Updates from: 04/15/2022 01:49:28
Category Microsoft Docs article Related commit history on GitHub Change details
admin Sharepoint Site Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/sharepoint-site-usage-ww.md
The **SharePoint site usage** report can be viewed for trends over the last 7 da
|Site owner principal name |The email address of the owner of the site. | |Last activity date (UTC) | The date of the last time file activity was detected or a page was viewed on the site. | |Site sensitivity label ID | The sensitivity label on the site. |
-|External sharing | The external sharable settings on the site. |
+|External sharing | The value of the external sharing setting for the site. This value does not reflect changes to the effective setting made by site sensitivity labels. If you use sensitivity labels, use the [data access governance reports](/sharepoint/data-access-governance-reports) to get the correct values.|
|Unmanaged device policy | The site access policy for unmanaged devices. | |Geo location | The Geo location of the site. | |Files |The number of files on the site. |
admin Convert User Mailbox To Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox.md
audience: Admin
ms.localizationpriority: medium--- M365-subscription-management +
+- M365-subscription-management
- Adm_O365 - Adm_TOC-+ - AdminSurgePortfolio - AdminTemplateSet - admindeeplinkEXCHANGE
When you convert a user's mailbox to a shared mailbox, all of the existing email
## Before you begin
-**Here are some really important things that you need to know:**
+**Here are some really important things that you need to know**:
-- The user mailbox you're converting needs a license assigned to it before you convert it to a shared mailbox. Otherwise, you won't see the option to convert the mailbox. If you've removed the license, add it back so you can convert the mailbox. After converting the mailbox to a shared one, you can remove the license from the user's account.
+- The user mailbox needs a license assigned to it before you convert it to a shared mailbox. Otherwise, you won't see the option to convert the mailbox. If you've removed the license, add it back so you can convert the mailbox. After converting the user mailbox to a shared mailbox, you can remove the license from the user's account.
-- Shared mailboxes can have up to 50 GB of data without a license assigned to them. To hold more data than that, you need a license assigned to it. You may need to delete a bunch of large emails (say, ones with attachments) from the shared mailbox to shrink it down so you can remove the license.
+- Without a license, shared mailboxes are limited to 50 GB. You might need to delete a bunch of large messages (say, messages with attachments) from the shared mailbox to shrink it down so you can remove the license.
-- Don't delete the old user's account. That's required to anchor the shared mailbox. If you've already deleted the user account, see [Convert the mailbox of a deleted user](#convert-the-mailbox-of-a-deleted-user).
+ To increase the size limit to 100 GB, assign an Exchange Online Plan 2 license to the shared mailbox.
-- The rules are intact after the mailbox is converted to a shared mailbox.
+ If you assign an Exchange Online Plan 1 license and an Exchange Online Archiving add-on license to the shared mailbox, you can enable auto-expanding archiving for additional archive storage capacity.
+
+- Don't delete the old user's account, because the account is required to anchor the shared mailbox. If you've already deleted the user account, see [Convert the mailbox of a deleted user](#convert-the-mailbox-of-a-deleted-user).
+
+- You don't need to reset the account password of the user mailbox. However, if you don't reset the password, **the original username and password will continue to work on the shared mailbox** after the conversion is finished.
+
+- Inbox rules are preserved after the user mailbox is converted to a shared mailbox.
+
+- To put an In-Place Hold or a Litigation Hold on a shared mailbox, you must assign an Exchange Online Plan 2 license *or* an Exchange Online Plan 1 license and an Exchange Online Archiving add-on license to the shared mailbox.
## Use the Classic Exchange admin center to convert a mailbox
-
+ 1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Classic Exchange admin center</a>. 2. Select **Recipients** \> **Mailboxes**.
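Review bot: The new "Before you begin" bullet on not resetting the password says the original username and password will continue to work on the shared mailbox, but it gives the reader no action to take. Because the later hunks remove the matching notes from both conversion procedures, this bullet becomes the only place the behavior is mentioned. Consider adding a sentence that recommends resetting the password or blocking sign-in when the mailbox belonged to someone who should no longer have access, with a link to the "Remove a former employee from Microsoft 365" article that step 4 of the procedures already references. Separately, the rewritten 50 GB bullet drops the explicit statement that a license is needed to hold more than 50 GB, then immediately talks about shrinking the mailbox "so you can remove the license"; tying that sentence to the new 100 GB line would make the reasoning easier to follow.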
When you convert a user's mailbox to a shared mailbox, all of the existing email
3. Select the user mailbox. Under **Convert to Shared Mailbox**, select **Convert**. 4. If the mailbox is smaller than 50 GB, you can remove the [license from the user](../manage/remove-licenses-from-users.md), and stop paying for it. Don't delete the user's account. The shared mailbox needs it there as an anchor. If you're converting the mailbox of an employee that's leaving your organization, you should take additional steps to make sure that they can no longer log in. For more information, see [Remove a former employee from Microsoft 365](../add-users/remove-former-employee.md).
-
-> [!NOTE]
-> It's not required to reset the user's password during mailbox conversion. However, if the password is not reset, **the original username and password continue to work** after the mailbox conversion is finished.
For everything else you need to know about shared mailboxes, see [About shared mailboxes](about-shared-mailboxes.md) and [Create a shared mailbox](create-a-shared-mailbox.md).
-> [!NOTE]
-> Shared mailboxes donΓÇÖt require a separate license. However, if you want to enable In-Place Archive or put an In-Place Hold or a Litigation Hold on a shared mailbox, you must assign an Exchange Online Plan 1 with Exchange Online Archiving or Exchange Online Plan 2 license to the mailbox.
- ## Use the New Exchange admin center to convert a mailbox 1. Go to the <a href="https://admin.exchange.microsoft.com/#/homepage" target="_blank"> Exchange admin center</a>.
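Review bot: Deleting the second note here loses the statement that enabling In-Place Archive on a shared mailbox needs an Exchange Online Plan 1 with Exchange Online Archiving license or an Exchange Online Plan 2 license. The replacement bullets in "Before you begin" cover In-Place Hold, Litigation Hold and auto-expanding archiving, but none of them mentions In-Place Archive itself. Either add In-Place Archive to the new hold bullet or keep that sentence. The same removal is repeated under the New Exchange admin center section, so the fix applies there too.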
For everything else you need to know about shared mailboxes, see [About shared m
3. Select the user mailbox. In the **Mailbox** tab, under **More Actions**, select **Convert to shared mailbox**. 4. If the mailbox is smaller than 50 GB, you can remove the [license from the user](../manage/remove-licenses-from-users.md), and stop paying for it. Don't delete the user's account. The shared mailbox needs it there as an anchor. If you are converting the mailbox of an employee that is leaving your organization, you should take additional steps to make sure that they cannot log in anymore. Please see [Remove a former employee from Microsoft 365](../add-users/remove-former-employee.md).
-
-> [!NOTE]
-> It's not required to reset the user's password during mailbox conversion. However, if the password is not reset, **the original username and password continue to work** after the mailbox conversion is finished.
For everything else you need to know about shared mailboxes, see [About shared mailboxes](about-shared-mailboxes.md) and [Create a shared mailbox](create-a-shared-mailbox.md).
-> [!NOTE]
-> Shared mailboxes donΓÇÖt require a separate license. However, if you want to enable In-Place Archive or put an In-Place Hold or a Litigation Hold on a shared mailbox, you must assign an Exchange Online Plan 1 with Exchange Online Archiving or Exchange Online Plan 2 license to the mailbox.
- ## Convert the mailbox of a deleted user After deleting a user account, follow these steps to convert their old mailbox to a share mailbox:
After deleting a user account, follow these steps to convert their old mailbox t
2. Make sure a Microsoft 365 license is assigned to it. 3. Reset the user's password.
-
+ 4. Wait 20-30 minutes for their mailbox to be re-created.
-
-6. Once the mailbox is re-created, remove the license from the user's mailbox. Don't delete the user's old mailbox. The shared mailbox needs it there as an anchor.
-
-7. Add members to the shared mailbox.
+
+5. Once the mailbox is re-created, remove the license from the user's mailbox. Don't delete the user's old mailbox. The shared mailbox needs it there as an anchor.
+
+6. Add members to the shared mailbox.
## Convert a shared mailbox back to a user's (private) mailbox 1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
-
+ 2. Select **Recipients** \> **Shared**. 3. Select the shared mailbox. Under **Convert to Regular Mailbox**, select **Convert**.
After deleting a user account, follow these steps to convert their old mailbox t
For more info about converting a user mailbox to a shared mailbox in an Exchange Hybrid environment, see:
-
+- [Cmdlets to create or modify a remote shared mailbox in an on-premises Exchange environment](https://support.microsoft.com/office/cmdlets-to-create-or-modify-a-remote-shared-mailbox-in-an-on-premises-exchange-environment-9e83fb59-c001-729c-a4c0-b2964c154b49)
+- [Shared mailboxes are unexpectedly converted to user mailboxes after directory synchronization runs in an Exchange hybrid deployment](/exchange/troubleshoot/user-and-shared-mailboxes/shared-mailboxes-unexpectedly-converted-to-user-mailboxes)
> [!NOTE] > If you're a member of the Organization Management or Recipient Management role group, you can use the Exchange Management Shell to change a user mailbox to a shared mailbox on-premises. For example, `Set-Mailbox -Identity mailbox1@contoso.com -Type Shared`.
compliance Assign Ediscovery Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/assign-ediscovery-permissions.md
The following table lists the eDiscovery-related RBAC roles in the Microsoft 365
|Preview <br/> | <br/> |![Check mark.](../media/checkmark.png) <br/> | <br/> | <br/> | |Review <br/> | <br/> |![Check mark.](../media/checkmark.png) <br/> | <br/> |![Check mark](../media/checkmark.png) <br/> | |RMS Decrypt <br/> ||![Check mark](../media/checkmark.png) <br/> |||
-|Search And Purge <br/> | <br/> | <br/> |![Check mark](../media/checkmark.png) <br/> | <br/> |
-||||
+|Search And Purge <br/> | <br/> | <br/> |![Check mark](../media/checkmark.png)<br/> | <br/> |
+||||||
The following sections describe each of the eDiscovery-related RBAC roles listed in the previous table.
compliance Data Spillage Scenariosearch And Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-spillage-scenariosearch-and-purge.md
Here's a how to manage a data spillage incident:
## Things to know before you start
+- The data spillage workflow described in this article doesn't delete chat messages in Microsoft Teams. To search for and delete Teams chat messages, see [Search and purge chat messages in Teams](search-and-delete-Teams-chat-messages.md).
+ - When a mailbox is on hold, a deleted message remains in the Recoverable Items folder until the retention period expires or the hold is released. [Step 6](#step-6-prepare-the-mailboxes) describes how to remove hold from the mailboxes. Check with your records management or legal departments before removing the hold. Your organization might have a policy that defines whether a mailbox on hold or a data spillage incident takes priority.
-
+ - To control which user mailboxes a data spillage investigator can search and manage who can access the case, you can set up compliance boundaries and create a custom role group, which is described in [Step 1](#optional-step-1-manage-who-can-access-the-case-and-set-compliance-boundaries). To do this, you have to be a member of the Organization Management role group or be assigned the role management role. If you or an administrator in your organization has already set compliance boundaries, you can skip Step 1.
-
+ - To create a case, you must be a member of the eDiscovery Manager role group or be a member of a custom role group that's assigned the Case Management role. If you're not a member, ask a Microsoft 365 administrator to [add you to the eDiscovery manager role group](assign-ediscovery-permissions.md).
-
+ - To create and run a Content Search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role. For information about adding users to a role group, see [Assign eDiscovery permissions](./assign-ediscovery-permissions.md).
-
-- To search the audit log eDiscovery activities in Step 8, auditing must be turned on for your organization. You can search for activities that were performed within the last 90 days. To learn more about how to enable and use auditing, see the [Auditing the data spillage investigation process](#auditing-the-data-spillage-investigation-process) section in Step 8.
-
+
+- To search the audit log eDiscovery activities in Step 8, auditing must be turned on for your organization. You can search for activities that were performed within the last 90 days. To learn more about how to enable and use auditing, see the [Auditing the data spillage investigation process](#auditing-the-data-spillage-investigation-process) section in Step 8.
+ ## (Optional) Step 1: Manage who can access the case and set compliance boundaries Depending on your organizational practice, you need to control who can access the eDiscovery case used to investigate a data spillage incident and set up compliance boundaries. The easiest way to do this is to add investigators as members of an existing role group in the Microsoft 365 compliance center and then add the role group as a member of the eDiscovery case. For information about the built-in eDiscovery role groups and how to add members to an eDiscovery case, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
compliance Ediscovery Decryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-decryption.md
This role is assigned by default to the eDiscovery Manager role group on the **P
Any rights-protected (RMS-protected) email messages included in the results of a Content search will be decrypted when you export them. Additionally, any file that's encrypted with a [Microsoft encryption technology](encryption.md) and is attached to an email message that's included in the search results will be decrypted when it's exported. This decryption capability is enabled by default for members of the eDiscovery Manager role group. This is because the RMS Decrypt management role is assigned to this role group by default. Keep the following things in mind when exporting encrypted email messages and attachments: -- As previously explained, to decrypt RMS-protected messages when you export them, you have to export the search results as individual messages. If you export search results to a PST file, RMS-protected messages remain encrypted.
+- As previously explained, if you enable decryption of RMS-protected messages when you export them, you have to export the search results as individual messages. If you export search results to a PST file, RMS-protected messages will be exported as individual email messages.
- Messages that are decrypted are identified in the **ResultsLog** report. This report contains a column named **Decode Status**, and a value of **Decoded** identifies the messages that were decrypted.
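Review bot: The rewritten first bullet now contradicts itself. Its first sentence says you have to export the search results as individual messages to get decryption, and its second says that a PST export will export RMS-protected messages "as individual email messages". The previous wording stated that RMS-protected messages "remain encrypted" in a PST export, and the new text no longer says whether those messages come out decrypted or encrypted. Please state explicitly what happens to RMS-protected messages when PST is selected (where they are written and whether they are decrypted), since readers depend on this to know whether exported content is still protected.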
compliance Limits Ediscovery20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-ediscovery20.md
The following table lists the limits for holds associated with an Advanced eDisc
|Description of limit|Limit| |||
-|Maximum number of hold policies for an organization. This limit includes the combined total of hold policies in Core eDiscovery and Advanced eDiscovery cases.|10,000<sup>3</sup>|
-|Maximum number of mailboxes in a single case hold. This limit includes the combined total of user mailboxes, and the mailboxes associated with Microsoft 365 Groups, Microsoft Teams, and Yammer Groups.|1,000|
-|Maximum number of sites in a single case hold. This limit includes the combined total of OneDrive for Business sites, SharePoint sites, and the sites associated with Microsoft 365 Groups, Microsoft Teams, and Yammer Groups.|100|
+|Maximum number of hold policies for an organization. This limit includes the combined total of hold policies in Core eDiscovery and Advanced eDiscovery cases.|10,000|
+|Maximum number of mailboxes in a single case hold. This limit includes the combined total of user mailboxes, and the mailboxes associated with Microsoft 365 Groups, Microsoft Teams, and Yammer Groups.|1,000<sup>3</sup>|
+|Maximum number of sites in a single case hold. This limit includes the combined total of OneDrive for Business sites, SharePoint sites, and the sites associated with Microsoft 365 Groups, Microsoft Teams, and Yammer Groups.|100<sup>3</sup>|
## Indexing limits
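Review bot: The footnote marker `<sup>3</sup>` moves from the organization-wide hold policy limit (10,000) to the per-case mailbox and site limits (1,000 and 100), but the footnote text itself is not part of this hunk. Please confirm that footnote 3 is worded for per-case hold locations and that it no longer refers to the organization-wide limit, otherwise the table and its footnotes will disagree.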
compliance Search And Delete Teams Chat Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-and-delete-Teams-chat-messages.md
+
+ Title: "Search for and delete chat messages in Teams"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+ms.localizationpriority: medium
+
+- M365-security-compliance
+search.appverid:
+- MOE150
+- MET150
+ms.assetid: 3526fd06-b45f-445b-aed4-5ebd37b3762a
+description: "Use Advanced eDiscovery and the Microsoft Graph Explorer to search for and purge chat messages in Microsoft Teams, and respond to data spillage incidents in Teams."
++
+# Search and purge chat messages in Teams
+
+You can use Advanced eDiscovery and the Microsoft Graph Explorer to search for and delete chat messages in Microsoft Teams. This can help you find and remove sensitive information or inappropriate content. This search and purge workflow will also help you respond to a data spillage incident, when content containing confidential or malicious information is released through Teams chat messages.ΓÇï
+
+> [!NOTE]
+> This article applies to Microsoft 365 Enterprise organizations. Support for the US Government cloud (including GCC, GCC High, and DoD) is coming soon.
+
+## Before you search and purge chat messages
+
+- To create an Advanced eDiscovery case and use collections to search for chat messages, you have to be a member of the **eDiscovery Manager** role group in the Microsoft 365 compliance center. To delete chat messages, you have to be assigned the **Search And Purge** role. This role is assigned to the Data Investigator and Organization Management role groups by default. For more information, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
+- Search and purge is supported for conversations within your tenant. Support for Teams Connect Chat (External Access or Federation) conversations is enabled in the interface in some cases but is not working as intended.
+- A maximum of 10 items per mailbox can be removed at one time. Because the capability to search for and remove chat messages is intended to be an incident-response tool, this limit helps ensure that chat messages are quickly removed.
+
+## Search and purge workflow
+
+Here's the process to search for and purge Teams chat messages:
+
+![Workflow to search for and purge Teams chat messages.](../media/TeamsSearchAndPurgeWorkflow.png)
+
+## Step 1: Create a case in Advanced eDiscovery
+
+The first step is to create a case in Advanced eDiscovery to manage the search and purge process. For information about creating a case, see [Use the new case format](advanced-ediscovery-new-case-format.md).
+
+## Step 2: Create a draft collection
+
+After you create a case, the next step is to create a draft collection to search for the Teams chat messages that you want to purge. The purge process you perform is Step 5 will purge all items that are found in the draft collection.
+
+In Advanced eDiscovery, a *collection* is an eDiscovery search of the Teams content locations that contain the chat messages that you want to purge. Create the draft collection in the case that you created in the previous step. For more information, see [Create a draft collection](create-draft-collection.md).
+
+### Data sources for chat messages
+
+Use the following table to determine which data sources to search depending on the type of chat message you need to purge.
+
+| For this type of chat...|Search this data source...|
+|:|:|
+|Teams 1:1 chats |The mailbox of chat participants.|
+|Teams group chats |The mailboxes of chat participants.|
+|Teams channels (standard and shared) |The mailbox associated with the parent team.|
+|Teams private channels |The mailbox of the private channel members.|
+
+> [!NOTE]
+> In Step 4, you also have to identify and remove any holds and retention policies assigned to the mailbox that contains the type of chat messages that you want to delete.
+
+### Tips for searching for chat messages
+
+To help ensure the most comprehensive collection of Teams chat conversations (including 1:1 and group chats, and chats from standard, shared, and private chats) use the **Type** condition and select the **Instant messages** option when you build the search query for the draft collection. We also recommend including a date range or several keywords to narrow the scope of the collection to items relevant to your search a purge investigation.
+
+Here's a screenshot of a sample query using the **Type** and **Date** options:
+
+ ![Query to collect Teams content.](..\media\TeamsConditionsQueryType.png)
+
+For more information, see [Build search queries for collections](building-search-queries.md).
+
+## Step 3: Review and verify chat messages to purge
+
+As previously mentioned, the purge process in Step 5 will delete the items returned by the collection. So it's important that you review the draft collection results to ensure that the collection only returns the items that you want to purge. To review a sample of items in a draft collection, see the "Next steps after a draft collection is complete" section in [Create a draft collection](create-draft-collection.md#next-steps-after-a-draft-collection-is-complete).
+
+Additionally, you can use the collection statistics (specifically the Top Locations statistics) to generate a list of the data sources that contain items returned by the collection. Use this list in the next step to remove hold and retention policies from the data sources that contain search results. For more information, see [Collection statistics and reports](collection-statistics-reports.md).
+
+## Step 4: Remove holds and retention policies from data sources
+
+Before you can purge chat messages from a mailbox, you have to remove any hold or retention policy that is assigned to a target mailbox. If not, then the chat you're trying to delete will be retained.
+
+Use the list of mailboxes that contain the chat messages that you want to delete and determine if there's a hold or retention policy assigned to those mailboxes, and then remove the hold or retention policy. Be sure to identify the hold or retention policy that you remove so that you can reassign to the mailboxes in Step 7.
+
+For instructions about how to identify and remove holds and retention policies, see "Step 3: Remove all holds from the mailbox" in [Delete items in the Recoverable Items folder of cloud-based mailboxes on hold](delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold.md#step-3-remove-all-holds-from-the-mailbox)..
+
+## Step 5: Purge chat messages from Teams
+
+Now you're ready to actually purge chat messages from Teams. You'll use the Microsoft Graph Explorer to perform the following three tasks:
+
+1. Get the Id of the Advanced eDiscovery case that you created in Step 1. This is the case that contains the collection created in Step 2.
+
+2. Get the Id of the collection that you created in Step 2 and verified the search results in Step 3. The search query in this collection returns the chat messages that will be purged.
+
+3. Purge the chat messages returned by the collection.
+
+For information about using Graph Explorer, see [Use Graph Explorer to try Microsoft Graph APIs](/graph/graph-explorer/graph-explorer-overview).
+
+> [!IMPORTANT]
+> To perform these three tasks in Graph Explorer, you may have to consent to the eDiscovery.Read.All and eDiscovery.ReadWrite.All permissions. For more information, see the "Consent to permissions" section in [Working with Graph Explorer](/graph/graph-explorer/graph-explorer-features#consent-to-permissions).
+
+### Get the case Id
+
+1. Go to <https://developer.microsoft.com/graph/graph-explorer> and sign in to the Graph Explorer with an account that's assigned the **Search And Purge** role in the Microsoft 365 compliance center.
+
+2. Run the following GET request to retrieve the Id for the Advanced eDiscovery case. Use the value `https://graph.microsoft.com/beta/compliance/ediscovery/cases` in the address bar of the request query. Be sure to select **v1.0** in the API version dropdown list.
+
+ ![GET request for case Id.](..\media\GraphGetRequestForCaseId.png)
+
+ This request returns information about all cases in your organization on the **Response preview** tab.
+
+3. Scroll through the response to locate the Advanced eDiscovery case. Use the **displayName** property to identify the case.
+
+ ![Response with case Id.](..\media\GraphResponseForCaseId.png)
+
+4. Copy the corresponding Id (or copy and paste it to a text file). You'll use this Id in the next task to get the collection Id.
+
+> [!TIP]
+> Instead of using the previous procedure to obtain the case Id, you can open the case in the Microsoft 365 compliance center and copy the case Id from the URL.
+
+### Get the collection Id
+
+1. In Graph Explorer, run the following GET request to retrieve the Id for the collection that you created in Step 2, and contains the items you want to purge. Use the value `https://graph.microsoft.com/beta/compliance/ediscovery/cases('caseId')/sourceCollections` in the address bar of the request query, where CaseId is the Id that you obtained in the previous procedure. Be sure to surround the case Id with parentheses and single quotation marks.
+
+ ![GET request for collection Id.](..\media\GraphGetRequestForCollectionId.png)
+
+ This request returns information about all collections in the case on the **Response preview** tab.
+
+2. Scroll through the response to locate the collection that contains the items that you want to purge. Use the **displayName** property to identify the collection that you created in Step 3.
+
+ ![Response with collection Id.](..\media\GraphResponseForCollectionId.png)
+
+ In the response, the search query from the collection is displayed in the **contentQuery** property. Items returned by this query will be purged in the next task.
+
+3. Copy the corresponding Id (or copy and paste it to a text file). You'll use this Id in the next task to purge the chat messages.
+
+### Purge the chat messages
+
+1. In Graph Explorer, run the following POST request to purge the items returned by the collection that you created in Step 2. Use the value `https://graph.microsoft.com/beta/compliance/ediscovery/cases('caseId')/sourceCollections('collectionId')/purgeData` in the address bar of the request query, where caseId and collectionId are the Ids that you obtained in the previous procedures. Be sure to surround the Id values with parentheses and single quotation marks.
+
+ ![POST request to delete items returned by the collection.](..\media\GraphPOSTRequestToPurgeItems.png)
+
+ If the POST request is successful, an HTTP response code is displayed in a green banner stating that the request was accepted.
+
+ ![Response for the purge request.](..\media\GraphResponseForPurge.png)
+
+## Step 6: Verify chat messages are purged
+
+After you run the POST request to purge chat messages, these messages are removed from the Teams client and replaced with an automatically generated stating that an admin has removed the message. For an example of this message, see the [End-user experience](#end-user-experience) section in this article.
+
+Purged chat messages are moved to the SubstrateHolds folder, which is a hidden mailbox folder. Purged chat messages are stored there for at least 1 day, and then are permanently deleted the next time the timer job runs (typically between 1-7 days). For more information, see [Learn about retention for Microsoft Teams](retention-policies-teams.md).
+
+## Step 7: Reapply holds and retention policies to data sources
+
+After you verify that chat messages are purged and removed from the Teams client, you can reapply the holds and retention policies that you removed in Step 4.
+
+<!--
+## Deleting chat messages in federated environments
+
+Admins can use the procedures in this article to search and delete Teams chat messages in federated environments. However, you must adhere to the following guidelines. These guidelines are based on the organizational ownership of the conversation thread that contains the messages you want to delete. An organization is the owner of a conversation thread that is started by a user in that organization. In other words, when a user starts a chat, the user's organization becomes the owner of the conversation thread.
+
+- Admins can delete the compliance copy in conversation threads owned by their organization. That means compliance copies are purged when the admin who purges the chat messages in Step 5 is in the same organization as the user who initiated the conversation thread that contains the purged messages. If a conversation thread has users in two organizations, compliance copies for the other organization will be retained.
+
+- If a conversation thread has users in two organizations, purged chat messages are removed from the Teams client in both organizations.
+
+- The only way to purge chat messages from user mailboxes in your organization for chat messages in conversation threads owned by another organization is to use retention policies for Teams. For more information, see [Learn about retention for Microsoft Teams](retention-policies-teams.md).
+-->
+
+## End-user experience
+
+For deleted chat messages, users will see an automatically generated message stating "This message was deleted by an admin".
+
+![View of purged chat message in Teams client.](..\media\TeamsPurgeTombstone.png)
+
+The message in the previous screenshot replaces the chat message that was deleted.
+
+> [!NOTE]
+> If you're an end-user and a chat message was deleted, contact your admin for more information.
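Review bot: In "Get the case Id", step 2 tells the reader to use a `/beta/` URL (`https://graph.microsoft.com/beta/compliance/ediscovery/cases`) and then to "select **v1.0** in the API version dropdown list"; these two instructions conflict, and because every later request in the article also uses `/beta/`, the dropdown instruction should be corrected or removed. Several smaller issues in the same file are worth fixing before merge: "The purge process you perform is Step 5" should read "in Step 5"; "chats from standard, shared, and private chats" presumably means channels; "relevant to your search a purge investigation" is missing "and"; the Step 4 link ends with a double period; "Get the collection Id" step 2 says the collection was "created in Step 3" although it is created in Step 2; the placeholder is written `'caseId'` in the URL but "CaseId" in the sentence that explains it; and Step 6 says "replaced with an automatically generated stating", which is missing the word "message". There are also stray mis-encoded characters after "released through Teams chat messages." in the introduction, and most image links use backslash paths (`..\media\...`) while the workflow image uses `../media/`; the forward-slash form should be used throughout.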
compliance Search For And Delete Messages In Your Organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization.md
You can use the Content search feature to search for and delete email messages f
## Before you begin -- The search and purge workflow described in this article doesn't delete chat messages or other content from Microsoft Teams. If the Content search that you create in Step 2 returns items from Microsoft Teams, those items won't be deleted when you purge items in Step 3.
+- The search and purge workflow described in this article doesn't delete chat messages or other content from Microsoft Teams. If the Content search that you create in Step 2 returns items from Microsoft Teams, those items won't be deleted when you purge items in Step 3. To search for and delete chat messages, see [Search and purge chat messages in Teams](search-and-delete-Teams-chat-messages.md).
- To create and run a Content search, you have to be a member of the **eDiscovery Manager** role group or be assigned the **Compliance Search** role in the Microsoft 365 compliance center. To delete messages, you have to be a member of the **Organization Management** role group or be assigned the **Search And Purge** role in the compliance center For information about adding users to a role group, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
compliance Teams Workflow In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/teams-workflow-in-advanced-ediscovery.md
Here are some tips and best practices for viewing Teams content in a review set.
- Use [filters](review-set-search.md) for Teams-related properties to quickly display Teams content. There are filters for most of the metadata properties described in the previous section.
+## Deleting Teams chat messages
+
+You can use Advanced eDiscovery and the Microsoft Graph Explorer to respond to data spillage incidents, when content containing confidential or malicious information is released through Teams chat messages.ΓÇï Admins in your organization can search for and delete chat messages in Microsoft Teams. This can help you remove sensitive information or inappropriate content in Teams chat messages. For more information, see [Search and purge chat messages in Teams](search-and-delete-Teams-chat-messages.md).
+ ## Reference guide Here's a quick reference guide for using Advanced eDiscovery for Microsoft Teams. This guide summarizes the keys points for using Advanced eDiscovery to preserve, collect, review, and export content from Microsoft Teams.
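Review bot: The added paragraph under "Deleting Teams chat messages" contains stray characters after "Teams chat messages." (`ΓÇï`, which looks like a mis-encoded invisible character) that should be removed from the source. The paragraph also says the same thing twice ("search for and delete chat messages" and "remove sensitive information or inappropriate content"), and it names Microsoft Graph Explorer without saying what it is used for in the workflow. Suggest one sentence for the data spillage scenario, one for who can do it and with which tool, then the link.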
contentunderstanding Leverage Term Store Taxonomy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/leverage-term-store-taxonomy.md
After applying your model to the document library, when documents are uploaded t
![Contract service column.](../media/content-understanding/creative.png)</br>
+> [!NOTE]
+> If the term set is open, then any extracted values that do not match a preferred term or synonym value will be added as a new term to the root of the term set. These new terms can be moved, merged, or made synonyms in the term store where the term set resides.
-## See Also
+## See also
[Introduction to Managed Metadata](/sharepoint/managed-metadata#terms) [Create an extractor](create-an-extractor.md)
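Review bot: The added note explains the open term set case only, so a reader cannot tell what happens to unmatched values when the term set is closed, or where the open/closed setting is controlled. Because the note says extracted document values are written to the root of the term set as new terms, add a sentence on the closed case and a link to where the setting is changed, so admins who do not want document content creating terms know how to prevent it.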
security Compare Mdb M365 Plans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/compare-mdb-m365-plans.md
audience: Admin Previously updated : 04/08/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
Microsoft Defender for Business is available as a standalone offering or as part
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> **Use this article to**:
The following table compares security features and capabilities in Defender for
|Feature/Capability|[Defender for Business](mdb-overview.md)<br/>(standalone; currently in preview)|[Defender for Endpoint Plan 1](../defender-endpoint/defender-endpoint-plan-1.md)|[Defender for Endpoint Plan 2](../defender-endpoint/microsoft-defender-endpoint.md)| |||||
-|[Centralized management](../defender-endpoint/manage-atp-post-migration.md) <sup>[[1](#fn1)]</sup>|Yes|Yes|Yes|
+|[Centralized management](../defender-endpoint/manage-atp-post-migration.md) |Yes <sup>[[1](#fn1)]</sup>|Yes|Yes|
|[Simplified client configuration](mdb-simplified-configuration.md)|Yes|No|No| |[Threat & vulnerability management](../defender-endpoint/next-gen-threat-and-vuln-mgt.md)|Yes|No|Yes| |[Attack surface reduction capabilities](../defender-endpoint/overview-attack-surface-reduction.md)|Yes|Yes|Yes| |[Next-generation protection](../defender-endpoint/next-generation-protection.md)|Yes|Yes|Yes| |[Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md)|Yes <sup>[[2](#fn2)]</sup>|No|Yes|
-|[Automated investigation and response](../defender-endpoint/automated-investigations.md)|Yes <sup>[[2](#fn2)]</sup>|No|Yes|
-|[Threat hunting](../defender-endpoint/advanced-hunting-overview.md) and six months of data retention <sup>[[3](#fn3)]</sup>|No|No|Yes|
-|[Threat analytics](../defender-endpoint/threat-analytics.md)|Yes <sup>[[2](#fn2)]</sup>|No|Yes|
-|[Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>(Windows, macOS, iOS, and Android OS)|Yes <sup>[[4](#fn4)]</sup>|Yes|Yes|
+|[Automated investigation and response](../defender-endpoint/automated-investigations.md)|Yes <sup>[[3](#fn3)]</sup>|No|Yes|
+|[Threat hunting](../defender-endpoint/advanced-hunting-overview.md) and six months of data retention |No <sup>[[4](#fn4)]</sup>|No|Yes|
+|[Threat analytics](../defender-endpoint/threat-analytics.md)|Yes <sup>[[5](#fn5)]</sup>|No|Yes|
+|[Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>(Windows, macOS, iOS, and Android OS)|Yes <sup>[[6](#fn6)]</sup>|Yes|Yes|
|[Microsoft Threat Experts](../defender-endpoint/microsoft-threat-experts.md)|No|No|Yes| |Partner APIs|Yes|Yes|Yes| |[Microsoft 365 Lighthouse integration](../../lighthouse/m365-lighthouse-overview.md) <br/>(For viewing security incidents across customer tenants)|Yes|No|No|
-(<a id="fn1">1</a>) Onboard and manage devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or with another tool, such as Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).
+(<a id="fn1">1</a>) Onboard and manage devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or with Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).
-(<a id="fn2">2</a>) These capabilities are optimized for small and medium-sized businesses.
+(<a id="fn2">2</a>) Endpoint detection and response (EDR) capabilities in Defender for Business include behavior-based detection and the following four types of manual response actions:
+- Run antivirus scan
+- Isolate device
+- Stop and quarantine a file
+- Add an indicator to block or allow a file
-(<a id="fn3">3</a>) There is no timeline tab in Defender for Business.
+(<a id="fn3">3</a>) In Defender for Business, automated investigation and response is turned on by default, tenant wide. If you turn off automated investigation and response, it affects real-time protection. See [Review settings for advanced features](mdb-configure-security-settings.md#review-settings-for-advanced-features).
-(<a id="fn4">4</a>) During the preview program, Windows client devices are supported in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
+(<a id="fn4">4</a>) There is no timeline view in Defender for Business.
+
+(<a id="fn5">5</a>) In Defender for Business, threat analytics are optimized for small and medium-sized businesses.
+
+(<a id="fn6">6</a>) During the preview program, Windows client devices are supported for onboarding in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). You can use the local script method. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).
## Next steps
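Review bot: Footnote 3 says turning off automated investigation and response "affects real-time protection" without saying how, which leaves an admin unable to judge the risk of changing the default; state the concrete effect or drop the clause and rely on the linked settings article. Footnote 4 is now attached to the "No" in the threat hunting row, but its text ("There is no timeline view in Defender for Business") does not explain the missing threat hunting or six months of data retention that the row is about; reword it to match the row or move the marker. The renumbering from 2/3/4 to 3/4/5/6 otherwise lines up with the markers in the table.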
security Get Defender Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/get-defender-business.md
audience: Admin Previously updated : 04/08/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Get Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
If you don't already have Microsoft Defender for Business, you can choose from several options: - [Work with a Microsoft solution provider](#work-with-a-microsoft-solution-provider) - [Get Microsoft 365 Business Premium](#get-microsoft-365-business-premium)-- [Sign up for the preview program](#sign-up-for-the-preview-program)
+- [Sign up for Defender for Business preview program](#sign-up-for-the-preview-program)
If you have signed up for a trial, after you receive your acceptance email, you can [activate your trial and assign user licenses](#activate-your-trial), and then proceed to your [next steps](#next-steps). > > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Work with a Microsoft Solution Provider
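Review bot: Removing the `[!IMPORTANT]` block drops the prerelease disclaimer, yet the same hunk adds "Sign up for Defender for Business preview program" as an option and the surrounding text still refers to a trial and an acceptance email. If the standalone subscription is still in preview, keep a short statement to that effect next to the preview sign-up item so readers know which parts of the article describe prerelease functionality; the new `[!NOTE]` only covers the Microsoft 365 Business Premium case.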
When you receive your acceptance email, here's how to activate your trial subscr
| Scenario | Procedure | |:|:|
- | You're setting up a Microsoft 365 subscription for the first time. | Select **Go to guided setup** and complete the following steps:<br/><br/>1. Either install your Office apps now, or choose **Continue** to skip this step. (You can install your Office apps later.)<br/><br/>2. If your company has a domain, you can add it now (this option is recommended). Alternately, you could choose to use your default `.onmicrosoft.com` domain for now.<br/><br/>3. Add users and assign licenses. Each user you list will be assigned a license automatically. See [Add users and assign licenses at the same time](../../admin/add-users/add-users.md). |
+ | You're setting up a Microsoft 365 subscription for the first time. | Select **Go to guided setup** and complete the following steps:<br/><br/>1. Either install your Office apps now, or choose **Continue** to skip this step. (You can install your Office apps later.)<br/><br/>2. If your company has a domain, you can add it now (this option is recommended). Alternately, you could choose to use your default `.onmicrosoft.com` domain for now.<br/><br/>3. Add users and assign licenses. Each user you list will be assigned a license automatically. See [Add users and assign licenses at the same time](mdb-add-users.md). |
| You're adding a trial to an existing Microsoft 365 tenant. | 1. Go to the Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) and sign in.<br/><br/>2. In the navigation pane, choose **Users** > **Active users**. Review the list of users. <br/><br/>3. To assign licenses, follow the guidance in [Assign licenses to users](../../admin/manage/assign-licenses-to-users.md). |
security Mdb Add Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-add-users.md
+
+ Title: Add users and assign licenses in Microsoft Defender for Business
+description: Learn how to add users and assign licenses
+search.appverid: MET150
+++
+audience: Admin
+ Last updated : 04/14/2022
+ms.technology: mdb
+ms.localizationpriority: medium
++
+f1.keywords: NOCSH
++
+# Add users and assign licenses in Microsoft Defender for Business
+
+As soon as you have signed up for Microsoft Defender for Business, your first step is to add users and assign licenses. This article describes how to add users and includes next steps.
+
+## Add users and assign licenses
+
+> [!IMPORTANT]
+> You must be a global administrator to perform this task. The person who signed up your company for Microsoft 365 or for Microsoft Defender for Business is a global administrator by default.
+
+1. Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://admin.microsoft.com) and sign in.
+
+2. Go to **Users** > **Active users**, and then select **Add a user**.
+
+3. In the **Set up the basics** pane, fill in the basic user information, and then select **Next**.
+
+ - **Name**: Fill in the first and last name, display name, and username.
+ - **Domain** Choose the domain for the user's account. For example, if the user's username is `Pat`, and the domain is `contoso.com`, they'll sign in by using `pat@contoso.com`.
+ - **Password settings**: Choose whether to use the autogenerated password or to create your own strong password for the user. The user must change their password after 90 days. Or you can choose the option to **Require this user to change their password when they first sign in**. You can also choose whether you want to send the user's password in email when the user is added.
+
+4. On the **Assign product licenses** page, select Microsoft Defender for Business (or Microsoft 365 Business Premium). Then choose **Next**.
+
+ If you don't have any licenses available, you can still add a user and buy additional licenses. For more information about adding users, see [Add users and assign licenses at the same time](../../admin/add-users/add-users.md).
+
+5. On the **Optional settings** page, you can expand **Profile info** and fill in details, such as the user's jo title, department, location, and so forth. Then choose **Next**.
+
+6. On the **Review and finish** page, review the details, and then select **Finish adding** to add the user. If you need to make any changes, choose **Back** to go back to a previous page.
+
+## Next steps
+
+- [Visit the Microsoft 365 Defender portal](mdb-get-started.md)
+- [Use the setup wizard in Microsoft Defender for Business](mdb-use-wizard.md).
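Review bot: In step 3, the **Password settings** bullet mentions sending the user's password in email as a neutral choice and lists "Require this user to change their password when they first sign in" as an alternative ("Or you can choose"). These are independent options, and a password that has been emailed should be changed at first sign-in; suggest rewording so that the first-sign-in change is recommended whenever the password is sent by email. Smaller fixes: "jo title" in step 5 should be "job title", the **Domain** bullet is missing the colon the other two bullets have, and the product name in step 4 is not bolded like other UI labels.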
security Mdb Configure Security Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# View and edit your security policies and settings in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
## Overview
After you've onboarded your company's devices to Microsoft Defender for Business
- **[Next-generation protection policies](#view-or-edit-your-next-generation-protection-policies)**, which determine antivirus and antimalware protection for your company's devices - **[Firewall protection and rules](#view-or-edit-your-firewall-policies-and-custom-rules)**, which determine what network traffic is allowed to flow to or from your company's devices - **[Web content filtering](#set-up-web-content-filtering)**, which prevents people from visiting certain websites (URLs) based on categories, such as adult content or legal liability.
+- **[Advanced features](#review-settings-for-advanced-features)**, such as automated investigation and response, and endpoint detection and response (EDR) in block mode.
In Defender for Business, security policies are applied to devices through [device groups](mdb-create-edit-device-groups.md#what-is-a-device-group).
Use this article as a guide to managing your security policies and settings.
4. [Set up web content filtering](#set-up-web-content-filtering).
-5. [View and edit other settings in the Microsoft 365 Defender portal](#view-and-edit-other-settings-in-the-microsoft-365-defender-portal).
+5. [Review settings for advanced features](#review-settings-for-advanced-features).
-6. [Proceed to your next steps](#next-steps).
+6. [View and edit other settings in the Microsoft 365 Defender portal](#view-and-edit-other-settings-in-the-microsoft-365-defender-portal).
+
+7. [Proceed to your next steps](#next-steps).
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Choose where to manage security policies and devices
The following table can help you choose where to manage your security policies a
## View or edit your next-generation protection policies
-Depending on whether you're using the Microsoft 365 Defender portal or Microsoft Endpoint Manager to manage your next-generation protection policies, use one of the procedures in the following table: <br/><br/>
+Depending on whether you're using the Microsoft 365 Defender portal or Microsoft Endpoint Manager to manage your next-generation protection policies, use one of the procedures in the following table:
| Portal | Procedure | |:|:|
Depending on whether you're using the Microsoft 365 Defender portal or Microsoft
## View or edit your firewall policies and custom rules
-Depending on whether you're using the Microsoft 365 Defender portal or Microsoft Endpoint Manager to manage your firewall protection, use one of the procedures in the following table: <br/><br/>
+Depending on whether you're using the Microsoft 365 Defender portal or Microsoft Endpoint Manager to manage your firewall protection, use one of the procedures in the following table:
| Portal | Procedure | |:|:|
Depending on whether you're using the Microsoft 365 Defender portal or Microsoft
Web content filtering enables your security team to track and regulate access to websites based on their content categories, such as: - Adult content: Sites that are related to cults, gambling, nudity, pornography, sexually explicit material, or violence- - High bandwidth: Download sites, image sharing sites, or peer-to-peer hosts- - Legal liability: Sites that include child abuse images, promote illegal activities, foster plagiarism or school cheating, or that promote harmful activities- - Leisure: Sites that provide web-based chat rooms, online gaming, web-based email, or social networking- - Uncategorized: Sites that have no content or that are newly registered Not all of the websites in these categories are malicious, but they could be problematic for your company because of compliance regulations, bandwidth usage, or other concerns. In addition, you can create an audit-only policy to get a better understanding of whether your security team should block any website categories.
Web content filtering is available on the major web browsers, with blocks perfor
> [!TIP] > To learn more about web content filtering, see [Web content filtering](../defender-endpoint/web-content-filtering.md).
+## Review settings for advanced features
+
+In addition to next-generation protection, firewall, and web content filtering policies, Defender for Business includes advanced security features. These features are preconfigured using recommended settings; however, you can review them, and if necessary, edit settings to suit your business needs.
+
+To access settings for advanced features, in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features**.
+
+The following table describes settings for advanced features:
+
+| Setting | Description |
+|:|:|
+| Automated Investigation <br/>(turned on by default) | As alerts are generated, automated investigations can occur. Each automated investigation determines whether a detected threat requires action, and then takes (or recommends) remediation actions (such as sending a file to quarantine, stopping a process, isolating a device, or blocking a URL). While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.<br/><br/>You can view investigations on the **Incidents** page. Select an incident, and then select the **Investigations** tab.<br/><br/>[Learn more about automated investigations](../defender-endpoint/automated-investigations.md). |
+| Live Response <br/>(turned on by default) | Defender for Business includes the following types of manual response actions: <br/>- Run antivirus scan<br/>- Isolate device<br/>- Stop and quarantine a file<br/>- Add an indicator to block or allow a file <br/><br/>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |
+| Live Response for Servers | (This setting is currently not available in Defender for Business) |
+| Live Response unsigned script execution | (This setting is currently not available in Defender for Business) |
+| Enable EDR in block mode<br/>(turned on by default) | Provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. For devices running Microsoft Defender Antivirus as their primary antivirus, EDR in block mode provides an extra layer of defense by allowing Microsoft Defender Antivirus to take automatic actions on post-breach, behavioral EDR detections.<br/><br/>[Learn more about EDR in block mode](../defender-endpoint/edr-in-block-mode.md). |
+| Allow or block a file <br/>(turned on by default) | Enables you to allow or block a file by using [indicators](../defender-endpoint/indicator-file.md). This capability requires Microsoft Defender Antivirus to be in active mode and [cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md) to be turned on.<br/><br/>Blocking a file will prevent it from being read, written, or executed on devices in your organization. <br/><br/>[Learn more about indicators for files](../defender-endpoint/indicator-file.md). |
+| Custom network indicators<br/>(turned on by default) | Enables you to allow or block an IP address, URL, or domain by using [network indicators](../defender-endpoint/indicator-ip-domain.md). This capability requires Microsoft Defender Antivirus to be in active mode and [network protection](../defender-endpoint/enable-network-protection.md) to be turned on.<br/><br/>You can allow or block IPs, URLs, or domains based on your own threat intelligence. You can also warn users with a prompt if they open a risky app. The prompt won't stop them from using the app, but you can provide a warning for users.<br/><br/>[Learn more about network protection](../defender-endpoint/network-protection.md). |
+| Tamper protection<br/>(we recommend turning this setting on) | Tamper protection prevents malicious apps taking actions such as:<br/>- Disabling virus and threat protection<br/>- Disabling real-time protection<br/>- Turning off behavior monitoring<br/>- Disabling cloud protection<br/>- Removing security intelligence updates<br/>- Disabling automatic actions on detected threats<br/><br/>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents your security settings from being changed by apps and unauthorized methods. <br/><br/>[Lern more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |
+| Show user details<br/>(turned on by default) | Enables people in your organization to see details, such as employees' picture, name, title, and department. These details are stored in Azure Active Directory (Azure AD).<br/><br/>[Learn more about user profiles in Azure AD](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). |
+| Skype for Business integration<br/>(turned on by default) | Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see [Set up Microsoft Teams in your small business](/microsoftteams/deploy-small-business). <br/><br/>Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business. |
+| Web content filtering<br/>(turned on by default) | Block access to websites containing unwanted content and track web activity across all domains. See [Set up web content filtering](#set-up-web-content-filtering). |
+| Microsoft Intune connection<br/>(we recommend turning this setting on if you have Intune) | If your organization's subscription includes Microsoft Intune (part of Microsoft Endpoint Manager, and included in [Microsoft 365 Business Premium](../../business/index.yml)), this setting enables Defender for Business to share information about devices with Intune. |
+| Device discovery<br/>(turned on by default) | Enables your security team to find unmanaged devices that are connected to your company network. Unknown and unmanaged devices introduce significant risks to your network - whether it's an unpatched printer, network devices with weak security configurations, or a server with no security controls. <br/><br/>Device discovery uses onboarded devices to discover unmanaged devices, so your security team can onboard the unmanaged devices and reduce your vulnerability. <br/><br/>[Learn more about device discovery](../defender-endpoint/device-discovery.md). |
+| Preview features | Microsoft is continually updating services, such as Defender for Business, to include new feature enhancements and capabilities. If you opt in to receive preview features, you'll be among the first to try upcoming features in the preview experience. <br/><br/>[Learn more about preview features](../defender-endpoint/preview.md). |
++ ## View and edit other settings in the Microsoft 365 Defender portal In addition to security policies that are applied to devices, there are other settings you can view and edit in Defender for Business. For example, you specify the time zone to use, and you can onboard (or offboard) devices.
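Review bot: The "Live Response" row does not describe the setting it names. Its description is the list of manual response actions (run antivirus scan, isolate device, stop and quarantine a file, add an indicator), so an admin reviewing this table cannot tell what turning Live Response on or off changes; describe the setting itself or rename the row. Other points in the same table: the tamper protection row has "Lern more" for "Learn more"; the Intune row links Microsoft 365 Business Premium to `../../business/index.yml` while the note at the top of this article uses `../../business-premium/index.md`; and the Skype for Business row is marked "turned on by default" while stating the product was retired in July 2021, which needs a sentence on what the setting does today.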
In addition to security policies that are applied to devices, there are other se
### Settings to review for Defender for Business
-The following table describes settings to view (and if necessary, edit) in Defender for Business.
-
-<br/><br/>
+The following table describes settings to view (and if necessary, edit) in Defender for Business:
| Category | Setting | Description | |:|:|:|
The following table describes settings to view (and if necessary, edit) in Defen
| **Microsoft 365 Defender** | **Preview features** | Turn on preview features to try upcoming features and new capabilities. You can be among the first to preview new features and provide feedback. | | **Endpoints** | **Email notifications** | Set up or edit your email notification rules. When vulnerabilities are detected or an alert is created, the recipients specified in your email notification rules will receive an email. [Learn more about email notifications](mdb-email-notifications.md). | | **Endpoints** | **Device management** > **Onboarding** | Onboard devices to Defender for Business by using a downloadable script. To learn more, see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). |
-| **Endpoints** | **Device management** > **Offboarding** | Offboard (remove) devices from Defender for Business. When you offboard a device, it no longer sends data to Defender for Business, but data received prior to offboarding is retained. To learn more, see [Offboarding a device](mdb-onboard-devices.md#offboarding-a-device). |
+| **Endpoints** | **Device management** > **Offboarding** | Offboard (remove) devices from Defender for Business. When you offboard a device, it no longer sends data to Defender for Business, but data received prior to offboarding is retained. To learn more, see [Offboarding a device](mdb-offboard-devices.md). |
### Access your settings in the Microsoft 365 Defender portal
The following table describes settings to view (and if necessary, edit) in Defen
3. In the list of settings, select an item to view or edit. - ## Next steps Proceed to one or more of the following tasks:
security Mdb Create Edit Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-create-edit-device-groups.md
audience: Admin Previously updated : 02/07/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Device groups in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
In Microsoft Defender for Business, policies are applied to devices through certain collections that are called device groups.
In Microsoft Defender for Business, policies are applied to devices through cert
- [What device groups are](#what-is-a-device-group) - [How to create device groups in Defender for Business](#create-a-new-device-group)
+- [How to view an existing device group](#view-an-existing-device-group)
+- [What the Add All Devices option does](#what-does-the-add-all-devices-option-do)
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## What is a device group?
-A device group is a collection of devices that are grouped together because of certain specified criteria, such as operating system version. Devices that meet the criteria are included in that device group, unless you exclude them. In Microsoft Defender for Business, policies are applied to devices by using device groups.
+A device group is a collection of devices that are grouped together because of certain specified criteria, such as operating system version. Devices that meet the criteria are included in that device group, unless you exclude them. In Microsoft Defender for Business, policies are applied to devices by using device groups.
-Defender for Business includes default device groups that you can use. The default device groups include all the devices that are onboarded to Defender for Business. However, you can also create new device groups to assign policies with specific settings to certain devices.
+Defender for Business includes default device groups that you can use. The default device groups include all the devices that are onboarded to Defender for Business. For example, there's a default device group for Windows devices. Whenever you onboard Windows devices, they're added to the default device group automatically.
+
+You can also create new device groups to assign policies with specific settings to certain devices. For example, you might have a firewall policy assigned to one set of Windows devices, and a different firewall policy assigned to another set of Windows devices. You can define specific device groups to use with your policies.
+
+> [!NOTE]
+> As you create policies in Defender for Business, an order of priority is assigned. If you apply multiple policies to a given set of devices, those devices will receive the first applied policy only. For more information, see [Understand policy order in Microsoft Defender for Business](mdb-policy-order.md).
All device groups, including your default device groups and any custom device groups that you define, are stored in [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) (Azure AD).
Currently, in Defender for Business, you can create a new device group while you
10. On the **Review your policy** step, review all the settings, make any needed edits, and then choose **Create policy** or **Update policy**.
+## View an existing device group
+
+Currently, in Defender for Business, you can view your existing device groups while you are in the process of creating or editing a policy, as described in the following procedure:
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+
+2. In the navigation pane, choose **Device configuration**.
+
+3. Take one of the following actions:
+
+ 1. Select an existing policy, and then choose **Edit**.
+ 2. Choose **+ Add** to create a new policy.
+
+ > [!TIP]
+ > To get help creating or editing a policy, see [View or edit policies in Microsoft Defender for Business](mdb-view-edit-policies.md).
+
+4. On the **General information** step, review the information, edit if necessary, and then choose **Next**.
+
+5. Choose **Use existing group**. A flyout opens and displays device groups. If you don't have any device groups yet, you'll be prompted to create a new device group.
+
+## What does the Add All Devices option do?
+
+When you are creating or editing a policy, you might see the **Add all devices** option.
++
+If you select this option, all devices that are enrolled in Microsoft Endpoint Manager (which includes Microsoft Intune) will receive the policy that you are creating or editing by default.
+ ## Next steps Choose one or more of the following tasks: - [View or edit policies](mdb-view-edit-policies.md)- - [Create a new policy](mdb-create-new-policy.md)- - [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)- - [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)- - [Review remediation actions in the Action center](mdb-review-remediation-actions.md)
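Review bot: In the new "What does the Add All Devices option do?" section, the sentence ending "will receive the policy that you are creating or editing by default" does not say how the option interacts with the policy-order note added earlier in this same change, which states that devices covered by multiple policies "will receive the first applied policy only". Suggest stating whether a policy created with **Add all devices** takes effect on devices that already fall under a higher-priority policy, and moving or dropping "by default", since it is unclear what it qualifies. The bare `++` line between the two paragraphs of that section looks like leftover content and should be removed or replaced with whatever was intended there. The "View an existing device group" procedure also ends at step 5 inside the policy wizard without saying how to exit without saving, which matters for a reader who chose **Edit** only to look at the groups.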
security Mdb Custom Rules Firewall https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-custom-rules-firewall.md
audience: Admin Previously updated : 02/24/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Manage your custom rules for firewall policies in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
Microsoft Defender for Business includes firewall policies that help protect your devices from unwanted network traffic. You can use custom rules to define exceptions for your firewall policies. That is, you can use custom rules to block or allow specific connections.
To learn more about firewall policies and settings, see [Firewall in Microsoft D
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Create a custom rule for a firewall policy
To learn more about firewall policies and settings, see [Firewall in Microsoft D
## Next steps - [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)- - [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)- - [Review remediation actions in the Action center](mdb-review-remediation-actions.md)
security Mdb Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-email-notifications.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Set up email notifications
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
You can set up email notifications for your security team. Then, as alerts are generated, or new vulnerabilities are discovered, people on your security team will be notified automatically.
You can set up email notifications for your security team. Then, as alerts are g
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Types of email notifications
-When you set up email notifications, you can choose from two types, as described in the following table: <br/><br/>
+When you set up email notifications, you can choose from two types, as described in the following table:
| Notification type | Description | |||
security Mdb Firewall https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-firewall.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Firewall in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
Microsoft Defender for Business includes firewall capabilities with [Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). Firewall protection helps secure devices with rules that determine which network traffic is permitted to enter or flow from devices.
You can use firewall protection to specify whether to allow or block connections
**This article describes**: - [Default firewall settings in Defender for Business](#default-firewall-settings-in-defender-for-business)- - [Firewall settings you can configure in Defender for Business](#firewall-settings-you-can-configure-in-defender-for-business) > > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Default firewall settings in Defender for Business
In Microsoft Defender for Business, you can define exceptions to block or allow
## Firewall settings you can configure in Defender for Business
-Microsoft Defender for Business includes firewall protection through Windows Defender Firewall. The following table lists settings that can be configured for firewall protection in Microsoft Defender for Business. <br/><br/>
+Microsoft Defender for Business includes firewall protection through Windows Defender Firewall. The following table lists settings that can be configured for firewall protection in Microsoft Defender for Business.
| Setting | Description | |--|--|
Microsoft Defender for Business includes firewall protection through Windows Def
## Next steps - [Manage firewall settings in Microsoft Defender for Business](mdb-custom-rules-firewall.md)- - [Learn more about Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)- - [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)- - [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)- - [Review remediation actions in the Action center](mdb-review-remediation-actions.md)
security Mdb Get Help https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-help.md
Last updated 02/24/2022
# Get help and support for Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
## Get help and support
If you don't see the answer to your question, you can open a support ticket.
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## See also - [Microsoft Defender for Business - Frequently asked questions and answers](mdb-faq.yml)- - [Microsoft Defender for Business troubleshooting](mdb-troubleshooting.yml)
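Review bot: The date line for this article still reads "Last updated 02/24/2022", while the other Defender for Business articles that receive the same banner replacement in this change show a last-updated date of 04/12/2022. Suggest bumping the date here as well so the article does not look stale after the preview notice is removed.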
security Mdb Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-started.md
Title: Get started using the Microsoft 365 Defender portal
+ Title: Visit the Microsoft 365 Defender portal
description: See how to get started using the Microsoft 365 Defender portal. Learn how to navigate the portal, and view your current security status and recommendations search.appverid: MET150
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
-# Get started using the Microsoft 365 Defender portal
+# Visit the Microsoft 365 Defender portal
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
-
-After you've signed up for Microsoft Defender for Business, you'll want to get acquainted with the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This article includes the following sections:
--- [How to navigate the Microsoft 365 Defender portal](#navigate-the-microsoft-365-defender-portal)
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
-- [Learning modules about incidents and response actions](#complete-a-learning-module-about-incidents-and-response-actions)
+The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is your one-stop shop for using and managing Microsoft Defender for Business. It includes a welcome banner and callouts to help you get started, cards that surface relevant information, and a navigation bar to give you easy access to the various features and capabilities.
-- [Next steps](#next-steps)
+
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
>
-## Navigate the Microsoft 365 Defender portal
-
-The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) is your one-stop shop for using and managing Microsoft Defender for Business. It includes a welcome banner and callouts to help you get started, cards that surface relevant information, and a navigation bar to give you easy access to the various features and capabilities.
-
-Take a moment to get acquainted with your Microsoft 365 Defender portal.
--
-### Use the navigation bar
+## The navigation bar
Use the navigation bar on the left side of the screen to access your incidents, view reports, and manage your security policies. The following table describes items you'll see in your navigation bar.
Use the navigation bar on the left side of the screen to access your incidents,
| **Settings** | Enables you to edit settings for the Microsoft 365 Defender portal and Microsoft Defender for Business. For example, you can onboard (or offboard) and your company's devices (also referred to as endpoints). You can also define rules, such as alert suppression rules, and set up indicators to block or allow certain files or processes. | | **More resources** | Navigate to other portals, such as Azure Active Directory. Keep in mind that the Microsoft 365 Defender portal should meet your needs without requiring you to navigate to other portals. |
-## Complete a learning module about incidents and response actions
-
-See the learning module, [Detect and respond to security issues](/learn/modules/m365-detect-respond-security-issues-defender-endpoint/), to get an overview of incidents and response actions. You'll learn about the incident queue, alerts, and response actions that you can take. This course will help you get started working with incidents in Defender for Business.
-
-> [!NOTE]
-> Although the learning module ([Detect and respond to security issues](/learn/modules/m365-detect-respond-security-issues-defender-endpoint/)) is actually for Microsoft Defender for Endpoint, the basic concepts and overall flow are similar to what you'll see in Defender for Business.
- ## Next steps
-Now that you have an overview of Defender for Business, try one or more of the following tasks:
--- [Try tutorials and simulations in Microsoft Defender for Business](mdb-tutorials.md)--- [Manage devices in Microsoft Defender for Business](mdb-manage-devices.md)--- [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)--- [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)--- [Review remediation actions in the Action center](mdb-review-remediation-actions.md)--- [View or edit policies in Microsoft Defender for Business](mdb-view-edit-policies.md)
+- [Use the setup wizard in Microsoft Defender for Business](mdb-use-wizard.md)
+- [See the setup and configuration process](mdb-setup-configuration.md)
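Review bot: The title and H1 change to "Visit the Microsoft 365 Defender portal", but the unchanged `description` line still reads "See how to get started using the Microsoft 365 Defender portal"; suggest updating it to match. The new Next steps list links only to setup articles (`mdb-use-wizard.md`, `mdb-setup-configuration.md`) and removes every link to incident and response content along with the learning module section, so a reader who has already completed setup has no path from this page to `mdb-view-manage-incidents.md` or `mdb-respond-mitigate-threats.md`; consider keeping at least one of them. The unchanged **Settings** row also has a grammar slip worth fixing while the file is open: "you can onboard (or offboard) and your company's devices".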
security Mdb Lighthouse Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-lighthouse-integration.md
audience: Admin Previously updated : 02/24/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Microsoft 365 Lighthouse and Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
## Microsoft Defender for Business integrates with Microsoft 365 Lighthouse
To access the list of incidents, in Microsoft 365 Lighthouse, on the home page,
Microsoft 365 Lighthouse enables Microsoft Cloud Service Providers to secure and manage devices, data, and users at scale for small- and medium-sized business customers who are using one of the following subscriptions: - [Microsoft Defender for Business](/security/defender-business/mdb-overview.md)- - [Microsoft 365 Business Premium](../../admin/admin-overview/what-is-microsoft-365.md)- - [Microsoft 365 E3](../../enterprise/microsoft-365-overview.md) (which now includes [Microsoft Defender for Endpoint Plan 1](../defender-endpoint/defender-endpoint-plan-1.md)) To learn more, see [Overview of Microsoft 365 Lighthouse](../../lighthouse/m365-lighthouse-overview.md).
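Review bot: The new note links Microsoft 365 Business Premium to `../../business-premium/index.md`, but the subscription list in the unchanged text of the same article links that product name to `../../admin/admin-overview/what-is-microsoft-365.md`; suggest pointing both at the same target. The first entry in that list, `/security/defender-business/mdb-overview.md`, is the only link here that uses a rooted path and keeps the `.md` extension, so confirm it resolves.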
security Mdb Manage Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md
audience: Admin Previously updated : 02/24/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Manage devices in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
In Microsoft Defender for Business, you can manage devices as follows: - [View a list of onboarded devices](#view-the-list-of-onboarded-devices) to see their risk level, exposure level, and health state- - [Take action on a device](#take-action-on-a-device-that-has-threat-detections) that has threat detections- - [Onboard a device to Defender for Business](#onboard-a-device) - - [Offboard a device from Defender for Business](#offboard-a-device) > > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## View the list of onboarded devices
See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md)
## Offboard a device
-See [Offboarding a device](mdb-onboard-devices.md#offboarding-a-device).
+See [Offboarding a device](mdb-offboard-devices.md).
## Next steps - [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)- - [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)- - [Review remediation actions in the Action center](mdb-review-remediation-actions.md)- - [Create or edit device groups](mdb-create-edit-device-groups.md)
security Mdb Next Gen Configuration Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-next-gen-configuration-settings.md
audience: Admin Previously updated : 02/24/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Understand next-generation configuration settings in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
Next-generation protection in Defender for Business includes robust antivirus and antimalware protection. Your default policies are designed to protect your devices and users without hindering productivity; however, you can also customize your policies to suit your business needs. And, if you're using Microsoft Endpoint Manager, you can use that to manage your security policies. **This article describes**: - [Next-generation protection settings and options](#next-generation-protection-settings-and-options)- - [Other preconfigured settings in Defender for Business](#other-preconfigured-settings-in-defender-for-business) - - [Defender for Business default settings and Microsoft Endpoint Manager](#defender-for-business-default-settings-and-microsoft-endpoint-manager) ## Next-generation protection settings and options
-The following table lists your settings and options:<br/><br/>
+The following table lists your settings and options:
| Setting | Description | |:|:|
The following table lists your settings and options:<br/><br/>
The following security settings are preconfigured in Defender for Business: - Scanning of removable drives is turned on ([AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning))- - Daily quick scans don't have a preset time ([ScheduleQuickScanTime](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime))- - Security intelligence updates are checked before an antivirus scan runs ([CheckForSignaturesBeforeRunningScan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan))- - Security intelligence checks occur every four hours ([SignatureUpdateInterval](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval)) ## Defender for Business default settings and Microsoft Endpoint Manager The following table describes settings that are preconfigured for Defender for Business and how those settings correspond to what you might see in Microsoft Endpoint Manager (or Microsoft Intune). If you're using the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md) (preview), you don't need to edit these settings.
-<br/><br/>
| Setting | Description | |||
The following table describes settings that are preconfigured for Defender for B
## Next steps - [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)- - [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)- - [Review remediation actions in the Action center](mdb-review-remediation-actions.md) ## See also - [Visit the Microsoft 365 Defender portal](mdb-get-started.md)- - [Manage firewall settings in Microsoft Defender for Business](mdb-custom-rules-firewall.md)- - [Policy CSP - Defender](/windows/client-management/mdm/policy-csp-defender)
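Review bot: Removing the prerelease disclaimer leaves this article with no preview notice, yet the unchanged text under "Defender for Business default settings and Microsoft Endpoint Manager" still labels the simplified configuration process "(preview)". Either drop that tag if it no longer applies, or keep a short statement of what remains in preview. The replaced banner also said the standalone subscription was in preview, and the new note says nothing about its current status; one sentence on that would avoid confusion for standalone customers.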
security Mdb Offboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-offboard-devices.md
+
+ Title: Offboard a device from Microsoft Defender for Business
+description: Learn about how to remove a device from Microsoft Defender for Business
+search.appverid: MET150
+++
+audience: Admin
+ Last updated : 04/14/2022
+ms.technology: mdb
+ms.localizationpriority: medium
+
+f1.keywords: NOCSH
+
+- SMB
+- M365-security-compliance
+- m365-initiative-defender-business
++
+# Offboard a device from Microsoft Defender for Business
+
+If you want to offboard a device, use one of the following procedures:
+
+- [Offboard a Windows device](#offboard-a-windows-device)
+- [Offboard a macOS computer](#offboard-a-macos-computer)
+
+## Offboard a Windows device
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+
+2. In the navigation pane, choose **Settings**, and then choose **Endpoints**.
+
+3. Under **Device management**, choose **Offboarding**.
+
+4. Select an operating system, such as **Windows 10 and 11**, and then, under **Offboard a device**, in the **Deployment method** section, choose **Local script**.
+
+5. In the confirmation screen, review the information, and then choose **Download** to proceed.
+
+6. Select **Download offboarding package**. We recommend saving the offboarding package to a removable drive.
+
+7. Run the script on each device that you want to offboard.
+
+## Offboard a macOS computer
+
+1. Go to **Finder** > **Applications**.
+
+2. Right click on Microsoft Defender for Business, and then choose **Move to Trash**. <br/><br/> or <br/><br/> Use the following command: `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`.
+
+> [!IMPORTANT]
+> Offboarding a device causes the devices to stop sending data to Defender for Business. However, data received prior to offboarding is retained for up to six (6) months.
+
+## Next steps
+
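Review bot: The `[!IMPORTANT]` note on data retention sits at the end of the macOS section, so it reads as macOS-only although it describes offboarding in general; suggest moving it under the introductory sentence, and fixing the number mismatch in "Offboarding a device causes the devices to stop sending data". In the Windows procedure, steps 5 and 6 both tell the reader to download ("choose **Download** to proceed", then "Select **Download offboarding package**"), and step 7 says only "Run the script on each device" with no mention of how to run it or how to confirm afterwards that the device no longer reports. Because running the package stops a device from sending data, the step 6 recommendation to save it to a removable drive should come with guidance on who may hold the package and how to dispose of it. macOS step 2 packs two alternatives into one list item with inline `<br/>` tags; split them into labelled options. The article ends with an empty "## Next steps" heading, and the list of procedures covers Windows and macOS only, while the onboarding article updated in this same change also lists mobile devices and Windows Server (preview); either add those procedures or state that they are out of scope.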
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
audience: Admin Previously updated : 04/01/2022 Last updated : 04/14/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Onboard devices to Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
With Microsoft Defender for Business, you have several options to choose from for onboarding your company's devices. This article walks you through your options and includes an overview of how onboarding works. > > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## What to do
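Review bot: The new `[!NOTE]` drops the prerelease disclaimer that the removed `[!IMPORTANT]` block carried, yet this same change introduces a preview feature further down ("Windows Server (preview)" and the callout "The ability to onboard Windows Server endpoints is currently in preview"). Either keep the "might be substantially modified before they are commercially released" sentence and scope it to the Windows Server tab, or confirm that the short preview callout in that tab is the only notice required.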
-1. [See your options for onboarding devices](#device-onboarding-methods), and select a method.
+1. Select the tab for your operating system:
- - [Use automatic onboarding for Windows devices already enrolled in Microsoft Endpoint Manager](#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager)
- - [Use a local script to onboard Windows or macOS devices](#local-script-in-defender-for-business)
- - [Use Microsoft Endpoint Manager to onboard Windows, macOS, or mobile devices](#microsoft-endpoint-manager)
+ - Windows clients
+ - Windows Server (preview)
+ - macOS computers
+ - mobile devices
-2. [Run a detection test](#run-a-detection-test) on newly onboarded Windows devices.
+2. View your onboarding options and follow the guidance on the selected tab.
-3. [See your next steps](#next-steps).
+3. Proceed to your next steps.
-This article also includes information about [Offboarding a device](#offboarding-a-device).
+## [**Windows clients**](#tab/WindowsClientDevices)
-## Device onboarding methods
+## Windows clients
-Defender for Business offers you several different methods for onboarding devices, whether you're already using Microsoft Endpoint Manager, or you just want a simplified onboarding experience. The most commonly used methods to onboard devices to Defender for Business include:
+Choose one of the following options to onboard Windows client devices to Defender for Business:
-- **Automatic onboarding** for Windows devices that are already enrolled in Microsoft Endpoint Manager. Automatic onboarding sets up a connection between Defender for Business and Microsoft Endpoint Manager, and then onboards Windows devices to Defender for Business. In order to use this option, your devices must already be enrolled in Endpoint Manager. To learn more, see [Automatic onboarding](#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager).
+- [Local script](#local-script-for-windows-clients) (for onboarding devices manually in the Microsoft 365 Defender portal)
+- [Microsoft Endpoint Manager](#endpoint-manager-for-windows-clients) (included in [Microsoft 365 Business Premium](../../business-premium/index.md))
-- **Local script** to onboard Windows and macOS devices to Defender for Business manually. You can onboard up to 10 devices at a time using the local script. To learn more, see [Local script in Defender for Business](#local-script-in-defender-for-business). -- **Microsoft Intune** or **Microsoft Endpoint Manager** to onboard Windows, macOS, and mobile devices. You can enroll devices in Endpoint Manager, and then onboard your devices to Defender for Business. [Microsoft 365 Business Premium](../../business-premium/index.md) customers already have [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), and both Microsoft Intune and [Mobile Device Management](/mem/intune/enrollment/device-enrollment) are now part of Endpoint Manager. To use this method, see [Microsoft Endpoint Manager](#microsoft-endpoint-manager).
+### Local script for Windows clients
-> [!IMPORTANT]
-> If something goes wrong and your onboarding process fails, see [Microsoft Defender for Business troubleshooting](mdb-troubleshooting.yml).
+You can use a local script to onboard Windows client devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Endpoint Manager (if it isn't already enrolled), and then onboards the device to Defender for Business. The local script method works even if you don't currently have Endpoint Manager (or Microsoft Intune). We recommend onboarding up to 10 devices at a time using this method.
+
+> [!TIP]
+> We recommend onboarding up to 10 devices at a time when you use the local script method.
+
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+
+2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.
+
+3. Select an operating system, such as **Windows 10 and 11**, and then, in the **Deployment method** section, choose **Local script**.
+
+4. Select **Download onboarding package**. We recommend saving the onboarding package to a removable drive.
+
+5. On a Windows device, extract the contents of the configuration package to a location, such as the Desktop folder. You should have a file named `WindowsDefenderATPLocalOnboardingScript.cmd`.
+
+6. Open Command Prompt as an administrator.
+
+7. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type `%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd`, and then press the Enter key (or select **OK**).
-## Automatic onboarding for Windows devices enrolled in Microsoft Endpoint Manager
+8. After the script runs, proceed to [Run a detection test](#running-a-detection-test-on-a-windows-client).
-The automatic onboarding option applies to Windows devices only. Automatic onboarding is available if the following conditions are met:
+### Endpoint Manager for Windows clients
-- Your company was already using Microsoft Endpoint Manager, Microsoft Intune, or Mobile Device Management (MDM) in Microsoft Intune before you got Defender for Business
+If your subscription includes [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can onboard Windows clients and other devices in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you have Endpoint Manager as part of your subscription. Endpoint Manager includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management capabilities](/mem/intune/fundamentals/what-is-device-management).
-- You already have Windows devices enrolled in Endpoint Manager
+There are several methods available for enrolling devices in Intune. We recommend starting with one of the following methods:
+
+- [Enable Windows automatic enrollment](/mem/intune/enrollment/windows-enroll) for company-owned or company-managed devices
+- [Ask users to enroll their own Windows 10/11 devices in Intune](/mem/intune/user-help/enroll-windows-10-device)
+
+#### To enable automatic enrollment for Windows devices
+
+When you set up automatic enrollment, users add their work account to the device. In the background, the device registers and joins Azure Active Directory (Azure AD), and is enrolled in Intune.
+
+1. Go to the Azure portal ([https://portal.azure.com/](https://portal.azure.com/)) and sign in.
+
+2. Select **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**.
+
+3. Configure the MDM User scope and the MAM user scope.
+
+ :::image type="content" source="mediM user scope and MAM user scope in Intune.":::
+
+ - For MDM User scope, we recommend selecting **All** so that all users can automatically enroll their Windows devices.
+ - In the MAM user scope section, we recommend using the following default values for the URLs:
+
+ - **MDM Terms of use URL**
+ - **MDM Discovery URL**
+ - **MDM Compliance URL**
+
+4. Choose **Save**.
+
+5. After a device has been enrolled in Intune, you can add it to a device group. [Learn more about device groups in Microsoft Defender for Business](mdb-create-edit-device-groups.md).
-If Windows devices are already enrolled in Endpoint Manager, Defender for Business will detect those devices while you are in the process of setting up and configuring Defender for Business. You'll be asked if you want to use automatic onboarding for all or some of your Windows devices. You can onboard all Windows devices at once, or select specific devices to start with, and then add more devices later.
> [!TIP]
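Review bot: Step 3 of "To enable automatic enrollment for Windows devices" says to use "the following default values for the URLs" in the MAM user scope section, then lists three MDM field names (`MDM Terms of use URL`, `MDM Discovery URL`, `MDM Compliance URL`) and no values. Say which scope these fields belong to, and either give the defaults or tell the reader to leave the prefilled values unchanged. In the same step, the `:::image` directive has a `source` value that runs straight into the alt text (`source="mediM user scope and MAM user scope in Intune."`), so the path and the description need to be separated again. Two smaller points in the local-script section: the 10-device recommendation now appears twice in a row (last sentence of the intro paragraph and the `[!TIP]` directly below it), and the removed `[!IMPORTANT]` pointer to `mdb-troubleshooting.yml` has no replacement, so a reader whose onboarding run fails has no next step.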
-> We recommend selecting the "all devices enrolled" option. That way, when Windows devices are enrolled in Endpoint Manager later on, they'll be onboarded to Defender for Business automatically. In addition, if you've been managing security policies and settings in Endpoint Manager, we recommend switching to the Microsoft 365 Defender portal to manage your devices, policies, and settings. To learn more, see [Choose where to manage security policies and devices](mdb-configure-security-settings.md#choose-where-to-manage-security-policies-and-devices).
+> To learn more about automatic enrollment, see [Enable Windows automatic enrollment](/mem/intune/enrollment/windows-enroll).
+
+#### To have users enroll their own Windows devices
+
+1. Watch the following video to see how enrollment works: <br/><br/>
+
+ > [!VIDEO https://www.youtube.com/embed/TKQxEckBHiE?rel=0]
+
+2. Share this article with users in your organization: [Enroll Windows 10/11 devices in Intune](/mem/intune/user-help/enroll-windows-10-device).
+
+3. After a device has been enrolled in Intune, you can add it to a device group. [Learn more about device groups in Microsoft Defender for Business](mdb-create-edit-device-groups.md).
+
+### Running a detection test on a Windows client
+
+After you've onboarded Windows devices to Defender for Business, you can run a detection test on a Windows device to make sure that everything is working correctly.
+
+1. On the Windows device, create a folder: `C:\test-MDATP-test`.
+
+2. Open Command Prompt as an administrator.
+
+3. In the Command Prompt window, run the following PowerShell command:
+
+ ```powershell
+ powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference = 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
+ ```
+
+After the command has run, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device in about 10 minutes.
+
+## View a list of onboarded devices
+
+To view the list of devices that are onboarded to Defender for Business, in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, under **Endpoints**, choose **Device invetory**.
+
+## Next steps
+
+- If you have other devices to onboard, select the tab that corresponds to the operating system on the devices [(Windows clients, Windows Server, macOS, or mobile devices](#what-to-do)), and follow the guidance on that tab.
+- If you're done onboarding devices, proceed to [Step 5: Configure your security settings and policies in Microsoft Defender for Business](mdb-configure-security-settings.md)
+- See [Get started using Microsoft Defender for Business](mdb-get-started.md).
-To learn more about automatic onboarding, see step 2 in [Use the wizard to set up Microsoft Defender for Business](mdb-use-wizard.md).
+## [**Windows Server**](#tab/WindowsServerEndpoints)
-## Local script in Defender for Business
+## Windows Server (preview)
-You can use a local script to onboard Windows and Mac devices. When you run the onboarding script on a device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Endpoint Manager (if it isn't already enrolled), and then onboards the device to Defender for Business. This method is useful for onboarding devices in Defender for Business. You can onboard up to 10 devices at a time.
+You can onboard a Windows Server device by using a local script.
+
+> [!IMPORTANT]
+> The ability to onboard Windows Server endpoints is currently in preview.
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in. 2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.
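Review bot: Step 3 of "Running a detection test on a Windows client" asks an administrator to paste a command that sets `-ExecutionPolicy Bypass -WindowStyle Hidden`, writes `invoice.exe` into `C:\test-MDATP-test` and starts it, without saying what the command is for. Add one sentence stating that the download URL is the loopback address (`http://127.0.0.1/1.exe`) and that the command exists only to raise a test alert, and say whether the test folder can be deleted afterwards. Also: "Device invetory" should be "Device inventory", and the first "Next steps" bullet opens its parenthesis inside the link text (`[(Windows clients, ... mobile devices](#what-to-do))`); both slips recur in the Windows Server tab, while the macOS tab already has the correct spelling and bracket order. The second "Next steps" bullet lacks a closing period.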
-3. Select an operating system, such as **Windows 10 and 11** or **macOS**, and then, in the **Deployment method** section, choose **Local script**.
+3. Select an operating system, such as **Windows Server 1803, 2019, and 2022**, and then, in the **Deployment method** section, choose **Local script**.
-4. Select **Download onboarding package**. We recommend saving the onboarding package to a removable drive. (If you selected **macOS**, also select **Download installation package** and save it to your removable device.)
+ If you select **Windows Server 2012 R2 and 2016**, you'll have two packages to download and run: an installation package, and an onboarding package. The installation package contains an MSI file that installs the Microsoft Defender for Business agent. The onboarding package contains the script to onboard your Windows Server endpoint to Defender for Business.
-5. Follow the guidance in the following table:
+4. Select **Download onboarding package**. We recommend saving the onboarding package to a removable drive.
- | Operating System | Procedure |
- |||
- | Windows | 1. On a Windows device, extract the contents of the configuration package to a location, such as the Desktop folder. You should have a file named `WindowsDefenderATPLocalOnboardingScript.cmd`. <br/><br/>2. Open Command Prompt as an administrator.<br/><br/>3. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type: `%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd`, and then press the Enter key (or select **OK**).<br/><br/>4. After the script runs, proceed to [Run a detection test](#run-a-detection-test). |
- | macOS | 1. On a Mac computer, save the installation package as `wdav.pkg` to a local directory. <br/><br/>2. Save the onboarding package as `WindowsDefenderATPOnboardingPackage.zip` to the same directory you used for the installation package. <br/><br/>3. Use Finder to navigate to `wdav.pkg` you saved, and then open it.<br/><br/>4. Select **Continue**, agree with the License terms, and then enter your password when prompted.<br/><br/>5. You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold", or both. The driver must be allowed to be installed. To allow the installation, select **Open Security Preferences** or **Open System Preferences** > **Security & Privacy**, and then select **Allow**.<br/><br/>6. Use the following Python command in Bash to run the onboarding package: `/usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py`. <br/><br/>7. To confirm that the device is associated with your company, use the following Python command in Bash: `mdatp health --field org_id`.<br/><br/>8. If you are using macOS 10.15 (Catalina) or later, grant Defender for Business consent to protect your device. Go to **System Preferences** > **Security & Privacy** > **Privacy** > **Full Disk Access**. Select the lock icon to make changes (bottom of the dialog box), and then select Microsoft Defender for Business (or Defender for Endpoint, if that's what you see). <br/><br/>9. To verify that the device is onboarded, use the following command in Bash: `mdatp health --field real_time_protection_enabled`. |
+ If you selected **Windows Server 2012 R2 and 2016**, also select **Download installation package**, and save it to a removable drive
-## Microsoft Endpoint Manager
+5. On your Windows Server endpoint, extract the contents of the installation/onboarding package(s) to a location, such as the Desktop folder. You should have a file named `WindowsDefenderATPLocalOnboardingScript.cmd`.
-If you were already using Endpoint Manager (which includes Microsoft Intune and Mobile Device Management), before you got Defender for Business, you can continue to use Endpoint Manager to onboard your company's devices. With Endpoint Manager, you can onboard computers, tablets, and phones, including iOS and Android devices.
+ If you're onboarding Windows Server 2012 R2 or Windows Server 2016, extract the installation package first.
-See [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment).
+6. Open Command Prompt as an administrator.
-## Run a detection test
+7. If you're onboarding Windows Server 2012R2 or Windows Server 2016, run the following command: `Msiexec /i md4ws.msi /quiet`.
-After you've onboarded Windows devices to Defender for Business, you can run a detection test on a Windows device to make sure that everything is working correctly.
+ If you're onboarding Windows Server 1803, 2019, or 2022, skip this step and proceed to step 8.
-1. On the Windows device, create a folder: `C:\test-MDATP-test`.
+8. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type `%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd`, and then press the Enter key (or select **OK**).
+
+9. Proceed to [Run a detection test on Windows Server](#running-a-detection-test-on-windows-server)
+
+### Running a detection test on Windows Server
+
+After you've onboarded your Windows Server endpoint to Defender for Business, you can run a detection test to make sure that everything is working correctly.
+
+1. On the Windows Server device, create a folder: `C:\test-MDATP-test`.
2. Open Command Prompt as an administrator.
After you've onboarded Windows devices to Defender for Business, you can run a d
After the command has run, the Command Prompt window will close automatically. If successful, the detection test will be marked as completed, and a new alert will appear in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) for the newly onboarded device in about 10 minutes.
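Review bot: Step 7 runs `Msiexec /i md4ws.msi /quiet`, but no earlier step names `md4ws.msi`; step 5 only says the extraction should yield `WindowsDefenderATPLocalOnboardingScript.cmd`. Name the MSI in step 5 as the expected content of the installation package, and say that the command must be run from the folder the package was extracted to (or show a full path, as step 8 does for the script). Also, "2012R2" in step 7 is written "2012 R2" in the other steps, and the sub-paragraph under step 4 and step 9 both lack a closing period.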
-## Gradual device onboarding
+## View a list of onboarded devices
-You can onboard your company's devices in phases. *We call this gradual device onboarding*.
+To view the list of devices that are onboarded to Defender for Business, in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, under **Endpoints**, choose **Device invetory**.
-1. Identify a set of devices to onboard.
+## Next steps
-2. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+- If you have other devices to onboard, select the tab that corresponds to the operating system on the devices [(Windows clients, Windows Server, macOS, or mobile devices](#what-to-do)), and follow the guidance on that tab.
+- If you're done onboarding devices, proceed to [Step 5: Configure your security settings and policies in Microsoft Defender for Business](mdb-configure-security-settings.md)
+- See [Get started using Microsoft Defender for Business](mdb-get-started.md).
-3. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.
+## [**macOS**](#tab/macOSdevices)
-4. Select an operating system (such as **Windows 10 and 11)**, and then choose an onboarding method (such as **Local script**). Follow the guidance provided for the method you selected.
+## macOS computers
-5. Repeat this process for each set of devices you want to onboard.
+> [!NOTE]
+> - We recommend using a [local script to onboard macOS devices](#local-script-for-macos). Although you can [set up enrollment for macOS devices in Intune](/mem/intune/enrollment/macos-enroll), the local script is the simplest method for onboarding macOS devices to Defender for Business.
-> [!TIP]
-> You don't have to use the same onboarding package every time you onboard devices. For example, you can use a local script to onboard some devices, and later on, you can choose another method to onboard more devices.
+Choose one of the following options to onboard macOS devices:
-## Offboarding a device
+- [Local script for macOS](#local-script-for-macos) (*recommended*)
+- [Endpoint Manager for macOS](#endpoint-manager-for-macos)
-If you want to offboard a device, use one of the following procedures:
+### Local script for macOS
-| Operating system | Procedure |
-|||
-| Windows | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.<br/><br/>2. In the navigation pane, choose **Settings**, and then choose **Endpoints**.<br/><br/>3. Under **Device management**, choose **Offboarding**.<br/><br/>4. Select an operating system, such as **Windows 10 and 11**, and then, under **Offboard a device**, in the **Deployment method** section, choose **Local script**. <br/><br/>5. In the confirmation screen, review the information, and then choose **Download** to proceed.<br/><br/>6. Select **Download offboarding package**. We recommend saving the offboarding package to a removable drive.<br/><br/>7. Run the script on each device that you want to offboard.|
-| macOS | 1. Go to **Finder** > **Applications**. <br/><br/>2. Right click on Microsoft Defender for Business, and then choose **Move to Trash**. <br/><br/> or <br/><br/> Use the following command: `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`.|
+When you run the local script on a macOS device, it creates a trust with Azure Active Directory (if that trust doesn't already exist), enrolls the device in Microsoft Endpoint Manager (if it isn't already enrolled), and then onboards the device to Defender for Business. The local script method works even if you don't currently have Endpoint Manager (or Microsoft Intune). We recommend onboarding up to 10 devices at a time using this method.
-> [!IMPORTANT]
-> Offboarding a device causes the devices to stop sending data to Defender for Business. However, data received prior to offboarding is retained for up to six (6) months.
+1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
+
+2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.
+
+3. Select **macOS**, and then, in the **Deployment method** section, choose **Local script**.
+
+4. Select **Download onboarding package**, and save it to a removable drive. Also select **Download installation package**, and save it to your removable device.
+
+5. On a macOS device, save the installation package as `wdav.pkg` to a local directory.
+
+6. Save the onboarding package as `WindowsDefenderATPOnboardingPackage.zip` to the same directory you used for the installation package.
+
+7. Use Finder to navigate to `wdav.pkg` you saved, and then open it.
+
+8. Select **Continue**, agree with the License terms, and then enter your password when prompted.
+
+9. You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold", or both. The driver must be allowed to be installed. To allow the installation, select **Open Security Preferences** or **Open System Preferences** > **Security & Privacy**, and then select **Allow**.
+
+10. Use the following Python command in Bash to run the onboarding package: `/usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py`
+
+11. After a device has been enrolled in Intune, you can add it to a device group. [Learn more about device groups in Microsoft Defender for Business](mdb-create-edit-device-groups.md).
+
+### Endpoint Manager for macOS
+
+If your subscription includes [Microsoft Endpoint Manager](/mem/endpoint-manager-overview), you can onboard macOS devices in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you have Endpoint Manager as part of your subscription. Endpoint Manager includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management capabilities](/mem/intune/fundamentals/what-is-device-management).
+
+There are several methods available for enrolling devices in Intune. We recommend starting with one of the following methods:
+
+- [Choose an option for company-owned macOS devices](#options-for-company-owned-macos-devices)
+- [Ask users to enroll their own macOS devices in Intune](#ask-users-to-enroll-their-own-macos-devices-in-intune)
+
+#### Options for company-owned macOS devices
+
+Choose one of the options in the following table to enroll company-managed macOS devices in Intune:
+
+| Option | Description |
+|||
+| Apple Automated Device Enrollment | Use this method to automate the enrollment experience on devices purchased through Apple Business Manager or Apple School Manager. Automated device enrollment deploys the enrollment profile over-the-air, so you don't need to have physical access to devices. <br/><br/>See [Automatically enroll macOS devices with the Apple Business Manager or Apple School Manager](/mem/intune/enrollment/device-enrollment-program-enroll-macos). |
+| Device enrolllment manager (DEM) | Use this method for large-scale deployments and when there are multiple people in your organization who can help with enrollment setup. Someone with device enrollment manager (DEM) permissions can enroll up to 1,000 devices with a single Azure Active Directory account. This method uses the Company Portal app or Microsoft Intune app to enroll devices. You can't use a DEM account to enroll devices via Automated Device Enrollment.<br/><br/> See [Enroll devices in Intune by using a device enrollment manager account](/mem/intune/enrollment/device-enrollment-manager-enroll). |
+| Direct enrollment | Direct enrollment enrolls devices with no user affinity, so this method is best for devices that aren't associated with a single user. This method requires you to have physical access to the Macs you're enrolling. <br/><br/>See [Use Direct Enrollment for macOS devices](/mem/intune/enrollment/device-enrollment-direct-enroll-macos). |
+
+#### Ask users to enroll their own macOS devices in Intune
+
+If your business prefers to have people enroll their own devices in Intune, ask users to follow these steps:
+
+1. Go to the Company Portal website ([https://portal.manage.microsoft.com/](https://portal.manage.microsoft.com/)) and sign in.
+
+2. Follow the instructions on the Company Portal website to add their device.
+
+3. Install the Company Portal app at [https://aka.ms/EnrollMyMac](https://aka.ms/EnrollMyMac), and follow the instructions in the app.
+
+### Confirm that a macOS device is onboarded
+
+1. To confirm that the device is associated with your company, use the following Python command in Bash: `mdatp health --field org_id`.
+
+2. If you are using macOS 10.15 (Catalina) or later, grant Defender for Business consent to protect your device. Go to **System Preferences** > **Security & Privacy** > **Privacy** > **Full Disk Access**. Select the lock icon to make changes (bottom of the dialog box), and then select **Microsoft Defender for Business** (or **Defender for Endpoint**, if that's what you see).
+
+3. To verify that the device is onboarded, use the following command in Bash: `mdatp health --field real_time_protection_enabled`
+
+4. After a device has been enrolled in Intune, you can add it to a device group. [Learn more about device groups in Microsoft Defender for Business](mdb-create-edit-device-groups.md).
+
+## View a list of onboarded devices
+
+To view the list of devices that are onboarded to Defender for Business, in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, under **Endpoints**, choose **Device inventory**.
## Next steps
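Review bot: In "Local script for macOS", step 10 runs `MicrosoftDefenderATPOnboardingMacOs.py`, but the only onboarding artifact the earlier steps produce is `WindowsDefenderATPOnboardingPackage.zip` (step 6); nothing says to extract it or which directory to run the command from. Add an explicit extraction step if the script ships inside the zip, and state the working directory. In "Confirm that a macOS device is onboarded", step 1 calls `mdatp health --field org_id` a "Python command" while step 3 calls the same tool a "command in Bash"; use the second wording for both. Typos to fix while here: step 9 never closes the parenthesis opened at `(either "System Extension Blocked"`, and the enrollment table has "Device enrolllment manager". This change also deletes the "Offboarding a device" procedures from the article, so link to wherever they now live.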
-Proceed to:
+- If you have other devices to onboard, select the tab that corresponds to the operating system on the devices ([Windows clients, Windows Server, macOS, or mobile devices](#what-to-do)), and follow the guidance on that tab.
+- If you're done onboarding devices, proceed to [Step 5: Configure your security settings and policies in Microsoft Defender for Business](mdb-configure-security-settings.md)
+- See [Get started using Microsoft Defender for Business](mdb-get-started.md).
+
+## [**mobile devices**](#tab/mobiles)
-- [Step 5: Configure your security settings and policies in Microsoft Defender for Business](mdb-configure-security-settings.md)
+## Mobile devices
+
+You'll need Microsoft Intune to onboard mobile devices, such as Android and iOS/iPadOS devices. If you have [Microsoft 365 Business Premium](../../business/index.yml), you have Endpoint Manager as part of your subscription. Endpoint Manager includes [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management capabilities](/mem/intune/fundamentals/what-is-device-management).
+
+See the following resources to get help enrolling these devices into Intune:
+
+- [Enroll Android devices](/mem/intune/enrollment/android-enroll)
+- [Enroll iOS or iPadOS devices](/mem/intune/enrollment/ios-enroll)
+
+After a device has been enrolled in Intune, you can add it to a device group. [Learn more about device groups in Microsoft Defender for Business](mdb-create-edit-device-groups.md).
+
+## Next steps
-- [Get started using Microsoft Defender for Business](mdb-get-started.md)
+- If you have other devices to onboard, select the tab that corresponds to the operating system on the devices ([Windows clients, Windows Server, macOS, or mobile devices](#what-to-do)), and follow the guidance on that tab.
+- If you're done onboarding devices, proceed to [Step 5: Configure your security settings and policies in Microsoft Defender for Business](mdb-configure-security-settings.md)
+- See [Get started using Microsoft Defender for Business](mdb-get-started.md).
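Review bot: The "Microsoft 365 Business Premium" link in the Mobile devices paragraph points to `../../business/index.yml`, while the `[!NOTE]` at the top of the article and the Windows clients option list link the same product name to `../../business-premium/index.md`. Pick one target and use it everywhere this change adds the link (the Endpoint Manager paragraphs for Windows clients and macOS use the `business` path too). The tab label `[**mobile devices**](#tab/mobiles)` is lowercase although its own heading is "Mobile devices", and this tab has no "View a list of onboarded devices" section even though the other three tabs each carry one.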
security Mdb Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-overview.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Overview of Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
Microsoft Defender for Business is a new endpoint security solution that was designed especially for the small and medium-sized business (up to 300 employees). With this endpoint security solution, your company's devices are better protected from ransomware, malware, phishing, and other threats.
This article describes what's included in Defender for Business, with links to l
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> With Defender for Business, you can help protect the devices and data your business uses with:
With Defender for Business, you can help protect the devices and data your busin
## Next steps - [Learn more about the simplified configuration process in Microsoft Defender for Business](mdb-simplified-configuration.md)- - [Find out how to get Microsoft Defender for Business](get-defender-business.md)
security Mdb Policy Order https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-policy-order.md
audience: Admin Previously updated : 02/24/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Understand policy order in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
## Policy order in Microsoft Defender for Business
As policies are added, you'll notice that an order of priority is assigned. You
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Key points to remember about policy order - Policies are assigned an order of priority.- - Devices receive the first applied policy only.- - You can change the order of priority for policies.- - Default policies are given the lowest order of priority. ## Next steps - [Get started using Defender for Business](mdb-get-started.md)- - [Manage devices](mdb-manage-devices.md)- - [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)- - [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)- - [Review remediation actions in the Action center](mdb-review-remediation-actions.md)
security Mdb Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-reports.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Reports in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
Several reports are available in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This article describes these reports, how you can use them, and how to find them.
-<br/><br/>
- ## Reports in Defender for Business |Report |Description |
Several reports are available in the Microsoft 365 Defender portal ([https://sec
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## See also - [Get started using Microsoft Defender for Business](mdb-get-started.md)- - [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)- - [Manage devices in Microsoft Defender for Business](mdb-manage-devices.md)
security Mdb Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-requirements.md
audience: Admin Previously updated : 04/01/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Microsoft Defender for Business requirements
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
This article describes the requirements for Microsoft Defender for Business.
This article describes the requirements for Microsoft Defender for Business.
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Review the requirements
-The following table lists the basic requirements to configure and use Microsoft Defender for Business. <br/><br/>
+The following table lists the basic requirements to configure and use Microsoft Defender for Business.
| Requirement | Description | |:|:| | Subscription | Microsoft 365 Business Premium <br/> or <br/>Microsoft Defender for Business (standalone; currently in preview). <br/><br/> See [How to get Microsoft Defender for Business](get-defender-business.md).<br/><br/>Note that if you have multiple subscriptions, the highest subscription takes precedence. For example, if you have Microsoft Defender for Endpoint Plan 2 (purchased or trial subscription), and you get Microsoft Defender for Business, Defender for Endpoint Plan 2 takes precedence. In this case, you won't see the Defender for Business experience. | | Datacenter | One of the following datacenter locations: <br/>- European Union <br/>- United Kingdom <br/>- United States |
-| User accounts | User accounts are created in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/><br/>Microsoft Defender for Business licenses are assigned in the Microsoft 365 admin center<br/><br/>To get help with this task, see [Add users and assign licenses](../../admin/add-users/add-users.md). |
+| User accounts | User accounts are created in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/><br/>Microsoft Defender for Business licenses are assigned in the Microsoft 365 admin center<br/><br/>To get help with this task, see [Add users and assign licenses](mdb-add-users.md). |
| Permissions | To sign up for Microsoft Defender for Business, you must be a Global Admin.<br/><br/>To access the Microsoft 365 Defender portal, users must have one of the following [roles in Azure AD](mdb-roles-permissions.md) assigned: <br/>- Security Reader<br/>- Security Admin<br/>- Global Admin<br/><br/>To learn more, see [Roles and permissions in Microsoft Defender for Business](mdb-roles-permissions.md). | | Browser requirements | Microsoft Edge or Google Chrome |
-| Operating system | To manage devices in Microsoft Defender for Business, your devices must be running one of the following operating systems: <br/>- Windows 10 Business or later <br/>- Windows 10 Professional or later <br/>- Windows 10 Enterprise or later <br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed. <br/><br/>If you're already managing devices in Microsoft Intune (or Microsoft Endpoint Manager), you can onboard those devices to Defender for Business. |
+| Operating system | To manage devices in Microsoft Defender for Business, your devices must be running one of the following operating systems: <br/>- Windows 10 Business or later <br/>- Windows 10 Professional or later <br/>- Windows 10 Enterprise or later <br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed. <br/><br/>If you're already managing devices in Microsoft Intune (or Microsoft Endpoint Manager), you can onboard those devices to Defender for Business.<br/><br/>The ability to onboard endpoints running Windows Server 2012 R2 and later is currently in preview. |
> [!NOTE] > [Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/active-directory-whatis) is used to manage user permissions and device groups. Azure AD is included in your Defender for Business subscription.
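Review bot: The sentence added to the Operating system row introduces a preview capability ("The ability to onboard endpoints running Windows Server 2012 R2 and later is currently in preview") in the same change that removes this article's prerelease disclaimer. The unchanged Subscription row also still describes the standalone subscription as "currently in preview". Keep a short prerelease notice scoped to those two items. Also, the row's list of supported operating systems names only Windows 10 editions, so add the server versions there or state that they are handled separately.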
security Mdb Respond Mitigate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-respond-mitigate-threats.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Respond to and mitigate threats in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
The Microsoft 365 Defender portal enables your security team to respond to and mitigate detected threats. This article walks you through an example of how you can use Defender for Business. > > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## View detected threats
The Microsoft 365 Defender portal enables your security team to respond to and m
## Next steps - [Review remediation actions in the Action center](mdb-review-remediation-actions.md)- - [Manage devices in Microsoft Defender for Business](mdb-manage-devices.md)- - [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)
security Mdb Review Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-review-remediation-actions.md
audience: Admin Previously updated : 03/10/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Review remediation actions in the Action center
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
As threats are detected, remediation actions come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval. Examples of remediation actions include sending a file to quarantine, stopping a process from running, and removing a scheduled task. All remediation actions are tracked in the Action center.
As threats are detected, remediation actions come into play. Depending on the pa
**This article describes**: - [How to use the Action center](#how-to-use-the-action-center)- - [Remediation actions](#remediation-actions) > > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## How to use the Action center
The following table lists remediation actions that are available:
## Next steps - [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)- - [Manage devices in Microsoft Defender for Business](mdb-manage-devices.md)
security Mdb Roles Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-roles-permissions.md
audience: Admin Previously updated : 04/01/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Assign roles and permissions in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
To perform tasks in the Microsoft 365 Defender portal, such as configuring Microsoft Defender for Business, viewing reports, or taking response actions on detected threats, appropriate permissions must be assigned to your security team. Permissions are granted through roles that are assigned in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or in [Azure Active Directory](/azure/active-directory/roles/manage-roles-portal).
To perform tasks in the Microsoft 365 Defender portal, such as configuring Micro
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Roles in Defender for Business
-The following table describes the three roles that can be assigned in Defender for Business. [Learn more about admin roles](../../admin/add-users/about-admin-roles.md). <br/><br/>
+The following table describes the three roles that can be assigned in Defender for Business. [Learn more about admin roles](../../admin/add-users/about-admin-roles.md).
| Permission level | Description | |:|:|
The following table describes the three roles that can be assigned in Defender f
## Need to add users?
-If you haven't already added users to your subscription, see [Add users and assign licenses at the same time](../../admin/add-users/add-users.md).
+If you haven't already added users to your subscription, see [Add users and assign licenses at the same time](mdb-add-users.md).
## Next steps Proceed to: - [Step 3: Set up email notifications](mdb-email-notifications.md)- - [Step 4: Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md)
security Mdb Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-setup-configuration.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Set up and configure Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
-Microsoft Defender for Business provides a streamlined setup and configuration experience, designed especially for the small and medium-sized business. Use this article as a guide.
+Microsoft Defender for Business provides a streamlined setup and configuration experience, designed especially for the small and medium-sized business. Use this article as a guide for the overall process.
+
+> [!TIP]
+> If you used the [setup wizard](mdb-use-wizard.md), then you've already completed several steps of your basic setup process. In this case, you can:
+> - [Onboard more devices](mdb-onboard-devices.md)
+> - [Configure your security policies and settings](mdb-configure-security-settings.md)
+> - [Visit your vulnerability management dashboard](mdb-view-tvm-dashboard.md)
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## The setup and configuration process
+The following diagram depicts the overall setup and configuration process for Defender for Business. If you used the setup wizard, then you've likely already completed steps 1-3, and possibly step 4.
+ :::image type="content" source="media/mdb-setup-process-2.png" alt-text="Setup and configuration process for Microsoft Defender for Business."::: | Step | Article | Description |
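Review bot: The new `[!TIP]` under the introduction and the sentence added under "The setup and configuration process" both tell setup wizard users that part of the process is already done, but only the second one names the steps ("steps 1-3, and possibly step 4"). State this once. Either put the step numbers in the tip and drop the second sentence, or have the tip point to the diagram section, so the two passages cannot drift apart.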
security Mdb Simplified Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-simplified-configuration.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# The simplified configuration process in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
Microsoft Defender for Business features a simplified configuration process, designed especially for small and medium-sized businesses. This experience takes the guesswork out of onboarding and managing devices, with a wizard-like experience and default policies that are designed to protect your company's devices from day one. **We recommend using the simplified configuration process; however, you're not limited to this option**.
When it comes to onboarding devices and configuring security settings for your c
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Review your setup and configuration options The following table describes each experience:
-<br/><br/>
| Portal experience | Description | |||
Defender for Business is designed to provide strong protection while saving you
## Next steps - [Set up and configure Microsoft Defender for Business](mdb-setup-configuration.md)- - [Get started using Microsoft Defender for Business](mdb-get-started.md)
security Mdb Tutorials https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-tutorials.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
If you've just finished setting up Microsoft Defender for Business, you might be
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Try these preview scenarios
-The following table summarizes several scenarios to try with Defender for Business.
-<br/><br/>
-
+The following table summarizes several scenarios to try with Defender for Business:
| Scenario | Description | |||
-| Onboard devices using a local script <br/>(*not for production deployment*) | In Defender for Business, you can onboard up to ten Windows 10 and 11 devices using a script that you download and run on each device. Suitable for evaluating how Defender for Business will work in your environment, the script creates a trust with Azure Active Directory (Azure AD) and enrolls the device with Microsoft Intune. To learn more, see [Local script in Defender for Business](mdb-onboard-devices.md#local-script-in-defender-for-business). |
+| Onboard devices using a local script <br/>(*not for production deployment*) | In Defender for Business, you can onboard up to ten Windows 10 and 11 devices using a script that you download and run on each device. Suitable for evaluating how Defender for Business will work in your environment, the script creates a trust with Azure Active Directory (Azure AD) and enrolls the device with Microsoft Intune. To learn more, see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md). |
| Onboard devices using Microsoft Intune | If you were already using Microsoft Intune before getting Defender for Endpoint, you can continue to use Microsoft Intune to onboard devices. Try onboarding macOS, iOS, and Android devices with Microsoft Intune. To learn more, see [Device enrollment in Microsoft Intune](/mem/intune/enrollment/device-enrollment). | | Edit security policies | If you're managing your security policies in Defender for Business, use the **Device configuration** page to view and edit your policies. To learn more, see [View or edit policies in Microsoft Defender for Business](mdb-view-edit-policies.md). | | Execute a simulated attack | Several tutorials and simulations are available in Defender for Business. These tutorials and simulations are designed to show you firsthand how the threat protection features of Defender for Business can work for your company. To try one or more of the tutorials, see [Recommended tutorials for Microsoft Defender for Business](#recommended-tutorials-for-defender-for-business). |
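Review bot: In the "Onboard devices using a local script" row, the new link target `mdb-onboard-devices.md` drops the `#local-script-in-defender-for-business` anchor and the link text becomes the article title, so a reader following this scenario now lands at the top of the onboarding article instead of the local script instructions. If the section was only renamed, link to its new anchor. Separately, the unchanged Intune row still reads "before getting Defender for Endpoint" in an article about Defender for Business, which is worth correcting in the same pass.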
The following table summarizes several scenarios to try with Defender for Busine
## Recommended tutorials for Defender for Business The following table describes the recommended tutorials for Defender for Business customers:
-<br/><br/>
- | Tutorial | Description | |||
Each tutorial includes a walkthrough document that explains the scenario, how it
## Next steps - [Manage devices in Microsoft Defender for Business](mdb-manage-devices.md)- - [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)- - [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)- - [Review remediation actions in the Action center](mdb-review-remediation-actions.md)
security Mdb Use Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-use-wizard.md
audience: Admin Previously updated : 04/08/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Use the setup wizard in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
-
-Microsoft Defender for Business was designed to save small and medium-sized businesses time and effort with a wizard-like experience for initial setup and configuration. The setup wizard guides you through granting access to your security team, setting up email notifications for your security team, and onboarding your company's Windows devices.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
+Microsoft Defender for Business was designed to save small and medium-sized businesses time and effort. For example, you can do initial setup and configuration with a setup wizard. The setup wizard guides you through granting access to your security team, setting up email notifications for your security team, and onboarding your company's Windows devices.
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
>
-## Overview of the setup wizard
+## How to start the setup wizard
+
+The setup wizard is designed to run the first time someone in your company signs into the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
+
+If your company has been using Microsoft 365 Business Premium, the Defender for Business setup wizard will run the first time someone goes to **Endpoints** > **Device inventory**.
+
+The setup wizard start screen looks like the following image:
++
+## The setup wizard flow
> [!IMPORTANT]
-> Before you begin, make sure that you have already added users to your Microsoft 365 subscription. To get help with this task, see [Add users and assign licenses at the same time](../../admin/add-users/add-users.md).
+> You must be a global administrator to run the setup wizard. The person who signed up your company for Microsoft 365 or for Microsoft Defender for Business is a global administrator by default.
-The wizard is designed to help you set up and configure Defender for Business quickly and efficiently. The wizard walks you through the following steps:
+The setup wizard is designed to help you set up and configure Defender for Business quickly and efficiently. The wizard walks you through the following steps:
1. **Assign user permissions**. In this step, you grant your security team access to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). This portal is where you and your security team will manage your security capabilities, view alerts, and take any needed actions on detected threats. Portal access is granted through roles that imply certain permissions.
- In Defender for Business, members of your security team can be assigned one of three roles:<br/>
+ In Defender for Business, members of your security team can be assigned one of the following three roles:<br/>
- - **Global Admin**: A global admin can view and edit all settings across your Microsoft 365 tenant. The global admin does the initial setup and configuration for your company's Microsoft 365 subscription.
- - **Security Administrator**: A security administrator can view and edit security settings, and take action when threats are detected.
- - **Security Reader**: A security reader can view information in reports, but cannot change any security settings.
-
- [Learn more about roles and permissions](mdb-roles-permissions.md).
+ - **Global Admin**: A global admin can view and edit all settings across your Microsoft 365 tenant. The global admin does the initial setup and configuration for your company's Microsoft 365 subscription.
+ - **Security Administrator**: A security administrator can view and edit security settings, and take action when threats are detected.
+ - **Security Reader**: A security reader can view information in reports, but cannot change any security settings.
-2. **Set up email notifications**. In this step, you can set up email notifications for your security team. Then, when an alert is generated or a new vulnerability is discovered, your security team will not about it even if they're away from their desk.
+ [Learn more about roles and permissions](mdb-roles-permissions.md).
- [Learn more about email notifications](mdb-email-notifications.md).
+2. **Set up email notifications**. In this step, you can set up email notifications for your security team. Then, when an alert is generated or a new vulnerability is discovered, your security team will not about it even if they're away from their desk. [Learn more about email notifications](mdb-email-notifications.md).
3. **Onboard and configure Windows devices**. In this step, you can onboard your company's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one.
- - **If you're already using Microsoft Endpoint Manager** (which includes Microsoft Intune), and your company has devices enrolled in Endpoint Manager, you'll be asked whether you want to use [automatic onboarding](mdb-onboard-devices.md#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager) for some or all of your enrolled Windows devices. Automatic onboarding sets up a connection between Endpoint Manager and Defender for Business, and then onboards Windows devices to Defender for Business seamlessly.
- - **If you're not already using Endpoint Manager**, you can [onboard devices to Defender for Business by using a local script](mdb-onboard-devices.md#local-script-in-defender-for-business).
+ - **If you're already using Microsoft Endpoint Manager** (which includes Microsoft Intune), and your company has devices enrolled in Endpoint Manager, you'll be asked whether you want to use [automatic onboarding](#what-is-automatic-onboarding) for some or all of your enrolled Windows devices. Automatic onboarding sets up a connection between Endpoint Manager and Defender for Business, and then onboards Windows devices to Defender for Business seamlessly.
+ - **If you're not already using Endpoint Manager**, you can [onboard devices to Defender for Business](mdb-onboard-devices.md).
- See [Learn more about onboarding devices to Microsoft Defender for Business](mdb-onboard-devices.md).
+ [Learn more about onboarding devices to Microsoft Defender for Business](mdb-onboard-devices.md).
4. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can also create your own security policies. And, if you're already using Endpoint Manager, you can continue using that to manage your security policies.
- To learn more, see [View and edit your security policies and settings](mdb-configure-security-settings.md). |
+ [View and edit your security policies and settings](mdb-configure-security-settings.md).
+
+## What is automatic onboarding?
+
+Automatic onboarding is a simplified way to onboard Windows devices to Defender for Business. Automatic onboarding is only available for Windows devices that are already enrolled in Microsoft Endpoint Manager (or Microsoft Intune).
+
+While you are using the setup wizard, the system will detect whether Windows devices are already enrolled in Endpoint Manager. You'll be asked if you want to use automatic onboarding for all or some of those devices. You can onboard all Windows devices at once, or select specific devices to start with, and then add more devices later.
+
+To onboard other devices, see [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).
+
+> [!TIP]
+> - We recommend selecting the "all devices enrolled" option. That way, when Windows devices are enrolled in Endpoint Manager later on, they'll be onboarded to Defender for Business automatically.
+> - If you've been managing security policies and settings in Endpoint Manager, we recommend switching to the Microsoft 365 Defender portal to manage your devices, policies, and settings. To learn more, see [Choose where to manage security policies and devices](mdb-configure-security-settings.md#choose-where-to-manage-security-policies-and-devices).
## What happens if I don't use the wizard?
-Using the setup wizard is optional. If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own. See [Set up and configure Microsoft Defender for Business](mdb-setup-configuration.md) to walk through these steps:
+Using the setup wizard is optional. If you choose not to use the wizard, or if the wizard is closed before your setup process is complete, you can complete the setup and configuration process on your own.
+
+See [Set up and configure Microsoft Defender for Business](mdb-setup-configuration.md) to walk through these steps:
1. **[Assign roles and permissions](mdb-roles-permissions.md)** so your security team can access and use the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
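Review bot: Step 2 of the wizard flow still reads "your security team will not about it" in the added line. The typo was carried over from the removed line when the link was folded into the paragraph, and presumably should read "will know about it". Separately, step 1 lists Global Admin next to Security Administrator and Security Reader as a role for security team members with no guidance on which to choose. Since the new [!IMPORTANT] note already restricts the wizard itself to global administrators, a sentence steering readers to the narrowest role that fits each person's job would be a useful addition.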
Using the setup wizard is optional. If you choose not to use the wizard, or if t
## Next steps -- [Set up email notifications for your security team](mdb-email-notifications.md)--- [Get started using the Microsoft 365 Defender portal](mdb-get-started.md)--- [Use your Threat & Vulnerability Management dashboard](mdb-view-tvm-dashboard.md)
+- [Onboard more devices to Microsoft Defender for Business](mdb-onboard-devices.md)
+- [View and edit your security policies and settings in Microsoft Defender for Business](mdb-configure-security-settings.md)
security Mdb View Edit Create Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-edit-create-policies.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# View or edit policies in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
In Microsoft Defender for Business, security settings are configured through policies that are applied to devices. To help simplify your setup and configuration experience, Defender for Business includes preconfigured policies to help protect your company's devices as soon as they are onboarded. You can use the default policies, edit policies, or create your own policies. **This article describes how to**: - [Get an overview of your default policies](#default-policies-in-defender-for-business)- - [View your existing policies](#view-your-existing-policies)- - [Edit an existing policy](#edit-an-existing-policy)- - [Create a new policy](#create-a-new-policy) > > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Default policies in Defender for Business
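Review bot: The survey anchor in the "Got a minute?" block is raw HTML with `target="_blank"` and no `rel` attribute. Add `rel="noopener noreferrer"` or switch to a Markdown link so the opened page gets no handle on the docs tab. The link text now says "short survey about security" while the form URL is unchanged, so confirm the survey is no longer specific to Defender for Business.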
In Microsoft Defender for Business, security settings are configured through pol
In Defender for Business, there are two main types of policies to protect your company's devices: - **Next-generation protection policies**, which determine how Microsoft Defender Antivirus and other threat protection features are configured- - **Firewall policies**, which determine what network traffic is permitted to flow to and from your company's devices
In Defender for Business, there are two main types of policies to protect your c
Choose one or more of the following tasks: - [Manage devices](mdb-manage-devices.md)- - [Create a new policy in Microsoft Defender for Business](mdb-create-new-policy.md)- - [View and manage incidents in Microsoft Defender for Business](mdb-view-manage-incidents.md)- - [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)- - [Review remediation actions in the Action center](mdb-review-remediation-actions.md)
security Mdb View Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-manage-incidents.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# View and manage incidents in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft 365 Defender portal. **This article includes**: - [How to monitor your incidents and alerts](#monitor-your-incidents--alerts)- - [Alert severity](#alert-severity)- - [Next steps](#next-steps) > > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Monitor your incidents & alerts
As threats are detected and alerts are triggered, incidents are created. Your co
## Alert severity When Microsoft Defender Antivirus assigns an alert severity based on the absolute severity of a detected threat (malware) and the potential risk to an individual endpoint (if infected).
-Microsoft Defender for Business assigns an alert severity based on the severity of the detected behavior, the actual risk to an endpoint (device), and more importantly, the potential risk to your company. The following table lists a few examples: <br/><br/>
+Microsoft Defender for Business assigns an alert severity based on the severity of the detected behavior, the actual risk to an endpoint (device), and more importantly, the potential risk to your company. The following table lists a few examples:
| Scenario | Alert severity | Reason | |:|:|:|
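Review bot: The context sentence under "## Alert severity" begins "When Microsoft Defender Antivirus assigns an alert severity based on ..." and never completes the clause. This change edits the very next sentence, so drop the leading "When" here too, so that the Antivirus and Defender for Business descriptions read as a matched pair.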
Microsoft Defender for Business assigns an alert severity based on the severity
## Next steps - [Respond to and mitigate threats in Microsoft Defender for Business](mdb-respond-mitigate-threats.md)- - [Review remediation actions in the Action center](mdb-review-remediation-actions.md)- - [View or edit device policies in Microsoft Defender for Business](mdb-view-edit-policies.md)
security Mdb View Tvm Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-tvm-dashboard.md
audience: Admin Previously updated : 03/15/2022 Last updated : 04/12/2022 ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium
# Use your Threat & Vulnerability Management dashboard in Microsoft Defender for Business
-> [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
->
-> Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
+> [!NOTE]
+> Microsoft Defender for Business is now included in [Microsoft 365 Business Premium](../../business-premium/index.md).
Microsoft Defender for Business includes a Threat & Vulnerability Management dashboard that is designed to save your security team time and effort. In addition to providing an exposure score, you can also view information about exposed devices and security recommendations. You can use your Threat & Vulnerability Management dashboard to: - View your exposure score, which is associated with devices in your company- - View your top security recommendations, such as addressing impaired communications with devices, turning on firewall protection, or updating Microsoft Defender Antivirus definitions- - View remediation activities, such as any files that were sent to quarantine, or vulnerabilities found on devices Want to see how it works? Watch this video, which describes Threat & Vulnerability Management in [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md).
To learn more about Threat & Vulnerability Management, see [Threat and vulnerabi
> > **Got a minute?**
-> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about Microsoft Defender for Business</a>. We'd love to hear from you!
+> Please take our <a href="https://microsoft.qualtrics.com/jfe/form/SV_0JPjTPHGEWTQr4y" target="_blank">short survey about security</a>. We'd love to hear from you!
> ## Next steps - [Tutorials and simulations in Microsoft Defender for Business](mdb-tutorials.md)- - [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md)- - [View or edit policies in Microsoft Defender for Business](mdb-view-edit-create-policies.md)
security Deployment Rings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-rings.md
The deployment rings can be applied in the following scenarios:
## New deployments A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria is met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they are satisfied before moving on to the next ring.
Table 1 provides an example of the deployment rings you might use.
**Table 1**:
-<br>
-
-****
- |Deployment ring|Description| ||| |Evaluate|Ring 1: Identify 50 systems for pilot testing| |Pilot|Ring 2: Identify the next 50-100 endpoints in production environment| |Full deployment|Ring 3: Roll out service to the rest of environment in larger increments|
-|
### Exit criteria
Microsoft Defender for Endpoint supports a variety of endpoints that you can onb
The following table shows the supported endpoints and the corresponding tool you can use to onboard devices to the service.
-| Endpoint | Deployment tool |
-|--||
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.<br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Microsoft Defender for Cloud](configure-server-endpoints.md#integration-with-microsoft-defender-for-cloud) |
-| **macOS** | [Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
-| **iOS** | [Microsoft Endpoint Manager](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
+|Endpoint|Deployment tool|
+|||
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.<br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Microsoft Defender for Cloud](configure-server-endpoints.md#integration-with-microsoft-defender-for-cloud)|
+|**macOS**|[Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)|
+|**Linux Server**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
+|**iOS**|[Microsoft Endpoint Manager](ios-install.md)|
+|**Android**|[Microsoft Endpoint Manager](android-intune.md)|
### Full deployment
At this stage, you can use the [Plan deployment](deployment-strategy.md) materia
Use the following material to select the appropriate Microsoft Defender for Endpoint architecture that best suites your organization.
-|**Item**|**Description**|
-|:--|:--|
-|[:::image type="content" source="images/mde-deployment-strategy.png" alt-text="The strategy for Microsoft Defender for Endpoint deployment" lightbox="images/mde-deployment-strategy.png":::](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li></ul>
+|Item|Description|
+|||
+|[:::image type="content" source="images/mde-deployment-strategy.png" alt-text="The strategy for Microsoft Defender for Endpoint deployment." lightbox="images/mde-deployment-strategy.png":::](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/security/defender-endpoint/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.pdf) \| [Visio](https://download.microsoft.com/download/5/6/0/5609001f-b8ae-412f-89eb-643976f6b79c/mde-deployment-strategy.vsdx)|The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li></ul>|
## Existing deployments
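Review bot: In the added architecture row, the image hyperlink targets `downloads/mdatp-deployment-strategy.pdf` in the GitHub repo, while the PDF link beside it targets `mde-deployment-strategy.pdf` on download.microsoft.com. Point both at the same file so readers cannot end up with two different copies. While this table is being touched, the intro line above it still says "best suites your organization" (should be "suits"), and "On-premise" in the list would read better as "On-premises".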
With macOS and Linux, you could take a couple of systems and run in the Beta cha
The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in Beta are the first ones to receive updates and new features, followed later by Preview and lastly by Current. - In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either Beta or Preview.
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
ms.technology: mde Previously updated : 03/16/2022 Last updated : 04/14/2022 - M365-security-compliance - m365initiative-defender-endpoint
The table in this section summarizes the features and capabilities that are acti
> [!IMPORTANT] > The following table is designed to be informational only. **Do not turn off capabilities**, such as real-time protection, cloud-delivered protection, or limited periodic scanning if you are using Microsoft Defender Antivirus in passive mode, or if you are using [EDR in block mode](edr-in-block-mode.md), which works behind the scenes to detect and remediate malicious artifacts that were detected post-breach.
- | Protection | Microsoft Defender Antivirus <br/>(*Active mode*) | Microsoft Defender Antivirus <br/>(*Passive mode*) | Microsoft Defender Antivirus <br/>(*Disabled or uninstalled*) | [EDR in block mode](edr-in-block-mode.md) |
- |:|:|:|:|:|
- | [Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) | Yes | See note <sup>[[4](#fn4)]</sup> | No | No |
- | [Cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) | Yes | No | No | No |
- | [Network protection](network-protection.md) | Yes | No | No | No |
- | [Attack surface reduction rules](attack-surface-reduction.md) | Yes | No | No | No |
- | [Limited periodic scanning availability](limited-periodic-scanning-microsoft-defender-antivirus.md) | No | No | Yes | No |
- | [File scanning and detection information](review-scan-results-microsoft-defender-antivirus.md) | Yes | Yes<sup>[[5](#fn5)]</sup> | No | Yes |
- | [Threat remediation](configure-remediation-microsoft-defender-antivirus.md) | Yes | See note <sup>[[6](#fn6)]</sup> | No | Yes |
- | [Security intelligence updates](manage-updates-baselines-microsoft-defender-antivirus.md) | Yes | Yes | No | Yes |
+| Protection | Microsoft Defender Antivirus <br/>(*Active mode*) | Microsoft Defender Antivirus <br/>(*Passive mode*) | Microsoft Defender Antivirus <br/>(*Disabled or uninstalled*) | [EDR in block mode](edr-in-block-mode.md) |
+|:|:|:|:|:|
+| [Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) | Yes | See note <sup>[[4](#fn4)]</sup> | No | No |
+| [Cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) | Yes | No | No | No |
+| [Network protection](network-protection.md) | Yes | No | No | No |
+| [Attack surface reduction rules](attack-surface-reduction.md) | Yes | No | No | No |
+| [Limited periodic scanning availability](limited-periodic-scanning-microsoft-defender-antivirus.md) | No | No | Yes | No |
+| [File scanning and detection information](review-scan-results-microsoft-defender-antivirus.md) | Yes | Yes<sup>[[5](#fn5)]</sup> | No | Yes |
+| [Threat remediation](configure-remediation-microsoft-defender-antivirus.md) | Yes | See note <sup>[[6](#fn6)]</sup> | No | Yes |
+| [Security intelligence updates](manage-updates-baselines-microsoft-defender-antivirus.md) | Yes | Yes <sup>[[7](#fn7)]</sup> | No | Yes <sup>[[7](#fn7)]</sup> |
+| [Data Loss Prevention](../../compliance/endpoint-dlp-learn-about.md) | Yes | Yes | No | No |
+| [Controlled folder access](controlled-folders.md) | Yes |No | No | No |
+| [Web content filtering](web-content-filtering.md) | Yes | See note <sup>[[8](#fn8)]</sup> | No | No |
+| [Device control](device-control-report.md) | Yes | Yes | No | No |
+| [PUA protection](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) | Yes | No | No | No |
(<a id="fn4">4</a>) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
The table in this section summarizes the features and capabilities that are acti
(<a id="fn6">6</a>) When Microsoft Defender Antivirus is in passive mode, it does not remediate threats. However, threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md). In this case, you might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
+(<a id="fn7">7</a>) The security intelligence update cadence is controlled by Windows Update settings only. Defender-specific update schedulers (daily/weekly at specific time, interval-based) settings only work when Microsoft Defender Antivirus is in active mode. They are ignored in passive mode.
+
+(<a id="fn8">8</a>) When Microsoft Defender Antivirus is in passive mode, web content filtering only works with the Microsoft Edge browser.
+ > [!NOTE] > [Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode.
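Review bot: Footnote 7 is attached to both the Passive mode and the EDR in block mode cells of the "Security intelligence updates" row, but its text only covers passive mode. Its first sentence ("The security intelligence update cadence is controlled by Windows Update settings only.") also has no qualifier, so it reads as true for active mode as well. Suggest opening with "When Microsoft Defender Antivirus is in passive mode, ..." as footnotes 6 and 8 do, stating explicitly whether the same holds under EDR in block mode, and tightening "schedulers (...) settings" to "scheduler settings".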
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Defender for Endpoint uses the following combination of technology built into Wi
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4vnC4?rel=0] > [!TIP]
->
> - Learn about the latest enhancements in Defender for Endpoint: [What's new in Microsoft Defender for Endpoint](whats-new-in-microsoft-defender-endpoint.md). > - Microsoft Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +
+>[!IMPORTANT]
+>The capabilities on non-Windows platforms may be different from the ones for Windows. For more information on what capabilities are available for non-Windows platforms, see [Microsoft Defender for Endpoint for non-Windows platforms](/security/defender-endpoint/non-windows).
+ <a name="tvm"></a> **[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)**
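Review bot: The link in the added [!IMPORTANT] block uses the site-absolute path `/security/defender-endpoint/non-windows`, while the other article links visible in this file are relative `.md` links. Please check that it resolves, and prefer a relative link if the target article sits alongside this one. Minor: `>[!IMPORTANT]` has no space after `>`, unlike the `> [!TIP]` block just above it.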
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
Response actions run along the top of a specific device page and include:
[![Image of response actions.](images/response-actions.png)](images/response-actions.png#lightbox)
+> [!IMPORTANT]
+> [Microsoft Defender for Business](../defender-business/mdb-overview.md) includes the following manual response actions:
+> - Run antivirus scan
+> - Isolate device
+> - Stop and quarantine a file
+> - Add an indicator to block or allow a file
+
+> Your subscription must include Defender for Endpoint Plan 2 to have all of the response actions described in this article.
You can find device pages from any of the following views:
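Review bot: The bare `+` line after the bullet list ends the [!IMPORTANT] block, so "Your subscription must include Defender for Endpoint Plan 2 ..." renders as a separate plain blockquote instead of as part of the alert. Use a `>` line in place of the blank one to keep the Plan 2 requirement inside the callout, next to the list of actions that Defender for Business does include.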
security M365d Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-remediation-actions.md
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:**+ - Microsoft 365 Defender
-During and after an automated investigation in Microsoft 365 Defender, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on email content. Automated investigations complete after remediation actions are taken, approved, or rejected.
+During and after an automated investigation in Microsoft 365 Defender, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on identities, accounts and email content. Automated investigations complete after remediation actions are taken, approved, or rejected.
> [!IMPORTANT]
-> Whether remediation actions are taken automatically or only upon approval depends on certain settings, such as how automation levels. To learn more, see the following articles:
+> Whether remediation actions are taken automatically or only upon approval depends on certain settings, such as automation levels. To learn more, see the following articles:
+>
> - [Configure your automated investigation and response capabilities in Microsoft 365 Defender](m365d-configure-auto-investigation-response.md)
+> - [Configure action accounts in Microsoft Defender for Identity](/defender-for-identity/manage-action-accounts)
> - [How threats are remediated on devices](../defender-endpoint/automated-investigations.md) > - [Threats and remediation actions on email & collaboration content](../office-365-security/air-remediation-actions.md#threats-and-remediation-actions)
-The following table summarizes remediation actions that are currently supported in Microsoft 365 Defender.
+The following table summarizes remediation actions that are currently supported in Microsoft 365 Defender.
-|Device (endpoint) remediation actions |Email remediation actions |
-|:|:|
-|- Collect investigation package <br/>- Isolate device (this action can be undone)<br/>- Offboard machine <br/>- Release code execution <br/>- Release from quarantine <br/>- Request sample <br/>- Restrict code execution (this action can be undone) <br/>- Run antivirus scan <br/>- Stop and quarantine |- Block URL (time-of-click)<br/>- Soft delete email messages or clusters<br/>- Quarantine email<br/>- Quarantine an email attachment<br/>- Turn off external mail forwarding |
+|Device (endpoint) remediation actions |Email remediation actions |Users (accounts) |
+|:|:|-|
+|- Collect investigation package <br/>- Isolate device (this action can be undone)<br/>- Offboard machine <br/>- Release code execution <br/>- Release from quarantine <br/>- Request sample <br/>- Restrict code execution (this action can be undone) <br/>- Run antivirus scan <br/>- Stop and quarantine |- Block URL (time-of-click)<br/>- Soft delete email messages or clusters<br/>- Quarantine email<br/>- Quarantine an email attachment<br/>- Turn off external mail forwarding |- Disable user<br />- Reset user password<br />- Confirm user as compromised |
Remediation actions, whether pending approval or already complete, can be viewed in the [Action center](m365d-action-center.md).
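Review bot: The separator row for the new third column (`|:|:|-|`) omits the `:` alignment marker that the two existing columns have, and the new cells use `<br />` where the existing cells use `<br/>`; match the existing markers so the table source stays uniform. The new header "Users (accounts)" also drops the "remediation actions" suffix that the device and email headers carry; "User (account) remediation actions" would keep the three headings parallel.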
The following table lists possible verdicts and outcomes:
| Verdict | Affected entities | Outcomes| |||| | Malicious | Devices (endpoints) | Remediation actions are taken automatically (assuming your organization's [device groups](m365d-configure-auto-investigation-response.md#review-or-change-the-automation-level-for-device-groups) are set to **Full - remediate threats automatically**)|
+| Compromised | Users | Remediation actions are taken automatically |
| Malicious | Email content (URLs or attachments) | Recommended remediation actions are pending approval| | Suspicious | Devices or email content | Recommended remediation actions are pending approval| | No threats found | Devices or email content | No remediation actions are needed| - ## Remediation actions that are taken manually In addition to remediation actions that follow automated investigations, your security operations team can take certain remediation actions manually. These include the following: - Manual device action, such as device isolation or file quarantine-- Manual email action, such as soft-deleting email messages -- [Advanced hunting](../defender-endpoint/advanced-hunting-overview.md) action on devices or email
+- Manual email action, such as soft-deleting email messages
+- Manual user action, such as disable user or reset user password
+- [Advanced hunting](../defender-endpoint/advanced-hunting-overview.md) action on devices, users, or email
- [Explorer](../office-365-security/threat-explorer.md) action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email - Manual [live response](/windows/security/threat-protection/microsoft-defender-atp/live-response) action, such as deleting a file, stopping a process, and removing a scheduled task - Live response action with [Microsoft Defender for Endpoint APIs](../defender-endpoint/management-apis.md#microsoft-defender-for-endpoint-apis), such as isolating a device, running an antivirus scan, and getting information about a file
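Review bot: The added verdict row `| Compromised | Users | Remediation actions are taken automatically |` states automatic remediation with no condition, while the Malicious/Devices row above it qualifies the same outcome with the device group automation level, and the note added at the top of this change says that automatic versus approval-based remediation depends on settings such as automation levels. State the condition for user remediation in this row, or point to the action accounts article linked in that note. In the manual actions list, "such as disable user or reset user password" should read "such as disabling a user or resetting a user password" to match the gerund form of the neighboring bullets.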
security Configure Anti Malware Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-malware-policies.md
Creating a custom anti-malware policy in the Microsoft 365 Defender portal creat
When you're finished, click **Next**. 4. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
- - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
- - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
- **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization. Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
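Review bot: In the new **Groups** sub-bullets, the first item says "Members of the specified distribution groups or mail-enabled security groups" but the second says only "The specified Microsoft 365 Groups", so a reader cannot tell whether the policy applies to the members of a Microsoft 365 Group in the same way. If the behavior is the same, use parallel wording; if it differs, say how. The identical wording is added to the other policy articles in this update, so fix it once and carry the correction through all of them.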
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
When you're finished, click **Next**. 4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
- - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
- - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
- **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization. Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
When you're finished, click **Next**. 4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
- - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
- - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
- **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization. Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
security Configure The Outbound Spam Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy.md
Creating a custom outbound spam policy in the Microsoft 365 Defender portal crea
When you're finished, click **Next**.
-4. On the **Users, groups, and domains** page that appears, identify the internal senders that the policy applies to (sender conditions):
- - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
- - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+4. On the **Users, groups, and domains** page that appears, identify the internal senders that the policy applies to (recipient conditions):
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
- **Domains**: All senders in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization. Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
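Review bot: The rewritten step 4 reads "identify the internal senders that the policy applies to (recipient conditions)", which contradicts itself: the removed line said "(sender conditions)" and the unchanged **Domains** bullet still says "All senders". The parenthetical looks carried over from the inbound policy articles that receive the same Users/Groups edit; restore "(sender conditions)" here.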
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
When you're finished, click **Next**. 4. On the **Users, groups, and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
- - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
- - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
- **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization. Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
security Manage Tenant Blocks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-blocks.md
ms.prod: m365-security
4. When you're finished, click **Add**. > [!NOTE]
-> The emails from these senders will be blocked as *spam*.
+> The emails from these senders will be blocked as *high confidence spam (SCL = 9)*.
### Create block URL entries in the Tenant Allow/Block List
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
A profile determines the level of protection. The following profiles are availab
- **Standard protection**: A baseline protection profile that's suitable for most users. - **Strict protection**: A more aggressive protection profile for selected users (high value targets or priority users).
- for **Standard protection** and **Strict protection**, you use rules with conditions and exceptions that determine who the profiles are or are not applied to.
+ for **Standard protection** and **Strict protection**, you use rules with conditions and exceptions to determine the internal recipients that the policy applies to (recipient conditions).
The available conditions and exceptions are:
- - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
- - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
- **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization. You can only use a condition or exception once, but you can specify multiple values for the condition or exception. Multiple values of the same condition or exception use OR logic (for example, _\<recipient1\>_ or _\<recipient2\>_). Different conditions or exceptions use AND logic (for example, _\<recipient1\>_ and _\<member of group 1\>_).
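Review bot: The replacement sentence says the rules "determine the internal recipients that the policy applies to (recipient conditions)", but the removed wording covered who the profiles "are or are not applied to" and the next line still introduces "conditions and exceptions", so the "(recipient conditions)" label leaves exceptions unaccounted for and "the policy" no longer matches the "profiles" this passage describes. Keep "profile" as the noun and name both conditions and exceptions in the sentence. The sentence also still opens with a lowercase "for", which this edit could correct while the line is being touched.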
security Set Up Safe Attachments Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-attachments-policies.md
Creating a custom Safe Attachments policy in the Microsoft 365 Defender portal c
When you're finished, click **Next**. 4. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
- - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
- - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
- **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization. Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
security Set Up Safe Links Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-links-policies.md
Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates
When you're finished, click **Next**. 4. On the **Users and domains** page that appears, identify the internal recipients that the policy applies to (recipient conditions):
- - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
- - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
- **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization. Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
security Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer.md
Learn more by watching [this video](https://www.youtube.com/watch?v=UoVzN0lYbfY&
We've focused on platform and data-quality improvements to increase data accuracy and consistency for email records. Improvements include consolidation of pre-delivery and post-delivery information, such as actions executed on an email as part of the ZAP process, into a single record. Additional details like spam verdict, entity-level threats (for example, which URL was malicious), and latest delivery locations are also included.
-After these updates, you'll see a single entry for each message, regardless of the different post-delivery events that affect the message. Actions can include ZAP, manual remediation (which means admin action), dynamic delivery, and so on.
+After these updates, you'll see a single entry for each message, regardless of the different post-delivery events that affect the message. Actions can include ZAP, manual remediation (which means admin action), [Dynamic Delivery](safe-attachments.md#dynamic-delivery-in-safe-attachments-policies), and so on.
In addition to showing malware and phishing threats, you see the spam verdict associated with an email. Within the email, see all the threats associated with the email along with the corresponding detection technologies. An email can have zero, one, or multiple threats. You'll see the current threats in the **Details** section of the email flyout. For multiple threats (such as malware and phishing), the **Detection tech** field shows the threat-detection mapping, which is the detection technology that identified the threat.
You can now see the specific threat for a URL on the email flyout **Details** ta
Timeline view identifies all delivery and post-delivery events. It includes information about the threat identified at that point of time for a subset of these events. Timeline view also provides information about any additional action taken (such as ZAP or manual remediation), along with the result of that action. Timeline view information includes: - **Source:** Source of the event. It can be admin/system/user.-- **Event:** Includes top-level events like original delivery, manual remediation, ZAP, submissions, and dynamic delivery.
+- **Event:** Includes top-level events like original delivery, manual remediation, ZAP, submissions, and Dynamic Delivery.
- **Action:** The specific action that was taken either as part of ZAP or admin action (for example, soft delete). - **Threats:** Covers the threats (malware, phish, spam) identified at that point of time. - **Result/Details:** More information about the result of the action, such as whether it was performed as part of ZAP/admin action.
Currently, we surface delivery location in the email grid and email flyout. The
### Additional actions
-*Additional actions* were applied after delivery of the email. They can include *ZAP*, *manual remediation* (action taken by an Admin such as soft delete), *dynamic delivery*, and *reprocessed* (for an email that was retroactively detected as good).
+*Additional actions* were applied after delivery of the email. They can include *ZAP*, *manual remediation* (action taken by an Admin such as soft delete), *Dynamic Delivery*, and *reprocessed* (for an email that was retroactively detected as good).
> [!NOTE] > As part of the pending changes, the "Removed by ZAP" value currently surfaced in the Delivery Action filter is going away. You'll have a way to search for all email with the ZAP attempt through **Additional actions**.
security Try Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md
When you evaluate Defender for Office 365, the policies that control protection
3. In the **Select the users you want to include** dialog, configure the following settings: - **All users**: This is the default and recommended option.
- - **Select users**: If you select this option, you need to select who the evaluation applies to:
- - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
- - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
- - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
+ - **Select users**: If you select this option, you need to select the internal recipients that the evaluation applies to:
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
+ - **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization.
Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
When you evaluate Defender for Office 365, the policies that control protection
3. In the **Select the users you want to include** dialog, configure the following settings: - **All users**: This is the default and recommended option.
- - **Select users**: If you select this option, you need to select who the evaluation applies to:
- - **Users**: The specified mailboxes, mail users, or mail contacts in your organization.
- - **Groups**: The specified distribution groups, mail-enabled security groups, or Microsoft 365 Groups in your organization.
+ - **Select users**: If you select this option, you need to select the internal recipients that the evaluation applies to:
+ - **Users**: The specified mailboxes, mail users, or mail contacts.
+ - **Groups**:
+ - Members of the specified distribution groups or mail-enabled security groups.
+ - The specified Microsoft 365 Groups.
- **Domains**: All recipients in the specified [accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains) in your organization. Click in the appropriate box, start typing a value, and select the value that you want from the results. Repeat this process as many times as necessary. To remove an existing value, click remove ![Remove icon.](../../media/m365-cc-sc-remove-selection-icon.png) next to the value.
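Review bot: The two occurrences of this step are not edited the same way: the first removes and re-adds the **Domains** bullet together with Users and Groups, while the second leaves **Domains** as unchanged context. Because Users and Groups are rewritten in both, check that the untouched **Domains** bullet in the second occurrence still renders at the same nesting level under **Select users** as its siblings, and apply the same Domains edit there if it does not.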