Updates from: 04/05/2023 01:35:36
Category Microsoft Docs article Related commit history on GitHub Change details
commerce Manage Multi Tenant Billing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-multi-tenant-billing.md
Last updated 08/15/2022
You can simplify billing management for your organization by creating multi-tenant billing relationships with other tenants. A multi-tenant billing relationship lets you securely share your organization's billing account with other tenants, while maintaining control over your billing data. You can create subscriptions in different tenants and provide users in those tenants with access to your organization's billing account. This relationship lets users on those tenants do billing activities like viewing and downloading invoices or managing licenses. > [!IMPORTANT]
-> This article only applies to organizational account customers with a Microsoft Customer Agreement.
+> This article only applies to enterprise customers with a Microsoft Customer Agreement.
## Before you begin
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
f1.keywords:
Previously updated : 03/30/2023 Last updated : 04/04/2023 audience: Admin
Other considerations for simulation mode for auto-apply retention policies:
- A maximum of 30 simulation jobs can be active in a 12-hour time period. - A maximum of 100 item samples can be collected per mailbox.-- If you use [adaptive scopes](retention.md#adaptive-or-static-policy-scopes-for-retention) for your policy, a maximum of 20,000 locations (any combination of sites and mailboxes)
+- If you use [adaptive scopes](retention.md#adaptive-or-static-policy-scopes-for-retention) for your policy:
+ - A maximum of 20,000 locations (any combination of sites and mailboxes) is supported.
+ - Because these scopes use dynamic queries that run daily and can take a few days to fully populate, wait and confirm their membership before you start simulation.
- You might need to be assigned additional permissions to see the simulation results. For information about the required roles, see the next section, [Before you begin](#before-you-begin). - Simulation counts all items matching the policy criteria at time of simulation. However, when the policy is turned on, only content that isn't already labeled will be eligible for auto-applying retention labels. - Because simulation for Exchange locations always runs against emails stored in mailboxes, rather than emails sent and received, you won't see simulation results for emails when the policy condition is for sensitive information types.
compliance Data Classification Increase Accuracy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-increase-accuracy.md
This article shows you how to confirm whether items matched by a classifier are
The **Match**, **Not a match** experience is available in: -- Content Explorer-- Sensitive Information Type Matched Items page-- Trainable Classifier Matched Items page-- Microsoft Purview Data Loss Prevention (DLP) Alerts page
+- Content Explorer - for SharePoint Online sites, OneDrive for Business sites
+- Sensitive Information Type Matched Items page - for SharePoint Online sites, OneDrive for Business sites
+- Trainable Classifier Matched Items page - for SharePoint Online sites, OneDrive for Business sites
+- Microsoft Purview Data Loss Prevention (DLP) Alerts page - for SharePoint Online sites, OneDrive for Business sites, and emails in Exchange Online
+- Microsoft Threat Protection (MTP) Alerts page - for SharePoint Online sites, OneDrive for Business sites, and emails in Exchange Online
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
The **Match**, **Not a match** experience is available in:
|Custom trainable classifier |No| No| Yes| > [!IMPORTANT]
-> The match/not a match feedback experience supports items in SharePoint Online sites, OneDrive for Business sites, and emails in Exchange Online.
+> The match/not a match feedback experience supports items in :
+> SharePoint sites & OneDrive sites - for Content Explorer, Sensitive Information Type/ Trainaable Classifier Matched Items, DLP Alerts and MTP Alerts.
+> Emails in Exchange - for DLP Alerts and MTP Alerts.
## Licensing and Subscriptions
For information on the relevant licensing and subscriptions see the [licensing r
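Review bot: `Trainaable` in the second `+>` line is misspelled, and `items in :` in the first has a stray space before the colon. The three `+>` lines carry no list markers or blank quote lines, so Markdown folds them into one paragraph; make the two scopes `> -` bullets so the SharePoint/OneDrive row and the Exchange row stay separate.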
The contextual summary experience, where you indicate whether a matched item is a true positive (**Match**) or a false positive (**Not a match**), is similar across all of the places it surfaces. > [!IMPORTANT]
-> You must have already deployed DLP policies that use either SIT or trainable classifier to OneDrive sites, SharePoint sites, or Exchange mailboxes. You must also have had items match before any items appear in the **Contextual summary** page.
+> You must have already deployed DLP policies that use either SITs or trainable classifiers to OneDrive sites, SharePoint sites, or Exchange mailboxes. You must also have had items match before any items appear in the **Contextual summary** page.
### Using Content Explorer
This example shows you how to use the **Contextual Summary** tab to give feedbac
1. Open the **Microsoft Purview compliance portal** > **Data classification** > **Content explorer** page. 1. Type the name of the SIT or trainable classifier that you want to check matches for in **Filter on labels, info types, or categories**. 1. Select the SIT.
-1. Select the location. Only SharePoint, OneDrive are supported locations here. Make sure that there's a non-zero value in the **File** column.
+1. Select the location and make sure that there's a non-zero value in the **Files** column. (The only supported locations are SharePoint and OneDrive.)
1. Open the folder and then select a document. 1. Select the link in the **Sensitive info type** column for the document to see which SITs the item matched and the [confidence level](/microsoft-365/compliance/sensitive-information-type-learn-about.md#more-on-confidence-levels).
-1. Select **Close**
+1. Choose **Close**
1. Open a document and select the **Contextual Summary** tab. 1. Review the item and confirm whether or not it's a match.
-1. If it's a match, select **Close**. You're done.
-1. If it's not a match, select the **Not a match**.
-1. If you make a mistake and select the wrong option, select **Withdraw feedback** next to **Close**. This puts the item back into the **Not a match**/**Match** state.
+1. If it's a match, choose **Close**. You're finished.
+1. If it's not a match, choose **Not a match**.
+1. If you make a mistake and chose the wrong option, select **Withdraw feedback** next to **Close**. This puts the item back into the **Not a match**/**Match** state.
1. Review the item and redact or un-redact any text.
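Review bot: In the `+` Withdraw feedback step, `make a mistake and chose` mixes tenses, and the step still says `select **Withdraw feedback**` while the neighbouring steps were switched to `choose`. Suggest `If you make a mistake and choose the wrong option, choose **Withdraw feedback** next to **Close**.`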
-1. Select **Close**.
+1. Choose **Close**.
### Using Sensitive Information Type Matched Items page You can access the same feedback mechanisms in the **Sensitive Info types** page.
-1. Open the **Microsoft Purview compliance portal** > **Data classification** > **Classifiers** > **Sensitive info types** page.
+1. Open the **Microsoft Purview compliance portal** and navigate to **Data classification** > **Classifiers** > **Sensitive info types**.
1. In the **Search** field, enter the name of the SIT whose accuracy you want to check. 1. Open the SIT. This brings up **Overview** tab. Here you can see the count of the number of items that match, a count of the number of items that aren't a match, and the number of items with feedback. 1. Select the **Matched items** tab.
-1. Open the folder and select a document.
+1. Open the folder and select a document. Only SharePoint, OneDrive are supported locations here. Make sure that there's a non-zero value in the **Files** column.
1. Select the link in the **Sensitive info type** column for an item to see which SITs the item matched and the [confidence level](/microsoft-365/compliance/sensitive-information-type-learn-about.md#more-on-confidence-levels).
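Review bot: The sentences appended to the `+` step are out of order: the reader is told to open the folder and select a document, and only afterwards to confirm a non-zero **Files** value. Put the location check ahead of the document selection, and reuse the wording from the Content Explorer step, `(The only supported locations are SharePoint and OneDrive.)`, instead of `Only SharePoint, OneDrive are supported locations here.`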
-1. Select **Close**.
+1. Choose **Close**.
1. Open a document and then select the **Contextual Summary** tab. 1. Review the item and confirm whether it's a match.
-1. If it's a match, select **Match** and then **Close**.
-1. If it isn't a match, select **Not a Match ****
+1. If it's a match, choose **Match** and then **Close**.
+1. If it isn't a match, choose **Not a Match ****
1. If you make a mistake and select the wrong option, select **Withdraw feedback** next to **Close**. This puts the item back into the **Not a match**/**Match** state.
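Review bot: The `+` line `choose **Not a Match ****` keeps the broken bold markup of the line it replaces: a space before the closing `**` and a stray second `**`. Write `choose **Not a match**.`, which also matches the casing used for the button in the following step.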
-1. Select **Close**.
+1. Choose **Close**.
### Using Trainable Classifier Matched Items page
-1. Open the **Microsoft Purview compliance portal** > **Data classification** > **Trainable classifiers** page.
+1. Open the **Microsoft Purview compliance portal** and navigate to **Data classification** > **Trainable classifiers**.
1. Select the trainable classifier whose accuracy you want to check. 1. Open the trainable classifier. This brings up **Overview** tab. Here you can see the count of the number of items that match, a count of the number of items that aren't a match, and the number of items with feedback. 1. Select the **Matched items** tab.
-1. Open the folder and open a document.
+1. Open the folder and open a document. Only SharePoint, OneDrive are supported locations here. Make sure that there's a non-zero value in the **Files** column.
1. Open a document and then select the **Contextual Summary** tab. 1. Review the item and confirm whether it's a match.
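Review bot: The `+` step `Open the folder and open a document.` is followed directly by the unchanged step `Open a document and then select the **Contextual Summary** tab`, so the reader opens a document twice. The appended location check also arrives after the document is already open; move it ahead of this step and drop one of the two "open a document" instructions.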
-1. If it's a match, select **Match** and then **Close**.
-1. If it isn't a match, select **Not a Match ****
-1. If you make a mistake and select the wrong option, select **Withdraw feedback** next to **Close**. This puts the item back into the **Not a match**/**Match** state.
-1. Select **Close**.
+1. If it's a match, choose **Match** and then choose **Close**.
+1. If it isn't a match, choose **Not a Match ****
+1. If you make a mistake and select the wrong option, choose **Withdraw feedback** next to **Close**. This puts the item back into the **Not a match**/**Match** state.
+1. Choose **Close**.
### Using Data Loss Prevention Alerts page
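Review bot: `choose **Not a Match ****` in the second `+` step of the Trainable Classifier list has a trailing space inside the bold span and an extra `**`, so the bold will not close cleanly. It should read `choose **Not a match**.` to agree with `**Not a match**/**Match**` in the step after it.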
-1. Open the **Microsoft Purview compliance portal** > **Data loss prevention** > **Alerts** page.
-1. Select an alert.
-1. Select **View details**.
-1. Select the **Events** tab.
+1. Open the **Microsoft Purview compliance portal** and navigate to **Data loss prevention** > **Alerts** page.
+1. Choose an alert.
+1. Choose **View details**.
+1. Choose the **Events** tab.
1. Maximize the **Details** tab. 1. Review the item and confirm whether it's a match.
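Review bot: The first `+` step ends with a leftover word: `navigate to **Data loss prevention** > **Alerts** page.` The other rewritten navigation steps in this change end at the last bold item, so drop the trailing `page`.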
-1. Select **Actions**.
+1. Choose **Actions**.
1. If it's a match, close the window. You're finished.
-1. If it's not a match, select **Actions** and **Not a match**.
+1. If it's not a match, choose **Actions** and then **Not a match**.
1. Review the item and redact or un-redact any text. 1. Close the window.
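Review bot: `Choose **Actions**.` sits before the match decision, but the unchanged next step says to close the window on a match and the following `+` step opens **Actions** again for a non-match. Remove the standalone **Actions** step so the menu is opened only on the not-a-match path.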
compliance Document Fingerprinting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-fingerprinting.md
Title: "About Document Fingerprinting"
+ Title: "About document fingerprinting"
f1.keywords: - NOCSH Previously updated : 09/17/2019 Last updated : 03/28/2023 audience: ITPro search.appverid: MET150
- purview-compliance - tier1 ms.localizationpriority: medium
-description: "Document Fingerprinting makes it easier for you to protect information by identifying standard forms that are used by your organization. This topic describes the concepts behind Document Fingerprinting and how to create one by using PowerShell."
+description: "Document fingerprinting makes it easier for you to protect information by identifying standard forms that are used by your organization. This article describes the concepts behind document fingerprinting and how to create one by using PowerShell."
-# Document Fingerprinting
+# Document fingerprinting
-Information workers in your organization handle many kinds of sensitive information during a typical day. In the Microsoft Purview compliance portal, Document Fingerprinting makes it easier for you to protect this information by identifying standard forms that are used throughout your organization. This topic describes the concepts behind Document Fingerprinting and how to create a document fingerprint using PowerShell.
+Information workers in your organization handle many kinds of sensitive information during a typical day. In the Microsoft Purview compliance portal, document fingerprinting makes it easier for you to protect this information by identifying standard forms that are used throughout your organization. This article describes the concepts behind document fingerprinting and how to create a document fingerprint using the compliance portal or using PowerShell.
+Document fingerprinting includes the following features:
+- DLP can use document fingerprinting as a detection method in Exchange, SharePoint, OneDrive, Teams, and Devices.
+- Document fingerprint features can be managed through the Microsoft Purview compliance portal.
+- [Partial matching](#partial-matching) is supported.
+- [Exact matching](#exact-matching) is supported.
+- Improved detection accuracy
+- Support for detection in multiple languages, including dual-byte languages such as Chinese, Japanese, and Korean.
-## Basic scenario for Document Fingerprinting
+> [!Important]
+> If you are an E5 customer, we recommend updating your existing fingerprints to take advantage of the full document fingerprint feature set.
+> If you are an E3 customer, we recommend upgrading to an E5 license. If you choose not to, you won't be able to modify existing fingerprints or create new ones after April, 2023.
-Document Fingerprinting is a Microsoft Purview Data Loss Prevention (DLP) feature that converts a standard form into a sensitive information type, which you can use in the rules of your DLP policies. For example, you can create a document fingerprint based on a blank patent template and then create a DLP policy that detects and blocks all outgoing patent templates with sensitive content filled in. Optionally, you can set up [policy tips](use-notifications-and-policy-tips.md) to notify senders that they might be sending sensitive information, and that the sender should verify that the recipients are qualified to receive the patents. This process works with any text-based forms used in your organization. Additional examples of forms that you can upload include:
+## Basic scenario for document fingerprinting
+
+Document fingerprinting is a Microsoft Purview Data Loss Prevention (DLP) feature that converts a standard form into a sensitive information type (SIT), which you can use in the rules of your DLP policies. For example, you can create a document fingerprint based on a blank patent template and then create a DLP policy that detects and blocks all outgoing patent templates with sensitive content filled in. Optionally, you can set up [policy tips](use-notifications-and-policy-tips.md) to notify senders that they might be sending sensitive information, and that the sender should verify that the recipients are qualified to receive the patents. This process works with any text-based forms used in your organization. Other examples of forms that you can upload include:
- Government forms - Health Insurance Portability and Accountability Act (HIPAA) compliance forms - Employee information forms for Human Resources departments - Custom forms created specifically for your organization
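Review bot: The front-matter `description` in the `+` line still ends with `how to create one by using PowerShell`, while the rewritten introduction says a fingerprint can be created `using the compliance portal or using PowerShell`. Align the description with the introduction. In the feature list, `Improved detection accuracy` is the only bullet without a verb or a closing period.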
-Ideally, your organization already has an established business practice of using certain forms to transmit sensitive information. After you upload an empty form to be converted to a document fingerprint and set up a corresponding policy, the DLP detects any documents in outbound mail that match that fingerprint.
-
-## How Document Fingerprinting works
-
-You've probably already guessed that documents don't have actual fingerprints, but the name helps explain the feature. In the same way that a person's fingerprints have unique patterns, documents have unique word patterns. When you upload a file, DLP identifies the unique word pattern in the document, creates a document fingerprint based on that pattern, and uses that document fingerprint to detect outbound documents containing the same pattern. That's why uploading a form or template creates the most effective type of document fingerprint. Everyone who fills out a form uses the same original set of words and then adds his or her own words to the document. As long as the outbound document isn't password protected and contains all the text from the original form, DLP can determine whether the document matches the document fingerprint.
+Ideally, your organization already has an established business practice of using certain forms to transmit sensitive information. To enable detection, upload an empty form to be converted to a document fingerprint. Next, set up a corresponding policy. Once you complete these steps, DLP detects any documents in outbound mail that match that fingerprint.
-> [!IMPORTANT]
-> For now, DLP can use document fingerprinting as a detection method in Exchange online only.
-
-The following example shows what happens if you create a document fingerprint based on a patent template, but you can use any form as a basis for creating a document fingerprint.
+## How document fingerprinting works
-### Example of a patent document matching a document fingerprint of a patent template
+You have probably already guessed that documents don't have actual fingerprints, but the name helps explain the feature. In the same way that a person's fingerprints have unique patterns, documents have unique word patterns. When you upload a file, DLP identifies the unique word pattern in the document, creates a document fingerprint based on that pattern, and uses that document fingerprint to detect outbound documents containing the same pattern. That's why uploading a form or template creates the most effective type of document fingerprint. Everyone who fills out a form uses the same original set of words and then adds their own words to the document. If the outbound document isn't password protected and contains all the text from the original form, DLP can determine whether the document matches the document fingerprint.
![Diagram of document fingerprinting.](../media/Document-Fingerprinting-diagram.png)
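Review bot: The removed note limited fingerprint detection to Exchange Online and the new feature list names Exchange, SharePoint, OneDrive, Teams, and Devices, yet the `+` paragraph under "Basic scenario" still says DLP detects `any documents in outbound mail`. Reword it, and `outbound documents` in the "How document fingerprinting works" paragraph, so the text covers the non-mail locations as well.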
-The patent template contains the blank fields "Patent title," "Inventors," and "Description", along with descriptions for each of those fields--that's the word pattern. When you upload the original patent template, it's in one of the supported file types and in plain text. DLP converts this word pattern into a document fingerprint, which is a small Unicode XML file containing a unique hash value representing the original text, and the fingerprint is saved as a data classification in Active Directory. (As a security measure, the original document itself isn't stored on the service; only the hash value is stored, and the original document can't be reconstructed from the hash value.) The patent fingerprint then becomes a sensitive information type that you can associate with a DLP policy. After you associate the fingerprint with a DLP policy, DLP detects any outbound emails containing documents that match the patent fingerprint and deals with them according to your organization's policy.
+The patent template contains the blank fields "Patent title," "Inventors," and "Description", along with descriptions for each of those fieldsΓÇöthat's the word pattern. When you upload the original patent template, it's in one of the supported file types and in plain text. DLP converts this word pattern into a document fingerprint, which is a small Unicode XML file containing a unique hash value that represents the original text. The fingerprint is saved as a data classification in Active Directory. (As a security measure, the original document itself isn't stored on the service; only the hash value is stored. The original document can't be reconstructed from the hash value.) The patent fingerprint then becomes a SIT that you can associate with a DLP policy. After you associate the fingerprint with a DLP policy, DLP detects any outbound emails containing content that matches the patent fingerprint and deals with it according to your organization's policy.
-For example, you might want to set up a DLP policy that prevents regular employees from sending outgoing messages containing patents. DLP will use the patent fingerprint to detect patents and block those emails. Alternatively, you might want to let your legal department be able to send patents to other organizations because it has a business need for doing so. You can allow specific departments to send sensitive information by creating exceptions for those departments in your DLP policy, or you can allow them to override a policy tip with a business justification.
+For example, if you set up a DLP policy that prevents regular employees from sending outgoing messages containing patents, DLP uses the patent fingerprint to detect patents and block those emails. Alternatively, you might want to let your legal department be able to send patents to other organizations because it has a business need for doing so. To allow specific departments to send sensitive information, create exceptions for those departments in your DLP policy. Alternatively, you can allow them to override a policy tip with a business justification.
> [!IMPORTANT]
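Review bot: The `+` paragraph beginning `The patent template contains` replaces the ASCII `--` after `each of those fields` with a character that shows up here as `ΓÇö`, which points to a dash saved or read in the wrong encoding. Confirm the file is UTF-8 and that the dash renders, or keep the ASCII form.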
-> Text in embedded documents is not considered for fingerprint creation. You should provide sample template files that don't contain embedded documents.
+> Text in embedded documents is not considered for fingerprint creation. You need to provide sample template files that don't contain embedded documents.
### Supported file types
-Document Fingerprinting supports the same file types that are supported in mail flow rules (also known as transport rules). For a list of supported file types, see [Supported file types for mail flow rule content inspection](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection). One quick note about file types: neither mail flow rules nor Document Fingerprinting supports the .dotx file type, which can be confusing because that's a template file in Word. When you see the word "template" in this and other Document Fingerprinting topics, it refers to a document that you have established as a standard form, not the template file type.
+Document fingerprinting supports the same file types that are supported in mail flow rules (also known as transport rules). For a list of supported file types, see [Supported file types for mail flow rule content inspection](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection). One quick note about file types: neither mail flow rules nor document fingerprinting supports the **.dotx** file type, which is a template file in Microsoft Word. When you see the word "template" in this and other document fingerprinting articles, it refers to a document that you've established as a standard form, not the template file type.
#### Limitations of document fingerprinting
-Document Fingerprinting won't detect sensitive information in the following cases:
+Document fingerprinting doesn't detect sensitive information in the following cases:
- Password protected files-- Files that contain only images
+- Files that contain images only
- Documents that don't contain all the text from the original form used to create the document fingerprint-- Files greater than 10 MB-- Fingerprints are stored in a separate rule pack that has a maximum size limit of 150 KB. Given this limit, you can create around 50 fingerprints per tenant.
+- Files larger than 4 MB
+
+> [!NOTE]
+> To use document fingerprinting with devices, **Advanced fingerprinting** must be turned on.
+
+Fingerprints are stored in a separate rule pack. This rule pack has a maximum size limit of 150 KB. Given this limit, you can create approximately 50 fingerprints per tenant.
+
+The following examples show what happens if you create a document fingerprint based on a patent template. However, you can use any form as a basis for creating a document fingerprint.
+
+### Compliance portal example of a patent document matching a document fingerprint of a patent template
+
+1. In the Microsoft Purview compliance portal, select **Data classification** and then choose **Classifiers**.
+1. On the **Classifiers** page, choose **Sensitive info types** > **Create Fingerprint based SIT**.
+1. Enter a name and description for your new SIT.
+1. Upload the file you wish to use as the fingerprint template.
+1. OPTIONAL: Adjust the requirements for each confidence level and then choose **Next**. For more information, see [[Partial matching](#partial-matching)](#partial-matching) and [Exact matching](#exact-matching).
+1. Review your settings > **Create**.
+1. When the confirmation page displays, choose **Done**.
+
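Review bot: Step 5 of the portal procedure has doubled link markup, `[[Partial matching](#partial-matching)](#partial-matching)`, which will render stray brackets. Use a single `[Partial matching](#partial-matching)`. Step 6, `Review your settings > **Create**`, uses `>` to join two actions rather than a menu path; `Review your settings and then choose **Create**` reads more clearly.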
+### PowerShell example of a patent document matching a document fingerprint of a patent template
+
+```powershell
+>> $Patent_Form = ([System.IO.File]::ReadAllBytes('C:\My Documents\patent.docx'))
+
+>> New-DlpSensitiveInformationType -Name "Patent SIT" -FileData $Patent_Form -ThresholdConfig @{low=40;medium=60;high=80} -IsExact $false -Description "Contoso Patent Template"
+```
+
+<br>
+
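Review bot: Both commands inside the `powershell` fence start with `>>`, the console continuation prompt, so they will not run as intended when pasted as written. Remove the prompts, as in the other PowerShell blocks on this page. The `<br>` after the fence is layout markup that the heading below makes unnecessary.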
+### Partial matching
+To configure partial matching of a document fingerprint, when configuring the confidence level, choose **Low**, **Medium** or **High** and designate how much of the text in the file must match the fingerprint in terms of a percentage between 30% - 90%.
+
+A high confidence level returns the fewest false positives but might result in more false negatives. Low or medium confidence levels return more false positives but few to zero false negatives.
+
+- **low confidence**: Matched items will contain the fewest false negatives but the most false positives. Low confidence returns all low, medium, and high confidence matches.
+- **medium confidence**: Matched items will contain an average number of false positives and false negatives. Medium confidence returns all medium, and high confidence matches.
+- **high confidence**: Matched items will contain the fewest false positives but the most false negatives.
+
+### Exact matching
+To configure exact matching of a document fingerprint, select **Exact** as the value for the high confidence level. When you set the high confidence level to **Exact**, only files that have exactly the same text as the fingerprint will be detected. If the file has even a small deviation from the fingerprint, it will not be detected.
++
+## Already using fingerprint SITs?
+Your existing fingerprints and policies/rules for those fingerprints should continue to work. If you don't want to use the latest fingerprint features, you don't have to do anything.
+
+If you have an E5 license and want to use the latest fingerprint features, you can either create a new fingerprint or [migrate a policy](#migrate-a-new-policy-using-your-fingerprint-sit-using-the-compliance-portal) to the newer version.
+
+> [!NOTE]
+> Creating new fingerprints using the templates on which a fingerprint already exists is not supported.
+<br>
+<br>
-## Use PowerShell to create a classification rule package based on document fingerprinting
+## Create a new policy using your fingerprint SIT using the compliance portal
+
+1. In the Microsoft Purview compliance portal, select **Data loss prevention** > **Policies** > **Sensitive info types** > **+ Create policy** > **Custom** to create a new policy.
+1. Select your region or country > **Next**.
+1. Name your policy and provide a description > **Next**.
+1. On the **Assign admin units** page, choose between these two options:
+ - Apply the policy to all users and groups > **Next**. </br>
+ or
+ - Add specific users and groups that you want to be subject to the policy > **Next**.
+1. Select the locations where you want the policy applied > **Next**.
+1. On the **Define policy settings** page, choose **Create customize advanced DLP rules** > **Next**.
+1. On the **Customize advanced DLP rules** page, choose **Create rule**.
+1. Enter a name and description for your rule.
+1. Under **Conditions** choose **Add condition** > **Content contains**.
+1. Give your new set of DLP rules a **Group name** > **Add** > **Sensitive info types**.
+1. Search for and select the name of your fingerprint SIT > **Add**.
+1. Select your confidence level > **Add an action**.
+1. Select the action to take when the rule is triggered, and then specify the action details > **Save** > **Next**.
+1. Choose between these two options:
+ - Test your policy > **Next**.</br>
+ or
+ - turn on your policy right away > **Next**.
+1. Review your settings > **Submit** > **Done**.
+
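Review bot: The `[migrate a policy]` link added under "Already using fingerprint SITs?" targets `#migrate-a-new-policy-using-your-fingerprint-sit-using-the-compliance-portal`, but the only matching heading in this change is `## Create a new policy using your fingerprint SIT using the compliance portal`, whose anchor would start with `create-`. Either rename the link target or add the migration section it refers to; as written the paragraph promises a migration path that the steps below do not describe.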
+## Create a custom sensitive information type based on document fingerprinting using PowerShell
Currently, you can create a document fingerprint only in [Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell).
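Review bot: The unchanged sentence under the new PowerShell heading, `Currently, you can create a document fingerprint only in [Security & Compliance PowerShell]`, now contradicts the compliance portal procedure this change adds (`Sensitive info types` > `Create Fingerprint based SIT`). Update or remove it, for example by saying the cmdlets in this section run in Security & Compliance PowerShell.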
-DLP uses classification rule packages to detect sensitive content. To create a classification rule package based on a document fingerprint, use the **New-DlpFingerprint** and **New-DlpSensitiveInformationType** cmdlets. Because the results of **New-DlpFingerprint** aren't stored outside the data classification rule, you always run **New-DlpFingerprint** and **New-DlpSensitiveInformationType** or **Set-DlpSensitiveInformationType** in the same PowerShell session. The following example creates a new document fingerprint based on the file C:\My Documents\Contoso Employee Template.docx. You store the new fingerprint as a variable so you can use it with the **New-DlpSensitiveInformationType** cmdlet in the same PowerShell session.
+DLP uses Sensitive information types(SIT) to detect sensitive content. To create a custom SIT based on a document fingerprint, use the **New-DlpSensitiveInformationType** cmdlet. The following example creates a new document fingerprint named ΓÇ£Contoso Customer ConfidentialΓÇ¥ based on the file C:\My Documents\Contoso Customer Form.docx.
```powershell $Employee_Template = ([System.IO.File]::ReadAllBytes('C:\My Documents\Contoso Employee Template.docx')) $Employee_Fingerprint = New-DlpFingerprint -FileData $Employee_Template -Description "Contoso Employee Template" ```
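Review bot: The rewritten `+` paragraph says to use only `New-DlpSensitiveInformationType` and names the file `Contoso Customer Form.docx`, but the unchanged code block right after it still reads `Contoso Employee Template.docx` and calls `New-DlpFingerprint`, which the prose no longer mentions. Remove this block or replace it, otherwise the text and the first example disagree on both the cmdlet and the file.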
-Now, let's create a new data classification rule named "Contoso Employee Confidential" that uses the document fingerprint of the file C:\My Documents\Contoso Customer Information Form.docx.
- ```powershell
-$Customer_Form = ([System.IO.File]::ReadAllBytes('C:\My Documents\Contoso Customer Information Form.docx'))
-$Customer_Fingerprint = New-DlpFingerprint -FileData $Customer_Form -Description "Contoso Customer Information Form"
-New-DlpSensitiveInformationType -Name "Contoso Customer Confidential" -Fingerprints $Customer_Fingerprint -Description "Message contains Contoso customer information."
-```
+$Employee_Form = ([System.IO.File]::ReadAllBytes('C:\My Documents\Contoso Customer Form.docx'))
-You can now use the **Get-DlpSensitiveInformationType** cmdlet to find all DLP data classification rule packages, and in this example, "Contoso Customer Confidential" is part of the data classification rule packages list.
+New-DlpSensitiveInformationType -Name "Contoso Customer Confidential" -FileData $Employee_Form -ThresholdConfig @{low=40;medium=60;high=80} -IsExact $false -Description "Message contains Contoso customer information."
+```
-Finally, add the "Contoso Customer Confidential" data classification rule package to a DLP policy in the Microsoft Purview compliance portal. This example adds a rule to an existing DLP policy named "ConfidentialPolicy".
+Finally, add the "Contoso Customer Confidential" sensitive information type to a DLP policy in the Microsoft Purview compliance portal. This example adds a rule to an existing DLP policy, named "ConfidentialPolicy".
```powershell New-DlpComplianceRule -Name "ContosoConfidentialRule" -Policy "ConfidentialPolicy" -ContentContainsSensitiveInformation @{Name="Contoso Customer Confidential"} -BlockAccess $True ```
-You can also use the data classification rule package in mail flow rules in Exchange Online, as shown in the following example. To run this command, you first need to [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). Also note that it takes time for the rule package to sync from the Microsoft Purview compliance portal to the Exchange admin center.
+You can also use the Fingerprint SIT in mail flow rules in Exchange, as shown in the following example. To run this command, you first need to Connect to Exchange PowerShell. Also note that it takes time for the SITs to sync from the Microsoft Purview compliance portal to the Exchange admin center.
```powershell New-TransportRule -Name "Notify :External Recipient Contoso confidential" -NotifySender NotifyOnly -Mode Enforce -SentToScope NotInOrganization -MessageContainsDataClassification @{Name=" Contoso Customer Confidential"}
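Review bot: The two added commands (`$Employee_Form = ...` and `New-DlpSensitiveInformationType ... -FileData $Employee_Form`) end with a closing fence but, as shown here, have no opening powershell fence. The unchanged block above them still calls `New-DlpFingerprint` on Contoso Employee Template.docx, although the rewritten intro now names only **New-DlpSensitiveInformationType**. Suggest replacing the old block so the two new commands sit in one fenced block, and renaming `$Employee_Form` to `$Customer_Form`, since it holds the bytes of Contoso Customer Form.docx. Smaller points: "Sensitive information types(SIT)" needs a space before the parenthesis, the revised Exchange sentence drops the link that "Connect to Exchange PowerShell" used to carry, and the unchanged `New-TransportRule` example passes `@{Name=" Contoso Customer Confidential"}` with a leading space that does not match the SIT name created above.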
For syntax and parameter information, see:
- [Remove-DlpSensitiveInformationType](/powershell/module/exchange/Remove-DlpSensitiveInformationType) - [Set-DlpSensitiveInformationType](/powershell/module/exchange/Set-DlpSensitiveInformationType) - [Get-DlpSensitiveInformationType](/powershell/module/exchange/Get-DlpSensitiveInformationType)+
+## Edit, test, or delete a document fingerprint
+
+To do this via the user interface, open the fingerprint SIT you want to edit, test, or delete and choose the appropriate icon.
+
+To do this via PowerShell, run the following command(s).
+
+**Edit a document fingerprint**
+```powershell
+>> Set-DlpSensitiveInformationType -Name "Fingerprint SIT" -FileData ([System.IO.File]::ReadAllBytes('C:\My Documents\file1.docx')) -ThresholdConfig @{low=30;medium=50;high=80} -IsExact $false-Description "A friendly Description"
+```
+<br>
+
+**Test a document fingerprint**
+```powershell
+>> $r = Test-DataClassification -TextToClassify "Credit card information Visa: 4485 3647 3952 7352. Patient Identifier or SSN: 452-12-1232"
+>> $r.ClassificationResults
+```
+<br>
+
+**Delete a document fingerprint**
+```powershell
+>> Remove-DlpSensitiveInformationType "Fingerprint SIT"
+```
+
+## Migrate a new policy using your fingerprint SIT using the compliance portal
+
+1. In the Microsoft Purview compliance portal, select **Data loss prevention** > **Policies** > **Sensitive info types**.
+1. Open the SIT containing the fingerprint that you want to migrate.
+1. Choose **Edit**.
+1. Upload the same fingerprint file again.
+1. Review the fingerprint settings > **Done**.
+
+## Migrate a fingerprint using PowerShell
+
+Enter the following command:
+```powershell
+Set-DlpSensitiveInformationType -Name "Old Fingerprint" -FileData ([System.IO.File]::ReadAllBytes('C:\My Documents\file1.docx')) -ThresholdConfig @{low=30;medium=50;high=80} -IsExact $false-Description "A friendly Description"
+```
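Review bot: In both the "Edit a document fingerprint" and "Migrate a fingerprint using PowerShell" commands, `-IsExact $false-Description "A friendly Description"` is missing the space before `-Description`, so `-Description` is not parsed as a parameter; write `-IsExact $false -Description "A friendly Description"`. The `>>` prefixes on the Edit, Test and Delete commands should be removed so the lines can be pasted as-is. The Test example classifies credit card and SSN text and never refers to a fingerprint SIT, so it does not show how to test a fingerprint; either use text taken from the fingerprinted form or say which result in `$r.ClassificationResults` to look for. The Migrate command is the same as the Edit command apart from the name, so a sentence on what the migration changes would help, and the heading "Migrate a new policy using your fingerprint SIT using the compliance portal" reads better as a single "using".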
compliance Ediscovery Create Draft Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-create-draft-collection.md
You can use the options in the **Actions** menu on the flyout page of a collecti
![Options on Actions menu for collection estimate.](../media/ediscovery-collection-estimate-actions-menu.png)
-Here's the descriptions of the management options.
+Here's the descriptions of the pre-collection estimate management options.
- **Edit collection**: Change the settings of the collection estimate. After you make changes, you can rerun the collection and update the search estimates and statistics. As previously explained, you use this option to commit a collection estimate to a review set. - **Commit collection**: Commit a collection to a review set. This means that you rerun the collection (using the current settings) and add the items returned by the collection to a review set. As previously explained, you can also configure additional settings (such as conversation threading and cloud-based attachments) when you add the collection to a review set. For more information and step-by-step instructions, see [Commit a collection estimate to a review set](ediscovery-commit-draft-collection.md).
+- **Export item report**: Similar to the [exporting items in Content search](/microsoft-365/compliance/ediscovery-export-a-content-search-report), you can choose this option to export the results of the report that is based on the actual items that can be retrieved from the source. After selecting, you have the following export options for collected items:
+
+ - **Types of collected items to include in the export**: Choose to export collected items with search hits, items with search hits and partially indexed items without hits, or only partially indexed items without search hits. You can also choose to one or more of the following options for collected items:
+
+ - Include Microsoft Teams and Yammer conversations
+ - Include cloud attachments
+ - Include all existing versions of Microsoft 365 documents on SharePoint
+ - Include subfolder contents (insider subfolders of a matched folder)
+ - Include files in SharePoint lists (and their child items)
+
+- **Export collected items**: Export the collected items without adding the items to the review set. This option is useful in scenarios where data residency requirements associated with data storage may be prohibitive and you need collected data as a download. After selecting, you have the following export options for collected items:
+
+ - **Types of collected items to include in the export**: Choose to export collected items with search hits, items with search hits and partially indexed items without hits, or only partially indexed items without search hits. You can also choose to one or more of the following options for collected items:
+
+ - Include Microsoft Teams and Yammer conversations
+ - Include cloud attachments
+ - Include all existing versions of Microsoft 365 documents on SharePoint
+ - Include subfolder contents (inside subfolders of a matched folder)
+ - Include files in SharePoint lists (and their child items)
+
+ - **How to format emails**: Choose an option of how collected emails should be formatted:
+
+ - Individual .pst files for each mailbox
+ - Individual .msg files for each message
+ - Individual .eml files for each message
+ - **Delete collection**: Delete a collection estimate. After you commit a collection estimate to a review set, it can't be deleted. - **Refresh estimates**: Rerun the query (against the data sources) specified in the collection estimate to update the search estimates and statistics. - **Export as report**: Exports information about the collection estimate to a CSV file that you can download to your local computer. The export report contains the following information:
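Review bot: Under **Export item report**, "Include subfolder contents (insider subfolders of a matched folder)" has a typo; the same bullet under **Export collected items** correctly says "inside subfolders". In both option lists, "You can also choose to one or more of the following options" is missing its verb ("choose to include one or more"). The changed lead-in should read "Here are the descriptions of the pre-collection estimate management options." Since the "Types of collected items to include in the export" block is repeated word for word under both export options, consider stating it once and referring to it from the second option, so the two copies cannot drift apart again.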
Here's the descriptions of the management options.
- **Copy collection**: Create a new collection estimate by copying the settings from an existing collection. You have to use a different name for the new collection. You also have the option to modify the settings before you submit the new collection. After you submit it, the search query runs and new estimates and statistics are generated. This is a good way to quickly create additional collection estimate and then modify selected settings as necessary while still preserving information in the original collection. This also lets you easily compare the results of two similar collections. > [!NOTE]
-> After a collection estimate is committed to a review set, you can only copy the collection and export a report.
+> After a collection estimate is committed to a review set, you can only select **Copy collection** and **Export as report**.
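Review bot: The revised note limits a committed collection estimate to **Copy collection** and **Export as report**, but the same change introduces **Export item report** and **Export collected items** in the options list. Please confirm whether those two actions are unavailable after a commit, and say so explicitly in the note if they are, because readers will otherwise assume the note predates the new options.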
compliance Ediscovery Managing Jobs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-managing-jobs.md
f1.keywords:
Previously updated : 01/01/2023 Last updated : 03/31/2023 audience: Admin
Here's a list of the jobs (which are typically long-running processes) that are
|Adding remediated data to a review set|Data with processing errors is remediated and loaded back into a review set. For more information, see: <ul><li>[Error remediation when processing data](ediscovery-error-remediation-when-processing-data.md)</li><li>[Single item error remediation](ediscovery-single-item-error-remediation.md)</li></ul>| |Comparing load sets|A user looks at the differences between different load sets in a review set. A load set is an instance of adding data to a review set. For example, if you add the results of two different searches to the same review set, each would represent a load set.| |Conversation reconstruction|When a user adds the results of a search to a conversation review set, instant message conversations (also called *threaded conversations*) in services like Microsoft Teams are reconstructed in a PDF file. This job is also triggered when a user selects **Action > Create conversation PDFs** in a review set. For more information, see [Review conversations in eDiscovery (Premium)](ediscovery-conversation-review-sets.md).
-|Converting redacted documents to PDF|After a user annotates a document in a review set and redacts a portion of it, they can choose to convert the redacted document to a PDF file. This ensures that the redacted portion will not be visible if the document is exported for presentation. For more information, see [View documents in a review set](ediscovery-view-documents-in-review-set.md).|
+|Converting redacted documents to PDF|After a user annotates a document in a review set and redacts a portion of it, they can choose to convert the redacted document to a PDF file. This ensures that the redacted portion won't be visible if the document is exported for presentation. For more information, see [View documents in a review set](ediscovery-view-documents-in-review-set.md).|
|Estimating search results|After a user creates and runs or reruns a collection estimate, the search tool searches the index for items that match the search query and prepares an estimate that includes the number and total size of all items by the search, and the number of data sources searched. For more information, see [Collect data for a case](collecting-data-for-ediscovery.md).| |Preparing data for export|A user exports documents from a review set. When the export process is complete, they can download the exported data to a local computer. For more information, see [Export case data](ediscovery-exporting-data.md).| |Preparing for error resolution|When a user selects a file and creates a new error remediation in the Error view on the **Processing** tab of a case, the first step in the process is to upload the file that has the processing error to an Azure Storage location in the Microsoft cloud. This job tracks the progress of the upload process. For more information about the error remediation workflow, see [Error remediation when processing data](ediscovery-error-remediation-when-processing-data.md).|
The following table describes the different status states for jobs.
|Successful|The job was successfully completed. The date and time that the job completed is displayed in the **Completed** column on the **Jobs** tab.| |Partially successful|The job was successful. This status is typically returned when the job didn't find any partially indexed data (also called *unindexed data*) in some of the custodian data sources.| |Failed|The job failed. You should attempt to rerun the action that triggered the job. If the job fails a second time, we recommend that you contact Microsoft Support and provide the support information from the job.|+
+## Job data retention
+
+Data retention for log information for all jobs is retained for up to 29 days by default.
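Review bot: The new "Job data retention" sentence is circular ("Data retention ... is retained") and "by default" implies the period can be changed without saying where. Suggest "Log information for all jobs is retained for up to 29 days.", and either drop "by default" or add where the retention period is configured.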
compliance Ediscovery Teams Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-teams-investigation.md
+
+ Title: Conduct an eDiscovery investigation of content in Microsoft Teams
+description: Learn about conducting an eDiscovery investigation of content in Microsoft Teams.
+++++
+audience: admin
+
+- tier1
+- purview-compliance
+- M365-collaboration
+- ediscovery
+ Last updated : 04/04/2023
+search.appverid: MET150
+f1.keywords:
+ - NOCSH
+appliesto:
+ - Microsoft Teams
+++
+# Conduct an eDiscovery investigation of content in Microsoft Teams
+
+Large enterprises are often exposed to high penalty legal proceedings that demand submission of all Electronically Stored Information (ESI). Microsoft Teams content can be searched and used during eDiscovery investigations.
+
+## Overview
+
+All Microsoft Teams 1:1 or group chats are journaled through to the respective users' mailboxes. All standard channel messages are journaled through to the group mailbox representing the team. Files uploaded in standard channels are covered under the eDiscovery functionality for SharePoint Online and OneDrive for Business.
+
+eDiscovery of messages and files in [private channels](/microsoftteams/private-channels.md) works differently than in standard channels. To learn more, see [eDiscovery of private channels](#ediscovery-of-private-and-shared-channels).
+
+Not all Teams content is eDiscoverable. The following table shows the content types that you can search for using Microsoft eDiscovery tools:
+
+|**Content type**|**Notes**|
+|:|:--|
+|Audio recordings||
+|Card content|See [Search for card content](#search-for-card-content) for more information.|
+|Chat links||
+|Chat messages|This includes content in standard Teams channels, 1:1 chats, 1:N group chats, chats with yourself, and chats with guests.|
+|Code snippets||
+|Edited messages|If the user is on hold, previous versions of edited messages are also preserved.|
+|Emojis, GIFs, and stickers||
+|Inline images||
+|Loop components|Content in a loop component is saved in a .fluid file that's stored in the OneDrive for Business account of the user who sends the loop component. That means you have to include OneDrive as a data source when searching for content in loop components.|
+|Meeting IM conversations||
+|Meeting metadata<sup>1</sup>||
+|Name of channel||
+|Quotes|Quoted content is searchable. However, search results don't indicate that the content was quoted.|
+|Reactions (such as likes, hearts, and other reactions)|Reactions are supported for all commercial customers after June 1, 2022. Reactions before this date aren't available for eDiscovery. Expanded reactions are now supported. To understand reaction history, the content must be on legal hold.|
+|Subject||
+|Tables||
+|Teams Video Clip (TVC)|Search TVC with "Video-Clip" keyword and "save as" a .mp4 file for each TVC attachment by right-clicking the preview (search by keyword will be available in October 2022). TVC data is discoverable in eDiscovery [review sets](/microsoft-365/compliance/add-data-to-review-set).
+
+<a name="teams-metadata"></a><sup>1</sup> Meeting (and call) metadata includes the following:
+
+- Meeting start and end time, and duration
+- Meeting join and leave events for each participant
+- VOIP joins/calls
+- Anonymous joins
+- Federated user joins
+- Guest joins
+
+Here's an example of a chat conversation between participants during a meeting.
+
+![Conversation between participants in Teams.](../media/MeetingIMConversations.png)
+
+Here's an example of the compliance copy of the same chat conversation viewed in an eDiscovery tool.
+
+![Conversation between participants in eDiscovery search results.](../media/MeetingImConversation2.png)
+
+Here's an example of the meeting metadata.
+
+![The meeting metadata from the compliance copy.](../media/conversationOption3.png)
+
+For more information about conducting an eDiscovery investigation, see [Get started with eDiscovery (Standard)](/microsoft-365/compliance/get-started-core-ediscovery).
+
+Microsoft Teams data will appear as IM or Conversations in the Excel eDiscovery export output. You can open the `.pst` file in Outlook to view those messages after you export them.
+
+When viewing the .pst file for the team, all conversations are located in the Team Chat folder under Conversation History. The title of the message contains the team name and channel name. For example, the image below shows a message from Bob who messaged the Project 7 standard channel of the Manufacturing Specs team.
+
+![Screenshot of a Team Chat folder in a user's mailbox in Outlook.](../media/Conduct_an_eDiscovery_investigation_of_content_in_Microsoft_Teams_image1.png)
+
+Private chats in a user's mailbox are stored in the Team Chat folder under Conversation History.
+
+## eDiscovery of private and shared channels
+
+Compliance copies of messages in private and shared channels are sent to different mailboxes depending on the channel type. That means you have to search different mailbox locations based on the type of channel a user is a member of.
+
+- **Private channels**. Compliance copies are sent to the mailbox of all members of the private channel members. That means you have to search the user mailbox when searching for content in private channel messages.
+
+- **Shared channels**. Compliance copies are sent to a system mailbox that's associated with the parent team. Because Teams doesn't support an eDiscovery search of a single system mailbox for a shared channel, you have to search the mailbox for the parent team (by selecting the name of the Team mailbox) when searching for message content in shared channels.
+
+Each private and shared channel has its own SharePoint site that's separate from the parent team site. That means files in private and shared channels are stored in its own site and managed independently of the parent team. This means you must identify and search the specific site associated with a channel when searching for content in files and channel message attachments.
+
+Use the following sections to help identify the private or shared channel to include in your eDiscovery search.
+
+### Identifying the members of a private channel
+
+Use the procedure in this section to identify members of a private channel so that you can use eDiscovery tools to search the member's mailbox for content in private channel messages.
+
+Before you perform these steps, make sure you have the [latest version of the Teams PowerShell module](/microsoftteams/teams-powershell-overview.md) installed.
+
+1. Run the following command to get the group ID of the team that contains the shared channels you want to search.
+
+ ```powershell
+ Get-Team -DisplayName <display name of the the parent team>
+ ```
+
+ > [!TIP]
+ > Run the **Get-Team** cmdlet without any parameters to display a list of all Teams in your organization. The list contains the group Id and DisplayName for every team.
+
+2. Run the following command to get a list of private channels in the parent team. Use the group ID for the team that you obtained in step 1.
+
+ ```PowerShell
+ Get-TeamChannel -GroupId <parent team GroupId> -MembershipType Private
+ ```
+
+3. Run the following command to get a list of private channel owners and members for a specific private channel.
+
+ ```PowerShell
+ Get-TeamChannelUser -GroupId <parent team GroupId> -DisplayName "Partner Shared Channel"
+ ```
+
+4. Include the mailboxes of owners and members of a private channel as part of your [eDiscovery search query in eDiscovery (Standard)](/microsoft-365/compliance/search-for-content-in-core-ediscovery) or when [identifying and collecting custodian content in eDiscovery (Premium)](/microsoft-365/compliance/add-custodians-to-case).
+
+### Identifying the SharePoint site for private and shared channels
+
+As previously explained, files shared in private and shared channels (and files attached to channel messages) are stored in the site collection associated with the channel. Use the procedure in this section to identify the URL for the site associated with a specific private or shared channel. Then you can use eDiscovery tools to search for content in the site.
+
+Before you perform these steps, [install the SharePoint Online Management Shell and connect to SharePoint Online](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
+
+1. Optionally, run the following to get a list of all SharePoint site collections associated with shared channels in the parent team.
+
+ ```PowerShell
+ Get-SPOSite
+ ```
+
+ > [!TIP]
+ > The naming convention of the URL for a site that's associated with private and shared channels is `[SharePoint domain]/sites/[Name of parent team]-[Name of private or shared channel]`. For example, the URL for the shared channel named "Partner Collaboration", which is located in the "Engineer Team" parent team in the Contoso organization is `https://contoso.sharepoint.com/sites/EngineeringTeam-PartnerCollaboration`.
+
+2. Run the following PowerShell commands to display the URL for all SharePoint sites associated with the private and shared channels in your organization. The output of the script also includes the group ID of the parent team, which you need to run the commands in step 3.
+
+ ```PowerShell
+ $sites = Get-SPOSite -Template "TEAMCHANNEL#1"
+ foreach ($site in $sites) {$x= Get-SPOSite -Identity $site.url -Detail; $x.relatedgroupID; $x.url}
+ ```
+
+ > [!NOTE]
+ > SharePoint sites for private channels created before June 28, 2021 use the value `"TEAMCHANNEL#0"` for the custom template ID. To displays private channels created after this date, use the value `"TEAMCHANNEL#1"` when running the previous two scripts. Shared channels only use the value of `"TEAMCHANNEL#1"`.
+
+3. For each parent team, run the following PowerShell commands to identify the private and shared channel sites, where `$groupID` is the group ID of the parent team.
+
+ ```PowerShell
+ $sites = Get-SPOSite -Template "TEAMCHANNEL#1"
+ $groupID = "<group ID of parent team)"
+ foreach ($site in $sites) {$x= Get-SpoSite -Identity $site.url -Detail; if ($x.RelatedGroupId -eq $groupID) {$x.RelatedGroupId;$x.url}}
+ ```
+
+4. Include the site associated with a private or shared channel as part of your [eDiscovery search query in eDiscovery (Standard)](/microsoft-365/compliance/search-for-content-in-core-ediscovery) or when [identifying and collecting custodian content in eDiscovery (Premium)](/microsoft-365/compliance/add-custodians-to-case).
+
+## Search for content for guests
+
+You can use eDiscovery tools to search for Teams content related to guests in your organization. Teams chat content that's associated with a guest is preserved in a cloud-based storage location and can be searched for using eDiscovery. This includes searching for content in 1:1 and 1:N chat conversations in which a guest is a participant with other users in your organization. You can also search for private channel messages in which a guest is a participant and search for content in *guest:guest* chat conversations where the only participants are guests.
+
+To search for content for guests:
+
+1. Connect to Azure AD PowerShell. For instructions, see the "Connect with the Azure Active Directory PowerShell" section in [Connect to Microsoft 365 with PowerShell](/microsoft-365/enterprise/connect-to-microsoft-365-powershell#connect-with-the-azure-active-directory-powershell-for-graph-module). Be sure to complete Step 1 and Step 2 in the previous article.
+
+2. After you successfully connect to Azure AD PowerShell, run the following command to display the user principal name (UPN) for all guests in your organization. You have to use the UPN of the guest when you create the search in step 4.
+
+ ```powershell
+ Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | FL UserPrincipalName
+ ```
+
+ > [!TIP]
+ > Instead of displaying a list of user principal names on the computer screen, you can redirect the output of the command to a text file. You can do this by appending `> filename.txt` to the previous command. The text file with the user principal names will be saved to the current folder.
+
+3. In a different Windows PowerShell window, connect to Security & Compliance PowerShell. For instructions, see [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell). You can connect with or without using multi-factor authentication.
+
+4. Create a content search that searches for all content (such as chat messages and email messages) in which the specified guest was a participant by running the following command.
+
+ ```powershell
+ New-ComplianceSearch <search name> -ExchangeLocation <guest UPN> -AllowNotFoundExchangeLocationsEnabled $true -IncludeUserAppContent $true
+ ```
+
+ For example, to search for content associated with the guest Sara Davis, you would run the following command.
+
+ ```powershell
+ New-ComplianceSearch "Sara Davis Guest" -ExchangeLocation "sara.davis_hotmail.com#EXT#@contoso.onmicrosoft.com" -AllowNotFoundExchangeLocationsEnabled $true -IncludeUserAppContent $true
+ ```
+
+ For more information about using PowerShell to create content searches, see [New-ComplianceSearch](/powershell/module/exchange/new-compliancesearch).
+
+5. Run the following command to start the content search that you created in step 4:
+
+ ```powershell
+ Start-ComplianceSearch <search name>
+ ```
+
+6. Go to [https://compliance.microsoft.com](https://compliance.microsoft.com) and then select **Show all** > **Content search**.
+
+7. In the list of searches, select the search that you created in step 4 to display the flyout page.
+
+8. On the flyout page, you can do the following things:
+
+ - Select **View results** to view the search results and preview the content.
+
+ - Next to the **Query** field, select **Edit** to edit and then rerun the search. For example, you can add a search query to narrow the results.
+
+ - Select **Export results** to export and download the search results.
+
+## Search for card content
+
+Card content generated by apps in Teams channels, 1:1 chats, and 1xN chats is stored in mailboxes and can be searched. A *card* is a UI container for short pieces of content. Cards can have multiple properties and attachments, and can include buttons that can trigger card actions. For more information, see [Cards](/microsoftteams/platform/task-modules-and-cards/what-are-cards)
+
+Like other Teams content, where card content is stored is based on where the card was used. Content for cards used in a Teams channel is stored in the Teams group mailbox. Card content for 1:1 and 1xN chats are stored in the mailboxes of the chat participants.
+
+To search for card content, you can use the `kind:microsoftteams` or `itemclass:IPM.SkypeTeams.Message` search conditions. When reviewing search results, card content generated by bots in a Teams channel has the **Sender/Author** email property as `<appname>@teams.microsoft.com`, where `appname` is the name of the app that generated the card content. If card content was generated by a user, the value of **Sender/Author** identifies the user.
+
+When viewing card content in Content search results, the content appears as an attachment to the message. The attachment is named `appname.html`, where `appname` is the name of the app that generated the card content. The following screenshots show how card content (for an app named Asana) appears in Teams and in the results of a search.
+
+### Card content in Teams
+
+![Card content in Teams channel message.](../media/CardContentTeams.png)
+
+### Card content in search results
+
+![Same card content in the results of a Content search.](../media/CardContentEdiscoverySearchResults.png)
+
+> [!NOTE]
+> To display images from card content in search results at this time (such as the checkmarks in the previous screenshot), you have to be signed into Teams (at <https://teams.microsoft.com>) in a different tab in the same browser session that you use to view the search results. Otherwise, image placeholders are displayed.
+
+## eDiscovery in external access and guest environments
+
+Admins can use eDiscovery to search for content in chats messages in a Teams meeting in external access and guest access environments based on the following restrictions:
+
+- **External access**: In a Teams meeting with users from your organization and users from an external organization where external attendees are using external access, admins in both organizations can search for content in chat messages from the meeting.
+
+- **Guest**: In a Teams meeting with users from your organization and guests, only admins in the organization who hosts the Teams meeting can search for content in chat messages from the meeting.
+
+## Related articles
+
+- [Microsoft 365 eDiscovery solutions](/microsoft-365/compliance/ediscovery)
+- [Get started with eDiscovery (Standard)](/microsoft-365/compliance/get-started-core-ediscovery)
+- [Teams workflow in eDiscovery (Premium)](/microsoft-365/compliance/teams-workflow-in-advanced-ediscovery)
+- [Teams PowerShell Overview](/microsoftteams/teams-powershell-overview.md)
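Review bot: In "Identifying the members of a private channel", step 1 asks for the team "that contains the shared channels you want to search" and step 3 uses `-DisplayName "Partner Shared Channel"`, although the procedure is about private channels; both should refer to a private channel, and step 1 also has a doubled "the the" in its placeholder.

In the SharePoint site procedure, the note after step 2 says sites created before June 28, 2021 use `"TEAMCHANNEL#0"` but then tells readers to use `"TEAMCHANNEL#1"` "when running the previous two scripts", which is the value the scripts already use, and one of the two scripts comes after the note, not before it. State that `"TEAMCHANNEL#0"` must be substituted to list the older private channel sites, and fix "To displays". Step 1 describes a bare `Get-SPOSite` as listing sites "associated with shared channels in the parent team", which the command as written does not filter for. In step 3, `"<group ID of parent team)"` has mismatched brackets, and the tip calls the team "Engineer Team" while the URL uses `EngineeringTeam`.

Smaller points: the Teams Video Clip table row lacks its closing `|` and still says keyword search "will be available in October 2022" in an article dated 04/04/2023. The link text "eDiscovery of private channels" points to `#ediscovery-of-private-and-shared-channels`. "mailbox of all members of the private channel members" repeats itself. "1xN" in the card section should match "1:N" used elsewhere. "chats messages" should be "chat messages". The three `/microsoftteams/...` links end in `.md`, unlike the other site-relative links in the file.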
compliance Purview Adaptive Scopes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/purview-adaptive-scopes.md
When you choose to use adaptive scopes, you're prompted to select what type of a
The property names for sites are based on SharePoint site managed properties. For information about the custom attributes, see [Using Custom SharePoint Site Properties to Apply Microsoft 365 Retention with Adaptive Policy Scopes](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/using-custom-sharepoint-site-properties-to-apply-microsoft-365/ba-p/3133970).
-The attribute names for users and groups are based on [(https://learn.microsoft.com/powershell/exchange/recipientfilter-properties#filterable-recipient-properties) that map to Azure AD attributes. For example:
+The attribute names for users and groups are based on [filterable recipient properties](/powershell/exchange/recipientfilter-properties#filterable-recipient-properties) that map to Azure AD attributes. For example:
- **Alias** maps to the LDAP name **mailNickname** that displays as **Email** in the Azure AD admin center. - **Email addresses** maps to the LDAP name **proxyAddresses** that displays as **Proxy address** in the Azure AD admin center.
compliance Sensitivity Labels Meetings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-meetings.md
audience: Admin Previously updated : 03/10/2023 Last updated : 04/03/2023 ms.localizationpriority: high
description: "Configure sensitivity labels to protect calendar items, and Teams
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).* > [!NOTE]
-> For this scenario, Outlook calendar events are still rolling out in general availability for Windows and macOS.
+> For this scenario, Outlook calendar events are still rolling out in general availability for Windows.
> > You won't be able to configure all the options referenced on this page if a [Teams Premium license](/MicrosoftTeams/enhanced-teams-experience) isn't found for your tenant. For those settings, you'll see an information bar in the Microsoft Purview compliance portal that your organization doesn't have this license.
Example showing a Teams meeting invite that has the label **Highly confidential*
To apply a sensitivity label to meeting invites and appointments using Outlook, users must use Outlook on the web from a desktop computer, or use built-in labeling from Microsoft 365 Apps for enterprise: - **Outlook for Windows**: Rolling out to Current Channel, version 2302+-- **Outlook for Mac**: Rolling out to version 16.70+
+- **Outlook for Mac**: Version 16.70+
The AIP add-in for Outlook doesn't support applying labels to meeting invites.
compliance Sensitivity Labels Versions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-versions.md
Previously updated : 03/14/2023 Last updated : 04/03/2023 audience: Admin
The numbers listed are the minimum Office application versions required for each
|--|-:|-||-|-| |[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)|Current Channel: Rolling Out to 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Not relevant |Not relevant |Not relevant|Not relevant | |Manually apply, change, or remove label <br /> - [Files and emails](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)|Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ | 4.7.1+ | 4.0.39+ | Yes |
-|Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Current Channel: Rolling out to 2302+ |Rolling out: 16.70+ <sup>\*</sup> |Under review |Under review |Yes |
+|Manually apply, change, or remove label <br /> - [Calendar items](sensitivity-labels-meetings.md)| Current Channel: Rolling out to 2302+ |16.70+ <sup>\*</sup> |Under review |Under review |Yes |
|[Multi-language support](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell)|Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ |4.7.1+ |4.0.39+ |Yes | |[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) |Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ |4.7.1+ |4.0.39+ | Yes | |[Require a justification to change a label](sensitivity-labels.md#what-label-policies-can-do)|Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ |16.21+ |4.7.1+ |4.0.39+ |Yes |
The numbers listed are the minimum Office application versions required for each
|[Different settings for default label and mandatory labeling](sensitivity-labels-office-apps.md#outlook-specific-options-for-default-label-and-mandatory-labeling) |Current Channel: 2105+ <br /><br> Monthly Enterprise Channel: 2105+ <br /><br> Semi-Annual Enterprise Channel: 2108+ |16.43+ <sup>\*</sup> |4.2111+ |4.2111+ |Yes | |[PDF support](sensitivity-labels-office-apps.md#pdf-support) |Current Channel: 2205+ <br /><br> Monthly Enterprise Channel: 2205+ <br /><br> Semi-Annual Enterprise Channel: Under review| Under review |Under review |Under review |Under review | |[Apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) |Current Channel: 2211+ <br /><br> Monthly Enterprise Channel: 2211+ <br /><br> Semi-Annual Enterprise Channel: 2302+ | 16.61+ <sup>\*</sup> |4.2226+ |4.2203+ |Under review |
-|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: Rolling Out to 2302+<br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |
-|[Display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Preview: [Current Channel (Preview)](https://office.com/insider) <sup>\*</sup> |Under review |Under review |Under review |
+|[Sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) |Current Channel: Rolling Out to 2302+<br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |In preview (4.2313+) |Under review |
+|[Display label color](sensitivity-labels-office-apps.md#label-colors) |Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Preview: [Current Channel (Preview)](https://office.com/insider) <sup>\*</sup> |Under review |In preview (4.2313+) |Under review |
|[Default sublabel for parent label](sensitivity-labels-office-apps.md#specify-a-default-sublabel-for-a-parent-label)|Current Channel: 2302+ <br /><br> Monthly Enterprise Channel: 2302+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review | |[Scope labels to files or emails](sensitivity-labels-office-apps.md#scope-labels-to-just-files-or-emails) |Current Channel: 2301+ <br /><br> Monthly Enterprise Channel: Under review <br /><br> Semi-Annual Enterprise Channel: Under review |Rolling out: 16.70+ <sup>\*</sup> | Rolling out 4.2309+ |Rolling out 4.2309+ |Yes | |[Preventing oversharing as DLP policy tip](dlp-create-deploy-policy.md#scenario-2-show-policy-tip-as-oversharing-popup-preview)|Preview: Rolling out to [Beta Channel](https://office.com/insider) |Under review |Under review |Under review |Under review |
-|[Label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments) |Preview: Rolling out to [Beta Channel](https://office.com/insider) |Under review |Under review |Under review |Under review |
+|[Label inheritance from email attachments](sensitivity-labels-office-apps.md#configure-label-inheritance-from-email-attachments) |Preview: [Current Channel (Preview)](https://office.com/insider) |Under review |Under review |Under review |Under review |
**Footnotes:**
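Review bot: The new Sensitivity bar and Display label color cells read `In preview (4.2313+)`, while neighbouring cells in the same table write preview and rollout states as `Preview: ...` or `Rolling out 4.2309+`. Use one form, for example `Preview: 4.2313+`, so the column can be scanned and searched consistently.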
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Sensitivity labels - **General availability (GA)**: [Default sensitivity label for a SharePoint document library](sensitivity-labels-sharepoint-default-label.md)
+- **General availability (GA)**: Outlook for Mac [displays label colors](sensitivity-labels-office-apps.md#label-colors)
## March 2023
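Review bot: The added what's-new bullet announces general availability of label colors in Outlook for Mac, but the Display label color row changed in sensitivity-labels-versions.md in this same update still shows `Preview: [Current Channel (Preview)]` in the column that carries the 16.x Outlook for Mac versions in the other rows. Update that cell with the GA minimum version, or hold this bullet until the table agrees.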
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
description: Learn about where to access the Windows and Office Deployment Lab K
The Windows and Office 365 deployment lab kits are designed to help you plan, test, and validate your deployment and management of desktops running Windows 10 Enterprise or Windows 11 Enterprise and Microsoft 365 Apps. The labs in the kit cover using Microsoft Intune and Microsoft Configuration Manager. This kit is highly recommended for organizations preparing for desktop upgrades. As an isolated environment, the lab is also ideal for exploring deployment tool updates and testing your deployment-related automation. The following lab kits are available for free download:
-|Windows 10 Lab|Windows 11 Lab|
-|||
-|[Windows 10 lab environment](https://download.microsoft.com/download/a/5/0/a505dbce-6cc8-4f92-a777-cda556da9266/Win10_21H2_Lab_v2.zip)|[Windows 11 lab environment](https://download.microsoft.com/download/1/0/3/103138e0-b22c-4c7a-a404-e73220954309/Win11_22H2_Lab_2.28.zip)|
-|[Windows 10 lab guides](https://download.microsoft.com/download/a/5/0/a505dbce-6cc8-4f92-a777-cda556da9266/Win10_21H2_Lab_Guides_v2.zip)|[Windows 11 lab guides](https://download.microsoft.com/download/1/0/3/103138e0-b22c-4c7a-a404-e73220954309/Win11_22H2_Guides_02.28.zip)|
+[**Windows 10 lab**](https://info.microsoft.com/ww-landing-lab-kit.html)
+
+[**Windows 11 lab**](https://info.microsoft.com/ww-landing-windows-11-office-365-lab-kit.html)
## A complete lab environment
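Review bot: The removed table linked both the lab environment and the lab guides for each Windows version, but the two replacement links cover only "Windows 10 lab" and "Windows 11 lab", so the guides are no longer mentioned. If the landing pages include the guides, say so next to the links. The unchanged sentence above still promises a "free download", so also confirm that the landing pages lead to the download itself.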
enterprise Setup Guides For Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/setup-guides-for-microsoft-365.md
Title: "Advanced deployment guides for Microsoft 365 and Office 365 services"
+ Title: "Advanced deployment guides for Microsoft 365 and Office 365 products"
search.appverid:
- MET150 - BCS160 ms.assetid: 165f46e8-3533-4d76-be57-97f81ebd40f2
-description: "Get step-by-step tools to plan, migrate, and implement the features in your tenant's licenses. Find a guide to set up a service or an app you need to run."
+description: "Microsoft 365 and Office 365 advanced deployment guides help admins install, update, and configure Microsoft products. Find resources for your Microsoft 365 apps."
-# Advanced deployment guides for Microsoft 365 and Office 365 services
+# Advanced deployment guides for Microsoft 365 and Office 365 products
Microsoft 365 and Office 365 advanced deployment guides give you tailored guidance and resources for planning and deploying your tenant, apps, and services. These guides are created using the same best practices that [Microsoft 365 FastTrack](https://www.microsoft.com/fasttrack/microsoft-365) onboarding specialists share in individual interactions. They provide information on product setup, enabling security features, deploying collaboration tools, and provide scripts to speed up advanced deployments.
Advanced deployment guides in the admin center require authentication to a Micro
|**Guide - [Setup Portal](https://aka.ms/setupguides)** |**Guide - [Admin Center](https://go.microsoft.com/fwlink/?linkid=2224913)** |**Description** | ||||
-||[Configure multi-factor authentication (MFA) guide](https://go.microsoft.com/fwlink/?linkid=2224780)|The **Configure multi-factor authentication (MFA) guide** provides information to secure your organization against breaches due to lost or stolen credentials. MFA immediately increases account security by prompting for multiple forms of verification to prove a user's identity when they sign in to an app or other company resource. This prompt could be to enter a code on the user's mobile device or to provide a fingerprint scan. MFA is enabled through Conditional Access, security defaults, or per-user MFA. This guide will provide the recommended MFA option for your org, based on your licenses and existing configuration.|
+||[Configure multi-factor authentication (MFA) guide](https://go.microsoft.com/fwlink/?linkid=2224780)|The **Configure multi-factor authentication (MFA) guide** provides customers with Azure AD Premium P1 or Azure AD Premium P2 customizable Conditional Access templates that include the most common and least intrusive security standards. When Azure AD Premium licensing isnΓÇÖt available, we provide a one-click solution to enable Security Defaults, a baseline protection policy for all users, or we provide steps to enable legacy (per-user) MFA.
||[Identity security for Teams guide](https://go.microsoft.com/fwlink/?linkid=2224786)|The **Identity security for Teams guide** helps you with some basic security steps you can take to ensure your users are safe and have the most productive time using Teams.|
-|[Azure AD setup guide](https://go.microsoft.com/fwlink/?linkid=2223229)|[Azure AD setup guide](https://go.microsoft.com/fwlink/?linkid=2224193)|The **Azure AD setup guide** provides information to ensure your organization has a strong security foundation. In this guide you'll set up initial features, like Azure Role-based access control (Azure RBAC) for admins, Azure AD Connect for your on-premises directory, and Azure AD Connect Health, so you can monitor your hybrid identity's health during automated syncs.<br>It also includes essential information on enabling self-service password resets, conditional access and integrated third party sign-on including optional advanced identity protection and user provisioning automation.|
-|[Add or sync users to Azure AD guide](https://go.microsoft.com/fwlink/?linkid=2223230)|[Add or sync users to Azure AD guide](https://go.microsoft.com/fwlink/?linkid=2224811)|The **Add or sync users to Azure AD guide** walks you through turning on directory synchronization. Directory synchronization brings your on-premises and cloud identities together for easier access and simplified management. Unlock new capabilities, like single sign-on, self-service options, automatic account provisioning, conditional access controls, and compliance policies. These capabilities ensure your users have access to the resources they need from anywhere.|
-||[Plan your passwordless deployment guide](https://go.microsoft.com/fwlink/?linkid=2224194)|Use the **Plan your passwordless deployment guide** to discover the best passwordless authentication methods to use and receive guidance on how to upgrade to an alternative sign-in approach that allows users to access their devices securely with one of the following passwordless authentication methods:<ul><li>Windows Hello for Business</li><li>The Microsoft Authenticator app</li><li>Security keys</li></ul>|
-||[Secure your cloud apps with Single Sign on (SSO) guide](https://go.microsoft.com/fwlink/?linkid=2224689)|The **Secure your cloud apps with Single Sign on (SSO) guide** helps IT admins configure third-party cloud apps with single sign-on, which reduces or eliminates sign-in prompts.|
+|[Azure AD setup guide](https://go.microsoft.com/fwlink/?linkid=2223229)|[Azure AD setup guide](https://go.microsoft.com/fwlink/?linkid=2224193)|The **Azure AD setup guide** provides information to ensure your organization has a strong security foundation. In this guide you'll set up initial features, like Azure Role-based access control (Azure RBAC) for admins, Azure AD Connect for your on-premises directory, and Azure AD Connect Health, so you can monitor your hybrid identity's health during automated syncs.<br>It also includes essential information on enabling self-service password resets, conditional access, and integrated third party sign-on including optional advanced identity protection and user provisioning automation.|
+|[Add or sync users to Azure AD guide](https://go.microsoft.com/fwlink/?linkid=2223230)|[Add or sync users to Azure AD guide](https://go.microsoft.com/fwlink/?linkid=2224811)|The **Add or sync users to Azure AD guide** will help streamline the process of getting your user accounts set up in Microsoft 365. Based on your environment and needs, you can choose to add users individually, migrate your on-premises directory with Azure AD cloud sync or Azure AD Connect, or troubleshoot existing sync problems when necessary.|
+||[Plan your passwordless deployment guide](https://go.microsoft.com/fwlink/?linkid=2224194)|Use the **Plan your passwordless deployment guide** to discover the best passwordless authentication methods to use and receive guidance on how to upgrade to an alternative sign-in approach that allows users to access their devices securely with one of the following passwordless authentication methods:<ul><li>Windows Hello for Business</li><li>The Microsoft Authenticator app</li><li>Security keys</li><li>Temporary Access Pass</li></ul>||
+||[Secure your cloud apps with Single Sign on (SSO) guide](https://go.microsoft.com/fwlink/?linkid=2224689)|This guide is designed to help you add cloud apps to Microsoft 365. In our guide, you can add an application to your tenant, add users to the app, assign roles, and more. If the app supports single sign-on (SSO), weΓÇÖll walk you through that configuration.
|[Plan your self-service password reset (SSPR) deployment guide](https://go.microsoft.com/fwlink/?linkid=2223231)|[Plan your self-service password reset (SSPR) deployment guide](https://go.microsoft.com/fwlink/?linkid=2224781)|Give users the ability to change or reset their password independently, if their account is locked, or they forget their password without the need to contact a helpdesk engineer.<br>Use the **Plan your self-service password reset (SSPR) deployment guide** to receive relevant articles and instructions for configuring the appropriate Azure portal options to help you deploy SSPR in your environment.|
+|[Migrate from AD FS to Microsoft Azure AD](https://go.microsoft.com/fwlink/?linkid=2229256)|[Migrate from AD FS to Microsoft Azure AD](https://go.microsoft.com/fwlink/?linkid=2225005)|In **Migrate from AD FS to Microsoft Azure AD** we offer custom guidance for migrating from Active Directory Federation Services (AD FS) to Azure AD. You'll first answer a few questions about your AD FS infrastructure. Then implement either pass-through authentication (PTA) or password hash sync (PHS) to give users a streamlined experience while accessing your organization's apps.|
## Guides for security and compliance
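Review bot: Three of the added table rows are malformed. The MFA guide row and the Single Sign on (SSO) guide row end without the closing `|` that the removed rows had, and the passwordless row now ends in `||`, which adds an empty fourth cell. The apostrophes in "isn't" and "we'll" are non-ASCII and show up here as `ΓÇÖ`; use a plain `'`. The SSO row also drops the bolded guide name that the other rows in this table open with.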
Advanced deployment guides in the admin center require authentication to a Micro
|[Microsoft 365 Apps setup guide](https://go.microsoft.com/fwlink/?linkid=2223409)|[Microsoft 365 Apps setup guide](https://go.microsoft.com/fwlink/?linkid=2224187)|The **Microsoft 365 Apps setup guide** helps you get your users' devices running the latest version of Office products like Word, Excel, PowerPoint, and OneNote. You'll get guidance on the various deployment methods that include easy self-install options to enterprise deployments with management tools. The instructions will help you assess your environment, figure out your specific deployment requirements, and implement the necessary support tools to ensure a successful installation.| ||[Mobile apps setup guide](https://go.microsoft.com/fwlink/?linkid=2224813)|The **Mobile apps setup guide** provides instructions for the download and installation of Office apps on your Windows, iOS, and Android mobile devices. This guide provides you with step-by-step information to download and install Microsoft 365 and Office 365 apps on your phone and tablet devices.| |[Microsoft Teams setup guide]( https://go.microsoft.com/fwlink/?linkid=2222975)|[Microsoft Teams setup guide](https://go.microsoft.com/fwlink/?linkid=2224815)|The **Microsoft Teams setup guide** provides your organization with guidance to set up team workspaces that host real-time conversations through messaging, calls, and audio or video meetings for both team and private communication. Use the tools in this guide to configure Guest access, set who can create teams, and add team members from a .csv file, all without the need to open a PowerShell session. You'll also get best practices for determining your organization's network requirements and ensuring a successful Teams deployment.|
-|[Microsoft Teams Phone setup guide](https://go.microsoft.com/fwlink/?linkid=2223356)|[Microsoft Teams Phone setup guide](https://go.microsoft.com/fwlink/?linkid=2224790)|The **Microsoft Teams Phone setup guide** helps you stay connected with the use of modern calling solutions. Apply key capabilities with a cloud-based, call-control system that supports the telephony workload for Teams. You can choose and deploy features from the available public switched telephone network (PSTN) connectivity options. You can also find assistance for other features, such as auto attendant, call queues, Audio Conferencing, caller ID, and live events.|
+|[Plan and implement your Microsoft Teams Phone deployment](https://go.microsoft.com/fwlink/?linkid=2223356)|[Plan and implement your Microsoft Teams Phone deployment](https://go.microsoft.com/fwlink/?linkid=2224790)|This guide will help you transition from your existing voice solution to Microsoft Teams Phone. You'll be guided through discovery and planning phases, or you can go straight to deployment. You'll be able to configure a calling plan, Operator Connect, Teams Phone Mobile, Direct Routing, caller ID, and other features.|
|[SharePoint setup guide](https://go.microsoft.com/fwlink/?linkid=2223320)|[SharePoint setup guide](https://go.microsoft.com/fwlink/?linkid=2224196)|The **SharePoint setup guide** helps you set up your SharePoint document storage and content management, create sites, configure external sharing, migrate data and configure advanced settings, and drive user engagement and communication within your organization. You'll follow steps for configuring your content-sharing permission policies, choose your migration sync tools, and enable the security settings for your SharePoint environment.| |[Surface Hub and Microsoft Teams Rooms setup guide](https://go.microsoft.com/fwlink/?linkid=2222974)|[Surface Hub and Microsoft Teams Rooms setup guide](https://go.microsoft.com/fwlink/?linkid=2224463)|The **Surface Hub and Microsoft Teams Rooms setup guide** will customize your experience based on your environment. If you're hosted in Exchange Online and using Microsoft Teams, the guide will automatically create your device account with the correct settings.| |[OneDrive setup guide](https://go.microsoft.com/fwlink/?linkid=2223143)|[OneDrive setup guide](https://go.microsoft.com/fwlink/?linkid=2224690)|Use the **OneDrive setup guide** to get started with OneDrive file storage, sharing, collaboration, and syncing capabilities. OneDrive provides a central location where users can sync their Microsoft 365 Apps files, configure external sharing, migrate user data, and configure advanced security and device access settings. The OneDrive setup guide can be deployed using a OneDrive subscription or a standalone OneDrive plan.|
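Review bot: The renamed Teams Phone row opens with "This guide will help you ...", where the other rows in this table introduce the guide by its bolded name (for example "The **SharePoint setup guide** helps you ..."). Keep that pattern with the new title so the row stays consistent. The new description also drops auto attendant, call queues, Audio Conferencing and live events; if the guide still covers them, keep them listed.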
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
A similar message occurs if you're using Internet Explorer:
> [!NOTE] > Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).
- The Windows event log will also show [Windows Defender client event ID 1116](troubleshoot-microsoft-defender-antivirus.md).
+ The Windows event log will also show [Windows Defender client event ID 1116](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/).
> [!TIP] > If you're looking for Antivirus related information for other platforms, see:
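Review bot: The link target changes from the relative `troubleshoot-microsoft-defender-antivirus.md` to the site-relative `/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/`, while the body of that article is shown as deleted in this same update. Confirm that the new path resolves (through a redirect or the article's new home) before merging, since readers are sent there to look up event ID 1116. The same replacement is made in the other Defender Antivirus articles in this update, so the check applies to each of them.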
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
- tier1 Previously updated : 12/18/2020 Last updated : 04/04/2023 # Configure device proxy and Internet connectivity settings
Last updated 12/18/2020
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
+> [!IMPORTANT]
+> Devices that are configured for IPv6-only traffic are not supported.
+ The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service. The embedded Defender for Endpoint sensor runs in system context using the LocalSystem account. > [!TIP]
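Review bot: The new `[!IMPORTANT]` note says IPv6-only devices are not supported but does not say what is required instead. State the supported configuration in the same note so that admins planning proxy and connectivity settings know what to provision.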
security Deploy Manage Report Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md
With Windows Management Instrumentation (WMI), you can manage Microsoft Defender
- Use the [MSFT_MpComputerStatus](/previous-versions/windows/desktop/defender/msft-mpcomputerstatus) class and the get method of associated classes in the [Windows Defender WMIv2 Provider](/windows/win32/wmisdk/wmi-providers).
-For reporting, Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](/windows/whats-new/whats-new-windows-10-version-1507-and-1511). Also see [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md).
+For reporting, Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](/windows/whats-new/whats-new-windows-10-version-1507-and-1511). Also see [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview) and [Windows Defender events](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/).
## See also
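Review bot: The changed sentence keeps an unbalanced parenthesis: `([enhanced for Windows 10](...)` opens a bracket before the link that is never closed, so the sentence renders with a stray `(`. Since the line is being touched anyway, close the parenthesis after the link.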
security Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
PSComputerName :
You can turn on email notifications to receive mail about PUA detections.
-See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**.
+See [Troubleshoot event IDs](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/) for details on viewing Microsoft Defender Antivirus events. PUA events are recorded under event ID **1160**.
## View PUA events using advanced hunting
security Manage Tamper Protection Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-intune.md
Using Intune, you can:
> [!NOTE] > If devices are not enrolled in Microsoft Defender for Endpoint, tamper protection will show as **Not Applicable** until the onboarding process completes.
-> Tamper protection can prevent changes to security settings from occurring. If you see an error code with Event ID 5013, see [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md).
+> Tamper protection can prevent changes to security settings from occurring. If you see an error code with Event ID 5013, see [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/).
## Turn tamper protection on (or off) in Microsoft Intune
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
If you need to install or reinstall Microsoft Defender Antivirus on Windows Serv
| Use PowerShell to install Microsoft Defender Antivirus | 1. On your Windows Server, open Windows PowerShell as an administrator. <br/><br/>2. Run the following PowerShell cmdlet: `Install-WindowsFeature -Name Windows-Defender` | > [!NOTE]
-> Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Microsoft Defender Antivirus Events](troubleshoot-microsoft-defender-antivirus.md).
+> Event messages for the antimalware engine included with Microsoft Defender Antivirus can be found in [Microsoft Defender Antivirus Events](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/).
## Verify Microsoft Defender Antivirus is running
security Microsoft Defender Antivirus Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates.md
description: Manage how Microsoft Defender Antivirus receives protection and pro
keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus ms.localizationpriority: high Previously updated : 03/27/2023 Last updated : 04/04/2023 audience: ITPro
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+### 20230330.2
+
+- Defender package version: **20230330.2**
+- Security intelligence version: **1.385.1537.0**
+- Engine version: **1.1.20100.6**
+- Platform version: **4.18.2302.7**
+
+#### Fixes
+
+- None
+
+#### Additional information
+
+- None
### 20230308.1
security Msda Updates Previous Versions Technical Upgrade Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support.md
Microsoft regularly releases [security intelligence updates and product updates
### What's new -- Starting with platform version 4.18.2207.7, the default behavior of dynamic signature expiration reporting changes to reduce potential 2011 event notification flooding. See: **Event ID: 2011** in [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md)
+- Starting with platform version 4.18.2207.7, the default behavior of dynamic signature expiration reporting changes to reduce potential 2011 event notification flooding. See: **Event ID: 2011** in [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/)
- Fixed Unified agent installer issues on WS2012R2 Server and Windows Server 2016 - Fixed remediation issue for custom detection - Fixed Race condition related to behavior monitoring
Microsoft regularly releases [security intelligence updates and product updates
- Added improvements for [troubleshooting mode](enable-troubleshooting-mode.md) - Added fix for Defender WINEVT channels across update/restarts. (For more information about WINEVT, see [Windows Event Log](/windows/win32/api/_wes/).) - Added fix for [Defender WMI management](use-wmi-microsoft-defender-antivirus.md) bug during startup/updates -- Added fix for duplicated 2010/2011 in the [Windows Event Viewer Operational events](troubleshoot-microsoft-defender-antivirus.md)
+- Added fix for duplicated 2010/2011 in the [Windows Event Viewer Operational events](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/)
- Added support for [Defender for Endpoint](microsoft-defender-endpoint.md) stack processes token hardening ### Known Issues
security Troubleshoot Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus.md
- Title: Microsoft Defender Antivirus event IDs and error codes
-description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors
-keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
-
-ms.sitesec: library
---- Previously updated : 01/13/2023------ m365-security-- tier3--
-# Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
---
-**Applies to:**
-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- Microsoft Defender Antivirus-
-**Platforms**
-- Windows-
-If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
-
-The tables list:
--- [Microsoft Defender Antivirus event IDs](#windows-defender-av-ids) (these apply to Windows 10, Windows 11, and Windows Server 2016)-- [Microsoft Defender Antivirus client error codes](#error-codes)-- [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)--
-<a id="windows-defender-av-ids"></a>
-## Microsoft Defender Antivirus event IDs
-
-Microsoft Defender Antivirus records event IDs in the Windows event log.
-
-You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Microsoft Defender Antivirus client event IDs](troubleshoot-microsoft-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints.
-
-The table in this section lists the main Microsoft Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error.
-
-## To view a Microsoft Defender Antivirus event
-
-1. Open **Event Viewer**.
-2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**.
-3. Double-click on **Operational**.
-4. In the details pane, view the list of individual events to find your event.
-5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs.
-
-<table>
-<tr>
-<th colspan="2" >Event ID: 1000</th>
-</tr>
-<tr>
-<td>
-Symbolic name:
-</td>
-<td>
-<b>MALWAREPROTECTION_SCAN_STARTED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>An antimalware scan started.
-</b>
-</td>
-</tr>
-<tr>
-<td >
-Description:
-</td>
-<td >
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>Scan Resources: &lt;Resources (such as files/directories/BHO) that were scanned.&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1001</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SCAN_COMPLETED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>An antimalware scan finished.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Scan Time: &lt;The duration of a scan.&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1002</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SCAN_CANCELLED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>An antimalware scan was stopped before it finished.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>User: &lt;Domain&gt;&amp;lt;User&gt;</dt>
-<dt>Scan Time: &lt;The duration of a scan.&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1003</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SCAN_PAUSED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>An antimalware scan was paused.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1004</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SCAN_RESUMED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>An antimalware scan was resumed.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1005</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SCAN_FAILED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>An antimalware scan failed.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-<dl>
-<dt>Scan ID: &lt;ID number of the relevant scan.&gt;</dt>
-<dt>Scan Type: &lt;Scan type&gt;, for example:<ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-</ul>
-</dt>
-<dt>Scan Parameters: &lt;Scan parameters&gt;, for example:<ul>
-<li>Full scan</li>
-<li>Quick scan</li>
-<li>Customer scan</li>
-</ul>
-</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-The antivirus client encountered an error, and the current scan has stopped. The scan might fail due to a client-side issue. This event record includes the scan ID, type of scan (Microsoft Defender Antivirus, antispyware, antimalware), scan parameters, the user that started the scan, the error code, and a description of the error.
-To troubleshoot this event:
-<ol>
-<li>Run the scan again.</li>
-<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
-<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.
-</li>
-</ol>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1006</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_MALWARE_DETECTED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine found malware or other potentially unwanted software.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-For more information, see the following:
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>Status: &lt;Status&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1007</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_MALWARE_ACTION_TAKEN
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
-<dl>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Action: &lt;Action&gt;, for example:<ul>
-<li>Clean: The resource was cleaned</li>
-<li>Quarantine: The resource was quarantined</li>
-<li>Remove: The resource was deleted</li>
-<li>Allow: The resource was allowed to execute/exist</li>
-<li>User defined: User-defined action that is normally one from this list of actions that the user has specified</li>
-<li>No action: No action</li>
-<li>Block: The resource was blocked from executing</li>
-</ul>
-</dt>
-<dt>Status: &lt;Status&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1008</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_MALWARE_ACTION_FAILED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
-<dl>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Action: &lt;Action&gt;, for example:<ul>
-<li>Clean: The resource was cleaned</li>
-<li>Quarantine: The resource was quarantined</li>
-<li>Remove: The resource was deleted</li>
-<li>Allow: The resource was allowed to execute/exist</li>
-<li>User defined: User-defined action that is normally one from this list of actions that the user has specified</li>
-<li>No action: No action</li>
-<li>Block: The resource was blocked from executing</li>
-</ul>
-</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values. </dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Status: &lt;Status&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1009</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_QUARANTINE_RESTORE
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform restored an item from quarantine.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has restored an item from quarantine. For more information, see the following:
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1010</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_QUARANTINE_RESTORE_FAILED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform could not restore an item from quarantine.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values. </dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1011</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_QUARANTINE_DELETE</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform deleted an item from quarantine.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has deleted an item from quarantine.<br/>For more information, see the following:
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1012</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_QUARANTINE_DELETE_FAILED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform could not delete an item from quarantine.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error trying to delete an item from quarantine.
-For more information, see the following:
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values. </dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1013</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_MALWARE_HISTORY_DELETE
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform deleted history of malware and other potentially unwanted software.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has removed history of malware and other potentially unwanted software.
-<dl>
-<dt>Time: The time when the event occurred, for example when the history is purged. This parameter isn't used in threat events so that there's no confusion regarding whether it's remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1014</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_MALWARE_HISTORY_DELETE_FAILED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-The antimalware platform couldn't delete history of malware and other potentially unwanted software.
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
-<dl>
-<dt>Time: The time when the event occurred, for example when the history is purged. This parameter isn't used in threat events so that there's no confusion regarding whether it's remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values. </dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1015</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_BEHAVIOR_DETECTED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform detected suspicious behavior.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has detected a suspicious behavior.<br/>For more information, see the following:
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:
-<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>Status: &lt;Status&gt;</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Signature ID: Enumeration matching severity.</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-<dt>Fidelity Label:</dt>
-<dt>Target File Name: &lt;File name&gt;
-Name of the file.</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1116</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_STATE_MALWARE_DETECTED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform detected malware or other potentially unwanted software.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has detected malware or other potentially unwanted software.<br/>For more information, see the following:
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:
-<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-No action is required. Microsoft Defender Antivirus can suspend and take routine action on this threat. If you want to remove the threat manually, in the Microsoft Defender Antivirus interface, click <b>Clean Computer</b>.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1117</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_STATE_MALWARE_ACTION_TAKEN
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform performed an action to protect your system from malware or other potentially unwanted software.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.<br/>For more information, see the following:
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:
-<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Action: &lt;Action&gt;, for example:<ul>
-<li>Clean: The resource was cleaned</li>
-<li>Quarantine: The resource was quarantined</li>
-<li>Remove: The resource was deleted</li>
-<li>Allow: The resource was allowed to execute/exist</li>
-<li>User defined: User-defined action that is normally one from this list of actions that the user has specified</li>
-<li>No action: No action</li>
-<li>Block: The resource was blocked from executing</li>
-</ul>
-</dt>
-<dt>Action Status: &lt;Description of additional actions&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-NOTE:
-Whenever Microsoft Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it restores the following system settings and services that the malware might have changed:<ul>
-<li>Default Internet Explorer or Microsoft Edge setting</li>
-<li>User Access Control settings</li>
-<li>Chrome settings</li>
-<li>Boot Control Data</li>
-<li>Regedit and Task Manager registry settings</li>
-<li>Windows Update, Background Intelligent Transfer Service, and Remote Procedure Call service</li>
-<li>Windows Operating System files</li></ul>
-The above context applies to the following client and server versions:
-<table>
-<tr>
-<th>Operating system</th>
-<th>Operating system version</th>
-</tr>
-<tr>
-<td>
-Client Operating System
-</td>
-<td>
-Windows Vista (Service Pack 1, or Service Pack 2), Windows 7 and later
-</td>
-</tr>
-<tr>
-<td>
-Server Operating System
-</td>
-<td>
-Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016
-</td>
-</tr>
-</table>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-No action is necessary. Microsoft Defender Antivirus removed or quarantined a threat.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1118</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform attempted to perform an action to protect your system from malware or other potentially unwanted software, but the action failed.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.<br/>For more information, see the following:
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:
-<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Action: &lt;Action&gt;, for example:<ul>
-<li>Clean: The resource was cleaned</li>
-<li>Quarantine: The resource was quarantined</li>
-<li>Remove: The resource was deleted</li>
-<li>Allow: The resource was allowed to execute/exist</li>
-<li>User defined: User-defined action that is normally one from this list of actions that the user has specified</li>
-<li>No action: No action</li>
-<li>Block: The resource was blocked from executing</li>
-</ul>
-</dt>
-<dt>Action Status: &lt;Description of additional actions&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-No action is necessary. Microsoft Defender Antivirus failed to complete a task related to the malware remediation. This isn't a critical failure.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1119</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_STATE_MALWARE_ACTION_CRITICALLY_FAILED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform encountered a critical error when trying to take action on malware or other potentially unwanted software. There are more details in the event message.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.<br/>For more information, see the following:
-<dl>
-<dt>Name: &lt;Threat name&gt;</dt>
-<dt>ID: &lt;Threat ID&gt;</dt>
-<dt>Severity: &lt;Severity&gt;, for example:<ul>
-<li>Low</li>
-<li>Moderate</li>
-<li>High</li>
-<li>Severe</li>
-</ul>
-</dt>
-<dt>Category: &lt;Category description&gt;, for example, any threat or malware type.</dt>
-<dt>Path: &lt;File path&gt;</dt>
-<dt>Detection Origin: &lt;Detection origin&gt;, for example:
-<ul>
-<li>Unknown</li>
-<li>Local computer</li>
-<li>Network share</li>
-<li>Internet</li>
-<li>Incoming traffic</li>
-<li>Outgoing traffic</li>
-</ul>
-</dt>
-<dt>Detection Type: &lt;Detection type&gt;, for example:<ul>
-<li>Heuristics</li>
-<li>Generic</li>
-<li>Concrete</li>
-<li>Dynamic signature</li>
-</ul>
-</dt>
-<dt>Detection Source: &lt;Detection source&gt; for example:<ul>
-<li>User: user initiated</li>
-<li>System: system initiated</li>
-<li>Real-time: real-time component initiated</li>
-<li>IOAV: IE Downloads and Outlook Express Attachments initiated</li>
-<li>NIS: Network inspection system</li>
-<li>IEPROTECT: IE - IExtensionValidation; this protects against malicious webpage controls</li>
-<li>Early Launch Antimalware (ELAM). This includes malware detected by the boot sequence</li>
-<li>Remote attestation</li>
-</ul>Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PowerShell, VBS), though it can be invoked by third parties as well.
-UAC</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Process Name: &lt;Process in the PID&gt;</dt>
-<dt>Action: &lt;Action&gt;, for example:<ul>
-<li>Clean: The resource was cleaned</li>
-<li>Quarantine: The resource was quarantined</li>
-<li>Remove: The resource was deleted</li>
-<li>Allow: The resource was allowed to execute/exist</li>
-<li>User defined: User-defined action that is normally one from this list of actions that the user has specified</li>
-<li>No action: No action</li>
-<li>Block: The resource was blocked from executing</li>
-</ul>
-</dt>
-<dt>Action Status: &lt;Description of additional actions&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-The Microsoft Defender Antivirus client encountered this error due to critical issues. The endpoint might not be protected. Review the error description then follow the relevant <b>User action</b> steps below.
-<table>
-<tr>
-<th>Action</th>
-<th>User action</th>
-</tr>
-<tr>
-<td>
-<b>Remove</b>
-</td>
-<td>
-Update the definitions then verify that the removal was successful.
-</td>
-</tr>
-<tr>
-<td>
-<b>Clean</b>
-</td>
-<td>
-Update the definitions then verify that the remediation was successful.
-</td>
-</tr>
-<tr>
-<td>
-<b>Quarantine</b>
-</td>
-<td>
-Update the definitions and verify that the user has permission to access the necessary resources.
-</td>
-</tr>
-<tr>
-<td>
-<b>Allow</b>
-</td>
-<td>
-Verify that the user has permission to access the necessary resources.
-</td>
-</tr>
-</table>
-
-If this event persists:<ol>
-<li>Run the scan again.</li>
-<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
-<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.
-</li>
-</ol>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1120</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_THREAT_HASH</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Microsoft Defender Antivirus has deduced the hashes for a threat resource.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus client is up and running in a healthy state.
-<dl>
-<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
-<dt>Threat Resource Path: &lt;Path&gt;</dt>
-<dt>Hashes: &lt;Hashes&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td></td>
-<td >
-<div class="alert"><b>Note: This event will only be logged if the following policy is set: <b>ThreatFileHashLogging unsigned</b>.</div>
-<div> </div>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1121</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>(TBD)</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Event when an attack surface reduction rule fires in block mode.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-TBD.
-<dl>
-<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
-<dt>Threat Resource Path: &lt;Path&gt;</dt>
-<dt>Hashes: &lt;Hashes&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td></td>
-<td >
-<div class="alert"><b>Note: whatgoeshere?: <b>TBD</b>.</div>
-<div> </div>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1127</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_FOLDER_GUARD_SECTOR_BLOCK</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Controlled Folder Access(CFA) blocked an untrusted process from making changes to the memory.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Controlled Folder Access has blocked an untrusted process from potentially modifying disk sectors.
-<br/> For more information about the event record, see the following:
-<dl>
-<dt>EventID: &lt;EventID&gt;, for example: 1127</dt>
-<dt>Version: &lt;Version&gt;, for example: 0</dt>
-<dt>Level: &lt;Level&gt;, for example: win:Warning</dt>
-<dt>TimeCreated: &lt;SystemTime&gt;, time when the event was created</dt>
-<dt>EventRecordID: &lt;EventRecordID&gt;, index number of the event in the event log</dt>
-<dt>Execution ProcessID: &lt;Execution ProcessID&gt;, process that generated the event</dt>
-<dt>Channel: &lt;Event channel&gt;, for example: Microsoft-Windows-Windows Defender/Operational</dt>
-<dt>Computer: &lt;Computer name&gt;</dt>
-<dt>Security UserID: &lt;Security UserID&gt;</dt>
-<dt>Product Name: &lt;Product Name&gt;, for example: Microsoft Defender Antivirus</dt>
-<dt>Product Version: &lt;Product Version&gt;</dt>
-<dt>Detection Time: &lt;Detection Time&gt;, time when CFA blocked an untrusted process</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Path: &lt;Device name&gt;, name of the device or disk that an untrusted process accessed for modification</dt>
-<dt>Process Name: &lt;Process path&gt;, the process path name that CFA blocked from accessing the device or disk for modification</dt>
-<dt>Security Intelligence Version: &lt;Security intelligence version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-The user can add the blocked process to the <i>Allowed Process</i> list for CFA, using PowerShell or Windows Security Center.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 1150</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SERVICE_HEALTHY</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>If your antimalware platform reports status to a monitoring platform, this event indicates that the antimalware platform is running and in a healthy state.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus client is up and running in a healthy state.
-<dl>
-<dt>Platform Version: &lt;Current platform version&gt;</dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.
-</td>
-</tr>
-
-<tr>
-<th colspan="2">Event ID: 1151</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SERVICE_HEALTH_REPORT</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Endpoint Protection client health report (time in UTC)
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Antivirus client health report.
-<dl>
-<dt>Platform Version: &lt;Current platform version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
-<dt>Network Realtime Inspection engine version: &lt;Network Realtime Inspection engine version&gt;</dt>
-<dt>Antivirus signature version: &lt;Antivirus signature version&gt;</dt>
-<dt>Antispyware signature version: &lt;Antispyware signature version&gt;</dt>
-<dt>Network Realtime Inspection signature version: &lt;Network Realtime Inspection signature version&gt;</dt>
-<dt>RTP state: &lt;Realtime protection state&gt; (Enabled or Disabled)</dt>
-<dt>OA state: &lt;On Access state&gt; (Enabled or Disabled)</dt>
-<dt>IOAV state: &lt;IE Downloads and Outlook Express Attachments state&gt; (Enabled or Disabled)</dt>
-<dt>BM state: &lt;Behavior Monitoring state&gt; (Enabled or Disabled)</dt>
-<dt>Antivirus signature age: &lt;Antivirus signature age&gt; (in days)</dt>
-<dt>Antispyware signature age: &lt;Antispyware signature age&gt; (in days)</dt>
-<dt>Last quick scan age: &lt;Last quick scan age&gt; (in days)</dt>
-<dt>Last full scan age: &lt;Last full scan age&gt; (in days)</dt>
-<dt>Antivirus signature creation time: ?&lt;Antivirus signature creation time&gt;</dt>
-<dt>Antispyware signature creation time: ?&lt;Antispyware signature creation time&gt;</dt>
-<dt>Last quick scan start time: ?&lt;Last quick scan start time&gt;</dt>
-<dt>Last quick scan end time: ?&lt;Last quick scan end time&gt;</dt>
-<dt>Last quick scan source: &lt;Last quick scan source&gt; (0 = scan didn't run, 1 = user initiated, 2 = system initiated)</dt>
-<dt>Last full scan start time: ?&lt;Last full scan start time&gt;</dt>
-<dt>Last full scan end time: ?&lt;Last full scan end time&gt;</dt>
-<dt>Last full scan source: &lt;Last full scan source&gt; (0 = scan didn't run, 1 = user initiated, 2 = system initiated)</dt>
-<dt>Product status: For internal troubleshooting
-</dl>
-</td>
-</tr>
-
-<tr>
-<th colspan="2">Event ID: 2000</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SIGNATURE_UPDATED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware definitions updated successfully.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Antivirus signature version has been updated.
-<dl>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
-<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Update Type: &lt;Update type&gt;, either Full or Delta.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when signatures are successfully updated.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2001</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SIGNATURE_UPDATE_FAILED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The security intelligence update failed.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error trying to update signatures.
-<dl>
-<dt>New security intelligence version: &lt;New version number&gt;</dt>
-<dt>Previous security intelligence version: &lt;Previous version&gt;</dt>
-<dt>Update Source: &lt;Update source&gt;, for example:
-<ul>
-<li>Security intelligence update folder</li>
-<li>Internal security intelligence update server</li>
-<li>Microsoft Update Server</li>
-<li>File share</li>
-<li>Microsoft Malware Protection Center (MMPC)</li>
-</ul>
-</dt>
-<dt>Update Stage: &lt;Update stage&gt;, for example:
-<ul>
-<li>Search</li>
-<li>Download</li>
-<li>Install</li>
-</ul>
-</dt>
-<dt>Source Path: File share name for Universal Naming Convention (UNC), server name for Windows Server Update Services (WSUS)/Microsoft Update/ADL.</dt>
-<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Update Type: &lt;Update type&gt;, either Full or Delta.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-This error occurs when there's a problem updating definitions.
-To troubleshoot this event:
-<ol>
-<li><a href="microsoft-defender-antivirus-updates.md" data-raw-source="[Update definitions](microsoft-defender-antivirus-updates.md)">Update definitions</a> and force a rescan directly on the endpoint.</li>
-<li>Review the entries in the %Windir%\WindowsUpdate.log file for more information about this error.</li>
-<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.
-</li>
-</ol>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2002</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_ENGINE_UPDATED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine updated successfully.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus engine version has been updated.
-<dl>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
-<dt>Engine Type: &lt;Engine type&gt;, either antimalware engine or Network Inspection System engine.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the antimalware engine is successfully updated.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2003</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_ENGINE_UPDATE_FAILED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine update failed.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error trying to update the engine.
-<dl>
-<dt>New Engine Version:</dt>
-<dt>Previous Engine Version: &lt;Previous engine version&gt;</dt>
-<dt>Engine Type: &lt;Engine type&gt;, either antimalware engine or Network Inspection System engine.</dt>
-<dt>User: &lt;Domain&gt;\&lt;User&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-The Microsoft Defender Antivirus client update failed. This event occurs when the client fails to update itself. This event is due to an interruption in network connectivity during an update.
-To troubleshoot this event:
-<ol>
-<li><a href="microsoft-defender-antivirus-updates.md" data-raw-source="[Update definitions](microsoft-defender-antivirus-updates.md)">Update definitions</a> and force a rescan directly on the endpoint.</li>
-<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.
-</li>
-</ol>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2004</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SIGNATURE_REVERSION</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>There was a problem loading antimalware definitions. The antimalware engine will attempt to load the last-known good set of definitions.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
-<dl>
-<dt>Signatures Attempted:</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Signature Version: &lt;Definition version&gt;</dt>
-<dt>Engine Version: &lt;Antimalware engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-The Microsoft Defender Antivirus client attempted to download and install the latest definitions file and failed. This error can occur when the client encounters an error while trying to load the definitions, or if the file is corrupt. Microsoft Defender Antivirus attempts to revert back to a known-good set of definitions.
-To troubleshoot this event:
-<ol>
-<li>Restart the computer and try again.</li>
-<li>Download the latest definitions from the <a href="https://aka.ms/wdsi">Microsoft Security Intelligence site</a>.
-Note: The size of the definitions file downloaded from the site can exceed 60 MB and shouldn't be used as a long-term solution for updating definitions.
-</li>
-<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.
-</li>
-</ol>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2005</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_ENGINE_UPDATE_PLATFORMOUTOFDATE</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine failed to load because the antimalware platform is out of date. The antimalware platform will load the last-known good antimalware engine and attempt to update.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus couldn't load antimalware engine because current platform version isn't supported. Microsoft Defender Antivirus reverts back to the last known-good engine and a platform update will be attempted.
-<dl>
-<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2006</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_PLATFORM_UPDATE_FAILED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The platform update failed.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error trying to update the platform.
-<dl>
-<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2007</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_PLATFORM_ALMOSTOUTOFDATE</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The platform will soon be out of date. Download the latest platform to maintain up-to-date protection.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus will soon require a newer platform version to support future versions of the antimalware engine. Download the latest Microsoft Defender Antivirus platform to maintain the best level of protection available.
-<dl>
-<dt>Current Platform Version: &lt;Current platform version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2010</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine used the Dynamic Signature Service to get additional definitions.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus used <i>Dynamic Signature Service</i> to retrieve additional signatures to help protect your machine.
-<dl>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
-<ul>
-<li>Version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-<li>Duration</li>
-</ul>
-</dt>
-<dt>Persistence Path: &lt;Path&gt;</dt>
-<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
-<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
-<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
-<ul>
-<li>VDM version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-</ul>
-</dt>
-<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2011</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The Dynamic Signature Service deleted the out-of-date dynamic definitions.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Change to default behavior:
-</td>
-<td >
-<dl>
-<dt><b>Change to dynamic signature event reporting default behavior</b></dt>
-<dt>When a dynamic signature is received by MDE, a 2010 event is reported. However, when the dynamic signature expires or is manually deleted a 2011 event is reported. In some cases, when a new signature is delivered to MDE sometimes hundreds of dynamic signatures will expire at the same time; therefore hundreds of 2011 events are reported. The generation of so many 2011 events can cause a Security information and event management (SIEM) server to become flooded.</dt>
-<dt>To avoid the above situation - starting with platform version 4.18.2207.7 - by default, MDE will now <i>not</i> report 2011 events:<ul>
-<li>This new default behavior is controlled by registry entry: <b>HKLM\SOFTWARE\Microsoft\Windows&nbsp;Defender\Reporting\EnableDynamicSignatureDroppedEventReporting</b>.</li>
-<li>The default value for <b>EnableDynamicSignatureDroppedEventReporting</b> is <b>false</b>, which means <i>2011 events aren't reported</i>. If it's set to true, 2011 events <i>are reported</i>.</li>
-</ul>
-</dt>
-<dt>Because 2010 signature events are timely distributed sporadically - and won't cause a spike - 2010 signature event behavior is unchanged.</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus used <i>Dynamic Signature Service</i> to discard obsolete signatures.
-<dl>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
-<ul>
-<li>Version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-<li>Duration</li>
-</ul>
-</dt>
-<dt>Persistence Path: &lt;Path&gt;</dt>
-<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
-<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
-<dt>Removal Reason:</dt>
-<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
-<ul>
-<li>VDM version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-</ul>
-</dt>
-<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-No action is necessary. The Microsoft Defender Antivirus client is in a healthy state. This event is reported when the Dynamic Signature Service successfully deletes out-of-date dynamic definitions.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2012</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SIGNATURE_FASTPATH_UPDATE_FAILED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine encountered an error when trying to use the Dynamic Signature Service.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error trying to use <i>Dynamic Signature Service</i>.
-<dl>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Signature Type: &lt;Signature type&gt;, for example: <ul>
-<li>Antivirus</li>
-<li>Antispyware</li>
-<li>Antimalware</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Dynamic Signature Type: &lt;Dynamic signature type&gt;, for example:
-<ul>
-<li>Version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-<li>Duration</li>
-</ul>
-</dt>
-<dt>Persistence Path: &lt;Path&gt;</dt>
-<dt>Dynamic Signature Version: &lt;Version number&gt;</dt>
-<dt>Dynamic Signature Compilation Timestamp: &lt;Timestamp&gt;</dt>
-<dt>Persistence Limit Type: &lt;Persistence limit type&gt;, for example:
-<ul>
-<li>VDM version</li>
-<li>Timestamp</li>
-<li>No limit</li>
-</ul>
-</dt>
-<dt>Persistence Limit: Persistence limit of the fastpath signature.</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-Check your Internet connectivity settings.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2013</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_SIGNATURE_FASTPATH_DELETED_ALL
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The Dynamic Signature Service deleted all dynamic definitions.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus discarded all <i>Dynamic Signature Service</i> signatures.
-<dl>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2020</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOADED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine downloaded a clean file.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus downloaded a clean file.
-<dl>
-<dt>Filename: &lt;File name&gt;
-Name of the file.</dt>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2021</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_CLOUD_CLEAN_RESTORE_FILE_DOWNLOAD_FAILED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine failed to download a clean file.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error trying to download a clean file.
-<dl>
-<dt>Filename: &lt;File name&gt;
-Name of the file.</dt>
-<dt>Current Signature Version: &lt;Current signature version&gt;</dt>
-<dt>Current Engine Version: &lt;Current engine version&gt;</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-Check your Internet connectivity settings.
-The Microsoft Defender Antivirus client encountered an error when using the Dynamic Signature Service to download the latest definitions to a specific threat. This error is likely caused by a network connectivity issue.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2030</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_OFFLINE_SCAN_INSTALLED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine was downloaded and is configured to run offline on the next system restart.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus downloaded and configured offline antivirus to run on the next reboot.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2031</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_OFFLINE_SCAN_INSTALL_FAILED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine was unable to download and configure an offline scan.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has encountered an error trying to download and configure offline antivirus.
-<dl>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2040</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_OS_EXPIRING
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Antimalware support for this operating system version will soon end.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-The support for your operating system will expire shortly. Running Microsoft Defender Antivirus on an out of support operating system isn't an adequate solution to protect against threats.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2041</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_OS_EOL
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Antimalware support for this operating system has ended. You must upgrade the operating system for continued support.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-The support for your operating system has expired. Running Microsoft Defender Antivirus on an out of support operating system isn't an adequate solution to protect against threats.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 2042</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_PROTECTION_EOL
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine no longer supports this operating system, and is no longer protecting your system from malware.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-The support for your operating system has expired. Microsoft Defender Antivirus is no longer supported on your operating system, has stopped functioning, and isn't protecting against malware threats.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 3002</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_RTP_FEATURE_FAILURE
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Real-time protection encountered an error and failed.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus Real-Time Protection feature has encountered an error and failed.
-<dl>
-<dt>Feature: &lt;Feature&gt;, for example:
-<ul>
-<li>On Access</li>
-<li>Internet Explorer downloads and Microsoft Outlook Express attachments</li>
-<li>Behavior monitoring</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-<dt>Reason: The reason Microsoft Defender Antivirus real-time protection has restarted a feature.</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-You should restart the system then run a full scan because it's possible the system wasn't protected for some time.
-The Microsoft Defender Antivirus client's real-time protection feature encountered an error because one of the services failed to start.
-If it's followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 3007</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_RTP_FEATURE_RECOVERED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Real-time protection recovered from a failure. We recommend running a full system scan when you see this error.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus Real-time Protection has restarted a feature. It's recommended that you run a full system scan to detect any items that may have been missed while this agent was down.
-<dl>
-<dt>Feature: &lt;Feature&gt;, for example:
-<ul>
-<li>On Access</li>
-<li>IE downloads and Outlook Express attachments</li>
-<li>Behavior monitoring</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Reason: The reason Microsoft Defender Antivirus real-time protection has restarted a feature.</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-The real-time protection feature has restarted. If this event happens again, contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5000</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_RTP_ENABLED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Real-time protection is enabled.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was enabled.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5001</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_RTP_DISABLED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Real-time protection is disabled.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus real-time protection scanning for malware and other potentially unwanted software was disabled.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5004</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_RTP_FEATURE_CONFIGURED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The real-time protection configuration changed.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus real-time protection feature configuration has changed.
-<dl>
-<dt>Feature: &lt;Feature&gt;, for example:
-<ul>
-<li>On Access</li>
-<li>IE downloads and Outlook Express attachments</li>
-<li>Behavior monitoring</li>
-<li>Network Inspection System</li>
-</ul>
-</dt>
-<dt>Configuration: </dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5007</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_CONFIG_CHANGED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform configuration changed.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
-<dl>
-<dt>Old value: &lt;Old value number&gt;
-Old antivirus configuration value.</dt>
-<dt>New value: &lt;New value number&gt;
-New antivirus configuration value.</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5008</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_ENGINE_FAILURE</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware engine encountered an error and failed.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus engine has been terminated due to an unexpected error.
-<dl>
-<dt>Failure Type: &lt;Failure type&gt;, for example:
-Crash
-or Hang</dt>
-<dt>Exception Code: &lt;Error code&gt;</dt>
-<dt>Resource: &lt;Resource&gt;</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-To troubleshoot this event:<ol>
-<li>Try to restart the service.<ul>
-<li>For antimalware, antivirus and spyware, at an elevated command prompt, type <b>net stop msmpsvc</b>, and then type <b>net start msmpsvc</b> to restart the antimalware engine.</li>
-<li>For the <i>Network Inspection System</i>, at an elevated command prompt, type <b>net start nissrv</b>, and then type <b>net start nissrv</b> to restart the <i>Network Inspection System</i> engine by using the NiSSRV.exe file.
-</li>
-</ul>
-</li>
-<li>If it fails in the same way, look up the error code by accessing the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support Site</a> and entering the error number in the <b>Search</b> box, and contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.</li>
-</ol>
-</td>
-</tr>
-<tr>
-<td>
-User action:
-</td>
-<td >
-The Microsoft Defender Antivirus client engine stopped due to an unexpected error.
-To troubleshoot this event:
-<ol>
-<li>Run the scan again.</li>
-<li>If it fails in the same way, go to the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support site</a>, enter the error number in the <b>Search</b> box to look for the error code.</li>
-<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.
-</li>
-</ol>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5009</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_ANTISPYWARE_ENABLED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Scanning for malware and other potentially unwanted software is enabled.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus scanning for malware and other potentially unwanted software has been enabled.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5010</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_ANTISPYWARE_DISABLED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Scanning for malware and other potentially unwanted software is disabled.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus scanning for malware and other potentially unwanted software is disabled.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5011</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_ANTIVIRUS_ENABLED</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Scanning for viruses is enabled.</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus scanning for viruses has been enabled.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5012</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_ANTIVIRUS_DISABLED
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Scanning for viruses is disabled.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus scanning for viruses is disabled.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5013</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>Tamper protection blocked a change to Microsoft Defender Antivirus.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked.
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5100</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_EXPIRATION_WARNING_STATE
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform will expire soon.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus has entered a grace period and will soon expire. After expiration, this program will disable protection against viruses, spyware, and other potentially unwanted software.
-<dl>
-<dt>Expiration Reason: The reason Microsoft Defender Antivirus will expire.</dt>
-<dt>Expiration Date: The date Microsoft Defender Antivirus will expire.</dt>
-</dl>
-</td>
-</tr>
-<tr>
-<th colspan="2">Event ID: 5101</th>
-</tr>
-<tr><td>
-Symbolic name:
-</td>
-<td >
-<b>MALWAREPROTECTION_DISABLED_EXPIRED_STATE
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Message:
-</td>
-<td >
-<b>The antimalware platform is expired.
-</b>
-</td>
-</tr>
-<tr>
-<td>
-Description:
-</td>
-<td >
-Microsoft Defender Antivirus grace period has expired. Protection against viruses, spyware, and other potentially unwanted software is disabled.
-<dl>
-<dt>Expiration Reason:</dt>
-<dt>Expiration Date: </dt>
-<dt>Error Code: &lt;Error code&gt;
-Result code associated with threat status. Standard HRESULT values.</dt>
-<dt>Error Description: &lt;Error description&gt;
-Description of the error. </dt>
-</dl>
-</td>
-</tr>
-</table>
-
-<a id="error-codes"></a>
-## Microsoft Defender Antivirus client error codes
-If Microsoft Defender Antivirus experiences any issues, it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. This section provides the following information about Microsoft Defender Antivirus client errors.
-- The error code-- The possible reason for the error-- Advice on what to do now-
-Use the information in these tables to help troubleshoot Microsoft Defender Antivirus error codes.
--
-<table>
-<tr>
-<th colspan="2">Error code: 0x80508007</th>
-</tr>
-<tr>
-<td>Message</td>
-<td>
-<b>ERR_MP_NO_MEMORY </b>
-</td>
-</tr>
-<tr>
-<td>
-Possible reason
-</td>
-<td>
-This error indicates that you might have run out of memory.
-</td>
-</tr>
-<tr>
-<td>Resolution</td>
-<td>
-<ol>
-<li>Check the available memory on your device.</li>
-<li>Close any unused applications that are running to free up memory on your device.</li>
-<li>Restart the device and run the scan again.
-</li>
-</ol>
-</td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x8050800C</th>
-</tr><tr><td>Message</td>
-<td><b>ERR_MP_BAD_INPUT_DATA</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that there might be a problem with your security product.
-</td>
-</tr><tr><td>Resolution</td><td>
-<ol>
-<li>Update the definitions. Either:<ol>
-<li>Get your security intelligence updates in the Windows Security app. <img src="images/defender-updatedefs2.png" alt="Update definitions in Microsoft Defender Antivirus"/>Or,
-</li>
-<li>Download the latest definitions from the <a href="https://aka.ms/wdsi">Microsoft Security Intelligence site</a>.
-Note: The size of the definitions file downloaded from the site can exceed 60 MB and shouldn't be used as a long-term solution for updating definitions.
-</li>
-</ol>
-</li>
-<li>Run a full scan.
-</li>
-<li>Restart the device and try again.</li>
-</ol>
-</td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x80508020</th>
-</tr><tr><td>Message</td>
-<td><b>ERR_MP_BAD_CONFIGURATION
-</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that there might be an engine configuration error; commonly, this is related to input data that doesn't allow the engine to function properly.
-</td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x805080211
-</th>
-</tr><tr><td>Message</td>
-<td><b>ERR_MP_QUARANTINE_FAILED
-</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that Microsoft Defender Antivirus failed to quarantine a threat.
-</td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x80508022
-</th>
-</tr><tr><td>Message</td>
-<td><b>ERR_MP_REBOOT_REQUIRED
-</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that a reboot is required to complete threat removal.
-</td>
-</tr>
-<tr>
-<th colspan="2">
-0x80508023
-</th>
-</tr><tr><td>Message</td>
-<td><b>ERR_MP_THREAT_NOT_FOUND
-</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that the threat might no longer be present on the media, or malware might be stopping you from scanning your device.
-</tr><tr><td>Resolution
-</td>
-<td>
-Run the <a href="https://www.microsoft.com/security/scanner/default.aspx">Microsoft Safety Scanner</a> then update your security software and try again.
-</td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x80508024 </th></tr>
-<tr>
-<td>Message</td>
-<td><b>ERR_MP_FULL_SCAN_REQUIRED
-</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that a full system scan might be required.
-</td></tr>
-<tr>
-<td>Resolution</td><td>
-Run a full system scan.
-</td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x80508025
-</th>
-</tr><tr><td>Message</td>
-<td><b>ERR_MP_MANUAL_STEPS_REQUIRED
-</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that manual steps are required to complete threat removal.
-</td></tr><tr><td>Resolution</td><td>
-Follow the manual remediation steps outlined in the <a href="https://www.microsoft.com/security/portal/threat/Threats.aspx">Microsoft Malware Protection Encyclopedia</a>. You can find a threat-specific link in the event history.<br/></td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x80508026
-</th>
-</tr><tr><td>Message</td>
-<td><b>ERR_MP_REMOVE_NOT_SUPPORTED
-</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that removal inside the container type might not be not supported.
-</td></tr><tr><td>Resolution</td><td>
-Microsoft Defender Antivirus isn't able to remediate threats detected inside the archive. Consider manually removing the detected resources.
-</td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x80508027
-</th>
-</tr><tr><td>Message</td>
-<td><b>ERR_MP_REMOVE_LOW_MEDIUM_DISABLED
-</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that removal of low and medium threats might be disabled.
-</td></tr><tr><td>Resolution</td><td>
-Check the detected threats and resolve them as required.
-</td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x80508029
-</th>
-</tr><tr><td>Message</td>
-<td><b>ERROR_MP_RESCAN_REQUIRED
-</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates a rescan of the threat is required.
-</td></tr><tr><td>Resolution</td><td>
-Run a full system scan.
-</td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x80508030
-</th>
-</tr><tr><td>Message</td>
-<td><b>ERROR_MP_CALLISTO_REQUIRED
-</b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that an offline scan is required.
-</td></tr><tr><td>Resolution</td><td>
-Run offline Microsoft Defender Antivirus. You can read about how to do this in the <a href="https://windows.microsoft.com/windows/what-is-windows-defender-offline">offline Microsoft Defender Antivirus article</a>.
-</td>
-</tr>
-<tr>
-<th colspan="2">Error code: 0x80508031
-</th>
-</tr><tr><td>Message</td>
-<td><b>ERROR_MP_PLATFORM_OUTDATED<br/></b>
-</td></tr><tr><td>Possible reason</td>
-<td>
-This error indicates that Microsoft Defender Antivirus doesn't support the current version of the platform and requires a new version of the platform.
-</td></tr><tr><td>Resolution</td><td>
-You can only use Microsoft Defender Antivirus in Windows 10 and Windows 11. For Windows 8, Windows 7 and Windows Vista, you can use <a href="https://www.microsoft.com/server-cloud/system-center/endpoint-protection-2012.aspx">System Center Endpoint Protection</a>.<br/></td>
-</tr>
-</table>
-
-<a id="internal-error-codes"></a>
-The following error codes are used during internal testing of Microsoft Defender Antivirus.
-
-If you see these errors, you can try to [update definitions](microsoft-defender-antivirus-updates.md) and force a rescan directly on the endpoint.
--
-<table>
-<tr>
-<th colspan="3">Internal error codes</th>
-</tr>
-<tr>
-<th><b>Error code</b></th>
-<th>Message displayed</th>
-<th>Possible reason for error and resolution</th>
-</tr>
-<tr>
-<td>
-0x80501004
-</td>
-<td>
-<b>ERROR_MP_NO_INTERNET_CONN
-</b>
-</td>
-<td>
-Check your Internet connection, then run the scan again.
-</td>
-</tr>
-<tr>
-<td>
-0x80501000
-</td>
-<td>
-<b>ERROR_MP_UI_CONSOLIDATION_BAS</b>E
-</td>
-<td rowspan="34">
-This is an internal error. The cause isn't clearly defined.
-</td>
-<td rowspan="36">
-
-</td>
-</tr>
-<tr>
-<td>
-0x80501001
-</td>
-<td>
-<b>ERROR_MP_ACTIONS_FAILED</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80501002
-</td>
-<td>
-<b>ERROR_MP_NOENGINE</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80501003
-</td>
-<td>
-<b>ERROR_MP_ACTIVE_THREATS</b>
-</td>
-</tr>
-<tr>
-<td>
-0x805011011
-</td>
-<td>
-<b>MP_ERROR_CODE_LUA_CANCELLED </b>
-</td>
-</tr>
-<tr>
-<td>
-0x80501101
-</td>
-<td>
-<b>ERROR_LUA_CANCELLATION </b>
-</td>
-</tr>
-<tr>
-<td>
-0x80501102
-</td>
-<td>
-<b>MP_ERROR_CODE_ALREADY_SHUTDOWN</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80501103
-</td>
-<td>
-<b>MP_ERROR_CODE_RDEVICE_S_ASYNC_CALL_PENDING </b>
-</td>
-</tr>
-<tr>
-<td>
-0x80501104
-</td>
-<td>
-<b>MP_ERROR_CODE_CANCELLED</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80501105
-</td>
-<td>
-<b>MP_ERROR_CODE_NO_TARGETOS</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80501106
-</td>
-<td>
-<b>MP_ERROR_CODE_BAD_REGEXP</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80501107
-</td>
-<td>
-<b>MP_ERROR_TEST_INDUCED_ERROR</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80501108
-</td>
-<td>
-<b>MP_ERROR_SIG_BACKUP_DISABLED</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80508001
-</td>
-<td>
-<b>ERR_MP_BAD_INIT_MODULES</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80508002
-</td>
-<td>
-<b>ERR_MP_BAD_DATABASE</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80508004
-</td>
-<td>
-<b>ERR_MP_BAD_UFS </b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050800C
-</td>
-<td>
-<b>ERR_MP_BAD_INPUT_DATA</b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050800D
-</td>
-<td>
-<b>ERR_MP_BAD_GLOBAL_STORAGE</b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050800E
-</td>
-<td>
-<b>ERR_MP_OBSOLETE</b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050800F
-</td>
-<td>
-<b>ERR_MP_NOT_SUPPORTED</b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050800F
-0x80508010
-</td>
-<td>
-<b>ERR_MP_NO_MORE_ITEMS </b>
-</td>
-</tr>
-<tr>
-<td>
-0x80508011
-</td>
-<td>
-<b>ERR_MP_DUPLICATE_SCANID</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80508012
-</td>
-<td>
-<b>ERR_MP_BAD_SCANID</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80508013
-</td>
-<td>
-<b>ERR_MP_BAD_USERDB_VERSION</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80508014
-</td>
-<td>
-<b>ERR_MP_RESTORE_FAILED</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80508016
-</td>
-<td>
-<b>ERR_MP_BAD_ACTION</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80508019
-</td>
-<td>
-<b>ERR_MP_NOT_FOUND</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80509001
-</td>
-<td>
-<b>ERR_RELO_BAD_EHANDLE</b>
-</td>
-</tr>
-<tr>
-<td>
-0x80509003
-</td>
-<td>
-<b>ERR_RELO_KERNEL_NOT_LOADED</b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050A001
-</td>
-<td>
-<b>ERR_MP_BADDB_OPEN</b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050A002
-</td>
-<td>
-<b>ERR_MP_BADDB_HEADER</b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050A003
-</td>
-<td>
-<b>ERR_MP_BADDB_OLDENGINE</b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050A004
-</td>
-<td>
-<b>ERR_MP_BADDB_CONTENT </b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050A005
-</td>
-<td>
-<b>ERR_MP_BADDB_NOTSIGNED</b>
-</td>
-</tr>
-<tr>
-<td>
-0x8050801
-</td>
-<td>
-<b>ERR_MP_REMOVE_FAILED</b>
-</td>
-<td>
-This is an internal error. It might be triggered when malware removal isn't successful.
-</td>
-</tr>
-<tr>
-<td>
-0x80508018
-</td>
-<td>
-<b>ERR_MP_SCAN_ABORTED
-</b>
-</td>
-<td>
-This is an internal error. It might have triggered when a scan fails to complete.
-</td>
-</tr>
-</table>
-
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
--
-## Related topics
--- [Report on Microsoft Defender Antivirus protection](report-monitor-microsoft-defender-antivirus.md)-- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
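Review bot: The removed block deletes the `error-codes` and `internal-error-codes` anchors together with the event ID and error code tables, so any inbound link that targets those fragments will stop resolving; confirm that the replacement content keeps the same anchor ids or that the linking pages are updated. If the tables are being re-authored rather than dropped, correct the defects visible in the removed text while moving it: the Event ID 5008 step for the Network Inspection System says `net start nissrv` twice where the msmpsvc step above it uses stop then start, Event ID 5013 has an empty symbolic name, the ERR_MP_NO_MORE_ITEMS row lists two codes in one cell (`0x8050800F` repeats the previous row), and `0x805080211`, `0x805011011` and `0x8050801` are not eight hex digits long like every other code in the tables.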
security Troubleshoot Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md
Typically, the most common indicators of a problem are:
- You do not see any devices at all - The reports and information you do see is outdated (older than a few days)
-For common error codes and event IDs related to the Microsoft Defender Antivirus service that are not related to Update Compliance, see [Microsoft Defender Antivirus events](troubleshoot-microsoft-defender-antivirus.md).
+For common error codes and event IDs related to the Microsoft Defender Antivirus service that are not related to Update Compliance, see [Microsoft Defender Antivirus events](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/).
There are three steps to troubleshooting these problems:
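Review bot: The new link target on the `+` line ends in a trailing slash (`/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/`), while the other site-relative links visible in this set of changes, such as `/microsoft-365/security/defender-endpoint/troubleshoot-mdatp`, do not; drop the trailing slash so the link style stays consistent. The link text still promises "error codes and event IDs", so also check that the target page still carries that reference material.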
security Why Use Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus.md
Although you can use a non-Microsoft antivirus solution with Microsoft Defender
|8|Auditing events|Auditing event signals are available in [endpoint detection and response capabilities](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response). (These signals are not available with non-Microsoft antivirus solutions.)| |9|Geographic data|Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](/microsoft-365/compliance/offering-iso-27001).| |10|File recovery via OneDrive|If you are using Microsoft Defender Antivirus together with [Office 365](/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
-|11|Technical support|By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mdatp)and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md).|
+|11|Technical support|By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mdatp)and [review event logs and error codes with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/).|
> [!TIP] > If you're looking for Antivirus related information for other platforms, see:
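Review bot: The changed row 11 still has no space between the first link and the following word (`.../troubleshoot-mdatp)and [review event logs ...`), so the rendered sentence runs the link into "and"; since this line is being edited anyway, insert the space. The new target also ends in a trailing slash, unlike the `troubleshoot-mdatp` link beside it on the same line; use one form for both.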
security Attack Simulation Training End User Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-end-user-notifications.md
Click a column header to sort by that column. To add or remove columns, click ![
> [!TIP] > The **Γï«** (**Actions** control) is associated with the **Notifications** column. If you remove that column from view, the **Γï«** control goes away.
-<sup>\*</sup> To see all columns, you'll likely need to do one or more of the following steps:
+<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
- Horizontally scroll in your web browser. - Narrow the width of appropriate columns.
security Attack Simulation Training Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
Last updated 4/3/2023
**Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-In Attack simulation training in Microsoft Defender for Office Plan 2 or Microsoft 365 E5, Microsoft provides insights and reports from the results of simulations and the corresponding trainings. This information keeps you informed on the threat readiness progress of your users, as well as recommended next steps to better prepare your users for future attacks.
+In Attack simulation training in Microsoft Defender for Office Plan 2 or Microsoft 365 E5, Microsoft provides insights and reports from the results of simulations and the corresponding trainings. This information keeps you informed on the threat readiness progress of your users, and recommended next steps to better prepare your users for future attacks.
Insights and reports are available in the following locations on the **Attack simulation training** page in the Microsoft 365 Defender portal:
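Review bot: Replacing "as well as" with ", and" in the second sentence of the `+` line leaves "and recommended next steps" reading as a second verb clause ("This information keeps you informed ... and recommended ..."), which changes the sense. Suggest "keeps you informed on the threat readiness progress of your users and on recommended next steps", or split it into two sentences.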
Selecting **Launch now** starts the new simulation wizard with the specified sim
### Simulation coverage card
-The **Simulation coverage** card on the **Overview** tab shows the percentage of users in your organization who've received a simulation (**Simulated users**) vs. those who haven't received a simulation (**Non-simulated users**). You can hover over a section in the chart to see the actual number of users in each category.
+The **Simulation coverage** card on the **Overview** tab shows the percentage of users in your organization who have received a simulation (**Simulated users**) vs. users who haven't received a simulation (**Non-simulated users**). You can hover over a section in the chart to see the actual number of users in each category.
Selecting **Launch simulation for non-simulated users** starts the new simulation wizard where the users who didn't receive the simulation are automatically selected on the **Target user** page. For more information, see [Simulate a phishing attack in Defender for Office 365](attack-simulation-training-simulations.md).
Selecting **View repeat offender report** takes you to the [Repeat offenders tab
The **Behavior impact on compromise rate** card on the **Overview** tab shows how your users responded to your simulations as compared to the historical data in Microsoft 365. You can use these insights to track progress in users threat readiness by running multiple simulations against the same groups of users.
-The chart data itself shows the following information:
+The chart data shows the following information:
- **Predicted compromise rate**: Historical data across Microsoft 365 that predicts the percentage of people who will be compromised by this simulation (users compromised / total number of users who receive the simulation). To learn more about the predicted compromise rate (PCR), see [Predicted compromise rate](attack-simulation-training-get-started.md#predicted-compromise-rate).
To view the details of in-progress or completed simulations, use either of the f
- On the **Overview** tab at <https://security.microsoft.com/attacksimulator?viewid=overview>, select a simulation from the [Recent simulations card](#recent-simulations-card). - On the **Simulations** tab at <https://security.microsoft.com/attacksimulator?viewid=simulations>, select a simulation by clicking anywhere other than the check box next to the name.
-The page that opens contains **Report**, **Users** and **Details** tabs that contain information about the simulation. The rest of this section describe the insights and reports that are available on the **Report** tab.
+The page that opens contains **Report**, **Users** and **Details** tabs that contain information about the simulation. The rest of this section describes the insights and reports that are available on the **Report** tab.
For details about the **Users** and **Details** tabs, see [View simulation details](attack-simulation-training-simulations.md#view-simulation-reports).
security Attack Simulation Training Landing Pages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-landing-pages.md
Click a column header to sort by that column. To add or remove columns, click ![
> [!TIP] > The **Γï«** (**Actions** control) is associated with the **Name** column. If you remove that column from view, the **Γï«** control goes away.
-<sup>\*</sup> To see all columns, you'll likely need to do one or more of the following steps:
+<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
- Horizontally scroll in your web browser. - Narrow the width of appropriate columns.
Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filt
When you select a landing page from the list by clicking anywhere in the row other than the check box next to the name, a details flyout appears with the following information: -- **Preview** tab: View the landing page as users will see it. Use the **Select language** drop down list to see the landing page in different languages.
+- **Preview** tab: View the landing page as users see it. Use the **Select language** drop down list to see the landing page in different languages.
- **Details** tab: View details about the landing page: - **Description** - **Status**: **Ready** or **Draft**.
security Attack Simulation Training Login Pages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-login-pages.md
When you select a login page from the list by clicking anywhere in the row other
- **Select a language**: The available values are: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, and **Dutch**.
- - **Make this the default login page**: If you select this option, the login page will be the default selection in **Credential Harvest** or **Link in Attachment** [payloads](attack-simulation-training-payloads.md) or [payload automations](attack-simulation-training-payload-automations.md).
+ - **Make this the default login page**: If you select this option, the login page is the default selection in **Credential Harvest** or **Link in Attachment** [payloads](attack-simulation-training-payloads.md) or [payload automations](attack-simulation-training-payload-automations.md).
- **Create a two-page login**: If you don't select this option, the login page is one page. If you select this option, **Page 1** and **Page 2** tabs appear for you to configure separately.
security Attack Simulation Training Payload Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations.md
Last updated 3/29/2023
**Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, payload automations (also known as _payload harvesting_) collect information from real-world phishing attack messages that were reported by users in your organization. Although the numbers of these messages are likely low in your organization, you can specify the conditions to look for in phishing attacks (for example, recipients, social engineering technique, sender information, etc.). Attack simulation training will then mimic the messages and payloads used in the attack to automatically launch harmless simulations to targeted users.
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, payload automations (also known as _payload harvesting_) collect information from real-world phishing attacks that were reported by users in your organization. Although the numbers of these messages are likely low in your organization, you can specify the conditions to look for in phishing attacks (for example, recipients, social engineering technique, sender information, etc.). Attack simulation training will then mimic the messages and payloads used in the attack to automatically launch harmless simulations to targeted users.
For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
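Review bot: Shortening "real-world phishing attack messages" to "real-world phishing attacks" in the first sentence removes the antecedent for the next sentence, which still begins "Although the numbers of these messages are likely low". Either keep "messages" in the first sentence or change the second to "these attacks" so the paragraph stays coherent.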
The following information is shown for each payload automation<sup>\*</sup>:
- **Last modified** - **Status**: The value is **Ready** or **Draft**.
-<sup>\*</sup> To see all columns, you'll likely need to do one or more of the following steps:
+<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
- Horizontally scroll in your web browser. - Narrow the width of appropriate columns.
To create a payload automation, do the following steps:
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com/>, go to **Email & collaboration** \> **Attack simulation training** \> **Automations** tab \> **Payload automations**. To go directly to the **Automations** tab where you can select **Payload automations**, use <https://security.microsoft.com/attacksimulator?viewid=automations>.
-2. On the **Payload automations** page, click ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) **Create automation** to start the new payload automation wizard..
+2. On the **Payload automations** page, click ![Create automation icon.](../../media/m365-cc-sc-create-icon.png) **Create automation** to start the new payload automation wizard.
:::image type="content" source="../../media/attack-sim-training-sim-automations-create.png" alt-text="The Create simulation button on the Payload automations tab in Attack simulation training in the Microsoft 365 Defender portal" lightbox="../../media/attack-sim-training-sim-automations-create.png":::
security Attack Simulation Training Payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
description: Admins can learn how to create and manage payloads for Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 4/3/2023 Last updated : 4/4/2023 # Payloads in Attack simulation training
Last updated 4/3/2023
**Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, a _payload_ is the phishing email message and links or attachment content that's presented to users in simulations. Attack simulation training offers a robust built-in payload catalog for the available social engineering techniques. However, you might want to create custom payloads that will work better for your organization.
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, a _payload_ is the link or attachment in the simulated phishing email message that's presented to users. Attack simulation training offers a robust built-in payload catalog for the available social engineering techniques. However, you might want to create custom payloads that work better for your organization.
For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
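Review bot: The new definition in the + line narrows a payload to "the link or attachment in the simulated phishing email message", but the **Configure payload** settings further down this same article (**From name**, **From email**, **Email subject**, the **Email message** section) are all configured as part of the payload, so the message itself still belongs to it. Either keep the message in the definition, as the removed line did, or explain where the sender and body settings belong if a payload is only the link or attachment.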
The following information is shown for each payload on the **Global payloads** a
Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, the only available column that's not selected is **Platform**.
-<sup>\*</sup> To see all columns, you'll likely need to do one or more of the following steps:
+<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
- Horizontally scroll in your web browser. - Narrow the width of appropriate columns.
When you're finished configuring filters, click **Apply**, **Cancel**, or ![Clea
When you select a payload by clicking anywhere in the row other than the check box next to the name, a details flyout appears with the following information: -- **Overview** tab: View the payload as users will see it. Payload properties are also visible:
+- **Overview** tab: View the payload as users see it. Payload properties are also visible:
- **Payload description** - **From name** - **From email**
To see payloads that have been archived (the **Status** value is **Archive**), u
- **Sender details** section: Configure the following settings: - **From name**
- - **Use first name as display name**: By default, this setting is not selected.
- - **From email**: If you choose an internal email address for your payload's sender, the payload will appear to come from a fellow employee. This sender email address will increase a user's susceptibility to the payload, and will help educate employees on the risk of internal threats.
+ - **Use first name as display name**: By default, this setting isn't selected.
+ - **From email**: If you choose an internal email address for your payload's sender, the payload appears to come from a fellow employee. This sender email address increases a user's susceptibility to the payload, and helps to educate employees on the risk of internal threats.
- **Email subject**
- - **Add External tag to email**: By default, this setting is not selected.
+ - **Add External tag to email**: By default, this setting isn't selected.
- **Attachment details** section (**Malware Attachment**, **Link in Attachment**, or **Link to Malware** techniques only): Configure the following settings: - **Name your attachment**: Enter a filename for the attachment. - **Select an attachment type**: Select a filetype for the attachment. Available values are **Docx** or **HTML**.
- - **Link for attachment** section (**Link to Malware** technique only): In the **Select a URL you want to be your malware attachment link** box, select one of the available URLs (the same URLs that are described for the **Phishing link** section). You'll embed the URL in the body of the message in the **Email message** section.
+ - **Link for attachment** section (**Link to Malware** technique only): In the **Select a URL you want to be your malware attachment link** box, select one of the available URLs (the same URLs that are described for the **Phishing link** section). You embed the URL in the body of the message in the **Email message** section.
- **Phishing link** section (**Credential Harvest**, **Link in Attachment**, **Drive-by URL**, or **OAuth Consent Grant** techniques only):
- - For **Credential Harvest**, **Drive-by URL**, or **OAuth Consent Grant**, the name of the box is **Select a URL you want to be your phishing link**. You'll embed the URL in the body of the message in the **Email message** section.
- - For **Link in Attachment**, the name of the box is **Select a URL in this attachment that you want to be your phishing link**. You'll embed the URL in the attachment in the **Attachment content** section.
+ - For **Credential Harvest**, **Drive-by URL**, or **OAuth Consent Grant**, the name of the box is **Select a URL you want to be your phishing link**. You embed the URL in the body of the message in the **Email message** section.
+ - For **Link in Attachment**, the name of the box is **Select a URL in this attachment that you want to be your phishing link**. You embed the URL in the attachment in the **Attachment content** section.
Select one of the available URL values:
To see payloads that have been archived (the **Status** value is **Archive**), u
- **Code** tab: You can view and modify the HTML code directly.
- - **Replace all links in the email message with the phishing link** (**Credential Harvest**, **Link to Malware**, **Drive-by URL**, or **OAuth Consent Grant** techniques only): This toggle can save time by replacing all links in the message with the previously selected **Phishing link** or **Link for attachment** URL. To do this, toggle the setting to on ![Toggle on icon.](../../media/scc-toggle-on.png).
+ - **Replace all links in the email message with the phishing link** (**Credential Harvest**, **Link to Malware**, **Drive-by URL**, or **OAuth Consent Grant** techniques only): This toggle can save time by replacing all links in the message with the previously selected **Phishing link** or **Link for attachment** URL. To take this action, toggle the setting to on ![Toggle on icon.](../../media/scc-toggle-on.png).
When you're finished on the **Configure payload** page, click **Next**.
To see payloads that have been archived (the **Status** value is **Archive**), u
## Take action on payloads
+All actions on existing payloads start on the **Payloads** page. To get there, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> **Payloads** \> **Tenant payloads** tab. To go directly to the **Content library** tab where you can select **Payloads** and the **Tenant payloads** or **Global payloads** tabs, use <https://security.microsoft.com/attacksimulator?viewid=contentlibrary>.
+ > [!TIP]
-> To see the **Γï«** (**Actions**) control on the **Global payloads** or **Tenant payloads** tabs, you'll likely need to do one or more of the following steps:
+> To see the **Γï«** (**Actions**) control on the **Global payloads** or **Tenant payloads** tabs, you likely need to do one or more of the following steps:
> > - Horizontally scroll in your web browser. > - Narrow the width of appropriate columns.
security Attack Simulation Training Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-settings.md
ms.localizationpriority: medium
- m365-security - tier2
-description: Admins can learn how to configure the repeat offender threshold and exclude simulations from reporting in Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+description: Admins can learn how to configure global settings in Attack simulation training in Microsoft Defender for Office 365 Plan 2.
search.appverid: met150 Last updated 4/3/2023
In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Offi
- The [Repeat offenders card on the Overview tab](attack-simulation-training-insights.md#repeat-offenders-card) and the [Repeat offenders tab in the Attack simulation report](attack-simulation-training-insights.md#repeat-offenders-tab-for-the-attack-simulation-report). - When you select users in [simulations](attack-simulation-training-simulation-automations.md#target-users), [simulation automations](attack-simulation-training-simulation-automations.md#target-users), and [training simulations](attack-simulation-training-training-campaigns.md#target-users), you can find and filter repeat offenders. -- **View exclude simulations from reporting**: After a simulation has completed, you can exclude the results of the simulation from reporting. For instructions, see [Exclude completed simulations from reporting](attack-simulation-training-simulations.md#exclude-completed-simulations-from-reporting). You can use the the **View all** link in this section to see excluded simulations on the **Simulations** tab.
+- **View exclude simulations from reporting**: After a simulation has completed, you can exclude the results of the simulation from reporting. For instructions, see [Exclude completed simulations from reporting](attack-simulation-training-simulations.md#exclude-completed-simulations-from-reporting). You can use the **View all** link in this section to see excluded simulations on the **Simulations** tab.
To get to the **Settings** tab, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Login pages**. To go directly to the **Settings** tab, use <https://security.microsoft.com/attacksimulator?viewid=setting>.
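Review bot: The navigation sentence left as context after this hunk sends readers to the wrong place. It says to reach the **Settings** tab by going to "**Content library** tab \> and then select **Login pages**", while the direct URL on the same line uses viewid=setting. The Teams article in this same update gives the path as **Attack simulation training** \> **Settings** tab; use that path here too.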
security Attack Simulation Training Simulation Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations.md
When you're finished on the **Automation name** page, click **Next**.
On the **Select social engineering techniques** page, select one or more of the available social engineering techniques, which were curated from the [MITRE ATT&CK® framework](https://attack.mitre.org/techniques/enterprise/). Different payloads are available for different techniques. The following social engineering techniques are available: - **Credential Harvest**: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.-- **Malware Attachment**: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that will help the attacker compromise the target's device.
+- **Malware Attachment**: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.
- **Link in Attachment**: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.-- **Link to Malware**: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user will contain a link to this malicious file, opening the file and helping the attacker compromise the target's device.
+- **Link to Malware**: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.
- **Drive-by URL**: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. - **OAuth Consent Grant**: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
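Review bot: In the rewritten **Link to Malware** bullet, "contains a link to this malicious file, opening the file and helping the attacker compromise the target's device" reads as if the message itself opens the file. The same bullet in attack-simulation-training-simulations.md is split into two sentences ("Opening the file helps the attacker compromise the target's device."); use that wording here so both articles describe the technique the same way.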
When you're finished on the **Configure OAuth payload** page, click **Next**.
## Target users
-On the **Target users** page, select who will receive the simulation. Use the following options to select users:
+On the **Target users** page, select who receives the simulation. Use the following options to select users:
- **Include all users in your organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** icon on the page to find specific users.
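Review bot: The context bullet directly below the changed sentence still says "The unmodifiable list of users is show in groups of 10". As this pass is a wording cleanup of the **Target users** section, change "is show" to "is shown" here and in the identical bullet in attack-simulation-training-simulations.md.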
On the **Target users** page, select who will receive the simulation. Use the fo
> [!NOTE] > Clicking the **Add filters** button clears and replaces any results the **User list** section with the **Filter users by categories**.
- When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the circle next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
On the **Target users** page, select who will receive the simulation. Use the fo
- **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, click the **See all** link to see all filter values - **User list** section: Shows the users or groups that match your category searches. The number of results appears in the **Selected (0/x) users** label.
- When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the circle next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
security Attack Simulation Training Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulations.md
description: Admins can learn how to simulate phishing attacks and train their users on phishing prevention using Attack simulation training in Microsoft Defender for Office 365 Plan 2. search.appverid: met150 Previously updated : 4/3/2023 Last updated : 4/4/2023 # Simulate a phishing attack with Attack simulation training
Last updated 4/3/2023
**Applies to** [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
-In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, simulations allow you run benign cyberattack simulations in your organization. These simulations test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks. This article walks you through creating a simulated phishing attack using Attack simulation training.
+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, simulations are benign cyberattacks that you run in your organization. These simulations test your security policies and practices, as well as train your employees to increase their awareness and decrease their susceptibility to attacks. This article walks you through creating a simulated phishing attack using Attack simulation training.
For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
To launch a simulated phishing attack, do the following steps:
On the **Select technique** page, select an available social engineering technique, which was curated from the [MITRE ATT&CK® framework](https://attack.mitre.org/techniques/enterprise/). Different payloads are available for different techniques. The following social engineering techniques are available: - **Credential Harvest**: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.-- **Malware Attachment**: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that will help the attacker compromise the target's device.
+- **Malware Attachment**: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.
- **Link in Attachment**: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.-- **Link to Malware**: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user will contain a link to this malicious file. Opening the file will help the attacker compromise the target's device.
+- **Link to Malware**: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file. Opening the file helps the attacker compromise the target's device.
- **Drive-by URL**: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device. - **OAuth Consent Grant**: The malicious URL asks users to grant permissions to data for a malicious Azure Application.
When you're finished on the **Configure OAuth payload** page, click **Next**.
## Target users
-On the **Target users** page, select who will receive the simulation. Use the following options to select users:
+On the **Target users** page, select who receives the simulation. Use the following options to select users:
- **Include all users in your organization**: The unmodifiable list of users is show in groups of 10. You can use the **Next** and **Previous** buttons directly below the list of users to scroll through the list. You can also use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** icon on the page to find specific users.
On the **Target users** page, select who will receive the simulation. Use the fo
> [!NOTE] > Clicking the **Add filters** button clears and replaces any results the **User list** section with the **Filter users by categories**.
- When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the circle next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
On the **Target users** page, select who will receive the simulation. Use the fo
- **Filters** section: Show how many filter values you used and the names of the filter values. If it's available, click the **See all** link to see all filter values - **User list** section: Shows the users or groups that match your category searches. The number of results appears in the **Selected (0/x) users** label.
- When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the circle next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
+ When you have a list of users or groups in the **User list** section, select some or all of the results by selecting the round check box next to the **Name** column. The number of selected results appears in the **Selected (y/x) users** label.
Click the **Add x users** button to add the selected users or groups on the **Target users** page and to return to the **Target users** page.
The **Training assignment notification** page shows the following notifications
- **Microsoft default training only campaign-training assignment notification** - Any custom training assignment notifications that you previously created.
-These notifications are also available at **Attack simulation training** \> **Content library tab** \> **End user notifications**:
+These notifications are also available at **Attack simulation training** \> **Content library** tab \> **End user notifications**:
- Built-in training assignment notifications are available on the **Global notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=global>. - Custom training assignment notifications are available on the **Tenant notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=tenant>.
The **Training reminder notification** page shows the following notifications an
- **Microsoft default training only campaign-training reminder notification** - Any custom training reminder notifications that you previously created.
-These notifications are also available at **Attack simulation training** \> **Content library tab** \> **End user notifications**:
+These notifications are also available at **Attack simulation training** \> **Content library** tab \> **End user notifications**:
- Built-in training reminder notifications are available on the **Global notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=global>. - Custom training reminder notifications are available on the **Tenant notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=tenant>.
You have the following options for positive reinforcement notifications:
- **Microsoft default positive reinforcement notification** - Any custom positive reinforcement notifications that you previously created.
- These notifications are also available at **Attack simulation training** \> **Content library tab** \> **End user notifications**:
+ These notifications are also available at **Attack simulation training** \> **Content library** tab \> **End user notifications**:
- Built-in positive reinforcement notifications are available on the **Global notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=global>. - Custom positive reinforcement notifications are available on the **Tenant notifications** tab at <https://security.microsoft.com/attacksimulator?viewid=contentlibrary&source=tenant>.
On the **Simulation has been scheduled for launch** page, you can use the links
When you're finished on the **Simulation has been scheduled for launch**, click **Done**.
-Back on the **Simulations** tab, the payload automation that you created is now listed. Dhe **Status** value depends on your previous selection in the [Configure the simulation launch details](#configure-the-simulation-launch-details) step:
+Back on the **Simulations** tab, the simulation that you created is now listed. The **Status** value depends on your previous selection in the [Configure the simulation launch details](#configure-the-simulation-launch-details) step:
- **In progress** if you selected **Launch this simulation as soon as I'm done**. - **Scheduled** if you selected **Schedule this simulation to be launched later**.
By default, the following information is shown for each simulation<sup>\*</sup>:
- **In progress** - **Completed** - **Failed**
- - **Cancelled**
+ - **Canceled**
- **Excluded** - **Γï«** (**Actions** control): Take action on the simulation. The available actions depend on the **Status** value of the simulation as described in the procedure sections. This control always appears at the end of the row. Click a column header to sort by that column. To add or remove columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**. By default, all available columns are selected.
-<sup>\*</sup> To see all columns, you'll likely need to do one or more of the following steps:
+<sup>\*</sup> To see all columns, you likely need to do one or more of the following steps:
- Horizontally scroll in your web browser. - Narrow the width of appropriate columns.
The rest of the details page contains the following tabs:
## Take action on simulations
+All actions on existing simulations start on the **Simulations** tab. To get there, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulations** tab. Or, to go directly to the **Simulations** tab, use <https://security.microsoft.com/attacksimulator?viewid=simulations>.
+ > [!TIP]
-> To see the **Γï«** (**Actions**) control that's required to act on simulations on the **Simulations** tab, you'll likely need to do one or more of the following steps:
+> To see the **Γï«** (**Actions**) control that's required to act on simulations on the **Simulations** tab, you likely need to do one or more of the following steps:
> > - Horizontally scroll in your web browser. > - Narrow the width of appropriate columns.
You can cancel simulations with the **Status** value **In progress** or **Schedu
To cancel a simulation on the **Simulations** tab, select the simulation by clicking **Γï«** (**Actions**) at the end of the row, select ![Cancel simulation icon.](../../media/m365-cc-sc-close-icon.png) **Cancel simulation**, and then click **Confirm** in the confirmation dialog.
-After you cancel the simulation, the **Status** value changes to **Cancelled**.
+After you cancel the simulation, the **Status** value changes to **Canceled**.
### Remove simulations
security Attack Simulation Training Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-teams.md
ms.localizationpriority: medium
- m365-security - tier2
-description: Admins can learn about the addition of Microsoft Teams in delivering simulated phishing attacks in in Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+description: Admins can learn about the addition of Microsoft Teams in delivering simulated phishing attacks in Attack simulation training in Microsoft Defender for Office 365 Plan 2.
search.appverid: met150 Previously updated : 3/30/2023 Last updated : 4/4/2023 # Microsoft Teams in Attack simulation training
The addition of Teams in Attack simulation training affects the following featur
- [Payloads](attack-simulation-training-payloads.md) - [Simulation automations](attack-simulation-training-simulation-automations.md)
-[Payload automations](attack-simulation-training-payload-automations.md), [end-user notifications](attack-simulation-training-end-user-notifications.md), [login pages](attack-simulation-training-login-pages.md), and [landing pages](attack-simulation-training-landing-pages.md) are not affected by Teams in Attack simulation training.
+[Payload automations](attack-simulation-training-payload-automations.md), [end-user notifications](attack-simulation-training-end-user-notifications.md), [login pages](attack-simulation-training-login-pages.md), and [landing pages](attack-simulation-training-landing-pages.md) aren't affected by Teams in Attack simulation training.
+
+## Teams simulation configuration
+
+In addition to having user reporting for Teams messages turned on as described in [User reported message settings in Microsoft Teams](submissions-teams.md), you also need to configure the Teams accounts that can be used as sources for simulation messages in Attack simulation training.
+
+To configure the accounts, do the following steps:
+
+1. Identify or create a user who's a member of the [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator), [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator), or [Attack Simulation Administrator](/azure/active-directory/roles/permissions-reference#attack-simulation-administrator) roles in Azure Active Directory. You need to know the password.
+2. Using the account from Step 1, open the Microsoft 365 Defender portal at <https://security.microsoft.com> and go to **Email & collaboration** \> **Attack simulation training** \> **Settings** tab. Or, to go directly to the **Settings** tab, use <https://security.microsoft.com/attacksimulator?viewid=setting>.
+3. On the **Settings** tab, click **Manager user accounts** in the **Teams simulation configuration** section.
+4. In the **Teams simulation configuration** flyout that opens, click **Generate token**. Read the information in the confirmation dialog, and then click **I agree**.
+5. Back on the **Settings** tab, click **Manager user accounts** in the **Teams simulation configuration** section again to reopen the **Teams simulation configuration** flyout. The user account that you were logged in as now appears in the **User accounts available for Teams phishing** section.
+
+To remove a user from the list, click the round check box that appears next to the user's **Display name** without clicking anywhere else in the row. Click the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon that appears, and then click **Delete** in the confirmation dialog.
+
+Or, to prevent the account from being used in Teams simulations but keep the linked simulations history for the account, you can block the account from signing in as described [here](/microsoft-365/admin/add-users/remove-former-employee-step-1).
## Changes in simulations for Microsoft Teams
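Review bot: Step 1 of the new **Teams simulation configuration** procedure lists Global Administrator first and adds "You need to know the password", and step 4 has that account generate a token, but nothing here says what the token permits, how long it stays valid, or whether deleting the account from **User accounts available for Teams phishing** revokes it. Suggest steering readers to a dedicated account in the Attack Simulation Administrator role rather than a Global Administrator, and documenting the token's scope and how to revoke it. Also confirm the control name "**Manager user accounts**" in steps 3 and 5 against the portal, and replace the "[here]" link text in the last paragraph with the target article's title.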
Teams introduces the following changes to viewing and creating simulations as de
- If you select ![Launch a simulation icon.](../../media/m365-cc-sc-create-icon.png) **Launch a simulation** on the **Simulations** tab to create a simulation, the first page of the new simulation wizard is **Select delivery platform** where you can select **Microsoft Teams**. Selecting **Microsoft Teams** introduces the following changes to the rest of the new simulation wizard:
- - On the **[Select technique](attack-simulation-training-simulations.md#select-a-social-engineering-technique)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques are not available.
+ - On the **[Select technique](attack-simulation-training-simulations.md#select-a-social-engineering-technique)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques aren't available.
- On the **[Name simulation](attack-simulation-training-simulations.md#name-and-describe-the-simulation)** page, a **Select sender's Microsoft Teams account** section and **Select user account** link are present. Click **Select user account** to find and select the account to use as the source for the Teams message.
Teams introduces the following changes to viewing and creating simulations as de
- On the **[Target users](attack-simulation-training-simulations.md#target-users)** page, the following settings are different for Teams: - As noted on the page, guest users in Teams are excluded from simulations.
- - If you select **Include only specific users and groups**, **City** is not an available filter in the **Filter users by category** section.
+ - If you select **Include only specific users and groups**, **City** isn't an available filter in the **Filter users by category** section.
Other settings related to simulations are the same for Teams messages as described in the existing content for email messages.
Whether you create a payload on the **Payloads** page of the **Content library**
- If you click ![Create a payload icon.](../../media/m365-cc-sc-create-icon.png) **Create a payload** on the **Tenant payload** tab to create a payload, the first page of the new payload wizard is **Select type** where you can select **Teams**. Selecting **Teams** introduces the following changes to the rest of the new payload wizard:
- - On the **[Select technique](attack-simulation-training-payloads.md#create-payloads)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques are not available for Teams.
+ - On the **[Select technique](attack-simulation-training-payloads.md#create-payloads)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques aren't available for Teams.
- The **Configure payload** page has the following changes for Teams: - **Sender details** section: The only available setting for Teams is **Chat topic** where you enter a tile for the Teams message.
- - The last big section is not named **Email message**, but it functions the same way for Teams messages as it does for email messages:
+ - The last section isn't named **Email message**, but it functions the same way for Teams messages as it does for email messages:
- There's an **Import Teams message** button to import an existing plain text message file to use as a starting point. - The **Dynamic tag** and **Phishing link** controls are available on the **Text** tab, and **Code** tab is available as with email messages.
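Review bot: in the unchanged **Sender details** line of this hunk, "enter a tile for the Teams message" looks like a typo for "title" and could be fixed in the same pass as the contraction edits. The other edit here drops "big" from "The last big section", which is fine, but the sentence still does not say what the section is called for Teams; naming it would make the step easier to follow.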
Teams introduces the following changes to viewing and creating simulation automa
- **Manually select**: This value is selected by default. In the **Select sender's Microsoft Teams account** section, click the **Select user account** to find and select the account to use as the source for the Teams message. - **Randomize**: Randomly select from the available accounts to use as the source for the Teams message.
- - On the **[Select social engineering techniques](attack-simulation-training-simulation-automations.md#select-one-or-more-social-engineering-techniques)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques are not available for Teams.
+ - On the **[Select social engineering techniques](attack-simulation-training-simulation-automations.md#select-one-or-more-social-engineering-techniques)** page, the **Malware Attachment** and **Link in Attachment** social engineering techniques aren't available for Teams.
- On the **[Select payloads and login page](attack-simulation-training-simulation-automations.md#select-payloads-and-login-pages)** page, no payloads are listed by default because there are no built-in payloads for Teams. You might need to create a payload for the combination of Teams and the social engineering techniques that you selected.
Teams introduces the following changes to viewing and creating simulation automa
- On the **[Target users](attack-simulation-training-simulation-automations.md#target-users)** page, the following settings are different for Teams: - As noted on the page, simulation automations that use Teams can target a maximum of 1000 users.
- - if you select **Include only specific users and groups**, **City** is not an available filter in the **Filter users by category** section.
+ - if you select **Include only specific users and groups**, **City** isn't an available filter in the **Filter users by category** section.
Other settings related to simulation automations are the same for Teams messages as described in the existing content for email messages.
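Review bot: the added **City** bullet still starts with a lowercase "if", while the matching bullet in the simulations article starts with "If". Capitalize it here so the two Target users lists read the same.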
security Mdo Support Teams About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-support-teams-about.md
Last updated 3/29/2023
- [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md) > [!NOTE]
-> This article lists new features in the latest release of Microsoft Defender for Office 365. These features are currently in preview.
+> This article lists new features in the latest release of Microsoft Defender for Office 365. These features are currently in preview. Once you run the cmdlet, please be aware that it will take a few days for the features to to be available.
With the increased use of collaboration tools like Microsoft Teams, the possibility of malicious attacks using URLs and messages has increased as well. Microsoft Defender for Office 365 already provides protection against malicious URLs in Teams through [Safe Links](safe-links-about.md), and now Microsoft is extending this protection with a new set of capabilities designed to disrupt the attack chain.
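Review bot: the sentence added to the preview note contains a doubled word ("to to be available") and refers to "the cmdlet" without naming it or linking to the step that introduces it, so a reader who starts at this note cannot tell which command the delay follows. Name the cmdlet or link to it, and tighten the wording, for example "After you run the cmdlet, allow a few days for the features to become available."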
security Submissions User Reported Messages Custom Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-user-reported-messages-custom-mailbox.md
When the toggle is **On** :::image type="icon" source="../../media/scc-toggle-on
- **Send the reported messages to** in the **Reported message destinations** section: Select one of the following options:
- - **Microsoft only**: User reported messages go directly to Microsoft for analysis. Only metadata from the user reported messages (for example, senders, recipients, reported by, and message details) is available on the **User reported** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>.
+ - **Microsoft only**: User reported messages go directly to Microsoft for analysis. These reports are available on the **User reported** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission?viewid=user>.
- **My reporting mailbox only**: User reported messages go only to the specified reporting mailbox for an admin or the security operations team to analyze.
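Review bot: the rewritten **Microsoft only** bullet drops the statement that only metadata (senders, recipients, reported by, and message details) is available on the **User reported** tab. If that limit still applies, keep it, because a security operations team choosing between this option and a reporting mailbox needs to know whether message content will be available for triage. If it no longer applies, say what is now visible rather than "These reports are available".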
syntex Annotations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/annotations.md
description: Learn how to use universal annotations to mark and collaborate on i
Use the annotations feature in Microsoft Syntex to add notes and comments to your content in document librariesΓÇöeither for yourself or for collaborating with others. You can use the annotations feature without modifying the original files, so the original records are preserved.
-Annotation tools currently include pen and highlighter, where can choose the colors you want to use, and an eraser for removing ink strokes and previous annotations. The feature is currently available only for .pdf and .tiff file types. More annotation tools and file types will be added in future releases.
+Annotation tools currently include pen and highlighter, where can choose the colors you want to use, and an eraser for removing ink strokes and previous annotations. The feature is currently available for .pdf, .tiff, .epub, and .ai file types. More annotation tools and file types will be added in future releases.
> [!NOTE] > This feature is available only for users who are licensed for Syntex.
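Review bot: the added line carries over the missing subject in "where can choose the colors you want to use"; it should read "where you can choose". Since the sentence is being touched anyway to extend the file-type list to .pdf, .tiff, .epub, and .ai, fix the grammar in the same change.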
syntex Site Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/site-templates.md
Title: Site templates for Microsoft Syntex
+ Title: Accelerate your solution using site templates for Microsoft Syntex
- enabler-strategic - m365initiative-syntex ms.localizationpriority: medium
-description: Learn how to use and customize the ready-to-use site templates for Microsoft Syntex.
+description: Learn how to use and customize the ready-to-use SharePoint site templates for Microsoft Syntex.
-# Site templates for Microsoft Syntex
+# Accelerate your solution using site templates for Microsoft Syntex
-SharePoint site templates for Microsoft Syntex are prebuilt, ready-to-deploy, and customizable. Use these templates to create a professional site to manage, process, and track the status of business documents in your organization.
+SharePoint site templates for Microsoft Syntex are prebuilt, ready-to-deploy, and customizable. Use these templates to jumpstart a professional site to manage, process, and track the status of business documents in your organization.
|Site template |Description | |||
syntex Use Content Center Site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/use-content-center-site.md
description: Learn how to provision and use the content center site template in
# Use the content center site template for Microsoft Syntex
+> [!NOTE]
+> The content center site template is provided in the SharePoint look book service, which is no longer being updated. Some of the information in the template might not reflect the current Syntex features.
+ The Microsoft Syntex content center site is a ready-to-deploy instructional SharePoint site template designed to help you better understand Syntex capabilities. You'll be introduced to the tools and information youΓÇÖll need to create and train your own models. You'll then be able to use this site as a central content repository or as the control center for managing your own Syntex models.
In this site, models can be trained and evaluated using your own content. Howeve
## Provision the site
-> [!NOTE]
-> The content center site template is provided in the SharePoint look book service, which is no longer being updated. Some of the information in the template might not reflect the current Syntex features.
- The content center site can be provisioned from the [SharePoint look book service](https://lookbook.microsoft.com/). ![Screenshot of the content center site template provisioning page.](../media/content-understanding/content-center-site-provisioning-page.png)