-description: "AutoPilot profiles help you control how Windows gets installed on user devices. The profiles contain default and optional settings like skip Cortana installation."

-# About AutoPilot Profile settings

-## AutoPilot profile settings

-> [!NOTE]

-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../../security/defender-business/mdb-overview.md).

-You can use AutoPilot profiles to control how Windows is installed on user devices. The profiles contain the following settings.

-

- **AutoPilot default features (required) that are set automatically:**

-

-|**Setting**|**Description**|

-|:--|:--|

-|Skip Cortana, OneDrive, and OEM registration <br/> |Skips the installation of consumer apps like Cortana and personal OneDrive. The device user can install these later as long as the user is a local admin on the device. The original manufacturer registration is skipped because the device will be managed by Microsoft 365 Business Premium. <br/> |

-|Sign in experience with your company brand <br/> |If your company has a [Add your company branding to Microsoft 365 Sign In page](../setup/customize-sign-in-page.md), the device user will get that experience when signing in. <br/> |

-|MDM auto-enrollment with configured AAD accounts. <br/> |The user identity will be managed by Azure Active Directory, and users will sign in to Windows and Microsoft 365 with their Microsoft 365 Business Premium credentials. <br/> |

-

- **Optional settings:**

-

-|**Setting**|**Description**|

-|:--|:--|

-|Skip privacy settings (Off by default) <br/> |If this option is set to **On**, the device user will not see the license agreement for the device and Windows when he or she first signs in. <br/> |

-|Don't allow the user to become the local admin <br/> |If this option is set to **On**, the device user will not be able to install any personal apps, such as Cortana.<br/> |

-## See also

-[Top 10 ways to secure Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)

-3. On the **Create profile** page, enter a name for the profile that helps you identify it, for example Marketing. Turn on the setting you want, and then choose **Save**. For more information about AutoPilot profile settings, see [About AutoPilot Profile settings](autopilot-profile-settings.md).

-After you create a profile, you can apply it to a device or a group of devices. You can pick an existing profile in the [step-by-step guide](add-autopilot-devices-and-profile.md) and apply it to new devices, or replace an existing profile for a device or group of devices.

-description: "Learn about the various device states in the Device actions list in Admin home in Microsoft 365 for business."

-# Device states

-This article applies to Microsoft 365 Business Premium.

-> [!NOTE]

-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../../security/defender-business/mdb-overview.md).

-Devices in the **Device actions** list (Admin home \> **Device actions**) can have the following states.

-

-

-

-|**Status**|**Description**|

-|:--|:--|

-|Managed by Intune <br/> |Managed by Microsoft 365 Business Premium. <br/> |

-|Retire pending <br/> |Microsoft 365 Business Premium is getting ready to remove company data from the device. <br/> |

-|Retire in progress <br/> |Microsoft 365 Business Premium is currently removing company data from the device. <br/> |

-|Retire failed <br/> | Remove company data action failed. <br/> |

-|Retire canceled <br/> |Retire action was canceled. <br/> |

-|Wipe pending <br/> |Waiting for factory reset to start. <br/> |

-|Wipe in progress <br/> |Factory reset has been issued. <br/> |

-|Wipe failed <br/> |Couldn't do factory reset. <br/> |

-|Wipe canceled <br/> |Factory wipe was canceled. <br/> |

-|Unhealthy <br/> |An action is pending (or in progress), but the device hasn't checked in for 30+ days. <br/> |

-|Delete pending <br/> |Delete action is pending. <br/> |

-|Discovered <br/> |Microsoft 365 Business Premium has detected the device. <br/> |

-

-## See also

-[Top 10 ways to secure Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)

-description: "Learn how protection features in Microsoft 365 Business Premium map to Intune settings. The subscription provides you with a license to modify Intune settings."

-# How do protection features in Microsoft 365 Business Premium map to Intune settings

-> [!NOTE]

-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../../security/defender-business/mdb-overview.md).

-## Android and iOS application protection settings

-The following table details how the Android and iOS application policy settings map to Intune settings.

-

-To find the Intune setting, sign in with your Microsoft 365 Business Premium admin credentials, and go to **Admin centers**, and then **Intune**.

-

- > [!IMPORTANT]

- >

- > A Microsoft 365 Business Premium subscription gives you a license to modify all the Intune settings. See [Introduction to Intune to get started.](/intune/introduction-intune)

-

-Select the Policy name you want &mdash; for example, Application policy for Android &mdash; and then choose **Policy settings**.

-

-Under **Protect work files when devices are lost or stolen**

-

-|**Android or iOS application policy setting**|**Intune setting(s)**|

-|:--|:--|

-|Delete work files from an inactive device after <br/> |Offline interval (days) before app data is wiped <br/> |

-|Force users to save work files to OneDrive for Business <br/> Note that only OneDrive for Business is allowed <br/> |Select which storage services corporate data can be saved to <br/> |

-|||

-

-Under **Manage how user access Office files in mobile devices**

-

-|**Android or iOS application policy setting**|**Intune setting(s)**|

-|:--|:--|

-|Delete work files from an inactive device after <br/> |Offline interval (days) before app data is wiped <br/> |

-|Force users to save work files to OneDrive for Business <br/> Note that only OneDrive for Business is allowed <br/> |Select which storage services corporate data can be saved to <br/> |

-|Encrypt work files <br/> |Encrypt app data <br/> |

-|Under **Manage how user access Office files in mobile devices** <br/> ||

-|Require a PIN or fingerprint to access Office apps <br/> | Require PIN to access <br/> This also sets: <br/> **Allow simple PIN** to **Yes** <br/> **Pin Length** to 4 <br/> **Allow fingerprint instead of PIN** to **Yes** <br/> **Disable app PIN when device PIN is managed** to **No** <br/> |

-|Reset PIN when login fails this many times (this is disabled if PIN isn't required) <br/> |Number of attempts before PIN reset <br/> |

-|Require users to sign in again after Office apps have been idle for (this is disabled if PIN isn't required) <br/> | Recheck the access requirements after (minutes) <br/> This also sets: <br/> **Timeout** is set to minutes <br/> This is same number of minutes you set in Microsoft 365 Business. <br/> **Offline grace period** is set to 720 minutes by default <br/> |

-|Deny access to work files on jailbroken or rooted devices <br/> |Block managed apps from running on jailbroken or rooted devices <br/> |

-|Allow users to copy content from Office apps into personal apps <br/> | Restrict cut, copy, and paste with other apps <br/> If the Microsoft 365 Business Premium option is set to **On**, then these three options are also set to **All Apps** in Intune: <br/> **Allow app to transfer data to other apps** <br/> **Allow app to receive data from other apps** <br/> **Restrict cut, copy, and paste with other apps** <br/> If the Microsoft 365 Business option is set to **On**, then all the Intune options are set to: <br/> **Allow app to transfer data to other apps** is set to **Policy managed apps** <br/> **Allow app to receive data from other apps** is set to **All Apps** <br/> **Restrict cut, copy, and paste with other apps** is set to **Policy Managed apps with Paste-In** <br/> |

-|||

-

-## Windows 10 app protection settings

-The following table details how the Windows 10 application policy settings map to Intune settings.

-

-To find the Intune setting, sign in with your Microsoft 365 Business Premium admin credentials, and go to [Azure portal](https://portal.azure.com). Select **More services**, and type Intune into the **Filter**. Select **Intune App Protection** \> **App Policy**.

-

- > [!IMPORTANT]

- >

- >A Microsoft 365 Business Premium subscription gives you a license to modify only the Intune settings that map to the settings available in Microsoft 365 Business Premium.

-

-To explore the available settings, select the policy name you want, and then choose **General, Assignments**, **Allowed apps**, **Exempt apps**, **Required settings**, or **Advanced settings** from the left navigation pane.

-

-|**Windows 10 application policy setting**|**Intune setting(s)**|

-|:--|:--|

-|Encrypt work files <br/> |**Advanced settings** \> **Data protection**: **Revoke encryption keys on unenroll** and **Revoke access to protected data device enrolls to MDM** are both set to **On**. <br/> |

-|Prevent users from copying company data to personal files. <br/> |**Required settings** \> **Windows Information Protection mode**. **On** in Microsoft 365 Business Premium maps to: **Hide Overrides**, **Off** in Microsoft 365 Business Premium maps to: **Off**. <br/> |

-|Office documents access control <br/> | If this is set to **On** in Microsoft 365 Business Premium, then <br/> **Advanced settings** \> **Access**, **Use Windows Hello for Business as a method for signing into Windows** is set to **On**, with the following additional settings: <br/> **Set the minimum number of characters required for the PIN** is set to **4**. <br/> **Configure the use of uppercase letters in the Windows Hello for Business PIN** is set to **Do not allow use of upper case letters for PIN**. <br/> **Configure the use of lowercase letters in the Windows Hello for Business PIN** is set to **Do not allow use of lower case letters for PIN**. <br/> **Configure the use of special characters in the Windows Hello for Business PIN** is set to **Do not allow the use of special characters in PIN**. <br/> **Specify the period of time (in days) that a PIN can be used before the system requires the user to change** is set to **0**. <br/> **Specify the number of past PINs that can be associated to a user account that can't be reused** is set to **0**. <br/> **Number of authentication failures allowed before the device will be wiped** is set to same as in Microsoft 365 Business (5 by default). <br/> **Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked** is set to same as in Microsoft 365 Business. <br/> |

-|Enable recovery of protected data <br/> |**Advanced settings** \> **Data protection**: **Show the enterprise data protection icon** and **Use Azure RMS for WIP** are set to **On**. <br/> |

-|Protect additional company cloud locations <br/> |**Advanced settings** \> **Protected domains** and **Cloud resources** show domains and SharePoint sites. <br/> |

-|Files used by these apps are protected <br/> |The list of protected apps is listed in **Allowed apps**. <br/> |

-|||

-

-## Windows 10 device protection settings

-The following table details how the Windows 10 device configuration settings map to Intune settings.

-

-To find the Intune setting, sign in with your Microsoft 365 Business Premium admin credentials, and go to [Azure portal](https://portal.azure.com), then select **More services**, and type in Intune into the **Filter**, select **Intune** \> **Device configuration** \> **Profiles**. Then select **Device policy for Windows 10** \> **Properties** \> **Settings**.

-

-|**Windows 10 device policy setting**|**Intune setting(s)**|

-|:--|:--|

-|Help protect PCs from viruses and other threats using Windows Defender Antivirus <br/> |Allow Real-time Monitoring = ON <br/> Allow Cloud Protection = ON <br/> Prompt Users for Samples Submission = Send Safe samples automatically (Default Non PII auto submit) <br/> |

-|Help protect PCs from web-based threats in Microsoft Edge <br/> |**SmartScreen** in **Edge Browser settings** is set to **Required**. <br/> |

-|Turn off device screen when idle for (minutes) <br/> |Maximum minutes of inactivity until screen locks (minutes) <br/> |

-|Allow users to download apps from Microsoft Store <br/> |Custom URI policy <br/> |

-|Allow users to access Cortana <br/> |**General** \> **Cortana** is set to **block** in Intune when set to **off** in Microsoft 365 Business Premium. <br/> |

-|Allow users to receive Windows tips and advertisements from Microsoft <br/> |**Windows spotlight**, all blocked if this is set to **off** in Microsoft 365 Business Premium. <br/> |

-|Keep Windows 10 devices up to date automatically <br/> | This setting is in **Microsoft Intune** \> **Service updates - Windows 10 Update Rings**, choose **Update policy for Windows 10 devices**, and then **Properties** \> **Settings**. <br/> When the Microsoft 365 Business Premium setting is set to **On**, all the following settings are set: <br/> **Service branch** is set to **CB** (CBB when this is turned off in Microsoft 365 Business Premium). <br/> **Microsoft product updates** is set to **Allow**. <br/> **Windows drivers** is set to **Allow**. <br/> **Automatic update behavior** is set to **Auto install at maintenance time** with: <br/> **After hours start** is set to **6 AM**. <br/> **Active hours end** is set to **10 PM**. <br/> **Quality update deferral period (days)** is set to **0**. <br/> **Feature update deferral period (days)** is set to **0**. <br/> **Delivery optimization download mode** is set to **HTTP blended with peering behind same NAT**. <br/> |

-|||

-## See also

-[Top 10 ways to secure Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)

-description: "Learn about settings available in Microsoft 365 for business to secure Windows 10 devices."

-# Edit or create device protection settings for Windows 10 PCs

-This article applies to Microsoft 365 Business Premium.

-> [!NOTE]

-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../../security/defender-business/mdb-overview.md).

-After you have set set up default Windows protection settings on the Setup page, you can add new ones that apply to either all users, or a set of users. You can also edit any of the ones you have created.

-## Watch: Create protection settings for Windows 10 devices

-View a video on how to secure Windows 10 devices with Microsoft 365 Business Premium:

-

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/a5734146-620a-4cec-8618-536b3ca37972?autoplay=false]

-

-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.

-2. On the left nav, choose **Devices** \> **Policies** \> **Add**.

-3. On the **Add policy** pane, enter a unique name for this policy.

-4. Under **Policy type**, choose **Windows 10 Device Configuration**.

-5. Expand **Secure Windows 10 Devices** \> configure the settings how you would like. For more information, see [Available settings](#available-settings).

-

- You can always use the **Reset default settings** link to return to the default setting.

-

- 

-

-6. Next decide **Who will get these settings?** If you don't want to use the default **All users** security group, Choose **Change**, search for the security group who will get these settings \> **Select**.

-7. Finally, choose **Done** to save the policy, and assign it to devices.

-## Edit Windows 10 protection settings

-

-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.

-2. On the left nav, choose **Devices** \> **Policies** .

-1. Choose an existing Windows device policy and then **Edit**.

-1. Choose **Edit** next to a setting you want to change and then **Save**.

-## Available settings

-By default all settings are **On**. The following settings are available.

-

-For more information, see [How do protection features in Microsoft 365 Premium map to Intune settings](map-protection-features-to-intune-settings.md).

-|Setting <br/> |Description <br/> |

-|:--|:--|

-|Help protect PCs from viruses and other threats using Windows Defender Antivirus <br/> |Requires that Windows Defender Antivirus is turned on to protect PCs from the dangers of being connected to the internet. <br/> |

-|Help protect PCs from web-based threats in Microsoft Edge <br/> |Turns on settings in Edge that help protect users from malicious sites and downloads. <br/> |

-|Use rules that reduce the attack surface of devices <br/> |When turned On, attack surface reduction helps block actions and apps typically used by malware to infect devices. This setting is only available if Windows Defender Antivirus is set to On. See [Reduce attack surfaces](/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) to learn more. <br/> |

-|Protect folders from threats such as ransomware <br/> |This setting uses controlled folder access to protect company data from modification by suspicious or malicious apps, such as ransomware. These types of apps are blocked from making changes in protected folders. This setting is only available if Windows Defender Antivirus is set to On. See [Protect folders with Controlled folder access](/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy#bkmk_CFA) to learn more. <br/> |

-|Prevent network access to potentially malicious content on the Internet <br/> |Use this setting to block outbound user connections to low-reputation Internet locations that may host phishing scams, exploits, or other malicious content. This setting is only available if Windows Defender Antivirus is set to **On**. For more information, see [Protect your network](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). <br/> |

-|Help protect files and folders on PCs from unauthorized access with BitLocker <br/> |BitLocker protects data by encrypting the computer hard drives and protect against data exposure if a computer is lost or stolen. For more information, see [BitLocker FAQ](/windows/security/information-protection/BitLocker/BitLocker-frequently-asked-questions). <br/> |

-|Allow users to download apps from Microsoft Store <br/> |Lets users download and install apps from the Microsoft Store. Apps include everything from games to productivity tools, so we leave this setting **On**, but you can turn it off for extra security. <br/> |

-|Allow users to access Cortana <br/> |Cortana can be very helpful! Cortana can turn settings on or off for you, give directions, and make sure you're on time for appointments, so we keep this setting **On** by default. <br/> |

-|Allow users to receive Windows tips and advertisements from Microsoft <br/> |Windows tips can be handy and help orient users when new features are released. <br/> |

-|Keep Windows 10 devices up to date automatically <br/> |Makes sure that Windows 10 devices automatically receive the latest updates. <br/> |

-|Turn off device screen when idle for this amount of time <br/> |Makes sure that company data is protected if a user is idle. A user may be working in a public location, like a coffee shop, and step away or be distracted for just a moment, leaving their device vulnerable to random glances. This setting lets you control how long the user can be idle before the screen shuts off. <br/> |

-## See also

-[Top 10 ways to secure Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)

-After you [set app configurations for Android devices](app-protection-settings-for-android-and-ios.md) to protect the apps, you can follow these steps to validate that the settings you chose work.

-After you [set app configurations for iOS devices](app-protection-settings-for-android-and-ios.md) to protect apps, you can follow these steps to validate that the settings you chose work.

-After you [set up device policies](protection-settings-for-windows-10-pcs.md), it may take up to a few hours for the policy to take effect on users' devices. You can confirm that the policies took effect by looking at various Windows Settings screens on the users' devices. Because the users won't be able to modify the Windows Update and Microsoft Defender Antivirus settings on their Windows 10 devices, many options will be grayed out.

-[Microsoft 365 for business documentation and resources](/admin)\

-[Set device configurations for Windows 10 PCs](protection-settings-for-windows-10-pcs.md)

-[Top 10 ways to secure Microsoft 365 for business plans](../security-and-compliance/secure-your-business-data.md)

-You can use [Set up compliance features](set-up-compliance.md) to help to protect your business's sensitive information. Compliance Manager can help you get started right away! For example, you can [set up a DLP policy](/microsoft-365/compliance/create-a-dlp-policy-from-a-template) that uses the [GDPR template](/microsoft-365/compliance/what-the-dlp-policy-templates-include#general-data-protection-regulation-gdpr).

-description: "Learn about the requirements for setting up your organization with Microsoft 365 for business and protecting work data on your users' devices."

-# Prerequisites for protecting data on devices with Microsoft 365 for business

-This article applies to Microsoft 365 Business Premium.

-> [!NOTE]

-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../../security/defender-business/mdb-overview.md).

-The first step in setting up your organization with Microsoft 365 for business is to make sure you can meet the prerequisites.

-

-## Requirements for setting up your organization with Microsoft 365 for business

-

- If you're running Windows 10 Home, then you must **purchase** Windows 10 Pro. See [upgrade Windows 10 Home to Windows 10 Pro](../../business-video/upgrade.md) for instructions.

-

-

-

- Google Android 4.0 and later (including Samsung KNOX Standard 4.0 and higher). For more information, see [Intune supported devices](/mem/intune/fundamentals/supported-devices-browsers).

-

-## See also

-[Top 10 ways to secure Microsoft 365 for business plans](secure-your-business-data.md)

-[Top 10 ways to secure Microsoft 365 for business plans](secure-your-business-data.md)

-If you also want to manage domain-joined Windows 10 devices, see [Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium](manage-windows-devices.md) to set up a hybrid Azure AD Join.

-1. Under **Secure your Windows computers** , select **View**.

-1. Select **Get started**.

-1. Under **Who should the policy apply to?**, choose whether your selections will be applied to everyone in your organization or to specific security groups.

-1. Select **Save changes**.

-1. Choose **Apply settings**.

- These settings will apply to all users in your organization. To set up different policies for different security groups, see [Set device protection settings for Windows 10 PCs](../devices/protection-settings-for-windows-10-pcs.md).

-## April 2020

-### Intune roles management

-[April 2020](#april-2020)

-Well, we did it! We've taken the second step towards a unified roles experience and you can now manage Intune roles in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. You can also leverage features such as the ability to search for roles and view role permissions. This means you donΓÇÖt need two separate tools to manage roles for Microsoft 365 and Intune. When you sign into the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, youΓÇÖll see that there are two pivots on the Roles page, one for Azure AD and one for Intune.

-

-### Sync Message Center posts to Planner

-Starting in May, admins who are in Targeted release will start seeing the "Planner syncing" button in the message center. You can now track messages that need action, select the type of messages you'd like to track, assign messages to track as tasks, and tag messages for later attention.

-[Join Targeted Release](manage/release-options-in-office-365.md) to get started!

-### "Need help?" launched in Teams admin center & Security and Compliance centers

-The Teams admin center, Security center, and Compliance center are now using the same "Need help?" feature that the <a href="https://go.microsoft.com/fwlink/p/?linkid=2166757" target="_blank">Microsoft 365 admin center</a> uses for finding help and contacting support. We've received a lot of feedback from admins that you wanted the same level of help and support and we're happy to bring that to you. Try it out and give us your feedback!

-#### Need chat?

-Our support agents have been working from home while still taking customer cases and limitations on internet bandwidth while working from home can impact customer call quality. In order to continue supporting you, we have launched live chat support option for commercial customers in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2166757" target="_blank">Microsoft 365 admin center</a>.

-While creating a service request, you'll now see chat as an option, in addition to phone and email. Select chat as a preferred channel of communication and create the request. Once you've created the request, you can start the chat when you are ready to chat with Microsoft agents.

-### Teams updates

-With the increased usage of Teams, we've added a few features to help you manage them.

-### Productivity score

-Productivity Score gives insights about how people use Microsoft cloud services and the technology experiences that support them. The score reflects your organizationΓÇÖs performance against employee and technology experience measures and compares your score with organizations like yours. This month, we are introducing the following new concepts to the preview experience:

-If you'd like to learn more, check out the blog: [Measure and improve the Microsoft 365 experience with Microsoft Productivity Score](https://techcommunity.microsoft.com/t5/microsoft-365-blog/measure-and-improve-the-microsoft-365-experience-with-microsoft/ba-p/1348618). Productivity score is currently in private preview. [Join the Productivity score private preview](https://aka.ms/productivityscorepreview) to get started.

-### Groups updates

-We've got two updates for Groups this month:

-### Docs, videos, and training (April)

-**What's new in Microsoft 365 video series**: This month, we cover tips and resources to help small businesses transition to remote work including how to roll out Microsoft Teams, remote work training resources to stay connected with clients and partners, and the new Microsoft 365 Business Voice plan. [What's New in Microsoft 365](https://go.microsoft.com/fwlink/p/?linkid=2118096)

-#### For your users

-#### For admins and business owners

-## March 2020

-### Featured Feedback Fix: Improve "add user" reliability for licensing

-We received a lot of feedback from admins about how hard it is to assign licenses when adding users. We've made the first update to this fix and we've migrated to a more reliable behind-the-scenes service to process those requests. And if something goes wrong, you'll now get an error message that lets you try again.

-

-### Microsoft Teams home page card

-With the uptick in Teams usage, some orgs will get a pinned dashboard card that makes turning Teams on more discoverable. The card also has links to training and docs to help your org transition to remote work. Just go to the **Home** page to see the new card.

-

-### Customize your organization's SharePoint mobile app theme

-Using the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, you can now customize your organization's theme in SharePoint mobile app for iOS and SharePoint mobile app for Android. This feature conveniently provides a mobile intranet app experience that can match your SharePoint Online for employees on the go. Theme customization includes your logo image, navigation bar color, text and icon colors, and accent colors, making for easy recognition.

-

-### Improvements to the "Add a group" wizard

-When admins created a new group - and made it a Team at they same time, they could assign owners who don't have a license that includes Teams. And that created some headaches. We've updated the wizard flow to verify that owners have a Teams license and if they don't the option to turn the group into a Team is disabled.

-### Microsoft 365 offerings for small and medium businesses

-We know that this is an announcement for next month, but we want to make sure you're prepared.

-Starting on April 21, we're making changes related to our Office 365 subscriptions for small and medium businesses ΓÇô and to Office 365 ProPlus. These products will now use the Microsoft 365 brand.

-The new product names go into effect on April 21, 2020. This is a change to the product name only, and there are no pricing or feature changes at this time.

-|Current name |New name |

-|||

-|Office 365 Business Essentials | Microsoft 365 Business Basic |

-|Office 365 Business Premium | Microsoft 365 Business Standard |

-|Microsoft 365 Business | Microsoft 365 Business Premium |

-|Office 365 Business | Microsoft 365 Apps for business |

-|Office 365 ProPlus | Microsoft 365 apps for enterprise |

-### Videos, training, and docs

-[What's New in Microsoft 365 web series](https://go.microsoft.com/fwlink/p/?linkid=2118096): In this month's episode, we highlight the 3-year anniversary of Microsoft Teams and cover new features including improved audio quality in online meetings, Targeted Communications for firstline managers with the Shifts app, Teams and Skype consumer interoperability, and more.

-## February 2020

-### Featured Feedback Fix: Multi-organization switcher

-We received a lot of feedback from partners and admins about the challenges of managing multiple Microsoft cloud orgs. One of our first multi-org management features is the **Organization switcher**, which lets you change between the orgs that you manage in just 2 clicks.

-> [!TIP]

-> You don't have to do anything to make the organization switcher appear as long as you are the Partner of record for at least one organization.

-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, select the org name.

-

-2. In the organization switcher, select the org you want to manage.

-

-That's literally it!!!

-### Groups

-A couple of changes in the groups area this month:

-### Videos, training, and docs (February)

-You can set up Bookings so only people in your organization can book appointments. Only users in your organization who've signed and are authenticated can book appointments.

-1. Create an org-wide team for communication with everyone across your organization.

-1. Create teams for specific projects and apply the right amount of protection based on who should be included.

-1. Create specific teams for communication with external partners to keep them separate from anything sensitive for your business.

-1. **Individual teams:** Set up teams for smaller groups to collaborate about their day to day work.

-1. **An external communications team or teams:** Coordinate with your vendors, partners, or clients without allowing them into anything sensitive. Set up different channels for specific groups.

-Follow these [10 tips on how to help reduce spam](https://support.microsoft.com/en-us/office/10-tips-on-how-to-help-reduce-spam-55f756e8-688b-41c3-a086-8f68ccc592f6).

-1. **On the Microsoft 365 Business page**, enter your business details. For **Business email address**, use a current email address. We only need this address to stay in touch with you during the setup process. Select **Next**.

-1. **On the Create your user ID page**:

- > [!IMPORTANT]

- > The name you enter for your .onmicrosoft.com domain will be used for all your SharePoint and OneDrive URLs and you might not be able to change it. Make sure youΓÇÖve considered the name from a branding perspective and spelled it correctly.

-[Remove company data from devices](remove-company-data.md) (article)\

-[Add a managed device](./app-protection-settings-for-android-and-ios.md) (article)

-[Set application protection settings for Windows 10 devices](../protection-settings-for-windows-10-devices.md).

-Microsoft 365 Business Premium lets you set up policies that protect data on your Windows 10 devices. When a device is under mobile device management, you control the entire device, and can wipe data from it, and also reset it to factory settings. For more information, see [Set device protection settings for Windows 10 PCs](../protection-settings-for-windows-10-pcs.md).

-Mobile application management lets you control your business data in your users' personal devices, such as iPhones and Androids, and their personal Win 10 computers. You can use application management policies to prevent your users from copying business data from Office apps to their personal apps. You can also remove all data from the Office apps on their personal devices. For more information, see [Set app protection settings for Android or iOS devices](../app-protection-settings-for-android-and-ios.md) and [Set application protection settings for Windows 10 devices](../protection-settings-for-windows-10-devices.md).

-#### Deleted OneDrive accounts and simulation results

-Expect possible display discrepancies in the simulation results when deleted OneDrive accounts are still in the [retention stage of the deletion process](/onedrive/retention-and-deletion#the-onedrive-deletion-process). For example, an employee has left the organization and their manager has temporary access to that user's OneDrive files.

-In this scenario, if the OneDrive account was specified by URL in the auto-labeling policy, matched files from the deleted OneDrive account are included in the simulation results.

-However, if the OneDrive account wasn't specified by URL, but was included with the **All** default setting:

-In all cases, matched files are labeled until the OneDrive account is permanently deleted. The display discrepancies listed apply only to the simulation results.

-User reported messages from Teams chats are the only messages processed by the User-reported message policy and only the assigned reviewers for the policy can be modified. All other policy properties are not editable. When the policy is created, the initial reviewers assigned to the policy are all members of the *Communication Compliance Admins* role group (if populated with at least one user) or all members of your organization's *Global Admin* role group . The policy creator is a randomly selected user from the *Communication Compliance Admins* role group (if populated with at least one user) or a randomly selected user from your organization's *Global Admin* role group.

-| **Attachment is any of these file types** <br><br> **Attachment is none of these file types** | To supervise communications that include or exclude specific types of attachments, enter the file extensions (such as .exe or .pdf). If you want to include or exclude multiple file extensions, enter these on separate lines. Only one attachment extension must match for the policy to apply.|

-> The assessment templates that are available to your organization depend on your licensing agreement. [Review the details](compliance-manager-templates.md#template-availability-and-licensing).

-Each template (apart from the baseline) is available in at least one version designed for use with a specific product, such as Microsoft 365, along with a universal version that you can use to assess other products of your choice. To learn more about template options, see [Learn about assessment templates](compliance-manager-templates.md).

-### Where to find your templates

-One or more of these templates will be available based on your licensing agreement. The Data Protection Baseline template is included for all users.

-These templates are currently available for preview. Creating assessments using these templates will not count toward your total of licensed templates used.

-These templates may be purchased by your organization.

-## February 2022

- - For enabling Customer Key for assigning DEPs to encrypt content across multiple Microsoft 365 workloads (Exchange Online, Teams, MIP EDM) for all tenant users, contact [m365-ck@service.microsoft.com](mailto:m365-ck@service.microsoft.com).

- - For multi-workload policy (Exchange, Teams, MIP EDM) that applies to all tenant users, replace *Office 365 appID* with `c066d759-24ae-40e7-a56f-027002b5d3e4`

-Follow the instructions from [Intune](/intune/advanced-threat-protection).

-description: "Learn how to edit or remove policies for information barriers."

-# Manage information barrier policies

-After you have [defined information barrier policies](information-barriers-policies.md), you might need to make changes to those policies or to your user segments, as part of [troubleshooting](/office365/troubleshoot/information-barriers/information-barriers-troubleshooting) or as regular maintenance.

-| [Edit user account attributes](#edit-user-account-attributes) | Fill in attributes in Azure Active Directory that can be used to define segments.<br/>Edit user account attributes when users are not included in segments they should be, to change which segments users are in, or to define segments using different attributes. |

-| [Edit a segment](#edit-a-segment) | Edit segments when you want to change how a segment is defined. <br/>For example, you might have originally defined segments using *Department* and now want to use another attribute, such as *MemberOf*. |

-| [Edit a policy](#edit-a-policy) | Edit an information barrier policy when you want to change how a policy works.<br/>For example, instead of blocking communications between two segments, you might decide you want to allow communications to occur only between certain segments. |

-| [Remove a policy](#remove-a-policy) | Remove an information barrier policy when you no longer need a particular policy in place. |

-| [Stop a policy application](#stop-a-policy-application) | Take this action when you want to stop the process of applying information barrier policies.<br/> Stopping a policy application is not instant, and it does not undo policies that are already applied to users. |

-| [Define policies for information barriers](information-barriers-policies.md) | Define an information barrier policy when you do not already have such policies in place, and you must restrict or limit communications between specific groups of users. |

-> [!IMPORTANT]

-> To perform the tasks described in this article, you must be assigned an appropriate role, such as one of the following:<br/>- Microsoft 365 Enterprise Global Administrator<br/>- Global Administrator<br/>- Compliance Administrator<br/>- IB Compliance Management (this is a new role!)<br><br>To learn more about prerequisites for information barriers, see [Prerequisites (for information barrier policies)](information-barriers-policies.md#step-1-make-sure-prerequisites-are-met).<br><br> Make sure to [connect to the Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).

-Use this procedure to edit attributes that are used for segmenting users. For example, if you are using a Department attribute, and one or more user accounts do not currently have any values listed for Department, you must edit those user accounts to include Department information. User account attributes are used for defining segments so that information barrier policies can be assigned.

- | `Get-InformationBarrierRecipientStatus -Identity <value> -Identity2 <value>` <p> You can use any value that uniquely identifies each user, such as name, alias, distinguished name, canonical domain name, email address, or GUID. <p> (You can also use this cmdlet for a single user: `Get-InformationBarrierRecipientStatus -Identity <value>`) |`Get-InformationBarrierRecipientStatus -Identity meganb -Identity2 alexw` <p> In this example, we refer to two user accounts in Office 365: *meganb* for *Megan*, and *alexw* for *Alex*. |

-2. Determine which attribute you want to edit for your user account profile(s). For more information, see [Attributes for information barrier policies](information-barriers-attributes.md).

- You will see a list of segments and details for each, such as segment type, its UserGroupFilter value, who created or last modified it, GUID, and so on.

- | `Set-OrganizationSegment -Identity GUID -UserGroupFilter "attribute -eq 'attributevalue'"` |`Set-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd -UserGroupFilter "Department -eq 'HRDept'"` <p> In this example, for the segment that has the GUID *c96e0837-c232-4a8a-841e-ef45787d8fcd*, we updated the department name to "HRDept". |

-When you have finished editing segments for your organization, you can either [define](information-barriers-policies.md#step-3-define-information-barrier-policies) or [edit](#edit-a-policy) information barrier policies.

-1. To view a list of current information barrier policies, use the **Get-InformationBarrierPolicy** cmdlet.

- In this example, we changed "SegmentsBlocked" to "SegmentsAllowed" and specified the *HR* segment.

-3. When you are finished editing a policy, make sure to apply your changes. (See [Apply information barrier policies](information-barriers-policies.md#step-4-apply-information-barrier-policies).)

-1. To view a list of current information barrier policies, use the **Get-InformationBarrierPolicy** cmdlet.

-2. To set the policy's status to inactive, use the **Set-InformationBarrierPolicy** cmdlet with an Identity parameter and the State parameter set to Inactive.

- | `Set-InformationBarrierPolicy -Identity GUID -State Inactive` | `Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c9377247 -State Inactive` <p> In this example, we set an information barrier policy that has GUID *43c37853-ea10-4b90-a23d-ab8c9377247* to an inactive status. |

- Changes are applied, user by user, for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. (As a general guideline, it takes about an hour to process 5,000 user accounts.)

-At this point, one or more information barrier policies are set to inactive status. From here, you can do any of the following actions:

-1. To view a list of current information barrier policies, use the **Get-InformationBarrierPolicy** cmdlet.

- In the list of results, identify the policy that you want to remove. Note the policy's GUID and name. Make sure the policy is set to inactive status.

-2. Use the **Remove-InformationBarrierPolicy** cmdlet with an Identity parameter.

- | `Remove-InformationBarrierPolicy -Identity GUID` | `Remove-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471` <p> In this example, we are removing the policy that has GUID *43c37853-ea10-4b90-a23d-ab8c93772471*. |

-3. Repeat steps 1-2 for each policy you want to remove.

-4. When you are finished removing policies, apply your changes. To take this action, use the **Start-InformationBarrierPoliciesApplication** cmdlet.

- Syntax: `Start-InformationBarrierPoliciesApplication`

- Changes are applied, user by user, for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete.

-After you have started applying information barrier policies, if you want to stop those policies from being applied, use the following procedure. It will take approximately 30-35 minutes for the process to begin.

-1. To view the status of the most recent information barrier policy application, use the **Get-InformationBarrierPoliciesApplicationStatus** cmdlet.

- | `Stop-InformationBarrierPoliciesApplication -Identity GUID` | `Stop-InformationBarrierPoliciesApplication -Identity 46237888-12ca-42e3-a541-3fcb7b5231d1` <p> In this example, we are stopping information barrier policies from being applied. |

-Office 365 Advanced Message Encryption is included in [Microsoft 365 Enterprise E5](https://www.microsoft.com/microsoft-365/enterprise/home), Office 365 E5, Microsoft 365 E5 (Nonprofit Staff Pricing), Office 365 Enterprise E5 (Nonprofit Staff Pricing), and Office 365 Education A5. If your organization has a subscription that does not include Office 365 Advanced Message Encryption, you can purchase it with the Microsoft 365 E5 Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), or the Office 365 Advanced Compliance SKU add-on for Microsoft 365 E3, Microsoft 365 E3 (Nonprofit Staff Pricing), Office 365 SKUs, or the Microsoft 365 E5/A5 Information Protection and Governance SKU add-on for Microsoft 365 A3/E3.

-> For sensitivity labels to be available to apply to your document understanding models, they need to be [created and published in the Microsoft 365 Compliance Center](../admin/security-and-compliance/set-up-compliance.md).

-> For sensitivity labels to be available to apply to your form processing model, they need to be [created and published in the Microsoft 365 Compliance Center](../admin/security-and-compliance/set-up-compliance.md).

-If you have existing server-based deployments for Exchange, SharePoint, or Skype for Business and want to migrate your entire organization to Microsoft 365 for enterprise, see the [client and server software roadmap](client-server-software-roadmap-microsoft-365.md). This roadmap includes Microsoft Office client products, on-premises Office Server products, and Microsoft Windows&ndash;based devices.

- - [SharePoint Online](/sharepoint/sharepoint-online)

- - [Skype for Business](/SkypeForBusiness/skype-for-business-online)

- - [SharePoint Online](https://support.office.com/article/79eb0420-8cbd-4bcb-a90b-ddc7d3ab4b3a)

- - [Microsoft Teams](//MicrosoftTeams/quality-of-experience-review-guide)

-Start your cloud services implementation. For guidance, see [Configure Microsoft 365 Enterprise services and applications](configure-services-and-applications.md).

-description: Configure Microsoft 365 Enterprise services and applications, such as SharePoint, Exchange, and Skype for Business.

-Our [basic set up instructions](../admin/setup/setup.md) help you get everyone using your Microsoft 365 services and applications in the shortest time possible. Sometimes getting things configured before everyone starts using them is preferred. For example if you want to configure mail routing , file storage, or sharing policies.

-|**Microsoft 365 Suite** |- [Add your company branding to Microsoft 365 Sign In Page](https://support.office.com/article/Add-your-company-branding-to-Office-365-Sign-In-Page-a1229cdb-ce19-4da5-90c7-2b9b146aef0a) <br> - [Add customized help desk info to the Microsoft 365 help pane](https://support.office.com/article/Add-customized-help-desk-info-to-the-Office-365-help-pane-9dd9b104-68f7-4d49-9a30-82561c7d79a3) <br> - [Add integration with Azure AD and other applications](https://support.office.com/article/Integrated-Apps-and-Azure-AD-for-Office-365-administrators-cb2250e3-451e-416f-bf4e-363549652c2a). <br> - [Learn more about using groups](https://support.office.com/Article/Learn-more-about-groups-b565caa1-5c40-40ef-9915-60fdb2d97fa2) to collaborate with email, calendar, documents, and chat <br> - [Activate and use mobile device management in Microsoft 365](https://support.office.microsoft.com/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd) <br> - [Monitor Microsoft 365 connectivity](monitor-connectivity.md) |

-|**Email** <br> (Exchange Online) | - Get ready to migrate with [Exchange Hybrid using the Exchange Deployment Assistant](https://technet.microsoft.com/exdeploy2013) <br> - Use the [Exchange migration advisor](https://aka.ms/office365setup) to get customized set up guidance <br> - [Set up Exchange Online Protection](/exchange/standalone-eop/set-up-your-eop-service) |

-|**Sites** <br> (SharePoint Online) | -Configure hybrid functionality for [SharePoint Server 2013](/SharePoint/hybrid/hybrid)<br> - [Create and use site templates](https://support.office.com/article/Create-and-use-site-templates-60371B0F-00E0-4C49-A844-34759EBDD989) to customize the look and feel of SharePoint Online <br> - Use the [SharePoint Online Planning Guide](https://support.office.com/article/SharePoint-Online-Planning-Guide-for-Office-365-for-business-d5089cdf-3fd2-4230-acbd-20ecda2f9bb8) or the [SharePoint Online deployment advisor](https://aka.ms/spoguidance) to plan and configure additional features <br> - Manage your [Video portal](https://support.office.com/article/Manage-your-Office-365-Video-portal-c059465b-eba9-44e1-b8c7-8ff7793ff5da) |

-|**IM and online meetings** <br> (Skype for Business Online) | - Configure hybrid functionality for [Lync Server 2013](/previous-versions/office/lync-server-2013/lync-server-2013-lync-server-2013-hybrid) or [Skype for Business 2015](/skypeforbusiness/hybrid/plan-hybrid-connectivity?bc=%2fSkypeForBusiness%2fbreadcrumb%2ftoc.json&toc=%2fSkypeForBusiness%2ftoc.json)<br> - [Set up Skype for Business Online](https://support.office.com/article/Set-up-Skype-for-Business-Online-40296968-e779-4259-980b-c2de1c044c6e) and configure common features such as call routing, conference calling, and sharing <br> - Use the [Skype for Business deployment advisor](/MicrosoftTeams/faq-journey) to get customized set up guidance |

-| **File storage & sharing** <br> (OneDrive for Business and SharePoint Online) | - [Set up Microsoft 365 file storage and sharing](https://support.office.com/article/7aa9cdc8-2245-4218-81ee-86fa7c35f1de#BKMK_WhatDif): Learn when you should use OneDrive for Business to store files and when you should use SharePoint Online team sites <br> - [Set up file storage and sharing](https://support.office.com/article/7aa9cdc8-2245-4218-81ee-86fa7c35f1de#BKMK_MoveDocsVideo): See how easy it is to upload files in OneDrive for Business and your SharePoint team site <br> - [Set up file storage and sharing](https://support.office.com/article/7aa9cdc8-2245-4218-81ee-86fa7c35f1de#BKMK_Store): Get all the steps for uploading files to OneDrive for Business and your team site. Learn tips for file sharing <br> - Use the [OneDrive for Business setup guide](https://aka.ms/OD4Bguidance) to get customized set up guidance |

-|**Enterprise Social** <br> (Yammer) | - [Use Yammer with Microsoft 365](https://support.office.com/article/Plan-for-Yammer-integration-with-Office-365-4086681f-6de1-4d39-aa72-752b2af1cbd7) <br> - Use the [Yammer Enterprise setup guide](https://aka.ms/yammerdeploy) to get customized set up guidance |

-|**Last updated:** 02/28/2022 - |

-To get started with GDAP, see [Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md).

-For non-customer tenant-related actions in Lighthouse (for example, onboarding, customer deactivating/reactivating, managing tags, reviewing logs), MSP technicians must have an assigned role in the partner tenant. The previous article link details such roles and their permissions in Lighthouse.

- - Must have delegated (DAP) set up for the Managed Service Provider (MSP) to be able to manage the customer tenant*

-*Delegated Admin Privileges (DAP) is required to onboard customers to Lighthouse. We recommend also establishing Granular Delegated Admin Privileges (GDAP) with your customers to enable more secure delegated access. While DAP and GDAP coexist, GDAP will take precedence for customers where both models are in place. Soon, customers with just GDAP (and no DAP) will be able to onboard to Lighthouse.<br><br>

-| Ineligible - Required license is missing | The tenant is missing a required license. They need at least one Microsoft 365 Business Premium or Microsoft 365 E3 license. | Make sure the tenant has at least one Microsoft 365 Business Premium or Microsoft 365 E3 license assigned. |

-**Resolution:** Make sure that an admin from your partner tenant with the appropriate permissions has assigned you to the correct GDAP security group in Azure AD and assigned you the correct role in Partner Center. Also, keep in mind that some actions in Lighthouse require you to be a Global admin. To learn more about the GDAP roles and what each role can do, see [Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md). For a detailed description of all Azure AD built-in roles and permissions for GDAP, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).

-**Resolution:** Make sure that an admin from your partner tenant with the appropriate permissions has assigned you to the correct GDAP security group in Azure AD. Also, keep in mind that some actions in Lighthouse require you to be a Global admin. To learn more about the GDAP roles and what each role can do, see [Configure Microsoft 365 Lighthouse portal security](m365-lighthouse-configure-portal-security.md). For a detailed description of all Azure AD built-in roles and permissions for GDAP, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).

-Microsoft Managed Desktop adds two applications to your Azure AD organization for Microsoft Teams. They're deployed to either 64-bit or 32-bit clients as appropriate for the device:

-If you're ordering devices with Windows 10, work directly with your OEM sales preresentative. As of November 1, 2022, OEMs can only sell Windows 10 Pro under the Windows 11 Pro with Windows 10 Pro Downgrade license. For more information, see [Windows 10 support dates](https://docs.microsoft.com/lifecycle/products/windows-10-enterprise-and-education?msclkid=4a74c7b9b04111eca478c6fdafbc51a5) for the retirement dates of Windows 10 versions.

-For customers interested in moving to Windows 11, you can find more information on the recommended process [here](https://docs.microsoft.com/microsoft-365/managed-desktop/intro/win11-overview?view=o365-worldwide).

-## Get the device onboarding guide

-Use the following guide and information to choose the best option for your company.

-[:::image type="content" source="mediB-DeviceOnboardingFlow-March2022.pdf) <br/>

-[PDF](https://download.microsoft.com/download/4/d/2/4d2d8a86-2130-45b4-ba42-2997c854383B-DeviceOnboardingFlow-March2022.vsdx)

- - [Learn about device onboarding with Microsoft Defender for Business security configuration](#microsoft-defender-for-business-security-configuration)

-## Microsoft Defender for Business security configuration

-> [!NOTE]

-> If you're already using Endpoint Manager to manage your devices and security policies, skip this method, and see [Microsoft Endpoint Manager](#microsoft-endpoint-manager) instead.

-Microsoft Defender for Business security configuration was built on a capability known as [Security Management for Microsoft Defender for Endpoint (preview)](/mem/intune/protect/mde-security-integration). It enables you to onboard devices to Defender for Business in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) without requiring those devices to be fully enrolled in Microsoft Endpoint Manager beforehand.

-This method enables you to onboard devices and manage your antivirus and firewall policies in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Here's how it all works:

-1. You download an onboarding package from the Microsoft 365 Defender portal, and then run the package on your devices to onboard those devices to Defender for Business.

-2. Running the package establishes a trust between each device (if the trust doesn't already exist) and Azure Active Directory (Azure AD).

-3. Devices communicate with Endpoint Manager using their Azure AD Identity, and security policies in Defender for Business are pushed to devices.

-4. You can view your devices and policies in both the Microsoft 365 Defender portal and the Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).

-To use this option, certain settings must be configured beforehand. To learn more, including prerequisites and supported operating systems, see [Manage Microsoft Defender for Endpoint on devices with Microsoft Endpoint Manager](/mem/intune/protect/mde-security-integration).

-| Integration with Microsoft Endpoint Manager | If you plan to onboard devices using [Microsoft Defender for Business security configuration](mdb-onboard-devices.md#microsoft-defender-for-business-security-configuration), then the following requirements must be met:<br/><br/>Prerequisites must be met for [Security Management for Microsoft Defender for Endpoint](/mem/intune/protect/mde-security-integration).<br/>- Azure AD must be configured such that trust is created between your company's devices and Azure AD. <br/>- Defender for Business must have security management enabled in Microsoft Endpoint Manager.<br/><br/>Devices must be able to connect to the following URLs:<br/>- `enterpriseregistration.windows.net` (for registration in Azure AD)<br/>- `login.microsoftonline.com` (for registration in Azure AD)<br/>- `*.dm.microsoft.com` (The wildcard (*) supports the cloud-service endpoints that are used for enrollment, check-in, and reporting, and can change as the service scales.) |

-Follow the instructions from [Intune](/intune/advanced-threat-protection).

-There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:

-VDI devices can appear in Defender for Endpoint portal as either:

-For more information on the new ArcSight SmartConnector for Microsoft 365 Defender, see [ArcSight Product documentation](https://community.microfocus.com/cyberres/productdocs/w/connector-documentation/39246/smartconnector-for-microsoft-365-defender).

-The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product. However, we recommend keeping EDR in block mode turned on, whether Microsoft Defender Antivirus is running in passive mode or in active mode.

-|**Possible values**|disabled <p> enabled (default)|

-**Exposure level** </br> | The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation. </br> </br> If the exposure level says ΓÇ£No data available,ΓÇ¥ there are a few reasons why this may be the case:</br>- Device stopped reporting for more than 30 days. In that case itΓÇÖs considered inactive, and the exposure isnΓÇÖt computed.</br>- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](https://microsoft-my.sharepoint.com/personal/siosulli_microsoft_com/Documents/Security%20Posture/TVM/minimum-requirements.md).</br>- Device with stale agent (unlikely).

-**Sensor health state** </br> | Filter by the following sensor health states, for devices onboard to Microsoft Defender for Endpoint:</br> - **Active**: Devices that are actively reporting sensor data to the service.</br> - **Inactive**: Devices that have stopped sending signals for more than 7 days. </br> - **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data. </br> Misconfigured devices can further be classified to: </br> - No sensor data </br> - Impaired communications </br> For more information on how to address issues on misconfigured devices see, [Fix unhealthy sensors](https://microsoft-my.sharepoint.com/personal/siosulli_microsoft_com/Documents/Security%20Posture/TVM/fix-unhealthy-sensors.md).</br></br> (_Computers and mobile only_)

-In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-windows.md) and Windows 11, there are a few key differences on Windows Server:

-The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:

-By default, Microsoft Defender Antivirus is installed and functional on Windows Server. Sometimes, the user interface (GUI) is installed by default, but the GUI isnΓÇÖt required. You can use PowerShell, Group Policy, or other methods to manage Microsoft Defender Antivirus.

-If the GUI isnΓÇÖt installed on your server, and you want to install it, either the **Add Roles and Features** wizard or PowerShell cmdlets.

-> [!NOTE]

-> This option is not available for Windows Server 2012 R2. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages).

-### Turn on the GUI using the Add Roles and Features Wizard

-1. See [Install roles, role services, and features by using the add Roles and Features Wizard](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.

-2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option.

- In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:

- :::image type="content" source="images/server-add-gui.png" alt-text="The Add roles and feature wizard showing the GUI for Windows Defender option." lightbox="images/server-add-gui.png":::

- In Windows Server 2019 and Windows Server 2022, the **Add Roles and Feature Wizard** is similar.

-### Turn on the GUI using PowerShell

-The following PowerShell cmdlet will enable the interface:

-```powershell

-Install-WindowsFeature -Name Windows-Defender-GUI

-```

-If you need to install or reinstall Microsoft Defender Antivirus on Windows Server, you can do that using either the **Add Roles and Features Wizard** or PowerShell.

-### Use the Add Roles and Features Wizard to install Microsoft Defender Antivirus

-1. Refer to [this article](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.

-2. When you get to the **Features** step of the wizard, select the Microsoft Defender Antivirus option. Also select the **GUI for Windows Defender** option.

-### Use PowerShell to install Microsoft Defender Antivirus

-To use PowerShell to install Microsoft Defender Antivirus, run the following cmdlet:

-```powershell

-Install-WindowsFeature -Name Windows-Defender

-```

-Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Microsoft Defender Antivirus Events](troubleshoot-microsoft-defender-antivirus.md).

-Once Microsoft Defender Antivirus is installed, your next step is to verify that it's running. On your Windows Server endpoint, run the following PowerShell cmdlet:

-```powershell

-Get-Service -Name windefend

-```

-To verify that firewall protection is turned on, run the following PowerShell cmdlet:

-```powershell

-Get-Service -Name mpssvc

-```

-```console

-```console

-To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.

-<br/><br/>

-To ensure that protection from malware is maintained, we recommend that you enable the following

-<br/><br/>

-| Windows Defender Service (WinDefend) | `C:\Program Files\Windows Defender\MsMpEng.exe` | This is the main Microsoft Defender Antivirus service that needs to be running at all times.|

-| Windows Defender Firewall (MpsSvc) | `C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork` | We recommend leaving the Windows Defender Firewall service enabled. |

-<br/><br/>

-If youΓÇÖre using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled mode.

-For more information, see [Install Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md#install-microsoft-defender-antivirus-on-windows-server).

-### Set Microsoft Defender Antivirus to passive mode using a registry key

-You can set Microsoft Defender Antivirus to passive mode by setting the following registry key:

-### Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard

-1. See [Install or Uninstall Roles, Role Services, or Features](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.

-2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option.

- If you clear **Windows Defender** by itself under the **Windows Defender Features** section, youΓÇÖll be prompted to remove the interface option **GUI for Windows Defender**.

- Microsoft Defender Antivirus will still run normally without the user interface, but the user interface canΓÇÖt be enabled if you disable the core **Windows Defender** feature.

-### Turn off the Microsoft Defender Antivirus user interface using PowerShell

-To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:

-```powershell

-Uninstall-WindowsFeature -Name Windows-Defender-GUI

-```

-### Are you using Windows Server 2012 R2 or Windows Server 2016?

-You can now run Microsoft Defender Antivirus in passive mode on Windows Server 2012 R2 and Windows Server 2016. For more information, see [Options to install Microsoft Defender for Endpoint](configure-server-endpoints.md#options-to-install-the-microsoft-defender-for-endpoint-packages).

-<br/><br/>

-| Disable Microsoft Defender Antivirus using Group Policy | In your Local Group Policy Editor, navigate to **Administrative Template** > **Windows Component** > **Endpoint Protection** > **Disable Endpoint Protection**, and then select **Enabled** > **OK**. |

-| Disable Microsoft Defender Antivirus using a registry key | To use the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*). |

-2. Execute the following PowerShell command: `Set-MpPreference -AllowNetworkProtectionOnWinServer 1`

-> - Live response

-> - Live response

-<br/><br/>

-<br/><br/>

-|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)|[Windows 10](/windows/release-health/release-information) <br/><br/> [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/><br/> Windows Server 2022 <br/><br/> [Windows Server 1803, or later](/windows-server/get-started/whats-new-in-windows-server-1803) <br/><br/> [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)|[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)|

-<br/> <br/>

-|Windows clients (such as endpoints running Windows 10 and Windows 11)|In general, you do not need to take any action for Windows clients (unless Microsoft Defender Antivirus has been uninstalled). Here's why: <br/><br/> Microsoft Defender Antivirus should still be installed, but is most likely disabled at this point of the migration process. <br/><br/> When a non-Microsoft antivirus/antimalware solution is installed and the clients are not yet onboarded to Defender for Endpoint, Microsoft Defender Antivirus is disabled automatically. <br/><br/> Later, when the client endpoints are onboarded to Defender for Endpoint, if those endpoints are running a non-Microsoft antivirus solution, Microsoft Defender Antivirus goes into passive mode. <br/><br/> If the non-Microsoft antivirus solution is uninstalled, Microsoft Defender Antivirus goes into active mode automatically.|

-|Windows servers|On Windows Server, you'll need to reinstall Microsoft Defender Antivirus, and set it to passive mode manually. On Windows servers, when a non-Microsoft antivirus/antimalware is installed, Microsoft Defender Antivirus cannot run alongside the non-Microsoft antivirus solution. In those cases, Microsoft Defender Antivirus is disabled or uninstalled manually. <br/><br/> To reinstall or enable Microsoft Defender Antivirus on Windows Server, perform the following tasks: <br/>- [Set DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) (only if necessary)<br/>- [Reinstall Microsoft Defender Antivirus on Windows Server 2016](#re-enable-microsoft-defender-antivirus-on-windows-server-2016)<br/>- [Reinstall Microsoft Defender Antivirus on Windows Server, version 1803 or later](#re-enable-microsoft-defender-antivirus-on-windows-server-version-1803-or-later)<br/>- [Set Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) <br/><br/>If you run into issues reinstalling or re-enabling Microsoft Defender Antivirus on Windows Server, see [Troubleshooting: Microsoft Defender Antivirus is getting uninstalled on Windows Server](switch-to-mde-troubleshooting.md#microsoft-defender-antivirus-is-getting-uninstalled-on-windows-server).|

-### Set DisableAntiSpyware to false on Windows Server

-The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee, Symantec, or others. **In general, you should not have this registry key on your Windows devices and endpoints**; however, if you *do* have `DisableAntiSpyware` configured, here's how to set its value to false:

-1. On your Windows Server device, open Registry Editor.

-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.

-3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.

- - If you do not see that entry, you're all set.

- - If you do see **DisableAntiSpyware**, proceed to step 4.

-4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.

-5. Set the value to `0`. (This action sets the registry key's value to *false*.)

-> [!TIP]

-> To learn more about this registry key, see [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).

-> - Windows Server 2019

-1. Open Registry Editor, and then navigate to

- ```text

- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection

- ```

-<br/><br/>

-During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list. You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:

-<br/><br/>

-<br/><br/>

-<br/><br/>

-<br/><br/>

-1. Open Registry Editor, and then navigate to:

- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.

-1. [Set the DisableAntiSpyware registry key to false](#set-the-disableantispyware-registry-key-to-false).

-2. [Add Microsoft Defender for Endpoint to the exclusion list](#add-microsoft-defender-for-endpoint-to-the-exclusion-list).

-3. [Set Microsoft Defender Antivirus to passive mode manually](#set-microsoft-defender-antivirus-to-passive-mode-manually).

-### Set the DisableAntiSpyware registry key to false

-The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee, Symantec, or others. **In general, you should not have this registry key on your Windows devices and endpoints**; however, if you *do* have `DisableAntiSpyware` configured, here's how to set its value to false:

-1. On your Windows Server device, open Registry Editor.

-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.

-3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.

- - If you do not see that entry, you're all set.

- - If you do see **DisableAntiSpyware**, proceed to step 4.

-4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.

-5. Set the value to `0`. (This action sets the registry key's value to *false*.)

-> [!TIP]

-> To learn more about this registry key, see [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).

-Users will see enriched detonation details for known malicious attachments or URLs found in their emails, which got detonated for their specific tenant. It will comprise of Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated.

-Trackers are just a few of the many great features you get with [Microsoft Defender for Office 365 Plan 2](office-365-ti.md). Threat Trackers include [Noteworth trackers](#noteworthy-trackers), [Trending trackers](#trending-trackers), [Tracked queries](#tracked-queries), and [Saved queries](#saved-queries).