Updates from: 05/21/2021 03:05:28
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Guest Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-guest-users.md
search.appverid:
- BCS160 - MET150 - MOE150
-description: "Learn how the Guest users list is populated in the Microsoft 365 admin center."
+description: "Learn how to create a team with guests in the Microsoft 365 admin center and how to join a team as a guest."
# Guest users in Microsoft 365 admin center
Once a user shows up in the **Guest users** list, you can remove their access th
To view guest users, in the Microsoft 365 admin center, in the left nav, expand **Users**, and then choose **Guest users**.
-## Add guests to Teams
+## Watch: Create a team with guests
To see how to add a guest to Teams, see the following video: <br><br> > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FQMp]
-## Join a team as a guest
+## Watch: Join a team as a guest
To join a team as a guest, see the following video:<br><br>
After a user is added to the **Guest users** list, they can be [added to Groups]
See [add guests in bulk](/azure/active-directory/b2b/tutorial-bulk-invite) to invite multiple guests to collaborate with your organization. - ## Remove a guest 1. In the Microsoft 365 admin center, expand **Users** and then choose **Guest users**. 1. On the **Guest users** page, choose the user you want to remove and then choose **Delete a user**.
-To remove users in the Azure AD portal, see [remove a guest user and resources](/azure/active-directory/b2b/b2b-quickstart-add-guest-users-portal#clean-up-resources).
+To remove users in the Azure AD portal, see [remove a guest user and resources](/azure/active-directory/b2b/b2b-quickstart-add-guest-users-portal#clean-up-resources).
+
+## Related content
+
+[Manage guest access in Microsoft 365 groups](../create-groups/manage-guest-access-in-groups.md) (article)\
+[Prevent guests from being added to a specific Microsoft 365 group or Microsoft Teams team](../../solutions/per-group-guest-access.md)
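Review bot: The new `description` covers only the two video sections ("create a team with guests" and "join a team as a guest"), while the title is still "Guest users in Microsoft 365 admin center" and the body still explains how to view the Guest users list and remove a guest. Suggest a description that also mentions viewing and removing guest users. In the added Related content list, the second link has no "(article)" label, unlike the first.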
admin Delete A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/delete-a-user.md
search.appverid: - MET150 ms.assetid: d5155593-3bac-4d8d-9d8b-f4513a81479e
-description: "Learn how to delete a user account. Decide what to do with the user's email and OneDrive content. And decide whether to keep the product license or stop paying for it."
+description: "Learn how to delete a user account and what to do with the user's email and OneDrive content and whether to keep the product license."
# Delete a user from your organization **Looking for how to delete your *own* Microsoft 365 user account that you use at work or school? Contact the technical support at your work or university to do these steps for you.**
-## What you need to know about deleting users
+## Before you begin
- Only people who have [Microsoft 365 global admin](about-admin-roles.md) or User management permissions for the business or school can delete user accounts. - You have 30 days to [restore](restore-user.md) the account before the user's data is permanently deleted.
Here are the most common issues people encounter when deleting a user:
**Do you want to delete Microsoft 365 from your computer? Go to [Cancel your subscription](../../commerce/subscriptions/cancel-your-subscription.md).**
-## Related articles
+## Related content
-[Restore a user](restore-user.md)
+[Restore a user](restore-user.md) (article)
-[Permanently delete a mailbox](/exchange/permanently-delete-a-mailbox-exchange-2013-help)
+[Permanently delete a mailbox](/exchange/permanently-delete-a-mailbox-exchange-2013-help) (article)
-[Remove a former employee from Office 365](remove-former-employee.md)
+[Remove a former employee from Office 365](remove-former-employee.md) (article)
-[Add a new employee to Office 365](add-new-employee.md)
+[Add a new employee to Office 365](add-new-employee.md) (article)
-[Delete a User Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753730(v=ws.11)): Use these instructions if your business uses **Active Directory** that is synchronizing with Azure AD. You can't do it through Office 365.
+[Delete a User Account](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753730(v=ws.11)): Use these instructions if your business uses **Active Directory** that is synchronizing with Azure AD. You can't do it through Office 365. (article)
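Review bot: In the last Related content entry, "(article)" is appended after the explanatory sentences ("You can't do it through Office 365. (article)") rather than after the link, so the label reads as part of the note about Active Directory synchronization. Suggest placing it directly after the link, before the colon, to match the other four entries.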
admin Set Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/set-up.md
- AdminSurgePortfolio search.appverid: - MET150
-description: "Set up Basic Mobility and Security to secure and manage your users' mobile devices ."
+description: "Set up Basic Mobility and Security to secure and manage your users' mobile devices by performing actions such as remotely wiping a device."
# Set up Basic Mobility and Security
After you've created and deployed a mobile device management policy, each licens
Users with Android or iOS devices are required to install the Company Portal app as part of the enrollment process.
-## Related Topics
+## Related content
-[Capabilities of Basic Mobility and Security](capabilities.md)<br/>
-[Create device security policies in Basic Mobility and Security](create-device-security-policies.md)
+[Capabilities of Basic Mobility and Security](capabilities.md) (article)
+
+[Create device security policies in Basic Mobility and Security](create-device-security-policies.md) (article)
admin Add Or Remove Members From Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/add-or-remove-members-from-groups.md
By default, the person who created the group is the group owner. Often a group w
- [Assign a new owner to an orphaned group](https://support.microsoft.com/office/86bb3db6-8857-45d1-95c8-f6d540e45732)
-## Articles about managing groups
+## Related content
-- [Upgrade distribution lists to Microsoft 365 groups in Outlook](../manage/upgrade-distribution-lists.md)
+[Upgrade distribution lists to Microsoft 365 groups in Outlook](../manage/upgrade-distribution-lists.md) (article)
-- [Why you should upgrade your distribution lists to groups in Outlook](https://support.microsoft.com/office/7fb3d880-593b-4909-aafa-950dd50ce188)
+[Why you should upgrade your distribution lists to groups in Outlook](https://support.microsoft.com/office/7fb3d880-593b-4909-aafa-950dd50ce188) (article)
-- [Manage guest access in Microsoft 365 groups](manage-guest-access-in-groups.md)
+[Manage guest access in Microsoft 365 groups](manage-guest-access-in-groups.md) (article)
-- [Manage Microsoft 365 groups with PowerShell](../../enterprise/manage-microsoft-365-groups-with-powershell.md): this article introduces you to key cmdlets and provides examples
+[Manage Microsoft 365 groups with PowerShell](../../enterprise/manage-microsoft-365-groups-with-powershell.md): this article introduces you to key cmdlets and provides examples (article)
-- [Microsoft 365 groups naming policy](../../solutions/groups-naming-policy.md)
+[Microsoft 365 groups naming policy](../../solutions/groups-naming-policy.md) (article)
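Review bot: The five added Related content links drop the `- ` list markers, and this hunk adds no blank line or trailing `\` between them, so unless the source already separates them they render as one run-on paragraph. The other pages in this update put a blank line or a trailing `\` after each link. In the PowerShell entry the "(article)" label also lands after the description text ("provides examples (article)") instead of after the link.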
admin Add User Or Contact To Distribution List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/add-user-or-contact-to-distribution-list.md
search.appverid:
- MET150 - MOE150 ms.assetid: ba256583-03ca-429e-be4d-a92d9c221ad6
-description: "Learn how to add a Microsoft 365 user or contact to a distribution group. For example, you can add an employee, partner, or a vendor to your email distribution group."
+description: "Learn how to add a Microsoft 365 user or contact such as an employee, partner, or vendor to an email distribution group."
# Add a user or contact to a distribution group
-As the admin of an organization, you may need to add one of your users or contacts to a distribution group (see [Create distribution groups in Microsoft 365](../setup/create-distribution-lists.md).) For example, you can add employees or external partners or vendors to an email distribution group.
+As the admin of an organization, you may need to add one of your users or contacts to a distribution group (see [Create distribution groups in Microsoft 365](../setup/create-distribution-lists.md)). For example, you can add employees or external partners or vendors to an email distribution group.
## Add a user or contact to a distribution group
As the admin of an organization, you may need to add one of your users or contac
![Add members to distribution group](../../media/f79f59f8-1606-43fe-bae6-df74f5b6259d.png) 5. Select **Save** and then **Close**.+
+## Watch: Add a user to a distribution list
> [!VIDEO https://www.microsoft.com/videoplayer/embed/ed4e6095-9a6a-4d3d-999d-698c39bb7ec8?autoplay=false]
-Learn how to [send email as a distribution group in Microsoft 365](../manage/send-email-as-distribution-list.md).
-
+## Next steps
+
+Learn to [send email as a distribution group in Microsoft 365](../manage/send-email-as-distribution-list.md).
+
+## Related content
+
+[Manage clutter for your organization](configure-clutter.md) (article)
+
+[Create a shared mailbox](create-a-shared-mailbox.md) (article)
admin Centralized Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md
Centralized Deployment supports three desktop platforms Windows, Mac and Online
It can take up to 24 hours for an add-in to show up for client for all users.
-## Requirements
+## Before you begin
Centralized deployment of add-ins requires that the users are using Microsoft 365 Enterprise SKUs: E3/E5/F3 or Business SKUs: Business Basic, Business Standard, Business Premium (and are signed into Office using their organizational ID), and have Exchange Online and active Exchange Online mailboxes. Your subscription directory must either be in, or federated to Azure Active Directory. You can view specific requirements for Office and Exchange below, or use the [Centralized Deployment Compatibility Checker](#centralized-deployment-compatibility-checker).
admin Manage Addins In The Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/manage-addins-in-the-admin-center.md
If the deployed add-in doesn't support add-in commands or if you want to view al
2. Select **Admin-managed** in the left nav.
-## Learn more
+## Related content
-[Deploy add-ins in the admin center](./manage-deployment-of-add-ins.md)
+[Deploy add-ins in the admin center](./manage-deployment-of-add-ins.md) (article)
-Learn more about creating and building [Office Add-ins](/office/dev/add-ins/overview/office-add-ins).
+Learn more about creating and building [Office Add-ins](/office/dev/add-ins/overview/office-add-ins) (article)
-[Use Centralized Deployment PowerShell cmdlets to manage add-ins](../../enterprise/use-the-centralized-deployment-powershell-cmdlets-to-manage-add-ins.md).
+[Use Centralized Deployment PowerShell cmdlets to manage add-ins](../../enterprise/use-the-centralized-deployment-powershell-cmdlets-to-manage-add-ins.md) (article)
-[Troubleshoot: User not seeing add-ins](/office365/troubleshoot/access-management/user-not-seeing-add-ins)
+[Troubleshoot: User not seeing add-ins](/office365/troubleshoot/access-management/user-not-seeing-add-ins) (article)
-[Minors and acquiring add-ins from the Microsoft Store](./minors-and-acquiring-addins-from-the-store.md)
+[Minors and acquiring add-ins from the Microsoft Store](./minors-and-acquiring-addins-from-the-store.md) (article)
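Review bot: The Office Add-ins entry keeps its sentence form ("Learn more about creating and building [Office Add-ins]") but loses its closing period and gains "(article)", so it no longer matches the bare link titles around it. Suggest reducing it to the link plus label, as the other four entries do.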
admin Message Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/message-center.md
search.appverid:
- MET150 - MOE150 ms.assetid: 38fb3333-bfcc-4340-a37b-deda509c2093
-description: "Get an overview of Microsoft 365 Message center and its role in change management."
+description: "Get an overview of Microsoft 365 Message center and its role in tracking new and changed features and other important announcements."
# Message center
admin Release Options In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/release-options-in-office-365.md
You can change how your organization receives Microsoft 365 updates by following
8. Choose **Select users** to add users one at a time, or **Upload users** to add them in bulk. 9. When you're done adding users, select **Save changes**.--
-## Learn more
+## Next steps
Discover how to [manage messages](/office365/admin/manage/message-center) in your [Microsoft 365 Message center](https://admin.microsoft.com/Adminportal/Home?source=applauncher#/MessageCenter) to get notifications about upcoming Microsoft 365 updates and releases.
-## Related Articles
+## Related content
-[Office Insider](https://insider.office.com/join/windows)
+[Join the Office Insider Program](https://insider.office.com/join/windows) (article)
admin Become The Admin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/become-the-admin.md
search.appverid:
- MET150 - MOE150 ms.assetid: b9707ec8-2247-4e25-9bad-f11ddbc686e4
-description: "Learn how to verify your email and domain ownership to take over an unmanaged tenant in Microsoft 365"
+description: "Learn how to verify your email and domain ownership to take over an unmanaged tenant created by a self-service user signup in Microsoft 365."
# Perform an internal admin takeover
If you are an admin and want to take over an unmanaged tenant created by a self-
> [!NOTE] > Taking over the shadow tenant will not impact any existing information or services. However, if any users in the domain have signed up for services that require a license, you'll be asked to buy licenses for them as part of taking over the admin role. You can buy or remove licenses once the admin setup process is finished.
-## Related articles
+## Related content
-YouTube: [3 steps to do an IT Admin Takeover for Power BI and Microsoft 365](https://www.youtube.com/watch?v=xt5EsrQBZZk)
+YouTube: [3 steps to do an IT Admin Takeover for Power BI and Microsoft 365](https://www.youtube.com/watch?v=xt5EsrQBZZk) (video)
-[Admin takeover in Azure AD](/azure/active-directory/users-groups-roles/domains-admin-takeover)
+[Admin takeover in Azure AD](/azure/active-directory/users-groups-roles/domains-admin-takeover) (article)
-[Using self-service sign up in your organization](self-service-sign-up.md)
+[Using self-service sign up in your organization](self-service-sign-up.md) (article)
-[Understanding the Power BI service administrator role](/power-bi/service-admin-role)
+[Understanding the Power BI service administrator role](/power-bi/service-admin-role) (article)
admin Password Policy Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/password-policy-recommendations.md
For more information about Microsoft 365 passwords, see:
[Reset passwords](../add-users/reset-passwords.md) (article)
-[Set an individual user's password to never expire](../add-users/set-password-to-never-expire.md) (artice)
+[Set an individual user's password to never expire](../add-users/set-password-to-never-expire.md) (article)
[Let users reset their own passwords](../add-users/let-users-reset-passwords.md) (article)
Risk-based multi-factor authentication ensures that when our system detects susp
[Let users reset their own passwords](../add-users/let-users-reset-passwords.md) (article)
-[Resend a user's password - Admin Help](../add-users/resend-user-password.md) (article)
+[Resend a user's password - Admin Help](../add-users/resend-user-password.md) (article)
admin Productivity Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/productivity/productivity-score.md
search.appverid: - MET150 - MOE150
-description: "Overview of Microsoft productivity score."
+description: "Learn how Microsoft Productivity Score reflects people and technology experience measurements and compare to organizations of similar size."
# Microsoft Productivity Score
We provide metrics, insights, and recommendations in two areas:
- **Technology experiences:** Your organization depends on reliable and well performing technology as well as the efficient use of Microsoft 365. [Endpoint analytics](https://aka.ms/endpointanalytics) helps you understand how your organization can be impacted by performance and health issues with your hardware and software. Microsoft 365 apps health helps you understand whether the devices in your organization are running Microsoft 365 apps on recommended channels.
-See [What is Endpoint Analytics](/mem/analytics/overview) for an overview and prerequisite details. To learn more about Microsoft 365 network connectivity insights, read [the network connectivity overview](../../enterprise/microsoft-365-networking-overview.md).
-
-
-## How the score is calculated
-
-Your Productivity Score is based on the combined scores of your people and technology experiences categories. Each category is weighted equally, with a total of 100 points. The highest possible Productivity Score is 800.
-
-### Score categories
--- Communication (100 points)-- Meetings (100 points)-- Content collaboration (100 points)-- Teamwork (100 points)-- Mobility (100 points)-- Endpoint analytics (100 points)-- Network connectivity (100 points)-- Microsoft 365 Apps Health (100 points)-- **Total possible = 800 points**
-
-In each score category, we quantify the key indicators for how your organization is using Microsoft 365 in its journey towards digital transformation. We provide 28-day and 180-day views of the key activities. We also provide supporting metrics that are not part of the score calculation, but are important for helping you identify underlying usage statistics and configurations that you can address.
-
-### Products included in Productivity Score
-
-Productivity Score includes data from Exchange, SharePoint, OneDrive, Teams, Word, Excel, PowerPoint, OneNote, Outlook, Yammer, and Skype.
-
-Your organization's score is updated daily and reflects user actions completed in the last 28 (including the current day).
+## Before you begin
-
-## Prerequisites
+See [What is Endpoint Analytics](/mem/analytics/overview) for an overview and prerequisite details. To learn more about Microsoft 365 network connectivity insights, read [the network connectivity overview](../../enterprise/microsoft-365-networking-overview.md).
For people experiences data, you need a Microsoft 365 for business or Office 365 for enterprise subscription. For endpoint analytics data for your tenant, you need to add Microsoft Intune to your subscription. Intune helps protect your organization's data by managing devices and apps. Once you have Intune, you can turn on endpoint analytics within the Intune experience. To learn more about Microsoft Intune, see the [Microsoft Intune documentation](/mem/intune/).
The role-based access control model for Productivity Score helps organizations f
Microsoft is committed to protecting individual privacy. This [privacy document](privacy.md) explains the controls we provide you, as your organization's IT administrator, to ensure that the information is actionable while not compromising the trust you place in Microsoft. You can access the experience from Microsoft 365 Admin home under **Reports** > **Productivity Score**.
+
+## How the score is calculated
+
+Your Productivity Score is based on the combined scores of your people and technology experiences categories. Each category is weighted equally, with a total of 100 points. The highest possible Productivity Score is 800.
+
+### Score categories
+
+- Communication (100 points)
+- Meetings (100 points)
+- Content collaboration (100 points)
+- Teamwork (100 points)
+- Mobility (100 points)
+- Endpoint analytics (100 points)
+- Network connectivity (100 points)
+- Microsoft 365 Apps Health (100 points)
+- **Total possible = 800 points**
+
+In each score category, we quantify the key indicators for how your organization is using Microsoft 365 in its journey towards digital transformation. We provide 28-day and 180-day views of the key activities. We also provide supporting metrics that are not part of the score calculation, but are important for helping you identify underlying usage statistics and configurations that you can address.
+
+### Products included in Productivity Score
+
+Productivity Score includes data from Exchange, SharePoint, OneDrive, Teams, Word, Excel, PowerPoint, OneNote, Outlook, Yammer, and Skype.
+
+Your organization's score is updated daily and reflects user actions completed in the last 28 (including the current day).
## Interpreting your organization's Productivity Score
Share your thoughts about Productivity Score and your ideas about how to improve
## Related content
-[Monitor Microsoft 365 activity by using reports](/microsoft-365/admin/activity-reports/activity-reports) (article)\
-[Enable Microsoft 365 usage analytics](/microsoft-365/admin/usage-analytics/enable-usage-analytics) (article)\
-[Overview of the Microsoft 365 admin center](/microsoft-365/business-video/admin-center-overview) (video)
+[Monitor Microsoft 365 activity by using reports](../../admin/activity-reports/activity-reports.md) (article)\
+[Enable Microsoft 365 usage analytics](../../admin/usage-analytics/enable-usage-analytics.md) (article)\
+[Overview of the Microsoft 365 admin center](../../business-video/admin-center-overview.md) (video)
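Review bot: The re-added last line of "Products included in Productivity Score" still reads "completed in the last 28 (including the current day)", carried over unchanged from the removed block; the unit is missing and should be "28 days", matching the "28-day and 180-day views" wording a few lines above it. The new `description` also leaves "compare" without a clear subject ("measurements and compare to organizations of similar size"); suggest rewording so it is clear what is being compared.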
admin Customize Your Organization Theme https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/customize-your-organization-theme.md
search.appverid:
- MET150 - MOE150 ms.assetid: 8275da91-7a48-4591-94ab-3123a3f79530
-description: "Learn to change the default theme of Microsoft 365 and customize it to match your company logo or color. "
+description: "Learn to change the default theme for the top of the navigation bar in Microsoft 365 and customize it to match your company logo or color."
# Customize the Microsoft 365 theme for your organization
The recommended contrast ratio between text, icon or button color and background
Any theme will be appear in the top navigation bar for everyone in the organization as part of the Microsoft 365 suite header.
-## Related articles
+## Related content
-[Add custom tiles to the My apps page and app launcher](../manage/customize-the-app-launcher.md)
+[Add custom tiles to the My apps page and app launcher](../manage/customize-the-app-launcher.md) (article)
-[Overview of Microsoft 365 Groups for administrators](https://docs.microsoft.com/microsoft-365/admin/create-groups/office-365-groups)
+[Overview of Microsoft 365 Groups for administrators](../create-groups/office-365-groups.md) (article)
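Review bot: The unchanged context line just above the renamed heading reads "Any theme will be appear in the top navigation bar"; since this pass already touches the section, fix it to "will appear". Replacing the absolute docs.microsoft.com URL with a relative path in the second link is consistent with the other entries.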
admin Install Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/install-applications.md
- seo-marvel-may2020 - AdminSurgePortfolio - okr_smb
-description: Now that you've set up Microsoft 365, learn how to install individual Office applications on your Mac, PC, or mobile devices and set up email in Outlook.
+description: "Now that you've set up Microsoft 365, learn how to install individual Office applications on your Mac, PC, or mobile devices."
# Install Office applications
If you purchased Azure Active Directory Premium (AADP) Plan 1 or Plan 2, you're
::: moniker-end
-Having trouble? These troubleshooting resources can help:
+## Related content
-- [Troubleshoot installing Office and Microsoft 365](https://support.microsoft.com/office/35ff2def-e0b2-4dac-9784-4cf212c1f6c2)
+[Troubleshoot installing Office and Microsoft 365](https://support.microsoft.com/office/35ff2def-e0b2-4dac-9784-4cf212c1f6c2) (article)
admin Enable Usage Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/usage-analytics/enable-usage-analytics.md
To make the data that is collected for all reports anonymous, you have to be a g
2. Select **Reports**, and then choose to **Display anonymous identifiers**. This setting gets applied both to the usage reports as well as to the template app. 3. Select **Save changes**.+
+## Related content
+
+[About usage analytics](usage-analytics.md) (article)
+
+[Get the latest version of usage analytics](get-the-latest-version-of-usage-analytics.md) (article)
+
+[Navigate and utilize the reports in Microsoft 365 usage analytics](navigate-and-utilize-reports.md) (article)
business Manage Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/manage-windows-devices.md
At this point you should be able to see the policy **Enable automatic MDM enroll
## Related content [Synchronize domain users to Microsoft 365](manage-domain-users.md) (article)+ [Create a group in the admin center](../admin/create-groups/create-groups.md) (article)+ [Tutorial: Configure hybrid Azure Active Directory join for managed domains](/azure/active-directory/devices/hybrid-azuread-join-managed-domains.md) (article)
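Review bot: The hybrid Azure AD join link uses a site-relative path that ends in `.md` (`/azure/active-directory/devices/hybrid-azuread-join-managed-domains.md`), whereas the other site-relative links in this update (for example `/azure/active-directory/b2b/tutorial-bulk-invite`) carry no extension. Suggest dropping `.md` here and confirming the link resolves in the built page.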
business Set Up Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/set-up-windows-devices.md
search.appverid:
- BCS160 - MET150 ms.assetid: 2d7ff45e-0da0-4caa-89a9-48cabf41f193
-description: "Learn how to set up Windows devices running Windows 10 Pro for Microsoft 365 Business Premium users, enabling centralized management and security controls."
+description: "Set up Windows devices running Windows 10 Pro for Microsoft 365 Business Premium users, enabling centralized management and security controls."
# Set up Windows devices for Microsoft 365 Business Premium users
-## Prerequisites for setting up Windows devices for Microsoft 365 Business Premium users
+## Before you begin
Before you can set up Windows devices for Microsoft 365 Business Premium users, make sure all the Windows devices are running Windows 10 Pro, version 1703 (Creators Update). Windows 10 Pro is a prerequisite for deploying Windows 10 Business, which is a set of cloud services and device management capabilities that complement Windows 10 Pro and enable the centralized management and security controls of Microsoft 365 Business Premium.
Verify that your Azure AD joined Windows 10 devices are upgraded to Windows 10 B
To set up your mobile devices, see [Set up mobile devices for Microsoft 365 Business Premium users](set-up-mobile-devices.md), To set device protection or app protection policies, see [Manage Microsoft 365 for business](manage.md).
-## For more on setting up and using Microsoft 365 Business Premium
+## Related content
-[Microsoft 365 for business training videos](../business-video/index.yml)
+[Microsoft 365 for business training videos](../business-video/index.yml) (link page)
commerce Change Your Billing Addresses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses.md
- AdminSurgePortfolio - commerce_billing search.appverid: MET150
-description: "Learn how to update your billing addresses for Microsoft 365 for business. You can also update the email address used to receive billing notifications."
+description: "Learn how to update your billing addresses or the email address used to receive billing notifications for Microsoft 365 for business."
Last updated 04/07/2021
You can also change the alternate email address of other global and billing admi
## Related content
-[View your bill or invoice](view-your-bill-or-invoice.md)\
-[Understand your bill or invoice](understand-your-invoice2.md)\
-[Pay for your subscription](pay-for-your-subscription.md)\
-[Subscriptions and billing - Admin Help](../index.yml)
+[View your bill or invoice](view-your-bill-or-invoice.md) (article)\
+[Understand your bill or invoice](understand-your-invoice2.md) (article)\
+[Pay for your subscription](pay-for-your-subscription.md) (article)\
+[Subscriptions and billing - Admin Help](../index.yml) (link page)
commerce Understand Your Invoice2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/understand-your-invoice2.md
- AdminSurgePortfolio - commerce_billing search.appverid: MET150
-description: "Learn how to interpret the charges, billing, and payment information on your Microsoft 365 for business bill or invoice, and how to change the purchase order number."
+description: "Interpret charges, billing, and payment info on your Microsoft 365 for business bill or invoice, and how to change a purchase order number."
Last updated 05/04/2021
If you pay by invoice, you can add or change the purchase order (PO) number for
[Change your organization's address, technical contact email, and other information](../../admin/manage/change-address-contact-and-more.md) (article)
-[Pay for your Microsoft 365 for business subscription](pay-for-your-subscription.md) (article)\
+[Pay for your Microsoft 365 for business subscription](pay-for-your-subscription.md) (article)
[Minecraft: Education Edition payment options](/education/windows/school-get-minecraft) (article)
commerce Enter Your Product Key https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/enter-your-product-key.md
- okr_SMB - AdminSurgePortfolio - commerce_purchase
-description: "Learn how to redeem a Microsoft 365 Business Standard product key purchased at a retail store."
+description: "If you purchased Microsoft 365 Business Standard from a retail store, learn how to redeem the product key and activate your subscription."
Last updated 11/13/2020
If you're new to Microsoft 365 for business, learn how to [set up Microsoft 365]
Check out this list of common errors and solutions: [Problems with your Microsoft 365 for business product key?](product-key-errors-and-solutions.md) Or, [call Microsoft Support](../business-video/get-help-support.md).+
+## Related content
+
+[Upgrade to a different plan](./subscriptions/upgrade-to-different-plan.md) (article)
+
+[What happens to my data and access when my Microsoft 365 for business subscription ends?](./subscriptions/what-if-my-subscription-expires.md) (article)
+
+[Understand subscriptions and licenses in Microsoft 365 for business](./licenses/subscriptions-and-licenses.md) (article)
commerce Renew Your Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/renew-your-subscription.md
- AdminSurgePortfolio - commerce_subscriptions search.appverid: MET150
-description: "Learn how to renew your Microsoft 365 by turning recurring billing off or on."
+description: "Learn how to renew most Microsoft 365 for business subscriptions by turning recurring billing off or on."
Last updated 05/04/2021
compliance Communication Compliance Feature Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-feature-reference.md
Communication compliance filters allow you to filter and sort alert messages for
| **Size** | The size of the message in KB. | | **Subject/Title** | The message subject or chat title. | | **Tags** | The tags assigned to a message, either *Questionable*, *Compliant*, or *Non-compliant*. |
+| **Language** | The detected language of text in the message. The message is classified according to the language of the majority of the message text. For example, for a message containing both German and Italian text, but the majority of text is German, the message is classified as German (DE). The following languages are supported: Chinese (Simplified - ZH), English (EN), French (FR), German (DE), Italian (IT), Japanese (JP), Portuguese (PT), and Spanish (ES). For example, to filter messages classified as German and Italian, enter 'DE,IT' (the 2-digit language codes) in the Language filter search box. To view the detected language classification for a message, select a message, select View message details, and scroll to the EmailDetectedLanguage field. |
| **Escalated To** | The user name of the person included as part of a message escalation action. | | **Classifiers** | The name of built-in and custom classifiers that apply to the message. Some examples include *Offensive Language*, *Targeted Harassment*, *Profanity*, *Threat*, and more.
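Review bot: in the added **Language** row, "the 2-digit language codes" should read "the two-letter language codes", since DE and IT are letters, not digits. The row also lists Japanese as JP, which is the country code rather than the ISO 639-1 language code (ja); confirm which value the Language filter search box accepts and state it here so reviewers filtering for Japanese messages enter the right code. The row has two sentences that both begin "For example"; moving the 'DE,IT' filter example directly after the list of supported languages would make the cell easier to scan.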
compliance Communication Compliance Investigate Remediate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-investigate-remediate.md
For a complete list of filters and field details, see [Filters](communication-co
5. Select the **Filters** control to open the **Filters** details page.
-6. Select one or more checkboxes to enable filters for these alerts. You can choose from numerous filters, including *Date*, *Sender*, *Subject/Title*, *Classifiers*, and more.
+6. Select one or more checkboxes to enable filters for these alerts. You can choose from numerous filters, including *Date*, *Sender*, *Subject/Title*, *Classifiers*, *Language*, and more.
7. If you'd like to save the filter selected as the default filter, select **Save as default**. If you want to use this filter as a saved filter, select **Done**.
After reviewing the message basics, it's time to open a message to examine the d
- **Text view**: Text view displays a line-numbered text-only view of the message and includes keyword highlighting in messages and attachments for sensitive info type terms or keywords matched in the associated communication compliance policy. Keyword highlighting can help you quickly scan long messages and attachments for the area of interest. In some cases, highlighted text may be only in attachments for messages matching policy conditions. Keyword highlighting isn't supported for terms identified by built-in classifiers assigned to a policy. Embedded files aren't displayed and the line numbering this view is helpful for referencing pertinent details among multiple reviewers. - **Annotate view**: This view allows reviewers to add annotations directly on the message that are saved to the view of the message. If [OCR is enabled](communication-compliance-feature-reference.md#optical-character-recognition-ocr-preview) for the policy, images containing printed or handwritten text that match policy conditional are viewed as a child item for the associated message in this view and may be annotated. - **User history**: User history view displays all other alerts generated by any communication compliance policy for the user sending the message.-- **Message detail view**: Advanced view of message metadata and configuration information. - **Pattern detected notification**: Many harassing and bullying actions over time and involve reoccurring instances of the same behavior by a user. The *Pattern detected* notification is displayed in the alert details and raises attention to the alert. Detection of patterns is on a per-policy basis and evaluates behavior over the last 30 days when at least two messages are sent to the same recipient by a sender. Investigators and reviewers can use this notification to identify repeated behavior to evaluate the alert as appropriate. 
- **Show Translate view**: This view automatically converts alert message text to the language configured in the *Displayed language* setting in the Microsoft 365 subscription for each reviewer. The Translate view helps broaden investigative support for organizations with multilingual users and eliminates the need for additional translation services outside of the communication compliance review process. Using Microsoft Translate services, the Translate view can be turned on and off as needed and supports a wide range of languages. For a complete list of supported languages, see [Microsoft Translator Languages](https://www.microsoft.com/translator/business/languages/). Languages listed in the *Translator Language List* are supported in the Translate view.
compliance Disposition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disposition.md
description: "Monitor and manage the disposal of content for when you use a disp
Use the **Disposition** page from **Records Management** in the Microsoft 365 compliance center to manage disposition reviews and view the metadata of [records](records-management.md#records) that have been automatically deleted at the end of their retention period. > [!NOTE]
-> Rolling out in preview: **multi-stage disposition review**
+> In preview: **multi-stage disposition review**
> > An administrator can now add up to five consecutive stages of disposition review in a retention label, and reviewers can add others users to their disposition review stage. You can also customize the email notifications and reminders. The following sections have more information about the changes in this preview.
+>
+> To read the release announcement, see the blog post [Announcing Multi-Stage Disposition in Microsoft Records Management](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-multi-stage-disposition-in-microsoft-records/ba-p/2361849).
## Prerequisites for viewing content dispositions
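Review bot: the unchanged line of this note block, directly below the edited preview banner, still reads "reviewers can add others users to their disposition review stage"; correct it to "other users" in the same change, since the note is being touched anyway.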
contentunderstanding Solution Manage Contracts Step3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-step3.md
audience: admin Previously updated : 05/10/2021 Last updated : 05/19/2021 ms.prod: microsoft-365-enterprise search.appverid: localization_priority: None
The following diagram shows the Power Automate flow for the contract management
## Prepare your contract for review
-When a contract is identified and classified by your SharePoint Syntex document understanding model, the Power Automate flow will first change the status to "In review."
+When a contract is identified and classified by your SharePoint Syntex document understanding model, the Power Automate flow will first change the status to **In review**.
![Update status.](../media/content-understanding/flow-overview.png)
-After checking out the file, change the status value to "In review."
+After checking out the file, change the status value to **In review**.
![In review status.](../media/content-understanding/in-review.png)
When a contract has been approved, the following things occur:
![Card status approved.](../media/content-understanding/approved-contracts-tab.png) -- In your flow, the status is changed to "Approved."
+- In your flow, the status is changed to **Approved**.
![Flow status approved.](../media/content-understanding/status-approved.png)
includes Microsoft 365 Client Support Certificate Based Authentication Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-certificate-based-authentication-include.md
|STICKY NOTES|N/A|N/A|N/A|N/A|Γ£ö| |STREAM|Γ£ö|Γ£ö|N/A|N/A|N/A| |SWAY|N/A|N/A|N/A|N/A|Γ£ö|
-|TEAMS|Γ£ö|Γ£ö|Γ£ö|Planned|N/A|
+|TEAMS|Γ£ö|Γ£ö|Γ£ö|Γ£ö|N/A|
|TO-DO|Γ£ö|Γ£ö|Γ£ö|N/A|Γ£ö| |VISIO|N/A|Γ£ö|N/A|Γ£ö|N/A| |WHITEBOARD|Γ£ö|Planned|N/A|N/A|Γ£ö|
includes Microsoft 365 Client Support Conditional Access Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-conditional-access-include.md
|STICKY NOTES|N/A|N/A|N/A|N/A|Planned| |STREAM|Planned|Planned|N/A|N/A|N/A| |SWAY|N/A|N/A|N/A|N/A|Planned|
-|TEAMS|Γ£ö|Γ£ö|Γ£ö|Planned|N/A|
+|TEAMS|Γ£ö|Γ£ö|Γ£ö|Γ£ö|N/A|
|TO-DO|Planned|Planned|Planned|N/A|Planned| |VISIO|N/A|Γ£ö|N/A|Planned|N/A| |WHITEBOARD|Γ£ö|Planned|N/A|N/A|Planned|
includes Microsoft 365 Client Support Modern Authentication Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-modern-authentication-include.md
|AZURE ACTIVE DIRECTORY ADMIN|N/A|N/A|N/A|Γ£ö|N/A| |AZURE ADMIN|N/A|N/A|N/A|N/A|N/A| |COMPANY PORTAL|Γ£ö|Γ£ö|Γ£ö|N/A|Γ£ö|
-|CORTANA|Γ£ö|Γ£ö|N/A|N/A|Γ£ö|
+|CORTANA|N/A|N/A|N/A|N/A|Γ£ö|
|DELVE|Γ£ö|Γ£ö|N/A|N/A|N/A| |EXCEL|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Γ£ö| |EXCHANGE ADMIN|N/A|N/A|N/A|Γ£ö|N/A|
includes Microsoft 365 Client Support Single Sign On Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-single-sign-on-include.md
|STICKY NOTES|N/A|N/A|N/A|N/A|Γ£ö| |STREAM|Planned|Planned|N/A|N/A|N/A| |SWAY|N/A|N/A|N/A|N/A|Γ£ö|
-|TEAMS|Γ£ö|Γ£ö|Planned|Γ£ö|N/A|
+|TEAMS|Γ£ö|Γ£ö|Γ£ö|Γ£ö|N/A|
|TO-DO|Γ£ö|Γ£ö|N/A|N/A|Γ£ö| |VISIO|N/A|Γ£ö|N/A|Γ£ö|N/A| |WHITEBOARD|Γ£ö|Γ£ö|N/A|N/A|Γ£ö|
knowledge Scale Topics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/scale-topics.md
First, a reminder of the [four stages for topics](manage-topics.md#topic-stages)
- **Suggested**: A topic has been identified by AI and has enough supporting resources, connections, and properties. (These are marked as a **Suggested Topic** in the UI.) -- **Confirmed**: A topic that has been suggested by AI is validated. Topic validation must be confirmed by a knowledge manager. For a topic to be confirmed, there must be a net of two positive votes received from users who voted using the feedback mechanism on the topic card. For example, if one user voted positive and one user voted negative for a particular topic, you would still need two more positive votes for the topic to be confirmed.
+- **Confirmed**: A topic that has been suggested by AI needs to be validated. Topic validation occurs when either:
+
+ - A knowledge manager confirms a topic. A knowledge manager [confirms a topic](manage-topics.md#confirmed-topics) on the **Manage topics** page.
+
+ - Multiple users confirm a topic. There must be a net of two positive votes received from users who voted using the feedback mechanism on the topic card. For example, if one user voted positive and one user voted negative for a particular topic, you would still need two more positive votes for the topic to be confirmed.
-- **Published**: A confirmed topic that has been curated: manual edits have been made to improve its quality.
+- **Published**: A confirmed topic that has been curated. Manual edits have been made to improve its quality.
+
+- **Removed**: A topic that has been rejected and will no longer be visible to viewers. A topic can be removed in any state (suggested, confirmed, or published). Topic removal occurs when either:
+ - A knowledge manager removes a topic. A knowledge manager removes a topic on the **Manage topics** page.
+
+ - Multiple users cast negative votes using the feedback mechanism on the topic card. For a topic to be removed, there must be a net of two negative votes received from users. For example, if one user voted negative and one user voted positive for a particular topic, you would still need two more negative votes for the topic to be removed.
-- **Removed**: A topic is rejected by a knowledge manager and will no longer be visible to viewers. A topic can be removed in any state (suggested, confirmed, or published). For a topic to be removed, there must be a net of two negative votes received from users who voted using the feedback mechanisms on the topic card. For example, if one user voted negative and one user voted positive for a particular topic, you would still need two more negative votes for the topic to be removed. When a published topic is removed, the page with the curated details will need to be deleted manually through the Pages Library of the topic center.
+ When a published topic is removed, the page with the curated details will need to be deleted manually through the Pages Library of the topic center.
## Knowledge manager role
-When you configure Viva Topics, you'll add a group of users who are granted permissions to see the **Manage topics** experience in the topic center. It will appear only for these users who hold the role of primary curation for the topics. They'll have access to data about the topics and will be able to see lists of all topics that they have access to review and curate.
+When you configure Viva Topics, you'll add a group of users who are granted permissions to see the **Manage topics** page in the topic center. It will appear only for these users who hold the role of primary curation for the topics. They'll have access to data about the topics and will be able to see lists of all topics that they have access to review and curate.
Employees in this role should have broad permissions to view a wide array of topics. Or if permissions are segmented, you might want to select a group of users that represent different areas of the business and can curate for their own areas.
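Review bot: in the rewritten **Confirmed** bullet, the first sub-item says the same thing twice ("A knowledge manager confirms a topic. A knowledge manager [confirms a topic](manage-topics.md#confirmed-topics) on the **Manage topics** page."); collapse it to one sentence that carries the link. The new **Removed** bullet repeats the pattern ("A knowledge manager removes a topic. A knowledge manager removes a topic on the **Manage topics** page.") and has no link at all. Its first sub-item also follows the bullet text with no blank line, unlike the Confirmed sub-items, so make the spacing consistent and check that the trailing sentence "When a published topic is removed..." stays attached to the Removed bullet when rendered.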
knowledge Topic Center Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-center-overview.md
The topic center is created during Viva Topics setup. After setup completes, an
![Connect people to knowledge](../media/admin-org-knowledge-options-completed.png)
-3. Select the **Topic center** tab. Under **Site address** is a link to your Topic center.
+3. Select the **Topic center** tab. Under **Site address** is a link to your topic center.
![knowledge-network-settings](../media/knowledge-network-settings-topic-center.png)
On the **Manage topics** page, the topic dashboard shows all the topics, you hav
- Remove the topic: Makes the topic undiscoverable to end users. The topic is moved to the **Removed** tab and can be confirmed later if needed.
-For more information about how to manage topics on the **Manage topics page, see [Manage topics](manage-topics.md).
+For more information about how to manage topics on the **Manage topics** page, see [Manage topics](manage-topics.md).
## Create or edit a topic
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Onboard supported devices](onboard-configure.md) ## [Migration guides](migration-guides.md)
+### [Switch from non-Microsoft endpoint protection to Defender for Endpoint]()
+#### [Overview of migration](switch-to-microsoft-defender-migration.md)
+#### [Phase 1: Prepare](switch-to-microsoft-defender-prepare.md)
+#### [Phase 2: Setup](switch-to-microsoft-defender-setup.md)
+#### [Phase 3: Onboard](switch-to-microsoft-defender-onboard.md)
### [Switch from McAfee to Microsoft Defender for Endpoint]() #### [Overview of migration](mcafee-to-microsoft-defender-migration.md) #### [Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md)
#### [Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) #### [Phase 2: Setup](symantec-to-microsoft-defender-atp-setup.md) #### [Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md)
-### [Switch from your non-Microsoft endpoint security solution to Microsoft Defender for Endpoint]()
-#### [Overview of migration](switch-to-microsoft-defender-migration.md)
-#### [Phase 1: Prepare](switch-to-microsoft-defender-prepare.md)
-#### [Phase 2: Setup](switch-to-microsoft-defender-setup.md)
-#### [Phase 3: Onboard](switch-to-microsoft-defender-onboard.md)
### [Manage Microsoft Defender for Endpoint after migration]() #### [Overview of managing Microsoft Defender for Endpoint](manage-atp-post-migration.md) #### [Intune (recommended)](manage-atp-post-migration-intune.md)
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
For more information about configuring attack surface reduction rules, see [Enab
## Assess rule impact before deployment
-You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/#tvm).
+You can assess how an attack surface reduction rule might affect your network by opening the security recommendation for that rule in [threat and vulnerability management](/windows/security/threat-protection/#tvm).
:::image type="content" source="images/asrrecommendation.png" alt-text="Security reco for attack surface reduction rule":::
Warn mode helps your organization have attack surface reduction rules in place w
Warn mode is supported on devices running the following versions of Windows: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later
+- [Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809) or later
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809) or later
-Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state).
+Microsoft Defender Antivirus must be running with real-time protection in [Active mode](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state).
-In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed.
+In addition, make sure [Microsoft Defender Antivirus and antimalware updates](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed.
- Minimum platform release requirement: `4.18.2008.9` - Minimum engine release requirement: `1.1.17400.5`
For more information about advanced hunting, see [Proactively hunt for threats w
You can set attack surface reduction rules for devices that are running any of the following editions and versions of Windows: -- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later-- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later-- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- Windows 10 Pro, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows 10 Enterprise, [version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
+- Windows Server, [version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
-Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-endpoint.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/defender/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
+Although attack surface reduction rules don't require a [Windows E5 license](/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-endpoint.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](/microsoft-365/security/defender/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft Defender Security Center
You can create a custom view that filters events to only show the following even
|5007|Event when settings are changed| |1121|Event when rule fires in Block-mode| |1122|Event when rule fires in Audit-mode|
-|
The "engine version" listed for attack surface reduction events in the event log, is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
If you are configuring attack surface reduction rules by using Group Policy or P
|Rule name|GUID|File & folder exclusions|Minimum OS supported| ||::|||
-|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers)|`56a863a9-875e-4185-98a7-b882c64b5ce5`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater) |
+|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers)|`56a863a9-875e-4185-98a7-b882c64b5ce5`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater) |
|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes)|`7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater| |[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes)|`D4F940AB-401B-4EFC-AADC-AD5F3C50688A`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem)|`9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail)|`BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)|`01443614-cd74-433a-b99e-2ecdc07bfc25`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts)|`5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content)|`D3E037E1-3EB8-44C8-A917-57927947596D`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content)|`3B576869-A4EC-4529-8536-B80A7769E899`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes)|`75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes)|`26190899-1602-49e8-8b27-eb1d0a1ce869`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription)|`e6db77e5-3df2-4cf1-b95a-636979351e5b`|Not supported|[Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater|
-|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands)|`d1e49aac-8f56-4280-b9ba-993a6d77406c`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb)|`b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros)|`92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware)|`c1db55ab-c21a-4637-bb3f-a12568109d35`|Supported|[Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem)|`9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail)|`BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)|`01443614-cd74-433a-b99e-2ecdc07bfc25`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts)|`5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content)|`D3E037E1-3EB8-44C8-A917-57927947596D`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content)|`3B576869-A4EC-4529-8536-B80A7769E899`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes)|`75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes)|`26190899-1602-49e8-8b27-eb1d0a1ce869`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription)|`e6db77e5-3df2-4cf1-b95a-636979351e5b`|Not supported|[Windows 10, version 1903](/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater|
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands)|`d1e49aac-8f56-4280-b9ba-993a6d77406c`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb)|`b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros)|`92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware)|`c1db55ab-c21a-4637-bb3f-a12568109d35`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
| ### Block abuse of exploited vulnerable signed drivers
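Review bot: the conversion to site-relative links is incomplete in the rules table. The unchanged rows for "Block Adobe Reader from creating child processes" and "Block all Office applications from creating child processes" still link to https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709, while every other row now uses /windows/whats-new/whats-new-windows-10-version-1709; convert those two rows as well. The first changed row also carries over an unbalanced parenthesis, "(RS3, build 16299) or greater) |"; drop the trailing ")" so it matches the other rows.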
This rule does not block a driver already existing on the system from being load
This rule is supported in all versions in which ASR is supported; which is: -- [Windows 10 Pro, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later-- [Windows 10 Enterprise, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later-- [Windows Server, version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Windows 10 Pro, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
+- [Windows 10 Enterprise, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later
+- [Windows Server, version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
Intune Name: `Block abuse of exploited vulnerable signed drivers`
Through social engineering or exploits, malware can download and launch payloads
This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
Intune name: `Process creation from Adobe Reader (beta)`
Creating malicious child processes is a common malware strategy. Malware that ab
This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)
Intune name: `Office apps launching child processes`
LSASS authenticates users who sign in on a Windows computer. Microsoft Defender
This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)
Intune name: `Flag credential stealing from the Windows local security authority subsystem`
This rule blocks the following file types from launching from email opened withi
This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [Microsoft Endpoint Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Microsoft Endpoint Manager CB 1710](/configmgr/core/servers/manage/updates)
Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)`
This rule blocks the following file types from launching unless they meet preval
Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious. > [!IMPORTANT]
-> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to use this rule.
+> You must [enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to use this rule.
> > The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly. >
Launching untrusted or unknown executable files can be risky, as it may not be i
This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)
Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria`
Script obfuscation is a common technique that both malware authors and legitimat
This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)
Intune name: `Obfuscated js/vbs/ps/macro code`
Although not common, line-of-business applications sometimes use scripts to down
This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)
Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)`
Malware that abuses Office as a vector may attempt to break out of Office and sa
This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
+- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [System Center Configuration Manager](/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
Intune name: `Office apps/macros creating executable content`
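Review bot: the last added bullet still labels its link as System Center Configuration Manager with an "(SCCM is now Microsoft Endpoint Configuration Manager)" aside, while the other rule sections changed in this commit label the same `/configmgr/core/servers/manage/updates` target as `Configuration Manager CB 1710` or `Microsoft Endpoint Manager CB 1710`. Every one of these lines is being touched anyway, so settle on a single product name for that link across the article.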
This rule applies to Word, Excel, and PowerPoint.
This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)
Intune name: `Office apps injecting code into other processes (no exceptions)`
This rule prevents Outlook from creating child processes, while still allowing l
This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised. > [!NOTE]
-> This rule applies to Outlook and Outlook.com only.
+> This rule blocks DLP policy tips and ToolTips in Outlook. This rule applies to Outlook and Outlook.com only.
This rule was introduced in: -- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
Intune name: `Process creation from Office communication products (beta)`
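Review bot: the sentence added to the NOTE, "This rule blocks DLP policy tips and ToolTips in Outlook.", reads as if blocking them were the rule's purpose, when the surrounding text describes a rule that prevents Outlook from creating child processes. Word it as a known impact (for example "Enabling this rule also blocks DLP policy tips and ToolTips in Outlook") and keep the scope statement about Outlook and Outlook.com as its own sentence, so admins evaluating the rule know what breakage to expect.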
Fileless threats employ various tactics to stay hidden, to avoid being seen in t
This rule was introduced in: -- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)-- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
+- [Windows 10, version 1903](/windows/whats-new/whats-new-windows-10-version-1903)
+- [Windows Server 1903](/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
Intune name: Not available
GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
### Block process creations originating from PSExec and WMI commands
-This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
+This rule blocks processes created through [PsExec](/sysinternals/downloads/psexec) and [WMI](/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
> [!WARNING]
-> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
+> Only use this rule if you're managing your devices with [Intune](/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
+- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
Intune name: `Process creation from PSExec and WMI commands`
With this rule, admins can prevent unsigned or untrusted executable files from r
This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)
Intune name: `Untrusted and unsigned processes that run from USB`
Office VBA enables Win32 API calls. Malware can abuse this capability, such as [
This rule was introduced in: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)
Intune name: `Win32 imports from Office macro code`
This rule provides an extra layer of protection against ransomware. It uses both
The rule tends to err on the side of caution to prevent ransomware. > [!NOTE]
-> You must [enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to use this rule.
+> You must [enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to use this rule.
This rule was introduced in: -- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
+- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)
Intune name: `Advanced ransomware protection`
GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
- [Attack surface reduction FAQ](attack-surface-reduction-faq.md) - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)-- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
+- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
You can use Group Policy (GP) to configure settings, such as settings for the sa
4. Click **Policies**, then **Administrative templates**.
-5. Click **Windows components** and then **Windows Defender ATP**.
+5. Click **Windows components** and then **Windows Defender SmartScreen**.
6. Choose to enable or disable sample sharing from your devices.
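Review bot: step 5 now sends the reader to **Windows Defender SmartScreen** to enable or disable sample sharing, but SmartScreen is a separate feature and the replaced text named the product's own node, **Windows Defender ATP**. If the intent was to reflect a rename, confirm the node name against the current administrative templates before merging; with the wrong node here the reader cannot find the sample sharing setting.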
After configuring the onboarding script, continue editing the same group policy
All policies are located under `Computer Configuration\Policies\Administrative Templates`.
-**Policy location:** \Windows Components\Windows Defender ATP
+**Policy location:** \Windows Components\Windows Defender SmartScreen*
Policy | Setting :|:
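Review bot: the added policy location line ends in a stray `*` (`\Windows Defender SmartScreen*`), which will render as a literal asterisk or unintended emphasis after the bold label. Drop it, and check that SmartScreen is really the node that holds the sample collection policy listed in the table that follows, since the removed line pointed at `\Windows Components\Windows Defender ATP`.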
Enable\Disable Sample collection| Enabled - "Enable sample collection on machine
<br/>
-**Policy location:** \Windows Components\Windows Defender Antivirus
+**Policy location:** \Windows Components\Microsoft Defender Antivirus
Policy | Setting :|:
Configure detection for potentially unwanted applications | Enabled, Block
<br/>
-**Policy location:** \Windows Components\Windows Defender Antivirus\MAPS
+**Policy location:** \Windows Components\Microsoft Defender Antivirus\MAPS
Policy | Setting :|:
Send file samples when further analysis is required | Enabled, Send safe samples
<br/>
-**Policy location:** \Windows Components\Windows Defender Antivirus\Real-time Protection
+**Policy location:** \Windows Components\Microsoft Defender Antivirus\Real-time Protection
Policy | Setting :|:
Monitor file and program activity on your computer|Enabled
<br/>
-**Policy location:** \Windows Components\Windows Defender Antivirus\Scan
+**Policy location:** \Windows Components\Microsoft Defender AntivirusScan
These settings configure periodic scans of the endpoint. We recommend performing a weekly quick scan, performance permitting.
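Review bot: the new path `\Windows Components\Microsoft Defender AntivirusScan` lost the backslash between `Antivirus` and `Scan` that the removed line had, so it names a node that does not match the other `Microsoft Defender Antivirus\...` locations renamed in this commit. It should read `\Windows Components\Microsoft Defender Antivirus\Scan`.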
Check for the latest virus and spyware security intelligence before running a sc
<br/>
-**Policy location:** \Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction
+**Policy location:** \Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction
Get the current list of attack surface reduction GUIDs from [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
The embedded Defender for Endpoint sensor runs in system context using the Local
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: - Auto-discovery methods:+ - Transparent proxy+ - Web Proxy Auto-discovery Protocol (WPAD) > [!NOTE] > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). - Manual static proxy configuration:+ - Registry based configuration+ - WinHTTP configured using netsh command ΓÇô Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) ## Configure the proxy server manually using a registry-based static proxy
-Configure a registry-based static proxy to allow only Defender for Endpoint sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not be permitted to connect to the Internet.
+Configure a registry-based static proxy to allow only Defender for Endpoint sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not permitted to connect to the Internet.
> [!NOTE]
-> - When using this option on Windows 10 or Windows Server 2019, it is recommended to have the following (or later) build and cumulative update rollup:</br>
-> Windows 10, version 1809 or Windows Server 2019 - https://support.microsoft.com/kb/5001384 <br>
-> Windows 10, version 1909 - https://support.microsoft.com/kb/4601380</br>
-> Windows 10, version 2004 - https://support.microsoft.com/kb/4601382</br>
-> Windows 10, version 20H2 - https://support.microsoft.com/kb/4601382</br>
-> These updates improve the connectivity and reliability of the CnC (Command and Control) channel.</br>
+> When using this option on Windows 10 or Windows Server 2019, it is recommended to have the following (or later) build and cumulative update rollup:
+>
+> - Windows 10, version 1809 or Windows Server 2019 - https://support.microsoft.com/kb/5001384
+> - Windows 10, version 1909 - https://support.microsoft.com/kb/4601380
+> - Windows 10, version 2004 - https://support.microsoft.com/kb/4601382
+> - Windows 10, version 20H2 - https://support.microsoft.com/kb/4601382
+>
+> These updates improve the connectivity and reliability of the CnC (Command and Control) channel.
The static proxy is configurable through Group Policy (GP). The group policy can be found under: -- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
- - Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
+- **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**
+
+ Set it to **Enabled** and select **Disable Authenticated Proxy usage**.
+ ![Image of Group Policy setting1](images/atp-gpo-proxy1.png)+ - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**:
- - Configure the proxy:<br>
- ![Image of Group Policy setting2](images/atp-gpo-proxy2.png)
- The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
+ Configure the proxy
- The registry value `TelemetryProxyServer` takes the following string format:
+ ![Image of Group Policy setting2](images/atp-gpo-proxy2.png)
- ```text
- <server name or ip>:<port>
- ```
+ The policy sets two registry values, `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD, under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
+
+ The registry value `TelemetryProxyServer` takes the following string format:
- For example: 10.0.0.6:8080
+ ```text
+ <server name or ip>:<port>
+ ```
- The registry value `DisableEnterpriseAuthProxy` should be set to 1.
+ For example: 10.0.0.6:8080
+
+ The registry value `DisableEnterpriseAuthProxy` should be set to 1.
## Configure the proxy server manually using netsh command
Use netsh to configure a system-wide static proxy.
1. Open an elevated command-line:
- a. Go to **Start** and type **cmd**.
+ 1. Go to **Start** and type **cmd**.
- b. Right-click **Command prompt** and select **Run as administrator**.
+ 1. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command and press **Enter**:
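Review bot: in the re-indented Group Policy block, the example value in `For example: 10.0.0.6:8080` is left as plain text even though the registry value names around it are in backticks and the format string has its own fence; put the example in backticks as well, and restore the terminal punctuation on `Configure the proxy`, which lost its colon. Separately, the NOTE carried over at the top of this hunk still describes the sensor's cloud connection as the "CnC (Command and Control) channel", a term readers of a security article normally associate with attacker infrastructure; consider naming it the sensor's cloud communication channel instead.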
Use netsh to configure a system-wide static proxy.
netsh winhttp set proxy <proxy>:<port> ```
- For example: netsh winhttp set proxy 10.0.0.6:8080
+ For example: `netsh winhttp set proxy 10.0.0.6:8080`
-To reset the winhttp proxy, enter the following command and press **Enter**
+To reset the winhttp proxy, enter the following command and press **Enter**:
```PowerShell netsh winhttp reset proxy ```
-See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more.
+See [Netsh Command Syntax, Contexts, and Formatting](/windows-server/networking/technologies/netsh/netsh-contexts) to learn more.
## Enable access to Microsoft Defender for Endpoint service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only spec
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
-|**Spreadsheet of domains list**|**Description**|
+| Spreadsheet of domains list | Description |
|:--|:--| |![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the
> [!NOTE]
-> URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region.
+> URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, `us-v20.events.data.microsoft.com` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region.
> [!NOTE]
-> If you are using Microsoft Defender Antivirus in your environment, see [Configure network connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus).
+> If you are using Microsoft Defender Antivirus in your environment, see [Configure network connections to the Microsoft Defender Antivirus cloud service](/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus).
If a proxy or firewall is blocking anonymous traffic, as Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
Please see the following guidance to eliminate the wildcard (*) requirement for
4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://download.microsoft.com/download/8/e-urls.xlsx)).
-![Image of administrator in Windows PowerShell](images/admin-powershell.png)
+ ![Image of administrator in Windows PowerShell](images/admin-powershell.png)
The wildcards (*) used in *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft Defender Security Center portal.
Verify the proxy configuration completed successfully, that WinHTTP can discover
3. Open an elevated command-line:
- a. Go to **Start** and type **cmd**.
+ 1. Go to **Start** and type **cmd**.
- b. Right-click **Command prompt** and select **Run as administrator**.
+ 1. Right-click **Command prompt** and select **Run as administrator**.
4. Enter the following command and press **Enter**:
Verify the proxy configuration completed successfully, that WinHTTP can discover
HardDrivePath\MDATPClientAnalyzer.cmd ```
- Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example
+ Replace *HardDrivePath* with the path where the MDATPClientAnalyzer tool was downloaded to, for example:
```PowerShell C:\Work\tools\MDATPClientAnalyzer\MDATPClientAnalyzer.cmd
Verify the proxy configuration completed successfully, that WinHTTP can discover
5. Extract the *MDATPClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*.
-6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs. <br><br>
+6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
+ The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example: ```text
Verify the proxy configuration completed successfully, that WinHTTP can discover
5 - Command line proxy: Doesn't exist ```
-If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method. <br><br>
+If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE]
-> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
+> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
> [!NOTE]
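Review bot: the rewritten link in the Connectivity Analyzer note still targets the old `windows-defender-exploit-guard/attack-surface-reduction` path with the generic `#attack-surface-reduction-rules` anchor, although the note is about one specific rule; point it at that rule's own heading in the ASR rules article. The instruction to "temporarily disable this rule" also has no matching step to turn it back on, so add a reminder to re-enable the rule once the analyzer has finished, otherwise the workaround tends to become the permanent state.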
security Switch To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-migration.md
Title: Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
+ Title: Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint
description: Make the switch to Microsoft Defender for Endpoint. Read this article for an overview. keywords: migration, windows defender advanced endpoint protection, for Endpoint, edr search.product: eADQiWindows 10XVcnh
- m365solution-overview Previously updated : 05/14/2021 Last updated : 05/20/2021 ms.technology: mde
-# Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
+# Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint
-If you are planning to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint), you're in the right place. Use this article as a guide.
+If you are thinking about switching from your non-Microsoft endpoint protection to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint), you're in the right place. Use this article as a guide.
:::image type="content" source="images/nonms-mde-migration.png" alt-text="Overview of migrating to Defender for Endpoint":::
-When you make the switch to Defender for Endpoint, you begin with your non-Microsoft solution in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, and then set Defender for Endpoint to active mode and remove the non-Microsoft solution.
+When you make the switch to Defender for Endpoint, you begin with your non-Microsoft solution operating in active mode, configure Defender for Endpoint in passive mode, onboard to Defender for Endpoint, set Defender for Endpoint to active mode, and then remove the non-Microsoft solution.
> [!TIP] > - If you're currently using McAfee Endpoint Security (McAfee), see [Migrate from McAfee to Defender for Endpoint](mcafee-to-microsoft-defender-migration.md).
When you make the switch to Defender for Endpoint, you begin with your non-Micro
## The migration process
-When you switch to Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
+The process of migrating to Defender for Endpoint can be divided into three phases, as described in the following table:
![Migration phases - prepare, setup, onboard](images/phase-diagrams/migration-phases.png) |Phase |Description | |--|--|
-|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |
-|[Set up Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and set it to passive mode. You also configure settings & exclusions for Microsoft Defender Antivirus and your existing endpoint protection solution. Then, you create your device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[Onboard to Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Defender for Endpoint, confirm that Microsoft Defender Antivirus is running in passive mode, and verify that your endpoints are communicating with Defender for Endpoint. Then, you uninstall your existing endpoint protection solution and make sure that Defender for Endpoint working correctly. |
+|[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md): <p>1. Update your organization's devices. <p>2. Get Defender for Endpoint. <p>3. Plan your roles and permissions, and grant access to the Microsoft Defender Security Center. <p>4. Configure your device proxy and internet settings to enable communication between your organization's devices and Defender for Endpoint. |
+|[Set up Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md): <p>1. Enable/reinstall Microsoft Defender Antivirus. <p>2. Configure Defender for Endpoint. <p>3. Add Defender for Endpoint to the exclusion list for your existing solution. <p>4. Add your existing solution to the exclusion list for Microsoft Defender Antivirus. <p>5. Set up your device groups, collections, and organizational units. <p>6. Configure your antimalware policies and real-time protection settings.|
+|[Onboard to Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md): <p>1. Onboard your devices to Defender for Endpoint. <p>2. Run a detection test. <p>3. Confirm that Microsoft Defender Antivirus is running in passive mode. <p>4. Get updates for Microsoft Defender Antivirus. <p>5. Uninstall your existing endpoint protection solution. <p>6. Make sure that Defender for Endpoint working correctly. |
## What's included in Microsoft Defender for Endpoint?
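Review bot: step 6 of the new Onboard row reads "Make sure that Defender for Endpoint working correctly", which drops the verb (the removed row had the same slip). Make it "is working correctly". In the Setup row, step 1 says "Enable/reinstall" while the Setup article's own step and heading say "Reinstall/enable"; use one order in both places so the anchor text matches.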
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
- m365solution-migratetomdatp Previously updated : 05/14/2021 Last updated : 05/20/2021
**Welcome to Phase 3 of [switching to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps: 1. [Onboard devices to Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).- 2. [Run a detection test](#run-a-detection-test).- 3. [Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode-on-your-endpoints).- 4. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).- 5. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution). - 6. [Make sure Defender for Endpoint is working correctly](#make-sure-defender-for-endpoint-is-working-correctly). ## Onboard devices to Microsoft Defender for Endpoint
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. Choose **Settings** > **Device management** > **Onboarding**.
Deployment methods vary, depending on operating system and preferred methods. Th
| Windows 8.1 Enterprise <p>Windows 8.1 Pro <p>Windows 7 SP1 Enterprise <p>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](onboard-downlevel.md)<p>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). | | Windows Server 2019 and later <p>Windows Server 2019 core edition <p>Windows Server version 1803 and later | [Local script](configure-endpoints-script.md) <p>[Group Policy](configure-endpoints-gp.md) <p>[Configuration Manager](configure-endpoints-sccm.md) <p>[System Center Configuration Manager](configure-endpoints-sccm.md) <p>[VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) <p>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | | Windows Server 2016 <p>Windows Server 2012 R2 <p>Windows Server 2008 R2 SP1 | [Microsoft Defender Security Center](configure-server-endpoints.md)<p>[Azure Defender](/azure/security-center/security-center-wdatp) |
-|macOS:<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave)|[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-|iOS |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
-|Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+| macOS:<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave) | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+| iOS | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
+| Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 | [Onboard non-Windows devices](configure-endpoints-non-windows.md) |
## Run a detection test
To verify that your onboarded devices are properly connected to Defender for End
|Operating system |Guidance | |||
-| Windows 10 <p>Windows Server 2019 <p>Windows Server, version 1803 <p>Windows Server 2016 <p>Windows Server 2012 R2 | See [Run a detection test](run-detection-test.md). <p>Visit the Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-| macOS:<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md). |
-| Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
+| Windows 10 <p>Windows Server 2019 <p>Windows Server, version 1803 <p>Windows Server 2016 <p>Windows Server 2012 R2 | See [Run a detection test](run-detection-test.md). <p>Visit the Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
+| macOS:<p>11.3.1 (Big Sur) <p>10.15 (Catalina)<p>10.14 (Mojave) | Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <p>For more information, see [Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md). |
+| Linux:<p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 | 1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <p>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <p>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <p>For more information, see [Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md). |
## Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
-|Method |What to do |
-|||
+| Method | What to do |
+|:-|:-|
|Command Prompt | 1. On a Windows device, open Command Prompt as an administrator.<p>2. Type `sc query windefend`, and then press Enter.<p>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator.<p>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
+| PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator.<p>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
> [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
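Review bot: in the Linux row of the detection-test table, step 1 already has the reader run `mdatp health --field real_time_protection_enabled`, and only step 2 says "Open a Terminal window". As these rows are being reformatted, move the "open a Terminal" instruction to step 1 so the numbered steps can be followed in order.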
If you are using Windows Server 2016, you might have to start Microsoft Defender
## Get updates for Microsoft Defender Antivirus
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in passive mode. (See [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).)
There are two types of updates related to keeping Microsoft Defender Antivirus up to date:+ - Security intelligence updates - Product updates
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
## Uninstall your non-Microsoft solution
-Now that you have onboarded your organization's devices to Defender for Endpoint, and Microsoft Defender Antivirus is installed and enabled, your next step is to uninstall your non-Microsoft endpoint protection solution. To get help with this task, reach out to your solution provider's technical support team.
+If at this point you have:
+
+- Onboarded your organization's devices to Defender for Endpoint, and
+- Microsoft Defender Antivirus is installed and enabled,
+
+Then your next step is to uninstall your non-Microsoft endpoint protection solution.
+
+To get help with this task, reach out to your solution provider's technical support team.
## Make sure Defender for Endpoint is working correctly Now that you have onboarded to Defender for Endpoint, and you have uninstalled your former non-Microsoft solution, your next step is to make sure that Defender for Endpoint working correctly. One good way to do this is by visiting the Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:+ - Cloud-delivered protection - Potentially Unwanted Applications (PUA) - Network Protection (NP)
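Review bot: the new precondition list in "Uninstall your non-Microsoft solution" names only onboarding and Microsoft Defender Antivirus being installed and enabled, yet this page places the detection test, the passive-mode check and the update step before the uninstall. Consider listing those as conditions too, so the existing product is not removed before Defender for Endpoint has been verified. The list is also not parallel: "If at this point you have:" is followed by "Onboarded ..." and then "Microsoft Defender Antivirus is installed and enabled," and the sentence resumes with a capitalised "Then".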
Now that you have onboarded to Defender for Endpoint, and you have uninstalled y
**Congratulations**! You have completed your [migration to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)! -- [Visit your security operations dashboard](security-operations-dashboard.md) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). -
+- [Visit your security operations dashboard](security-operations-dashboard.md) in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
- [Manage Defender for Endpoint, post migration](manage-atp-post-migration.md).
security Switch To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-prepare.md
- m365solution-migratetomdatp Previously updated : 05/14/2021 Last updated : 05/20/2021
This migration phase includes the following steps: 1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)- 2. [Get Defender for Endpoint](#get-microsoft-defender-for-endpoint).- 3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).- 4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). ## Get and deploy updates across your organization's devices
Now that you've updated your organization's devices, the next step is to get Def
4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Defender for Endpoint setup: Network configuration](production-deployment.md#network-configuration).
-At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
+At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Defender for Endpoint portal, and can be accessed at [https://aka.ms/MDATPportal](https://aka.ms/MDATPportal).
+> The Microsoft Defender Security Center is sometimes referred to as the Defender for Endpoint portal, and can be accessed at [https://securitycenter.windows.com](https://securitycenter.windows.com).
## Grant access to the Microsoft Defender Security Center
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](use.md).
+The Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) is where you access and configure features and capabilities of Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](use.md).
Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
Permissions to the Microsoft Defender Security Center can be granted by using ei
If your organization requires a method other than Intune, choose one of the following options: - [Configuration Manager](/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)- - [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm)- - [Windows Admin Center](/windows-server/manage/windows-admin-center/overview) 3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](rbac.md)).
Permissions to the Microsoft Defender Security Center can be granted by using ei
To enable communication between your devices and Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
-|Capabilities | Operating System | Resources |
-|--|--|--|
-|[Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) |[Windows 10](/windows/release-health/release-information) <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
-|EDR |[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) |[Windows 10](/windows/release-health/release-information) <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) <p>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)<br/> |
-|Antivirus |macOS: <p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) |[Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
-|Antivirus |Linux: <p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 |[Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
+| Capabilities | Operating System | Resources |
+|:--|:--|:--|
+| [Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) | [Windows 10](/windows/release-health/release-information) <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) | [Configure machine proxy and internet connectivity settings](configure-proxy-internet.md) |
+| EDR | [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016) <p>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<p>[Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<p>[Windows 7 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](onboard-downlevel.md#configure-proxy-and-internet-connectivity-settings) |
+| EDR | macOS:<p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) | [Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+| [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) | [Windows 10](/windows/release-health/release-information) <p>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<p>[Windows Server 1803 or later](/windows-server/get-started/whats-new-in-windows-server-1803) <p>[Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016) | [Configure and validate Microsoft Defender Antivirus network connections](configure-network-connections-microsoft-defender-antivirus.md)<br/> |
+| Antivirus | macOS:<p>11.3.1 (Big Sur)<p>10.15 (Catalina)<p>10.14 (Mojave) | [Defender for Endpoint on macOS: Network connections](microsoft-defender-endpoint-mac.md#network-connections) |
+| Antivirus | Linux: <p>RHEL 7.2+<p>CentOS Linux 7.2+<p>Ubuntu 16 LTS, or higher LTS<p>SLES 12+<p>Debian 9+<p>Oracle Linux 7.2 | [Defender for Endpoint on Linux: Network connections](microsoft-defender-endpoint-linux.md#network-connections) |
## Next step
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
- m365solution-migratetomdatp Previously updated : 05/14/2021 Last updated : 05/20/2021
**Welcome to the Setup phase of [switching to Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps: 1. [Reinstall/enable Microsoft Defender Antivirus on your endpoints](#reinstallenable-microsoft-defender-antivirus-on-your-endpoints).- 2. [Configure Defender for Endpoint](#configure-defender-for-endpoint).- 3. [Add Defender for Endpoint to the exclusion list for your existing solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).- 4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus).- 5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).- 6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection). ## Reinstall/enable Microsoft Defender Antivirus on your endpoints
-On certain versions of Windows, Microsoft Defender Antivirus is likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. For more information, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
+On certain versions of Windows, Microsoft Defender Antivirus was likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. Unless and until devices are onboarded to Defender for Endpoint, Microsoft Defender Antivirus does not run in active mode alongside a non-Microsoft antivirus solution. To learn more, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
-On Windows clients, when a non-Microsoft antivirus/antimalware solution is installed, Microsoft Defender Antivirus is disabled automatically until those devices are onboarded to Defender for Endpoint. When the client endpoints are onboarded to Defender for Endpoint, Microsoft Defender Antivirus goes into passive mode until the non-Microsoft antivirus solution is uninstalled. Microsoft Defender Antivirus should still be installed, but is likely disabled at this point of the migration process. Unless Microsoft Defender Antivirus has been uninstalled, you do not need to take any action for your Windows clients.
+Now that you're planning to switch to Defender for Endpoint, you might need to take certain steps to reinstall or enable Microsoft Defender Antivirus.
-On Windows servers, when a non-Microsoft antivirus/antimalware in installed, Microsoft Defender Antivirus is disabled manually (if not uninstalled). The following tasks help ensure that Microsoft Defender Antivirus is installed and set to passive mode on Windows Server.
-- [Set DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) (only if necessary)
+| Endpoint type | What to do |
+|||
+| Windows clients (such as endpoints running Windows 10) | In general, you do not need to take any action for Windows clients (unless Microsoft Defender Antivirus has been uninstalled). Here's why: <p>Microsoft Defender Antivirus should still be installed, but is most likely disabled at this point of the migration process.<p> When a non-Microsoft antivirus/antimalware solution is installed and the clients are not yet onboarded to Defender for Endpoint, Microsoft Defender Antivirus is disabled automatically. <p>Later, when the client endpoints are onboarded to Defender for Endpoint, if those endpoints are running a non-Microsoft antivirus solution, Microsoft Defender Antivirus goes into passive mode. <p>If the non-Microsoft antivirus solution is uninstalled, Microsoft Defender Antivirus goes into active mode automatically. |
+|Windows servers | On Windows Server, you'll need to reinstall Microsoft Defender Antivirus, and set it to passive mode manually. Here's why: <p>On Windows servers, when a non-Microsoft antivirus/antimalware is installed, Microsoft Defender Antivirus cannot run alongside the non-Microsoft antivirus solution. In those cases, Microsoft Defender Antivirus is disabled or uninstalled manually. <p>To reinstall or enable Microsoft Defender Antivirus on Windows Server, perform the following taks: <p>- [Set DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) (only if necessary)<br/>- [Reinstall Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server)<br/>- [Set Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) |
-- [Reinstall Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server) -- [Set Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
+To learn more about Microsoft Defender Antivirus states with non-Microsoft antivirus protection, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
### Set DisableAntiSpyware to false on Windows Server
-The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee, Symantec, or others. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
+The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee, Symantec, or others. **In general, you should not have this registry key on your Windows devices and endpoints**; however, if you *do* have `DisableAntiSpyware` configured, here's how to set its value to false:
1. On your Windows Server device, open Registry Editor.
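Review bot: the separator row of the new "Endpoint type / What to do" table reads `|||`, with no dashes, while the passive-mode table in the Onboard article moves to `|:-|:-|` in this same set of changes; use the same separator here so the table renders. In the Windows servers row, "perform the following taks" should be "tasks", and that row starts with `|Windows servers` without the space used in the row above.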
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <p> `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
- > [!NOTE]
- > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
- > Example:<br/>
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<p>
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
+ > [!NOTE]
+ > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
+ > Example:<br/>
+ > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<p>
+ > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/> `Get-Service -Name windefend`
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
If you have endpoints running Windows Server 2016, you cannot run Microsoft Defender Antivirus alongside a non-Microsoft antivirus/antimalware solution. Microsoft Defender Antivirus cannot run in passive mode on Windows Server 2016. In this case, you'll need to uninstall the non-Microsoft antivirus/antimalware solution, and install/enable Microsoft Defender Antivirus instead. To learn more, see [Antivirus solution compatibility with Defender for Endpoint](microsoft-defender-antivirus-compatibility.md).
-If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet:
+If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, follow these steps:
-`mpcmdrun -wdenable`
+1. On the device, open PowerShell as an administrator.
-For more information, see [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
+2. Type the following PowerShell cmdlet: `mpcmdrun -wdenable`
+
+> [!TIP]
+> For more information, see [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
## Configure Defender for Endpoint
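Review bot: Step 2 still calls `mpcmdrun -wdenable` a PowerShell cmdlet, but it is a call to the MpCmdRun command-line tool, so "Run the following command" is the accurate wording. The removed line had the same slip, which makes this rewrite the right place to fix it. The new steps also stop at running the command; add a final step that confirms the result, for example the `Get-Service -Name windefend` check this article already uses.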
During this step of the setup process, you add your existing solution to the Mic
### Keep the following points about exclusions in mind
-When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
+When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions.
-- *Path exclusions* exclude specific files and whatever those files access.
+Keep the following points in mind:
+- *Path exclusions* exclude specific files and whatever those files access.
- *Process exclusions* exclude whatever a process touches, but does not exclude the process itself.- - List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)- - If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
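Review bot: The added line "Keep the following points in mind:" now sits directly under the heading "### Keep the following points about exclusions in mind", so the page says the same thing twice in a row. Drop the sentence and let the list follow the first paragraph, or shorten the heading. While this list is being touched, "*Process exclusions* exclude whatever a process touches, but does not exclude the process itself" should read "do not exclude".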
Device groups, device collections, and organizational units enable your security
Using Configuration Manager and your device collection(s), configure your antimalware policies. - See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).- - While you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md). > [!TIP]
security Advanced Hunting Aadsignineventsbeta Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadsignineventsbeta-table.md
ms.technology: m365d
- Microsoft 365 Defender >[!IMPORTANT]
-> The `AADSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) sign-in events. We will eventually move all sign-in schema information to the `IdentityLogonEvents` table.<br><br>
-> Customers who can access Microsoft 365 Defender through the Azure DefenderΓÇÖs integrated Microsoft Defender for Endpoint solution, but do not have licenses for Microsoft Defender for Office, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.
+> The `AADSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) sign-in events. We will eventually move all sign-in schema information to the `IdentityLogonEvents` table.
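Review bot: The licensing restriction is lost from the `[!IMPORTANT]` block. The removed line said that customers who reach Microsoft 365 Defender through Azure Defender's integrated Defender for Endpoint solution, without licenses for Defender for Office, Defender for Identity, or Cloud App Security, cannot view this schema, and no added line carries that forward. If the restriction still applies, keep the sentence and fix the mis-encoded apostrophe in "Azure Defender's"; if it no longer applies, say so in the commit message so the removal is not read as an accident.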
 
security Advanced Hunting Aadspnsignineventsbeta Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-aadspnsignineventsbeta-table.md
ms.technology: m365d
- Microsoft 365 Defender >[!IMPORTANT]
-> The `AADSpnSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) service principal and managed identity sign-in events. We will eventually move all sign-in schema information to the `IdentityLogonEvents` table.<br><br>
-> Customers who can access Microsoft 365 Defender through the Azure DefenderΓÇÖs integrated Microsoft Defender for Endpoint solution, but do not have licenses for Microsoft Defender for Office, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.
+> The `AADSpnSignInEventsBeta` table is currently in beta and is being offered on a short-term basis to allow you to hunt through Azure Active Directory (AAD) service principal and managed identity sign-in events. We will eventually move all sign-in schema information to the `IdentityLogonEvents` table.
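Review bot: Dropping the license caveat from this `[!IMPORTANT]` block leaves no statement of who can query `AADSpnSignInEventsBeta`. If viewing the schema still depends on holding a Defender for Office, Defender for Identity, or Cloud App Security license, keep that sentence or link to where the requirement is documented; otherwise readers without those licenses have no explanation for why the table is missing.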
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
This table lists the filter names that are available.
After you've determined which incident requires the highest priority, select it and: -- [Manage](manage-incidents.md) the properties of the incident for tags, assignment to a security analyst, and comments.
+- [Manage](manage-incidents.md) the properties of the incident for tags, assignment, immediate resolution for false positive incidents, and comments.
- Begin your [investigation](investigate-incidents.md). ## See also
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
Here are the ways you can manage your incidents:
- [Edit the incident name](#edit-the-incident-name) - [Add incident tags](#add-incident-tags)-- [Assign the incident to a user account](#assign-incidents)
+- [Assign the incident to yourself](#assign-incidents)
- [Resolve them](#resolve-an-incident) - [Set its classification and determination](#set-the-classification-and-determination) - [Add comments](#add-comments)
When you start typing, you have the option to select from a list of selected tag
## Assign incidents
-If an incident has not yet been assigned, you can select **Assign to** and specify the user account. Doing so assigns ownership of the incident and all the alerts associated with it.
+To assign an incident, select **Assign to me**. Doing so assigns ownership of the incident and all the alerts associated with it to your user account.
+
+You can get a list of incidents assigned to you by filtering the incident queue.
+
+1. From the incident queue, select **Filters**.
+2. in the **Incident assignment** section, clear **Select all** and select **Assigned to me**.
+3. Select **Apply**, and then close the **Filters** pane.
+
+You can then save the resulting URL in your browser as a bookmark to quickly see the list of incidents assigned to you.
## Resolve an incident
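Review bot: The new first sentence drops the old precondition "If an incident has not yet been assigned", so the section no longer says what **Assign to me** does to an incident that already has an owner. State whether it takes the incident and its alerts away from the current owner, since that changes who is accountable for the response. Step 2 also starts with a lowercase "in".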
security Configure Advanced Delivery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-advanced-delivery.md
description: Admins can learn how to use the advanced delivery policy in Exchange Online Protection (EOP) to identify messages that should not be filtered in specific supported scenarios (third-party phishing simulations and messages delivered to security operations (SecOps) mailboxes. ms.technology: mdo ms.prod: m365-security- # Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes
security Configure The Outbound Spam Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-the-outbound-spam-policy.md
To increase the effectiveness of outbound spam filtering, you can create custom
For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
- **Notes**:
-
- - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
- - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
+ > [!NOTE]
+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+ >
+ > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
- For our recommended settings for outbound spam policies, see [EOP outbound spam filter policy settings](recommended-settings-for-eop-and-office365.md#eop-outbound-spam-policy-settings).
Creating an outbound spam policy in PowerShell is a two-step process:
1. Create the outbound spam filter policy. 2. Create the outbound spam filter rule that specifies the outbound spam filter policy that the rule applies to.
- **Notes**:
--- You can create a new outbound spam filter rule and assign an existing, unassociated outbound spam filter policy to it. An outbound spam filter rule can't be associated with more than one outbound spam filter policy.--- You can configure the following settings on new outbound spam filter policies in PowerShell that aren't available in the Security & Compliance Center until after you create the policy:-
- - Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedOutboundSpamFilterRule** cmdlet).
- - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedOutboundSpamFilterRule** cmdlet).
--- A new outbound spam filter policy that you create in PowerShell isn't visible in the Security & Compliance Center until you assign the policy to a spam filter rule.
+> [!NOTE]
+> - You can create a new outbound spam filter rule and assign an existing, unassociated outbound spam filter policy to it. An outbound spam filter rule can't be associated with more than one outbound spam filter policy.
+>
+> - You can configure the following settings on new outbound spam filter policies in PowerShell that aren't available in the Security & Compliance Center until after you create the policy:
+>
+> - Create the new policy as disabled (_Enabled_ `$false` on the **New-HostedOutboundSpamFilterRule** cmdlet).
+> - Set the priority of the policy during creation (_Priority_ _\<Number\>_) on the **New-HostedOutboundSpamFilterRule** cmdlet).
+>
+> - A new outbound spam filter policy that you create in PowerShell isn't visible in the Security & Compliance Center until you assign the policy to a spam filter rule.
#### Step 1: Use PowerShell to create an outbound spam filter policy
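Review bot: The parentheses in the second nested bullet are unbalanced: `(_Priority_ _\<Number\>_) on the **New-HostedOutboundSpamFilterRule** cmdlet).` closes twice. The removed version had the same error, and since the line is rewritten here it should be brought in line with the bullet above it: `(_Priority_ _\<Number\>_ on the **New-HostedOutboundSpamFilterRule** cmdlet)`.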
security Identity Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md
This guidance discusses how to deploy the recommended policies in a newly-provis
The following diagram illustrates the recommended set of policies. It shows which tier of protections each policy applies to and whether the policies apply to PCs or phones and tablets, or both categories of devices. It also indicates where you configure these policies.
-[![Common policies for configuring identity and device access](../../media/microsoft-365-policies-configurations/Identity-device-access-policies-byplan.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/microsoft-365-policies-configurations/Identity-device-access-policies-byplan.png)
+[![Common policies for configuring identity and device access](../../media/microsoft-365-policies-configurations/identity-device-access-policies-byplan.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/microsoft-365-policies-configurations/identity-device-access-policies-byplan.png)
Here's a one-page PDF summary with links to the individual policies:
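Review bot: Both the relative media path and the raw GitHub URL now point at `identity-device-access-policies-byplan.png` in lower case, so the file itself has to be renamed in the same commit. If only the references change, the image and its full-size link break wherever paths are case-sensitive.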
To give you time to accomplish these tasks, we recommend implementing the baseli
||[Apply Application Protection Policies (APP) data protection](#apply-app-data-protection-policies)|One Intune App Protection policy per platform (Windows, iOS/iPadOS, Android).|Microsoft 365 E3 or E5| ||[Require approved apps and app protection](#require-approved-apps-and-app-protection)|Enforces mobile app protection for phones and tablets using iOS, iPadOS, or Android.|Microsoft 365 E3 or E5| ||[Define device compliance policies](#define-device-compliance-policies)|One policy for each platform.|Microsoft 365 E3 or E5|
-||[Require compliant PCs](#require-compliant-pcs-but-not-compliant-phones-and-tablets)|Enforces Intune management of PCs using Windows or MacOS.|Microsoft 365 E3 or E5|
+||[Require compliant PCs](#require-compliant-pcs-but-not-compliant-phones-and-tablets)|Enforces Intune management of PCs using Windows or macOS.|Microsoft 365 E3 or E5|
|**Sensitive**|[Require MFA when sign-in risk is *low*, *medium*, or *high*](#require-mfa-based-on-sign-in-risk)||Microsoft 365 E5 or Microsoft 365 E3 with the E5 Security add-on|
-||[Require compliant PCs *and* mobile devices](#require-compliant-pcs-and-mobile-devices)|Enforces Intune management for both PCs (Windows or MacOS) and phones or tablets (iOS, iPadOS, or Android).|Microsoft 365 E3 or E5|
+||[Require compliant PCs *and* mobile devices](#require-compliant-pcs-and-mobile-devices)|Enforces Intune management for both PCs (Windows or macOS) and phones or tablets (iOS, iPadOS, or Android).|Microsoft 365 E3 or E5|
|**Highly regulated**|[*Always* require MFA](#assigning-policies-to-groups-and-users)||Microsoft 365 E3 or E5| |
security Microsoft 365 Policies Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
It's important to use consistent levels of protection across your data, identiti
The **Identity and device protection for Microsoft 365** architecture model shows you which capabilities are comparable.
-[![Thumb image for Identity and device protection for Microsoft 365 poster](../../media/microsoft-365-policies-configurations/O365-Identity-device-protection-thumb.png)](../../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) <br> [View as a PDF](../../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.vsdx)
+[![Thumb image for Identity and device protection for Microsoft 365 poster](../../media/microsoft-365-policies-configurations/o365-identity-device-protection-thumb.png)](../../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) <br> [View as a PDF](../../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.vsdx)
Additionally, see the [Deploy information protection for data privacy regulations](../../solutions/information-protection-deploy.md) solution to protect information stored in Microsoft 365.
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
Safe Links protection is available in the following locations:
- **Email messages**: Safe Links protection for links in email messages is controlled by Safe Links policies. There is no default Safe Links policy, **so to get the protection of Safe Links in email messages, you need to create one or more Safe Links policies**. For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md). For more information about Safe Links protection for email messages, see the [Safe Links settings for email messages](#safe-links-settings-for-email-messages) section later in this article.
+
+ > [!NOTE]
+ > Safe Links does not work on mail-enabled public folders.
- **Microsoft Teams** (currently in TAP Preview): Safe Links protection for links in Teams conversations, group chats, or from channels is also controlled by Safe Links policies. There is no default Safe Links policy, **so to get the protection of Safe Links in Teams, you need to create one or more Safe Links policies**.
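Review bot: "Safe Links does not work on mail-enabled public folders" does not tell the reader what to expect for messages delivered to those folders. Say what is actually missing, for example whether links in those messages are left unprotected by the Safe Links policy, so admins do not assume a policy covers every mail recipient.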
The settings in Safe Links policies that apply to email messages are described i
- **Priority**: If you create multiple policies, you can specify the order that they're applied. No two policies can have the same priority, and policy processing stops after the first policy is applied. For more information about the order of precedence and how multiple policies are evaluated and applied, see [Order and precedence of email protection](how-policies-and-protections-are-combined.md).-
+
### How Safe Links works in email messages At a high level, here's how Safe Links protection works on URLs in email messages:
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
Delivering user reported messages to a custom mailbox instead of directly to Mic
Use the following articles to configure the prerequisites required so user reported messages go to your custom mailbox: -- Skip spam filtering on the custom mailbox by creating an exchange mail flow rule to set the spam confidence level. See [Use the EAC to create a mail flow rule that sets the SCL of a message](use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages.md#use-the-eac-to-create-a-mail-flow-rule-that-sets-the-scl-of-a-message) to set the SCL to **-1**.
+- Skip spam filtering on the custom mailbox by creating an exchange mail flow rule to set the spam confidence level. See [Use the EAC to create a mail flow rule that sets the SCL of a message](use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages.md#use-the-eac-to-create-a-mail-flow-rule-that-sets-the-scl-of-a-message) to set the SCL to **Bypass spam filtering**.
- Turn off scanning attachments for malware in the custom mailbox. Use [Set up Safe Attachments policies in Defender for Office 365](set-up-safe-attachments-policies.md) to create a Safe Attachments policy with the setting **Off** for **Safe Attachments unknown malware response**.
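Review bot: Replacing **-1** with **Bypass spam filtering** drops the numeric value from the bullet, which is what someone reviewing or scripting the rule will look for; consider "**Bypass spam filtering** (SCL -1)". Because this rule turns spam filtering off, the bullet should also say explicitly that the rule's condition must limit it to the custom mailbox. "exchange" should be capitalized.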
solutions Configure Teams Highly Sensitive Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-highly-sensitive-protection.md
Each time you create a new team with the highly sensitive label, there are two s
- Update the guest sharing settings for the site in the SharePoint admin center to update the default sharing link to *People with existing access*. - Update the site sharing settings in the site itself to prevent members from sharing files, folders, or the site, and turn off access requests.
-### Site guest sharing settings
+### Site default sharing link settings
-The guest sharing setting that you chose when you created the label (which only affects team membership) should match the guest sharing settings for the associated SharePoint site as follows:
+To update the site default sharing link type
-|Label setting|SharePoint site setting|
-|:|:-|
-|**Let Office 365 group owners add people outside the organization to the group** selected|**New and existing guests** (default for new teams)|
-|**Let Office 365 group owners add people outside the organization to the group** not selected|**Only people in your organization**|
-
-To update site settings
1. Open the [SharePoint admin center](https://admin.microsoft.com/sharepoint). 2. Under **Sites**, click **Active sites**. 3. Click the site that is associated with team. 4. On the **Policies** tab, under **External sharing**, click **Edit**.
-5. If you allowed guest sharing when you created the Highly sensitive label, ensure that **New and existing guests** is selected. If you didn't allow sharing when you created the label, choose **Only people in your organization**.
-6. Under Default sharing link type, clear the **Same as organization-level setting** check box, and select **People with existing access**.
-7. Click **Save**.
-
-If you want to script this as part of your team creation process, you can use [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) with the following parameters:
--- `-SharingCapability Disabled` to turn off guest sharing (it's on by default)-- `-DefaultSharingLinkType Internal` to change the default sharing link to *Specific people*
+5. Under Default sharing link type, clear the **Same as organization-level setting** check box, and select **People with existing access**.
+6. Click **Save**.
#### Private channels
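Review bot: This page loses its scripting guidance entirely: the removed `Set-SPOSite` paragraph has no added counterpart, so teams that automate team creation are left with manual steps 5 and 6 only. The removed text was wrong for this tier (it described `-DefaultSharingLinkType Internal` as *Specific people*, while the UI step selects **People with existing access**), so deleting it is reasonable. Either document the parameter value that corresponds to **People with existing access**, or state that this setting has to be made in the SharePoint admin center. "To update the site default sharing link type" also needs a trailing colon.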
solutions Configure Teams Sensitive Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/configure-teams-sensitive-protection.md
Each time you create a new team with the sensitive label, there are two steps to
- Update the guest sharing settings for the site in the SharePoint admin center to update the default sharing link to *Specific people*. - Update the site sharing settings in the site itself to prevent members from sharing the site.
-### Site guest sharing settings
+### Site default sharing link settings
-The guest sharing setting that you chose when you created the label (which only affects team membership) should match the guest sharing settings for the associated SharePoint site as follows:
+To update the site default sharing link type
-|Label setting|SharePoint site setting|
-|:|:-|
-|**Let Office 365 group owners add people outside the organization to the group** selected|**New and existing guests** (default for new teams)|
-|**Let Office 365 group owners add people outside the organization to the group** not selected|**Only people in your organization**|
-
-To update site settings
1. Open the [SharePoint admin center](https://admin.microsoft.com/sharepoint). 2. Under **Sites**, click **Active sites**. 3. Click the site that is associated with team. 4. On the **Policies** tab, under **External sharing**, click **Edit**.
-5. If you allowed guest sharing when you created the sensitive label, ensure that **New and existing guests** is selected. If you didn't allow sharing when you created the label, choose **Only people in your organization**.
-6. Under Default sharing link type, clear the **Same as organization-level setting** check box, and select **Specific people (only the people the user specifies)**.
-7. Click **Save**.
-
-If you want to script this as part of your team creation process, you can use [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) with the following parameters:
+5. Under Default sharing link type, clear the **Same as organization-level setting** check box, and select **Specific people (only the people the user specifies)**.
+6. Click **Save**.
-- `-SharingCapability Disabled` to turn off guest sharing (it's on by default)-- `-DefaultSharingLinkType Internal` to change the default sharing link to *Specific people*
+If you want to script this as part of your team creation process, you can use [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) with the `-DefaultSharingLinkType Direct` parameter to change the default sharing link to *Specific people*.
#### Private channels
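Review bot: With the label-to-site table and the old step 5 removed, nothing in this section tells the reader to check that the site's external sharing setting agrees with the guest setting chosen on the label, and `-SharingCapability Disabled` is gone from the scripting paragraph as well. The removed text said the two settings should match; if that is now enforced elsewhere, add a sentence saying where, and if not, keep the check. The intro bullet above still says to "Update the guest sharing settings for the site", which no longer fits the new heading "Site default sharing link settings".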
solutions Deploy Threat Protection Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/deploy-threat-protection-configure.md
Follow these steps to configure threat protection across Microsoft 365.
Microsoft has tested and recommends a specific set of Conditional Access and related policies for protecting access to all of your SaaS applications, especially Microsoft 365. Policies are recommended for baseline, sensitive, and highly regulated protection. Begin by implementing the policies for baseline protection.
-[![Common policies for configuring identity and device access](../media/microsoft-365-policies-configurations/Identity-device-access-policies-byplan.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/microsoft-365-policies-configurations/Identity-device-access-policies-byplan.png)
-[See a larger version of this image](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/microsoft-365-policies-configurations/Identity-device-access-policies-byplan.png)
+[![Common policies for configuring identity and device access](../media/microsoft-365-policies-configurations/identity-device-access-policies-byplan.png)](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/microsoft-365-policies-configurations/identity-device-access-policies-byplan.png)
+[See a larger version of this image](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/media/microsoft-365-policies-configurations/identity-device-access-policies-byplan.png)
### To implement baseline protection for Microsoft 365
solutions Productivity Illustrations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/productivity-illustrations.md
Recommended capabilities for protecting identities and devices that access Micro
| Item | Description | |:--|:--|
-|[![Model poster: Identity and device protection for Microsoft 365](../media/microsoft-365-policies-configurations/O365-Identity-device-protection-thumb.png)](../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) <br/> [View as a PDF](../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.vsdx) <br/> Updated September 2020|It's important to use consistent levels of protection across your data, identities, and devices. This model shows you which capabilities are comparable with more information on capabilities to protect identities and devices. <br/> |
+|[![Model poster: Identity and device protection for Microsoft 365](../media/microsoft-365-policies-configurations/o365-identity-device-protection-thumb.png)](../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) <br/> [View as a PDF](../downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a PDF](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.pdf) \| [Download as a Visio](https://github.com/MicrosoftDocs/microsoft-365-docs/raw/public/microsoft-365/downloads/MSFT_cloud_architecture_identity&device_protection.vsdx) <br/> Updated September 2020|It's important to use consistent levels of protection across your data, identities, and devices. This model shows you which capabilities are comparable with more information on capabilities to protect identities and devices. <br/> |
<a name="BKMK_ediscovery"></a> ## Advanced eDiscovery architecture in Microsoft 365