Updates from: 04/16/2021 03:19:43
Category Microsoft Docs article Related commit history on GitHub Change details
admin Microsoft365 Apps Usage Ww https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft365-apps-usage-ww.md
The Microsoft 365 **Reports** dashboard shows you the activity overview across t
> [!NOTE]
- > You must be a global administrator, global reader or reports reader in Microsoft 365 or an Exchange, SharePoint, or Skype for Business administrator to see reports. Shared computer activations are not supported in this report.
+ > You must be a global administrator, global reader or reports reader in Microsoft 365 or an Exchange, SharePoint, or Skype for Business administrator to see reports. Shared computer activations are not included in this report.
## How to get to the Microsoft 365 Apps usage report
You can get a view into your user's Microsoft 365 Apps activity by looking at th
|Item|Description| |:--|:--| |1. <br/> |The **Microsoft 365 Apps usage** report can be viewed for trends over the last 7 days, 30 days, 90 days, or 180 days. However, if you select a particular day in the report, the table (7) will show data for up to 28 days from the current date (not the date the report was generated). <br/> |
- |2. <br/> |The data in each report usually covers up to the last seven days. <br/> |
+ |2. <br/> |The data in each report usually covers up to the last two days. Every six day, we will refresh the report with minor updates to ensure data quality. <br/> |
|3. <br/> |The **Users** view shows the trend in the number of active users for each app – Outlook, Word, Excel, PowerPoint, OneNote, and Teams. "Active users" are any who perform any intentional actions within these apps. <br/> | |4. <br/> |The **Platforms** view shows the trend of active users across all apps for each platform – Windows, Mac, Web, and Mobile. <br/> | |5.<br/>|On the **Users** chart, the Y-axis is the number of unique active users for the respective app. On the **Platforms** chart, the Y-axis is the number of unique users for the respective platform. The X-axis on both charts is the date on which an app was used on a given platform.<br/>|
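Review bot: "Every six day, we will refresh the report" in the new row 2 text should read "Every six days, we refresh the report", and because the same row also says the data "usually covers up to the last two days", spell out that the six-day pass revises already-published days (if that is what is meant) so the two sentences do not read as contradicting each other. Suggested: "The data in each report usually covers up to the last two days. Every six days we refresh the report with minor updates to previously reported days to improve data quality."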
admin Delete A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/delete-a-user.md
Later when you go through the steps to add another person to your business, you'
## Delete many users at the same time
-See the [Remove-MsolUser](https://go.microsoft.com/fwlink/p/?linkid=842230) PowerShell cmdlet.
+See the [Remove-MsolUser](https://docs.microsoft.com/powershell/module/msonline/remove-msoluser) PowerShell cmdlet.
## Fix issues with deleting a user
admin Remove Former Employee https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee.md
If your organization synchronizes user accounts to Microsoft 365 from a local Ac
To learn how to delete and restore user account in Active Directory, see [Delete a User Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753730(v=ws.11)).
-If you're using Azure Active Directory, see the [Remove-MsolUser](https://go.microsoft.com/fwlink/?linkid=842230) PowerShell cmdlet.
+If you're using Azure Active Directory, see the [Remove-MsolUser](https://docs.microsoft.com/powershell/module/msonline/remove-msoluser) PowerShell cmdlet.
## What you need to know about terminating an employee's email session
admin Domain Connect https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/domain-connect.md
In the wizard, we'll just confirm that you own the domain, and then automaticall
- [Plesk](https://www.plesk.com/) - [MediaTemple](https://mediatemple.net/) - SecureServer or WildWestDomains (GoDaddy resellers using SecureServer DNS hosting)
- - [MadDog Domains](https://www.maddogdomains.com/)
+ - [MadDog Web Hosting](https://maddogwebhosting.com/domains/)
- [CheapNames](https://www.cheapnames.com) ## What happens to my email and website?
admin Centralized Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md
If you or your users encounter problems loading the add-in while using Office ap
|**Platform**|**Debug information**| |:--|:--|
-|Office <br/> | Charles/Fiddler logs <br/> Tenant ID ( [learn how](/onedrive/find-your-office-365-tenant-id.aspx)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>` <br/> |
+|Office <br/> | Charles/Fiddler logs <br/> Tenant ID ( [learn how](https://docs.microsoft.com/onedrive/find-your-office-365-tenant-id)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>` <br/> |
|Rich clients (Windows, Mac) <br/> | Charles/Fiddler logs <br/> Build numbers of the client app (preferably as a screenshot from **File/Account**) <br/> |
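Review bot: the old tenant ID link only needed its stale `.aspx` suffix dropped; `/onedrive/find-your-office-365-tenant-id` keeps the root-relative form used by the other docs links in this batch (for example `/outlook/troubleshoot/...` and `/powershell/exchange/...`) instead of hard-coding the docs.microsoft.com host in the replacement.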
admin Upgrade Distribution Lists https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/upgrade-distribution-lists.md
description: "Learn how to upgrade one or many distribution lists to Microsoft 3
# Upgrade distribution lists to Microsoft 365 Groups in Outlook
-You can upgrade distribution lists to Microsoft 365 Groups with Outlook. This is a great way to give your organization's distribution lists all the features and functionality of Microsoft 365 Groups. [Why you should upgrade your distribution lists to groups in Outlook](https://support.microsoft.com/office/7fb3d880-593b-4909-aafa-950dd50ce188)
+You can upgrade distribution lists to Microsoft 365 Groups in Outlook. This is a great way to give your organization's distribution lists all the features and functionality of Microsoft 365 Groups. [Why you should upgrade your distribution lists to groups in Outlook](https://support.microsoft.com/office/7fb3d880-593b-4909-aafa-950dd50ce188)
You can upgrade DLs one at a time, or several at the same time.
-## Upgrade one or many distribution lists to Microsoft 365 Groups in Outlook
+## Upgrade one or many distribution list groups to Microsoft 365 Groups in Outlook
-You must be a global admin or Exchange admin to upgrade a distribution list. To upgrade to Microsoft 365 Groups, a distribution group must have an owner with a mailbox.
+You must be a global admin or Exchange admin to upgrade a distribution list group. To upgrade to Microsoft 365 Groups, the distribution list group must have an owner with a mailbox.
-1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
+### Use the new EAC to upgrade one or many distribution list groups to Microsoft 365 Groups in Outlook
-2. In the Exchange admin center, go to **Recipients** \> **Groups**.<br/>You'll see a notice indicating you have distribution lists (also called **distribution groups** ) that are eligible to be upgraded to Microsoft 365 Groups.<br/> ![Select the Get started button](../../media/8cf838b4-2644-401f-a366-08c1eea183eb.png)
+1. Go to the new [Exchange admin center](https://admin.exchange.microsoft.com), and navigate to **Recipients** \> **Groups**.
-3. Select one or more distribution lists (also called a **distribution group** ) from the **groups** page.<br/>![Select a distribution group](../../media/2c303433-d60b-4100-a6ae-5809b03a8cdb.png)
+2. Select the distribution list group (also called a **distribution group**) that you want to upgrade to Microsoft 365 group from the **Groups** page.
+
+3. Select the **Upgrade distribution group** from the tool bar.
+
+4. In the dialog box **Ready to upgrade?**, click **Upgrade**. The process begins immediately. Depending on the size and number of distribution list groups you're upgrading, the process can take minutes or hours.
+
+> [!NOTE]
+> A banner at the top indicates the upgrade, for example, *Distribution group(s) has been upgraded. It will take 5 minutes to reflect the changes. Filter by Microsoft 365 groups to see the upgraded distrubtion groups(s)*.
+
+### Use the Classic EAC to upgrade one or many distribution list groups to Microsoft 365 Groups in Outlook
+
+1. Go to the Classic <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a>.
+
+2. In the Classic Exchange admin center, go to **Recipients** \> **Groups**.<br/>You'll see a notice indicating you have distribution lists (also called **distribution groups**) that are eligible to be upgraded to Microsoft 365 Groups.<br/> ![Select the Get started button](../../media/8cf838b4-2644-401f-a366-08c1eea183eb.png)
+
+3. Select one or more distribution lists (also called a **distribution group**) from the **groups** page.<br/>![Select a distribution group](../../media/2c303433-d60b-4100-a6ae-5809b03a8cdb.png)
4. Select the upgrade icon.<br/>![Upgrade to Microsoft 365 Groups icon](../../media/1e28cb3d-bff3-4be3-8329-1902d2d54720.png)
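Review bot: the new headings and the rewritten requirement sentence introduce the term "distribution list group", which is neither of the two names the rest of the file uses ("distribution list" and "distribution group", as in the unchanged step 3 of the Classic EAC procedure); keep "distribution list" throughout. In the added new-EAC steps, "to Microsoft 365 group" should be "to a Microsoft 365 Group", "Select the **Upgrade distribution group** from the tool bar" should drop "the" and use "toolbar", and the quoted banner in the note reads "distrubtion groups(s)" and "Distribution group(s) has been upgraded", which should be "distribution group(s)" and "have been upgraded" unless the UI string is being quoted exactly. Also, the Classic EAC subsection reintroduces the same two screenshots that were removed above it, so confirm the images still exist at those media paths.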
You must be a global admin or Exchange admin to upgrade a distribution list. To
6. If you're upgrading multiple distribution lists, use the drop-down list to filter which distribution lists have been upgraded. If the list isn't complete, wait a while longer and then select **Refresh** to see what's been successfully upgraded.<br/>There's no notice that tells you when the upgrade process has completed for all DLs you selected. You can figure this out by looking to see what's listed under **Available for upgrade** or **Upgraded DLs**.
-7. If you selected a DL for upgrade, but it's still appears on the page as Available to upgrade, then it failed to upgrade. See [What to do if the upgrade doesn't work](#what-to-do-if-the-upgrade-doesnt-work).
+7. If you selected a DL for upgrade, but it's still appeared on the page as Available to upgrade, then it failed to upgrade. See [What to do if the upgrade doesn't work](#what-to-do-if-the-upgrade-doesnt-work).
> [!NOTE] > If you're getting the groups digest emails you may notice at the bottom that it will sometimes offer to let you upgrade any eligible distribution lists that you're the owner of. See [Have a group conversation in Outlook](https://support.microsoft.com/office/a0482e24-a769-4e39-a5ba-a7c56e828b22) for more information about digest emails.
Distribution lists that fail to upgrade remain unchanged.
If one or more **eligible** distribution lists fail to be upgraded, open a [Support ticket](../contact-support-for-business-products.md). The issue will need to be escalated to the Groups Engineering team for them to figure out the problem.
-It's possible that the distribution list didn't get upgraded because of a service outage, but pretty unlikely. If you want, wait a while and then try to upgrade the DL again.
+It's possible that the distribution list didn't get upgraded because of a service outage, but unlikely. If you want, wait a while and then try to upgrade the DL again.
## How to use PowerShell to upgrade several distribution lists at the same time
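Review bot: the rewording of step 7 swaps one grammatical error for another: "it's still appears on the page" becomes "it's still appeared on the page", but the sentence needs "it still appears on the page as Available to upgrade". The change to the outage sentence ("but unlikely") is fine.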
If you're experienced at using PowerShell, you might want to go this route inste
### Upgrade a single DL
-To upgrade a single DL run the following command:
+To upgrade a single DL, run the following command:
```PowerShell Upgrade-DistributionGroup -DlIdentities \<Dl SMTP address\>`
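Review bot: the comma added to "To upgrade a single DL, run the following command:" is fine, but the command that follows sits on the same line as its opening fence and is closed with a single backtick (```PowerShell Upgrade-DistributionGroup -DlIdentities \<Dl SMTP address\>`), so it will not render as a code block; put each fence marker on its own line and drop the stray backtick. Inside a fenced block the `\<` and `\>` escapes are not processed either, so the placeholder should be written as plain `<DL SMTP address>`.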
You can only upgrade cloud-managed, simple, non-nested distribution lists. The t
|On-premises managed distribution list. <br/> |No <br/> | |Nested distribution lists. Distribution list either has child groups or is a member of another group. <br/> |No <br/> | |Distribution lists with member **RecipientTypeDetails** other than **UserMailbox**, **SharedMailbox**, **TeamMailbox**, **MailUser** <br/> |No <br/> |
-|Distribution list which has more than 100 owners <br/> |No <br/> |
-|Distribution list which only has members but no owner <br/> |No <br/> |
-|Distribution list which has alias containing special characters <br/> |No <br/> |
+|Distribution list that has more than 100 owners <br/> |No <br/> |
+|Distribution list that only has members but no owner <br/> |No <br/> |
+|Distribution list that has alias containing special characters <br/> |No <br/> |
|If the distribution list is configured to be a forwarding address for Shared Mailbox <br/> |No <br/> | |If the DL is part of **Sender Restriction** in another DL. <br/> |No <br/> | |Security groups <br/> |No <br/> | |Dynamic Distribution lists <br/> |No <br/> |
-|Distribution lists which were converted to **RoomLists** <br/> |No <br/> |
+|Distribution lists that were converted to **RoomLists** <br/> |No <br/> |
|Distribution lists where **MemberJoinRestriction** and/or **MemberDepartRestriction** is **Closed** <br/> |No <br/> | ### Check which DLs are eligible for upgrade
If you want to check which DLs are eligible for upgrade just run the following c
People with global admin or Exchange admin rights.
-### Why is the contact card still showing a distribution list? What should I do to prevent a upgraded distribution list from showing up in my auto suggest list?
+### Why is the contact card still showing a distribution list? What should I do to prevent an upgraded distribution list from showing up in my auto suggest list?
-- For Outlook: When someone tries to send an email in Outlook by typing the Microsoft 365 group name after migration, the recipient will be resolved as the distribution list instead of the group. The contact card of the recipient will be the distribution lists contact card. This is because of the recipient cache or nick name cache in Outlook. The email will be sent successfully to the group, but might cause confusion to the sender.<br/>You can perform the steps in this topic, [Information about the Outlook AutoComplete list](/outlook/troubleshoot/contacts/information-about-the-outlook-autocomplete-list) to reset the cache, which will fix this issue.
+- For Outlook: When someone tries to send an email in Outlook by typing the Microsoft 365 group name after migration, the recipient will be resolved as the distribution list instead of the group. The contact card of the recipient will be the distribution lists contact card. This is because of the recipient cache or nick name cache in Outlook. The email will be sent successfully to the group, but might cause confusion to the sender.<br/>You can perform the steps in this article, [Information about the Outlook AutoComplete list](/outlook/troubleshoot/contacts/information-about-the-outlook-autocomplete-list) to reset the cache, which will fix this issue.
- For Outlook on the web: In case of Outlook on the web, the distribution list recipient will still remain in the cache. You can follow the steps in [Remove suggested name or email address from the Auto-Complete List](https://support.microsoft.com/office/9E1419D9-E88F-445B-B07F-F558B8A37C58) to refresh the cache to see the group contact card.
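Review bot: while touching the Outlook bullet ("topic" to "article" and, in the heading, "a upgraded" to "an upgraded"), two more slips in the same sentence are worth fixing: "the distribution lists contact card" needs an apostrophe ("the distribution list's contact card"), and "nick name cache" is normally written "nickname cache". The comma before the link in "the steps in this article, [Information about the Outlook AutoComplete list]" also reads better without the comma.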
No. The setting to enable welcome messages is set to false by default. This sett
There are some cases in which though DL is eligible but could not be upgraded. The DL does not get upgraded and remains as a DL. -- Where admin has applied **Group Email Address Policy** for the groups in an organization and they try to upgrade DLs which doesn't fulfill the criteria, the DL does not get upgraded
+- Where admin has applied **Group Email Address Policy** for the groups in an organization and they try to upgrade DLs that doesn't fulfill the criteria, the DL does not get upgraded
- DLs with **MemberJoinRestriction** or **MemberDepartRestriction** set to **Closed**, could not be upgraded ### What happens to the DL if the upgrade from EAC fails?
-The upgrade will happen only when the call is submitted to the server. If the upgrade fails, your DLs will be intact. They will work like they used to.
+The upgrade will happen only when the call is submitted to the server. If the upgrade fails, your DLs will be intact. They will work like they used to.
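Review bot: "they try to upgrade DLs that doesn't fulfill the criteria" should be "DLs that don't fulfill the criteria"; the "which" to "that" swap left the verb singular. The final removed/added pair ("The upgrade will happen only when the call is submitted to the server...") is identical in both versions, so that change is whitespace only; if it is a trailing-space cleanup, fine, otherwise it is noise in the diff.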
admin Contacts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/contacts.md
Use Windows PowerShell and a CSV (Comma Separated Value) file to bulk import ext
## What if my question still hasn't been answered?
-Visit the rest of our [admin help](/microsoft-365/admin/misc/index) or give us your feedback below.
+Visit the rest of our [admin help](https://docs.microsoft.com/microsoft-365/admin/) or give us your feedback below.
admin Empower Your Small Business With Remote Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/empower-your-small-business-with-remote-work.md
For details, see [Microsoft 365 Business resources](https://docs.microsoft.com/m
## Need to ask a question?
-Ask in the [Teams forum](https://answers.microsoft.com/msteams/forum) or the [Office Admins forum](https://answers.microsoft.com/msoffice/forum/msoffice_o365Admin).
+Ask in the [Teams forum](https://answers.microsoft.com/msteams/forum) or the [Office Admins forum](https://answers.microsoft.com).
> [!NOTE] > Most of the tasks in this article and video can be accomplished with a subscription to Microsoft 365 Business Basic (formerly Office 365 Business Essentials), but some require a premium subscription. 
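Review bot: the replacement Office Admins forum link points at the answers.microsoft.com root rather than at an admin forum, so readers land on the generic community home page with no indication of where to ask. If the msoffice_o365Admin forum URL is dead, link to whatever forum now replaces it, or drop the second link and keep only the Teams forum.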
admin Upgrade Users To Latest Office Client https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/upgrade-users-to-latest-office-client.md
Switch to a subscription that includes Office. See [Switch to a different Micros
**Option 2: Buy individual, one-time purchases of Office, or buy Office through a volume license**
+ - Buy an individual, one-time purchase of Office. See [Office Home &amp; Business](https://www.microsoft.com/microsoft-365/buy/compare-all-microsoft-365-products-b) or [Office Professional](https://www.microsoft.com/microsoft-365/p/office-professional-2019/CFQ7TTC0K7C5/)
OR
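Review bot: the added bullet is indented with a leading space and its link text uses the HTML entity `&amp;` ("Office Home &amp; Business"); a plain `&` renders the same in Markdown and matches the product name. Check that the indentation matches the sibling bullets under Option 2 so the list renders as a single level rather than a nested one.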
business-video Get Started Teams Small Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/get-started-teams-small-business.md
For help with working remotely, we recommend starting with these three steps:
## 1. Get ready
-Getting started is easy. If you already have a Microsoft 365 subscription, make sure that everyone has a license that includes Microsoft Teams. If your company does not have Microsoft Teams yet, you can [find the right Microsoft Teams for your business](https://aka.ms/TeamsBusinessBasic) and sign up.
+Getting started is easy. If you already have a Microsoft 365 subscription, make sure that everyone has a license that includes Microsoft Teams. If your company does not have Microsoft Teams yet, you can [find the right Microsoft Teams for your business](https://www.microsoft.com/microsoft-teams/teams-for-work) and sign up.
### Get Microsoft Teams ready for your customers
Turn any PC, Mac, or mobile device into a working business phone by adding [Micr
## Related content
-[Empower your small business with remote work](https://docs.microsoft.com/microsoft-365/admin/misc/empower-your-small-business-with-remote-work.md) (article)
+[Empower your small business with remote work](https://docs.microsoft.com/microsoft-365/admin/misc/empower-your-small-business-with-remote-work) (article)
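Review bot: dropping the `.md` suffix from the absolute URL fixes a link that would 404 on the live site, but since empower-your-small-business-with-remote-work.md lives in this same repo (see the admin/misc entry earlier in this batch), a relative path such as `../admin/misc/empower-your-small-business-with-remote-work.md` would let the docs build validate the target instead of hard-coding the docs.microsoft.com host.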
commerce Close Your Account https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/close-your-account.md
If users are synchronized from on-premises, first turn off sync, then delete the
To delete users, see <a href="/office365/admin/add-users/delete-a-user?view=o365-worldwide#user-management-admin-delete-one-or-more-users-from-office-365">User management admin: Delete one or more users</a>.
-You can also use the <a href="https://go.microsoft.com/fwlink/?linkid=842230">Remove-MsolUser</a> PowerShell cmdlet to delete users in bulk.
+You can also use the <a href="https://docs.microsoft.com/powershell/module/msonline/remove-msoluser">Remove-MsolUser</a> PowerShell cmdlet to delete users in bulk.
If your organization uses Active Directory that synchronizes with Microsoft Azure Active Directory (Azure AD), delete the user account from Active Directory, instead. For instructions, see <a href="/azure/active-directory/users-groups-roles/users-bulk-delete">Bulk delete users in Azure Active Directory</a>.
commerce Manage Saas Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-saas-apps.md
You can manage licenses and billing for third-party apps in Microsoft 365 admin
There are a few ways to purchase third-party apps. -- **Direct purchase** ΓÇô Customers can directly purchase subscriptions from [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/), or [AppSource](https://www.appsource.com/).
+- **Direct purchase** ΓÇô Customers can directly purchase subscriptions from [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/), or [AppSource](https://appsource.microsoft.com/).
- **Partner purchase** ΓÇô Work with a partner through Partner Center to purchase subscriptions. - **Microsoft proposal** ΓÇô Respond to a proposal from Microsoft Sales that includes third-party apps.
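Review bot: the en dash after **Direct purchase** shows up as "ΓÇô" in both the removed and added lines (the UTF-8 bytes of U+2013 read through a Windows code page); if the file itself contains those bytes, re-save it as UTF-8 or use a plain hyphen, otherwise this is only a display artifact of the diff view and nothing needs to change. The AppSource host change itself looks right.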
commerce Back Up Data Before Switching Plans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/back-up-data-before-switching-plans.md
https://<orgDomain>/_layouts/15/start.aspx#/SitePages/Home.aspx
where _\<orgDomain\>_ is the organization's URL.
-For example, if the domain of the organization is contoso.onmicrosoft.com, then the direct URL to the team site would be https://contoso.onmicrosoft.com/_layouts/15/start.aspx#/SitePages/Home.aspx.
+For example, if the domain of the organization is contoso.onmicrosoft.com, then the direct URL to the team site would be `https://contoso.onmicrosoft.com/_layouts/15/start.aspx#/SitePages/Home.aspx`.
Of course, users can also download SharePoint Online documents from the SharePoint team site to their local computer or to another location at any time.
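Review bot: wrapping the contoso example URL in backticks is right, and the template two lines above needs the same treatment: `https://<orgDomain>/_layouts/15/start.aspx#/SitePages/Home.aspx` is not in code formatting there, so Markdown/HTML treats `<orgDomain>` as a tag and the placeholder disappears from the rendered page.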
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
Make sure you're aware of the prerequisites before you configure auto-labeling p
- Simulation mode: - Auditing for Microsoft 365 must be turned on. If you need to turn on auditing or you're not sure whether auditing is already on, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md).
- - To view file contents in the source view, you must have the **Content Explorer Content Viewer** role. Global admins don't have this role by default. If you don't have this permission, you don't see the preview pane when you select an item from the **Matched Items** tab.
+ - To view file or email contents in the source view, you must have the **Content Explorer Content Viewer** role. Global admins don't have this role by default. If you don't have this permission, you don't see the preview pane when you select an item from the **Matched Items** tab.
- To auto-label files in SharePoint and OneDrive: - You have [enabled sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md).
compliance Communication Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance.md
Intelligent customizable templates in communication compliance allow you to appl
Built-in remediation workflows allow you to quickly identify and take action on messages with policy matches in your organization. The following new features increase efficiency for investigation and remediation activities: - **Flexible remediation workflow**: New remediation workflow helps you quickly take action on policy matches, including new options to escalate messages to other reviewers and to send email notifications to users with policy matches.-- **Conversation threading**: Messages are now visually grouped by original message and all associated reply messages, giving you better context during investigation and remediation actions.
+- **Conversation policy matching**: Messages in conversations are grouped by policy matches to give you more visibility about how conversations relate to your communication policies. For example, conversation policy matching in the *Pending Alerts* view will automatically show all messages in a Teams channel that have matches for your Offensive Language policy. Other messages in the conversation that don't match the Offensive Language policy would not be displayed.
- **Keyword highlighting**: Terms matching policy conditions are highlighted in the message text view to help reviewers quickly locate and remediate policy alerts. - **Exact and near duplicate detection**: In addition to scanning for exact terms matching communication compliance policies, near duplicate detection groups textually similar terms and messages together to help speed up your review process. - **Optical character recognition (OCR) (preview)**: Scan, detect, and investigate printed and handwritten text within images embedded or attached to email or Microsoft Teams chat messages.
compliance Export Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-search-results.md
Here's more information about exporting search results.
[Exporting partially indexed items](#exporting-partially-indexed-items) [Exporting individual messages or PST files](#exporting-individual-messages-or-pst-files)
-
-[Exporting results from more than 100,000 mailboxes](#exporting-results-from-more-than-100000-mailboxes)
[Decrypting RMS-protected email messages and encrypted file attachments](#decrypting-rms-protected-email-messages-and-encrypted-file-attachments)
For information about limits when exporting content search results, see the "Exp
- As previously stated, you must export email search results as individual messages to decrypt RMS-protected messages when they're exported. Encrypted messages will remain encrypted if you export email search results as a PST file.
-### Exporting results from more than 100,000 mailboxes
--- As previously explained, you have to use Security & Compliance Center PowerShell to download the search results from more than 100,000 mailboxes. You can run the following script in this section to download these search results. Using this script assumes that you have already exported the search results (the export job is displayed on the **Exports** tab in the Content Search tool) and now want to download them.-
- ```powershell
- $export=Get-ComplianceSearchAction SEARCHNAME_Export -IncludeCredential;
- $exportUrl= [System.Uri]::EscapeDataString(($export.Results.Split(";") | ?{$_ -like '*Container url*'} | %{$_.Split(":",2)} | select -last 1).Trim());
- $exportToken=($export.Results.Split(";") | ?{$_ -like '*SAS Token*'} | %{$_.Split(":",2)} | select -last 1).Trim();
- ."$env:ProgramFiles\Internet Explorer\IEXPLORE.EXE" "https://complianceclientsdf.blob.core.windows.net/v16/Microsoft.Office.Client.Discovery.UnifiedExportTool.application?name=$($export.Name)&source=$exportUrl&zip=allow&trace=1";
- $exportToken | clip;
- ```
-
- In the script, you have to specify the name of the search that you want to export results for. For example, for a search named, `SearchAllMailboxes` replace SEARCHNAME_Export with `SearchAllMailboxes_Export`.
-
- After you add the name of the search to the script, you can copy the script text and then paste it into a Windows PowerShell window that's [connected to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell). After you paste the script, the eDiscovery Export Tool is displayed (like it is when you download search results using the UI):
-
- ![eDiscovery Export Tool](../media/eDiscoveryExportTool.png)
-
- Click in the export key box and then press `CTRL + V` to paste the export key (the script copies the export key to the clipboard). Click **Browse** to specify the location where you want to download the files, and then start the download.
-
- As previously stated, we recommend that you download search results to a local disk drive due to the high amount of disk activity (reads and writes). Don't download search results to a mapped network drive or other network location.
- ### Decrypting RMS-protected email messages and encrypted file attachments Any rights-protected (RMS-protected) email messages included in the results of a Content Search will be decrypted when you export them. Additionally, any file that's encrypted with a [Microsoft encryption technology](encryption.md) and is attached to an email message that's included in the search results will also be decrypted when it's exported. This decryption capability is enabled by default for members of the eDiscovery Manager role group. This is because the RMS Decrypt management role is assigned to this role group by default. Keep the following things in mind when exporting encrypted email messages and attachments:
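Review bot: the removal at the end of the hunk appears to take the "### Decrypting RMS-protected email messages and encrypted file attachments" heading along with the blank line above it, while the link list at the top of the article still targets #decrypting-rms-protected-email-messages-and-encrypted-file-attachments; confirm that only the blank line is dropped. Removing the 100,000-mailbox section is consistent with the matching cross-reference removals in limits-for-content-search.md in this same batch, and it retires a documented workflow that launched IEXPLORE.EXE with the export container URL and left the SAS export token sitting on the clipboard via `clip`, which is a sensible thing to stop publishing.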
compliance Hold Distribution Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/hold-distribution-errors.md
If you see one the following error messages when putting custodians and data sou
1. Connect to [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the following command for an eDiscovery hold: ```powershell
- Get-CaseHoldPolicy <policyname> - DistributionDetail | FL
+ Get-CaseHoldPolicy <policyname> -DistributionDetail | FL
``` 2. Examine the value in the *DistributionDetail* parameter. Look for errors like the following:
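Review bot: the fix is correct: with the space, PowerShell parses "-" and "DistributionDetail" as two positional arguments instead of the `-DistributionDetail` switch, so the command fails. Separately, both fence markers share a line with the step text ("... for an eDiscovery hold: ```powershell" and "``` 2. Examine the value ..."), so the command will not render as a code block; move each fence onto its own line.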
compliance Limits For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-for-content-search.md
The following table lists the search limits when using the content search tool i
||| > [!NOTE]
-> <sup>1</sup> Although you can search an unlimited number of mailboxes in a single search, you can only download the exported search results from a maximum of 100,000 mailboxes using the eDiscovery Export Tool in the Microsoft 365 compliance center. To download the search results from more than 100,000 mailboxes, you have to use Security & Compliance Center PowerShell. For more information and a sample script, see [Exporting results from more than 100,000 mailboxes](export-search-results.md#exporting-results-from-more-than-100000-mailboxes). <br/><br/> <sup>2</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched are counted against this limit. <br/><br/> <sup>3</sup> For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, `"time*"` can expand to `"time OR timer OR times OR timex OR timeboxed OR …"`. 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms.
+> <sup>1</sup> Although you can search an unlimited number of mailboxes in a single search, you can only download the exported search results from a maximum of 100,000 mailboxes using the eDiscovery Export Tool in the Microsoft 365 compliance center. <br/><br/> <sup>2</sup> When searching SharePoint and OneDrive for Business locations, the characters in the URLs of the sites being searched are counted against this limit. <br/><br/> <sup>3</sup> For non-phrase queries (a keyword value that doesn't use double quotation marks) we use a special prefix index. This tells us that a word occurs in a document, but not where it occurs in the document. To do a phrase query (a keyword value with double quotation marks), we need to compare the position within the document for the words in the phrase. This means that we can't use the prefix index for phrase queries. In this case, we internally expand the query with all possible words that the prefix expands to; for example, `"time*"` can expand to `"time OR timer OR times OR timex OR timeboxed OR …"`. 10,000 is the maximum number of variants the word can expand to, not the number of documents matching the query. There is no upper limit for non-phrase terms.
## Search times Microsoft collects performance information for searches run by all organizations. While the complexity of the search query can impact search times, the biggest factor that affects how long searches take is the number of mailboxes searched. Although Microsoft doesn't provide a Service Level Agreement for search times, the following table lists average search times for collection searches based on the number of mailboxes included in the search.
The following table lists the limits when exporting the results of a content sea
|Maximum an organization can export in a single day <br/><br/> **Note:** This limit is reset daily at 12:00AM UTC <br/> |2 TB <br/> | |Maximum concurrent exports that can be ran at same time within your organization <br/><br/> **Note:** Running a **Report Only** export counts against total concurrent exports for your organization. If three users are performing 3 exports each, then only one other export can be performed. Whether it is exporting a report or search results, no other exports can be performed until one has completed. <br/> |10 <br/> | |Maximum exports a single user can run at any one time <br/> |3 <br/> |
-|Maximum number of mailboxes for search results that can be downloaded using the eDiscovery Export Tool <br/><br/> **Note:** To download the search results from more than 100,000 mailboxes, you have to use Security & Compliance Center PowerShell. For instructions, see [Exporting results from more than 100,000 mailboxes](export-search-results.md#exporting-results-from-more-than-100000-mailboxes). <br/> | 100,000 <br/>|
+|Maximum number of mailboxes for search results that can be downloaded using the eDiscovery Export Tool <br/>| 100,000 <br/>|
|Maximum size of PST file that can be exported <br/><br/> **Note:** If the search results from a user's mailbox are larger than 10 GB, the search results for the mailbox will be exported in two (or more) separate PST files. If you choose to export all search results in a single PST file, the PST file will be spilt into additional PST files if the total size of the search results is larger than 10 GB. If you want to change this default size, you can edit the Windows Registry on the computer that you use to export the search results. See [Change the size of PST files when exporting eDiscovery search results](change-the-size-of-pst-files-when-exporting-results.md). The search results from a specific mailbox won't be divided among multiple PST files unless the content from a single mailbox is more than 10 GB. If you chose to export the search results in one PST file for that contains all messages in a single folder and the search results are larger than 10 GB, the items are still organized in chronological order, so they will be spilt into additional PST files based on the sent date.<br/> | 10 GB <br/> | |Rate at which search results from mailboxes and sites are uploaded to a Microsoft-provided Azure Storage location. |Maximum of 2 GB per hour| |||
For case limits related to Core eDiscovery and Advanced eDiscovery, see:
- [Limits in Core eDiscovery](limits-core-ediscovery.md) -- [Limits in Advanced eDiscovery](limits-ediscovery20.md)
+- [Limits in Advanced eDiscovery](limits-ediscovery20.md)
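Review bot: the rewritten footnote 1 (first `+` line of this file) and the rewritten row "Maximum number of mailboxes for search results that can be downloaded using the eDiscovery Export Tool" both drop the sentence that pointed readers with more than 100,000 mailboxes to Security & Compliance Center PowerShell, while the 100,000 cap itself stays in both places, so the page now leaves those readers with no stated path. If the PowerShell route in export-search-results.md is being retired, say so in one sentence rather than deleting the guidance silently. While this table is being edited, fix "that can be ran at same time" to "that can be run at the same time" and the two occurrences of "spilt" (should be "split") in the unchanged PST-size row.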
compliance Overview Ediscovery 20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/overview-ediscovery-20.md
Licensing for Advanced eDiscovery requires the appropriate organization subscrip
- Microsoft 365 E3 subscription with E5 eDiscovery and Audit add-on
- If you don't have an existing Microsoft 365 E5 plan and want to try Advanced eDiscovery, you can [add Microsoft 365](https://docs.microsoft.com/office365/admin/try-or-buy-microsoft-365) to your existing subscription or [sign up for a trial](https://www.microsoft.com/microsoft-365/enterprise) of Microsoft 365 E5.
+ - Microsoft 365 Education A5 or Office 365 Education A5 subscription
+
+ If you don't have an existing Microsoft 365 E5 plan and want to try Advanced eDiscovery, you can [add Microsoft 365](https://docs.microsoft.com/office365/admin/try-or-buy-microsoft-365) to your existing subscription or [sign up for a trial](https://www.microsoft.com/microsoft-365/enterprise) of Microsoft 365 E5.
- **Per-user licensing:** To add a user as a custodian in an Advance eDiscovery case, that user must be assigned one of the following licenses, depending on your organization subscription:
- - Microsoft 365: Users must be assigned a Microsoft 365 E5 license, an E5 Compliance add-on license, or an E5 eDiscovery and Audit add-on license.
+ - Microsoft 365: Users must be assigned a Microsoft 365 E5 license, an E5 Compliance add-on license, or an E5 eDiscovery and Audit add-on license. Microsoft 365 Education users must be assigned an A5 license.
- - Office 365: Users must be assigned an Office 365 E5 license.
+ - Office 365: Users must be assigned an Office 365 E5 or Office 365 Education A5 license.
For information about how to assign licenses, see [Assign licenses to users](https://docs.microsoft.com/microsoft-365/admin/manage/assign-licenses-to-users). > [!NOTE]
-> Users only need an E5 license (or the appropriate add-on license) to be added as custodians to an Advanced eDiscovery case. IT admins, eDiscovery managers, lawyers, paralegals, or investigators who use Advanced eDiscovery to manage cases and review case data don't need an E5 or add-on license.
+> Users only need an E5 or A5 license (or the appropriate add-on license) to be added as custodians to an Advanced eDiscovery case. IT admins, eDiscovery managers, lawyers, paralegals, or investigators who use Advanced eDiscovery to manage cases and review case data don't need an E5, A5, or add-on license.
## Get started with Advanced eDiscovery
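Review bot: the new bullet `+ - Microsoft 365 Education A5 or Office 365 Education A5 subscription` is indented one space more than its sibling `- Microsoft 365 E3 subscription with E5 eDiscovery and Audit add-on`, and the re-added "If you don't have an existing Microsoft 365 E5 plan" paragraph also gained a leading space; in Markdown that can render as a nested item or as a continuation of the previous bullet, so align both with the existing list. The unchanged line "To add a user as a custodian in an Advance eDiscovery case" has a typo ("Advanced") worth fixing in the same commit.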
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
description: Learn about retention policies and retention labels that help you t
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).* > [!NOTE]
-> If you're seeing seeing messages about retention policies in your apps, contact your IT department for information about how they have been configured for you. If these messages are for Teams chat or channel messages, see [Teams messages about retention policies](https://support.microsoft.com/office/teams-messages-about-retention-policies-c151fa2f-1558-4cf9-8e51-854e925b483b).
+> If you're seeing messages about retention policies in your apps, contact your IT department for information about how they have been configured for you. If these messages are for Teams chat or channel messages, see [Teams messages about retention policies](https://support.microsoft.com/office/teams-messages-about-retention-policies-c151fa2f-1558-4cf9-8e51-854e925b483b).
> > The information on this page is for IT administrators who can create retention policies and retention labels for compliance reasons.
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
Make sure you have version 16.0.19418.12000 or later of the SharePoint Online Ma
$sites | ForEach-Object {Set-SPOTenant $_.url -SensitivityLabel $Id} ```
-To apply different labels to different sites, repeat the following command for each site: `Set-SPOSite -Identity <URL> -SensitivityLabel "<labelguid>"`
+This series of commands lets you label multiple sites across your tenant with the same sensitivity label, which is why you use the Set-SPOTenant cmdlet, rather than the Set-SPOSite cmdlet that's for per-site configuration. However, use the Set-SPOSite cmdlet when you need to apply a different label to specific sites by repeating the following command for each of these sites: `Set-SPOSite -Identity <URL> -SensitivityLabel "<labelguid>"`
## View and manage sensitivity labels in the SharePoint admin center
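Review bot: the replacement sentence justifies `Set-SPOTenant` on the grounds that it labels multiple sites, but the command being explained, `$sites | ForEach-Object {Set-SPOTenant $_.url -SensitivityLabel $Id}`, already runs once per site inside the loop, so the per-site `Set-SPOSite -Identity $_.Url -SensitivityLabel $Id` is the cmdlet that matches the stated intent, and the same sentence itself describes Set-SPOSite as the per-site cmdlet. Please verify in the SharePoint Online Management Shell that Set-SPOTenant accepts a site URL positionally together with -SensitivityLabel before keeping this wording; if the loop body is corrected to Set-SPOSite, the new rationale has to change with it.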
enterprise Cross Tenant Mailbox Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md
Once the mailbox moves from source to target, you should ensure that the on-prem
Yes, you should update the targetAddress (RemoteRoutingAddress/ExternalEmailAddress) of the source on-premises users when the source tenant mailbox moves to target tenant. While mail routing can follow the referrals across multiple mail users with different targetAddresses, Free/Busy lookups for mail users MUST target the location of the mailbox user. Free/Busy lookups will not chase multiple redirects.
+**Do Teams meetings migrate cross-tenant?**
+
+The meetings will move however the Teams meeting URL does not update when items migrate cross-tenant. Since the URL will be invalid in the target tenant you will need to remove and recreate the Teams meetings.
+ **Does the Teams chat folder content migrate cross-tenant?** No, the Teams chat folder content does not migrate cross-tenant.
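Review bot: the new answer "The meetings will move however the Teams meeting URL does not update" is a run-on; punctuate it ("The meetings will move; however, the Teams meeting URL does not update when items migrate cross-tenant.") so the contrast reads clearly. The following question now begins with a leading space (`+ **Does the Teams chat folder content migrate cross-tenant?**`) while the new `+**Do Teams meetings migrate cross-tenant?**` line does not; format the two Q&A entries the same way and keep a blank line between them.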
enterprise Office 365 Network Mac Perf Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-overview.md
Measurement samples and office locations should start to appear 24 hours after t
For this option, neither Windows Location Services nor Wi-Fi are required. Your OneDrive for Windows version must be up-to-date and installed on at least one computer at the location.
-You also need to add locations in the in the **Locations page** or to import them from a CSV file. The locations added must include your office LAN subnet information.
+You also need to add locations in the **Locations page** or to import them from a CSV file. The locations added must include your office LAN subnet information.
This option allows you to have multiple offices defined within a city.
All test measurements from client machines include the LAN subnet information, w
### 3. Manually gather test reports with the Microsoft 365 network connectivity test tool
-For this option, you need to identify a person at each location. Ask them to browse to [Microsoft 365 network connectivity test](https://connectivity.office.com) on a Windows machine on which they have administrative permissions. On the web site, they need to sign-in to their Office 365 account for the same organization that you want to see the results. Then they should click **Run test**. During the test there is a downloaded Connectivity test EXE. They need to open and execute that. Once the tests are completed, the test result is uploaded to the Admin Center.
+For this option, you need to identify a person at each location. Ask them to browse to [Microsoft 365 network connectivity test](https://connectivity.office.com) on a Windows machine on which they have administrative permissions. On the web site, they need to sign in to their Office 365 account for the same organization that you want to see the results. Then they should click **Run test**. During the test there is a downloaded Connectivity test EXE. They need to open and execute that. Once the tests are completed, the test result is uploaded to the Admin Center.
Test reports are linked to a location if it was added with LAN subnet information, otherwise they are shown at the city location only.
Many enterprises have network perimeter configurations which have grown over tim
## How we can solve these challenges
-Enterprises can improve general user experience and secure their environment by following [Office 365 connectivity principles](./microsoft-365-network-connectivity-principles.md) and by using the Microsoft 365 Admin Center network connectivity feature. In most cases, following these general principles will have a significant positive impact on end user latency, service reliability and overall performance of Microsoft 365.
+Enterprises can improve general user experience and secure their environment by following [Office 365 connectivity principles](./microsoft-365-network-connectivity-principles.md) and by using the Microsoft 365 Admin Center network connectivity feature. In most cases, following these general principles will have a significant positive impact on end-user latency, service reliability and overall performance of Microsoft 365.
Microsoft is sometimes asked to investigate network performance issues with Microsoft 365 for large enterprise customers, and these frequently have a root cause related to the customer's network perimeter infrastructure. When a common root cause of a customer network perimeter issue is found we seek to identify simple test measurements that identifies it. A test with a measurement threshold that identifies a specific problem is valuable because we can test the same measurement at any location, tell whether this root cause is present there and share it as a network insight with the administrator.
You can view a table view of the locations where they can be filtered, sorted, a
> [!div class="mx-imgBorder"] > ![Network insights locations](../media/m365-mac-perf/m365-mac-perf-locations.png)
+## Remote worker assessment and user connection metrics
+
+We classify network traffic logs as remote or onsite users and show their percentages in the user connection metrics section of the overview pane. For cities where you have remote users, you will find the location specific remote network assessment score when you open that locationΓÇÖs page. The locations list will have both office locations and remote worker cities, which can be filtered and sorted. We provide the remote worker assessment score, with points breakdown for Exchange, SharePoint and Teams.
+
+Home user networking insights are aggregated and reported at a city level and limited to cities with a minimum of 5 remote employees. We are not identifying individual employees working from home.
+
+Locations are auto classified as onsite or remote, however, you have the option to enter all your onsite egress IP addresses manually to ensure a 100% classification. If you decide to go this route, you will have to check the **Enter all onsite egress IP addresses manually** checkbox in the Locations Settings flyout after adding all your egress IP addresses. When this is done, all network traffic logs from egress IP addresses you have marked as onsite will always be classified as offices and every other egress IP address will be classified as remote.
+ ## Specific office location network performance summary and insights Selecting an office location opens a location-specific summary page showing details of the network egress that has been identified from measurements for that office location.
You require a license that provides access to the Microsoft 365 admin center.
[Microsoft 365 connectivity test tool (preview)](office-365-network-mac-perf-onboarding-tool.md)
-[Microsoft 365 Network Connectivity Location Services (preview)](office-365-network-mac-location-services.md)
+[Microsoft 365 Network Connectivity Location Services (preview)](office-365-network-mac-location-services.md)
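Review bot: in the new "Remote worker assessment and user connection metrics" section the phrase "that locationΓÇÖs page" contains a mis-encoded curly apostrophe (`ΓÇÖ` is U+2019 written in the wrong code page); replace it with a plain `'` so it renders correctly. The last added line, `+ ## Specific office location network performance summary and insights Selecting an office location opens a location-specific summary page...`, puts the heading and its first paragraph on one line with a leading space, so the heading will not render as H2; put `## Specific office location network performance summary and insights` on its own line followed by a blank line.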
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### Troubleshooting Microsoft Defender Antivirus ##### [Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md)
+##### [Troubleshoot performance issues](troubleshoot-performance-issues.md)
##### [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md) ##### [Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution](troubleshoot-microsoft-defender-antivirus-when-migrating.md)
##### [Detect and block Potentially Unwanted Applications](linux-pua.md) ##### [Schedule scans with Microsoft Defender for Endpoint on Linux](linux-schedule-scan-atp.md) ##### [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-MDE-Linux.md)
+##### [Deploy Defender for Endpoint on Linux with Chef](linux-deploy-defender-for-endpoint-with-chef.md)
#### [Troubleshoot]() ##### [Troubleshoot installation issues](linux-support-install.md)
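Review bot: the new entry `##### [Troubleshoot performance issues](troubleshoot-performance-issues.md)` points at a file that does not appear anywhere in this change set, while the performance-troubleshooting article touched here is linux-support-perf.md ("Troubleshoot performance issues for Microsoft Defender for Endpoint for Linux"); confirm the target exists in the repo (a missing file becomes a broken TOC link in the rendered docs) and that placing it under "Troubleshooting Microsoft Defender Antivirus" rather than the Linux troubleshooting node is intended. The second entry, `[Deploy Defender for Endpoint on Linux with Chef](linux-deploy-defender-for-endpoint-with-chef.md)`, matches the new article added in this commit.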
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
ms.technology: mde
Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+## 1.1.15140101
+
+- The Microsoft Defender ATP product name has now been updated to Microsoft Defender for Endpoint in the app store.
+- Improved sign-in experience.
+- Bug fixes.
+ ## 1.1.15010101 - With this version, we are announcing support for iPadOS/iPad devices.-- Bug fixes.
+- Bug fixes.
security Linux Deploy Defender For Endpoint With Chef https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md
+
+ Title: How to Deploy Defender for Endpoint on Linux with Chef
+description: Learn how to deploy Defender for Endpoint on Linux with Chef
+keywords: microsoft, defender, atp, linux, scans, antivirus, microsoft defender for endpoint (linux)
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
++
+ms.technology: mde
++
+# Deploy Defender for Endpoint on Linux with Chef
+
+Before you begin:
+
+- Install unzip if itΓÇÖs not already installed.
+The Chef components are already installed and a Chef repository exists (chef generate repo <reponame>) to store the cookbook that will be used to deploy to Defender for Endpoint on Chef managed Linux servers.
+
+You can create a new cookbook in your existing repository by running the following command from inside the cookbooks folder that is in your chef repository:</br>
+`chef generate cookbook mdatp`
+
+This command will create a new folder structure for the new cookbook called mdatp. You can also use an existing cookbook if you already have one youΓÇÖd like to use to add the MDE deployment into.
+After the cookbook is created, create a files folder inside the cookbook folder that just got created:
+
+`mkdir mdatp/files`
+
+Transfer the Linux Server Onboarding zip file that can be downloaded from the Microsoft Defender Security Center portal to this new files folder.
+
+On the Chef Workstation, navigate to the mdatp/recipes folder. This folder is created when the cookbook was generated. Use your preferred text editor (like vi or nano) to add the following instructions to the end of the default.rb file:
+- include_recipe '::onboard_mdatp'
+- include_recipe '::install_mdatp'
+
+Then save and close the default.rb file.
+Next create a new recipe file named install_mdatp.rb in the recipes folder and add this text to the file:
+
+```powershell
+
+#Add Microsoft Defender
+Repo
+case node['platform_family']
+when 'debian'
+ apt_repository 'MDAPRepo' do
+ arch 'amd64'
+ cache_rebuild true
+ cookbook false
+ deb_src false
+ key 'BC528686B50D79E339D3721CEB3E94ADBE1229CF'
+ keyserver "keyserver.ubuntu.com"
+ distribution 'focal'
+ repo_name 'microsoft-prod'
+ components ['main']
+ trusted true
+ uri "https://packages.microsoft.com/ubuntu/20.04/prod"
+ end
+ apt_package "mdatp"
+when 'rhel'
+ yum_repository 'microsoft-prod' do
+ baseurl "https://packages.microsoft.com/rhel/7/prod/"
+ description "Microsoft Defender for Endpoint"
+ enabled true
+ gpgcheck true
+ gpgkey "https://packages.microsoft.com/keys/microsoft.asc"
+ end
+ if node['platform_version'] <= 8 then
+ yum_package "mdatp"
+ else
+ dnf_package "mdatp"
+ end
+end
+```
+
+YouΓÇÖll need to modify the version number, distribution, and repo name to match the version youΓÇÖre deploying to and the channel youΓÇÖd like to deploy.
+Next you should create an onboard_mdatp.rb file in the mdatp/recipies folder. Add the following text to that file:
+
+```powershell
+
+#Create MDATP Directory
+mdatp = "/etc/opt/microsoft/mdatp"
+zip_path = "/path/to/chef-repo/cookbooks/mdatp/files/WindowsDefenderATPOnboardingPackage.zip"
+
+directory "#{mdatp}" do
+ owner 'root'
+ group 'root'
+ mode 0755
+ recursive true
+end
+
+#Extract WindowsDefenderATPOnbaordingPackage.zip into /etc/opt/microsoft/mdatp
+
+bash 'Extract Onbaording Json MDATP' do
+ code <<-EOS
+ unzip #{zip_path} -d #{mdatp}
+ EOS
+ not_if { ::File.exist?('/etc/opt/microsoft/mdatp/mdatp_onboard.json') }
+end
+```
+
+Make sure to update the path name to the location of the onboarding file.
+To test deploy it on the Chef workstation, just run ``sudo chef-client -z -o mdatp``.
+After your deployment you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender ATP for Linux - Windows security | Microsoft Docs](/windows/security/threat-protection/microsoft-defender-atp/linux-preferences).
+After you've created and tested your configuration file, you can place it into the cookbook/mdatp/files folder where you also placed the onboarding package. Then you can create a settings_mdatp.rb file in the mdatp/recipies folder and add this text:
+
+```powershell
+#Copy the configuration file
+cookbook_file '/etc/opt/microsoft/mdatp/managed/mdatp_managed.json' do
+ source 'mdatp_managed.json'
+ owner 'root'
+ group 'root'
+ mode '0755'
+ action :create
+end
+```
+
+To include this step as part of the recipe just add include_recipe ':: settings_mdatp' to your default.rb file within the recipe folder.
+You can also use crontab to schedule automatic updates [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-MDE-Linux.md).
+
+Uninstall MDATP cookbook:
+
+```powershell
+#Uninstall the Defender package
+case node['platform_family']
+when 'debian'
+ apt_package "mdatp" do
+ action :remove
+ end
+when 'rhel'
+ if node['platform_version'] <= 8
+then
+ yum_package "mdatp" do
+ action :remove
+ end
+ else
+ dnf_package "mdatp" do
+ action :remove
+ end
+ end
+end
+```
+
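Review bot: `trusted true` in the `apt_repository 'MDAPRepo'` block disables APT signature verification for that source even though the block already configures the signing key (`key 'BC528686B50D79E339D3721CEB3E94ADBE1229CF'` with `keyserver "keyserver.ubuntu.com"`), so packages from packages.microsoft.com would be installed without being checked; remove `trusted true` and let the key do its job. The `#Add Microsoft Defender` comment is broken across two lines, which leaves `Repo` as a bare identifier that Ruby treats as a constant and fails on with NameError when the recipe is compiled; join it into one comment line. `node['platform_version'] <= 8` (in both the install and the uninstall recipe) compares the string Ohai reports (for example "7.9") with an Integer and raises ArgumentError; use `node['platform_version'].to_i` and decide whether version 8 belongs on the yum or the dnf branch, since the else branch reads as the 8-and-later path. In onboard_mdatp.rb, `zip_path` is a workstation path under `/path/to/chef-repo/cookbooks/mdatp/files/`, which exists only when testing with `chef-client -z` on the workstation; on a managed node the `bash` resource runs unzip against a path that is not there, so stage the package onto the node with `cookbook_file` first (the `files` folder is exactly what cookbook_file serves) and unzip from that location. That package, once placed in the cookbook and committed, carries the onboarding information that `mdatp_onboard.json` is extracted from, so the article should tell readers to restrict access to the cookbook source and keep the extracted file root-only. `mode '0755'` on mdatp_managed.json gives execute bits to a JSON configuration file; `'0644'` is enough. Smaller fixes: the four code fences are tagged `powershell` but contain Chef Ruby DSL, so tag them `ruby`; `mdatp/recipies` (twice) should be `mdatp/recipes` as used earlier in the article; `include_recipe ':: settings_mdatp'` has a stray space inside the string; "Onbaording" appears twice in the comments; and `itΓÇÖs`, `youΓÇÖd`, `YouΓÇÖll`, `youΓÇÖre` are mis-encoded apostrophes that need replacing with `'`.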
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
Title: Troubleshoot performance issues for Microsoft Defender ATP for Linux
-description: Troubleshoot performance issues in Microsoft Defender ATP for Linux.
+ Title: Troubleshoot performance issues for Microsoft Defender for Endpoint for Linux
+description: Troubleshoot performance issues in Microsoft Defender Endpoint for Linux.
keywords: microsoft, defender, atp, linux, performance search.product: eADQiWindows 10XVcnh search.appverid: met150
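Review bot: the new description line reads "Troubleshoot performance issues in Microsoft Defender Endpoint for Linux", dropping the "for" that the new title line keeps ("Microsoft Defender for Endpoint for Linux"); use the full product name in both.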
security Linux Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-updates.md
Title: Deploy updates for Microsoft Defender ATP for Linux
+ Title: Deploy updates for Microsoft Defender for Endpoint for Linux
-description: Describes how to deploy updates for Microsoft Defender ATP for Linux in enterprise environments.
+description: Describes how to deploy updates for Microsoft Defender for Endpoint for Linux in enterprise environments.
keywords: microsoft, defender, atp, linux, updates, deploy search.product: eADQiWindows 10XVcnh search.appverid: met150
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
Title: Investigate entities on devices using live response in Microsoft Defender ATP
+ Title: Investigate entities on devices using live response in Microsoft Defender for Endpoint
description: Access a device using a secure remote shell connection to do investigative work and take immediate response actions on a device in real time. keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, search.product: eADQiWindows 10XVcnh
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
Title: Configure and validate exclusions for Microsoft Defender ATP for Mac
-description: Provide and validate exclusions for Microsoft Defender ATP for Mac. Exclusions can be set for files, folders, and processes.
+ Title: Configure and validate exclusions for Microsoft Defender for Endpoint for Mac
+description: Provide and validate exclusions for Microsoft Defender for Endpoint for Mac. Exclusions can be set for files, folders, and processes.
keywords: microsoft, defender, atp, mac, exclusions, scans, antivirus search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Install With Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-jamf.md
Title: Deploying Microsoft Defender ATP for macOS with Jamf Pro
-description: Deploying Microsoft Defender ATP for macOS with Jamf Pro
+ Title: Deploying Microsoft Defender for Endpoint for macOS with Jamf Pro
+description: Deploying Microsoft Defender for Endpoint for macOS with Jamf Pro
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Install With Other Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm.md
Title: Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender ATP for Mac
-description: Install Microsoft Defender ATP for Mac on other management solutions.
+ Title: Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint for Mac
+description: Install Microsoft Defender for Endpoint for Mac on other management solutions.
keywords: microsoft, defender, atp, mac, installation, deploy, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Jamfpro Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups.md
Title: Set up device groups in Jamf Pro
-description: Learn how to set up device groups in Jamf Pro for Microsoft Defender ATP for macOS
+description: Learn how to set up device groups in Jamf Pro for Microsoft Defender for Endpoint for macOS
keywords: device, group, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Jamfpro Enroll Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices.md
Title: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
-description: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
+ Title: Enroll Microsoft Defender for Endpoint for macOS devices into Jamf Pro
+description: Enroll Microsoft Defender for Endpoint for macOS devices into Jamf Pro
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
Title: Set up the Microsoft Defender ATP for macOS policies in Jamf Pro
-description: Learn how to set up the Microsoft Defender ATP for macOS policies in Jamf Pro
+ Title: Set up the Microsoft Defender for Endpoint for macOS policies in Jamf Pro
+description: Learn how to set up the Microsoft Defender Endpoint for macOS policies in Jamf Pro
keywords: policies, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150
These steps are applicable of macOS 10.15 (Catalina) or newer.
- **Distribution Method**: Install Automatically *(default)* - **Level**: Computer Level *(default)*
- ![Image of configuration profile settings mdatpmdav](images/c9820a5ff84aaf21635c04a23a97ca93.png)
+ ![Image of new macOS configuration profile screen](images/c9820a5ff84aaf21635c04a23a97ca93.png)
- Tab **Notifications**, click **Add**, and enter the following values: - **Bundle ID**: `com.microsoft.wdav.tray`
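Review bot: the new description "Learn how to set up the Microsoft Defender Endpoint for macOS policies in Jamf Pro" is missing "for" in the product name, while the new title line directly above it has "Microsoft Defender for Endpoint for macOS"; make the two consistent. The unchanged line "These steps are applicable of macOS 10.15 (Catalina) or newer" should read "applicable to" and is worth fixing in the same pass.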
security Mac Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-preferences.md
Title: Set preferences for Microsoft Defender ATP for Mac
-description: Configure Microsoft Defender ATP for Mac in enterprise organizations.
+ Title: Set preferences for Microsoft Defender for Endpoint for Mac
+description: Configure Microsoft Defender for Endpoint for Mac in enterprise organizations.
keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-privacy.md
Title: Privacy for Microsoft Defender ATP for Mac
-description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Mac.
+ Title: Privacy for Microsoft Defender for Endpoint for Mac
+description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender for Endpoint for Mac.
keywords: microsoft, defender, atp, mac, privacy, diagnostic search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-pua.md
Title: Detect and block potentially unwanted applications with Microsoft Defender ATP for Mac
-description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Mac.
+ Title: Detect and block potentially unwanted applications with Microsoft Defender for Endpoint for Mac
+description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender for Endpoint for Mac.
keywords: microsoft, defender, atp, mac, pua, pus search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-resources.md
Title: Resources for Microsoft Defender ATP for Mac
-description: Resources for Microsoft Defender ATP for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
+ Title: Resources for Microsoft Defender for Endpoint for Mac
+description: Resources for Microsoft Defender for Endpoint for Mac, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150
There are several ways to uninstall Microsoft Defender for Endpoint on macOS. No
### Interactive uninstallation -- Open **Finder > Applications**. Right click on **Microsoft Defender ATP > Move to Trash**.
+- Open **Finder > Applications**. Right click on **Microsoft Defender for Endpoint > Move to Trash**.
### From the command line
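Review bot: the rename in `+- Open **Finder > Applications**. Right click on **Microsoft Defender for Endpoint > Move to Trash**.` changes a Finder item name, not just prose, so confirm it matches the app bundle name that the current macOS release actually installs; if the bundle still carries the previous name, this step will send users looking for an item that is not in Applications.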
security Mac Schedule Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-schedule-scan.md
Title: How to schedule scans with MDATP for macOS
-description: Learn how to schedule an automatic scanning time for Microsoft Defender ATP in macOS to better protect your organization's assets.
+description: Learn how to schedule an automatic scanning time for Microsoft Defender for Endpoint in macOS to better protect your organization's assets.
keywords: microsoft, defender, atp, mac, scans, antivirus search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-install.md
Title: Troubleshoot installation issues for Microsoft Defender ATP for Mac
-description: Troubleshoot installation issues in Microsoft Defender ATP for Mac.
+ Title: Troubleshoot installation issues for Microsoft Defender for Endpoint for Mac
+description: Troubleshoot installation issues in Microsoft Defender for Endpoint for Mac.
keywords: microsoft, defender, atp, mac, install search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
Title: Troubleshoot license issues for Microsoft Defender ATP for Mac
-description: Troubleshoot license issues in Microsoft Defender ATP for Mac.
+ Title: Troubleshoot license issues for Microsoft Defender for Endpoint for Mac
+description: Troubleshoot license issues in Microsoft Defender for Endpoint for Mac.
keywords: microsoft, defender, atp, mac, performance search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mac Sysext Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-sysext-preview.md
Title: Microsoft Defender ATP for Mac - system extensions (Preview)
-description: This article contains instructions for trying out the system extensions functionality of Microsoft Defender ATP for Mac. This functionality is currently in public preview.
+ Title: Microsoft Defender for Endpoint for Mac - system extensions (Preview)
+description: This article contains instructions for trying out the system extensions functionality of Microsoft Defender for Endpoint for Mac. This functionality is currently in public preview.
keywords: microsoft, defender, atp, mac, kernel, system, extensions, catalina search.product: eADQiWindows 10XVcnh search.appverid: met150
These steps assume you already have Defender for Endpoint running on your device
defaults write com.microsoft.autoupdate2 ChannelName -string Beta ```
- Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender ATP for Mac: Set the channel name](mac-updates.md#set-the-channel-name).
+ Alternatively, if you're in a managed environment (JAMF or Intune), you can configure the update channel remotely. For more information, see [Deploy updates for Microsoft Defender for Endpoint for Mac: Set the channel name](mac-updates.md#set-the-channel-name).
## Deployment steps
security Mac Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-updates.md
Title: Deploy updates for Microsoft Defender ATP for Mac
-description: Control updates for Microsoft Defender ATP for Mac in enterprise environments.
+ Title: Deploy updates for Microsoft Defender for Endpoint for Mac
+description: Control updates for Microsoft Defender for Endpoint for Mac in enterprise environments.
keywords: microsoft, defender, atp, mac, updates, deploy search.product: eADQiWindows 10XVcnh search.appverid: met150
The `Current` channel contains the most stable version of the product.
|Section|Value| |:--|:--|
-| **Domain** | com.microsoft.autoupdate2 |
+| **Domain** | `com.microsoft.autoupdate2` |
| **Key** | ChannelName | | **Data type** | String | | **Possible values** | Beta <br/> Preview <br/> Current |
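Review bot: Only the **Domain** cell is switched to code formatting here, while the **Key** value `ChannelName` and the **Possible values** (`Beta`, `Preview`, `Current`) in the same table stay as plain text; all of them are literal strings an administrator types into `defaults write`, so format them the same way, and the same applies to the five identical tables that follow.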
Change how often MAU searches for updates.
|Section|Value| |:--|:--|
-| **Domain** | com.microsoft.autoupdate2 |
+| **Domain** | `com.microsoft.autoupdate2` |
| **Key** | UpdateCheckFrequency | | **Data type** | Integer | | **Default value** | 720 (minutes) |
Change how MAU searches for updates.
|Section|Value| |:--|:--|
-| **Domain** | com.microsoft.autoupdate2 |
+| **Domain** | `com.microsoft.autoupdate2` |
| **Key** | HowToCheck | | **Data type** | String | | **Possible values** | Manual <br/> AutomaticCheck <br/> AutomaticDownload |
Change whether local users will be able to click the "Check for Updates" option
|Section|Value| |:--|:--|
-| **Domain** | com.microsoft.autoupdate2 |
+| **Domain** | `com.microsoft.autoupdate2` |
| **Key** | EnableCheckForUpdatesButton | | **Data type** | Boolean | | **Possible values** | True (default) <br/> False |
Set to true to make the "Join the Office Insider Program..." checkbox unavailabl
|Section|Value| |:--|:--|
-| **Domain** | com.microsoft.autoupdate2 |
+| **Domain** | `com.microsoft.autoupdate2` |
| **Key** | DisableInsiderCheckbox | | **Data type** | Boolean | | **Possible values** | False (default) <br/> True |
Set to false to send minimal heartbeat data, no application usage, and no enviro
|Section|Value| |:--|:--|
-| **Domain** | com.microsoft.autoupdate2 |
+| **Domain** | `com.microsoft.autoupdate2` |
| **Key** | SendAllTelemetryEnabled | | **Data type** | Boolean | | **Possible values** | True (default) <br/> False |
security Machine Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-groups.md
Title: Create and manage device groups in Microsoft Defender ATP
+ Title: Create and manage device groups in Microsoft Defender for Endpoint
description: Create device groups and set automated remediation levels on them by confiring the rules that apply on the group keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh
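Review bot: "confiring" in the description line is a typo for "configuring"; since this commit already touches the front matter of this file, fix it in the same change.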
security Machine Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-reports.md
Title: Device health and compliance report in Microsoft Defender ATP
+ Title: Device health and compliance report in Microsoft Defender for Endpoint
description: Track device health state detections, antivirus status, OS platform, and Windows 10 versions using the device health and compliance report keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state search.product: eADQiWindows 10XVcnh
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
Title: View and organize the Microsoft Defender ATP devices list
+ Title: View and organize the Microsoft Defender for Endpoint devices list
description: Learn about the available features that you can use from the Devices list such as sorting, filtering, and exporting the list to enhance investigations. keywords: sort, filter, export, csv, device name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software search.product: eADQiWindows 10XVcnh
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-incidents.md
Title: Manage Microsoft Defender ATP incidents
+ Title: Manage Microsoft Defender for Endpoint incidents
description: Manage incidents by assigning it, updating its status, or setting its classification. keywords: incidents, manage, assign, status, classification, true alert, false alert search.product: eADQiWindows 10XVcnh
security Manage Suppression Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-suppression-rules.md
Title: Manage Microsoft Defender for Endpoint suppression rules
-description: You might need to prevent alerts from appearing in the portal by using suppression rules. Learn how to manage your suppression rules in Microsoft Defender ATP.
+description: You might need to prevent alerts from appearing in the portal by using suppression rules. Learn how to manage your suppression rules in Microsoft Defender for Endpoint.
keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off search.product: eADQiWindows 10XVcnh search.appverid: met150
security Management Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md
Title: Overview of management and APIs
-description: Learn about the management tools and API categories in Microsoft Defender ATP
+description: Learn about the management tools and API categories in Microsoft Defender for Endpoint
keywords: onboarding, api, siem, rbac, access, portal, integration, investigation, response, entities, entity, user context, application context, streaming search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mcafee To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-onboard.md
To verify that your onboarded devices are properly connected to Microsoft Defend
|Operating system |Guidance | ||| |- Windows 10 <br/>- Windows Server 2019 <br/>- Windows Server, version 1803 <br/>- Windows Server 2016 <br/>- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/run-detection-test). <br/><br/>Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<br/>- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <br/><br/>For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-mac). |
-|Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <br/><br/>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <br/><br/>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <br/><br/>For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-linux). |
+|macOS<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<br/>- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <br/><br/>For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-mac). |
+|Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <br/><br/>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <br/><br/>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <br/><br/>For more information, see [Microsoft Defender for Endpoint for Linux](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-atp-linux). |
## Uninstall McAfee
security Mcafee To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mcafee-to-microsoft-defender-prepare.md
Title: McAfee to Microsoft Defender for Endpoint - Prepare
-description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender ATP.
+description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender for Endpoint.
keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
Title: Microsoft Defender ATP on iOS
+ Title: Microsoft Defender for Endpoint on iOS
-description: Describes how to install and use Microsoft Defender ATP for iOS
+description: Describes how to install and use Microsoft Defender for Endpoint for iOS
keywords: microsoft, defender, atp, ios, overview, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh search.appverid: met150
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
Title: Microsoft Defender for Endpoint on Linux
-description: Describes how to install and use Microsoft Defender ATP for Linux.
+description: Describes how to install and use Microsoft Defender for Endpoint for Linux.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150
If you experience any installation failures, refer to [Troubleshooting installat
> Running Defender for Endpoint for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. - Disk space: 1GB-- /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in [Troubleshoot installation issues for Microsoft Defender ATP for Linux](/microsoft-365/security/defender-endpoint/linux-support-install).
+- /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in [Troubleshoot installation issues for Microsoft Defender for Endpoint for Linux](/microsoft-365/security/defender-endpoint/linux-support-install).
- Memory: 1GB > [!NOTE] > Please make sure that you have free disk space in /var.
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
Title: Microsoft Defender for Endpoint description: Microsoft Defender for Endpoint is an enterprise endpoint security platform that helps defend against advanced persistent threats.
-keywords: introduction to Microsoft Defender for Endpoint, introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
+keywords: introduction to Microsoft Defender for Endpoint, introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender for Endpoint, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
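Review bot: The rename makes the keywords list contain "introduction to Microsoft Defender for Endpoint" twice (first and third entries). Either drop the duplicate or keep "introduction to Microsoft Defender ATP" in the third slot, since the old product name is the term many searches will still use; the same line still keeps "introduction to Microsoft Defender Advanced Threat Protection", presumably for that reason.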
security Mssp List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-list.md
Title: Supported managed security service providers
-description: See the list of MSSPs that Microsoft Defender ATP integrates with
+description: See the list of MSSPs that Microsoft Defender for Endpoint integrates with
keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150
security Mssp Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-support.md
Title: Managed security service provider (MSSP) partnership opportunities
-description: Understand how Microsoft Defender ATP integrates with managed security service providers (MSSP)
+description: Understand how Microsoft Defender for Endpoint integrates with managed security service providers (MSSP)
keywords: mssp, integration, managed, security, service, provider search.product: eADQiWindows 10XVcnh search.appverid: met150
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
ms.technology: mde
>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+> [!NOTE]
+> The [Network device discovery and vulnerability assessments](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/network-device-discovery-and-vulnerability-assessments/ba-p/2267548) Blog \(published 04-13-2021\) provides insights into the new **Network device discovery** capabilities in Defender for Endpoint. This article provides an overview of the challenge that **Network device discovery** is designed to address, and detailed information about how get started using these new capabilities.
+ Network discovery capabilities are available in the **Device inventory** section of the Microsoft 365 security center and Microsoft Defender Security Center consoles. A designated Microsoft Defender for Endpoint device will be used on each network segment to perform periodic authenticated scans of preconfigured network devices. Once discovered, Defender for EndpointΓÇÖs threat and vulnerability management capabilities provide integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.
Your first step is to select a device that will perform the authenticated networ
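Review bot: Typo in the added note: "how get started" should be "how to get started". In the next added paragraph the apostrophe in "Defender for EndpointΓÇÖs" is a smart quote that has come through as mojibake; use a plain ASCII apostrophe so it renders on every platform.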
- login.microsoftonline.com - *.blob.core.windows.net/networkscannerstable/ *
- Note: Not all URLs are specified in the Defender for Endpoint documented list of allowed data collection.
+ > [!NOTE]
+ > Not all URLs are specified in the Defender for Endpoint documented list of allowed data collection.
## Permissions
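Review bot: The allow-list entry `*.blob.core.windows.net/networkscannerstable/ *` has a space before the trailing `*`; readers will copy it into firewall and proxy rules as written, so it should read `*.blob.core.windows.net/networkscannerstable/*`. The new NOTE says these URLs are not all in the documented data-collection allow list but does not link to that list; a link, plus a sentence stating that the scanner endpoints must be allowed separately, would save readers a support case.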
-To configure assessment jobs, the following user permission option is required: **Manage security settings in Security Center**. You can find the permission by going to **Settings** > **Roles**. For more information, see [Create and manage roles for role-based access control](user-roles.md)
+To configure assessment jobs, the following user permission option is required: **Manage security settings in Security Center**. You can find the permission by going to **Settings** > **Roles**. For more information, see [Create and manage roles for role-based access control](user-roles.md).
## Install the network scanner
-1. Go to **Microsoft 365 security** > **Settings** > **Endpoints** > **Assessment jobs** (under 'Network assessments').
+1. Go to **Microsoft 365 security** > **Settings** > **Endpoints** > **Assessment jobs** (under **Network assessments**).
1. In the Microsoft Defender Security Center, go to Settings > Assessment jobs page. 2. Download the network scanner and install it on the designated Defender for Endpoint assessment device.
-![Download scanner button](images/assessment-jobs-download-scanner.png)
+ > [!div class="mx-imgBorder"]
+ > ![Download scanner button](images/assessment-jobs-download-scanner.png)
## Network scanner installation & registration
The signing-in process can be completed on the designated assessment device itse
To complete the network scanner registration process: 1. Copy and follow the URL that appears on the command line and use the provided installation code to complete the registration process.
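Review bot: The numbered list under "Install the network scanner" now has two "1." items (the Microsoft 365 security path and the Microsoft Defender Security Center path) followed by "2. Download the network scanner". If the two portal paths are alternatives, fold them into one step ("In Microsoft 365 security, go to ..., or in the Microsoft Defender Security Center, go to ...") so the download is step 2 and the numbering matches the rest of the article.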
- - Note: You may need to change Command Prompt settings to be able to copy the URL.
+
+ > [!NOTE]
+ > You may need to change Command Prompt settings to be able to copy the URL.
2. Enter the code and sign in using a Microsoft account that has the Defender for Endpoint permission called "Manage security settings in Security Center."
In the Assessment jobs page in **Settings**, select **Add network assessment job
To prevent device duplication in the network device inventory, make sure each IP address is configured only once across multiple assessment devices.
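Review bot: Step 2 says to sign in with "a Microsoft account that has the Defender for Endpoint permission"; "Microsoft account" normally means a personal consumer account, whereas the Permissions section above says this permission is assigned through **Settings** > **Roles**, that is, to an organizational account. "A work or school account that has been assigned the Manage security settings in Security Center permission" would avoid the confusion.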
-![Add network assessment job button](images/assessment-jobs-add.png)
+> [!div class="mx-imgBorder"]
+> ![Add network assessment job button](images/assessment-jobs-add.png)
Adding a network assessment job steps:
-1. Choose an ΓÇÿAssessment jobΓÇÖ name and the ΓÇÿAssessment deviceΓÇÖ on which the network scanner was installed. This device will perform the periodic authenticated scans.
+1. Choose an ΓÇÿAssessment jobΓÇÖ name and the ΓÇÿAssessment deviceΓÇÖ on which the network scanner was installed. This device will perform the periodic authenticated scans.
+ 2. Add IP addresses of target network devices to be scanned (or the subnets where these devices are deployed). + 3. Add required SNMP credentials of the target network devices. + 4. Save the newly configured network assessment job to start the periodic network scan. ### Scan and add network devices
Once the results show up, you can choose which devices will be included in the p
Newly discovered devices will be shown under the new **Network devices** tab in the **Device inventory** page. It may take up to two hours after adding an assessment job until the devices are updated.
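Review bot: The removed and added versions of step 1 render identically here, with the quotation marks around "Assessment job" and "Assessment device" appearing as mojibake (ΓÇÿ...ΓÇÖ) in both; whatever the intended change, replace the curly quotes with straight ones or with the **bold** UI-label convention used elsewhere in this article so they render reliably. Step 3 ("Add required SNMP credentials of the target network devices") says nothing about which SNMP versions are accepted or how the credentials are protected on the assessment device, which is the first question an administrator handing over network-device credentials will ask; a sentence on that, or a link to where it is documented, belongs here.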
-![Network devices section in the Device inventory](images/assessment-jobs-device-inventory.png)
+> [!div class="mx-imgBorder"]
+> ![Network devices section in the Device inventory](images/assessment-jobs-device-inventory.png)
## Troubleshooting ### Network scanner installation has failed
-Verify that the required URLs are added to the allowed domains in your firewall settings. Also, make sure proxy settings are configured as described in [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)
+Verify that the required URLs are added to the allowed domains in your firewall settings. Also, make sure proxy settings are configured as described in [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
### The Microsoft.com/devicelogin web page did not show up
security Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection.md
Network protection extends the protection in [Web protection](web-protection-ove
For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. > [!TIP]
-> See the Microsoft Defender ATP testground site at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how network protection works.
+> See the Microsoft Defender for Endpoint testground site at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how network protection works.
Network protection works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into exploit protection events and blocks as part of [alert investigation scenarios](investigate-alerts.md).
security Next Gen Threat And Vuln Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt.md
Title: Threat and vulnerability management description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, microsoft defender atp, microsoft defender atp, endpoint vulnerabilities, next generation
+keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, microsoft defender for endpoint, microsoft defender atp, endpoint vulnerabilities, next generation
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
Title: Microsoft Defender ATP for non-Windows platforms
-description: Learn about Microsoft Defender ATP capabilities for non-Windows platforms
+ Title: Microsoft Defender for Endpoint for non-Windows platforms
+description: Learn about Microsoft Defender for Endpoint capabilities for non-Windows platforms
keywords: non windows, mac, macos, linux, android search.product: eADQiWindows 10XVcnh ms.prod: m365-security
security Offboard Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machines.md
Title: Offboard devices from the Microsoft Defender ATP service
-description: Onboard Windows 10 devices, servers, non-Windows devices from the Microsoft Defender ATP service
+ Title: Offboard devices from the Microsoft Defender for Endpoint service
+description: Onboard Windows 10 devices, servers, non-Windows devices from the Microsoft Defender for Endpoint service
keywords: offboarding, microsoft defender for endpoint offboarding, windows atp offboarding search.product: eADQiWindows 10XVcnh search.appverid: met150
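Review bot: The description still says "Onboard Windows 10 devices, servers, non-Windows devices from the ... service" in an article titled "Offboard devices from the ... service"; it should read "Offboard Windows 10 devices, servers, and non-Windows devices from the Microsoft Defender for Endpoint service".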
security Onboard Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md
Title: Onboard devices to the Microsoft Defender ATP service
+ Title: Onboard devices to the Microsoft Defender for Endpoint service
description: Onboard Windows 10 devices, servers, non-Windows devices and learn how to run a detection test. keywords: onboarding, microsoft defender for endpoint onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test search.product: eADQiWindows 10XVcnh
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
Title: Onboard previous versions of Windows on Microsoft Defender ATP
-description: Onboard supported previous versions of Windows devices so that they can send sensor data to the Microsoft Defender ATP sensor
+ Title: Onboard previous versions of Windows on Microsoft Defender for Endpoint
+description: Onboard supported previous versions of Windows devices so that they can send sensor data to the Microsoft Defender for Endpoint sensor
keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level search.product: eADQiWindows 10XVcnh search.appverid: met150
security Onboard Offline Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-offline-machines.md
Title: Onboard devices without Internet access to Microsoft Defender for Endpoint
-description: Onboard devices without Internet access so that they can send sensor data to the Microsoft Defender ATP sensor
+description: Onboard devices without Internet access so that they can send sensor data to the Microsoft Defender for Endpoint sensor
keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma search.product: eADQiWindows 10XVcnh search.appverid: met150
security Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard.md
Title: Configure and manage Microsoft Defender ATP capabilities
+ Title: Configure and manage Microsoft Defender for Endpoint capabilities
-description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, and next-generation protection
+description: Configure and manage Microsoft Defender for Endpoint capabilities such as attack surface reduction and next-generation protection
keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls search.product: eADQiWindows 10XVcnh search.appverid: met150
localization_priority: Normal audience: ITPro-+
+ - M365-security-compliance
+ - m365initiative-m365-defender
ms.technology: mde
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**+ - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) > Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+Learn how to configure and manage Defender for Endpoint features, to get the best security protection for your organization.
-Configure and manage all the Defender for Endpoint capabilities to get the best security protection for your organization.
+For practical advice on connecting new devices in your organization, see [Onboard devices to the Microsoft Defender for Endpoint service](./onboard-configure.md).
+## In this section
-## In this section
-Topic | Description
+Topic | Description
:|:
-[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
+[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal-related settings such as general settings, advanced features, or enable the preview experience.
+[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | Configure attack surface reduction capabilities, to ensure that settings are properly applied, and exploit mitigation techniques are set.
[Configure next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) | Configure next-generation protection to catch all types of emerging threats.
-[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
-[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-integration)| Configure other solutions that integrate with Defender for Endpoint.
-[Management and API support](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
-[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal-related settings such as general settings, advanced features, enable the preview experience and others.
---
+[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage cybersecurity threat intelligence from Microsoft Threat Experts.
+[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-integration) | Configure other solutions that integrate with Defender for Endpoint.
+[Management and API support](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/management-apis) | Pull alerts to your Security Information and Event Management (SIEM) or use APIs to create custom alerts. Create and build Power BI reports.
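Review bot: the rewritten description in the attack surface reduction row repeats the link text and its commas make it read as three unrelated clauses ("Configure attack surface reduction capabilities, to ensure that settings are properly applied, and exploit mitigation techniques are set"); the removed wording stated the purpose better, so suggest something like "Ensure configuration settings are properly set and exploit mitigation techniques are applied so that these capabilities resist attacks and exploitation." Minor: the new onboarding sentence links `./onboard-configure.md` while every row in the table links a bare filename (`preferences-setup.md`, `configure-attack-surface-reduction.md`), so drop the `./` for consistency.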
security Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md
Title: Onboard to the Microsoft Defender for Endpoint service description: Learn how to onboard endpoints to Microsoft Defender for Endpoint service
-keywords:
+keywords: microsoft defender for endpoint, onboard, deploy
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
Title: Overview of attack surface reduction
-description: Learn about the attack surface reduction capabilities of Microsoft Defender ATP.
+description: Learn about the attack surface reduction capabilities of Microsoft Defender for Endpoint.
keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender for endpoint, microsoft defender, antivirus, av, windows defender search.product: eADQiWindows 10XVcnh search.appverid: met150
security Overview Endpoint Detection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response.md
Title: Overview of endpoint detection and response capabilities
-description: Learn about the endpoint detection and response capabilities in Microsoft Defender ATP
-keywords:
+description: Learn about the endpoint detection and response capabilities in Microsoft Defender for Endpoint
+keywords: microsoft defender for endpoint, endpoint detection and response, response, detection, cybersecurity, protection
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
Title: Partner applications in Microsoft Defender ATP
+ Title: Partner applications in Microsoft Defender for Endpoint
description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile
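Review bot: the replacement title is rendered as `+ Title: Partner applications in Microsoft Defender for Endpoint`, with a space between the marker and the key, and the removed line carries no `-` marker at all; the same shape appears in the partner-integration, prepare-deployment, preview-settings and preview commits below. If that leading space is really in the files, the title key is indented and the YAML front matter no longer parses, so check the raw commits rather than this rendering before merging.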
security Partner Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-integration.md
Title: Microsoft Defender ATP partner opportunities and scenarios
+ Title: Microsoft Defender for Endpoint partner opportunities and scenarios
-description: Learn how you can extend existing security offerings on top of the open framework and a rich set of APIs to build extensions and integrations with Microsoft Defender ATP
+description: Learn how you can extend existing security offerings on top of the open framework and a rich set of APIs to build extensions and integrations with Microsoft Defender for Endpoint
keywords: API, partner, extend, open framework, apis, extensions, integrations, detection, management, response, vulnerabilities, intelligence search.product: eADQiWindows 10XVcnh search.appverid: met150
security Prepare Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prepare-deployment.md
Title: Prepare Microsoft Defender ATP deployment
-description: Prepare stakeholder approval, timelines, environment considerations, and adoption order when deploying Microsoft Defender ATP
+ Title: Prepare Microsoft Defender for Endpoint deployment
+description: Prepare stakeholder approval, timelines, environment considerations, and adoption order when deploying Microsoft Defender for Endpoint
keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption search.product: eADQiWindows 10XVcnh search.appverid: met150
security Preview Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview-settings.md
Title: Turn on the preview experience in Microsoft Defender ATP
+ Title: Turn on the preview experience in Microsoft Defender for Endpoint
description: Turn on the preview experience in Microsoft Defender for Endpoint to try upcoming features. keywords: advanced features, settings, block file search.product: eADQiWindows 10XVcnh
security Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview.md
Title: Microsoft Defender ATP preview features
+ Title: Microsoft Defender for Endpoint preview features
description: Learn how to access Microsoft Defender for Endpoint preview features. keywords: preview, preview experience, Microsoft Defender for Endpoint, features, updates search.product: eADQiWindows 10XVcnh
security Raw Data Export Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-event-hub.md
Title: Stream Microsoft Defender for Endpoint events to Azure Event Hubs
-description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Event Hub.
+description: Learn how to configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Event Hub.
keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150
security Troubleshoot Performance Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues.md
+
+ Title: Troubleshoot performance issues
+description: Troubleshoot high CPU usage related to the real-time protection service in Microsoft Defender for Endpoint.
+keywords: troubleshoot, performance, high CPU utilization, high CPU usage, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: normal
+ Last updated : 04/14/2021
+audience: ITPro
+
+ms.technology: mde
++
+# Troubleshoot performance issues related to real-time protection
++++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+If your system is having high CPU usage or performance issues related to the real-time protection service in Microsoft Defender for Endpoint, you can submit a ticket to Microsoft support. Follow the steps in [Collect Microsoft Defender AV diagnostic data](/collect-diagnostic-data.md).
+
+As an admin, you can also troubleshoot these issues on your own.
+
+First, you might want to check if the issue is being caused by another software. Read [Check with vendor for antivirus exclusions](#check-with-vendor-for-antivirus-exclusions).
+
+Otherwise, you can identify which software is related to the identified performance issue by following the steps in [Analyze the Microsoft Protection Log](#analyze-the-microsoft-protection-log).
+
+You can also provide additional logs to your submission to Microsoft support by following the steps in:
+- [Capture process logs using Process Monitor](#capture-process-logs-using-process-monitor)
+- [Capture performance logs using Windows Performance Recorder](#capture-performance-logs-using-windows-performance-recorder)
+
+## Check with vendor for antivirus exclusions
+
+If you can readily identify the software affecting system performance, go to the software vendor's knowledge base or support center. Search if they have recommendations about antivirus exclusions. If the vendor's website does not have them, you can open a support ticket with them and ask them to publish one.
+
+We recommend that software vendors follow the various guidelines in [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/). The vendor can submit their software through the [Microsoft Defender Security Intelligence portal (MDSI)](https://www.microsoft.com/wdsi/filesubmission?persona=SoftwareDeveloper).
++
+## Analyze the Microsoft Protection Log
+
+In **MPLog-xxxxxxxx-xxxxxx.log**, you can find the estimated performance impact information of running software as *EstimatedImpact*:
+
+`Per-process counts:ProcessImageName: smsswd.exe, TotalTime: 6597, Count: 1406, MaxTime: 609, MaxTimeFile: \Device\HarddiskVolume3\_SMSTaskSequence\Packages\WQ1008E9\Files\FramePkg.exe, EstimatedImpact: 65%`
+
+| Field name | Description |
+|||
+|ProcessImageName | Process image name |
+| TotalTime | The cumulative duration in milliseconds spent in scans of files accessed by this process |
+|Count | The number of scanned files accessed by this process |
+|MaxTime | The duration in milliseconds in the longest single scan of a file accessed by this process |
+| MaxTimeFile | The path of the file accessed by this process for which the longest scan of `MaxTime` duration was recorded |
+| EstimatedImpact | The percentage of time spent in scans for files accessed by this process out of the period in which this process experienced scan activity |
+
+If the performance impact is high, try adding the process to the Path/Process exclusions by following the steps in [Configure and validate exclusions for Microsoft Defender Antivirus scans](collect-diagnostic-data.md).
+
+If the previous step doesn't solve the problem, you can collect more information through the [Process Monitor](#capture-process-logs-using-process-monitor) or the [Windows Performance Recorder](#capture-performance-logs-using-windows-performance-recorder) in the following sections.
+  
+## Capture process logs using Process Monitor
+
+Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time processes. You can use this to capture the performance issue as it is occurring.
+
+1. Download [Process Monitor v3.60](/sysinternals/downloads/procmon) to a folder like `C:\temp`.
+
+2. To remove the file's mark of the web:
+ 1. Right-click **ProcessMonitor.zip** and select **Properties**.
+ 1. Under the *General* tab, look for *Security*.
+ 1. Check the box beside **Unblock**.
+ 1. Select **Apply**.
+
+ ![Remove MOTW](images/procmon-motw.png)
+
+3. Unzip the file in `C:\temp` so that the folder path will be `C:\temp\ProcessMonitor`.
+
+4. Copy **ProcMon.exe** to the Windows client or Windows server you're troubleshooting.
+
+5. Before running ProcMon, make sure all other applications not related to the high CPU usage issue are closed. Doing this will minimize the number of processes to check.
+
+6. You can launch ProcMon in two ways.
+ 1. Right-click **ProcMon.exe** and select **Run as administrator**.
+
+
+ Since logging starts automatically, select the magnifying glass icon to stop the current capture or use the keyboard shortcut **Ctrl+E**.
+
+ ![magnifying glass icon](images/procmon-magglass.png)
+
+ To verify that you have stopped the capture, check if the magnifying glass icon now appears with a red X.
+
+ ![red slash](images/procmon-magglass-stop.png)
+
+ Next, to clear the earlier capture, select the eraser icon.
+
+ ![clear icon](images/procmon-eraser-clear.png)
+
+ Or use the keyboard shortcut **Ctrl+X**.
+
+ 2. The second way is to run the **command line** as admin, then from the Process Monitor path, run:
+
+ ![cmd procmon](images/cmd-procmon.png)
+
+ ```console
+ Procmon.exe /AcceptEula /Noconnect /Profiling
+ ```
+
+ >[!TIP]
+ >Make the ProcMon window as small as possible when capturing data so you can easily start and stop the trace.
+ >
+ >![Minimize Procmon](images/procmon-minimize.png)
+
+7. After following one of the procedures in step 6, you'll next see an option to set filters. Select **OK**. You can always filter the results after the capture is completed.
+
+ ![Filter out Process Name is System Exclude](images/procmon-filter-options.png)
+
+8. To start the capture, select the magnifying glass icon again.
+  
+9. Reproduce the problem.
+
+ >[!TIP]
+ >Wait for the problem to be fully reproduced, then take note of the timestamp when the trace started.
+
+
+10. Once you have two to four minutes of process activity during the high CPU usage condition, stop the capture by selecting the magnifying glass icon.
+
+11. To save the capture with a unique name and with the .pml format, select **File** then select **Save...**. Make sure to select the radio buttons **All events** and **Native Process Monitor Format (PML)**.
+
+ ![save settings](images/procmon-savesettings1.png)
+
+12. For better tracking, change the default path from `C:\temp\ProcessMonitor\LogFile.PML` to `C:\temp\ProcessMonitor\%ComputerName%_LogFile_MMDDYEAR_Repro_of_issue.PML` where:
+ - `%ComputerName%` is the device name
+ - `MMDDYEAR` is the month, day, and year
+ - `Repro_of_issue` is the name of the issue you're trying to reproduce
+
+ >[!TIP]
+ > If you have a working system, you might want to get a sample log to compare.
+
+13. Zip the .pml file and submit it to Microsoft support.
++
+## Capture performance logs using Windows Performance Recorder
+
+You can use Windows Performance Recorder (WPR) to include additional information in your submission to Microsoft support. WPR is a powerful recording tool that creates Event Tracing for Windows recordings.
+
+WPR is part of the Windows Assessment and Deployment Kit (Windows ADK) and can be downloaded from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). You can also download it as part of the Windows 10 Software Development Kit at [Windows 10 SDK](https://developer.microsoft.com/windows/downloads/windows-10-sdk/).
+
+You can use the WPR user interface by following the steps in [Capture performance logs using the WPR UI](#capture-performance-logs-using-the-wpr-ui).
+
+Alternatively, you can also use the command-line tool *wpr.exe*, which is available in Windows 8 and later versions by following the steps in [Capture performance logs using the WPR CLI](#capture-performance-logs-using-the-wpr-cli).
++
+### Capture performance logs using the WPR UI
+
+>[!TIP]
+>If you have multiple devices where the issue is occurring, use the one which has the most amount of RAM.
+
+1. Download and install WPR.
+
+2. Under *Windows Kits*, right-click **Windows Performance Recorder**.
+
+ ![Start menu](images/wpr-01.png)
+
+ Select **More**. Select **Run as administrator**.
+
+3. When the User Account Control dialog box appears, select **Yes**.
+
+ ![UAC](images/wpt-yes.png)
+
+4. Next, download the [Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp) profile and save as `WD.wprp` to a folder like `C:\temp`.
+
+5. On the WPR dialog box, select **More options**.
+
+ ![Select more options](images/wpr-03.png)
+
+6. Select **Add Profiles...** and browse to the path of the `WD.wprp` file.
+
+7. After that, you should see a new profile set under *Custom measurements* named *Microsoft Defender for Endpoint analysis* underneath it.
+ ![in-file](images/wpr-infile.png)
+ >[!WARNING]
+ >If your Windows Server has 64 GB of RAM or more, use the custom measurement `Microsoft Defender for Endpoint analysis for large servers` instead of `Microsoft Defender for Endpoint analysis`. Otherwise, your system could consume a high amount of non-paged pool memory or buffers which can lead to system instability. You can choose which profiles to add by expanding **Resource Analysis**.
+ This custom profile provides the necessary context for in-depth performance analysis.
+
+8. To use the custom measurement Microsoft Defender for Endpoint verbose analysis profile in the WPR UI:
+
+ 1. Ensure no profiles are selected under the *First-level triage*, *Resource Analysis* and *Scenario Analysis* groups.
+ 2. Select **Custom measurements**.
+ 3. Select **Microsoft Defender for Endpoint analysis**.
+ 4. Select **Verbose** under *Detail* level.
+ 1. Select **File** or **Memory** under Logging mode.
+
+ >[!important]
+ >You should select *File* to use the file logging mode if the performance issue can be reproduced directly by the user. Most issues fall under this category. However, if the user cannot directly reproduce the issue but can easily notice it once the issue occurs, the user should select *Memory* to use the memory logging mode. This ensures that the trace log will not inflate excessively due to the long run time.
+
+9. Now you're ready to collect data. Exit all the applications that are not relevant to reproducing the performance issue. You can select **Hide options** to keep the space occupied by the WPR window small.
+
+ ![Hipe options](images/wpr-08.png)
+
+ >[!TIP]
+ >Try starting the trace at whole number seconds. For instance, 01:30:00. This will make it easier to analyze the data. Also try to keep track of the timestamp of exactly when the issue is reproduced.
+
+10. Select **Start**.
+
+ ![Select start of trace](images/wpr-09.png)
+
+11. Reproduce the issue.
+
+ >[!TIP]
+ >Keep the data collection to no more than five minutes. Two to three minutes is a good range since a lot of data is being collected.
+
+12. Select **Save**.
+
+ ![Select save](images/wpr-10.png)
+
+13. Fill up **Type in a detailed description of the problem:** with information about the problem and how you reproduced the issue.
+
+ ![Fill up details](images/wpr-12.png)
+
+ 1. Select **File Name:** to determine where your trace file will be saved. By default, it 1.is saved to `%user%\Documents\WPR Files\`.
+ 1. Select **Save**. 
+
+14. Wait while the trace is being merged.
+
+    ![WPR gathering general trace](images/wpr-13.png)
+
+15. Once the trace is saved, select **Open folder**.
+
+ ![WPR trace saved](images/wpr-14.png)
+
+ Include both the file and the folder in your submission to Microsoft support.
+
+ ![File and folder](images/wpr-15.png)
+
+### Capture performance logs using the WPR CLI
+
+The command-line tool *wpr.exe* is part of the operating system starting with Windows 8. To collect a WPR trace using the command-line tool wpr.exe:
+
+1. Download **[Microsoft Defender for Endpoint analysis](https://github.com/YongRhee-MDE/Scripts/blob/master/MDAV.wprp)** profile for performance traces to a file named `WD.wprp` in a local directory such as `C:\traces`.
+
+3. Right-click the **Start Menu** icon and select **Windows Powershell (Admin)** or **Command Prompt (Admin)** to open an Admin command prompt window.
+
+4. When the User Account Control dialog box appears, select **Yes**.
+
+5. At the elevated prompt, run the following command to start a Microsoft Defender for Endpoint performance trace:
+
+ ```console
+ wpr.exe -start C:\traces\WD.wprp!WD.Verbose -filemode
+ ```
+
+ >[!WARNING]
+ >If your Windows Server has 64 GB or RAM or more, use profiles `WDForLargeServers.Light` and `WDForLargeServers.Verbose` instead of profiles `WD.Light` and `WD.Verbose`, respectively. Otherwise, your system could consume a high amount of non-paged pool memory or buffers which can lead to system instability.
+
+6. Reproduce the issue.
+
+ >[!TIP]
+ >Keep the data collection no to more than five minutes. Depending on the scenario, two to three minutes is a good range since a lot of data is being collected.
+
+7. At the elevated prompt, run the following command to stop the performance trace, making sure to provide information about the problem and how you reproduced the issue:
+
+ ```console
+ wpr.exe -stop merged.etl "Timestamp when the issue was reproduced, in HH:MM:SS format" "Description of the issue" "Any error that popped up"
+ ```
+
+8. Wait until the trace is merged.
+
+9. Include both the file and the folder in your submission to Microsoft support.
+
+## See also
+
+- [Collect Microsoft Defender AV diagnostic data](collect-diagnostic-data.md)
+- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
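Review bot: two cross-links in the new page point at the wrong place. The opening paragraph links `[Collect Microsoft Defender AV diagnostic data](/collect-diagnostic-data.md)` with a leading slash, which resolves against the site root instead of the sibling file that the See also list correctly links as `collect-diagnostic-data.md`; and the exclusions advice under "Analyze the Microsoft Protection Log" links the text "Configure and validate exclusions for Microsoft Defender Antivirus scans" to `collect-diagnostic-data.md` instead of `configure-exclusions-microsoft-defender-antivirus.md` (again, the See also entry has the right target). While fixing that sentence, it should say that a process exclusion stops scanning of every file the excluded process opens, so a narrow path exclusion that is then validated is the safer first step; as written, "try adding the process to the Path/Process exclusions" invites a standing gap in protection. Supply-chain point: both WPR procedures tell admins to download a `.wprp` profile from a personal GitHub account (`github.com/YongRhee-MDE/Scripts`) and load it in an elevated session; official guidance should host the profile under a Microsoft-controlled location, or at least publish its hash, before asking readers to do that. Smaller items: pinning "Process Monitor v3.60" in the download step will go stale, so drop the version; the UI section calls the custom measurement "Microsoft Defender for Endpoint verbose analysis profile" in step 8 but "Microsoft Defender for Endpoint analysis" everywhere else, and that step's sub-list is numbered 1, 2, 3, 4, 1; step 13 has a stray "1." inside "it 1.is saved to", and `%user%` is not a Windows environment variable (the default is the user's Documents folder, `%USERPROFILE%\Documents\WPR Files\`); the CLI steps are numbered 1, 3, 4, 5; the CLI warning says "64 GB or RAM", the CLI tip says "no to more than five minutes", and the alt text "Hipe options" should be "Hide options".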
security Get Incident Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-incident-notifications.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-You can set up Microsoft 365 Defender to notify you by email every time there are new incidents or new updates to existing incidents.
+You can set up Microsoft 365 Defender to notify your staff with an email about new incidents or updates to existing incidents. You can choose to get notifications based on:
-You can choose to get notifications based on incident severity or by device group. You can also choose to get a notification only on the first update per incident.
+- Incident severity.
+- Device group.
+- Only on the first update per incident.
-You can add or remove recipients in the email notifications. Newly added recipients get notified about incidents after they're added.
+The email notification contains important details about the incident like the incident name, severity, and categories, among others. You can also go directly to the incident and start your investigation right away. For more information, see [Investigate incidents](investigate-incidents.md).
-The email notification contains important details about the incident like the incident name, severity, and categories, among others. You can also directly go to incidents so you can start your investigation right away. For more on investigating incidents, see [Investigate incidents in Microsoft 365 Defender](./investigate-incidents.md).
+You can add or remove recipients in the email notifications. New recipients get notified about incidents after they're added.
>[!NOTE]
->You need 'Manage security settings' permissions to configure email notification settings. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications for you. <br> <br>
+>You need the 'Manage security settings' permission to configure email notification settings. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications for you. <br> <br>
Likewise, if your organization is using role-based access control (RBAC), you can only create, edit, delete, and receive notifications based on device groups that you are allowed to manage.
-## Create rules for incident notifications
+## Create a rule for email notifications
-To set up your first email notification for incidents, create a new rule and customize email notification settings.
+Follow these steps to create a new rule and customize email notification settings.
-1. In the navigation pane, select **Settings** > **Incident email notifications**.
+1. In the navigation pane, select **Settings > Microsoft 365 Defender > Incident email notifications**.
2. Select **Add item**.
-3. Give the rule a name in **Name** and supply a **Description**.
+3. On the **Basics** page, type the rule name and a description, and then select **Next**.
+4. On the **Notification settings** page, configure:
+ - **Alert severity** - Choose the alert severities that will trigger an incident notification. For example, if you only want to be informed about high-severity incidents, select **High**.
+ - **Device group scope** - You can specify all device groups or select from the list of device groups in your tenant.
+ - **Only notify on first occurrence per incident** - Select if you want a notification only on the first alert that matches your other selections. Later updates or alerts related to the incident won't send additional notifications.
+ - **Include organization name in the email** - Select if you want your organization name to appear in the email notification.
+ - **Include tenant-specific portal link** - Select if you want to add a link with the tenant ID in the email notification for access to a specific Microsoft 365 tenant.
- ![Create rule window for incident email notifs](../../media/incidentemailnotif1.png)
-4. Select **Next** to go to **Notification settings**. Here you can specify:
- - **Alert severity** - Choose the alert severity that will trigger an incident notification. For example, if you only want to be informed about High severity incidents, select High.
- - **Device group scope** - This dropdown displays all the device groups the user can access. Select which device groups you're creating the incident notification rules for.
- - **Only notify on first occurrence per incident** - Selecting this option will send an email notification only on the first alert that matches your other selections. Later updates or alerts related to the incident won't trigger a notification.
- - **Include organization name** - Indicates whether the customer name appears on the email notification or not.
- - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
-
- ![Notif settings window for incident email notifs](../../media/incidentemailnotif2.png)
-5. Select **Next** to go the **Recipients** section. Here you can specify email addresses that will receive the incident email notifications. Select **Add a recipient** after typing every email address.
+ :::image type="content" source="../../media/get-incident-notifications/incidents-ss-email-notification-settings.png" alt-text="Notification settings for incident email notifications":::
- ![Add recipients window for incident email notifs](../../media/incidentemailnotif3.png)
+5. Select **Next**. On the **Recipients** page, add the email addresses that will receive the incident notifications. Select **Add** after typing each new email address. To test notifications and ensure that the recipients receive them in the inboxes, select **Send test email**.
+6. Select **Next**. On the **Review rule** page, review the settings of the rule, and then select **Create rule**. Recipients will start receiving incident notifications through email based on the settings.
-6. Finally, select **Next** to go to **Review rule** so you can see all the settings associated with your new rule. Recipients will start receiving incident notifications through email based on the settings.
+To edit an existing rule, select it from the list of rules. On the pane with the rule name, select **Edit rule** and make your changes on the **Basics**, **Notification settings**, and **Recipients** pages.
+
+To edit an existing rule, select it from the list of rules. On the pane with the rule name, select **Delete**.
## See also-- [Incidents overview in Microsoft 365 Defender](./incidents-overview.md)-- [Prioritize incidents in Microsoft 365 Defender](./incident-queue.md)-- [Investigate incidents in Microsoft 365 Defender](./investigate-incidents.md)
+- [Incidents overview](incidents-overview.md)
+- [Prioritize incidents](incident-queue.md)
+- [Investigate incidents](investigate-incidents.md)
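Review bot: the last two paragraphs of the rewritten page both open "To edit an existing rule, select it from the list of rules", but the second ends with "select **Delete**", so it is a copy-paste duplicate and should open "To delete an existing rule". Minor: in the Recipients step, "ensure that the recipients receive them in the inboxes" reads better as "in their inboxes".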
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
You get to the incident queue from **Incidents & alerts > Incidents** on the qui
:::image type="content" source="../../media/incidents-queue/incidents-ss-incidents.png" alt-text="Example of the incident queue":::
-By default, the queue in the Microsoft 365 security center displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first.
+By default, the incident queue in the Microsoft 365 security center displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first.
-The incident queue has customizable columns (select **Choose columns**) that give you visibility into different characteristics of the incident or the impacted entities. This helps you make an informed decision regarding the prioritization of incidents for anaylsis.
+The incident queue has customizable columns (select **Choose columns**) that give you visibility into different characteristics of the incident or the impacted entities. This helps you make an informed decision regarding the prioritization of incidents for analysis.
For additional visibility at a glance, automatic incident naming generates incident names based on alert attributes such as the number of endpoints affected, users affected, detection sources, or categories. This allows you to quickly understand the scope of the incident.
After you resolve the incident, take a moment to learn from it to:
- Understand the type of the attack and its impact. - Research the attack in the security community for a security attack trend.-- Recall the workflow you used to resolve the incident and update your standard workflows and plalbooks as needed.
+- Recall the workflow you used to resolve the incident and update your standard workflows and playbooks as needed.
Here's a summary of the basic process.
security Incidents Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md
Because piecing the individual alerts together to gain insight into an attack ca
Watch this short overview of incidents in Microsoft 365 Defender (4 minutes). <br>
-<br>
+ >[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bzwz?] Grouping related alerts into an incident gives you a comprehensive view of an attack. For example, you can see:
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-Alerts are the basis of all incidents and indicate the occurrence of malicious or suspicious events in your environment. Alerts are typically part of a broader attack and provide pieces of clues about an incident.
+Alerts are the basis of all incidents and indicate the occurrence of malicious or suspicious events in your environment. Alerts are typically part of a broader attack and provide clues about an incident.
-In Microsoft 365 Defender, related alerts are aggregated together to form incidents. Incidents will always provide the broader context of an attack, however, investigating alerts can be valuable when deeper analysis is required.
+In Microsoft 365 Defender, related alerts are aggregated together to form [incidents](incidents-overview.md). Incidents will always provide the broader context of an attack, however, investigating alerts can be valuable when deeper analysis is required.
+The **Alerts queue** shows the current set of alerts. You get to the alerts queue from **Incidents & alerts > Alerts** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)).
-## Using alert pages in investigations
+Alerts from different Microsoft security solutions like Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft 365 Defender appear here.
-From the Alerts tab of any incident page, selecting an alert brings you to the individual alert pages. An alert page is composed of three sections: affected assets, alert story, and the details pane.
+By default, the alerts queue in the Microsoft 365 security center displays the new and in progress alerts from the last 30 days. The most recent alert is at the top of the list so you can see it first.
-![Image of example alert page](../../media/new-alert-page2.png)
+From the default alerts queue, you can select **Filters** to see a **Filters** pane, from which you can specify a subset of the alerts. Here's an example.
-Throughout an alert page, you can select the three-dot icon (**...**) beside any entity so you can see available actions like opening the specific asset page or doing specific remediation steps.
+
+You can filter alerts according to these criteria:
+
+- Severity
+- Status
+- Category
+- Detection source
+- Tags
+- Policy
+- Impacted assets
+
+## Analyze an alert
+
+To see the main alert page, select the name of the alert. Here's an example.
++
+You can also select the **Open the main alert page** action from the **Manage alert** pane.
+
+An alert page is composed of these sections:
+
+- Alert story
+- Actions taken (including impacted assets)
+- Related events
+- Summary details
++
+Throughout an alert page, you can select the ellipses (**...**) beside any entity to see available actions, such as opening the specific asset page or taking specific remediation steps.
### Analyze affected assets
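Review bot: in `Throughout an alert page, you can select the ellipses (**...**) beside any entity`, "ellipses" should be the singular "ellipsis", since it names one icon (the removed wording "three-dot icon" was also fine). Two smaller points in the same hunk: "the new and in progress alerts from the last 30 days" should hyphenate "in-progress", and each "Here's an example." is followed only by an empty `+` line, so confirm the screenshot markup those sentences refer to is actually present in the source file.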
-The affected assets section lists mailboxes, devices, and users affected by this alert. Selecting any of the asset cards populates the details side pane with information, including other alerts that occurred involving the assets, if any.
+The **Actions taken** section has a list of impacted assets, such as mailboxes, devices, and users affected by this alert.
+
+You can also select **View in action center** to view the **History** tab of the **Action center** in the Microsoft 365 security center.
### Trace an alert's role in the alert story
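Review bot: the unchanged heading `### Analyze affected assets` no longer matches its rewritten body, which now describes the **Actions taken** section; the section list added earlier in this file calls it "Actions taken (including impacted assets)". Rename the heading to match, for example `### Analyze actions taken and impacted assets`, so readers coming from that list find the right section.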
-The alert story displays all assets or entities related to the alert in a process tree view. The alert in the title is the one in focus when you first land on your selected alert's page. Assets in the alert story are expandable and clickable. They provide additional information and expedite response by allowing you to take actions right in the context of the alert page.
+
+The alert story displays all assets or entities related to the alert in a process tree view. The alert in the title is the one in focus when you first land on your selected alert's page. Assets in the alert story are expandable and clickable. They provide additional information and expedite your response by allowing you to take action right in the context of the alert page.
> [!NOTE] > The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
-### View more alert information in the details pane
+### View more alert information on the details page
-The details pane shows the details of the selected alert at first, with details and actions related to it. If you select any of the affected assets or entities in the alert story, the details pane changes to provide contextual information and actions for the selected object.
+The details page shows the details of the selected alert, with details and actions related to it. If you select any of the affected assets or entities in the alert story, the details page changes to provide contextual information and actions for the selected object.
-Once you've selected an entity of interest, the details pane changes to display information about the selected entity type, historic information when it's available, and options to take action on this entity directly from the alert page.
+Once you've selected an entity of interest, the details page changes to display information about the selected entity type, historic information when it's available, and options to take action on this entity directly from the alert page.
-### Manage alerts
+## Manage alerts
-Once you're done investigating the alerts, you can go back to the alert you started with, mark the alert's status as Resolved and classify it as either a False alert or True alert. Classifying alerts helps tune your product to provide more true alerts and less false alerts.
-
-> [!NOTE]
-> One way of managing alerts it through the use of tags. The tagging capability for Microsoft Defender for Office 365 in incrementally being rolled out and is currently in preview. <br>
-> Currently, modified tag names are only applied to alerts created *after* the update. Alerts that were generated prior to the modification will not reflect the updated tag name.
+To manage an alert, select the alert in the alerts queue on its row to see a **Manage alert** pane. Here's an example.
-## Manage the unified alert queue
+The **Manage alert** pane allows you to specify:
-Selecting Alerts under Incidents & Alerts in the Microsoft 365 security center navigation pane brings you to the unified alert queue. Alerts from different Microsoft security solutions like Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft 365 Defender appear in this section.
+- The alert status (New, Resolved, In progress).
+- The alert's classification (Not set, True alert, False Alert).
+- For the classification as a true alert, the type of threat for the alert in **Determination** field.
+- A comment on the alert.
-![Image of sample alert page](../../media/unified-alert-queue.png)
+> [!NOTE]
+> One way of managing alerts it through the use of tags. The tagging capability for Microsoft Defender for Office 365 is incrementally being rolled out and is currently in preview. <br>
+> Currently, modified tag names are only applied to alerts created *after* the update. Alerts that were generated before the modification will not reflect the updated tag name.
-The Alerts queue shows a list of alerts that were flagged in your network. By default, the queue displays alerts seen in the last 30 days. The most recent alerts are shown at the top of the list helping you see the most recent alerts first.
+From this pane, you can also perform these additional actions:
-> [!NOTE]
-> At the time of launch, the unified alerts queue will only have 7 daysΓÇÖ worth of Microsoft Defender for Office 365 alerts available.
-The queue will continue to build over time. If you need to triage alerts prior to the launch of the unified alerts queue, use the alerts queue in the [Security and Compliance Center](https://protection.office.com/viewalerts).
+- Open the main alert page
+- Consult a Microsoft threat expert
+- View submission
+- Link to another incident
+- See the alert in a timeline
+- Create a suppression rule
+Here's an example.
-On the top navigation, you can:
-- Apply filters-- Customize columns to add or remove columns-- Export data
+The list of additional actions depends on the type of alert.
-You can also filter alerts according to different criteria:
+## Resolve an alert
-- Severity-- Status-- Category-- Detection source-- Policy-- Impacted assets-- First activity-- Last activity
+Once you're done investigating an alert and it can be resolved, go to the **Manage alert** pane for the alert and mark the it status as **Resolved** and classify it as either a **False alert** or **True alert**. For true alerts, specify the alert's threat type in the **Determination** field.
+Classifying alerts and specifying their determination helps tune Microsoft 365 Defender to provide more true alerts and less false alerts.
-To start an investigation on an incident, read [Investigate incidents in Microsoft 365 Defender](investigate-incidents.md)
## See also - [Incidents overview](incidents-overview.md)
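Review bot: two typos in the added text: `mark the it status as **Resolved**` should read "mark its status as **Resolved**", and `One way of managing alerts it through the use of tags` should read "is through" (carried over from the removed note). Smaller points in the same hunk: "less false alerts" should be "fewer false alerts"; the classification value is written `False Alert` in the **Manage alert** list but `**False alert**` under "Resolve an alert", so use one casing; "in **Determination** field" is missing "the"; and "The details page shows the details of the selected alert, with details and actions related to it" repeats "details" three times and reads better as "The details page shows the selected alert, with related details and actions".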
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
ms.technology: m365d
- Microsoft 365 Defender
-Microsoft 365 Defender aggregates all related alerts, assets, investigations and evidence from across your devices, users, and mailboxes into an incident to give you a comprehensive look into the entire breadth of an attack.
+Microsoft 365 Defender aggregates all related alerts, assets, investigations, and evidence from across your devices, users, and mailboxes into an incident to give you a comprehensive look into the entire breadth of an attack.
Within an incident, you investigate the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.
You can start by selecting the incident from the check mark column. Here's an ex
:::image type="content" source="../../media/investigate-incidents/incidents-ss-incident-select.png" alt-text="Example of selecting an incident from the check mark column":::
-When you do, a summary pane opens with key information about the incident, such as severity, who it is assigned to, and the [MITRE ATT&CK&trade;](https://attack.mitre.org/) categories for the incident. Here's an example.
+When you do, a summary pane opens with key information about the incident, such as severity, to whom it is assigned, and the [MITRE ATT&CK&trade;](https://attack.mitre.org/) categories for the incident. Here's an example.
:::image type="content" source="../../media/investigate-incidents/incidents-ss-incident-side-panel.png" alt-text="Example of the summary pane for an incident":::
The scope section gives you a list of top impacted assets that are part of this
The alerts timeline provides a sneak peek into the chronological order in which the alerts occurred, as well as the reasons that these alerts are linked to this incident.
-And last - the evidence section provides a summary of how many different artifacts were included in the incident and their remediation status, so you can immediately identify if any action is needed on your end.
+And last - the evidence section provides a summary of how many different artifacts were included in the incident and their remediation status, so you can immediately identify if any action is needed by you.
This overview can assist in the initial triage of the incident by providing insight into the top characteristics of the incident that you should be aware of.
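Review bot: `so you can immediately identify if any action is needed by you` reads awkwardly; "so you can immediately see whether you need to take any action" says the same thing more naturally. The opening `And last - the evidence section` also uses a spaced hyphen where a comma ("And last, the evidence section") would match the rest of the page.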
security Investigate Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md
ms.technology: m365d
- Microsoft 365 Defender
-As part of your investigation, you might find that a user has been compromised.
+Part of your incident investigation can include user accounts. Start with the **Users** tab for an incident from **Incidents & alerts >** *incident* **> Users**.
-The Microsoft 365 security center user page combines information from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security (depending on what licenses you have). This page is the ideal starting place for investigating users and potential incidents.
-![User page](../../media/m3d-userpage.png)
-This page shows information specific to the security risk of a user. This includes a score that helps assess risk, recent events and alerts that contributed to the overall risk of the user, and more.
+To get a quick summary of a user account for the incident, select the check mark next to the user account name. Here's an example.
+
+From here, you can select **Go to user page** to see the details of a user account. Here's an example.
++
+You can also see this page by selecting the name of the user account from the list on the **Users** page.
+
+The Microsoft 365 security center user page combines information from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security (depending on what licenses you have).
+
+This page shows information specific to the security risk of a user account. This includes a score that helps assess risk and recent events and alerts that contributed to the overall risk of the user.
+
+From this page, you can do these additional actions:
+
+- Mark the user account as compromised
+- Require the user to sign in again
+- Suspend the user account
+- See the Azure Active Directory (Azure AD) user account settings
+- View the files owned by the user account
+- View files shared with this user.
+
+Here's an example.
+++
+<!--
You can access this page from multiple areas in the Microsoft 365 security center. You can access this page from a specific incident in the **Users** tab. Some alerts might include users as a specific affected asset. You can also search for users. Learn more about how to investigate users and potential risk [in this Cloud App Security tutorial](/cloud-app-security/tutorial-ueba#:~:text=To%20identify%20who%20your%20riskiest,user%20page%20to%20investigate%20them).
+-->
+ ## Related topics - [Incidents overview](incidents-overview.md)
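Review bot: the old paragraph beginning "You can access this page from multiple areas in the Microsoft 365 security center" is wrapped in `<!--` / `-->` rather than removed. If its link to the Cloud App Security UEBA tutorial is still useful, restore that sentence under the new flow; otherwise delete the block so the source does not carry dead text. In the added action list, `- View files shared with this user.` ends with a period while the other items do not, and "you can do these additional actions" should be "you can take these additional actions".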
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
In cases where, while investigating you would like to move alerts from one incid
## Edit the incident name
-Incidents are automatically assigned a name based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident. For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
+Microsoft 365 Defender automatically assigns a name based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident. For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
You can edit the incident name from the **Incident name** field on the **Manage incident** pane. > [!NOTE]
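Review bot: the rewritten sentence `Microsoft 365 Defender automatically assigns a name based on alert attributes such as the number of endpoints affected` lost its object; the removed line said that incidents are assigned a name. Suggest "Microsoft 365 Defender automatically assigns each incident a name based on alert attributes such as ...", so that the following "the scope of the incident" has a referent.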
-> Incidents that existed prior the rollout of the automatic incident naming feature will retain their name.
+> Incidents that existed before the rollout of the automatic incident naming feature will retain their name.
## Add incident tags
If it was a true alert, you should also specify what type of threat it was with
## Add comments
-You can add multiple comments to an incident with the **Comment** field. Each comment is added to the historical events of the incident. You can see the comments and history of an incident from the **Comments and history** link on the **Summary** page.
+You can add multiple comments to an incident with the **Comment** field. Each comment gets added to the historical events of the incident. You can see the comments and history of an incident from the **Comments and history** link on the **Summary** page.
+
+## Related topics
+
+- [Incidents overview](incidents-overview.md)
+- [Prioritize incidents](incident-queue.md)
+- [Investigate incidents](investigate-incidents.md)
security Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/onboard.md
- Title: Configure and manage Microsoft Defender for Endpoint capabilities-
-description: Configure and manage Microsoft Defender for Endpoint capabilities such as attack surface reduction and next generation protection
-keywords: configure, manage, capabilities, attack surface reduction, next generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
--
-localization_priority: Normal
--
- - M365-security-compliance
- - m365initiative-m365-defender
---
-# Configure and manage Microsoft Defender for Endpoint capabilities
--
-**Applies to:**
--- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)-
-Configure and manage all the Microsoft Defender for Endpoint capabilities to get the best security protection for your organization.
--
-## In this section
-Topic | Description
-:|:
-[Configure attack surface reduction capabilities](/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
-[Configure next generation protection](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) | Configure next generation protection to catch all types of emerging threats.
-[Configure Microsoft Threat Experts capabilities](/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
-[Configure Microsoft 365 Defender integration](/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender for Endpoint.
-[Management and API support](/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
-[Configure Microsoft Defender Security Center settings](/windows/security/threat-protection/microsoft-defender-atp/preferences-setup) | Configure portal-related settings such as general settings, advanced features, enable the preview experience and others.
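Review bot: this hunk deletes onboard.md in its entirety, including the `# Configure and manage Microsoft Defender for Endpoint capabilities` page and its table linking to the attack surface reduction, next generation protection, Microsoft Threat Experts, integration, API and portal-settings topics. Make sure the same change removes or updates the TOC entry and any inbound links to this page, and add a redirect to the page that now covers this content; otherwise existing bookmarks and cross-references will break.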