-1. Sign in to Microsoft 365 with your global admin account.

-2. In your browser, type: [https://protection.office.com](https://protection.office.com/).

-3. Go to **Data loss prevention** > **Device management** > **Device policies**, and select **Manage organization-wide device access settings**.

-After you've set it up, the people in your organization must enroll their devices in the service. For more info, see [Enroll your mobile device using Basic Mobility and Security](enroll-your-mobile-device.md). Then you can use Basic Mobility and Security to help manage devices in your organization. For example, you can use device security policies to help limit email access or other services, view devices reports, and remotely wipe a device. You'll typically go to the Security & Compliance Center to do these tasks. For more info, see [Microsoft Purview compliance portal](../../compliance/microsoft-365-compliance-center.md).

-4. On the **Send Link** page, leave the default selection **Anyone with the link can view and edit**.

- - Public meetings can be viewed and scheduled by anyone that has your Bookings in Outlook page link. You are in control of who you share that link with. All public meeting types will be visible to anyone that has your Bookings in Outlook page link.

- - Private meetings can only be viewed by people who have the link for that meeting type. The difference between public meetings and private meetings is private meetings can have different links and the links expire after 90 days. You can also set private links to expire after a one-time booking. When accessing the scheduling view for a private meeting, only that meeting type will be visible.

- **C**. If the value of **EwsApplicationAccessPolicy** is empty, all applications are allowed to access EWS and REST.

- Set-CASMailbox -Identity adam@contoso.com -EwsApplicationAccessPolicy  EnforceBlockList @{Add="MicrosoftOWSPersonalBookings"}

- **C**. If the value of EwsApplicationAccessPolicy is empty, all applications are allowed to access EWS and REST.

- - To turn off Bookings in Outlook for this user, set the **EnforceBlockList** policy and add **MicrosoftOWSPersonalBookings** to EWSBlockList by running the following command:

- Set-CASMailbox -Identity Adam -EwsApplicationAccessPolicyΓÇ» EnforceBlockList -EWSBlockList @{Add="MicrosoftOWSPersonalBookings"}

-> If you've been using Conditional Access policies, you'll need to turn them off before using security defaults. You can use either security defaults or Conditional Access policies, but you can't use both at the same time.

-> For more information about security defaults and the policies they enforce, see [What are security defaults?](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)

-1. Select the policy that you want to copy. Next, select **Duplicate** or select the ellipsis **(…)** to the right of the policy and select **Duplicate**.

-Make sure members of the organization use Microsoft Teams for all meetings. Teams meetings files include audio, video, and sharing, and because they're online, there is always a meeting space and there's no need for a room with a projector! Microsoft Teams meetings are a great way to come together with your staff both inside and outside of your organization.

-Using Teams, you don’t need to be a member of the organization or even have an account to join a meeting. You can schedule and run online meetings where you can share your screen, share files, assign tasks, and more. Political campaigns can include staff, volunteers, or guests that are outside your organization. You can easily meet with clients, staff or partners over Microsoft Teams, and in a secure and worry-free environment.

-2. In the left navigation pane of the Microsoft Purview compliance portal, select **eDiscovery** > **eDiscovery (Premium)**, and select the [**Cases**](https://go.microsoft.com/fwlink/p/?linkid=2173764) tab.

-After you've either modified the default template or created new branding templates, you can create Exchange mail flow rules to apply your custom branding based on certain conditions. Such a rule will apply custom branding in the following scenarios:

-For information on how to create an Exchange mail flow rule that applies encryption, see [Define mail flow rules to encrypt email messages in Office 365](define-mail-flow-rules-to-encrypt-email.md).

-7. From **Do the following**, select **Modify the message security** \> **Apply custom branding to OME messages**. Next, from the drop-down, select a branding template.

-8. (Optional) You can configure the mail flow rule to apply encryption and custom branding. From **Do the following**, select **Modify the message security**, and then choose **Apply Office 365 Message Encryption and rights protection**. Select an RMS template from the list, choose **Save**, and then choose **OK**.

- Choose **add action** if you want to specify another action.

-1. On the **Map RingCentral users to Microsoft 365 users** page, enable automatic user mapping. The RingCentral items include a property called *Email*, which contains email addresses for users in your organization. If the connector can associate this address with a Microsoft 365 user, the items are imported to that userΓÇÖs mailbox.

-Use a Veritas connector in the Microsoft Purview compliance portal to import and archive data from the Salesforce Chatter platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Salesforce Chatter](http://globanet.com/chatter/) connector that captures items from the third-party data source and imports those items to Microsoft 365. The connector converts the content such as chats, attachments, and posts from Salesforce Chatter to an email message format and then imports those items to the userΓÇÖs mailbox in Microsoft 365.

-Use a Veritas connector in the Microsoft Purview compliance portal to import and archive data from the Skype for Business platform to user mailboxes in your Microsoft 365 organization. Veritas provides a [Skype for Business](https://www.veritas.com/en/au/insights/merge1/skype-for-business) connector that is configured to capture items from the third-party data source (on a regular basis) and import those items to Microsoft 365. The connector converts the content such as messages between users, persistent chats, and conference messages from Skype for Business to an email message format and then imports those items to the userΓÇÖs mailbox in Microsoft 365.

-If you want people to use any of the [eDiscovery-related tools](ediscovery.md) in the Microsoft Purview compliance portal, you have to assign them the appropriate permissions. The easiest way to do this is to add the person the appropriate role group on the **Permissions** page in the compliance center. This topic describes the permissions required to perform eDiscovery tasks.

-

-Trying each solution will help you make informed decisions to meet your organizationΓÇÖs compliance needs.

-Easily and quickly start trying MicrosoftΓÇÖs compliance solutions without changing your organizationΓÇÖs meta data. Depending on your priorities, you can start with any of these solution areas to see immediate value. Below are five top organizational concerns as communicated by our customers and recommended solutions to start with.

-**Conduct investigations**

-### Step 1: [Apply the E5 license to each user for which youΓÇÖd like to generate E5 events](set-up-advanced-audit.md#step-1-set-up-audit-premium-for-users)

-### Step 2: [Create new Audit Log policies to specify how long to retain audit logs in your org for activities performed by users and define priority levels for your policiesΓÇï](audit-log-retention-policies.md#before-you-create-an-audit-log-retention-policy)

-1. [Create an audit log retention policyΓÇï](audit-log-retention-policies.md#create-an-audit-log-retention-policy)

-**Identify and act on code of conduct policy violations**

-### Step 2: [Enable the audit logΓÇï](communication-compliance-configure.md#step-2-required-enable-the-audit-log)

-**Manage your organizational compliance easily**

-### Step 3: [Scaling up: use advanced functionality to meet your custom needsΓÇï](compliance-manager-templates-create.md)

-**Govern at scale with automation**

-**Protect sensitive data**

-### Step 3: [Expand policies in scope or protectionΓÇï](dlp-learn-about-dlp.md#dlp-policy-configuration-overview)

-**Discover more with an end-to-end workflow**

-Take advantage of an end-to-end workflow for preserving, collecting, analyzing, and exporting content thatΓÇÖs responsive to your organizationΓÇÖs internal and external investigations. Legal teams can also manage the entire legal hold notification process by communicating with custodians involved in a case.

-**Discover, classify and protect your sensitive information**

-**Detect and remediate insider risks**

-**Manage high-value items for business, legal, or regulatory record-keeping requirements**

-### Step 2: Review content to approve before itΓÇÖs permanently deleted

-At the end of the retention period, users you specify (ΓÇ£reviewersΓÇ¥) can be notified to review the content and approve the permanent disposal action. This supports if a different action than deletion is more appropriate, such as assigning a different retention period to the content or suspending deletion for an audit.

-**Assess risks and efficiently respond**

-**Identify & prevent privacy risks**

-**WhatΓÇÖs included**: For a full list of Microsoft Purview solutions and features listed by product tier, view the [Feature Matrix](https://go.microsoft.com/fwlink/?linkid=2139145).

-**Microsoft Security Resources**: From antimalware to Zero Trust, get all the relevant resources for your organizationΓÇÖs security needs. [Visit Resources](/security/business/resources).

-4. The **Inactive mailboxes** page displays a list of inactive mailboxes. Select one to see details about that inactive mailbox. Details include how long it's been inactive, the Exchange identifier, when by whom it was put on hold.

-On the **Inactive mailboxes** page, select  **Export** to view or download a CSV file that contains additional information about the inactive mailboxes in your organization.

-Microsoft 365 provides baseline, volume-level encryption enabled through BitLocker and Distributed Key Manager (DKM). Microsoft 365 offers an added layer of encryption for your content. This content includes data from Exchange Online, Skype for Business, SharePoint Online, OneDrive for Business, and Microsoft Teams.

-All messages sent outbound from Exchange Online to MTA-STS protected recipients are being validated with these extra security checks set out by the MTA-STS standard. There's nothing admins need to do to apply it. Our outbound implementation respects the wishes of the recipient domain owners via their MTA-STS policy. MTA-STS forms part of the security infrastructure of Exchange Online, and itΓÇÖs therefore always on (like other core SMTP features).

-Once MTA-STS is set up for your domain, any messages sent from senders who support MTA-STS will perform the validations laid out by the standard to ensure a secure connection. If you're receiving an email from a sender who doesn't support MTA-STS, the email will still be delivered without the extra protection. Likewise, there's no disruption to messages if you aren't using MTA-STS yet but the sender supports it. The only scenario where messages arenΓÇÖt delivered is when both sides are using MTA-STS and MTA-STS validation fails.

-MTA-STS allows a domain to declare support for TLS and communicate the MX record and destination certificate to expect. It also indicates what a sending server should do if there’s a problem. This is done through a combination of a DNS TXT record and a policy file that’s published as an HTTPS web page. The HTTPS-protected policy introduces another security protection that attackers must overcome.

-`_mta-sts.contoso.com. 3600 IN  TXT v=STSv1; id=20220101000000Z;`

-A domain's MTA-STS policy needs to be located at a predefined URL thatΓÇÖs hosted by the domain's web infrastructure. The URL syntax is `https://mta-sts.<domain name>/.well-known/mta-sts.txt`. For example, Microsoft.com's policy is found at: https://mta-sts.microsoft.com/.well-known/mta-sts.txt.

-```

-Once the DNS TXT domain record is created and the policy file is available at the required HTTPS URL, the domain will be protected by MTA-STS. Details about MTA-STS are available inΓÇ»[RFC 8461](https://datatracker.ietf.org/doc/html/rfc8461).

-In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Solutions** > **Records management** > **File plan**.

-To export all retention labels: On the **File plan** page, click **Export**.

-1. On the **File plan** page, click **Import**:

-Certain attributes in Azure Active Directory can be used to segment users. Once segments are defined, those segments can be used as filters for information barrier policies. For example, you might use **Department** to define segments of users by department within your organization (assuming no single employee works for two departments at the same time).

-## How to use attributes in information barrier policies

-The attributes listed in this article can be used to define or edit segments of users. Your defined segments serve as parameters (called *UserGroupFilter* values) in [information barrier policies](information-barriers-policies.md).

-After you have [defined information barrier policies](information-barriers-policies.md), you may need to make changes to those policies or to your user segments, as part of [troubleshooting](/office365/troubleshoot/information-barriers/information-barriers-troubleshooting) or as regular maintenance.

-3. When you have finished editing segments for your organization, you can either [define](information-barriers-policies.md#step-3-define-information-barrier-policies) or [edit](#edit-a-policy) information barriers policies.

-3. When you have finished editing a policy, make sure to apply your changes. (See [Apply information barriers policies](information-barriers-policies.md#step-4-apply-information-barrier-policies).)

-This article describes how to configure information barrier (IB) policies in your organization. Several steps are involved, so make sure you review the entire process before you begin configuring IB policies.

-You must be familiar with [PowerShell cmdlets](/powershell/exchange/scc-powershell) in order to define, validate, or edit IB policies. Although we provide several examples of PowerShell cmdlets in this article, you'll need to know other details (such as parameter values) for your organization.

-When you define policies for IB, you'll work with several objects and concepts.

- > For **allow** policies, non-IB groups and users will not be visible to users included in IB segments and policies. If you need non-IB groups and users to be visible to users included in IB segments and policies, you must use **block** policies.

-## Configuration at a glance

-| **Step 1**: [Make sure prerequisites are met](#step-1-make-sure-prerequisites-are-met) | - Verify that you have the required subscriptions and permissions <br/>- Verify that your directory includes data for segmenting users<br/>- Enable [search by name for Microsoft Teams](/microsoftteams/teams-scoped-directory-search)<br/>- Make sure audit logging is turned on<br/>- Make sure no Exchange address book policies are in place<br/>- Use PowerShell (examples are provided)<br/>- Provide admin consent for Microsoft Teams (steps are included) |

-| **Step 3**: [Define information barrier policies](#step-3-define-information-barrier-policies) | - Define your policies (don't apply yet)<br/>- Choose from two kinds (block or allow) |

-| **Step 4**: [Apply information barrier policies](#step-4-apply-information-barrier-policies) | - Set policies to active status<br/>- Run the policy application<br/>- View policy status |

- - [Attributes for information barrier policies](information-barriers-attributes.md)

- - [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell)

- 1. Run the following PowerShell cmdlets:

- 1. When prompted, sign in using your work or school account for Office 365.

- 1. In the **Permissions requested** dialog box, review the information, and then choose **Accept**. The permissions requested by the App are given below.

- > [!div class="mx-imgBorder"]

- > 

-During this step, you determine what IB policies are needed, make a list of segments to define, and then define your segments.

-The next task is to define segments for your organization. Defining segments doesn't affect users, it just sets the stage for IB policies to be defined and then applied.

- | `New-OrganizationSegment -Name "segmentname" -UserGroupFilter "attribute -eq 'attributevalue'"` |`New-OrganizationSegment -Name "HR" -UserGroupFilter "Department -eq 'HR'"` <p>In this example, a segment called *HR* is defined using *HR*, a value in the *Department* attribute. The **-eq** portion of the cmdlet refers to "equals." (Alternately, you can use **-ne** to mean "not equals". See [Using "equals" and "not equals" in segment definitions](#using-equals-and-not-equals-in-segment-definitions).) |

-After you've defined your segments, proceed to [Step 3: Define information barrier policies](#step-3-define-information-barrier-policies).

-### Using "equals" and "not equals" in segment definitions

-In the following example, we're defining a segment such that "Department equals HR."

-## Step 3: Define information barrier policies

-Determine whether you need to prevent communications between certain segments or limit communications to certain segments. Ideally, you'll use the minimum number of IB policies to ensure your organization is compliant with internal, legal, and industry requirements.

-> **Make sure that as you define policies, you do not assign more than one policy to a segment**. For example, if you define one policy for a segment called *Sales*, do not define an additional policy for *Sales*.<p> In addition, as you define IB policies, make sure to set those policies to inactive status until you are ready to apply them. Defining (or editing) policies does not affect users until those policies are set to active status and then applied.

-For example, suppose you want to block communications between Segment A and Segment B. In this case, you define one policy preventing Segment A from communicating with Segment B, and then define a second policy to prevent Segment B from communicating with Segment A.

- - (After all your policies are defined) [Apply information barrier policies](#step-4-apply-information-barrier-policies)

- - (After all your policies are defined) [Apply information barrier policies](#step-4-apply-information-barrier-policies)

-## Step 4: Apply information barrier policies

-3. When you have finished setting your IB policies to active status, use the **Start-InformationBarrierPoliciesApplication** cmdlet in Security & Compliance Center PowerShell.

-| User accounts | Use the **Get-InformationBarrierRecipientStatus** cmdlet with Identity parameters. <p> Syntax: `Get-InformationBarrierRecipientStatus -Identity <value> -Identity2 <value>` <p> You can use any value that uniquely identifies each user, such as name, alias, distinguished name, canonical domain name, email address, or GUID. <p> Example: `Get-InformationBarrierRecipientStatus -Identity meganb -Identity2 alexw` <p> In this example, we refer to two user accounts in Office 365: *meganb* for *Megan*, and *alexw* for *Alex*. <p> (You can also use this cmdlet for a single user: `Get-InformationBarrierRecipientStatus -Identity <value>`) <p> This cmdlet returns information about users, such as attribute values and any information barrier policies that are applied.|

-| Information barrier policies | Use the **Get-InformationBarrierPolicy** cmdlet. <p> Syntax: `Get-InformationBarrierPolicy` <p> This cmdlet will display a list of information barrier policies that were defined, and their status. |

-| The most recent information barrier policy application | Use the **Get-InformationBarrierPoliciesApplicationStatus** cmdlet. <p> Syntax: `Get-InformationBarrierPoliciesApplicationStatus`<p> This cmdlet will display information about whether policy application completed, failed, or is in progress. |

-| All information barrier policy applications|Use `Get-InformationBarrierPoliciesApplicationStatus -All`<p> This cmdlet will display information about whether policy application completed, failed, or is in progress.|

-| **Implicit** | The IB policy or segments of the Microsoft 365 resource is inherited from the resource members IB policy. The owner can add members as long as they're compatible with the existing members of the resource. This is the default IB mode for Microsoft Teams. | The Sales segment user creates a Microsoft Teams team to collaborate with other compatible segments in the organization. |

-### Contoso's information barrier policies

-| **Policy 1: Prevent Sales from communicating with Research** | `New-InformationBarrierPolicy -Name "Sales-Research" -AssignedSegment "Sales" -SegmentsBlocked "Research" -State Inactive` <p> In this example, the information barrier policy is called *Sales-Research*. When this policy is active and applied, it will help prevent users who are in the Sales segment from communicating with users in the Research segment. This policy is a one-way policy; it won't prevent Research from communicating with Sales. For that, Policy 2 is needed. |

-| **Policy 2: Prevent Research from communicating with Sales** | `New-InformationBarrierPolicy -Name "Research-Sales" -AssignedSegment "Research" -SegmentsBlocked "Sales" -State Inactive` <p> In this example, the information barrier policy is called *Research-Sales*. When this policy is active and applied, it will help prevent users who are in the Research segment from communicating with users in the Sales segment. |

-Microsoft Purview Information Barriers is supported in Microsoft Teams, SharePoint Online, and OneDrive for Business. A compliance administrator or information barriers administrator can define policies to allow or prevent communications between groups of users in Microsoft Teams. Information barrier policies can be used for situations like these:

-Use the following steps to configure information barriers for your organization:

-4. Create and configure [information barrier policies](information-barriers-policies.md#step-3-define-information-barrier-policies)

-5. Apply [information barrier policies](information-barriers-policies.md#step-4-apply-information-barrier-policies)

- - [Disposition review](./disposition.md) to review the content before it's permanently deleted.

- - Automatically apply another retention label

-

- - The existing label is configured to automatically apply a different retention label at the end of the retention period.

- - The existing label was applied as a default label. When you use a default label, there are some scenarios when it can be replaced by another default label, or automatically removed.

-

- For more information about the label behavior when it's applied by using a default label:

- - Default label for SharePoint: [Label behavior when you use a default label for SharePoint](create-apply-retention-labels.md#label-behavior-when-you-use-a-default-label-for-sharepoint)

- - Default label for Outlook: [Applying a default retention label to an Outlook folder](create-apply-retention-labels.md#applying-a-default-retention-label-to-an-outlook-folder)

-**Example for users to override automatic deletion**

-**Example to retain items for longer**

-**Example to delete items in a shorter time period**

-**If you find single quote characters or commas inside a value**: for example the person's name Tom O'Neil or the city 'sΓÇæGravenhage which starts with an apostrophe character, you will need to modify the data export process used to generate the sensitive information table to surround such columns with double quotes.

-[Sensitive information types](sensitive-information-type-learn-about.md) are used to help identify sensitive items so that you can prevent them from being inadvertently or inappropriately shared, to help in locating relevant data in eDiscovery, and to apply governance actions to certain types of information. You define a custom sensitive information type (SIT) based on:

-EDM-based classification enables you to create custom sensitive information types that refer to exact values in a database of sensitive information. The database can be refreshed daily, and contain up to 100 million rows of data. So as employees, patients, or clients come and go, and records change, your custom sensitive information types remain current and applicable. And, you can use EDM-based classification with policies, such as [Microsoft Purview data loss prevention policies](dlp-learn-about-dlp.md) or [Microsoft Cloud App Security file policies](/cloud-app-security/data-protection-policies).

-

-You can use eDiscovery (Premium) and the Microsoft Graph Explorer to respond to data spillage incidents, when content containing confidential or malicious information is released through Teams chat messages.ΓÇï Admins in your organization can search for and delete chat messages in Microsoft Teams. This can help you remove sensitive information or inappropriate content in Teams chat messages. For more information, see [Search and purge chat messages in Teams](search-and-delete-Teams-chat-messages.md).

-After you [set up SharePoint Syntex](set-up-content-understanding.md), you can configure image tagging in the Microsoft 365 admin center.ΓÇ»

-[Overview of permissions in Microsoft 365 Lighthouse](m365-lighthouse-overview-of-permissions.md) (article)\

-[Manage your tenant list in Microsoft 365 Lighthouse](m365-lighthouse-manage-tenant-list.md) (article)

-1. In the Edge **Settings** window, select **Cookies and site permissions** > **Cookies and data stored** > **Manage and delete cookies and site data**.

-2. Turn on **Allow sites to save and read cookie data (recommended)**, and make sure that **Block third-party cookies** is turned off.

-1. In the Edge **Settings** window, select **Cookies and site permissions** > **Cookies and data stored** > **Manage and delete cookies and site data**.

-2. Under **Allow**, select **Add** to add the domain URL of the LMS platform.

-1. In the Chrome **Settings** window, on the **Privacy and security** tab, select **Cookies and other site data**.

-2. Under **Sites that can always use cookies**, select **Add**, and then select the **Including third-party cookies on this site** checkbox.

-1. In the Firefox **Settings** window, select the **Privacy & Security** tab.

-2. UnderΓÇ»**Cookies and Site Data**, selectΓÇ»**Manage Exceptions**.

-3. In the **Address of website** text box, enter the URL of the LMS platform.

-5. SelectΓÇ»**Save Changes**.

-1. SelectΓÇ»**Preferences**ΓÇ»>ΓÇ»**Privacy**.

-2. Clear the **Prevent cross-site tracking** checkbox.

-For general information on managing Microsoft OneLTI tools, see [Manage Microsoft OneLTI for any LMS](manage-microsoft-one-lti.md).

-description: Learn how to conduct key Microsoft OneLTI management tasks including viewing, deleting, editing, and troubleshooting.

-# Manage Microsoft OneLTI for any LMS

-Microsoft OneLTI integrates with several LMSs including Canvas, Blackboard, and Moodle.

-In this article, IT admins will find instructions on key OneLTI management tasks.

-1. Visit [Microsoft LTI Portal](https://lti.microsoft.com/).

-If you would like to delete a Microsoft OneLTI registration, follow the steps below.

-1. Visit [Microsoft LTI Portal](https://lti.microsoft.com/).

-Currently, we don't support editing an existing LTI registration after itΓÇÖs added.

-## Troubleshoot issues with OneLTI

-If you or your educators are experiencing issues with Microsoft OneLTI, here are some things you can do to troubleshoot.

-### Issues while launching an LTI tool from the LMS

-Educators might experience issues launching a Microsoft LTI tool in their LMS.

- - This issue happens when registration of the LTI tool wasn't completed or if the registration was deleted in the OneLTI admin portal.

- - The IT admin will need to complete registration of the LTI tool.

- - This issue happens when the details sent from the LMS in the tool launch request aren't aligned with the IMS LTI 1.3 specification.

-### Issues with signing in to the registration portal

-When signing in to the Microsoft LTI registration portal, you may have issues accessing the registration page or receive a sign-in error.

- - If you see the error message, "Your account doesnΓÇÖt have permission to access this page," then either:

- - The account doesn't belong to a registered tenant, or

- - The account doesn't belong to an educator or an admin.

- - You can also clear cookies and local storage for the LTI registration portal and `https://login.microsoftonline.com/`.

- - If you see the error message, ΓÇ£Authentication failed. Try again," the sign-in session may have expired.

- - You can also clear cookies and local storage for the LTI registration portal and `https://login.microsoftonline.com/`.

- - For all other errors, you'll see the error message, ΓÇ£Something went wrong. Try again later.ΓÇ¥

- - Select the **Go to registration portal** button to go back to the LTI registration portal.

-## Report problems with OneLTI

-To report any issues or submit feedback for Microsoft OneLTI, follow the steps below.

-1. In the Microsoft OneLTI registration portal, select the **question mark icon** in the page header.

-Moodle integration in Microsoft Teams is powered by the open source [Microsoft 365 Moodle plugins set](https://github.com/Microsoft/o365-moodle).

-1. Sign in to your Moodle server and navigate to **Site administration**.

-1. Select the **Plugins** tab then select **Install plugins**.

-1. From the **Install plugins from ZIP file** section, select **Choose a file**.

-1. Select **Upload a file** from the left navigation panel, browse for the file that you downloaded, and select **Upload this file**.

-1. Select **Site administration** from the left navigation panel to return to your admin dashboard.

-1. Scroll down to the **Local plugins** and select the **Microsoft 365 Integration** link.

->

-> * The PowerShell script is not updated with the latest configuration items, therefore, you must complete the configuration manually following the steps outlined on the Moodle [3.10.6 and 3.11.3](https://docs.moodle.org/311/en/Microsoft_365) release page.

->

-> * For more information on registering your Moodle instance manually, see [Register your Moodle instance as an application](https://docs.moodle.org/311/en/Microsoft_365#Register_Application_in_Azure_manually).

-1. To validate [cron](https://docs.moodle.org/310/en/Cron) tasks and to run them manually for the first time, navigate to **Site administration** > **Server** > **Tasks** > **Scheduled tasks**.

- > The Moodle [Cron](https://docs.moodle.org/311/en/Scheduled_tasks) runs according to the task schedule. The default schedule is once a day at 1:00 AM in your server's local time zone. However, the cron should run more frequently to keep everything in sync.

-1. Return to the site administration page.

-1. Configure the required settings to enable the Teams app integration.

- 1. To enable **OpenID Connect**, go to **Site administration** > **Plugins** > **Manage authentication**.

- 1. Find **OpenID Connect**, and select the eye icon if it's greyed out. Save changes.

- 1. To enable frame embedding, go to **Site administration** and select **HTTP Security** in the **Security** section.

- 1. Select the checkbox next to **Allow frame embedding**. Save changes.

- 1. To enable web services, which enable the Moodle API features, go to **Site administration** > **Advanced features**.

- 1. Ensure the checkbox next to **Enable web services** is selected. Save changes.

- 1. To enable the external services for Microsoft 365, go to **Site administration** > **Plugins**, and select **External services** in the **Web services** section.

- Γ£ö In the **Built-in services** section, find **Moodle Microsoft 365 Webservices**.

-

- Γ£ö Select **Edit** on the **Moodle Microsoft 365 Webservices** row.

-

- Γ£ö Select the eye icon if it's greyed out. Save changes.

-

- 1. Edit your authenticated user permissions to allow them to create web service tokens.

- Γ£ö Go to **Site administration**, **Users** tab, and find **Define roles** in the **Permissions** section.

-

- Γ£ö On the **Manage users** tab, find **Authenticated user** role, and select the edit icon.

-

- Γ£ö Scroll down and find the **Create a web service token** capability and select the **Allow** checkbox. Save changes.

-* [Moodle and Microsoft 365 3.10.6](https://docs.moodle.org/310/en/Microsoft_365).

-* [Moodle and Microsoft 365 3.11.3](https://docs.moodle.org/310/en/Microsoft_365).

-For details on managing all OneLTI tools for any LMS, see [Manage Microsoft OneLTI for any LMS](manage-microsoft-one-lti.md).

-1. Visit [Microsoft LTI Portal](https://lti.microsoft.com/) and select **Go to registration portal**.

-7. Open Moodle in another tab. Don't close the Microsoft LTI portal tab.

-14. Go back to the Microsoft LTI portal tab. Select **Next** to go to the **LMS provided registration keys** step.

-### Add Teams LTI tools to educators' Moodle courses

-If your subscription includes Intune, you can onboard Windows clients and other devices in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you have Intune as part of your subscription.

-9. You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold", or both. The driver must be allowed to be installed. To allow the installation, select **Open Security Preferences** or **Open System Preferences** > **Security & Privacy**, and then select **Allow**.

-If your subscription includes Microsoft Intune, you can onboard macOS devices in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). For example, if you have [Microsoft 365 Business Premium](../../business/index.yml), you have Intune as part of your subscription.

-| Device enrolllment manager (DEM) | Use this method for large-scale deployments and when there are multiple people in your organization who can help with enrollment setup. Someone with device enrollment manager (DEM) permissions can enroll up to 1,000 devices with a single Azure Active Directory account. This method uses the Company Portal app or Microsoft Intune app to enroll devices. You can't use a DEM account to enroll devices via Automated Device Enrollment.<br/><br/> See [Enroll devices in Intune by using a device enrollment manager account](/mem/intune/enrollment/device-enrollment-manager-enroll). |

-2. If you are using macOS 10.15 (Catalina) or later, grant Defender for Business consent to protect your device. Go to **System Preferences** > **Security & Privacy** > **Privacy** > **Full Disk Access**. Select the lock icon to make changes (bottom of the dialog box), and then select **Microsoft Defender for Business** (or **Defender for Endpoint**, if that's what you see).

-You'll need Microsoft Intune to onboard mobile devices, such as Android and iOS/iPadOS devices. If you have [Microsoft 365 Business Premium](../../business/index.yml), you have Intune.

-**LetΓÇÖs get started!**

-4. **[View and if necessary, edit your security policies](mdb-configure-security-settings.md)**. Defender for Business includes default security policies for next generation protection and firewall protection that can be applied to your companyΓÇÖs devices. These preconfigured security policies use recommended settings so you're protected as soon as your devices are onboarded to Defender for Business. And you still have the ability to edit policies or create new ones.

-In Microsoft Defender for Endpoint, admins can use the unified submissions feature to submit files and file hashes (SHAs) to Microsoft for review. The unified submissions experience is a one-stop shop for submitting emails, URLs, email attachments, and files in one, easy-to-use submission experience. Admins can use the Microsoft 365 Defender portal or the Microsoft Defender for Endpoint Alert page to submit suspicious files.

- - **Organization Management** or **Security Administrator** in the [Microsoft 365 Defender portal](../office-365-security/permissions-microsoft-365-security-center.md).

-1. Open Microsoft 365 Defender at <https://security.microsoft.com/>, click **Actions & submissions**, click **Submissions**, go to **Files** tab, and then select **Add new submission**.

- > 

-2. Use the **Submit items to Microsoft for review** flyout that appears to submit the **File** or **File hash**.

-3. In the **Select the submission type** box, select **File** or **File hash** from the drop-down list.

-4. When submitting a file, click **Browse files**. In the dialog that opens, find and select the file, and then click **Open**. Note that for **File hash** submissions, you'll either have to copy or type in the file hash.

-

- > 

-8. Click **Submit**.

-

-You can also submit a file or file hash directly from the list of alerts on the **Alerts** page.

-2. Select the alert you want to report. Note that you are submitting a file that is nestled within the alert.

- > 

-4. In the next flyout that opens, select the submission type.

- > 

-

- If you select **File Hash** as the submission type, choose the file hashes that are available from the drop-down. You can select multiple file hashes.

-

-5. Click **Submit**.

-**Deploy Defender for Endpoint on Android on Intune Company Portal - Device Administrator enrolled devices**

-

- 1. In the **Settings** page, go to the **Configuration settings** section and choose **ΓÇÿUse configuration designerΓÇÖ** in Configuration settings format.

-

- :::image type="content" alt-text="Image of selected configuration policies." source="images/listedconfigurations.png" lightbox="images/listedconfigurations.png":::

-

- :::image type="content" source="images/mda-properties.png" alt-text="The Edit option on the Properties page" lightbox="images/mda-properties.png":::

->[!NOTE]

->Microsoft Defender support in Personal profile in Android Enterprise (AE) in Bring-Your-Own-Device (BYOD) mode is now in public preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-With Microsoft defender support in Android personal profiles, user devices can be protected against phishing and malware attacks on a personal profile that could potentially compromise corporate resources on work profile.

-**Set up Microsoft Defender in Personal Profile**

-1. Enter **Name** and **Description** to uniquely identify the configuration policy. Select platform as **ΓÇÿAndroid EnterpriseΓÇÖ**, Profile type as **ΓÇÿPersonally-owned work profile onlyΓÇÖ** and Targeted app as **ΓÇÿMicrosoft DefenderΓÇÖ**.

-

-1. On the settings page, in **ΓÇÿConfiguration settings formatΓÇÖ**, select **ΓÇÿUse configuration designerΓÇÖ** and click on **Add**. From the list of configurations that are displayed, select **ΓÇÿMicrosoft Defender in Personal profileΓÇÖ**.

-**To complete onboarding a device**

-1. Install the Microsoft Defender application in a personal profile with a personal Google Play store account.

-2. Install the Company portal application on personal profile. No sign-in is required.

-3. When a user launches the application, they'll see the sign-in screen. **Login using corporate account only**.

-4. On a successful login, users will see the following screens:

- a. **EULA screen**: Presented only if the user has not consented already in the Work profile.

- b. **Notice screen**: Users need to provide consent on this screen to move forward with onboarding the application. This is required only during the first run of the app.

-5. Provide the required permissions to complete onboarding.

->[!NOTE]

->**Pre-requisite:**

- >1. The Company portal needs to be enabled on personal profile.

- >2. Microsoft Defender needs to be already installed and active in work profile.

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

- > If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-**Windows Server 2012 R2 and Windows Server 2016**

-**Windows Server Semi-Annual Enterprise Channel and Windows Server 2019**

->In order to be eligible to purchase Microsoft Defender for Endpoint Server SKU, you must have already purchased a combined minimum of any of the following, Windows E5/A5, Microsoft 365 E5/A5 or Microsoft 365 E5 Security subscription licenses. For more information on licensing, see the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering/MicrosoftDefenderforEndpointServer/all).

-3. Import the certificate to the Local Computer trusted ΓÇ£Intermediate Certification AuthoritiesΓÇ¥ store.

-**Prerequisites for Windows Server 2012 R2**

-**Prerequisites for Windows Server 2016**

-**Prerequisites for running with third-party security solutions**

-**Update package for Microsoft Defender for Endpoint on Windows Server 2012 R2 and 2016**

-If youΓÇÖre using Windows Server Update Services (WSUS) and/or Microsoft Endpoint Configuration Manager, this new "Microsoft Defender for Endpoint update for EDR Sensor" is available under the category "Microsoft Defender for Endpoint".

- >

-Use the following steps to download the packages:

-3. Select **Download installation package** and save the .msi file.

-

-In this step you will install the prevention and detection components required before onboarding your device to the Microsoft Defender for Endpoint cloud environment, to prepare the machine for onboarding. Ensure all [prerequisites](#prerequisites) have been met.

- > Microsoft Defender Antivirus will get installed and will be active unless you set it to passive mode.

-In the previous section, you downloaded an installation package. The installation package contains the installer for all Microsoft Defender for Endpoint components.

-Use the installation package from the previous step to install Microsoft Defender for Endpoint.

- ```

- >[!NOTE]

- >If you need to troubleshoot agent installation issues, add '-etl -log' to the install.ps1 script parameters.

- >The recommended execution policy setting is `Allsigned`. This requires importing the script's signing certificate into the Local Computer Trusted Publishers store if the script is running as SYSTEM on the endpoint.

-

- :::image type="content" source="images/atp-verify-passive-mode.png" alt-text="The passive mode verification result" lightbox="images/atp-verify-passive-mode.png":::

- >[!NOTE]

- >This verifcation step is only required if you're using Microsoft Defender Antivirus as your active antimalware solution.

- `sc.exe query Windefend`

- If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender Antivirus.

- `sc.exe query sense`

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-| where OnboardingStatus != "Onboarded"

-By invoking the **SeenBy** function, in your advanced hunting query, you can get detail on which onboarded device a discovered device was seen by. This information can help determine the network location of each discovered device and subsequently, help to identify it in the network. 

-| where OnboardingStatus != "Onboarded"

-| summarize arg_max(Timestamp, *) by DeviceId 

-| where isempty(MergedToDeviceId) 

-| limit 100

-| invoke SeenBy()

-| project DeviceId, DeviceName, DeviceType, SeenBy

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-

-{

-"@odata.context": " https://api.securitycenter.microsoft.com /api/$metadata#Collection(microsoft.windowsDefenderATP.api.AssetBaselineAssessment)",

-{

- "id": "0000682575d5d473e82ed4d8680425d152411251_9e1b90be-e83e-485b-a5ec-4a429412e734_1.1.1",

- "configurationId": "1.1.1",

- "deviceId": "0000682575d5d473242222425d152411251",

- "deviceName": " ComputerPII_365f5c0bb7202c163937dad3d017969b2d760eb4.DomainPII_29596 ",

- "profileId": "9e1b90be-e83e-485b-a5ec-4a429412e734",

- "osPlatform": "WindowsServer2019",

- "osVersion": "10.0.17763.2330",

- "rbacGroupId": 86,

- "rbacGroupName": "UnassignedGroup",

- "isApplicable": true,

- "isCompliant": false,

- "dataCollectionTimeOffset": "2021-12-22T00:08:02.478Z",

- "recommendedValue":ΓÇ»[

-                 "Greater than or equal '24'"

-             ],

-             "currentValue": [

-                 "24"

-             ],

-             "source": [

-                 "password_hist_len"

-             ],

-{

-    "@odata.context": "https://api.securitycenter. contoso.com/api/$metadata#microsoft.windowsDefenderATP.api.ExportFilesResponse",

-    "exportFiles": 

- [

-    "https://tvmexportexternalstgeus.blob.core.windows.net/temp-1ebd3d09-d06a-4aad-ab80-ebc536cec61c/2021-12-22/0500/BaselineAssessmentExport/json/OrgId= OrgId=<Org Id>/_RbacGroupId=<Rbac Group Id>/part-00000-c09dfd00-2278-4735-b23a-71733751fcbc.c000.json.gz?sv=ABCD",

-   "https://tvmexportexternalstgeus.blob.core.windows.net/temp-1ebd3d09-d06a-4aad-ab80-ebc536cec61c/2021-12-22/0500/BaselineAssessmentExport/json/OrgId=<Org Id>/_RbacGroupId=<Rbac Group Id>/part-00001-c09dfd00-2278-4735-b23a-71733751fcbc.c000.json.gz?sv= ABCD",

-    ],

-    "generatedTime": "2021-01-11T11:01:00Z"

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

- - `$filter` on:  `id`,  `category`,  `name`, `CCE`

- - `$top` with max value of 10,000

-GET /api/baselineConfigurationsΓÇ»

-If successful, this method returns 200 OK with the list of baseline configurations in the body.ΓÇ»

-{ΓÇ»

-    "@odata.context": " https://api-df.securitycenter.microsoft.com/api/$metadata#BaselineConfigurations ", 

-    "value": [ 

-        { 

-            "id": "1.1.8", 

-            "name": "(L1) Ensure 'Allow importing of payment info' is set to 'Disabled'", 

-            "description": "<p xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">This policy setting controls whether users are able to import payment information from another browser into Microsoft Edge as well as whether payment information is imported on first use.</p>", 

-            "category": "Microsoft Edge", 

-            "complianceLevels": [ 

-                "Level 1 (L1) - Corporate/Enterprise Environment (general use)", 

-                "Level 2 (L2) - High Security/Sensitive Data Environment (limited functionality)" 

-            ], 

-            "cce": "", 

-            "rationale": "<p xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">Having payment information automatically imported or allowing users to import payment data from another browser into Microsoft Edge could allow for sensitive data to be imported into Edge.</p>", 

-            "remediation": "<div xmlns:xhtml=\"http://www.w3.org/1999/xhtml\">\r\n  <p>\r\n    <p>\r\nTo establish the recommended configuration via GP, set the following UI path to                 <span class=\"inline_block\">Disabled</span></p>\r\n    <code class=\"code_block\">Computer Configuration\\Policies\\Administrative Templates\\Microsoft Edge\\Allow importing of payment info\r\n</code>\r\n    <p>\r\n      <strong>Note:</strong>\r\n This Group Policy path may not exist by default. It is provided by the Group Policy template                 <span class=\"inline_block\">MSEdge.admx/adml</span>\r\n that can be downloaded from Microsoft                 <a href=\"https://www.microsoft.com/en-us/edge/business/download\">here</a>\r\n.              </p>\r\n    <p class=\"bold\">Impact:</p>\r\n    <p>\r\n      <p>Users will be unable to perform a payment information import from other browsers into Microsoft Edge.</p>\r\n    </p>\r\n  </p>\r\n</div>", 

-            "benchmarkName": "CIS" 

-"recommendedValue":ΓÇ»[

-                "Equals '0'"

-            ],

-            "source": [

-                "hkey_local_machine\\software\\policies\\microsoft\\windows\\eventlog\\security\\retention"

-            ]

-        }, 

-    ] 

-}ΓÇ»

-

-This API retrieves a list of all security baselines assessment profiles created by the organization.ΓÇ»

- - $filter on : id,name, operatingSystem, operatingSystemVersion, status, settingsNumber, passedDevices, totalDevices 

- - $top with max value of 10,000. 

-GET https://api.securitycenter.microsoft.com/api/baselineProfilesΓÇ»

-{ΓÇ»

-    "@odata.context": "https:// api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicBaselineProfileDto)", 

-    "value": 

- [ΓÇ»

-        { 

-            "id": "02bcbb9d-d197-479e-811e-1cd5a6f9f8fa", 

-            "name": "Windows 10 build 1909 CIS profile", 

-            "description": "important", 

-            "benchmark": "CIS", 

-            "version": "1.0.0", 

-            "operatingSystem": "Windows 10", 

-            "operatingSystemVersion": "1909", 

-            "status": true, 

-            "complianceLevel": "Level 1 (L1) - Corporate/Enterprise Environment (general use)", 

-            "settingsNumber": 51, 

-            "createdBy": "user@org.net", 

-            "lastUpdatedBy": null, 

-            "createdOnTimestampUTC": "0001-01-01T00:00:00Z", 

-            "lastUpdateTimestampUTC": "0001-01-01T00:00:00Z", 

-            "passedDevices": 0, 

-            "totalDevices": 10 

-        } 

-     ] 

-}ΓÇ»

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-Security intelligence updates are also delivered multiple times a day, but this package doesnΓÇÖt contain an engine.

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-In its initial form, ransomware is a commodity threat, pre-programmed and focused on limited, specific outcomes (for example, encrypting a computer). However, ransomware has evolved into a sophisticated threat that is human driven, adaptive, and focused on larger scale and more widespread outcomes; like holding an entire organizationΓÇÖs assets or data for ransom.

-One of the most common post-exploitation frameworks used in human-operated ransomware attacks is CobaltStrike. Threat Intelligence teams across Microsoft track _Tactics, Techniques, and Procedures_ (TTPs) on multiple activity groups that deploy ransomware to identify patterns of behavior that can be used to defend against specific strategies and threat vectors used by malicious actors. These ransomware activity groups all, at some point in the attack life cycle, involve deploying a CobaltStrike Beacon to a victimΓÇÖs computer to enable hands-on keyboard activity.

-CobaltStrike enables customization of multiple aspects of the attack, from the ability to host multiple listeners responding to different protocols, to how the main client-side component (Beacon) should perform code injection and run post exploitation jobs. When Microsoft Defender detects CobaltStrike, it can intelligently find and collect key indicators of compromise (IoC). Once captured, these indicators are shared throughout MicrosoftΓÇÖs product stack for detection and protection purposes.

-Microsoft DefenderΓÇÖs command and control detection isn't limited to CobaltStrike. Microsoft Defender can capture key IoCs of multiple malware families. The indicators are shared across the Microsoft protection stack to protect customers and alert them if there's a compromise.

-A new feature in Microsoft Defender for Endpoint Indicators enables administrators to allow end users to bypass ΓÇ£WarningsΓÇ¥ generated for some URLs and IPs. Depending on why the URL was blocked, when a Smart Screen block is encountered it may offer administrators the ability to unblock the site for up to 24 hours. In such cases, a Windows Security toast notification will appear, permitting the end-user to **Unblock** the URL or IP for the defined period of time.

-You can enable Network Protection in **Audit** mode or **Block** mode. If you want to evaluate the impact of enabling Network Protection before blocking IPΓÇÖs or URLs, you can enable it in Audit mode for a period of time to gather data on what would be blocked. Audit mode logs when end users have connected to an address or site that would otherwise have been blocked by network protection.

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-# Protect macOS security settings with tamper protection

-Tamper protection in macOS helps prevent unwanted changes to security settings from being made by unauthorized users. Tamper protection helps prevent unauthorized removal of Microsoft Defender for Endpoint on macOS. This capability also helps important security files, processes, and configuration settings from being tampered.

-You can set tamper protection in the following modes: 

-

- Topic | Description

-:|:

-Disabled  | Tamper protection is completely off (this is the default mode after installation) 

-Audit  | Tampering operations are logged, but not blocked 

-Block  | Tamper protection is on, tampering operations are blocked 

-When tamper protection is set to audit or block mode, you can expect the following outcomes:

-**Audit mode** 

-**Block mode**

-Here is an example of a system message in response to a blocked action: 

-You can configure the tamper protection mode by providing the mode name as enforcement-level.

->[!NOTE]

->- The mode change will apply immediately. You donΓÇÖt need to change the feature flag nor restart Microsoft Defender for Endpoint.

->- If you used JAMF during the initial configuration, then you'll need to update the configuration using JAMF as well.

-**Highly recommended settings:** 

- 

-There are several ways you can configure tamper protection: 

- 

-Verify that "tamper_protection" is set to "disabled".  

-1. Use the following command: 

- ``` 

- sudo mdatp config tamper-protection enforcement-level --value block

- ```

- 

- >[!NOTE]

- > If you use manual configuration to enable tamper protection, you can also disable tamper protection manually at any time. For example, you can revoke Full Disk Access from Defender in System Preferences manually. You must use MDM instead of manual configuration to prevent a local admin from doing that.

-2. Verify the result. 

-Notice that the "tamper_protection" is now set to "block". 

- 

->[!NOTE]

->If you already have a configuration profile for Microsoft Defender for Endpoint then you need to *add* settings to it. You don’t need to create a second configuration profile. 

- 

-Follow the documented Intune profile example to configure tamper protection through Intune. For more information, see [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md). 

->[!NOTE]

->For Intune configuration, you can create a new profile configuration file to add the Tamper protection configuration, or you can add these parameters to the existing one.

-                 

-Check the tamper protection status by running the following command:

- 

- 

-The result will show "block" if tamper protection is on: 

-You can also run full `mdatp health` and look for the "tamper_protection" in the output: 

-## Verify tamper protection preventive capabilities  

- 

- 

- 

-### Verify block mode and audit modes 

- 

-### DIY scenarios 

- - /Applications/Microsoft Defender ATP.app/ 

- - /Library/LaunchDaemons/com.microsoft.fresno.plist 

- - /Library/LaunchDaemons/com.microsoft.fresno.uninstall.plist 

- - /Library/LaunchAgents/com.microsoft.wdav.tray.plist 

- - /Library/Managed Preferences/com.microsoft.wdav.ext.plist 

- - /Library/Managed Preferences/mdatp_managed.json 

- - /Library/Managed Preferences/com.microsoft.wdav.atp.plist 

- - /Library/Managed Preferences/com.microsoft.wdav.atp.offboarding.plist 

- - /usr/local/bin/mdatp 

- 

-## Turning off tamper protection 

-You can turn off tamper protection using any of the following methods.  

-`sudo mdatp config tamper-protection enforcement-level ΓÇô ΓÇôvalue disabled`

- 

-### Intune

-```

-## Troubleshooting configuration issues

-### Issue: Tamper protection is reported as disabled 

-If running the command `mdatp health` reports that the tamper protection is disabled, even if you enabled it and more than an hour has passed since the onboarding, then you can check if you have the right configuration by running the following command: 

- 

-$ sudo grep -F '\[{tamperProtection}\]: Feature state:' /Library/Logs/Microsoftmdatpmicrosoft_defender_core.log \| tail -n 1 

-\[85246\]\[2021-12-08 15:45:34.184781 UTC\]\[info\]: \[{tamperProtection}\]: Feature state: enabledmode: "block" 

- 

-The mode must be "block" (or "audit"). If it is not, then you haven’t set the tamper protection mode either through `mdatp config` command or through Intune. 

- 

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-If youΓÇÖre looking for Antivirus-related information for other platforms, see:

-The Log4Shell vulnerability is a remote code execution (RCE) vulnerability found in the Apache Log4j 2 logging library. As Apache Log4j 2 is commonly used by many software applications and online services, it represents a complex and high-risk situation for companies across the globe. Referred to as “Log4Shell” ([CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046) ) it introduces a new attack vector that attackers can exploit to extract data and deploy ransomware in an organization.

-> Refer to the blogs [Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability and](https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/) [Microsoft Security Response Center](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/) for guidance and technical information about the vulnerability and product specific mitigation recommendations to protect your organization.

- - searches for the JndiLookup.class file inside the JAR file by looking for paths that contain the string ΓÇ£/log4j/core/lookup/JndiLookup.classΓÇ¥ - if the JndiLookup.class file exists, threat and vulnerability management determines if this JAR contains a Log4j file with the version defined in pom.properties.

-1. In the Microsoft 365 Defender portal, go to **Vulnerability management** > **Dashboard** > **Threat awareness:**

-2. Select **View vulnerability details** to see the consolidated view of your organizational exposure.

-You can choose to apply the mitigation to all exposed devices or select specific onboarded devices. To complete the process and apply the mitigation on devices, select **Create mitigation action**.

-| Partially mitigated | _Linux + macOS_: Although mitigation action was applied on device, not all running processes have LOG4J_FORMAT_MSG_NO_LOOKUPS=true in its environment variables. |

-|Unknown | The mitigation status couldnΓÇÖt be determined at this time. |

- - */Library/LaunchDaemons/*

- - */Library/LaunchAgents/*

- - */Users/\[username\]/Library/LaunchAgents/ - for all users*

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-> If youΓÇÖre looking for Antivirus related information for other platforms, see:

-## Asset discovery & inventoryΓÇï

-Defender Vulnerability Management built-in and agentless scanners continuously monitor and detect risk in your organization even when devices arenΓÇÖt connected to the corporate network.

-A single inventory with a real-time consolidated view of your organization's software applications, digital certificates, network shares, and browser extensions helps you discover and assess all your organizationΓÇÖs assets.

-View information on extension permissions and associated risk levels, identify certificates before they expire, detect potential vulnerabilities due to weak signature algorithms, and assess misconfigurations in internal network shares.ΓÇï

-Understand and assess your cyber exposure with advanced vulnerability and configuration assessment toolsΓÇï.

-Defender Vulnerability Management leverage MicrosoftΓÇÖs threat intelligence, breach likelihood predictions, business contexts, and device assessments to quickly prioritize the biggest vulnerabilities in your organization. A single view of prioritized recommendations from multiple security feeds, along with critical details including related CVEs and exposed devices helps you quickly remediate the biggest vulnerabilities on your most critical assets. Risk-based intelligent prioritization:

-## Remediation and tracking ΓÇï

-<br>

-****

-|[**Inventories**](tvm-software-inventory.md)|Discover and assess all your organizationΓÇÖs assets in a single view.|

-While taking the remediation steps suggested by a security recommendation, security admins with the proper permissions can perform a mitigation action and block vulnerable versions of an application. File indicators of compromise (IOC)s will be created for each of the executable files that belong to vulnerable versions of that application. Microsoft Defender Antivirus then enforces blocks on the devices that are in the specified scope.  

-For both actions, you can customize the message the users will see. For example, you can encourage them to install the latest version.  

-> [!Note]

-> The block and warn actions are typically enforced within a couple of minutes but can take up to 3 hours.  

-## Minimum requirements  

-## Version requirements  

-## Permissions  

-## How to block vulnerable applications  

-7. Under **Mitigation action**, select **Block** or **Warn**. Once you submit a mitigation action, it will be immediately applied.  

-8. Review the selections you made and **Submit request**. On the final page you can choose to go directly to the remediation page to view the progress of remediation activities and see the list of blocked applications.

-> Based on the available data, the block action will take effect on endpoints in the organization that have Microsoft Defender Antivirus. Microsoft Defender for Endpoint will make a best attempt effort of blocking the applicable vulnerable application or version from running.  

-If you don't see the mitigation option while requesting a remediation, it's because the ability to block the application is currently not supported. Recommendations that don't include mitigation actions include:  

-If you try to block an application and it doesn't work, you may have reached the maximum indicator capacity. If this is the case, you can delete old indicators [Learn more about indicators](../defender-endpoint/manage-indicators.md).  

-  

-## View remediation activities  

-Filter by Mitigation type: Block and/or Warn to view all activities pertaining to block or warn actions.  

-## View blocked applications  

-Select a blocked application to view a flyout with details about the number of vulnerabilities, whether exploits are available, blocked versions, and remediation activities.  

-> [!Note]

-> If you use the Indicators API with programmatic indicator queries as part of your workflows, be aware that the block action will give additional results.ΓÇ»

-## Unblock applications  

-Select a blocked application to view the option to **Unblock software** in the flyout.  

-For applications where the warn mitigation option was applied, users will receive a message informing them that the application has been blocked by their organization, but the user has the option to bypass the block for subsequent launches, by choosing ΓÇ£AllowΓÇ¥. This allow is only temporary, and the application will be blocked again after a while.

-> [!Note]

-## End-user updating blocked applications  

-A commonly asked question is how does an end-user update a blocked application? The block is enforced by blocking the executable file. Some applications, such as Firefox, rely on a separate update executable which, will not be blocked by this feature.ΓÇ» In other cases when the application requires the main executable file to update, it is recommended to either implement the block in warn mode (so that the end-user can bypass the block) or the end-user can delete the application (if no vital information is stored on the client) and reinstalls the application.

-The **Browser extensions** page displays a list of the browser extensions installed across different browsers in your organization. For each installed extension, you can see the devices itΓÇÖs installed on and if itΓÇÖs turned on or off on these devices. The information available will not only help you learn about the installed extensions, but it can help you make decisions on how you would like to manage the extensions.

-1. Go to **Vulnerability management** > **Software inventory** in the [Microsoft 365 Defender portal](https://security.microsoft.com).

-The **Browser extensions** page opens with a list of the browser extensions installed across your organization, including details on the extension name, browser, the number of devices the extension is installed on, and the number that have it turned on.

-You can use the Browser filter to view the relevant list of extensions for a particular browser.  

-The **Requested permissions** and **Permissions risk** columns provide more specific information on the number of permissions requested by the extension, and the permissions risk level based on the type of access to devices or sites it requested.  

-Select the **Permissions** tab, from the browser extension flyout pane, to see information on the permissions the browser extension needs to run, and whether this permission is optional or not.  

->Risk is subjective, and itΓÇÖs up to each organization to determine the types of risk they are willing to take on.

-### View installed devices  

-1. Select the device from the **Installed devices** tab in the flyout panel and select **Open device page** or select the device directly from the **Device inventory** page.

-The **Certificate inventory** allows you view a list of the certificates installed across your organization in a single central certificate inventory page. This can help you:  

-The **Certificate inventory** page opens with a list of the certificates installed across your organization, including details on the expiration date, key size, who issued the certificate, and the number of instances.

-At the top of the page, you can view the number of certificates that have been identified as potentially less secure and introduce risk into your organization. This includes the number of certificates that:  

-You can select the **Issuing details** tab to see information on who the certificate was issued to and who it was issued by.  

-1. Select the device from the **Installed devices** tab in the flyout panel or select the device directly from the **Device inventory** page.

-See how many certificates have expired or are due to expire in the next 30, 60 or 90 days from the **Expiring certificates** widget available in the vulnerability management dashboard.  

-  :::image type="content" source="../../media/defender-vulnerability-management/certificate_dashboard.png" alt-text="Screenshot of the certificate dashboard widget" lightbox="../../media/defender-vulnerability-management/certificate_dashboard.png":::

-By selecting a configuration in the list, youΓÇÖll see a flyout with details for the policy setting, including the recommended value (the expected value range for a device to be considered compliant) and the source used to determine the current device settings.

-By selecting a device in the list, you’ll see a flyout with additional details.  

-By selecting a configuration in the list, youΓÇÖll see a flyout with compliance details for the policy setting on this device.

-If you havenΓÇÖt done so yet, you can apply for Defender Experts for Hunting:

-1. Click [**Apply**](https://aka.ms/expandedMTEprev). Only the global administrators can register and complete the application process. If youΓÇÖre not a global administrator, contact your global administrator to fill out the application form.

-1. In the application acceptance email that youΓÇÖve received, click **Register**. This opens the sign-in dialog box to your Microsoft 365 account.

-2. Ask your global administrator to register your company (the link will be provided in the email youΓÇÖll get). Sign in. The **Settings** page opens.

-In case you change your mind and donΓÇÖt want to continue with the Defender Experts for Hunting preview, you can follow the steps to [cancel a self-service subscription](../../commerce/subscriptions/manage-self-service-purchases-admins.md#cancel-a-self-service-purchase-subscription).

- |Priority|Email protection|Category|Where to manage|

- |||||

- > If a user is defined in multiple policies of the same type, only the policy with the highest priority is applied to them. Any remaining policies of that type are not evaluated for the user (including the default policy).

-For example, consider the following anti-phishing policies in Microsoft Defender for Office 365 **that apply to the same users**, and a message that's identified as both user impersonation and spoofing:

-|||||

-1. The message is marked and treated as spoof, because spoofing has a higher priority (4) than user impersonation (5).

-2. Policy A is applied to the users because it has a higher priority than Policy B.

-3. Based on the settings in Policy A, no action is taken on the message, because anti-spoofing is turned off in the policy.

-4. Policy processing stops, so Policy B is never applied to the users.

-Because it's possible that the same users are intentionally or unintentionally included in multiple custom policies of the same type, use the following design guidelines for custom policies:

-If an inbound connector is detected as potentially compromised, it is restricted from sending any relaying email. The connector is then added to the **Restricted entities** page in the Microsoft 365 Defender portal. When the connector is used to send email, the message is returned in a non-delivery report (also known as an NDR or bounced message) with the error code 550;5.7.711 and the following text:

-> Your message couldnΓÇÖt be delivered. The most common reason for this is that your organizationΓÇÖs email connector is suspected of sending spam or phish and itΓÇÖs no

-> longer allowed to send email. Contact your email admin for assistance.

-> Remote Server returned '550;5.7.711 Access denied, bad inbound connector. AS(2204).'

-Admins can remove connectors from the Restricted entities page in Microsoft 365 Defender or in Exchange Online PowerShell.

-There are 2 types of restricted entities:

- - If **Sender IP** matches with your organizationΓÇÖs on-prem IP address.