or edit depending on the permissions you give them.
+
+For information about how to plan for collaboration with guests in Microsoft 365, see the following references:
+
+- [Plan external collaboration](/microsoft-365/solutions/plan-external-collaboration)
+- [Set up secure file sharing and collaboration with Microsoft Teams](/microsoft-365/solutions/setup-secure-collaboration-with-teams)
+
+For information about how to set up Microsoft 365 for collaboration with guests, see the following references:
+
+- [Collaborate with guests on a document](/microsoft-365/solutions/collaborate-on-documents)
+- [Collaborate with guests in a site](/microsoft-365/solutions/collaborate-in-site)
+- [Collaborate with guests in a team](/microsoft-365/solutions/collaborate-as-team)
+
+## Shared channels
+
+Shared channels are a type of Teams channel that allows you to share with people outside the team, including people in other Microsoft 365 organizations. While shared channels is turned on by default in Teams, external collaboration with shared channels is disabled by default. External collaboration with shared channels uses [Azure AD B2B direct connect](/azure/active-directory/external-identities/b2b-direct-connect-overview) which allows you to add people from other Microsoft 365 organizations to Teams channels without the need for creating a guest account.
+
+Shared channels have a particular advantage over guest accounts in that they do not require external participants to switch orgs in the Teams desktop client or log into your organization. They can remain logged in to their organization and access the channel directly.
+
+Sharing channels with people outside your organization requires that your organization and the external organization both configure an organizational relationship in [Azure AD B2B Direct Connect](/azure/active-directory/external-identities/b2b-direct-connect-overview).
+
+For information about how to set up Microsoft 365 for external collaboration with shared channels, see the following references:
+
+- [Plan external collaboration](/microsoft-365/solutions/plan-external-collaboration)
+- [Shared channels in Microsoft Teams](/MicrosoftTeams/shared-channels)
+- [Collaborate with external participants in a channel](/microsoft-365/solutions/collaborate-teams-direct-connect)
+
+## External chat and meetings
+
+Users in your organization can chat, add users to meetings, and use audio or video conferencing in Teams with users in external Microsoft 365 organizations. By default, users in your organization can communicate in these ways with all other Microsoft 365 domains. People in other organizations can communicate in these ways with your users if they know the user's email address. You can allow or block specific domains or block all domains if you want to disable the feature.
+
+You can also allow users in your organization to communicate with people from outside your organization who are using Teams accounts that are not managed by an organization, as well as Skype for Business (online and on-premises) and Skype users.
+
+Guest accounts are not used as part of external chat and meetings. External participants remain signed in to their organization or to Skype and can communicate directly with people in your organization. They do not have access to your teams or channels.
+
+For information about how to set up Microsoft 365 for external chat and meetings, see the following references:
+
+- [Use guest access and external access to collaborate with people outside your organization](/microsoftteams/communicate-with-users-from-other-organizations)
+- [Manage external access in Microsoft Teams](/microsoftteams/manage-external-access).
+
+## Anonymous meeting join
+
+People from outside your organization can join meetings in the following ways:
+
+- If they're logged in to your organization with a guest account, they join meetings as a guest.
+- If they're logged in to a different organization with a work or school account, and your organization has enabled external access, they join meetings as an external participant.
+- If they're not a guest or external participant, they must join meetings anonymously.
+
+If the anonymous join setting is enabled for your organization, anonymous users can only join a meeting using a meeting link that has been shared with them (such as a link in the meeting invitation). They will be prompted to enter a display name of their choosing when joining the meeting anonymously. Depending on the lobby settings, the anonymous user may be automatically admitted to the meeting, or be added to a lobby where the meeting organizer (or meeting participants with the presenter role) can allow or deny access to the meeting.
+
+It is not possible to verify the identity of anonymous users before, during or after the meeting.
+
+You can control anonymous users' ability to join meetings at the organization level. If it'ss enabled for the organization, meeting organizers can control anonymous join through meeting policy settings.
+
+For information about configuring anonymous join for meetings, see [Manage meeting settings in Microsoft Teams](/microsoftteams/meeting-settings-in-teams).
+
+## Unauthenticated file and folder access
+
+In Microsoft 365, files and folders in Teams, SharePoint, and OneDrive can be shared using unauthenticated - or *Anyone* - links. Anyone links give access to the shared item to anyone who has the link. Anyone links can be shared with others, giving those people access to the file or folder.
+
+People using an Anyone link do not have to authenticate, and their access cannot be audited. File and folder owners can revoke access at any time by deleting the link.
+
+Anyone links can't be used with files in a Teams shared channel site.
+
+For information about working with anonymous file and folder sharing, see the following references:
+
+- [Manage sharing settings](/sharepoint/turn-external-sharing-on-or-off)
+- [Best practices for sharing files and folders with unauthenticated users](/microsoft-365/solutions/best-practices-anonymous-sharing)
+
+## Related topics
+
+[Intro to file collaboration in Microsoft 365, powered by SharePoint](/sharepoint/intro-to-file-collaboration)
+
+[File collaboration in SharePoint with Microsoft 365](/sharepoint/deploy-file-collaboration)
+
+[Use guest access and external access to collaborate with people outside your organization](/microsoftteams/communicate-with-users-from-other-organizations)
+
+[Limit guest sharing to specific organizations](/microsoft-365/solutions/limit-guest-sharing-to-specific-organization)
+
+[Limit organizations where users can have guest accounts](/microsoft-365/solutions/limit-organizations-where-users-have-guest-accounts)
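Review bot: In the table near the top of the new article, "Anonymous meeting join" and "Unauthenticated file and folder sharing" are listed as Enabled by default, yet the facts an admin needs to weigh those defaults appear only much later: that the identity of anonymous users cannot be verified, and that access through Anyone links cannot be audited. Add a sentence or footnote under the table that points to those two sections. Wording fixes: "If it'ss enabled" should be "If it's enabled" in the anonymous meeting join section; "While shared channels is turned on by default" should be "are turned on" (or "the shared channels feature is"); "B2B direct connect" and "B2B Direct Connect" are capitalized differently within the shared channels section; the heading says "Unauthenticated file and folder access" while the table says "sharing" and the reference lead-in says "anonymous file and folder sharing"; and the last link in the external chat and meetings list ends with a stray period.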
managed-desktop Change History Managed Desktop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/change-history-managed-desktop.md
This article lists new and updated articles in the [Microsoft Managed Desktop do
New or changed article | Description |
-| [Shared devices](service-description/shared-devices.md) | Added Register new devices in shared mode section |
+| [Shared devices](service-description/shared-devices.md) | Added Register new devices using Windows Autopilot self-deploying mode profile |
| [Teams](get-started/teams.md) | Updated Microsoft Intune changes section | ## March 2022
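Review bot: The new description, "Added Register new devices using Windows Autopilot self-deploying mode profile", drops the word "section" that the removed text and the neighboring Teams row both use, and omits "the" from the heading it refers to ("Register new devices using the Windows Autopilot self-deploying mode profile"). Quote the heading exactly and end the entry with "section".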
managed-desktop Shared Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/shared-devices.md
Because you make the choice to use shared device mode at the point of registrati
## When to use shared device mode
-Any situation where users are frequently changing devices.
+Use shared device mode in situations where users are frequently changing devices.
For example, bank tellers might be in one location managing deposits, but move to a back office to help customers with a mortgage. In each of those locations, the device runs different applications and is optimized for those tasks, though they're used by multiple people.
Nursing staff typically move between rooms and offices as they interact with pat
Shared device mode isn't a good choice in these situations: -- When a user's files need to be stored locally rather than in the cloud-- If the user experience needs to be different for different users on the device-- If the set of applications each user needs differs greatly
+- When a user's files need to be stored locally rather than in the cloud.
+- If the user experience needs to be different for different users on the device.
+- If the set of applications each user needs differs greatly.
-## Register new devices in shared device mode
+## Register new devices using the Windows Autopilot self-deploying mode profile
-Starting in 2203, whether you or a partner are handling device enrollment, you can choose to use the [Windows Autopilot self-deploying mode](/mem/autopilot/self-deploying) profile in Microsoft Managed Desktop.
+Whether you or a partner are handling device registration, you can choose to use the [Windows Autopilot self-deploying mode](/mem/autopilot/self-deploying) profile in Microsoft Managed Desktop.
-If you're enrolling devices yourself, you must import new devices into the Windows Autopilot Devices blade.
+### Before you begin
+
+Review the Windows Autopilot self-deploying mode requirements:
+
+> [!IMPORTANT]
+> You cannot automatically re-enroll a device through Autopilot after an initial deployment in self-deploying mode. Instead, delete the device record in the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). To delete the device record from the admin center, select **Devices** > **All devices** > select the devices you want to delete > **Delete**. For more information, see [Updates to the Windows Autopilot sign-in and deployment experience](https://techcommunity.microsoft.com/t5/intune-customer-success/updates-to-the-windows-autopilot-sign-in-and-deployment/ba-p/2848452).
+
+#### Trusted Platform Module
+
+Self-deploying mode uses a device's TPM 2.0 hardware to authenticate the device into an organization's Azure Active Directory tenant. Therefore, devices without TPM 2.0 can't use this mode. Devices must also support TPM device attestation. All new Windows devices should meet these requirements. The TPM attestation process also requires access to a set of HTTPS URLs that are unique for each TPM provider. For more information, see the entry for Autopilot self-deploying mode and Autopilot pre-provisioning in [Networking requirements](/mem/autopilot/self-deploying#requirements). For more information about Windows Autopilot software requirements, see [Windows Autopilot software requirements](/mem/autopilot/software-requirements).
+
+> [!TIP]
+> If you attempt to deploy self-deploying mode on a device that doesn't have TPM 2.0 support or it's on a virtual machine, the process will fail when verifying the device with the following error: 0x800705B4 timeout error (Hyper-V virtual TPMs are not supported). Also note that Windows 10 version 1903 or later is required to use self-deploying mode due to issues with TPM device attestation in Windows 10 version 1809. Since Windows 10 Enterprise 2019 LTSC is based on Windows 10 version 1809, self-deploying mode is also not supported on Windows 10 Enterprise 2019 LTSC.
+>
+> For more information about other known issues and review solutions, see [Windows Autopilot known issues](/mem/autopilot/known-issues) and [Troubleshoot Autopilot device import and enrollment](/mem/autopilot/troubleshoot-device-enrollment).
+
+### Steps to register devices to use the Windows Autopilot self-deploying mode profile
+
+If you're registering devices yourself, you must import new devices into the Windows Autopilot Devices blade.
**To import new devices into the Windows Autopilot Devices blade:**
-1. Collect the [hardware hash](../get-started/manual-registration.md#obtain-the-hardware-hash) for the new devices you want to assign the Windows Autopilot Self-deployment mode profile to.
+1. Collect the [hardware hash](../get-started/manual-registration.md#obtain-the-hardware-hash) for new devices you want to assign the Windows Autopilot Self-deployment mode profile to.
2. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com). 2. Select **Devices** from the left navigation menu. 3. In the **By platform** section, select **Windows**. Then, select **Windows Enrollment**.
If you're having a partner enroll devices, follow the steps in [Partner registra
### Device storage
-Users of shared devices must have their data backed up to the cloud so it can follow them to other devices. Once you've registered devices in shared device mode, be sure to then enable OneDrive's [Files On-Demand](https://support.microsoft.com/office/save-disk-space-with-onedrive-files-on-demand-for-windows-10-0e6860d3-d9f3-4971-b321-7092438fb38e#:~:text=%20Turn%20on%20Files%20On-Demand%20%201%20Make,files%20as%20you%20use%20them%20box.%20More%20) and [known-folder redirection](/onedrive/redirect-known-folders) features. This approach minimizes the effect that each user profile has on device storage. Devices in shared device mode automatically delete user profiles if the free disk space drops below 25%. This activity is scheduled for midnight at the device's local time, unless storage becomes critically limited.
+Users of shared devices must have their data backed up onto the cloud so it can follow them to other devices. Once you've registered devices in shared device mode, be sure to enable OneDrive's [Files On-Demand](https://support.microsoft.com/office/save-disk-space-with-onedrive-files-on-demand-for-windows-10-0e6860d3-d9f3-4971-b321-7092438fb38e#:~:text=%20Turn%20on%20Files%20On-Demand%20%201%20Make,files%20as%20you%20use%20them%20box.%20More%20) and [known-folder redirection](/onedrive/redirect-known-folders) features. This approach minimizes the effect that each user profile has on device storage. Devices in shared device mode automatically delete user profiles if the free disk space drops below 25%. This activity is scheduled for midnight at the device's local time, unless storage becomes critically limited.
Microsoft Managed Desktop uses the [SharedPC](/mem/intune/configuration/shared-user-device-settings-windows) CSP to do these operations, so make sure you don't use those CSPs yourself.
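Review bot: "backed up onto the cloud" in the added line reads worse than the "backed up to the cloud" it replaces; keep the original preposition. The Files On-Demand link still carries a long `#:~:text=` text fragment, which stops matching as soon as the target page is reworded, so link to the article without the fragment.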
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
If you have previously onboarded your servers using MMA, follow the guidance pro
The following specifics apply to the new unified solution package for Windows Server 2012 R2 and 2016: - Ensure connectivity requirements as specified in [Enable access to Microsoft Defender for Endpoint service URLs in the proxy server](/microsoft-365/security/defender-endpoint/configure-proxy-internet?enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server) are met. They are equivalent to those for Windows Server 2019. -- We are investigating an issue with Windows Server 2012 R2 connectivity to cloud when static TelemetryProxyServer is used and the certificate revocation list (CRL) URLs are not reachable from the SYSTEM account context. The immediate mitigation is to either use an alternative proxy option that provides such connectivity, or configure the same proxy via the WinInet setting on the SYSTEM account context.
+- We have identified an issue with Windows Server 2012 R2 connectivity to cloud when static TelemetryProxyServer is used **and** the certificate revocation list (CRL) URLs are not reachable from the SYSTEM account context. The immediate mitigation is to either use an alternative proxy option ("system-wide") that provides such connectivity, or configure the same proxy via the WinInet setting on the SYSTEM account context.
+Alternatively, use the instructions provided at [Workaround for a known issue with TelemetryProxyServer on disconnected machines](#workaround-for-a-known-issue-with-telemetryproxyserver-on-disconnected-machines) to install a certificate as a workaround.
- Previously, the use of the Microsoft Monitoring Agent (MMA) on Windows Server 2016 and below allowed for the OMS / Log Analytics gateway to provide connectivity to Defender cloud services. The new solution, like Microsoft Defender for Endpoint on Windows Server 2019, Windows Server 2022, and Windows 10, does not support this gateway. - On Windows Server 2016, verify that Microsoft Defender Antivirus is installed, is active and up to date. You can download and install the latest platform version using Windows Update. Alternatively, download the update package manually from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623) or from [MMPC](https://go.microsoft.com/fwlink/?linkid=870379&arch=x64). - On Windows Server 2012 R2, there is no user interface for Microsoft Defender Antivirus. In addition, the user interface on Windows Server 2016 only allows for basic operations. To perform operations on a device locally, refer to [Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe](/microsoft-365/security/defender-endpoint/manage-mde-post-migration-other-tools). As a result, features that specifically rely on user interaction, such as where the user is prompted to make a decision or perform a specific task, may not work as expected. It is recommended to disable or not enable the user interface nor require user interaction on any managed server as it may impact protection capability.
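Review bot: The added "Alternatively, use the instructions provided at ..." line is not indented under the bullet it continues, so it will render as a separate paragraph and split the list; indent it or fold it into the bullet. The parenthetical ("system-wide") also needs a word on which proxy setting it means, since the same sentence goes on to name the WinInet setting as the other option.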
The following specifics apply to the new unified solution package for Windows Se
In addition, on machines with a high volume of network traffic, performance testing in your environment is highly recommended before enabling this capability broadly. You may need to account for additional resource consumption. - On Windows Server 2012 R2, Network Events may not populate in the timeline. This issue requires a Windows Update released as part of the [October 12, 2021 monthly rollup (KB5006714)](https://support.microsoft.com/topic/october-12-2021-kb5006714-monthly-rollup-4dc4a2cd-677c-477b-8079-dcfef2bda09e). - Operating system upgrades are not supported. Offboard then uninstall before upgrading.-- Automatic exclusions for *server roles* are not supported on Windows Server 2012 R2; however, built-in exclusions for operating system files are. For more information about adding exclusions, see [Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-currently-supported-versions-of-windows-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).-- On machines that have been upgraded from the previous, MMA-based solution and the EDR sensor is a (preview) version older than 10.8047.22439.1056, uninstalling and reverting back to the MMA-based solution may lead to crashes. -- Integration with Microsoft Defender for Cloud / Microsoft Defender for servers for alerting and automated deployment or upgrade is not yet available. Whilst you can manually install the new solution on these machines, no alerts will be displayed in Microsoft Defender for Cloud.
+- Automatic exclusions for **server roles** are not supported on Windows Server 2012 R2; however, built-in exclusions for operating system files are. For more information about adding exclusions, see [Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-currently-supported-versions-of-windows-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).
+- On machines that have been upgraded from the previous, MMA-based solution and the EDR sensor is a (preview) version older than 10.8047.22439.1056, uninstalling and reverting back to the MMA-based solution may lead to crashes. If you are on such a preview version, please update using KB5005292.
+- To deploy and onboard the new solution using Microsoft Endpoint Manager, this currently requires creating a package. For more information on how to deploy programs and scripts in Configuration Manager, see [Packages and programs in Configuration Manager](/configmgr/apps/deploy-use/packages-and-programs). MECM 2107 with the hotfix rollup or later is required to support policy configuration management using the Endpoint Protection node.
+
+## Workaround for a known issue with TelemetryProxyServer on disconnected machines
+
+Problem description:
+When using the TelemetryProxyServer setting to specify a proxy to be used by the EDR component of Microsoft Defender for Endpoint, on machines that have no other way to access the Certificate Revocation List (CRL) URL, a missing intermediate certificate will cause the EDR sensor to not successfully connect to the cloud service.
+
+Affected scenario:
+-Microsoft Defender for Endpoint with Sense version number 10.8048.22439.1065 or earlier preview versions running on Windows Server 2012 R2
+-Using the TelemetryProxyServer proxy configuration; other methods are not affected
+
+Workaround:
+1. Ensure the machine is running Sense version 10.8048.22439.1065 or higher by either installing using the latest package available from the onboarding page, or by applying KB5005292.
+2. Download and unzip the certificate from https://github.com/microsoft/mdefordownlevelserver/blob/main/InterCA.zip
+3. Import the certificate to the Local Computer trusted ΓÇ£Intermediate Certification AuthoritiesΓÇ¥ store.
+You can use the PowerShell command:
+Import-Certificate -FilePath .\InterCA.cer -CertStoreLocation Cert:\LocalMachine\Ca
## Integration with Microsoft Defender for Cloud
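Review bot: Step 2 of the workaround has admins download InterCA.zip and step 3 imports its content into the Local Computer Intermediate Certification Authorities store, but nothing on the page lets them confirm what they are about to trust; publish the certificate's subject and thumbprint next to the link so it can be checked before Import-Certificate is run. In the same hunk, the "Affected scenario" items start with "-Microsoft" and "-Using" with no space after the hyphen, so they will not render as a list, the Import-Certificate command should sit in a PowerShell code fence, and the quotes around the store name are non-ASCII and come out garbled, so use plain quotes. The scenario text ("10.8048.22439.1065 or earlier preview versions") next to step 1 ("10.8048.22439.1065 or higher") also leaves it unclear whether 1065 itself is affected.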
Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender fo
For more information, see [Integration with Microsoft Defender for Cloud](azure-server-integration.md). > [!NOTE]
-> For Windows Server 2012 R2 and 2016 running the modern unified solution, integration with Microsoft Defender for Cloud / Microsoft Defender for servers for alerting and automated deployment or upgrade is not yet available. Whilst you can manually install the new solution on these machines, no alerts will be displayed in Microsoft Defender for Cloud.
+> For Windows Server 2012 R2 and 2016 running the modern unified solution, integration with Microsoft Defender for Cloud / Microsoft Defender for servers for automated deployment or upgrade is not yet available for all plans. You can manually install the new solution on these machines, or use Microsoft Defender for server P1 to test the new solution. More information at [New Defender for servers plans](/azure/defender-for-cloud/release-notes#new-defender-for-servers-plans).
> [!NOTE] > - The integration between Microsoft Defender for servers and Microsoft Defender for Endpoint has been expanded to support Windows Server 2022, [Windows Server 2019, and Windows Virtual Desktop (WVD)](/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview).
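Review bot: The rewritten note drops "no alerts will be displayed in Microsoft Defender for Cloud" without saying whether alerting now works on Windows Server 2012 R2 and 2016; state the current alerting behaviour explicitly. "not yet available for all plans" should name the plans that are covered, and "Microsoft Defender for server P1" does not match the "Microsoft Defender for servers" spelling used earlier in the same sentence.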
The installer package will check if the following components have already been i
**Prerequisites for Windows Server 2016**
-The Servicing Stack Update (SSU) from September 14, 2021 or later must be installed. The Latest Cumulative Update (LCU) from September 20, 2018 or later must be installed. It is recommended to install the latest available SSU and LCU on the server.
-
-The Microsoft Defender Antivirus feature must be installed and running version 4.18.2109.6 or later. You can download and install the latest platform version using Windows Update. Alternatively, download the update package manually from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623) or from [MMPC](https://go.microsoft.com/fwlink/?linkid=870379&arch=x64).
+- The Servicing Stack Update (SSU) from September 14, 2021 or later must be installed.
+- The Latest Cumulative Update (LCU) from September 20, 2018 or later must be installed. It is recommended to install the latest available SSU and LCU on the server. - The Microsoft Defender Antivirus feature must be enabled/installed and up to date. You can download and install the latest platform version using Windows Update. Alternatively, download the update package manually from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623) or from [MMPC](https://go.microsoft.com/fwlink/?linkid=870379&arch=x64).
**Prerequisites for running with third-party security solutions** If you intend to use a third-party antimalware solution, you'll need to run Microsoft Defender Antivirus in passive mode. You must remember to set to passive mode during the installation and onboarding process. -
-**Update package for Microsoft Defender for Endpoint on Windows Server 2012 R2 and 2016**
> [!NOTE] > If you're installing Microsoft Defender for Endpoint on Servers with McAfee Endpoint Security (ENS) or VirusScan Enterprise (VSE), the version of the McAfee platform may need to be updated to ensure Microsoft Defender Antivirus is not removed or disabled. For more information including the specific version numbers required, see, [McAfee Knowledge Center article](https://kc.mcafee.com/corporate/index?page=content&id=KB88214). -
+**Update package for Microsoft Defender for Endpoint on Windows Server 2012 R2 and 2016**
To receive regular product improvements and fixes for the EDR Sensor component, ensure Windows Update [KB5005292](https://go.microsoft.com/fwlink/?linkid=2168277) gets applied or approved. In addition, to keep protection components updated, see [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions).
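Review bot: The Microsoft Defender Antivirus prerequisite loses its minimum version: "running version 4.18.2109.6 or later" becomes "enabled/installed and up to date", which an admin cannot check a server against. Keep a minimum platform version in the bullet, and choose either "enabled" or "installed" rather than the slash.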
To receive regular product improvements and fixes for the EDR Sensor component,
- STEP 2: [Apply the installation and onboarding package](#step-2-apply-the-installation-and-onboarding-package) - STEP 3: [Complete the onboarding steps](#step-3-complete-the-onboarding-steps) - ### STEP 1: Download installation and onboarding packages You will need to download both the **installation** and **onboarding** packages from the portal.
Data collected by Defender for Endpoint is stored in the geo-location of the ten
-## Windows Server Semi-Annual Enterprise Channel and Windows Server 2019 and Windows Server 2022
-
-The onboarding package for Windows Server 2019 and Windows Server 2022 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](/configmgr/apps/deploy-use/packages-and-programs).
+## Windows Server Semi-Annual Enterprise Channel (SAC), Windows Server 2019 and Windows Server 2022
### Download package
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
These are the features and known gaps for [Mobile Threat Defense (Microsoft Defe
|Support for MAM|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)| |Privacy Controls|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)| |Threat and Vulnerability Management (TVM)|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|
-|Web content filtering|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|
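Review bot: The "Web content filtering" row is deleted rather than updated, so the table no longer says whether the feature is supported in these environments. If it has shipped, keep the row and change the cells; if it is being dropped from the list of gaps for another reason, say so in the surrounding text.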
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
+ms.localizationpriority: high
audience: ITPro
Security intelligence update version: 1.361.14.0 <br/>
- Improved traffic output when SmartScreen service is unreachable - Connectivity improvements for customers using proxies with authentication requirements - Fixed VDI device update bug for network FileShares -- EDR in block mode now supports granular device targetting with new CSPs. See [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md).
+- EDR in block mode now supports granular device targeting with new CSPs. See [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md).
### Known Issues
For more information, see [Microsoft Defender update for Windows operating syste
> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md) > - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) > - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
For more information on Microsoft Defender for Endpoint on other operating syste
- [What's new in Defender for Endpoint on iOS](ios-whatsnew.md) - [What's new in Defender for Endpoint on Linux](linux-whatsnew.md)
-## March 2022
+## April 2022
- [Updated onboarding and feature parity for Windows Server 2012 R2 and Windows Server 2016)](configure-server-endpoints.md)<br/> The new unified solution package is now generally available and makes it easier to onboard servers by removing dependencies and installation steps. In addition, this unified solution package comes with many new feature improvements. ## January 2022
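Review bot: Renaming the heading from "## March 2022" to "## April 2022" moves the entry instead of recording a new month; confirm nothing else belongs under March, otherwise add a separate April section. The link text in the unchanged entry below the heading also has a stray ")" after "Windows Server 2016".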
security Configure The Outbound Spam Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy.md
You can configure outbound spam policies in the Microsoft 365 Microsoft 365 Defe
The basic elements of an outbound spam policy in EOP are: - **The outbound spam filter policy**: Specifies the actions for outbound spam filtering verdicts and the notification options.-- **The outbound spam filter rule**: Specifies the priority and recipient filters (who the policy applies to) for a outbound spam filter policy.
+- **The outbound spam filter rule**: Specifies the priority and sender filters (who the policy applies to) for an outbound spam filter policy.
The difference between these two elements isn't obvious when you manage outbound spam polices in the Microsoft 365 Defender portal: - When you create a policy, you're actually creating a outbound spam filter rule and the associated outbound spam filter policy at the same time using the same name for both.-- When you modify a policy, settings related to the name, priority, enabled or disabled, and recipient filters modify the outbound spam filter rule. All other settings modify the associated outbound spam filter policy.
+- When you modify a policy, settings related to the name, priority, enabled or disabled, and sender filters modify the outbound spam filter rule. All other settings modify the associated outbound spam filter policy.
- When you remove a policy, the outbound spam filter rule and the associated outbound spam filter policy are removed. In Exchange Online PowerShell or standalone EOP PowerShell, you manage the policy and the rule separately. For more information, see the [Use Exchange Online PowerShell or standalone EOP PowerShell to configure outbound spam policies](#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-outbound-spam-policies) section later in this article. Every organization has a built-in outbound spam policy named Default that has these properties: -- The policy is applied to all recipients in the organization, even though there's no outbound spam filter rule (recipient filters) associated with the policy.
+- The policy is applied to all senders in the organization, even though there's no outbound spam filter rule (sender filters) associated with the policy.
- The policy has the custom priority value **Lowest** that you can't modify (the policy is always applied last). Any custom policies that you create always have a higher priority than the policy named Default. - The policy is the default policy (the **IsDefault** property has the value `True`), and you can't delete the default policy.
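Review bot: The unchanged bullet "When you create a policy, you're actually creating a outbound spam filter rule" still has the "a outbound" error that this change corrects one bullet earlier, and "outbound spam polices" in the sentence above it is misspelled; fix both in the same pass.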
Creating a custom outbound spam policy in the Microsoft 365 Defender portal crea
When you're finished, click **Next**.
-4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
+4. On the **Users, groups, and domains** page that appears, identify the internal senders that the policy applies to (sender conditions):
- **Users**: The specified mailboxes, mail users, or mail contacts in your organization. - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
- - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
+ - **Domains**: All senders in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value. For users or groups, you can use most identifiers (name, display name, alias, email address, account name, etc.), but the corresponding display name is shown in the results. For users, enter an asterisk (\*) by itself to see all available values.
- Multiple values in the same condition use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
+ Multiple values in the same condition use OR logic (for example, _\<sender1\>_ or _\<sender2\>_). Different conditions use AND logic (for example, _\<sender1\>_ and _\<member of group 1\>_).
- - **Exclude these users, groups, and domains**: To add exceptions for the internal recipients that the policy applies to (recpient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
+ - **Exclude these users, groups, and domains**: To add exceptions for the internal senders that the policy applies to (recipient exceptions), select this option and configure the exceptions. The settings and behavior are exactly like the conditions.
When you're finished, click **Next**.
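Review bot: The exclusion bullet now reads "exceptions for the internal senders that the policy applies to (recipient exceptions)"; the parenthetical was only spell-corrected from "recpient" and should be "sender exceptions" to match "(sender conditions)" in step 4.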
Creating a custom outbound spam policy in the Microsoft 365 Defender portal crea
- **Restriction placed on users who reach the message limit**: Select an action from the drop down list when any of the limits in the **Protection settings** section are exceeded.
- For all actions, the recipients specified in the **User restricted from sending email** alert policy (and in the now redundant **Notify these users and groups if a sender is blocked due to sending outbound spam** setting later on this page) receive email notifications.
+ For all actions, the senders specified in the **User restricted from sending email** alert policy (and in the now redundant **Notify these users and groups if a sender is blocked due to sending outbound spam** setting later on this page) receive email notifications.
- **Restrict the user from sending mail until the following day**: This is the default value. Email notifications are sent, and the user will be unable to send any more messages until the following day, based on UTC time. There is no way for the admin to override this block. - The alert policy named **User restricted from sending email** notifies admins (via email and on the **Incidents & alerts** \> **View alerts** page).
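Review bot: "the senders specified in the **User restricted from sending email** alert policy ... receive email notifications" looks like an over-applied search and replace. The people named in an alert policy are the ones who receive the notification, so "recipients" was correct in this sentence and should be restored.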
For detailed syntax and parameter information, see [New-HostedOutboundSpamFilter
To create an outbound spam filter rule, use this syntax: ```PowerShell
-New-HostedOutboundSpamFilterRule -Name "<RuleName>" -HostedOutboundSpamFilterPolicy "<PolicyName>" <Recipient filters> [<Recipient filter exceptions>] [-Comments "<OptionalComments>"]
+New-HostedOutboundSpamFilterRule -Name "<RuleName>" -HostedOutboundSpamFilterPolicy "<PolicyName>" <Sender filters> [<Sender filter exceptions>] [-Comments "<OptionalComments>"]
``` This example creates a new outbound spam filter rule named Contoso Executives with these settings:
For detailed syntax and parameter information, see [Set-HostedOutboundSpamFilter
### Use PowerShell to enable or disable outbound spam filter rules
-Enabling or disabling an outbound spam filter rule in PowerShell enables or disables the whole outbound spam policy (the outbound spam filter rule and the assigned outbound spam filter policy). You can't enable or disable the default outbound spam policy (it's always applied to all recipients).
+Enabling or disabling an outbound spam filter rule in PowerShell enables or disables the whole outbound spam policy (the outbound spam filter rule and the assigned outbound spam filter policy). You can't enable or disable the default outbound spam policy (it's always applied to all senders).
To enable or disable an outbound spam filter rule in PowerShell, use this syntax:
security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/overview.md
Last updated 07/21/2021 audience: Admin
+ms.localizationpriority: high
search.appverid: - MET150 - MOE150
solutions Collaborate Teams Direct Connect https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-teams-direct-connect.md
To configure shared channels
- To allow users to be invited to shared channels in other organizations, turn **Can be invited to external shared channels** on. 1. Select **Apply**.
+In order for external channel participants to participate in meetings, external access must be enabled. This is also required to be able to see external participants' presence in the channel.
+
+To enable external access
+1. In the [Teams admin center](https://admin.teams.microsoft.com/), expand **Users**, and then select **External access**.
+1. Under **Teams and Skype for Business users in external organizations**, ensure that the organizations that you want to collaborate with are not blocked.
+ ## Configure cross-tenant access settings in Azure AD Azure AD B2B direct connect is disabled by default. To enable collaboration in shared channels with people from other organizations, you must:
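Review bot: Step 2 of "To enable external access" only says to ensure the organizations "are not blocked" and never names the setting or the value to choose on the External access page; spell out which option the admin should select so the step can be followed and audited. The opening "In order for external channel participants to participate in meetings" can be shortened to "For external channel participants to join meetings".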