Updates from: 05/26/2023 01:40:36
Category | Microsoft Docs article | Related commit history on GitHub | Change details
business-premium | M365bp Admin Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-admin-guide.md
Title: "Administration guide for Microsoft 365 Business Premium"
+ Title: "Tenant administration guide for Microsoft 365 Business Premium"
f1.keywords: - NOCSH
search.appverid:
description: "Get an overview of tasks your administrators perform to maintain your Microsoft 365 Business Premium subscription."
-# Microsoft 365 Business Premium administration guide
+# Microsoft 365 Business Premium tenant administration guide
Maintaining your Microsoft 365 Business Premium environment includes managing user accounts, managing devices, and keeping things up to date and working correctly. Use this article as an admin guide for your organization.
-Admin tasks are typically performed in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)). If you're new to Microsoft 365, take a moment to get an [Overview of the Microsoft 365 admin center](../admin/admin-overview/admin-center-overview.md).
+Many admin tasks can be performed in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)), although some tasks, such as adding/removing devices, can be performed in other portals (such as the Microsoft 365 Defender portal or the Microsoft Intune admin center).
+
+If you're new to Microsoft 365, take a moment to get an [Overview of the Microsoft 365 admin center](../admin/admin-overview/admin-center-overview.md).
## General tasks
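Review bot: the added sentence beginning "+Many admin tasks can be performed..." calls the device work "adding/removing devices", while the security administration row in m365bp-maintain-environment.md (changed in this same update) calls it "onboarding or offboarding devices" and assigns it to security admins working in the Microsoft 365 Defender portal and the Microsoft Intune admin center; use one term in both places and say which portal handles the device tasks, so the reader is not pointed at two portals for an unnamed subset of tasks.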
business-premium | M365bp Maintain Environment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-maintain-environment.md
The [missions](index.md) that were completed during the setup and configuration
| Area | Description | |||
-| Microsoft 365 administration | Microsoft 365 administration includes tasks that your administrators (also referred to as *admins*) perform in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) (and potentially other admin centers, such as the Exchange admin center). <br/><br/>As new employees come in and other employees leave, it's important to manage user accounts and devices. Your admins can add or remove users, reset passwords, reset devices to factory settings, and more. These kinds of tasks (and more!) are listed in the [Microsoft 365 Business Premium administration guide](m365bp-admin-guide.md). |
+| Microsoft 365 administration<br/>(*tenant administration*) | Microsoft 365 administration includes tasks that your administrators (also referred to as *admins*) perform in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) (and potentially other admin centers, such as the Exchange admin center). <br/><br/>As new employees come in and other employees leave, it's important to manage user accounts and devices. Your admins can add or remove users, reset passwords, reset devices to factory settings, and more. These kinds of tasks (and more!) are listed in the [Microsoft 365 Business Premium tenant administration guide](m365bp-admin-guide.md). |
| Security administration | Security administration includes tasks that your security administrators (also referred to as *security admins*) perform in portals, such as: <br/>- The Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) <br/>- The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com))<br/>- The Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com))<br/><br/>These kinds of tasks include defining or editing security policies, onboarding or offboarding devices, and so forth, and are listed in the [Microsoft 365 Business Premium security admin guide](m365bp-security-admin-guide.md). | | Security operations | Security operations (also referred to as *SecOps*) and includes tasks that your security team performs in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). <br/><br/>As threats are detected, those threats must be reviewed and addressed. Regular antivirus scans should occur on devices, and you can initiate scans when needed. In addition, you can run automated investigations on devices that have a high risk level or detected threats. These kinds of security tasks (and more!) are listed in the [Microsoft 365 Business Premium security operations guide](m365bp-security-operations-guide.md). |
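Review bot: the rewritten "Microsoft 365 administration (tenant administration)" row still describes the portals as "the Microsoft 365 admin center ... (and potentially other admin centers, such as the Exchange admin center)", while the tenant administration guide it links to now says that device tasks can also be done in the Microsoft 365 Defender portal or the Microsoft Intune admin center; list the same portals in both places so the table and the linked guide agree on where tenant-admin work happens.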
compliance | Audit Log Activities | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-activities.md
You can search the audit log for app-related activities in Power Apps. These act
You can search the audit log for activities in Power Automate (formerly called Microsoft Flow). These activities include creating, editing, and deleting flows, and changing flow permissions. For information about auditing for Power Automate activities, see the blog [Power Automate audit events now available in compliance portal](https://flow.microsoft.com/blog/security-and-compliance-center).
+## Microsoft Project for the web activities
+
+You can search the audit log for activities in Microsoft Project for the web. Microsoft Project for the web is built on the [Microsoft Dataverse](https://powerplatform.microsoft.com/dataverse/) and has an associated Project Power App. To enable auditing for scenarios where the user is using the Microsoft Dataverse or the Project Power App, see the [System Settings Auditing tab](/power-platform/admin/system-settings-dialog-box-auditing-tab) guidance. For a list of entities related to Project for the web, see the [Export user data from Project for the web](/project-for-the-web/export-user-data-from-project-for-the-web#find-user-data-in-dataverse-with-the-advanced-find-search-feature) guidance.
+
+For information about Microsoft Project for the web, see [Microsoft Project for the web](https://support.microsoft.com/office/get-started-with-project-for-the-web-50bf3e29-0f0d-4b7a-9d2c-7c78389b67ad).
+
+>[!NOTE]
+>Auditing events for Microsoft Project for the web activities requires a paid Project Plan 1 license (or higher) in addition to the relevant Microsoft 365 license that includes entitlements to Audit (Premium).
+
+|Friendly name|Operation|Description|
+|:|:--|:-|
+|Created project|ProjectCreated|A project is created by a user or app.|
+|Created roadmap|RoadmapCreated|A roadmap is created by a user or app.|
+|Created roadmap item|RoadmapItemCreated|A roadmap item is created by a user or app.|
+|Created task|TaskCreated|A task is created by a user or app.|
+|Deleted project|ProjectDeleted|A project is deleted by a user or app.|
+|Deleted roadmap|RoadmapDeleted|A roadmap is deleted by a user or app.|
+|Deleted roadmap item|RoadmapItemDeleted|A roadmap item is deleted by a user or app.|
+|Deleted task|TaskDeleted|A task is deleted by a user or app.|
+|Project accessed|ProjectAccessed|A project is read or app.|
+|Project home accessed|ProjectListAccessed|A list of projects and/or roadmaps is queried by a user.|
+|Roadmap accessed|RoadmapAccessed|A roadmap is read by a user or app.|
+|Roadmap item accessed|RoadmapItemAccessed|A roadmap item is read by a user or app.|
+|Task accessed|TaskAccessed|A task is read by a user or app.|
+|Updated project settings|ProjectForTheWebProjectSettings|Project settings is updated by an admin.|
+|Updated roadmap|RoadmapUpdated|A roadmap is modified by a user or app.|
+|Updated roadmap item|RoadmapItemUpdated|A roadmap item is modified by a user or app.|
+|Updated roadmap settings|ProjectForTheWebRoadmaptSettings|Roadmap settings is updated by an admin.|
+|Updated task|TaskUpdated|A task is modified by a user or app.|
+|Updated project|ProjectUpdated|A project is modified by a user or app.|
+ ## Microsoft Stream activities You can search the audit log for activities in Microsoft Stream. These activities include video activities performed by users, group channel activities, and admin activities such as managing users, managing organization settings, and exporting reports. For a description of these activities, see the "Actions logged in Stream" section in [Audit Logs in Microsoft Stream](/stream/audit-logs#actions-logged-in-stream).
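Review bot: the description for ProjectAccessed reads "A project is read or app." and is missing "by a user"; it should match the neighbouring rows ("A project is read by a user or app."). Two further problems in the same table: the roadmap settings operation is spelled "ProjectForTheWebRoadmaptSettings" (stray "t"), and the two settings operations ("ProjectForTheWebProjectSettings", "ProjectForTheWebRoadmaptSettings") follow neither the Verb-Noun pattern of every other operation in the table nor the "ProjectTenantSettingsUpdated" / "RoadmapTenantSettingsUpdated" names added to the record-type table in audit-log-search.md in this same update; verify these strings against real audit records before publishing, because readers will paste them into a search. Minor: "Project settings is updated" and "Roadmap settings is updated" should read "are updated", and the "Updated project" row sits after "Updated task", breaking the alphabetical order the rest of the table follows.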
If your organization is using the Shifts app in Microsoft Teams, you can search
For a description of Shifts app activities, see [Search the audit log for events in Microsoft Teams](/microsoftteams/audit-log-events#shifts-in-teams-activities).
+## Microsoft To Do activities
+
+The following table lists the activities in Microsoft To Do that are logged in the Microsoft 365 audit log. For more information about Microsoft To Do, see [Support for Microsoft To Do](https://support.microsoft.com/todo).
+
+> [!NOTE]
+> Auditing events for Microsoft To Do activities requires a paid Project Plan 1 license (or higher) in addition to the relevant Microsoft 365 license that includes entitlements to Audit (Premium).
+
+|Friendly name|Operation|Description|
+|:|:--|:-|
+|Accepted sharing link on folder|AcceptedSharingLinkOnFolder|Accepted sharing link for a folder.|
+|Attachment created|AttachmentCreated|An attachment was created for a task.|
+|Attachment updated|AttachmentUpdated|An attachment was updated.|
+|Attachment deleted |AttachmentDeleted|An attachment was deleted.|
+|Folder sharing link shared|FolderSharingLinkShared|Created a sharing link for a folder.|
+|Linked entity deleted|LinkedEntityDeleted|A linked entity was deleted.|
+|Linked entity updated|LinkedEntityUpdated|A linked entity was updated.|
+|Linked entity created|LinkedEntityCreated|A linked entity of task was created.|
+|SubTask created|SubTaskCreated|A subtask was created.|
+|SubTask deleted|SubTaskDeleted|A subtask was deleted.|
+|SubTask updated|SubTaskUpdated|A subtask was updated.|
+|Task created|TaskCreated|A task was created.|
+|Task deleted|TaskDeleted|A task was deleted.|
+|Task read|TaskRead|A task was read.|
+|Task updated|TaskUpdated|A task was updated.|
+|TaskList created|TaskListCreated|A task list was created.|
+|TaskList read|TaskListRead|A task list was read.|
+|TaskList updated|TaskListUpdated |A task list was updated.|
+|User invited|UserInvited|Invited user to a folder.|
+ ## Microsoft Workplace Analytics activities Workplace Analytics provides insight into how groups collaborate across your organization. The following table lists activities performed by users that are assigned the Administrator role or the Analyst roles in Workplace Analytics. Users assigned the Analyst role have full access to all service features and use the product to do analysis. Users assigned the Administrator role can configure privacy settings and system defaults, and can prepare, upload, and verify organizational data in Workplace Analytics. For more information, see [Workplace Analytics](/workplace-analytics/index-orig).
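Review bot: the NOTE states that auditing To Do activities "requires a paid Project Plan 1 license (or higher)", which looks copied from the Project for the web section above; confirm the actual licensing requirement for To Do, since this note is the only licensing statement the reader gets and a Project license requirement for To Do is surprising. Also, TaskCreated, TaskDeleted and TaskUpdated are listed here with exactly the same operation names as in the Project for the web table, so a search filtered on operation alone returns events from both apps; tell readers to scope by record type (this update adds MicrosoftToDo and MicrosoftToDoAudit to audit-log-search.md), for example with the -RecordType parameter of Search-UnifiedAuditLog. Minor: the descriptions mix voices ("Accepted sharing link for a folder." versus "An attachment was created for a task."); use one form throughout.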
compliance | Audit Log Search | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-search.md
Need to find if a user viewed a specific document or purged an item from their m
## Microsoft 365 services that support auditing
-Why a unified audit log? Because you can search the audit log for activities performed in different Microsoft 365 services. The following table lists the Microsoft 365 services and features that are supported by the unified audit log.
+Why a unified audit log? Because you can search the audit log for activities performed in different Microsoft 365 services. The following table lists the Microsoft 365 services, apps, and features that are supported by the unified audit log.
|Microsoft 365 service or feature|Record types|
-|||
+|:-|:--|
|Azure Active Directory|AzureActiveDirectory, AzureActiveDirectoryAccountLogon, AzureActiveDirectoryStsLogon| |Azure Information Protection|AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat| |Communication compliance|ComplianceSupervisionExchange|
Why a unified audit log? Because you can search the audit log for activities per
|Microsoft Defender Experts|DefenderExpertsforXDRAdmin| |Microsoft Defender for Identity (MDI)|MicrosoftDefenderForIdentityAudit| |Microsoft Planner|PlannerCopyPlan, PlannerPlan, PlannerPlanList, PlannerRoster, PlannerRosterSensitivityLabel, PlannerTask, PlannerTaskList, PlannerTenantSettings |
+|Microsoft Project for the web|ProjectAccessed, ProjectCreated, ProjectDeleted, ProjectTenantSettingsUpdated, ProjectUpdated, RoadmapAccessed,RoadmapCreated, RoadmapDeleted, RoadmapItemAccessed,RoadmapItemCreated,RoadmapItemDeleted, RoadmapItemUpdated, RoadmapTenantSettingsUpdated, RoadmapUpdated, TaskAccessed, TaskCreated,TaskDeleted, TaskUpdated|
|Microsoft Purview Information Protection (MIP) labels|MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation| |Microsoft Teams|MicrosoftTeams|
+|Microsoft To Do|MicrosoftToDo, MicrosoftToDoAudit|
|MyAnalytics|MyAnalyticsSettings| |OneDrive for Business|OneDrive| |Power Apps|PowerAppsApp, PowerAppsPlan|
Why a unified audit log? Because you can search the audit log for activities per
|Workplace Analytics|WorkplaceAnalytics| |Yammer|Yammer| - For more information about the operations that are audited in each of the services listed in the previous table, see the [Audit log activities](audit-log-activities.md) article. The previous table also identifies the record type value to use to search the audit log for activities in the corresponding service using the **Search-UnifiedAuditLog** cmdlet in Exchange Online PowerShell or by using a PowerShell script. Some services have multiple record types for different types of activities within the same service. For a more complete list of auditing record types, see [Office 365 Management Activity API schema](/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype).
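Review bot: the new Project for the web record-type row has inconsistent spacing ("RoadmapAccessed,RoadmapCreated", "RoadmapItemAccessed,RoadmapItemCreated,RoadmapItemDeleted", "TaskCreated,TaskDeleted"); add a space after every comma as the other rows do. The row also names ProjectTenantSettingsUpdated and RoadmapTenantSettingsUpdated, whereas the activity table added to audit-log-activities.md in this same update lists the settings operations as ProjectForTheWebProjectSettings and ProjectForTheWebRoadmaptSettings; make the two pages agree, or state explicitly that record types and operations are different fields, so a reader building a Search-UnifiedAuditLog query can map one to the other.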
compliance | Audit Premium | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-premium.md
In addition to the events in Exchange Online and SharePoint Online, there are ev
- [Microsoft Forms](audit-log-activities.md#microsoft-forms-activities) - [Microsoft Stream](/stream/audit-logs#actions-logged-in-stream)
+- [Microsoft Project for the web](audit-log-activities.md#microsoft-project-for-the-web-activities)
- [Microsoft Teams](/microsoftteams/audit-log-events#teams-activities)
+- [Microsoft To Do](audit-log-activities.md#microsoft-to-do-activities)
- [Yammer](audit-log-activities.md#yammer-activities) ## High-bandwidth access to the Office 365 Management Activity API
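Review bot: the new "Microsoft Project for the web" bullet is inserted after "Microsoft Stream", which breaks the alphabetical order the list otherwise keeps (Forms, Stream, Teams, To Do, Yammer); move it above Microsoft Stream.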
compliance | Classifier Tc Definitions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-tc-definitions.md
Microsoft Purview comes with multiple pre-trained classifiers. They appear in th
| Detects messages that may mention acts to damage or destroy corporate assets or property. This classifier can help customers manage regulatory compliance obligations such as NERC Critical Infrastructure Protection standards or state by state regulations like Chapter 9.05 RCW in Washington state. | Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files.| English | > [!IMPORTANT]
-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the *Message is not sent to any of these domains condition* with a list of domains to exclude.
+> This classifier may capture a large volume of bulk sender/newsletter content. In Communication Compliance, you can mitigate the detection of large volumes of bulk sender/newsletter content by selecting the **Filter email blasts** check box when you create the policy. You can also edit an existing Communication Compliance policy to turn on this feature.
## Customer complaints
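Review bot: the replacement IMPORTANT block repeats "large volume of bulk sender/newsletter content" in two consecutive sentences; tighten the second one to something like "To reduce this noise, select the **Filter email blasts** check box when you create or edit a Communication Compliance policy." The old text also gave a workaround that did not depend on one feature (the "Message is not sent to any of these domains" condition); the new text only covers Communication Compliance, so if this classifier can be used outside Communication Compliance, say what a reader should do there. The identical block is repeated in the gifts/entertainment, money laundering, anti-collusion, stock manipulation and unauthorized disclosure hunks below, and both comments apply to each of them.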
Microsoft Purview comes with multiple pre-trained classifiers. They appear in th
| Detects messages that may suggest exchanging gifts or entertainment in return for service, which violates regulations related to bribery. This classifier can help customers manage regulatory compliance obligations such as Foreign Corrupt Practices Act (FCPA), UK Bribery Act and FINRA Rule 2320. | Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files. | English | > [!IMPORTANT]
-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the *Message is not sent to any of these domains condition* with a list of domains to exclude.
+> This classifier may capture a large volume of bulk sender/newsletter content. In Communication Compliance, you can mitigate the detection of large volumes of bulk sender/newsletter content by selecting the **Filter email blasts** check box when you create the policy. You can also edit an existing Communication Compliance policy to turn on this feature.
## Harassment
Microsoft Purview comes with multiple pre-trained classifiers. They appear in th
| Detects signs that may suggest money laundering or engagement in acts to conceal or disguise the origin or destination of proceeds. This classifier helps customers manage regulatory compliance obligations such as the Bank Secrecy Act, the USA Patriot Act, FINRA Rule 3310 and Anti-Money Laundering Act of 2020. | Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files. | English | > [!IMPORTANT]
-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the *Message is not sent to any of these domains condition* with a list of domains to exclude.
+> This classifier may capture a large volume of bulk sender/newsletter content. In Communication Compliance, you can mitigate the detection of large volumes of bulk sender/newsletter content by selecting the **Filter email blasts** check box when you create the policy. You can also edit an existing Communication Compliance policy to turn on this feature.
## Network design files
Microsoft Purview comes with multiple pre-trained classifiers. They appear in th
| Detects messages that may violate regulatory anti-collusion requirements such as an attempted concealment of sensitive information. This classifier can help customers manage regulatory compliance obligations such as the Sherman Antitrust Act, Securities Exchange Act 1933, Securities Exchange Act of 1934, Investment Advisers Act of 1940, Federal Commission Act, and Robinson-Patman Act. | Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files. | English | > [!IMPORTANT]
-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the *Message is not sent to any of these domains condition* with a list of domains to exclude.
+> This classifier may capture a large volume of bulk sender/newsletter content. In Communication Compliance, you can mitigate the detection of large volumes of bulk sender/newsletter content by selecting the **Filter email blasts** check box when you create the policy. You can also edit an existing Communication Compliance policy to turn on this feature.
## Resume
Microsoft Purview comes with multiple pre-trained classifiers. They appear in th
| Detects signs of possible stock manipulation, such as recommendations to buy, sell or hold stocks that may suggest an attempt to manipulate the stock price. This classifier can help customers manage regulatory compliance obligations such as the Securities Exchange Act of 1934, FINRA Rule 2372, and FINRA Rule 5270. | Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files. | English | > [!IMPORTANT]
-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the *Message is not sent to any of these domains condition* with a list of domains to exclude.
+> This classifier may capture a large volume of bulk sender/newsletter content. In Communication Compliance, you can mitigate the detection of large volumes of bulk sender/newsletter content by selecting the **Filter email blasts** check box when you create the policy. You can also edit an existing Communication Compliance policy to turn on this feature.
## Tax documents
Microsoft Purview comes with multiple pre-trained classifiers. They appear in th
| Detects sharing of information containing content that is explicitly designated as confidential or internal to unauthorized individuals. This classifier can help customers manage regulatory compliance obligations such as FINRA Rule 2010 and SEC Rule 10b-5. | Detects content in .msg, .docx, .pdf, .txt, .rtf, .jpeg, .jpg, .png, .gif, .bmp, .svg files. | English | > [!IMPORTANT]
-> While in preview, this classifier may capture a large volume of bulk sender/newsletter content due to a known issue. While they're in preview, you can address large volumes of bulk sender/newsletter content by adding the *Message is not sent to any of these domains condition* with a list of domains to exclude.
+> This classifier may capture a large volume of bulk sender/newsletter content. In Communication Compliance, you can mitigate the detection of large volumes of bulk sender/newsletter content by selecting the **Filter email blasts** check box when you create the policy. You can also edit an existing Communication Compliance policy to turn on this feature.
## Wire Transfer
compliance | Compliance Manager Connectors Salesforce | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-connectors-salesforce.md
f1.keywords:
Previously updated : 05/16/2023 Last updated : 05/24/2023 audience: Admin
description: "Configure settings in your Salesforce accounts in order to activat
Follow the instructions on this page to enable the connection between your Salesforce account and the Compliance Manager connector for Salesforce.
-This process involves obtaining a token for a given Salesforce account. Therefore, if you activate multiple connectors for multiple Salesforce accounts, you'll need to repeat this process for each account in order to get the token
+This process involves obtaining a token for a given Salesforce account. Therefore, if you activate multiple connectors for multiple Salesforce accounts, you'll need to repeat this process for each account in order to get the token.
+ ## Setup steps
compliance | Compliance Manager Connectors Zoom | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-connectors-zoom.md
f1.keywords:
Previously updated : 05/16/2023 Last updated : 05/24/2023 audience: Admin
description: "Configure settings in your Zoom accounts in order to activate conn
Follow the instructions on this page to enable the connection between your Zoom account and the Compliance Manager connector for Zoom.
-## Overview
- Zoom must authenticate each HTTP request made to the Zoom API. Zoom supports different authentication methods. Compliance Manager connectors use the **Server-to-Server OAuth app**, which enables you to securely integrate with Zoom APIs and get your account owner access token without user interaction. This is different from the OAuth app type, which requires user authentication. This app type is added and managed across an account by account admins. This app type also enables you to utilize event subscriptions using Webhooks. + ## Setup steps #### 1. Enable permissions
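Review bot: deleting the Overview removes the only statement of which Zoom app type the connector uses (a Server-to-Server OAuth app, which yields an account-owner access token without user interaction, as opposed to a user-authenticated OAuth app); the setup steps that follow depend on the reader creating the right app type and understanding that the resulting token carries account-owner authority. If this text was moved to another page, link to it from "## Setup steps"; otherwise keep at least one sentence here naming the app type and the scope of the token.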
compliance | Compliance Manager Connectors | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-connectors.md
f1.keywords:
Previously updated : 05/16/2023 Last updated : 05/24/2023 audience: Admin
description: "Set up connectors to build assessments for non-Microsoft services
Compliance Manager offers a comprehensive set of connectors designed to help you gain a clear understanding of your compliance obligations across the services used in your organization. The connectors provide a seamless link to non-Microsoft services so that you can include them in your assessments and take advantage of automatic monitoring and testing of controls. Connecting your services to Compliance Manager requires a few simple setup steps. Once your connector is activated, you can select it as an in-scope service when creating an assessment. + ## Available connectors The connectors available for Compliance Manager are listed below, with more available in the coming months.
compliance | Compliance Manager Multicloud | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-multicloud.md
f1.keywords:
Previously updated : 05/16/2023 Last updated : 05/25/2023 audience: Admin
If you choose subscriptions that are in scope within Defender for Cloud for a ma
View the [list of regulations supported by both Compliance Manager and Defender for Cloud](compliance-manager-cloud-settings.md#standards-supported-by-compliance-manager-and-defender-for-cloud).
-## Known issues
-
-In cases where an infrastructure cloud action in Compliance Manager receives an automated test result from Defender for Cloud, and the corresponding assessment in Defender for Cloud doesn't have any resources listed or all associated resources are listed as **Not applicable**, Compliance Manager will show the test status of this action as **Failed High Risk**. This is a known issue and will be resolved soon.
- ## Get started There are setup steps required before you can start building assessments for your cloud services. Visit [Configure cloud settings](compliance-manager-cloud-settings.md) to get started.
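Review bot: removing the Known issues section implies that the **Failed High Risk** status shown for an action whose Defender for Cloud assessment has no resources (or only **Not applicable** ones) is fixed; confirm that with the service team before publishing, because a reader who still sees that status will now have no explanation for it.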
compliance | Dlp Policy Reference | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-reference.md
The available context options change depending on which location you choose. If
##### Conditions Exchange supports - Content contains-- User's risk level for Adaptice Protection is
+- User's risk level for Adaptive Protection is
- Content is not labeled - Content is shared from Microsoft 365 - Content is received from
When a user overrides a block with override action on an email, the override opt
] } ```
-If you have a automated process that makes use of the business justification values, the process can access that information progamatically in the email X-header data.
+If you have an automated process that makes use of the business justification values, the process can access that information programmatically in the email X-header data.
### Incident reports
compliance | Ediscovery Create Draft Collection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-create-draft-collection.md
Here's the descriptions of the pre-collection estimate management options.
- Include subfolder contents (insider subfolders of a matched folder) - Include files in SharePoint lists (and their child items) -- **Export collected items**: Export the collected items without adding the items to the review set. This option is useful in scenarios where data residency requirements associated with data storage may be prohibitive and you need collected data as a download. After selecting, you have the following export options for collected items:
+- **Export collected items (preview)**: Export the collected items without adding the items to the review set. This option is useful in scenarios where data residency requirements associated with data storage may be prohibitive and you need collected data as a download. After selecting, you have the following export options for collected items:
- **Types of collected items to include in the export**: Choose to export collected items with search hits, items with search hits and partially indexed items without hits, or only partially indexed items without search hits. You can also choose to one or more of the following options for collected items:
Here's the descriptions of the pre-collection estimate management options.
- **Delete collection**: Delete a collection estimate. After you commit a collection estimate to a review set, it can't be deleted. - **Refresh estimates**: Rerun the query (against the data sources) specified in the collection estimate to update the search estimates and statistics.-- **Export as report**: Exports information about the collection estimate to a CSV file that you can download to your local computer. The export report contains the following information:
+- **Export as report (preview)**: Exports information about the collection estimate to a CSV file that you can download to your local computer. The export report contains the following information:
- The identity of each content location that contains items that match the search query in the collection estimate. These locations are typically mailboxes or sites. - The total number of items in each content location.
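Review bot: the two "(preview)" labels are added as bare parentheticals, and nothing on the changed lines tells the reader what preview status means for these export options (support, limitations, possible changes); add a preview note at the first mention instead of relying on the label alone. While here, the unchanged line after the first change reads "You can also choose to one or more of the following options"; it should be "choose one or more".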
compliance | Ediscovery Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-overview.md
At a high level, here's how eDiscovery (Premium) supports the EDRM workflow:
## Subscriptions and licensing
-For information regarding what licenses provide the rights for a user to benefit from eDiscovery (Premium) please see [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-ediscovery) and see the "eDiscovery and auditing" section in the [Microsoft 365 Comparison table](https://go.microsoft.com/fwlink/?linkid=2139145).
+Microsoft Purview eDiscovery capabilities are included with Microsoft Purview. The licensing requirements may vary even within capabilities, depending on configuration options. For licensing requirements, guidance, and options, see the [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-ediscovery).
For information about how to assign licenses, see [Assign licenses to users](/microsoft-365/admin/manage/assign-licenses-to-users).
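Review bot: the replacement drops the link to the "eDiscovery and auditing" section of the Microsoft 365 Comparison table that the old text carried; if that table is still current, keep the link, since it is the only per-SKU view the reader had. Also, "Microsoft Purview eDiscovery capabilities are included with Microsoft Purview" says nothing actionable (Purview is a product family, not a subscription); either name the subscriptions that include the capability or drop the sentence and keep only the pointer to the licensing guidance.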
compliance | Ediscovery Premium Get Started | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-premium-get-started.md
This includes ensuring the proper licensing required to access eDiscovery (Premi
## Step 1: Verify and assign appropriate licenses
-Licensing for eDiscovery (Premium) requires the appropriate organization subscription and per-user licensing. For a list of licensing requirements for eDiscovery (Premium), see [Subscriptions and licensing](ediscovery-overview.md#subscriptions-and-licensing).
+Microsoft Purview eDiscovery capabilities are included with Microsoft Purview. The licensing requirements may vary even within capabilities, depending on configuration options. For licensing requirements, guidance, and options, see the [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-ediscovery).
## Step 2: Assign eDiscovery permissions
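Review bot: The removed sentence stated a concrete requirement (appropriate organization subscription plus per-user licensing) and linked to the in-repo [Subscriptions and licensing](ediscovery-overview.md#subscriptions-and-licensing) section; the new paragraph states no requirement at all and points only to the external service description, so the Step 1 heading "Verify and assign appropriate licenses" no longer tells the reader what to verify. If the overview section still exists after this change set, keep that in-repo link as the first stop and leave the service-description link for the detailed matrix; if it was removed, say so in the commit, since other articles may link to the same anchor.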
compliance Ediscovery Standard Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-standard-get-started.md
This article discusses the steps necessary to set up eDiscovery (Standard). This
## Step 1: Verify and assign appropriate licenses
-Licensing for eDiscovery (Standard) requires the appropriate organization subscription and per-user licensing.
--- **Organization subscription:** To access eDiscovery (Standard) in the Microsoft Purview compliance portal and use the hold and export features, your organization must have an Exchange online Plan 2 or Microsoft 365 E3 or Office 365 E3 subscription or higher. Microsoft 365 Frontline organizations must have an F5 subscription.--- **Per-user licensing:** To place an eDiscovery hold on mailboxes and sites, users must be assigned one of the following licenses, depending on your organization subscription:-
- - Exchange online Plan 2 license
-
- OR
-
- - A Microsoft 365 E3 or Office 365 E3 license or higher
-
- OR
-
- - Microsoft 365 Business Premium (Exchange only) license
+Microsoft Purview eDiscovery capabilities are included with Microsoft Purview. The licensing requirements may vary even within capabilities, depending on configuration options. For licensing requirements, guidance, and options, see the [Microsoft 365 guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-ediscovery).
-
- OR
-
- - Office 365 E1 license with an Exchange Online Plan 2 or Exchange Online Archiving add-on license
-
- OR
-
- - Microsoft 365 Frontline F5 Compliance or F5 Security & Compliance add-on license
-
- AND
-
- - Office 365 E1 license with a SharePoint Online Plan 2 or OneDrive for Business Plan 2 add-on license
-
- For information about how to assign licenses, see [Assign licenses to users](../admin/manage/assign-licenses-to-users.md).
-
- For information and guidance on security and compliance licensing and subscriptions, see the [Microsoft 365 guidance for security & compliance service descriptions](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
+For information about how to assign licenses, see [Assign licenses to users](../admin/manage/assign-licenses-to-users.md).
## Step 2: Verify that required eDiscovery apps are enabled
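Review bot: Deleting the whole subscription and per-user list leaves Step 1 with nothing to verify: the minimum subscriptions (Exchange Online Plan 2, Microsoft 365 E3 or Office 365 E3 or higher, F5 for Frontline) and the per-user options, including the "Microsoft 365 Business Premium (Exchange only)" restriction and the Office 365 E1 plus add-on combinations, are now reachable only through the external service description. The "Exchange only" caveat matters to an admin planning holds, because the removed text tied per-user licensing to placing an eDiscovery hold "on mailboxes and sites"; suggest keeping at least a one-line summary of the minimum subscription and that caveat, and naming eDiscovery (Standard) explicitly in the new paragraph, which is currently the same generic text as the Premium article.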
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
Office for the web: You must download the file from the browser. The following m
- Export > Download as PDF > Download - Print > Print > Download as PDF > Download
-When the PDF is created, it inherits the label with any content markings and encryption. Encrypted PDFs can be opened with Microsoft Edge on Windows or Mac. For more information, and alternative readers, see [Which PDF readers are supported for protected PDFs?](/azure/information-protection/rms-client/protected-pdf-readers#viewing-protected-pdfs-in-microsoft-edge-on-windows-or-mac)
+When the PDF is created, it inherits the label with any content markings. For Windows, if the label applied encryption, that encryption is also inherited. Encrypted PDFs can be opened with Microsoft Edge on Windows or Mac. For more information, and alternative readers, see [Which PDF readers are supported for protected PDFs?](/azure/information-protection/rms-client/protected-pdf-readers#viewing-protected-pdfs-in-microsoft-edge-on-windows-or-mac)
Outlook doesn't currently support PDF attachments inheriting encryption from a labeled message. However, Outlook does support warning or blocking users from printing to PDF, as described next.
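Review bot: "For Windows, if the label applied encryption, that encryption is also inherited" is ambiguous in a section that is about Office for the web: the only Windows involved is the operating system of the device on which the browser downloads the PDF, so say that explicitly. The sentence also leaves the other platforms undefined, and that is the case an admin relying on the label for data protection needs to know about: state whether a PDF downloaded on macOS (or another platform) from the same labeled document is created without encryption, keeps only the content markings, or cannot be downloaded at all. Consider a short note or a bulleted "Windows / other platforms" pair so the limitation is not buried mid-sentence.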
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Sensitivity labels -- **Rolling out**: [PDF support for Office on the web](sensitivity-labels-office-apps.md#pdf-support) so that when Word, Excel, and PowerPoint converts a labeled Office document into a PDF document, the label with any content markings and encryption persists.
+- **Rolling out**: [PDF support for Office on the web](sensitivity-labels-office-apps.md#pdf-support) so that when Word, Excel, and PowerPoint converts a labeled Office document into a PDF document, the label with any content markings persists.
## April 2023
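Review bot: Dropping "and encryption" entirely understates the feature relative to the companion change in sensitivity-labels-office-apps.md, which says encryption is still inherited on Windows; suggest "the label with any content markings (and, on Windows, encryption) persists" so the What's new entry and the feature article agree. Grammar while here: "when Word, Excel, and PowerPoint converts" should be "convert".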
enterprise Setup Guides For Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/setup-guides-for-microsoft-365.md
Advanced deployment guides in the admin center require authentication to a Micro
|**Guide - [Setup Portal](https://go.microsoft.com/fwlink/?linkid=2220880)** |**Guide - [Admin Center](https://go.microsoft.com/fwlink/?linkid=2224913)** |**Description** | ||||
-|[Build your employee experience with Microsoft 365 and Microsoft Viva dashboard](https://go.microsoft.com/fwlink/?linkid=2223653)|[Build your employee experience with Microsoft 365 and Microsoft Viva dashboard](https://go.microsoft.com/fwlink/?linkid=2224787)|Transform how your employees work together with the **Build your employee experience with Microsoft 365 and Microsoft Viva dashboard**. For seamless teamwork, use Microsoft 365 to create productive, aligned teams, and keep employees engaged with leadership and the rest of the organization. Help your employees be effective in all work activities. These guides will provide instructions on how to use SharePoint, Teams, and Yammer to build collaboration across your org to help drive productivity.|
+|[Deploy employee experience with Microsoft Viva](https://go.microsoft.com/fwlink/?linkid=2223653)|[Deploy employee experience with Microsoft Viva](https://go.microsoft.com/fwlink/?linkid=2224787)|Viva is an integrated, employee experience platform (EXP) that brings together communications, knowledge, learning, resources, and insights into the flow of work and fosters a culture where people and teams thrive and are empowered to be their best from anywhere. You can use the steps and guidance in the guides linked here to deploy one or more Viva apps and achieve better employee engagement throughout your organization.|
|[Microsoft 365 Apps setup guide](https://go.microsoft.com/fwlink/?linkid=2234169)|[Microsoft 365 Apps setup guide](https://go.microsoft.com/fwlink/?linkid=2233871)|The **Microsoft 365 Apps setup guide** provides comprehensive guidance for setting up and deploying the latest versions of Office products like Word, Excel, PowerPoint, and OneNote on your users' devices. You'll be walked through the activation process for your Microsoft 365 product key, as well as various deployment methods including easy self-install options and enterprise deployments with management tools. Additionally, the guide offers instructions on assessing your environment, determining your specific deployment requirements, and implementing the necessary support tools to ensure a successful installation.| ||[Mobile apps setup guide](https://go.microsoft.com/fwlink/?linkid=2224813)|The **Mobile apps setup guide** provides instructions for the download and installation of Office apps on your Windows, iOS, and Android mobile devices. This guide provides you with step-by-step information to download and install Microsoft 365 and Office 365 apps on your phone and tablet devices.| |[Microsoft Teams setup guide]( https://go.microsoft.com/fwlink/?linkid=2222975)|[Microsoft Teams setup guide](https://go.microsoft.com/fwlink/?linkid=2224815)|The **Microsoft Teams setup guide** provides your organization with guidance to set up team workspaces that host real-time conversations through messaging, calls, and audio or video meetings for both team and private communication. Use the tools in this guide to configure Guest access, set who can create teams, and add team members from a .csv file, all without the need to open a PowerShell session. You'll also get best practices for determining your organization's network requirements and ensuring a successful Teams deployment.|
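Review bot: The new Viva row reads as marketing copy rather than as a description of what the guide does ("fosters a culture where people and teams thrive and are empowered to be their best from anywhere"), whereas the neighbouring rows describe the concrete steps each guide walks through (activation, deployment methods, guest access, CSV import). Suggest one sentence on what Viva is and one on what the guide covers, for example which Viva apps it deploys and in what order; and drop the stray comma in "an integrated, employee experience platform (EXP)". The fwlink IDs are unchanged from the removed row, which is correct if only the title and description were updated.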
security Mdb Admin Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-admin-guide.md
+
+ Title: "Tenant administration guide for Microsoft Defender for Business"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++ Last updated : 05/25/2023
+ms.localizationpriority: medium
+
+- m365-security
+- tier2
+
+- MiniMaven
+search.appverid:
+- BCS160
+- MET150
+description: "Get an overview of tasks your administrators perform to maintain your Microsoft Defender for Business environment."
++
+# Microsoft Defender for Business tenant administration guide
+
+Maintaining your Defender for Business environment includes managing user accounts, managing devices, and keeping things up to date and working correctly. Use this article as an admin guide for your organization.
+
+Many admin tasks can be performed in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)), although some tasks, such as adding/removing devices, can be performed in other portals (such as the Microsoft 365 Defender portal or the Microsoft Intune admin center).
+
+If you're new to Microsoft 365, take a moment to get an [Overview of the Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview).
+
+## General tasks
+
+| Task | Resources to learn more |
+|:|:|
+| Get started using the Microsoft 365 admin center | [Overview of the Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview) |
+| Learn about new features in the Microsoft 365 admin center | [What's new in the Microsoft 365 admin center](/microsoft-365/admin/whats-new-in-preview) |
+| Find out about new product updates and features so you can help prepare users | [Stay on top of Microsoft 365 product and feature changes](/microsoft-365/admin/manage/stay-on-top-of-updates) |
+| View usage reports to see how people are using Microsoft 365 | [Microsoft 365 Reports in the admin center](/microsoft-365/admin/activity-reports/activity-reports) |
+| Open a technical support ticket | [Get support for Microsoft 365 for business](/microsoft-365/admin/get-help-support) |
+
+## Users, groups, and passwords
+
+| Task | Resources to learn more |
+|:|:|
+| Add a new user | [Add a new employee to Microsoft 365](/microsoft-365/admin/add-users/add-new-employee) |
+| Assign licenses to users | [Assign Microsoft 365 licenses to users in the Microsoft 365 admin center](/microsoft-365/admin/manage/assign-licenses-to-users) <br/>[Assign Microsoft 365 licenses to user accounts by using PowerShell](/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell) |
+| Assign admin roles to people who need admin permissions | [Assign admin roles in the Microsoft 365 admin center](/microsoft-365/admin/add-users/assign-admin-roles) <br/>[Assign admin roles to Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/assign-roles-to-user-accounts-with-microsoft-365-powershell)|
+| Remove licenses from users | [Unassign Microsoft 365 licenses from users in the Microsoft 365 admin center](/microsoft-365/admin/manage/remove-licenses-from-users)<br/>[Remove Microsoft 365 licenses from user accounts with PowerShell](/microsoft-365/enterprise/remove-licenses-from-user-accounts-with-microsoft-365-powershell) |
+| Remove a user account when someone leaves your organization | [Overview: Remove a former employee and secure data](/microsoft-365/admin/add-users/remove-former-employee) |
+| Reset passwords for user accounts | [Reset passwords in Microsoft 365 for business](/microsoft-365/admin/add-users/reset-passwords) |
+
+## Devices
+
+| Task | Resources to learn more |
+|:|:|
+| View current status of and manage devices | [Manage devices in Defender for Business](mdb-manage-devices.md) |
+| Onboard devices to Defender for Business | [Onboard devices to Defender for Business](mdb-onboard-devices.md) |
+| Offboard devices from Defender for Business | [Offboard a device from Defender for Business](mdb-offboard-devices.md) |
+| Manage devices with Intune | [What does device management with Intune mean?](/mem/intune/fundamentals/what-is-device-management)<br/>[Manage your devices and control device features in Microsoft Intune](/mem/intune/fundamentals/manage-devices) |
+
+## Subscriptions and billing
+
+| Task | Resources to learn more |
+|:|:|
+| View your bill or invoice | [View your Microsoft 365 for business subscription bill or invoice](/microsoft-365//commerce/billing-and-payments/view-your-bill-or-invoice) |
+| Manage your payment methods | [Manage payment methods](/microsoft-365/commerce/billing-and-payments/manage-payment-methods) |
+| Change the frequency of your payments | [Change your Microsoft 365 subscription billing frequency](/microsoft-365/commerce/billing-and-payments/change-payment-frequency) |
+| Change your billing address | [Change your Microsoft 365 for business billing addresses](/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses) |
+| Upgrade your subscription | [Try or buy Microsoft 365 Business Premium](../../business-premium/m365-business-premium-setup.md#sign-up-for-microsoft-365-business-premium) |
+| Add Microsoft Intune to your subscription<br/>(for additional security capabilities) | [Get an overview of Intune](/mem/intune/fundamentals/what-is-intune) <br/>[Microsoft Intune Plans and Pricing](https://www.microsoft.com/en-us/security/business/microsoft-intune-pricing) |
+| Try Defender for Office 365 <br/>(to protect email and collaboration content) | [Try Microsoft Defender for Office 365](../office-365-security/try-microsoft-defender-for-office-365.md) |
+
+## See also
+
+- [Maintain your Defender for Business environment](mdb-maintain-environment.md)
+- [Microsoft 365 admin center help](/microsoft-365/admin/index)
+- [Microsoft 365 Business Premium ΓÇô productivity and cybersecurity for small business](../../business-premium/index.md)
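Review bot: Two link defects in this new file: the "View your bill or invoice" row under Subscriptions and billing has a doubled slash in "/microsoft-365//commerce/billing-and-payments/view-your-bill-or-invoice", and the last See also entry contains mojibake ("ΓÇô") where an en dash belongs, which usually means the file was saved or converted with a non-UTF-8 code page; check the file encoding before merging. Also, unless it is an artifact of this change view, the front matter shows list items ("- m365-security", "- tier2", "- MiniMaven") with no key above them, which would be invalid YAML; please confirm the keys are present in the committed file.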
security Mdb Maintain Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-maintain-environment.md
+
+ Title: "Maintain your Microsoft Defender for Business environment"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++ Last updated : 05/25/2023
+ms.localizationpriority: medium
+
+- m365-security
+- tier2
+
+- MiniMaven
+search.appverid:
+- BCS160
+- MET150
+description: "Learn how to maintain Defender for Business environment."
++
+# Maintain your Microsoft Defender for Business environment
+
+After you have [set up and configured Defender for Business](mdb-setup-configuration.md), your next step is to prepare a plan for maintenance and operations. Use this article as a guide to start preparing your plan.
+
+| Area | Description |
+|||
+| **Microsoft 365 administration**<br/>(also referred to as *tenant administration*) | Tenant administration includes tasks that your administrators (also referred to as *admins*) perform in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) (and potentially other admin centers, such as the Exchange admin center). <br/><br/>As new employees come in and other employees leave, it's important to manage user accounts and devices. Your admins can add or remove users, reset passwords, assign roles and permissions, and more. These kinds of tasks (and more!) are listed in the [Defender for Business tenant administration guide](mdb-admin-guide.md). |
+| **Security administration** | Security administration includes tasks that your security administrators (also referred to as *security admins*) perform in portals, such as: <br/>- The Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)) <br/>- The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com))<br/>- The Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com); if you're using Intune)<br/><br/>These kinds of tasks include defining or editing security policies, onboarding or offboarding devices, and so forth, and are listed in the [Defender for Business security admin guide](mdb-security-admin-guide.md). |
+| **Security operations** | Security operations (also referred to as *SecOps*) and includes tasks that your security team performs in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). <br/><br/>As threats are detected, those threats must be reviewed and addressed. Regular antivirus scans should occur on devices, and you can initiate scans when needed. In addition, you can run automated investigations on devices that have a high risk level or detected threats. These kinds of security tasks (and more!) are listed in the [Defender for Business security operations guide](mdb-security-operations-guide.md). |
+
+## See also
+
+[Set up and configure Defender for Business](mdb-setup-configuration.md)
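Review bot: The Security operations row has a stray conjunction ("Security operations (also referred to as *SecOps*) and includes tasks"), and the same portal is named "Microsoft 365 Defender portal" in the Security administration row and "Microsoft Defender portal" in the Security operations row, both pointing at https://security.microsoft.com; pick one name and use it throughout the new Defender for Business articles in this change set. The description metadata is also missing a word: "Learn how to maintain your Defender for Business environment."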
security Mdb Security Admin Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-security-admin-guide.md
+
+ Title: "Security administration guide for Microsoft Defender for Business"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++ Last updated : 05/25/2023
+ms.localizationpriority: medium
+
+- m365-security
+- tier2
+
+- MiniMaven
+search.appverid:
+- BCS160
+- MET150
+description: "Learn about tasks that security admins perform with Microsoft Defender for Business."
++
+# Microsoft Defender for Business security administration guide
+
+Security administrators (also referred to as *security admins*) perform various tasks, such as:
+
+- Defining or editing security policies
+- Onboarding or offboarding devices
+- Taking steps to protect high-risk user accounts or devices
+
+The following table lists common tasks that security admins typically perform, with links to more detailed information.
+
+| Task | Description |
+|||
+| **Manage false positives/negatives** | A false positive is an entity, such as a file or a process that was detected and identified as malicious even though the entity isn't actually a threat. A false negative is an entity that wasn't detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including Defender for Business. Fortunately, steps can be taken to address and reduce these kinds of issues. <br/><br/>See [Address false positives/negatives in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives). |
+| **Strengthen your security posture** | Defender for Business includes a vulnerability management dashboard that provides you with exposure score and enables you to view information about exposed devices and see relevant security recommendations. You can use your Defender Vulnerability Management dashboard to reduce exposure and improve your organization's security posture. <br/><br/>See the following articles:<br/>- [Use your vulnerability management dashboard in Defender for Business](mdb-view-tvm-dashboard.md)<br/>- [Dashboard insights](/microsoft-365/security/defender-vulnerability-management/tvm-dashboard-insights) |
+| **Adjust security policies** | [Reports](mdb-reports.md) are available so that you can view information about detected threats, device status, and more. Sometimes it's necessary to adjust your security policies. For example, you might apply strict protection to some user accounts or devices, and standard protection to others. <br/><br/>See [View or edit policies in Defender for Business](mdb-view-edit-create-policies.md). |
+| **Protect high-risk devices** | The overall risk assessment of a device is based on a combination of factors, such as the types and severity of active alerts on the device. As your security team resolves active alerts, approves remediation activities, and suppresses subsequent alerts, the risk level decreases. <br/><br/>See [Manage devices in Defender for Business](mdb-manage-devices.md). |
+| **Onboard or offboard devices** | As devices are replaced or retired, new devices are purchased, or your business needs change, you can onboard or offboard devices from Defender for Business. <br/><br/>See the following articles: <br/>- [Onboard devices to Defender for Business](mdb-onboard-devices.md) <br/>- [Offboard a device from Defender for Business](mdb-offboard-devices.md) |
+
+## See also
+
+- [Defender for Business security operations guide](mdb-security-operations-guide.md)
+- [Maintain your Defender for Business environment](mdb-maintain-environment.md)
security Mdb Security Operations Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-security-operations-guide.md
+
+ Title: "Security operations guide for Microsoft Defender for Business"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++ Last updated : 05/25/2023
+ms.localizationpriority: medium
+
+- m365-security
+- tier2
+
+- MiniMaven
+search.appverid:
+- BCS160
+- MET150
+description: "Learn about daily, weekly, monthly, and as needed tasks for your security team to perform with Defender for Business."
++
+# Microsoft Defender for Business security operations guide
+
+If you're new to Defender for Business, or if your business doesn't have a security operations guide in place yet, use this article as a starting point. If you do already have a security operations guide, review it against the recommendations in this article.
+
+You can use this guidance to make decisions about security incident priorities and tasks your security team will perform in the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
+
+## Security operations tasks to perform
+
+### Daily tasks
+
+| Task | Description |
+|||
+| **Check your threat vulnerability management dashboard** | Get a snapshot of threat vulnerability by looking at your vulnerability management dashboard, which reflects how vulnerable your organization is to cybersecurity threats. A high exposure score means your devices are more vulnerable to exploitation. <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Vulnerability management > Dashboard**.<br/><br/>2. Take a look at your **Organization exposure score**. If it's in the acceptable or "High" range, you can move on. If it isn't, select **Improve score** to see more details and security recommendations to improve this score. <br/><br/>Being aware of your exposure score helps you to:<br/>- Quickly understand and identify high-level takeaways about the state of security in your organization<br/>- Detect and respond to areas that require investigation or action to improve the current state<br/>- Communicate with peers and management about the impact of security efforts |
+| **Review pending actions in the Action center** | As threats are detected, [remediation actions](#remediation-actions-in-defender-for-business) come into play. Depending on the particular threat and how your security settings are configured, remediation actions might be taken automatically or only upon approval, which is why these should be monitored regularly. Remediation actions are tracked in the Action center.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Action center**.<br/><br/>2. Select the **Pending** tab to view and approve (or reject) any pending actions. Such actions can arise from antivirus or antimalware protection, automated investigations, manual response activities, or live response sessions.<br/><br/>3. Select the **History** tab to view a list of completed actions.|
+| **Review devices with threat detections** | When threats are detected on devices, your security team needs to know so that any needed actions, such as isolating a device, can be taken promptly. <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Reports > General > Security report**.<br/><br/>2. Scroll down to the **Vulnerable devices** row. If threats were detected on devices, you'll see that information in this row.|
+| **Learn about new incidents or alerts** | As threats are detected and alerts are triggered, incidents are created. Your company's security team can view and manage incidents in the Microsoft 365 Defender portal.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation menu, select **Incidents**. Incidents are displayed on the page with associated alerts.<br/><br/>2. Select an alert to open its flyout pane, where you can learn more about the alert.<br/><br/>3. In the flyout, you can see the alert title, view a list of assets (such as endpoints or user accounts) that were affected, take available actions, and use links to view more information and even open the details page for the selected alert. |
+| **Run a scan or automated investigation** | Your security team can initiate a scan or an automated investigation on a device that has a high risk level or detected threats. Depending on the results of the scan or automated investigation, [remediation actions](#remediation-actions-in-defender-for-business) can occur automatically or upon approval.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Assets** > **Devices**.<br/><br/>2. Select a device to open its flyout panel, and review the information that is displayed.<br/>- Select the ellipsis (...) to open the actions menu.<br/>- Select an action, such as **Run antivirus scan** or **Initiate Automated Investigation**. |
+
+## Weekly tasks
+
+| Task | Description |
+|||
+| **Monitor and improve your security score** | Microsoft Secure Score is a measurement of your organization's security posture. Higher numbers indicate that fewer improvement actions are needed. By using Secure Score, you can: <br/>- Report on the current state of your organization's security posture.<br/>- Improve your security posture by providing discoverability, visibility, guidance, and control.<br/>- Compare with benchmarks and establish key performance indicators (KPIs).<br/><br/>To check your score, follow these steps:<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane choose **Secure score**. <br/><br/>2. Review and make decisions about the remediations and actions in order to improve your overall Microsoft secure score. |
+| **Improve your secure score for devices** | Improve your security configuration by remediating issues using the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves and your organization becomes more resilient against cybersecurity threats and vulnerabilities going forward. It's always worth the time it takes to review and improve your score.<br/><br/>To check your secure score, follow these steps: <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane select **Secure score**.<br/><br/>2. From the **Microsoft Secure Score for Devices** card in the Defender Vulnerability Management dashboard, select one of the categories. A list of recommendations related to that category displays, along with recommendations.<br/><br/>3.Select an item on the list to display details related to the recommendation.<br/><br/>4. Select **Remediation options**.<br/><br/>5. Read the description to understand the context of the issue and what to do next. Choose a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up. A confirmation message tells you the remediation task has been created.<br/><br/>6. Send a follow-up email to your IT Administrator and allow for the time that you've allotted for the remediation to propagate in the system.<br/><br/>7. Return to the Microsoft Secure Score for Devices card on the dashboard. The number of security controls recommendations has decreased as a result of your actions.<br/><br/>8. Select **Security controls** to go back to the Security recommendations page. The item that you addressed isn't listed there anymore, which results in your Microsoft secure score improving. |
+
+### Monthly tasks
+
+| Task | Description |
+|||
+| **Run security reports** | Several reports are available in the Microsoft 365 Defender portal.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Reports**.<br/><br/>2. Choose a report to review. Each report displays many pertinent categories for that report.<br/><br/>3. Select **View details** to see deeper information for each category.<br/><br/>4. Select the title of a particular threat to see details specific to it.|
+| **Run a simulation tutorial** | It's always a good idea to increase the security preparedness for you and your team through training. You can access simulation tutorials in the Microsoft 365 Defender portal. The tutorials cover several types of cyber threats. To get started, follow these steps:<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Tutorials**.<<br/><br/>2. Read the walk-through for a tutorial you're interested in running, and then download the file, or copy the script needed to run the simulation according to the instructions. |
+| **Explore the Learning hub** | Use the Learning hub to increase your knowledge of cybersecurity threats and how to address them. We recommend exploring the resources that are offered, especially in the Microsoft 365 Defender and Endpoints sections.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Learning hub**.<br/><br/>2. Select an area, such as **Microsoft 365 Defender** or **Endpoints**.<br/><br/>3. Select an item to learn more about each concept. <br/><br/>Note that some resources in the Learning hub might cover functionality that isn't actually included in Defender for Business. For example, advanced hunting capabilities are included in enterprise subscriptions, such as Defender for Endpoint Plan 2 or Microsoft 365 Defender, but not in Defender for Business. [Compare security features in Microsoft 365 plans for small and medium-sized businesses](compare-mdb-m365-plans.md). |
+
+### Tasks to perform as needed
+
+| Task | Description |
+|||
+| **Use the Threat analytics dashboard** | Use the threat analytics dashboard to get an overview of the current threat landscape by highlighting reports that are most relevant to your organization. <br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, select **Threat analytics** to display the Threat analytics dashboard. The dashboard summarizes the threats into the following sections:<br/>- **Latest threats** lists the most recently published or updated threat reports, along with the number of active and resolved alerts.<br/>- **High-impact threats** lists the threats that have the highest impact to your organization. This section lists threats with the highest number of active and resolved alerts first.<br/>- **Highest exposure** lists threats with the highest exposure levels first. The exposure level of a threat is calculated using two pieces of information: how severe the vulnerabilities associated with the threat are, and how many devices in your organization could be exploited by those vulnerabilities.<br/><br/>3. Select the title of the one you want to investigate, and read the associated report.<br/><br/>4. You can also review the full Analyst report for more details, or select other headings to view the related incidents, impacted assets, and exposure and mitigations.|
+| **Remediate an item** | Defender for Business includes several [remediation actions](#remediation-actions-in-defender-for-business). Some actions are taken automatically, and others await approval by your security team.<br/><br/>1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Assets** > **Devices**.<br/><br/>2. Select a device, such as one with a high risk level or exposure level. A flyout pane opens and displays more information about alerts and incidents generated for that item.<br/><br/>3. On the flyout, view the information that is displayed. Select the ellipsis (...) to open a menu that lists available actions.<br/><br/>4. Select an available action. For example, you might choose **Run antivirus scan**, which will cause Microsoft Defender Antivirus to start a quick scan on the device. Or, you could select **Initiate Automated Investigation** to trigger an automated investigation on the device. |
++
+## Remediation actions in Defender for Business
+
+The following table summarizes remediation actions that are available in Defender for Business:
+
+| Source | Actions |
+|||
+| **Automated investigations** | Quarantine a file<br/>Remove a registry key<br/>Kill a process<br/>Stop a service<br/>Disable a driver<br/>Remove a scheduled task |
+| **Manual response actions** | Run antivirus scan<br/>Isolate device<br/>Add an indicator to block or allow a file |
+| **Live response** | <br/>Collect forensic data<br/>Analyze a file<br/>Run a script<br/>Send a suspicious entity to Microsoft for analysis<br/>Remediate a file<br/>Proactively hunt for threats |
++
+## See also
+
+- [Maintain your Defender for Business environment](mdb-maintain-environment.md)
+- [Defender for Business security administration guide](mdb-security-admin-guide.md)
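Review bot: the procedure in the **Use the Threat analytics dashboard** row skips from step 1 straight to "3. Select the title of the one you want to investigate"; either renumber steps 3 and 4 as 2 and 3 or restore the missing step, and say "the threat you want to investigate" so the pronoun has a referent. In the remediation table, the **Live response** cell opens with a stray `<br/>` ahead of "Collect forensic data", which renders as an empty first line; drop it so the cell matches the other two rows.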
security Admin Submissions Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/admin-submissions-mde.md
In Microsoft Defender for Endpoint, admins can use the unified submissions featu
- To submit files to Microsoft, you need to be a member of one of the following role groups:
- - **Organization Management**, **Security Administrator**, or **Security Reader** in the [Microsoft 365 Defender portal](../office-365-security/mdo-portal-permissions.md).
+ - **Organization Management** or **Security Administrator** in the [Microsoft 365 Defender portal](../office-365-security/mdo-portal-permissions.md).
- For more information about how you can submit spam, phish, URLs, and email attachments to Microsoft, see [Report messages and files to Microsoft](../office-365-security/submissions-report-messages-files-to-microsoft.md).
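Review bot: the `+` line removes **Security Reader** from the role groups allowed to submit files, which tightens a prerequisite without telling the reader why; a short clause such as "Security Reader can view submissions but can't create them" (if the linked portal-permissions article confirms it) would save readers with that role from looking for an **Add new submission** button they won't have.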
If you have a file that you suspect might be malware or is being incorrectly det
### Submit a file or file hash
-1. Open Microsoft 365 Defender at <https://security.microsoft.com/>, click **Actions & submissions**, click **Submissions**, go to **Files** tab, and then select **Add new submission**.
+1. Open Microsoft 365 Defender at [https://security.microsoft.com](https://security.microsoft.com), click **Actions & submissions**, click **Submissions**, go to **Files** tab, and then select **Add new submission**.
- > [!div class="mx-imgBorder"]
- > ![Add new submission](../../media/unified-admin-submission-new.png)
+ :::image type="content" source="../../media/unified-admin-submission-new.png" alt-text="Screenshot showing how to add a new submission.":::
2. Use the **Submit items to Microsoft for review** flyout that appears to submit the **File** or **File hash**.
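Review bot: on the `+` step 1 line, "go to **Files** tab" is missing the article and should read "go to the **Files** tab"; since the line is already being edited for the URL format and the `:::image:::` replacement, fix the wording in the same pass rather than leaving it for another PR.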
If you have a file that you suspect might be malware or is being incorrectly det
6. Next, **Choose the priority**. Note that for **File hash** submissions, **Low - bulk file or file hash submission** is the only choice, and is automatically selected.
- > [!div class="mx-imgBorder"]
- > ![Submit items to Microsoft for review](../../media/unified-admin-submission-file.png)
+ :::image type="content" source="../../media/unified-admin-submission-file.png" alt-text="Screenshot showing how to submit files.":::
7. Click **Submit**.
If you have a file that you suspect might be malware or is being incorrectly det
You can also submit a file or file hash directly from the list of alerts on the **Alerts** page.
-1. Open the Microsoft 365 Defender at <https://security.microsoft.com/>, click **Incidents & alerts**, and then click **Alerts** to view the list of alerts.
+1. Open the Microsoft 365 Defender at [https://security.microsoft.com](https://security.microsoft.com), click **Incidents & alerts**, and then click **Alerts** to view the list of alerts.
2. Select the alert you want to report. Note that you are submitting a file that is nestled within the alert. 3. Click the ellipses next to **Manage alert** to see additional options. Select **Submit items to Microsoft for review**.
- > [!div class="mx-imgBorder"]
- > ![Submit items from alerts queue](../../media/unified-admin-submission-alerts-queue.png)
+ :::image type="content" source="../../media/unified-admin-submission-alerts-queue.png" alt-text="Screenshot showing how to submit items from an alerts queue.":::
4. In the next flyout that opens, select the submission type.
- > [!div class="mx-imgBorder"]
- > ![Complete the required fields](../../media/unified-admin-submission-alert-queue-flyout.png)
+ :::image type="content" source="../../media/unified-admin-submission-alert-queue-flyout.png" alt-text="Screenshot showing how to specify a submission type and fill in required fields.":::
If you select **File** as the submission type, upload the file, categorize your submission, and choose the priority.
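Review bot: the `+` step 1 line keeps "Open the Microsoft 365 Defender at", which drops the noun; it should read "Open the Microsoft 365 Defender portal at [https://security.microsoft.com](https://security.microsoft.com)" to match the first procedure's wording. While this list is being touched, the unchanged step 2 ("a file that is nestled within the alert") would be clearer as "a file that is associated with the alert", and steps 2 and 3 currently run together on one line.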
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
search.appverid: met150 Previously updated : 04/18/2023 Last updated : 05/24/2023 # Configure advanced features in Defender for Endpoint
For more information, see [Manage indicators](manage-indicators.md).
> Network protection leverages reputation services that process requests in locations that might be outside of the location you've selected for your Defender for Endpoint data. ## Tamper protection
-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices.
-Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods.
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods.
-This feature is available if your organization uses Microsoft Defender Antivirus and Cloud-based protection is enabled. For more information, see [Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md).
-
-Keep tamper protection turned on to prevent unwanted changes to your security solution and its essential features.
+For more information, including how to configure tamper protection, see [Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md).
## Show user details
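Review bot: the `-` lines drop the prerequisite that tamper protection "is available if your organization uses Microsoft Defender Antivirus and Cloud-based protection is enabled", and the `+` line replaces it with only a link; because that dependency is what explains a toggle that appears to have no effect, keep one sentence naming the prerequisite here or confirm the linked tamper protection article states it up front. Two wording points on the merged `+` paragraph: "anti-virus" should be "antivirus" to match "Microsoft Defender Antivirus" in the same sentence, and "changed through apps and methods" is vague; say what kinds of methods are meant (for example, other apps or management tools).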
security Built In Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/built-in-protection.md
f1.keywords: NOCSH
## What is built-in protection, and how does it work?
-Built-in protection is a set of default settings that are rolling out to help ensure your devices are protected. These default settings are designed to protect devices from ransomware and other threats. Initially, built-in protection will include turning [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) on for your tenant, with other default settings coming soon. For more information, see the Tech Community blog post, [Tamper protection will be turned on for all enterprise customers](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/tamper-protection-will-be-turned-on-for-all-enterprise-customers/ba-p/3616478).
+Built-in protection is a set of default settings that are rolling out to help ensure your devices are protected. These default settings are designed to protect devices from ransomware and other threats. Initially, built-in protection includes turning [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) on for your tenant, with other default settings coming soon. For more information, see the Tech Community blog post, [Tamper protection will be turned on for all enterprise customers](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/tamper-protection-will-be-turned-on-for-all-enterprise-customers/ba-p/3616478).
| Phase | What happens | |:|:|
-| Built-in protection is rolling out | Customers are receiving [notification](#what-does-the-notification-look-like) that built-in protection is coming. If it's not already configured, tamper protection will be turned on for customers who have Defender for Endpoint Plan 2 or Microsoft 365 E5. |
+| Built-in protection is rolling out | Customers are receiving [notification](#what-does-the-notification-look-like) that built-in protection is coming. If it's not already configured, tamper protection is turned on for customers who have Defender for Endpoint Plan 2 or Microsoft 365 E5. |
| Built-in protection becomes available for your tenant | You'll be [notified](#what-does-the-notification-look-like) that your tenant is about to receive built-in protection and when tamper protection will be turned on (if it's not already configured). |
-| Built-in protection arrives | Tamper protection will be turned on for your tenant, and will be applied to your organization's Windows devices. You can [opt out](#can-i-opt-out) or [change your built-in protection settings](#can-i-change-built-in-protection-settings). |
-| After built-in protection has arrived | Whenever new devices are onboarded to Defender for Endpoint, built-in protection settings will be applied to any new devices running Windows. You can always [change your built-in protection settings](#can-i-change-built-in-protection-settings). |
+| Built-in protection arrives | Tamper protection is turned on for your tenant, and is applied to your organization's Windows devices. You can [opt out](#can-i-opt-out) or [change your built-in protection settings](#can-i-change-built-in-protection-settings). |
+| After built-in protection has arrived | Whenever new devices are onboarded to Defender for Endpoint, built-in protection settings are applied to any new devices running Windows. You can always [change your built-in protection settings](#can-i-change-built-in-protection-settings). |
> [!NOTE] > Built-in protection sets default values for Windows and Mac devices. If endpoint security settings change, such as through baselines or policies in [Microsoft Intune](/mem/endpoint-manager-overview), those settings override the built-in protection settings.
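Review bot: the `+` rows say tamper protection "is applied to your organization's Windows devices" and that built-in protection settings are applied to "new devices running Windows", while the note directly below states "Built-in protection sets default values for Windows and Mac devices"; the table rows should either say Windows and Mac as well or explain that only Windows devices receive tamper protection through built-in protection. The unchanged "becomes available for your tenant" row still uses "will be turned on"; that is a genuine future so it can stay, but double-check the mixture with the newly present-tense rows is intentional.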
You can expect to receive two types of notifications:
:::image type="content" source="media/bip-notification-m365defender.png" alt-text="Screenshot showing yellow banner highlighting built in protection in Microsoft 365 Defender portal.":::
-Your notification will tell you when built-in protection is coming and when tamper protection will be turned on (if it's not already configured) for your tenant.
+Your notification tells you when built-in protection is coming and when tamper protection will be turned on (if it's not already configured) for your tenant.
## Can I opt out?
Built-in protection is a set of default settings. You aren't required to keep th
| Task | Description | |:|:|
-| Determine whether tamper protection is turned on for your organization | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.<br/>2. Go to **Settings** > **Endpoints** > **Advanced features** > **Tamper protection**. |
-| Manage tamper protection tenant wide using the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.<br/>2. Go to **Settings** > **Endpoints** > **Advanced features**.<br/>3. Set **Tamper protection** to **On** (*recommended*) or **Off**.<br/>4. Select **Save preferences**.<br/>See [Manage tamper protection for your organization using Microsoft 365 Defender portal](manage-tamper-protection-microsoft-365-defender.md). |
-| Set tamper protection settings for some, but not all, devices | Use endpoint security policies and profiles that are applied to specific devices. See the following articles:<br/>- [Manage tamper protection using Microsoft Intune](manage-tamper-protection-intune.md)<br/>- [Manage tamper protection using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md)|
-| Turn tamper protection on or off on an individual Windows device | 1. On your Windows device, select **Start**, and start typing *Security*.<br/>2. In the search results, select **Windows Security**.<br/>3. Select **Virus & threat protection** > **Virus & threat protection settings**.<br/>4. Set **Tamper Protection** to **On** (*recommended*) or **Off**. <br/><br/>If the device is onboarded to Defender for Endpoint, or the device is managed in the Microsoft Intune admin center, those settings will override user settings on the individual device. See [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md). |
-| Turn tamper protection on or off manually on a Mac | 1. On your Mac, open Finder, and go to **Applications** > **Utilities** > **Terminal**.<br/>2. In Terminal, type the following command `sudo mdatp config tamper-protection enforcement-level --value (chosen mode)`.<br/><br/>See [Manual configuration](tamperprotection-macos.md#manual-configuration). |
+| Determine whether tamper protection is turned on for your organization | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.<br/><br/>2. Go to **Settings** > **Endpoints** > **Advanced features** > **Tamper protection**. |
+| Manage tamper protection tenant wide using the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.<br/><br/>2. Go to **Settings** > **Endpoints** > **Advanced features**.<br/><br/>3. Set **Tamper protection** to **On** (*recommended*) or **Off**.<br/><br/>4. Select **Save preferences**.<br/><br/>See [Manage tamper protection for your organization using Microsoft 365 Defender portal](manage-tamper-protection-microsoft-365-defender.md). |
+| Set tamper protection settings for some, but not all, devices | Use endpoint security policies and profiles that are applied to specific devices. <br/><br/>See the following articles:<br/>- [Manage tamper protection using Microsoft Intune](manage-tamper-protection-intune.md)<br/>- [Manage tamper protection using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md)|
+| Turn tamper protection on or off on an individual Windows device | 1. On your Windows device, select **Start**, and start typing *Security*.<br/><br/>2. In the search results, select **Windows Security**.<br/><br/>3. Select **Virus & threat protection** > **Virus & threat protection settings**.<br/><br/>4. Set **Tamper Protection** to **On** (*recommended*) or **Off**. <br/><br/>If the device is onboarded to Defender for Endpoint, or the device is managed in the Microsoft Intune admin center, those settings will override user settings on the individual device. See [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md). |
+| Turn tamper protection on or off manually on a Mac | 1. On your Mac, open Finder, and go to **Applications** > **Utilities** > **Terminal**.<br/><br/>2. In Terminal, type the following command `sudo mdatp config tamper-protection enforcement-level --value (chosen mode)`.<br/><br/>See [Manual configuration](tamperprotection-macos.md#manual-configuration). |
| Change tamper protection settings using a Mobile Device Management (MDM) solution | To change the tamper protection mode using an MDM, go to the configuration profile and change the enforcement level in [Intune](tamperprotection-macos.md#intune) or [JAMF](tamperprotection-macos.md#jamf).<br/><br/>The configuration profile set with the MDM will be your first point of reference. Any settings defined in the profile will be enforced on the device, and built-in-protection default settings won't override these applied settings. | | Temporarily disable tamper protection on a device for troubleshooting purposes | See the following articles:<br/>- [Get started with troubleshooting mode in Microsoft Defender for Endpoint](enable-troubleshooting-mode.md)<br/>- [Troubleshooting mode scenarios in Microsoft Defender for Endpoint](troubleshooting-mode-scenarios.md) |
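Review bot: the Mac row's command on the `+` line still carries the placeholder `(chosen mode)` in `sudo mdatp config tamper-protection enforcement-level --value (chosen mode)`; since this row is being reflowed anyway, either list the accepted values or state explicitly that they are given in the linked [Manual configuration](tamperprotection-macos.md#manual-configuration) section, because a reader who pastes the line verbatim gets a failing command. In the Windows device row, "those settings will override user settings" keeps the future tense this PR removes elsewhere; "override" reads better.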
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
There might be associated challenges when onboarding VDI instances. The followin
In a VDI environment, VDI instances can have short lifespans. VDI devices can appear in the Microsoft 365 Defender portal as either single entries for each VDI instance or multiple entries for each device. -- Single entry for each VDI instance. If the VDI instance was already onboarded to Microsoft Defender for Endpoint, and at some point deleted, and then recreated with the same host name, a new object representing this VDI instance will NOT be created in the portal.
+- Single entry for each VDI instance. If the VDI instance was already onboarded to Microsoft Defender for Endpoint, and at some point deleted, and then recreated with the same host name, a new object representing this VDI instance is NOT be created in the portal.
> [!NOTE] > In this case, the *same* device name must be configured when the session is created, for example using an unattended answer file.
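Review bot: the `+` bullet introduces a grammatical error: "a new object representing this VDI instance is NOT be created in the portal" should be "isn't created in the portal" (or "is NOT created"); the original "will NOT be created" was at least well-formed, so this line needs a fix before merging.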
In a VDI environment, VDI instances can have short lifespans. VDI devices can ap
> [!IMPORTANT] > If you're deploying non-persistent VDIs through cloning technology, make sure that your internal template VMs are not onboarded to Defender for Endpoint. This recommendation is to avoid cloned VMs from being onboarded with the same senseGuid as your template VMs, which could prevent VMs from showing up as new entries in the Devices list.
-The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.
+The following steps guide you through onboarding VDI devices and highlight steps for single and multiple entries.
> [!WARNING] > For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding.
The following steps will guide you through onboarding VDI devices and will highl
### Onboarding steps > [!NOTE]
-> Windows Server 2016 and Windows Server 2012 R2 will need to be prepared by applying the installation package first using the instructions in [Onboard Windows servers](/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-2012-r2-and-windows-server-2016) for this feature to work.
+> Windows Server 2016 and Windows Server 2012 R2 must be prepared by applying the installation package first using the instructions in [Onboard Windows servers](/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-2012-r2-and-windows-server-2016) for this feature to work.
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>: 1. In the navigation pane, select **Settings** > **Endpoints** > **Device management** > **Onboarding**.
- 1. Select the operating system.
+ 2. Select the operating system.
- 1. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
+ 3. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
- 1. Click **Download package** and save the .zip file.
+ 4. Click **Download package** and save the .zip file.
2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/primary image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.+ 1. If you are implementing multiple entries for each device - one for each session, copy WindowsDefenderATPOnboardingScript.cmd.+ 2. If you're implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd. > [!NOTE]
The following steps will guide you through onboarding VDI devices and will highl
> Domain Group Policy may also be used for onboarding non-persistent VDI devices. 4. Depending on the method you'd like to implement, follow the appropriate steps:+ - For single entry for each device:
- Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it will be triggered automatically.
+ Select the **PowerShell Scripts** tab, then select **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. There's no need to specify the other file, as it is triggered automatically.
- For multiple entries for each device:
- Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
+ Select the **Scripts** tab, then click **Add** (Windows Explorer opens directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
5. Test your solution:+ 1. Create a pool with one device.+ 2. Log on to device.
+
3. Log off from device.
+
4. Log on to device with another user.
+
5. Depending on the method you'd like to implement, follow the appropriate steps:
+
- For single entry for each device: Check only one entry in Microsoft 365 Defender portal. - For multiple entries for each device: Check multiple entries in Microsoft 365 Defender portal.
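Review bot: the two `+` lines in step 4 disagree with each other: the single-entry branch changes "click **Add**" to "select **Add**" while the multiple-entries branch keeps "click **Add**"; pick one verb (the rest of the PR moves to "select"). Also, `WindowsDefenderATPOnboardingScript.cmd` is a Windows batch (.cmd) script, not a bash script, so "the onboarding bash script" on the second `+` line should read "the onboarding batch script" or simply "the onboarding script".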
The following configuration settings are recommended:
- Defender Cloud Extended Timeout In Seconds: 20 #### Exclusions+ - Disable local admin merge: Not configured+ - Defender processes to exclude:+ - `%Programfiles%\FSLogix\Apps\frxccd.exe` - `%Programfiles%\FSLogix\Apps\frxccds.exe` - `%Programfiles%\FSLogix\Apps\frxsvc.exe` - File extensions to exclude from scans and real-time protection:+ - `%Programfiles%\FSLogix\Apps\frxccd.sys` - `%Programfiles%\FSLogix\Apps\frxdrv.sys` - `%Programfiles%\FSLogix\Apps\frxdrvvt.sys`
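Review bot: in the **Exclusions** section (unchanged apart from the added blank lines), the heading "File extensions to exclude from scans and real-time protection" is followed by full paths to `.sys` drivers such as `%Programfiles%\FSLogix\Apps\frxccd.sys`, which are files, not extensions; relabel the list as files to exclude (or move the paths under a file exclusions heading) so an admin doesn't enter `.sys` as an extension exclusion, which would be far broader than the intended FSLogix driver set.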
The following configuration settings are recommended:
- Turn on all settings and set to monitor all files #### Remediation+ - Number of days to keep quarantined malware: 30 - Submit samples consent: Send all samples automatically - Action to take on potentially unwanted apps: Enable
The following configuration settings are recommended:
- Check for signature updates before running scan: Yes #### Updates+ - Enter how often to check for security intelligence updates: 8 - Leave other settings in default state #### User experience+ - Allow user access to Microsoft Defender app: Not configured #### Enable Tamper protection+ - Enable tamper protection to prevent Microsoft Defender being disabled: Enable #### Attack surface reduction
The following configuration settings are recommended:
- Block unverified file download: Yes #### Attack surface reduction rules+ - Configure all available rules to Audit. > [!NOTE]
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
Title: Enable and configure Microsoft Defender Antivirus protection capabilities
+ Title: Enable and configure Microsoft Defender Antivirus always-on protection
description: Enable and configure Microsoft Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine learning keywords: antivirus, real-time protection, rtp, machine learning, behavior monitoring, heuristics
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium Previously updated : 10/22/2021 Last updated : 05/24/2023
search.appverid: met150
-# Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy
+# Enable and configure Microsoft Defender Antivirus always-on protection
**Applies to:**
search.appverid: met150
**Platforms** - Windows
-Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
+Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as autostart extensibility points, or ASEPs), and other changes to the file system or file structure. Always-on protection is an important part of your antivirus protection and should be enabled.
-These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as autostart extensibility points, or ASEPs), and other changes to the file system or file structure.
+> [!NOTE]
+> [Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) helps keep always-on protection and other security settings from being changed. As a result, when tamper protection is enabled, any changes made to [tamper-protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) are ignored. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
-## Enable and configure always-on protection in Group Policy
+## Manage antivirus settings with Microsoft Intune
+You can use Intune to configure antivirus policies, and then apply those policies across devices in your organization. Antivirus policies help security admins focus on managing the discrete group of antivirus settings for managed devices. Each antivirus policy includes several profiles. Each profile contains only the settings that are relevant for Microsoft Defender Antivirus for macOS and Windows devices, or for the user experience in the Windows Security app on Windows devices. For more information, see [Antivirus policy for endpoint security in Intune](/mem/intune/protect/endpoint-security-antivirus-policy).
+
+1. Go to the [Intune admin center](https://intune.microsoft.com/) and sign in.
+
+2. In the navigation pane, choose **Endpoint security** and then, under **Manage**, choose **Antivirus**.
+
+3. Select an existing policy, or choose **+ Create Policy** to create a new policy.
+
+ | Task | What to do |
+ |||
+ | Create a new policy for Windows devices | 1. In the **Create a profile** step, in the **Platform** list, select **Windows 10, Windows 11, and Windows Server**. For **Profile**, select **Microsoft Defender Antivirus**. Then choose **Create**.<br/><br/>2. On the **Basics** step, type a name and description for your policy, and then choose **Next**.<br/><br/>3. On the **Configuration settings** step, expand **Defender**, select the settings you want to use for your policy, and then choose **Next**. To get help with your settings, refer to [Policy CSP - Defender](/windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-fx). <br/><br/>4. On the **Scope tags** step, choose **Select scope tags** to open the *Select tags* pane to assign scope tags to the profile, and then select **Next** to continue.<br/><br/>5. On the **Assignments** page, select the groups to receive this profile, and then select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).<br/><br/>6. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created. |
+ | Create a new policy for macOS devices | 1. In the **Create a profile** step, in the **Platform** list, select **macOS**. For **Profile**, select **Antivirus**. Then choose **Create**.<br/><br/>2. On the **Basics** step, type a name and description for your policy, and then choose **Next**.<br/><br/>3. On the **Configuration settings** step, select the settings you want to use for your policy, and then choose **Next**. To get help with your settings, refer to [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md).<br/><br/>4. On the **Scope tags** step, choose **Select scope tags** to open the *Select tags* pane to assign scope tags to the profile, and then select **Next** to continue.<br/><br/>5. On the **Assignments** page, select the groups to receive this profile, and then select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).<br/><br/>6. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list when you select the policy type for the profile you created. |
+ | Edit an existing policy for Windows devices | 1. Select an antivirus policy for Windows devices. <br/><br/>2. Next to **Configuration settings**, choose **Edit**. <br/><br/>3. Expand **Defender**, and then edit settings for your policy. To get help with your settings, refer to [Policy CSP - Defender](/windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-fx). <br/><br/>4. select **Review + save**, and then select **Save**. |
+ | Edit an existing policy for macOS devices | 1. Select an antivirus policy for macOS devices. <br/><br/>2. Select **Properties**, and then, next to **Configuration settings**, choose **Edit**. <br/><br/>3. Under **Microsoft Defender for Endpoint**, edit settings for your policy. To get help with your settings, refer to [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md).<br/><br/>4. select **Review + save**, and then select **Save**. |
+
+## Are you using Group Policy?
+
+> [!IMPORTANT]
+> We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage Microsoft Defender Antivirus settings for your organization. With Intune, you can control where tamper protection is enabled (or disabled) through policies. You can also protect Microsoft Defender Antivirus exclusions. See [Tamper protection: Microsoft Defender Antivirus exclusions](prevent-changes-to-security-settings-with-tamper-protection.md#what-about-exclusions).
+
+You can use Group Policy to manage some Microsoft Defender Antivirus settings. Note that if [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled in your organization, any changes made to [tamper-protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) are ignored. You can't turn off tamper protection by using Group Policy.
+
+If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
+
You can use **Local Group Policy Editor** to enable and configure Microsoft Defender Antivirus always-on protection settings.
-To enable and configure always-on protection:
+### Enable and configure always-on protection using Group Policy
1. Open **Local Group Policy Editor**, as follows:
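Review bot: Step 4 in both edit procedures (the Windows row and the macOS row) starts with a lowercase verb, `4. select **Review + save**, and then select **Save**.`; capitalize it to match the other steps. The Windows procedure also goes straight from selecting the policy to `Next to **Configuration settings**, choose **Edit**`, while the macOS procedure inserts a `Select **Properties**` step first; if the Intune flow is the same for both platforms, add the Properties step to the Windows row as well. In the new Group Policy section the tamper protection article is linked once by relative path (`prevent-changes-to-security-settings-with-tamper-protection.md`) and once by absolute site path (`/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#...`); use one form, preferably the relative one the rest of this page uses.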
To enable and configure always-on protection:
### Real-time protection policy settings
-|Setting|Default setting|
-|||
-|Turn on behavior monitoring <p> The antivirus engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity.|Enabled|
-|Scan all downloaded files and attachments <p> Downloaded files and attachments are automatically scanned. This scan operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading.|Enabled|
-|Monitor file and program activity on your computer <p> The Microsoft Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run).|Enabled|
-|Turn on raw volume write notifications <p> Information about raw volume writes will be analyzed by behavior monitoring.|Enabled|
-|Turn on process scanning whenever real-time protection is enabled <p> You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled.|Enabled|
-|Define the maximum size of downloaded files and attachments to be scanned <p> You can define the size in kilobytes.|Enabled|
-|Configure local setting override for turn on behavior monitoring <p> Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled|
-|Configure local setting override for scanning all downloaded files and attachments <p> Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled|
-|Configure local setting override for monitoring file and program activity on your computer <p> Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled|
-|Configure local setting override to turn on real-time protection <p> Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled|
-|Configure local setting override for monitoring for incoming and outgoing file activity <p> Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.|Enabled|
-|Configure monitoring for incoming and outgoing file and program activity <p> Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This action is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes.|Enabled (both directions)|
-
-## Disable real-time protection in Group Policy
-
-> [!WARNING]
-> Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.
+For the most current settings, get the latest ADMX files in your central store. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) and download the latest files.
-The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**.
+### Disable real-time protection in Group Policy
-### To disable real-time protection in Group policy
+> [!WARNING]
+> **Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended**. In addition, if [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled, you cannot turn it off by using Group Policy. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
1. Open **Local Group Policy Editor**.
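Review bot: This hunk deletes the entire real-time protection settings table (behavior monitoring, scanning of downloaded files, raw volume write notifications, process scanning, the local-override settings and their defaults) and replaces it only with a pointer to download the latest ADMX files. The ADMX note tells readers where to get the templates but not which settings the procedure configures or what they default to, so the "Enable and configure always-on protection using Group Policy" procedure now has no settings list to work against. Keep a trimmed table, or at least link the settings reference already used on this page (`Policy CSP - Defender`) where the table was. Also, the troubleshooting-mode sentences added to the WARNING (`If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode]...`) repeat word for word the paragraph added a few lines earlier in the same section; state it once and cross-reference.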
The main real-time protection capability is enabled by default, but you can disa
6. Close **Local Group Policy Editor**.
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
- ## See also - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)+
+If you're looking for antivirus-related information for other platforms, see:
+- [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
+- [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
+- [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
+- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
+- [Configure Defender for Endpoint on Android features](android-configure.md)
+- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
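Review bot: The removed line `- ## See also - [Configure behavioral, heuristic, and real-time protection](...) - [Microsoft Defender Antivirus in Windows 10](...)` drops the See also heading and its two links, and the added lines only restore the other-platforms list without any heading. If the See also section is meant to survive, re-add the heading and those two links ahead of the platform list; if it is meant to go, the platform list now sits directly under the last procedure step (`6. Close **Local Group Policy Editor**.`), which reads as part of the procedure, so give it a heading of its own.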
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
ms.localizationpriority: medium
Previously updated : 02/08/2023 Last updated : 05/24/2023
search.appverid: met150
**Platforms** - Windows
-[Cloud protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md) delivers accurate, real-time, and intelligent protection. Cloud protection should be enabled by default; however, you can configure cloud protection to suit your organization's needs.
+[Cloud protection in Microsoft Defender Antivirus](cloud-protection-microsoft-defender-antivirus.md) delivers accurate, real-time, and intelligent protection. Cloud protection should be enabled by default.
+
+> [!NOTE]
+> [Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) helps keep cloud protection and other security settings from being changed. As a result, when tamper protection is enabled, any changes made to [tamper-protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) are ignored. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
## Why cloud protection should be turned on
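Review bot: The new NOTE says that when tamper protection is enabled "any changes made to tamper-protected settings are ignored", but the rest of this article is a set of procedures for changing cloud protection through Intune, Group Policy, PowerShell and the Windows Security app. Readers will want to know which of those channels is blocked and whether changes delivered by their management tool are still honored; say so here, or scope the sentence to changes made outside the management tool, otherwise the note appears to contradict the sections that follow. The clause removed from the intro, "however, you can configure cloud protection to suit your organization's needs", could be kept after the note for the same reason.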
You can also use [Configuration Manager](/mem/configmgr/protect/deploy-use/defen
For more information about the specific network-connectivity requirements to ensure your endpoints can connect to the cloud protection service, see [Configure and validate network connections](configure-network-connections-microsoft-defender-antivirus.md). > [!NOTE]
-> In Windows 10 and Windows 11, there is no difference between the **Basic** and **Advanced** reporting options described in this article. This is a legacy distinction and choosing either setting will result in the same level of cloud protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839).
+> In Windows 10 and Windows 11, there is no difference between the **Basic** and **Advanced** reporting options described in this article. This is a legacy distinction and choosing either setting results in the same level of cloud protection. There is no difference in the type or amount of information that is shared. For more information on what we collect, see the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839).
## Use Microsoft Intune to turn on cloud protection
For more information about the specific network-connectivity requirements to ens
- **Send all samples** (3) > [!NOTE]
- > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
- > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
+ > The **Send safe samples** (1) option means that most samples are sent automatically. Files that are likely to contain personal information prompt the user for additional confirmation.
+ > Setting the option to **Always Prompt** (0) lowers the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work.
7. Select **OK**.
For more information on how to use PowerShell with Microsoft Defender Antivirus,
> [!IMPORTANT] > You can set **-SubmitSamplesConsent** to `SendSafeSamples` (the default, recommended setting), `NeverSend`, or `AlwaysPrompt`.
-> The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will result in a prompt to continue and will require confirmation.
+> The `SendSafeSamples` setting means that most samples are sent automatically. Files that are likely to contain personal information result in a prompt for the user to continue, and require confirmation.
> The `NeverSend` and `AlwaysPrompt` settings lower the protection level of the device. Furthermore, the `NeverSend` setting means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. ## Use Windows Management Instruction (WMI) to turn on cloud protection
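Review bot: The trailing context heading reads `## Use Windows Management Instruction (WMI) to turn on cloud protection`; WMI is Windows Management Instrumentation, so fix the heading while this section is being edited. Also, the PowerShell note states `The NeverSend and AlwaysPrompt settings lower the protection level of the device`, whereas the Intune note edited above says only that Always Prompt lowers the protection state and describes Never send solely in terms of Block at First Sight; align the two so they make the same claim about Never send.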
For more information about allowed parameters, see [Windows Defender WMIv2 APIs]
## Turn on cloud protection on individual clients with the Windows Security app > [!NOTE]
-> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings are greyed out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting is updated in Windows Settings.
1. Open the Windows Security app by selecting the shield icon in the task bar, or by searching the start menu for **Windows Security**.
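Review bot: The rewrite introduces a subject-verb disagreement: `the **Cloud-based protection** setting in Windows Settings are greyed out and unavailable` has the singular subject "setting", so it should read "is greyed out and unavailable" (the removed line's "will be greyed-out" agreed correctly).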
For more information about allowed parameters, see [Windows Defender WMIv2 APIs]
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. > [!NOTE]
- > If automatic sample submission has been configured with Group Policy, then the setting will be greyed-out and unavailable.
+ > If automatic sample submission has been configured with Group Policy, then the setting is greyed out and unavailable.
## See also
security Enable Troubleshooting Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode.md
Last updated 04/18/2023
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
-Microsoft Defender for Endpoint troubleshooting mode allows you to troubleshoot various Microsoft Defender antivirus features by enabling them from the device and testing different scenarios, even if they're controlled by the organization policy. The troubleshooting mode is disabled by default and requires you to turn it on for a device (and/or group of devices) for a limited time. Note that this is exclusively an Enterprise-only feature, and requires Microsoft 365 Defender access.
+Troubleshooting mode in Microsoft Defender for Endpoint enables you to troubleshoot various Microsoft Defender Antivirus features by enabling them on a device and testing different scenarios, even if they're controlled by organization policy. For example, if [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled, [certain settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on) cannot be modified or turned off, but you can use troubleshooting mode on a device to edit those settings temporarily.
+
+Troubleshooting mode is disabled by default, and requires you to turn it on for a device (and/or group of devices) for a limited time. Note that this is exclusively an Enterprise-only feature, and requires Microsoft 365 Defender access.
+ ## What do you need to know before you begin?+ During troubleshooting mode, you can use the PowerShell command `Set-MPPreference -DisableTamperProtection $true` or, on client operating systems, the Security Center app to temporarily disable tamper protection on your device and make your necessary configuration changes. - Use troubleshooting mode to disable/change the tamper protection setting to perform: - Microsoft Defender Antivirus functional troubleshooting /application compatibility (false positive application blocks).
- - Microsoft Defender Antivirus performance troubleshooting by using the troubleshooting mode and manipulating tamper protection and other antivirus settings.
-- If a tampering event occurs (for example, the `MpPreference` snapshot is altered or deleted), troubleshooting mode will end and tamper protection will be enabled on the device.
+ - Microsoft Defender Antivirus performance troubleshooting by using troubleshooting mode and manipulating tamper protection and other antivirus settings.
+
+- If a tampering event occurs (for example, the `MpPreference` snapshot is altered or deleted), troubleshooting mode ends and tamper protection is re-enabled on the device.
- Local admins, with appropriate permissions, can change configurations on individual endpoints that are usually locked by policy. Having a device in troubleshooting mode can be helpful when diagnosing Microsoft Defender Antivirus performance and compatibility scenarios. - Local admins won't be able to turn off Microsoft Defender Antivirus, or uninstall it.
- - Local admins will be able to configure all other security settings in the Microsoft Defender Antivirus suite (for example, cloud protection, tamper protection).
-- Admins with "Manage Security settings" permissions will have access to turn on troubleshooting mode.
+ - Local admins can configure all other security settings in the Microsoft Defender Antivirus suite (for example, cloud protection, tamper protection).
+
+- Admins with "Manage Security settings" permissions have access to turn on troubleshooting mode.
- Microsoft Defender for Endpoint collects logs and investigation data throughout the troubleshooting process.
- - Snapshot of `MpPreference` will be taken before troubleshooting mode begins.
- - Second snapshot will be taken just before troubleshooting mode expires.
- - Operational logs from during troubleshooting mode will also be collected.
+ - A snapshot of `MpPreference` is taken before troubleshooting mode begins.
+
+ - A second snapshot is taken just before troubleshooting mode expires.
+
+ - Operational logs from during troubleshooting mode are also collected.
- - All the above logs and snapshots will be collected and will be available for an admin to collect using the [Collect investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) feature on the device page. Note that Microsoft won't remove this data from the device until an admin collects them.
+ - Logs and snapshots are collected and are available for an admin to collect using the [Collect investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) feature on the device page. Note that Microsoft won't remove this data from the device until an admin collects them.
- Admins can also review the changes in settings that take place during Troubleshooting mode in **Event Viewer** on the device page. -- Troubleshooting mode automatically turns off after reaching the expiration time (it lasts for 3 hours). After expiration, all policy-managed configurations will become read-only again and will revert back to how it was before setting the troubleshooting mode on.
+- Troubleshooting mode automatically turns off after reaching the expiration time (it lasts for 3 hours). After expiration, all policy-managed configurations become read-only again and revert back to how the device was configured before enabling troubleshooting mode.
- It could take up to 15 minutes from the time the command is sent from Microsoft 365 Defender to when it becomes active on the device. -- Notification will be sent to the end user when the troubleshooting mode begins and when the troubleshooting mode ends. A warning will also be sent notifying that it will end soon.
+- Notifications are sent to the user when troubleshooting mode begins and when troubleshooting mode ends. A warning is also sent to indicate that troubleshooting mode is ending soon.
-- The beginning and ending of troubleshooting mode will be identified in the **Device Timeline** on the device page.
+- The beginning and ending of troubleshooting mode is identified in the **Device Timeline** on the device page.
- You can query all troubleshooting mode events in advanced hunting. > [!NOTE]
-> Policy management changes will be applied to the machine when it is actively in Troubleshooting mode. However, the changes will not take effect until the Troubleshooting mode expires. Additionally, Microsoft Defender Antivirus Platform updates will not be applied during Troubleshooting mode. Platform updates will be applied once Troubleshooting mode ends with a Windows update.
+> Policy management changes are applied to the device when it is actively in troubleshooting mode. However, the changes do not take effect until troubleshooting mode expires. Additionally, Microsoft Defender Antivirus Platform updates are not applied during Troubleshooting mode. Platform updates are applied when troubleshooting mode ends with a Windows update.
## Prerequisites
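Review bot: `The beginning and ending of troubleshooting mode is identified in the **Device Timeline**` has a compound subject and needs "are identified"; the removed line ("will be identified") was correct. Other points in this hunk: "enables you to troubleshoot ... by enabling them on a device" stacks "enables" and "enabling" (the removed "allows you to" read better); "revert back to how the device was configured" should be "revert to"; the final NOTE mixes "troubleshooting mode" and "Troubleshooting mode" in adjacent sentences; and "Platform updates are applied when troubleshooting mode ends with a Windows update" leaves it unclear whether the Windows update ends the mode or delivers the platform update after the mode ends. In the context line, the cmdlet is written `Set-MPPreference` where the documented casing is `Set-MpPreference`, and "the Security Center app" is the Windows Security app referred to elsewhere in this update.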
During troubleshooting mode, you can use the PowerShell command `Set-MPPreferenc
- Sense version 10.8049.22439.1084 or later ([KB5005292: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005292))
- - Defender Antivirus - Platform: 4.18.2207.7 or later ([KB4052623: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623))
+ - Microsoft Defender Antivirus - Platform: 4.18.2207.7 or later ([KB4052623: Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4052623))
- - Defender Antivirus - Engine: 1.1.19500.2 or later ([KB2267602: Microsoft Update Catalog](https://www.microsoft.com/en-us/wdsi/defenderupdates))
+ - Microsoft Defender Antivirus - Engine: 1.1.19500.2 or later ([KB2267602: Microsoft Update Catalog](https://www.microsoft.com/en-us/wdsi/defenderupdates))
- For troubleshooting mode to be applied, Microsoft Defender for Endpoint must be tenant-enrolled and active on the device. - The device must be actively running Microsoft Defender Antivirus, version 4.18.2203 or later.
-## Enable the troubleshooting mode
+## Enable troubleshooting mode
1. Go to the Microsoft 365 Defender portal (<https://security.microsoft.com>), and sign in.
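Review bot: The prerequisites list now carries two different minimum platform versions: `Microsoft Defender Antivirus - Platform: 4.18.2207.7 or later` in the edited bullets and, in the trailing context, `The device must be actively running Microsoft Defender Antivirus, version 4.18.2203 or later`. Reconcile them, or state which component each applies to. Also, the engine bullet is labeled `KB2267602: Microsoft Update Catalog` but links to `https://www.microsoft.com/en-us/wdsi/defenderupdates`, which is the security intelligence updates page rather than the Update Catalog; fix either the label or the link.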
DeviceEvents
| where count_ > 5 // choose your max # of TS mode instances for your time range ```
-## Related topic
+## Related articles
> [!TIP]
-> **Performance tip** Due to a variety of factors (examples listed below) Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:
+> **Performance tip** Due to a variety of factors, Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:
> > - Top paths that impact scan time > - Top files that impact scan time
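Review bot: The renamed `## Related articles` heading is immediately followed by the performance TIP callout rather than by links, so the tip reads as the section's content. Move the TIP above the heading, or into the body where performance is discussed, so that Related articles contains only the related-article list.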
security Manage Tamper Protection Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-configuration-manager.md
description: Turn tamper protection on or off using tenant attach with Configura
keywords: malware, defender, antivirus, tamper protection, Configuration Manager ms.localizationpriority: medium Previously updated : 03/09/2023 Last updated : 05/19/2023 audience: ITPro
search.appverid: met150
Using Configuration Manager with tenant attach, you can turn tamper protection on (or off) for some or all devices. > [!IMPORTANT]
-> When tamper protection is turned on, [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-is-tamper-protection) cannot be changed. To avoid breaking management experiences, including Intune and Configuration Manager, keep in mind that changes to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. You can use [Intune](manage-tamper-protection-intune.md) and Configuration Manager to exclude devices from tamper protection. And, if you're managing tamper protection through Intune, you can change [tamper-protected antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions).
+> When tamper protection is turned on, [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-is-tamper-protection) cannot be changed. To avoid breaking management experiences, including Intune and Configuration Manager, keep in mind that changes to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available:
+> - If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device.
+> - You can use [Intune](manage-tamper-protection-intune.md) or Configuration Manager to exclude devices from tamper protection.
:::image type="content" source="media/tamper-protect-configmgr.png" alt-text="Screenshot showing Windows Security settings with tamper protection enabled.":::
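Review bot: The replacement drops the third option the removed line carried, changing `tamper-protected antivirus exclusions` through Intune, while the parallel edit to the Intune article keeps it as a bullet; if it still applies to tenant-attach customers who manage tamper protection from Intune, add it back as a third bullet. The troubleshooting-mode bullet here also omits the caveat the Intune article's version includes ("after troubleshooting mode ends, any changes made to tamper-protected settings are reverted"), which matters to a reader who expects a change made in troubleshooting mode to persist.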
Using Configuration Manager with tenant attach, you can turn tamper protection o
- [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings) - [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin) - [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
+- [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration)
+
security Manage Tamper Protection Individual Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device.md
search.appverid: met150
# Manage tamper protection on an individual device **Applies to:**-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)-- [Microsoft Defender for Business](../defender-business/mdb-overview.md)-- [Microsoft 365 Business Premium](../../business-premium/index.md) **Platforms** - Windows
Here's what you see in the Windows Security app:
> To help ensure that tamper protection doesn't interfere with non-Microsoft security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).) > > After you've made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors.+
+## See also
+
+[Protect security settings with tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)
+
+[Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
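Review bot: The added See also list uses bare link lines separated by blank lines, whereas the See also sections elsewhere in this update (for example `- [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)` in the Configuration Manager article) use bulleted list items; use the same bulleted style here.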
security Manage Tamper Protection Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-intune.md
description: Turn tamper protection on or off for your organization in Microsoft
keywords: malware, defender, antivirus, tamper protection, Microsoft Intune ms.localizationpriority: medium Previously updated : 05/04/2023 Last updated : 05/24/2023 audience: ITPro
Using Intune, you can:
> [!IMPORTANT] > If you're using Microsoft Intune to manage Defender for Endpoint settings, make sure to set [DisableLocalAdminMerge](/windows/client-management/mdm/defender-csp#configurationdisablelocaladminmerge) to true on devices. >
-> When tamper protection is turned on, [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on) cannot be changed. To avoid breaking management experiences, including Intune and Configuration Manager, keep in mind that changes to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. You can use Intune and [Configuration Manager](manage-tamper-protection-configuration-manager.md) to exclude devices from tamper protection. And, if you're managing tamper protection through Intune, you can change [tamper-protected antivirus exclusions](#tamper-protection-for-antivirus-exclusions).
+> When tamper protection is turned on, [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on) cannot be changed. To avoid breaking management experiences, including Intune (and [Configuration Manager](manage-tamper-protection-configuration-manager.md)), keep in mind that changes to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available:
+> - If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
+> - You can use Intune or [Configuration Manager](manage-tamper-protection-configuration-manager.md) to exclude devices from tamper protection.
+> - If you're managing tamper protection through Intune, you can change [tamper-protected antivirus exclusions](#tamper-protection-for-antivirus-exclusions).
## Requirements for managing tamper protection in Intune
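Review bot: The Configuration Manager link is now duplicated inside one alert: the rewritten first line links it in the parenthetical "(and [Configuration Manager](manage-tamper-protection-configuration-manager.md))" and the second bullet links it again; keep the link in the bullet and drop the parenthetical, which also reads awkwardly after "including Intune". In the troubleshooting-mode bullet, lead with what the mode is for so the closing sentence doesn't read as a contradiction of the first: "To diagnose a device, use troubleshooting mode to temporarily disable tamper protection. When troubleshooting mode ends, tamper-protected settings are restored to their configured state." That also removes the "Note that" opener.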
Using Intune, you can:
- Your devices must be onboarded to Defender for Endpoint. > [!NOTE]
-> If devices are not enrolled in Microsoft Defender for Endpoint, tamper protection will show as **Not Applicable** until the onboarding process completes.
+> If devices are not enrolled in Microsoft Defender for Endpoint, tamper protection shows up as **Not Applicable** until the onboarding process completes.
> Tamper protection can prevent changes to security settings from occurring. If you see an error code with Event ID 5013, see [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus/). ## Turn tamper protection on (or off) in Microsoft Intune
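Review bot: Terminology is inconsistent within this hunk: the requirement bullet says devices must be "onboarded to Defender for Endpoint", while the note directly under it says "not enrolled in Microsoft Defender for Endpoint". "Enrolled" is the Intune term; "onboarded" is the Defender for Endpoint term, and readers checking the Intune device list will look for the wrong state. Use "onboarded" in the note as well. "shows up as **Not Applicable**" is also informal for a reference article; "is reported as **Not Applicable**" or "appears as" fits the surrounding text.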
You can use a registry key to determine whether the functionality to protect Mic
- If **TPExclusions** has a value of `0`, then tamper protection isn't currently protecting exclusions on the device. (*If you meet all the requirements and this state seems incorrect, contact support*.) > [!CAUTION]
-> **Do not change the value of the registry keys**. Use the preceding procedure for information only. Changing keys will have no effect on whether tamper protection applies to exclusions.
+> **Do not change the value of the registry keys**. Use the preceding procedure for information only. Changing keys has no effect on whether tamper protection applies to exclusions.
## See also - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md) - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos) - [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
+- [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration)
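Review bot: In the caution, "Use the preceding procedure for information only" leaves it unclear what is informational; the point is that the registry values are read-only indicators of the exclusion-protection state. Suggest: "These registry values are indicators only. Do not change them; changing them has no effect on whether tamper protection applies to exclusions." The tense fix ("has no effect") is fine.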
security Manage Tamper Protection Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-microsoft-365-defender.md
search.appverid: met150
[Tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) helps protect certain [security settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on), such as virus and threat protection, from being disabled or changed. If you're part of your organization's security team, you can turn tamper protection on (or off) tenant wide by using the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). > [!IMPORTANT]
-> If tamper protection is [deployed and managed through Intune](manage-tamper-protection-intune.md), turning tamper protection on or off in the Microsoft 365 Defender portal won't impact the state of tamper protection. It will restrict tamper-protected settings to their secure default values. For more information, see [What happens when tamper protection is turned on](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on)?
+> If tamper protection is [deployed and managed through Intune](manage-tamper-protection-intune.md), turning tamper protection on or off in the Microsoft 365 Defender portal won't impact the state of tamper protection. It restricts tamper-protected settings to their secure default values. For more information, see [What happens when tamper protection is turned on](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on)?
## Requirements for managing tamper protection in the Microsoft 365 Defender portal
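Review bot: The pronoun in the second sentence of the alert is ambiguous: right after "turning tamper protection on or off in the Microsoft 365 Defender portal won't impact the state of tamper protection", the sentence "It restricts tamper-protected settings to their secure default values" reads as if the portal toggle does have an effect after all. Name the subject, for example "Tamper protection, as configured in Intune, still restricts tamper-protected settings to their secure default values." The question mark after the link ("...turned on](...)?") also ends a declarative sentence and should be a period, or move the question mark inside the link text if the target heading is a question.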
search.appverid: met150
- [Cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be turned on. > [!NOTE]
-> When tamper protection is enabled via the Microsoft 365 Defender portal, [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) is required so that the enabled state of tamper protection can be controlled.
-> Starting with the November 2021 update (platform version `4.18.2111.5`), if cloud-delivered protection is not already turned on for a device, when tamper protection is turned on, cloud-delivered protection will be turned on automatically on the device.
+> When tamper protection is enabled via the Microsoft 365 Defender portal, [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) is required so that the enabled state of tamper protection can be controlled. Starting with the November 2021 update (platform version `4.18.2111.5`), if cloud-delivered protection is not already turned on for a device, when tamper protection is turned on, cloud-delivered protection is turned on automatically on the device.
## Turn tamper protection on (or off) in the Microsoft 365 Defender portal
search.appverid: met150
## Important points to keep in mind -- When you enable tamper protection in the Microsoft 365 Defender portal, the setting is applied tenant wide, and will restrict [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on) to their secure defaults. You can use [Intune](manage-tamper-protection-intune.md) or [Configuration Manager with tenant attach](manage-tamper-protection-configuration-manager.md) to exclude devices from tamper protection. You can also use Intune to [tamper-protect antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions). - - Currently, the option to manage tamper protection in the Microsoft 365 Defender portal is on by default for new deployments, as part of [built-in protection, which helps guard against ransomware](built-in-protection.md). For existing deployments, tamper protection is available on an opt-in basis. To opt in, in the [Microsoft 365 Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2077139), choose **Settings** \> **Endpoints** \> **Advanced features** \> **Tamper protection**.
+- When you enable tamper protection in the Microsoft 365 Defender portal, the setting is applied tenant wide and restricts [tamper-protected settings](prevent-changes-to-security-settings-with-tamper-protection.md#what-happens-when-tamper-protection-is-turned-on) to their secure defaults. Any changes made to tamper-protected settings are ignored. Depending on your particular scenario, you have several options available:
+
+ - If you must make changes to a device and those changes are blocked by tamper protection, you can use [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device.
+
+ - You can use [Intune](manage-tamper-protection-intune.md) or [Configuration Manager](manage-tamper-protection-configuration-manager.md) to exclude devices from tamper protection.
+
+ - If you're managing tamper protection through Intune and certain other conditions are met, you can [manage tamper-protected antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions).
+ ## See also - [Built-in protection helps guard against ransomware](built-in-protection.md)
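Review bot: The rewrite removes the second bullet of the old "Important points" section (tamper protection is on by default for new deployments as part of built-in protection, existing deployments opt in via **Settings** > **Endpoints** > **Advanced features** > **Tamper protection**) and nothing in the new text gives that portal path; if the opt-in behavior still applies, keep that bullet, and if it no longer applies, say so in the commit. In the last new bullet, "and certain other conditions are met" is too vague to act on; either list the conditions or drop the phrase, since the linked section states them. Also the added "## See also" line carries a leading space and has no blank line before it; check that it still renders as a heading.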
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
description: Use tamper protection to prevent malicious apps from changing impor
keywords: malware, defender, antivirus, tamper protection ms.localizationpriority: medium Previously updated : 03/15/2023 Last updated : 05/24/2023 audience: ITPro
When tamper protection is turned on, tamper-protected settings can't be changed.
- Notifications are visible in the Windows Security app on Windows devices. - Archived files are scanned.
-> [!NOTE]
-> As of signature release `1.383.1159.0`, due to confusion around the default value for "Allow Scanning Network Files", tamper protection no longer locks this setting to its default value. In managed environments, the default value is enabled.
+*As of signature release `1.383.1159.0`, due to confusion around the default value for "Allow Scanning Network Files", tamper protection no longer locks this setting to its default value. In managed environments, the default value is enabled.*
> [!IMPORTANT]
-> When tamper protection is turned on, the tamper-protected settings listed above cannot be changed. To avoid breaking management experiences, including [Intune](manage-tamper-protection-intune.md) and [Configuration Manager](manage-tamper-protection-configuration-manager.md), keep in mind that changes made to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. You can use Intune and Configuration Manager to exclude devices from tamper protection. And, if you're managing tamper protection through Intune, you can [change tamper-protected antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions).
+> When tamper protection is turned on, tamper-protected settings cannot be changed. To avoid breaking management experiences, including [Intune](manage-tamper-protection-intune.md) and [Configuration Manager](manage-tamper-protection-configuration-manager.md), keep in mind that changes made to tamper-protected settings might appear to succeed but are actually blocked by tamper protection. Depending on your particular scenario, you have several options available:
+> - If you must make changes to a device and those changes are blocked by tamper protection, you can use [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device.
+> - You can use Intune or Configuration Manager to exclude devices from tamper protection.
Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how non-Microsoft antivirus apps register with the Windows Security app. If your organization is using Defender for Endpoint, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team. For more information, see [How do I configure or manage tamper protection](#how-do-i-configure-or-manage-tamper-protection)?
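Review bot: The rewritten IMPORTANT alert promises "several options available" but only two bullets follow, and the option that the old text carried (changing tamper-protected antivirus exclusions when tamper protection is managed through Intune) has been dropped here while the same alert in the Intune article keeps it as a third bullet; restore that bullet so the three articles agree, or change "several" to "two". Separately, the signature-release note about "Allow Scanning Network Files" has been demoted from a `> [!NOTE]` alert to an italic paragraph, which is easier to miss; keep the alert and state the change plainly ("tamper protection no longer locks this setting to its default value") without the "due to confusion" rationale.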
You can use Microsoft Intune and other methods to configure or manage tamper pro
| Method | What you can do | |:|:|
-| The [Microsoft 365 Defender portal](https://security.microsoft.com) | Turn tamper protection on (or off), tenant wide. This method won't override settings that are managed in Microsoft Intune or Configuration Manager with tenant attach. <br/><br/>See [Manage tamper protection for your organization using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md). |
-| The [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) | Turn tamper protection on (or off), tenant wide, for some or all devices. Using this method, you can also [tamper protect antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions) that are defined for Microsoft Defender Antivirus. <br/><br/>See [Manage tamper protection for your organization using Intune](manage-tamper-protection-intune.md). |
-| [Configuration Manager](manage-tamper-protection-configuration-manager.md) | Turn tamper protection on (or off) for some or all devices by using Configuration Manager with tenant attach. This method won't override settings managed in Intune. <br/><br/>See [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md). |
-| [Windows Security app](manage-tamper-protection-individual-device.md) | Turn tamper protection on (or off) on an individual device that isn't managed by a security team (such as devices for home use). This method won't override tamper protection settings that are managed by the Microsoft 365 Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations. <br/><br/>See [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md). |
+| Use the [Microsoft 365 Defender portal](https://security.microsoft.com). | Turn tamper protection on (or off), tenant wide. This method won't override settings that are managed in Microsoft Intune or Configuration Manager with tenant attach. <br/><br/>See [Manage tamper protection for your organization using Microsoft 365 Defender](manage-tamper-protection-microsoft-365-defender.md). |
+| Use the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). | Turn tamper protection on (or off), tenant wide, for some or all devices. Using this method, you can also [tamper protect antivirus exclusions](manage-tamper-protection-intune.md#tamper-protection-for-antivirus-exclusions) that are defined for Microsoft Defender Antivirus. <br/><br/>See [Manage tamper protection for your organization using Intune](manage-tamper-protection-intune.md). |
+| Use [Configuration Manager](manage-tamper-protection-configuration-manager.md). | Turn tamper protection on (or off) for some or all devices by using Configuration Manager with tenant attach. This method won't override settings managed in Intune. <br/><br/>See [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](manage-tamper-protection-configuration-manager.md). |
+| Use the [Windows Security app](manage-tamper-protection-individual-device.md). | Turn tamper protection on (or off) on an individual device that isn't managed by a security team (such as devices for home use). This method won't override tamper protection settings that are managed by the Microsoft 365 Defender portal, Intune, or Configuration Manager, and it isn't intended to be used by organizations. <br/><br/>See [Manage tamper protection on an individual device](manage-tamper-protection-individual-device.md). |
> [!TIP]
-> If you're using Group Policy to manage Microsoft Defender Antivirus settings, keep in mind that any changes made to tamper-protected settings will be ignored. We recommend using the Microsoft 365 Defender portal, Intune, or Configuration Manager to manage tamper protection.
+> If you're using Group Policy to manage Microsoft Defender Antivirus settings, keep in mind that any changes made to tamper-protected settings are ignored. If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
## What about exclusions?
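Review bot: Prefixing every cell of the "Method" column with "Use the ... ." turns a list of tools into imperative sentences with trailing periods, which is unusual in a reference table and adds nothing the column header doesn't already say; the previous plain names ("The Microsoft 365 Defender portal", "Configuration Manager") read better. In the TIP, the rewrite drops the old pointer to the supported management methods and replaces it with troubleshooting mode only; since the tip's point is that Group Policy changes to tamper-protected settings are ignored, keep one sentence that directs readers to the portal, Intune, or Configuration Manager (the table above) for managing those settings, and present troubleshooting mode as the temporary diagnostic path. "Note that" at the start of the last sentence can be dropped.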
To learn more about Microsoft Defender Vulnerability Management, see [Dashboard
- [Built-in protection helps guard against ransomware](built-in-protection.md) - [Frequently asked questions on tamper protection](faqs-on-tamper-protection.yml) - [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)-- [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
+- [Troubleshoot problems with tamper protection](troubleshoot-problems-with-tamper-protection.yml)
+- [Manage Microsoft Defender for Endpoint on devices with Microsoft Intune](/mem/intune/protect/mde-security-integration)
security Use Group Policy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md
Title: Configure Microsoft Defender Antivirus with Group Policy
description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender for Endpoint. keywords: group policy, GPO, configuration, settings
-ms.sitesec: library
ms.localizationpriority: medium Previously updated : 01/04/2022 Last updated : 05/24/2023
search.appverid: met150
**Platforms** - Windows
-You can use [Group Policy](/windows/win32/srvnodes/group-policy) to configure and manage Microsoft Defender Antivirus on your endpoints.
+We recommend using [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) to manage Microsoft Defender Antivirus settings for your organization. However, you can use [Group Policy](/windows/win32/srvnodes/group-policy) to configure and manage some settings for Microsoft Defender Antivirus.
+
+> [!IMPORTANT]
+> If [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled in your organization, any changes made to [tamper-protected settings](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection#what-happens-when-tamper-protection-is-turned-on) are ignored. In addition, you cannot turn off tamper protection by using Group Policy.
+>
+> If you must make changes to a device and those changes are blocked by tamper protection, we recommend using [troubleshooting mode](/microsoft-365/security/defender-endpoint/enable-troubleshooting-mode) to temporarily disable tamper protection on the device. Note that after troubleshooting mode ends, any changes made to tamper-protected settings are reverted to their configured state.
+>
## Configure Microsoft Defender Antivirus using Group Policy
-In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:
+In general, you can use the following procedure to configure or change some settings for Microsoft Defender Antivirus.
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
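Review bot: The added IMPORTANT block ends with a bare `>` line immediately before "## Configure Microsoft Defender Antivirus using Group Policy", which renders as an empty blockquote line with no blank line separating it from the heading; remove that line and add a blank line. "some settings for Microsoft Defender Antivirus" (used twice in this hunk) is vague; say which settings Group Policy can't manage, for example "settings that aren't tamper protected", so the sentence connects to the alert above it. The troubleshooting-mode sentence repeats the wording used in the tamper protection articles, including the "Note that" opener; consider linking to the tamper protection article's guidance rather than restating it in a fourth place.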
In general, you can use the following procedure to configure or change Microsoft
The following table lists commonly used Group Policy settings that are available in Windows 10. > [!TIP]
-> Download the Group Policy Reference Spreadsheet, which lists the policy settings for computer and user configurations that are included in the Administrative template files delivered with for Windows. You can configure refer to the spreadsheet when you edit Group Policy Objects. <br/><br/> Here are the most recent versions:
-> - [Group Policy Settings Reference Spreadsheet for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/details.aspx?id=101451)
-> - [Group Policy Settings Reference Spreadsheet for Windows 11 October 2021 Update (21H2)](https://www.microsoft.com/download/details.aspx?id=103506)
+> For the most current settings, see get the latest ADMX files in your central store to access the correct policy options. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) and download the latest files.
-<br/><br/>
|Location|Setting|Article| ||||
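Review bot: The rewritten TIP is garbled: "For the most current settings, see get the latest ADMX files in your central store to access the correct policy options. See [How to create...]" has "see get" and two "See" clauses in a row. Suggest: "For the most current settings, add the latest ADMX files to your central store so that the correct policy options are available. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)." Removing the dated spreadsheet links is a reasonable change, but the lead sentence above the table still says "available in Windows 10"; update it if the table now applies to Windows 11 as well.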
The following table lists commonly used Group Policy settings that are available
|Exclusions|Path Exclusions|[Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)| |Exclusions|Process Exclusions|[Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)| |Exclusions|Turn off Auto Exclusions|[Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)|
-|MAPS|Configure the 'Block at First Sight' feature|[Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)|
+|MAPS|Configure the "Block at First Sight" feature|[Enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)|
|MAPS|Join Microsoft MAPS|[Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)| |MAPS|Send file samples when further analysis is required|[Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)| |MAPS|Configure local setting override for reporting to Microsoft MAPS|[Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)|
security Advanced Hunting Schema Tables https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-schema-tables.md
The following reference lists all the tables in the schema. Each table name link
| Table name | Description | ||-|
+| **[AADSignInEventsBeta](advanced-hunting-aadsignineventsbeta-table.md)** | Azure Active Directory interactive and non-interactive sign-ins |
+| **[AADSpnSignInEventsBeta](advanced-hunting-aadspnsignineventsbeta-table.md)** | Azure Active Directory service principal and managed identity sign-ins |
| **[AlertEvidence](advanced-hunting-alertevidence-table.md)** | Files, IP addresses, URLs, users, or devices associated with alerts | | **[AlertInfo](advanced-hunting-alertinfo-table.md)** | Alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity, including severity information and threat categorization |
+| **[BehaviorEntities](advanced-hunting-behaviorentities-table.md)** | Behavior data types in Microsoft Defender for Cloud Apps |
+| **[BehaviorInfo](advanced-hunting-behaviorinfo-table.md)** | Alerts from Microsoft Defender for Cloud Apps |
| **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)** | Events involving accounts and objects in Office 365 and other cloud apps and services | | **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection | | **[DeviceFileCertificateInfo](advanced-hunting-DeviceFileCertificateInfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
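Review bot: The new BehaviorInfo row is described as "Alerts from Microsoft Defender for Cloud Apps", which is already what the unchanged AlertInfo row covers and doesn't match the table name or the sibling BehaviorEntities row; if the table holds behavior records rather than alerts, describe it that way (for example "Behaviors in Microsoft Defender for Cloud Apps") and make the BehaviorEntities description parallel ("Entities associated with behaviors in Microsoft Defender for Cloud Apps" rather than "Behavior data types"). The two AAD sign-in rows are fine; consider writing out "Azure Active Directory" consistently with the IdentityInfo row further down, which it already does.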
The following reference lists all the tables in the schema. Each table name link
| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains | | **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events | | **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
+| **[DeviceTvmHardwareFirmware](advanced-hunting-devicetvmhardwarefirmware-table.md)** | Hardware and firmware information of devices as checked by Defender Vulnerability Management |
+| **[DeviceTvmInfoGathering](advanced-hunting-devicetvminfogathering-table.md)** | Defender Vulnerability Management assessment events including configuration and attack surface area states |
+| **[DeviceTvmInfoGatheringKB](advanced-hunting-devicetvminfogatheringkb-table.md)** | Metadata for assessment events collected in the `DeviceTvmInfogathering` table|
| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Microsoft Defender Vulnerability Management assessment events, indicating the status of various security configurations on devices | | **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Microsoft Defender Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
+| **[DeviceTvmSoftwareEvidenceBeta](advanced-hunting-devicetvmsoftwareevidencebeta-table.md)** | Evidence info about where a specific software was detected on a device |
| **[DeviceTvmSoftwareInventory](advanced-hunting-devicetvmsoftwareinventory-table.md)** | Inventory of software installed on devices, including their version information and end-of-support status | | **[DeviceTvmSoftwareVulnerabilities](advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)** | Software vulnerabilities found on devices and the list of available security updates that address each vulnerability | | **[DeviceTvmSoftwareVulnerabilitiesKB](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
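Review bot: The DeviceTvmInfoGatheringKB description refers to "the `DeviceTvmInfogathering` table" with a lowercase "g", while the table name two rows above is `DeviceTvmInfoGathering`; since readers copy these names into KQL, use the exact casing. In the DeviceTvmSoftwareEvidenceBeta row, "Evidence info about where a specific software was detected" should be "Evidence about where specific software was detected on a device" (software is uncountable).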
The following reference lists all the tables in the schema. Each table name link
| **[IdentityInfo](advanced-hunting-identityinfo-table.md)** | Account information from various sources, including Azure Active Directory | | **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)** | Authentication events on Active Directory and Microsoft online services | | **[IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md)** | Queries for Active Directory objects, such as users, groups, devices, and domains |
+| **[UrlClickEvents](advanced-hunting-urlclickevents-table.md)** | Safe Links clicks from email messages, Teams, and Office 365 apps |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
ms.mktglfcycl: secure ms.sitesec: library ms.pagetype: security--++ ms.localizationpriority: medium Previously updated : 04/24/2023 Last updated : 05/25/2023 audience: ITPro
You can also get product updates and important notifications through the [messag
## May 2023
+- (Preview) [Alert tuning](investigate-alerts.md#public-preview-tune-an-alert) is now available in public preview. Alert tuning lets you fine-tune alerts to reduce investigation time and focus on resolving high priority alerts. Alert tuning replaces the Alert suppression feature.
- (Preview) [Custom functions](advanced-hunting-custom-functions.md) are now available in advanced hunting. You can now create your own custom functions so you can reuse any query logic when you hunt in your environment. ## April 2023- - (GA) The [unified Assets tab in the Incidents page](investigate-incidents.md) is now generally available. - Microsoft is using a new weather-based naming taxonomy for threat actors. This new naming schema will provide more clarity and will be easier to reference. [Learn more about the new naming taxonomy](/microsoft-365/security/intelligence/microsoft-threat-actor-naming).
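Review bot: The new entry says "Alert tuning replaces the Alert suppression feature" in the present tense while the same sentence labels alert tuning as a public preview; either hedge ("will replace") or state what happens to existing suppression rules during the preview, otherwise readers may expect suppression to be gone already.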
security Microsoft Threat Actor Naming https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/microsoft-threat-actor-naming.md
Last updated 04/18/2023
# How Microsoft names threat actors
+> [!IMPORTANT]
+> Learn about how [Volt Typhoon targets US critical infrastructure with living-off-the-land techniques](https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/#:~:text=Volt%20Typhoon%20has%20been%20active%20since%20mid-2021%20and,construction%2C%20maritime%2C%20government%2C%20information%20technology%2C%20and%20education%20sectors)
+ Microsoft has shifted to a new naming taxonomy for threat actors aligned with the theme of weather. With the new taxonomy, we intend to bring better clarity to customers and other security researchers already confronted with an overwhelming amount of threat intelligence data and offer a more organized, articulate, and easy way to reference threat actors so that organizations can better prioritize and protect themselves. :::image type="content" source="../../media/threat-actor-naming/threat-actor-naming-categories.png" alt-text="Nation-state actors based on Microsoft naming" lightbox="../../media/threat-actor-naming/threat-actor-naming-categories2.png":::
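Review bot: The link in the added IMPORTANT box carries a browser text-fragment anchor (`#:~:text=Volt%20Typhoon...`) and an `en-us` locale segment; both should be stripped to the plain blog URL, since text fragments are browser-specific and break when the target page is edited, and docs links normally omit the locale. The box also sits between the H1 and the intro as a promotional callout for one actor, which is off-topic for a naming-taxonomy article; a sentence or a "Related" link would fit better. The unchanged "Last updated 04/18/2023" line in this hunk's context wasn't bumped for this change.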
security Submissions Admin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md
description: "Admins can learn how to use the Submissions page in the Microsoft 365 Defender portal to submit messages, URLs, and email attachments to Microsoft for analysis. Reasons for submission include: legitimate messages that were blocked, suspicious messages that were allowed, suspected phishing email, spam, malware, and other potentially harmful messages." Previously updated : 2/24/2023 Last updated : 5/25/2023 # Use the Submissions page to submit suspected spam, phish, URLs, legitimate email getting blocked, and email attachments to Microsoft
When you submit an email message for analysis, Microsoft does the following chec
- **Grader analysis**: Review done by human graders in order to confirm whether or not messages are malicious. > [!IMPORTANT]
-> In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can't use the **Submissions** page in the Microsoft 365 Defender portal to submit messages to Microsoft. Instead, admins in those organizations need to open a support case to submit messages.
+> In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), admins can use the **Submissions** page in the Microsoft 365 Defender portal to submit messages to Microsoft. The messages are only analyzed for email authentication check and policy check.
>
-> Payload reputation/detonation and grader analysis are not done in all tenants. Information is blocked from going outside the organization when data is not supposed to leave the tenant boundary for compliance purposes.
+>Payload reputation/detonation and grader analysis are not done as data is not supposed to leave the tenant boundary for compliance purposes.
For other ways to submit email messages, URLs, attachments and files to Microsoft, see [Report messages and files to Microsoft](submissions-report-messages-files-to-microsoft.md).
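Review bot: The first rewritten line reverses the earlier guidance (GCC, GCC High, and DoD admins now "can" use the Submissions page), so the commit should confirm this reflects a feature change rather than an editing slip. On the second rewritten line, the `>` is missing its trailing space (">Payload"), inconsistent with the other blockquote lines, and "analyzed for email authentication check and policy check" should read "analyzed only for email authentication and policy checks"; "as data is not supposed to leave the tenant boundary" reads better as "because data must not leave the tenant boundary".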
syntex Content Assembly Conditional Sections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-assembly-conditional-sections.md
+
+ Title: Create conditional sections for templates in Microsoft Syntex
+++
+audience: admin
+ Last updated : 05/25/2023++
+search.appverid:
+
+ - enabler-strategic
+ - m365initiative-syntex
+ms.localizationpriority: medium
+description: Learn how to create conditional sections for templates in Microsoft Syntex.
++
+# Create conditional sections for templates in Microsoft Syntex
+
+When you create a modern template, you can specify which parts of a document will be included and under what conditions. This lets you control which sections of the template will be included when you generate a document.
+
+## Create a conditional section
+
+Before you can create a conditional section, you first need to [create form fields in the template](content-assembly-modern-template.md#create-and-reuse-fields). Then, follow these steps to create a conditional section.
+
+1. In the document, select the block of text for which you want to specify the condition.
+
+2. On the **Set up the template** panel, select **Conditional section**.
+
+ ![Screenshot of the Set up the template panel and template document.](../media/content-understanding/content-assembly-conditional-1.png)
+
+3. On the **New conditional section** panel, in the **Name** box, enter a name that reflects the content you've selected. (For this example, we named it **Compensation Section**.)
+
+ ![Screenshot of the New condition section panel and template document.](../media/content-understanding/content-assembly-conditional-2.png)
+
+4. Select **Next**.
+
+### Set conditions
+
+You can add conditions to specify whether this section of the template will be included in the final generated document.
+
+For this example, we want to show the selected content for two conditions: if the fees are greater than zero and if the nature of employment is full time.
+
+#### To add the first condition
+
+1. On the **Set condition** panel, from the **Choose a field** dropdown list, select the appropriate field. (For this example, we selected **Fees**.)
+
+ ![Screenshot of the Set condition panel and template document for the first condition.](../media/content-understanding/content-assembly-conditional-3.png)
+
+2. From the **Choose a condition** dropdown list, select the appropriate condition. (For this example, we selected **greater than**.)
+
+3. In the **Enter a value** box, enter the appropriate value. (For this example, we entered **0**.)
+
+#### To add additional conditions
+
+1. On the **Set condition** panel, select **+ And** or **Or**, depending how you want the additional condition to be linked to the first condition. (For this example, we chose **And**.)
+
+2. On the **Set condition** panel, from the **Choose a field** dropdown list, the appropriate field. (For this example, we selected **Nature of Employment**.)
+
+ ![Screenshot of the Set condition panel and template document for the second condition.](../media/content-understanding/content-assembly-conditional-4.png)
+
+3. From the **Choose a condition** dropdown list, select the appropriate condition. (For this example, we selected **exact match**.)
+
+4. In the **Enter a value** box, enter the appropriate value. (For this example, we entered **Full Time**.)
+
+5. When you're done entering conditions, select **Save**. The new field is displayed in the **Set up the template** panel and shows the conditions based on which this section will be included in the final document.
+
+ ![Screenshot of the Set up the template panel and template document showing the conditions.](../media/content-understanding/content-assembly-conditional-5.png)
+
+## Edit a conditional section
+
+To edit the conditions in a conditional section, you can use either of these two methods:
+
+- Select the **+1 more condition** hyperlink, which takes you to the **Set conditions** page.
+- Select the three dots, and then select **Edit**.
+
+ ![Screenshot of a conditional section with the edit options highlighted.](../media/content-understanding/content-assembly-conditional-edit.png)
+
+> [!NOTE]
+> - Currently, you can create conditional sections around text and complete paragraphs. Conditional sections around images and tables is not yet supported.<br>
+>- You can't add nested conditions. To achieve nested conditions, you'll need to create conditional sections around every section and specify all the required conditions.
+
+## See also
+
+[Create a document from a modern template](content-assembly-create-document.md)
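Review bot: Step 2 under "To add additional conditions" is missing its verb: "from the **Choose a field** dropdown list, the appropriate field" should read "from the **Choose a field** dropdown list, select the appropriate field", matching step 1 of the first condition. A few smaller points in the same file: step 5 says "The new field is displayed in the **Set up the template** panel", but what is created here is a conditional section, not a field, so "The new conditional section is displayed" is more accurate; the "Edit a conditional section" bullet refers to a **Set conditions** page while the procedure above calls the panel **Set condition**, so one of the two names should be aligned with the UI; in the NOTE, "Conditional sections around images and tables is not yet supported" should be "are not yet supported", the trailing `<br>` is unnecessary inside a list, and the second bullet uses `>-` where the first uses `> -`. The front-matter block at the top of the new file (`+++`, `Last updated : 05/25/2023++`, a bare `- enabler-strategic` list with no key above it) does not look like the well-formed YAML metadata other articles in this repo carry; please verify the file header before merge.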
syntex Content Assembly Map Fields https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/content-assembly-map-fields.md
After you generate the document, the values against the mapped fields will autom
> - If you change the data type of a mapped field and republish the template with the new settings, the new changes are reflected in the corresponding library column. If you choose to proceed with [incompatible data type change such as **Single line of text** to **Number**, or **Number** to **Date and time**](https://support.microsoft.com/office/0d8ddb7b-7dc7-414d-a283-ee9dca891df7), the mapped field will be deslected by default to prevent potential loss of data from the column. If you still choose to reselect the field to be mapped to column, you might lose data from the column values of previously created documents. The content of the documents that are already been generated won't be affected.<br> > - Mapping image and table fields to library columns is not supported.
+## See also
+
+[Create conditional sections for templates](content-assembly-conditional-sections.md)
+[Create a document from a modern template](content-assembly-create-document.md)
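Review bot: The two links added under the new "See also" heading sit on consecutive lines with no blank line or list marker between them, so Markdown will render them as a single paragraph with the second link following the first on the same line; either separate them with a blank line or make them a two-item list, as the other See also sections in this set of Syntex articles do. In the unchanged NOTE just above the hunk, "deslected" should be "deselected", and as shown here the second bullet ("- Mapping image and table fields to library columns is not supported") appears on the same line as the first after a `<br>`, which would be worth fixing in a follow-up so each bullet renders on its own line.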