Updates from: 05/06/2021 03:10:08
Category Microsoft Docs article Related commit history on GitHub Change details
admin Let Users Reset Passwords https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/let-users-reset-passwords.md
If you found this video helpful, check out the [complete training series for sma
## Steps: Let people reset their own passwords These steps turn on self-service password reset for everyone in your business.
-
1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>, go to the **Settings** > **Org settings** page. --
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Settings** \> **Security &amp; privacy** page.
---
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Settings** \>**Settings** \> **Security &amp; privacy** page.
-- 2. At the top of the **Org settings** page, select the **Security & Privacy** tab. 3. Select **Self-service Password Reset**.
admin Remove Former Employee https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee.md
description: "Follow the steps in this solution to remove a former employee from
A question we often get is, "What should I do to secure data and protect access when an employee leaves my organization?" This article series explains how to block access to Microsoft 365, the steps you should take to secure your data, and how to allow other employees to access the data.
+Watch a short video about removing an employee. <br><br>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FOfR]
+
+If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../../business-video/index.yml).
+
+To prevent an employee from logging in:
+
+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.
+2. Select the box next to the user's name, and then select **Reset password**.
+3. Enter a new password, and then select **Reset**. (Don't send it to them.)
+4. Select the user's name to go to their properties pane, and on the **Account** tab, select **Initiate sign-out**.
+
+> [!NOTE]
+> You need to be a global administrator to initiate sign-out.
+
+Within an hour - or after they leave the current Microsoft 365 page they are on - they're prompted to sign in again. An access token is good for an hour, so the timeline depends on how much time is left on that token, and whether they navigate out of their current webpage.
+ > [!IMPORTANT] > Although we've numbered the steps in this solution and you don't have to complete the solution using the exact order, we do recommend doing the steps this way.
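Review bot: In the added "To prevent an employee from logging in" steps, the requirement to be a global administrator for **Initiate sign-out** appears only in the note after step 4, and the one-hour access-token lifetime is explained only in the paragraph after that. State the role requirement before step 1, and say in step 4 that an existing session can stay usable for up to an hour, so an admin does not assume access ends the moment the password is reset. In the `[!IMPORTANT]` line, "Although we've numbered the steps in this solution and you don't have to complete the solution using the exact order" reads more clearly with "and" dropped: "Although we've numbered the steps in this solution, you don't have to ...".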
admin Resend User Password https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/resend-user-password.md
You must be an [global admin or password administrator](about-admin-roles.md) to
## Resend user password
-
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page. --
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-- 2. On the **Active users** page, select the user and then select **Reset password**. 3. Follow the instructions on the **Reset password** page to auto-generate a new password for the user or create one for them, and then select **Reset**.
admin Reset Passwords https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/reset-passwords.md
If you found this video helpful, check out the [complete training series for sma
## Steps: Reset a business password for a user - 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page. --
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-- 2. On the **Active users** page, select the user and then select **Reset password**. 3. Follow the instructions on the **Reset password** page to auto-generate a new password for the user or create one for them, and then select **Reset**.
admin Restore User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/restore-user.md
Here are a couple of tips:
## Restore one or more user accounts You must be a Microsoft 365 global admin or user management admin to do these steps.
-
-
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2071581" target="_blank">Deleted users</a> page. --
-1. Go to the [admin center](https://go.microsoft.com/fwlink/p/?linkid=848041), and then select **Users** \> **Deleted users**.
---
-1. Go to the [admin center](https://go.microsoft.com/fwlink/p/?linkid=850627), and then select **Users** \> **Deleted users**.
-- 2. On the **Deleted users** page, select the names of the users who you want to restore, and then select **Restore**.
-
3. Follow the prompts to set their password, and then select **Restore**. 4. If the user is successfully restored, select **Send email and close**. If you encounter a name conflict or proxy address conflict, see the instructions below for how to restore those accounts.
You must be a Microsoft 365 global admin or user management admin to do these st
After you've restored a user, make sure you notify them that their password changed and you follow up with them. ## Restore a user that has a user name conflict
-<a name="RestoreUserNameConflict"> </a>
A user name conflict occurs when you delete a user account, create a new user account with the same user name (either for the same user or another user with a similar name), and later try to restore the deleted account. To fix this, replace the active user account with the one that you are restoring. Or, assign a different user name to the account that you are restoring so that there aren't two accounts with the same user name. Here are the steps.
-
- 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2071581" target="_blank">Deleted users</a> page.---
-1. Go to the [admin center](https://go.microsoft.com/fwlink/p/?linkid=848041), and then select **Users** \> **Deleted users**.
---
-1. Go to the [admin center](https://go.microsoft.com/fwlink/p/?linkid=850627), and then select **Users** \> **Deleted users**.
-- 2. On the **Deleted users** page, select the names of the users that you want to restore, and then select **Restore**.
To fix this, replace the active user account with the one that you are restoring
A proxy address conflict occurs when you delete a user account that contains a proxy address, assign the same proxy address to another account, and then try to restore the deleted account. Follow the steps below to fix this issue. You must have [admin permissions](about-admin-roles.md) in Microsoft 365 to do this.
-
- 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2071581" target="_blank">Deleted users</a> page. --
-Go to the [admin center](https://go.microsoft.com/fwlink/p/?linkid=848041), and then select **Users** \> **Deleted users**.
---
-1. Go to the [admin center](https://go.microsoft.com/fwlink/p/?linkid=850627), and then select **Users** \> **Deleted users**.
-- 2. On the **Deleted users** page, select the user that you want to restore, and then select **Restore**. 3. On the **Restore** page, follow the instructions to set the password and select **Restore**. Any conflicting proxy addresses are automatically removed from the user you are restoring.
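Review bot: Any existing link that targets the #RestoreUserNameConflict fragment will stop resolving once the `<a name="RestoreUserNameConflict"> </a>` line under "Restore a user that has a user name conflict" is removed; confirm that nothing links to that fragment, or keep the anchor. Separately, the proxy address conflict procedure says only "You must have admin permissions", while the first restore procedure names "global admin or user management admin"; naming the roles there too would keep the requirement consistent across the three procedures.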
admin About The Admin Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/about-the-admin-center.md
If you found this video helpful, check out the [complete training series for sma
## How to get to the admin center - 1. Sign in at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin.microsoft.com</a> with your admin account. --
-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center </a> with your admin account.
---
-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a> with your admin account.
-- 2. Select the app launcher icon in the upper-left and choose **Admin**. The **Admin** tile appears only to people who have Microsoft 365 [admin permissions](../add-users/about-admin-roles.md). If you don't see the tile, then you don't have permissions to access the admin center for your organization.
admin What Subscription Do I Have https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/admin-overview/what-subscription-do-i-have.md
If you're an admin, you can verify which subscriptions your organization has by
**Not an admin?** See [What Microsoft 365 for business product or license do I have?](https://support.microsoft.com/office/f8ab5e25-bf3f-4a47-b264-174b1ee925fd) - 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page. 2. On the **Products** tab, you see all your subscriptions. Each subscription line includes information about licenses, subscription status, and billing. 3. If you want to change the columns that appear in the list, select **Choose columns**. Change the selection of columns, then select **Save**. 4. To see more details for a single subscription, select that subscription.
-
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Subscriptions</a> page.
-
-2. If you have only one subscription, it will be displayed on the **Subscriptions** page, along with the subscription name, information about the subscription, and its status. In the following screenshot, you can see that I have an Microsoft 365 Apps for business subscription.
-
- ![The Subscriptions page that shows which subscription you have as well as its status.](../../media/4d51dfcc-e9f3-4414-964a-6ef182f49eba.png)
-
-3. If you have multiple subscriptions, you'll see a column next to the detailed subscription information that lists the subscriptions that have been purchased, as well as any trial subscriptions. By default, the subscription at the top of the list is automatically selected, and the detailed information for that subscription is shown.
-
- If you have multiple subscriptions, choose the one for which you want to see detailed information. The subscription card will update with information about that subscription.
-
- ![The Subscriptions page of the admin center showing a list of multiple subscriptions grouped by their status.](../../media/548ab8e9-bf9c-46d1-8c7c-ef5b631f3faa.png)
-
- > [!NOTE]
- > If you have subscriptions that have expired or have been disabled, they'll be listed based on their current state.
---
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Subscriptions</a> page.
-
-2. If you have only one subscription, it will be displayed on the **Subscriptions** page, along with the subscription name, information about the subscription, and its status. In the following screenshot, you can see that I have an Microsoft 365 Apps for business subscription.
-
- ![The Subscriptions page that shows which subscription you have as well as its status.](../../media/4d51dfcc-e9f3-4414-964a-6ef182f49eba.png)
-
-3. If you have multiple subscriptions, you'll see a column next to the detailed subscription information that lists the subscriptions that have been purchased, as well as any trial subscriptions. By default, the subscription at the top of the list is automatically selected, and the detailed information for that subscription is shown.
-
- If you have multiple subscriptions, choose the one for which you want to see detailed information. The subscription card will update with information about that subscription.
-
- ![The Subscriptions page of the admin center showing a list of multiple subscriptions grouped by their status.](../../media/548ab8e9-bf9c-46d1-8c7c-ef5b631f3faa.png)
-
- > [!NOTE]
- > If you have subscriptions that have expired or have been disabled, they'll be listed based on their current state.
--
-## Related articles
+## Related content
-[Subscriptions and billing](../../commerce/index.yml)
+[Subscriptions and billing](../../commerce/index.yml) (links)
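Review bot: The "(links)" suffix on the added Related content entry does not tell the reader what kind of target `../../commerce/index.yml` is, and it differs from the "(article)" suffix used on the other Related content entries in this update; a label that describes the landing page would be clearer. The removed steps also carried a note that expired or disabled subscriptions are listed by their current state, and the replacement steps visible here do not say how those subscriptions appear on the **Products** tab; consider keeping that note.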
admin Create Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/create-groups.md
While users can create a Microsoft 365 group from Outlook or other apps, as an a
Once the group has been created, you can add members and configure additional settings. - Users can [add themselves or request approval](https://support.microsoft.com/office/2e59e19c-b872-44c8-ae84-0acc4b79c45d), or you can add them now. 1. In the admin center, refresh the page so your new group appears, and then select the name of the group that you want to add members to.
Users can [add themselves or request approval](https://support.microsoft.com/off
The group will appear in Outlook with members assigned to it. --
-Users can [add themselves or request approval](https://support.microsoft.com/office/2e59e19c-b872-44c8-ae84-0acc4b79c45d), or you can add them now.
-1. In the admin center, refresh the page so your new group appears, select **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2052855" target="_blank">Groups</a>, and then select the group that you want to add members to.
-
-2. Next to **Members**, select **Edit**.
-3. Select **Add members**.
-
-4. Select the users you want to add, and then select **Save**.
-
-5. Select **Close** three times.
-
-The group will appear in Outlook with members assigned to it.
-
--
-Users can [add themselves or request approval](https://support.microsoft.com/office/2e59e19c-b872-44c8-ae84-0acc4b79c45d), or you can add them now.
-1. In the admin center, refresh the page so your new group appears, select **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2052855" target="_blank">Groups</a>, and then select the group that you want to add members to.
-
-2. Next to **Members**, select **Edit**.
-3. Select **Add members**.
-
-4. Select the users you want to add, and then select **Save**.
-
-5. Select **Close** three times.
-
-The group will appear in Outlook with members assigned to it.
-
- ## Who can delete email from the Group inbox? The Group owner can delete any emails from the Group Inbox, regardless of whether they were the initial author.
When an email is deleted from the group mailbox, it is not deleted from any of t
After creating a new group and adding members, you can further configure your group, such as editing the group name or description, changing owners or members, and specifying whether external senders can email the group and whether to send copies of group conversations to members. See [Manage a Microsoft 365 group](manage-groups.md) for information.
-## Related articles
+## Related content
-[Manage guest access to Microsoft 365 groups](https://support.microsoft.com/office/bfc7a840-868f-4fd6-a390-f347bf51aff6)
+[Manage guest access to Microsoft 365 groups](https://support.microsoft.com/office/bfc7a840-868f-4fd6-a390-f347bf51aff6) (article)
-[Choose the domain to use when creating Microsoft 365 groups](../../solutions/choose-domain-to-create-groups.md)
+[Choose the domain to use when creating Microsoft 365 groups](../../solutions/choose-domain-to-create-groups.md) (article)
-[Upgrade distribution lists to Microsoft 365 groups](../manage/upgrade-distribution-lists.md)
+[Upgrade distribution lists to Microsoft 365 groups](../manage/upgrade-distribution-lists.md) (article)
admin Add Another Email Alias For A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/add-another-email-alias-for-a-user.md
You can create up to 400 aliases for a user. No additional fees or licenses are
> If you want multiple people to manage email sent to a single email address like info@NodPublishers.com or sales@NodPublishers.com, create a shared mailbox. To learn more, see [Create a shared mailbox](create-a-shared-mailbox.md). ## Add email aliases to a user
-<a name="AddEmailPreview"> </a>
You must have [admin permissions](../add-users/about-admin-roles.md) to do this.
-
- 1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page. 2. On the **Active Users** page, select the user > **Manage username and email**. You won't see this option if the person doesn't have a license assigned to them.
You must have [admin permissions](../add-users/about-admin-roles.md) to do this.
7. **When the user replies, the *From* address will depend on her Outlook client. Outlook on the web will use the alias at which the email was received (we'll call this the ping-pong principle). Outlook desktop will use her primary email alias.** For example, let's say a message is sent to Sales@NodPublishers.com, and it arrives in Eliza's inbox. When Eliza replies to the message using Outlook desktop, her primary email address will appear as Eliza@NodPublishers.com, not Sales@NodPublishers.com. -
-
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847686" target="_blank">Active users</a> page.
-
-
-2. On the **Active Users** page, select the name of the person you want to edit.
-
-3. Next to **Username / Email Aliases**, select **Edit**.
-
- > [!Important]
- > If you get the error message "**A parameter cannot be found that matches parameter name 'EmailAddresses**," it means that it's taking a bit longer to finish setting up your tenant, or your custom domain if you recently added one. The setup process can take up to 4 hours to complete. Wait a while so the set up process has time to finish, and then try again. If the problem persists, call Support and they will do a full sync for you.
-
-4. In the text box under **Alias**, type the first part of the new email alias. If you added your own domain to Microsoft 365, you can choose the domain for the new email alias by using the drop-down list. Then select **Add**.
-
- > [!IMPORTANT]
- > If you purchased your subscription from GoDaddy or another Partner, to set the new alias as the primary, you must go to the GoDaddy/partner management console.
-
- > [!TIP]
- > The email alias must end with a domain from the drop-down list. To add another domain name to the list, see [Add a domain to Microsoft 365](../setup/add-domain.md).
-
-5. When you're done, select **Save**.
-
-6. Wait 24 hours for the new aliases to populate throughout Microsoft 365.
-
- The user will now have a primary address and an alias. For example, all mail sent to Eliza Hoffman's primary address, Eliza@NodPublishers.com, and her alias, Sales@NodPublishers.com, will go to Eliza's Inbox.
-
-
-7. **When the user replies, the *From* address will depend on her Outlook client. Outlook on the web will use the alias at which the email was received (we'll call this the ping-pong principle). Outlook desktop will use her primary email alias.** For example, let's say a message is sent to Sales@NodPublishers.com, and it arrives in Eliza's inbox. When Eliza replies to the message using Outlook desktop, her primary email address will appear as Eliza@NodPublishers.com, not Sales@NodPublishers.com.
---
-1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a> page.
-
-
-2. On the **Active Users** page, select the name of the person you want to edit.
-
-3. Next to **Username / Email Aliases**, select **Edit**.
-
- > [!Important]
- > If you get the error message "**A parameter cannot be found that matches parameter name 'EmailAddresses**," it means that it's taking a bit longer to finish setting up your tenant, or your custom domain if you recently added one. The setup process can take up to 4 hours to complete. Wait a while so the set up process has time to finish, and then try again. If the problem persists, call Support and they will do a full sync for you.
-
-4. In the text box under **Alias**, type the first part of the new email alias. If you added your own domain to Microsoft 365, you can choose the domain for the new email alias by using the drop-down list. Then select **Add**.
-
- > [!IMPORTANT]
- > If you purchased your subscription from GoDaddy or another Partner, to set the new alias as the primary, you must go to the GoDaddy/partner management console.
-
- > [!TIP]
- > The email alias must end with a domain from the drop-down list. To add another domain name to the list, see [Add a domain to Microsoft 365](../setup/add-domain.md).
-
-5. When you're done, select **Save**.
-
-6. Wait 24 hours for the new aliases to populate throughout Microsoft 365.
-
- The user will now have a primary address and an alias. For example, all mail sent to Eliza Hoffman's primary address, Eliza@NodPublishers.com, and her alias, Sales@NodPublishers.com, will go to Eliza's Inbox.
-
-
-7. **When the user replies, the *From* address will depend on her Outlook client. Outlook on the web will use the alias at which the email was received (we'll call this the ping-pong principle). Outlook desktop will use her primary email alias.** For example, let's say a message is sent to Sales@NodPublishers.com, and it arrives in Eliza's inbox. When Eliza replies to the message using Outlook desktop, her primary email address will appear as Eliza@NodPublishers.com, not Sales@NodPublishers.com.
--- ## Did you get "A parameter cannot be found that matches parameter name EmailAddresses"? - If you get the error message "**A parameter cannot be found that matches parameter name EmailAddresses**" it means that it's taking a bit longer to finish setting up your tenant, or your custom domain if you recently added one. The setup process can take up to 4 hours to complete. Wait a while so the set up process has time to finish, and then try again. If the problem persists, call Support and they will do a full sync for you. ## Did you purchase your subscription from GoDaddy or another Partner?
admin Add User Or Contact To Distribution List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/add-user-or-contact-to-distribution-list.md
As the admin of an organization, you may need to add one of your users or contac
## Add a user or contact to a distribution group - 1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2052855" target="_blank">Groups</a> page. 2. On the **Groups** page, select the name of the group you want to add a contact to.
As the admin of an organization, you may need to add one of your users or contac
![Add members to distribution group](../../media/f79f59f8-1606-43fe-bae6-df74f5b6259d.png) 5. Select **Save** and then **Close**.---
-1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2052855" target="_blank">Groups</a> page.
-
-2. On the **Groups** page, select the group you want to add a contact to.
-
-3. In the **Members** section, select **Edit**.
-
-4. On the **View Members** page, select **Add members**, and select the user or contact you want to add to the distribution group.
-
- ![Add members to distribution group](../../media/f79f59f8-1606-43fe-bae6-df74f5b6259d.png)
-
-5. Select **Save** and then **Close**.
-
-If you haven't created the [contact](../misc/contacts.md) yet, do that first as shown in this video.
---
-1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2052855" target="_blank">Groups</a> page.
-
-2. On the **Groups** page, select the group you want to add a contact to.
-
-3. In the **Members** section, select **Edit**.
-
-4. On the **View Members** page, select **Add members**, and select the user or contact you want to add to the distribution group.
-
- ![Add members to distribution group](../../media/f79f59f8-1606-43fe-bae6-df74f5b6259d.png)
-
-5. Select **Save** and then **Close**.
-
-If you haven't created the [contact](../misc/contacts.md) yet, do that first as shown in this video.
--
-<br><br>
- > [!VIDEO https://www.microsoft.com/videoplayer/embed/ed4e6095-9a6a-4d3d-999d-698c39bb7ec8?autoplay=false]
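Review bot: The removed line "If you haven't created the contact yet, do that first as shown in this video" was the only place in the visible steps that told the admin the contact must exist before step 4 ("select the user or contact you want to add"). If that prerequisite is not stated elsewhere in the article, keep a one-line pointer to `../misc/contacts.md` even though the video embed is dropped.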
admin Configure A Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/configure-a-shared-mailbox.md
After you have [created a shared mailbox](create-a-shared-mailbox.md), you'll wa
## Change the name or email alias of a shared mailbox, or change the primary email address - 1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a> page. --
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
---
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
-- 2. Select the shared mailbox you want to edit, and then select **Edit** next to **Name, Email, Email aliases**. 3. Enter a new name, or add another alias. If you want to change the primary email address, your mailbox must have more than one email alias.
After you have [created a shared mailbox](create-a-shared-mailbox.md), you'll wa
You do not need to assign a license to the shared mailbox in order to forward email that's sent to it. You can forward the messages to any valid email address or distribution list. - 1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a> page. --
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
---
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
-- 2. Select the shared mailbox you want to edit, then select **Email forwarding** \> **Edit**. 3. Set the toggle to **On**, and enter one email address to forward the messages to. It can be any valid email address. To forward to multiple addresses, you need to [create a distribution group](/office365/admin/setup/create-distribution-lists) for the addresses, and then enter the name of the group in this box.
You do not need to assign a license to the shared mailbox in order to forward em
## Send automatic replies from a shared mailbox - 1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a> page. --
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
---
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
-- 2. Select the shared mailbox you want to edit, then select **Automatic replies** \> **Edit**. 3. Set the toggle to **On**, and choose whether to send the reply to people inside your organization or outside your organization.
If you want to allow everyone to see the Sent email, in the admin center, edit t
## Choose the apps that a shared mailbox can use to access Microsoft email - 1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a> page. --
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
---
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
-- 2. Select the shared mailbox you want to edit, then select **Email apps** \> **Edit**. 3. Set the toggle to **On** for all of the apps you want members to be able to use to access the shared mailbox. Set the toggle to **Off** for any apps you don't want them to use.
If you want to allow everyone to see the Sent email, in the admin center, edit t
To learn more about litigation hold, see [Create a Litigation Hold](../../compliance/create-a-litigation-hold.md). - 1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a> page. --
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
---
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
-- 2. Select the shared mailbox you want to edit, then select **Litigation hold** \> **Edit**. 3. Set the toggle to **On**.
To learn more about litigation hold, see [Create a Litigation Hold](../../compli
## Add or remove members - 1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a> page. --
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
---
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
-- 2. Select the shared mailbox you want to edit, then select **Members** \> **Edit**. 3. Do one of the following:
To learn more about litigation hold, see [Create a Litigation Hold](../../compli
## Add or remove permissions of members - 1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a> page. --
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
---
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
-- 2. Select the shared mailbox you want to edit, then select **Members** \> **Customize permissions**. 3. Select **Edit** next to the permission you want to change for a member.
To learn more about litigation hold, see [Create a Litigation Hold](../../compli
If you choose not to show the shared mailbox in the global address list, the mailbox won't appear in your organization's address list, but it will still receive email sent to it. - 1. In the admin center, go to the **Groups** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2066847" target="_blank">Shared mailboxes</a> page. --
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
---
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Groups** > **Shared mailboxes** page.
-- 2. Select the shared mailbox you want to edit, then select **Show in global address list** \> **Edit**. 3. Set the toggle to **On** or **Off**.
If you choose not to show the shared mailbox in the global address list, the mai
> [!NOTE] > Hiding a shared mailbox from address list will make it impossible for new shared mailbox members to add the hidden mailbox to their Outlook profile until the shared mailbox is again shown in the address list.
-## Related articles
+## Related content
-[About shared mailboxes](about-shared-mailboxes.md)
+[About shared mailboxes](about-shared-mailboxes.md) (article)
-[Create a shared mailbox](create-a-shared-mailbox.md)
+[Create a shared mailbox](create-a-shared-mailbox.md) (article)
-[Convert a user mailbox to a shared mailbox](convert-user-mailbox-to-shared-mailbox.md)
+[Convert a user mailbox to a shared mailbox](convert-user-mailbox-to-shared-mailbox.md) (article)
-[Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md)
+[Remove a license from a shared mailbox](remove-license-from-shared-mailbox.md) (article)
-[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md)
+[Resolve issues with shared mailboxes](resolve-issues-with-shared-mailboxes.md) (article)
admin Configure Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/configure-email-forwarding.md
description: "Set up email forwarding to one or more email accounts using Office
# Configure email forwarding in Microsoft 365 -
-> [!NOTE]
-> The admin center is changing. If your experience doesn't match the details presented here, see [About the new Microsoft 365 admin center](../microsoft-365-admin-center-preview.md?preserve-view=true&view=o365-21vianet).
-- As the admin of an organization, you might have company requirements to set up email forwarding for a user's mailbox. Email forwarding lets you forward email messages sent to a user's mailbox to another user's mailbox inside or outside of your organization. > [!IMPORTANT]
Before you set up email forwarding, note the following:
You must be an Exchange administrator or Global administrator in Microsoft 365 to do these steps. For more information, see the topic [About admin roles](../add-users/about-admin-roles.md). - 1. In the admin center, go to the **Users** \> **[Active users](https://go.microsoft.com/fwlink/p/?linkid=834822)** page. 2. Select the name of the user whose email you want to forward to open the properties page.
You must be an Exchange administrator or Global administrator in Microsoft 365 t
Or, in the admin center, [create a distribution group](../setup/create-distribution-lists.md), [add the addresses to it](add-user-or-contact-to-distribution-list.md), and then set up forwarding to point to the DL using the instructions in this article.
-5. Don't delete the account of the user who's email you're forwarding or remove their license! If you do, email forwarding will stop.
---
-1. In the admin center, go to the **Users** \> **[Active users](https://go.microsoft.com/fwlink/p/?linkid=847686)** page.
-
-2. Select the name of the user whose email you want to forward to open the properties page.
-
-3. Expand **Mail settings**, and then in the **Email forwarding** section, select **Edit**.
-
-4. On the email forwarding page, set the toggle to **On**, enter the forwarding address, and choose whether you want to keep a copy of forwarded emails. If you don't see this option, make sure a license is assigned to the user account. Select **Save**.
-
- **To forward to multiple email addresses**, you can ask the user to set up a rule in Outlook to forward to the addresses. To learn more, see [Use rules to automatically forward messages](https://support.microsoft.com/office/45aa9664-4911-4f96-9663-ece42816d746).
-
- Or, in the admin center, [create a distribution group](../setup/create-distribution-lists.md), [add the addresses to it](add-user-or-contact-to-distribution-list.md), and then set up forwarding to point to the DL using the instructions in this article.
-
-5. Don't delete the account of the user who's email you're forwarding or remove their license! If you do, email forwarding will stop.
---
-1. In the admin center, go to the **Users** \> **[Active users](https://go.microsoft.com/fwlink/p/?linkid=850628)** page.
-
-2. Select the name of the user whose email you want to forward to open the properties page.
-
-3. Expand **Mail settings**, and then in the **Email forwarding** section, select **Edit**.
-
-4. On the email forwarding page, set the toggle to **On**, enter the forwarding address, and choose whether you want to keep a copy of forwarded emails. If you don't see this option, make sure a license is assigned to the user account. Select **Save**.
-
- **To forward to multiple email addresses**, you can ask the user to set up a rule in Outlook to forward to the addresses. To learn more, see [Use rules to automatically forward messages](https://support.microsoft.com/office/45aa9664-4911-4f96-9663-ece42816d746).
-
- Or, in the admin center, [create a distribution group](../setup/create-distribution-lists.md), [add the addresses to it](add-user-or-contact-to-distribution-list.md), and then set up forwarding to point to the DL using the instructions in this article.
-
-5. Don't delete the account of the user who's email you're forwarding or remove their license! If you do, email forwarding will stop.
-
+5. Don't delete the account of the user who's email you're forwarding or remove their license! If you do, email forwarding will stop.
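Review bot: The re-added step 5 still reads "the user who's email you're forwarding"; it should be "whose email". Since three duplicated copies of this step are being collapsed into one here, this is the place to fix the wording. Consider also moving the warning out of the numbered list into a note, because it is a caution and not an action the admin performs.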
business-video Choose Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/choose-subscription.md
Choosing the right Microsoft 365 subscription is key to getting the most out of
2. Open the **Microsoft 365 Business Premium** page, and then choose **See plans and pricing**. Here you can see which subscriptions are tailored to smaller businesses. 3. Scroll down to view the features that are available with each option. 4. If you have a larger business or have complex IT needs, scroll down and select **Microsoft 365 Enterprise**.
-5. Select **See products and plans** , and review the Enterprise subscriptions and their features.
-6. Once you&#39;ve decided on a subscription, choose **Buy now** , and go through the sign-up process.
+5. Select **See products and plans**, and review the Enterprise subscriptions and their features.
+6. Once you&#39;ve decided on a subscription, choose **Buy now**, and go through the sign-up process.
## Compare plans
-| **Service area** | **Feature** | **Microsoft 365 Business Standard** | **Microsoft 365 Business Premium** | **Office 365 Enterprise E3** |
+| Service area | Feature | Microsoft 365 Business Standard | Microsoft 365 Business Premium | Office 365 Enterprise E3 |
| | | | | | | **Licenses available** | Maximum number of users | 300 | 300 | Unlimited | | **Office apps** | Install Office on up to 5 PCs/Macs + 5 smartphones per user (Word, Excel, PowerPoint, OneNote, Access), Office Online | Business | Business | ProPlus |
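Review bot: The added step 6 keeps the HTML entity in "Once you&#39;ve decided"; while this line is being touched for the spacing fix, replace the entity with a literal apostrophe so the Markdown source reads cleanly.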
Choosing the right Microsoft 365 subscription is key to getting the most out of
| **File storage** | OneDrive for Business | 1 TB per user | 1 TB per user | Unlimited | | **Social, video, sites** | Stream, Yammer, Planner, SharePoint Online\*, PowerApps\*, Microsoft Flow\* | Yes | Yes | Yes | | **Business apps** | Scheduling apps - Bookings\*\* | Yes | Yes | Yes |
-|
| **Threat Protection** | Office 365 Advanced Threat Protection | No | Yes | No |
- | Windows Exploit Guard enforcement | No | Yes | No |
+ | Windows Exploit Guard enforcement| | No | Yes | No |
| **Identity Management** | Self-service password reset for hybrid Azure Active Directory accounts | No | Yes | No |
- | Azure Multi-Factor Authentication, conditional access policies | No | Yes | No |
+ | Azure Multi-Factor Authentication, conditional access policies | | No | Yes | No |
| **Device &amp; app management** | Microsoft Intune, Windows AutoPilot, Windows Pro Management | No | Yes | No |
- | Shared computer activation | No | Yes | Yes |
- | Upgrade rights to Windows 10 Pro for Win 7/8.1 Pro licenses | No | Yes | No |
- | Windows Virtual Desktop | No | Yes | No |
+ | Shared computer activation | | No | Yes | Yes |
+ | Upgrade rights to Windows 10 Pro for Win 7/8.1 Pro licenses | | No | Yes | No |
+ | Windows Virtual Desktop | | No | Yes | No |
| **Information protection** | Office 365 data loss prevention | No | Yes | Yes |
- | Azure Information Protection Plan 1, BitLocker enforcement | No | Yes | No |
+ | Azure Information Protection Plan 1, BitLocker enforcement | | No | Yes | No |
| **On-premises CAL rights** | ECAL Suite (Exchange, SharePoint, Skype) | No | No | Yes | | **Compliance** | Unlimited email archiving\*\*\* | No | Yes | Yes |
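Review bot: The empty cell in the six added continuation rows is on the wrong side of the feature name. A row such as "| Windows Exploit Guard enforcement| | No | Yes | No |" now has five cells, but the feature text sits in the Service area column and the Feature column is empty. Put the empty cell first, for example "| | Windows Exploit Guard enforcement | No | Yes | No |", so each feature stays under Feature and continues the service area of the row above.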
Choosing the right Microsoft 365 subscription is key to getting the most out of
\*\*\* Unlimited archiving when auto-expansion is turned on.
-To compare Microsoft 365 Business Premium with other products, including other Microsoft 365 plans, see [Licensing Microsoft 365 for small and medium-sized businesses](/office365/servicedescriptions/microsoft-365-service-descriptions/licensing-microsoft-365-in-smb).
+To compare Microsoft 365 Business Premium with other products, including other Microsoft 365 plans, see [Licensing Microsoft 365 for small and medium-sized businesses](/office365/servicedescriptions/microsoft-365-service-descriptions/licensing-microsoft-365-in-smb).
commerce Manage Self Service Purchases Admins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins.md
You can also control whether users in your organization can make self-service pu
::: moniker range="o365-germany"
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Your products** page.
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=847745" target="_blank">Your products</a> page.
::: moniker-end ::: moniker range="o365-21vianet"
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Your products** page.
-
+1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850626" target="_blank">Your products</a> page.
::: moniker-end 2. On the **Products** tab, select the filter icon, then select **Self-service**.
You can also control whether users in your organization can make self-service pu
::: moniker range="o365-germany"
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">admin center</a>, go to the **Billing** > **Licenses** page.
+ 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=848038" target="_blank">Licenses</a> page.
+ ::: moniker-end ::: moniker range="o365-21vianet"
-1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">admin center</a>, go to the **Billing** > **Licenses** page.
+ 1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850625" target="_blank">Licenses</a> page.
::: moniker-end
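Review bot: The added step lines in this hunk are indented (" 1. In the admin center, go to the **Billing** ...") and so is the added "::: moniker-end ::: moniker range" line, while the equivalent added steps in the previous hunk of this file start at the left margin. Use the same indentation in both procedures so the numbered lists and the moniker blocks render consistently.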
compliance Compliance Manager Mcca https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-manager-mcca.md
description: "Understand how to use Microsoft Compliance Configuration Analyzer
The Microsoft Compliance Configuration Analyzer (MCCA) is a preview tool that can help you get started with [Microsoft Compliance Manager](compliance-manager.md). MCCA is a PowerShell-based utility that will fetch your organizationΓÇÖs current configurations and validate them against Microsoft 365 recommended best practices. These best practices are based on a set of controls that include key regulations and standards for data protection and data governance.
-MCCA can help you quickly see which improvement actions in Compliance Manger apply to your current Microsoft 365 environment. Each action identified by MCCA will give you recommendations for implementation, with direct links to Compliance Manager and the applicable solution to start taking corrective action.
+MCCA can help you quickly see which improvement actions in Compliance Manager apply to your current Microsoft 365 environment. Each action identified by MCCA will give you recommendations for implementation, with direct links to Compliance Manager and the applicable solution to start taking corrective action.
An additional resource for understanding MCCA is by visiting the [README instructions on GitHub](https://github.com/OfficeDev/MCCA#overview). This page provides detailed information about prerequisites and gives full installation instructions. You donΓÇÖt need a GitHub account to access this page.
Select the dropdown next to the **Recommendation** label to the right of the imp
For more detailed information on installing, setting up, and using MCCA, see the [README instructions on GitHub](https://github.com/OfficeDev/MCCA#overview) (no GitHub account required).
-For more information on Windows PowerShell, start at [How to use the PowerShell documentation](/powershell/scripting/how-to-use-docs?view=powershell-7). See also [Starting Windows PowerShell](/powershell/scripting/windows-powershell/starting-windows-powershell?view=powershell-7).
+For more information on Windows PowerShell, start at [How to use the PowerShell documentation](/powershell/scripting/how-to-use-docs?view=powershell-7). See also [Starting Windows PowerShell](/powershell/scripting/windows-powershell/starting-windows-powershell?view=powershell-7).
compliance Document Metadata Fields In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-metadata-fields-in-Advanced-eDiscovery.md
The following table lists the metadata fields for documents in a review set in a
|**Field name** and **Display field name**|**Searchable field name**|**Exported field name**|**Description**| |:--|:--|:--|:--| |Attachment Content Id|AttachmentContentId||Attachment content Id of the item.|
-|Attachment Names|AttachmentNames|Attachment_Names|List of names of attachments.|
|Attorney client privilege score|AttorneyClientPrivilegeScore||Attorney-client privilege model content score.| |Author|Author|Doc_authors|Author from the document metadata.| |BCC|Bcc|Email_bcc|Bcc field for message types. Format is **DisplayName \<SMTPAddress>**.|
The following table lists the metadata fields for documents in a review set in a
|Content*|Content||Extracted text of the item.| |Conversation Body|Conversation Body||Conversation body of the item.| |Conversation Topic|Conversation Topic||Conversation topic of the item.|
-|Conversation ID|ConversationId|Conversation_ID|Conversation Id from the message.|
+|Conversation ID|ConversationId|Email_conversation_ID|Conversation Id from the message.|
|Conversation Index||Conversation_index|Conversation index from the message.| |Conversation Pdf Time|ConversationPdfTime||Date when the PDF version of the conversation was created.| |Conversation Redaction Burn Time|ConversationRedactionBurnTime||Date when the PDF version of the conversation was created for Chat.|
+|||Converted_file_path|The path of the converted export file. For internal Microsoft use only.|
|Document date created|CreatedTime|Doc_date_created|Create date from document metadata.| |Custodian|Custodian|Custodian|Name of the custodian the item was associated with.| |Date|Date|Date|Date is a computed field that depends on the file type.<br /><br />Email: Sent date<br />Email attachments: Last modified date of the document;if not available, the parent's Sent date<br />Embedded documents: Last modified date of the document; if not available, the parent's last modified date<br />SPO documents (includes modern attachments): SharePoint Last modified date; if not available, the documents last modified date<br />Non-Office 365 documents: Last modified date<br />Meetings: Meeting start date<br />VoiceMail: Sent date<br />IM: Sent date|
The following table lists the metadata fields for documents in a review set in a
|DocIndex*|||The index in the family. **-1** or **0** means it is the root.| |Document keywords||Doc_keywords|Keywords from the document metadata.| |Document modified by||Doc_modified_by|Last modified date by from document metadata.|
-|Document Revision||Doc_revision|Revision from the document metadata.|
+|Document Revision|Doc_Version|Doc_Version|Revision from the document metadata.|
|Document subject||Doc_subject|Subject from the document metadata.| |Document template||Doc_template|Template from the document metadata.|
+|DocLastSavedBy||Doc_last_saved_by|The name of the user who last saved the document.|
|Dominant theme|DominantTheme|Dominant_theme|Dominant theme as calculated for analytics.| |Duplicate subset||Duplicate_subset|Group ID for exact duplicates.| |EmailAction*||Email_action|Values are **None**, **Reply**, or **Forward**; based on the subject line of a message.|
-|Email Delivery Receipt||Email_delivery_receipt|Email address supplied in Internet Headers for delivery receipt.|
+|Email Delivery Receipt Requested||Email_delivery_receipt_requested|Email address supplied in Internet Headers for delivery receipt.|
|Importance|EmailImportance|Email_importance|Importance of the message: **0** - Low; **1** - Normal; **2** - High|
+|EmailInternetHeaders|EmailInternetHeaders|Email_internet_headers|The full set of email headers from the email message|
|EmailLevel*||Email_level|Indicates a message's level within the email thread it belongs to; attachments inherit its parent message's value.| |Email Message Id||Email_message_ID|Internet message Id from the message.|
-|EmailReadReceipt*||Email_read_receipt|Email address supplied in Internet Headers for read receipt.|
+|EmailReadReceiptRequested||Email_read_receipt_requested|Email address supplied in Internet Headers for read receipt.|
|Email Security|EmailSecurity|Email_security|Security setting of the message: **0** - None; **1** - Signed; **2** - Encrypted; **3** - Encrypted and signed.| |Email Sensitivity|EmailSensitivity|email_sensitivity|Sensitivity setting of the message: **0** - None; **1** Personal; **2** - Private; **3** - CompanyConfidential.| |Email set|EmailSet|Email_set|Group ID for all messages in the same email set.| |EmailThread*||Email_thread|Position of the message within the email set; consists of node IDs from the root to the current message and are separated by periods (.).|
-|Extracted content type||Extracted_content_type|Extracted content type, in the form of mime type; for example, **image/jpeg**|
+|||Export_native_path|The path of the exported file.|
+|Extracted content type||Native_type|Extracted content type, in the form of mime type; for example, **image/jpeg**|
+|||Extracted_text_path|The path to the extracted text file in the export.|
|ExtractedTextLength*||Extracted_text_length|Number of characters in the extracted text.|
-|Family relevance score Case issue 1*||Family_relevance_score_case_issue_1|Family relevance score Case issue 1 from Relevance.|
|FamilyDuplicateSet*||Family_duplicate_set|Numeric identifier for families that are exact duplicates of each other (same content and all the same attachments).| |Family ID|FamilyId|Family_ID|Family Id groups together all items; for email, this includes the message and all attachments; for documents, this includes the document and any embedded items.| |Family Size||Family_size|Number of documents in the family.|
-|File relevance score Case issue 1*||File_relevance_score_case_issue_1|File relevance score Case issue 1 from Relevance.|
|File class|FileClass|File_class|For content from SharePoint and OneDrive: **Document**; for content from Exchange: **Email** or **Attachment**.| |File ID|FileId|File_ID|Document identifier unique within the case.| |File system date created||File_system_date_created|Created date from file system (only applies to non-Office 365 data).| |File system date modified||File_system_date_modified|Modified date from file system (only applies to non-Office 365 data).| |File Type|FileType||File type of the item based on file extension.|
-|Group Id| GroupID| |Group ID for grouped content.|
+|Group Id|GroupID||Group ID for grouped content.|
|Has attachment|HasAttachment|Email_has_attachment|Indicates whether or not the message has attachments.| |Has attorney|HasAttorney||**True** when at least one of the participants is found in the attorney list; otherwise, the value is **False**.| |HasText*||Has_text|Indicates whether or not the item has text; possible values are **True** and **False**.| |Immutable ID||Immutable_ID|This Id is used to uniquely identify a document within a review set. This field can't be used in a review set search and the Id can't be used to access a document in its native location.| |Inclusive type|InclusiveType|Inclusive_type|Inclusive type calculated for analytics: **0** - not inclusive; **1** - inclusive; **2** - inclusive minus; **3** - inclusive copy.| |In Reply To Id||In_reply_to_ID|In reply to Id from the message.|
+|InputFileExtension||Original_file_extension|The original file extension of the file.|
+|InputFileID||Input_file_ID|The file ID of the top level item in the review set. For an attachment, this ID will be the ID of the parent. This can be used to group families together.|
|Is modern attachment| IsModernAttachment| |This file is a modern attachment or linked file.| |Is from document version | IsFromDocumentVersion | |Current document is from a different version of another document.| |Is email attachment | IsEmailAttachment| |This item is from an email attachment that shows up as an attached item to the message.|
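Review bot: In the changed Document Revision row, the searchable field name is now "Doc_Version", the same string as the exported field name, whereas every other searchable name visible in this table is written without underscores (ConversationId, EmailImportance, FamilyId). Please confirm that "Doc_Version" is really the searchable property and not the exported name copied into the wrong column. The added EmailInternetHeaders description is also missing its closing period.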
The following table lists the metadata fields for documents in a review set in a
|Load ID|LoadId|Load_ID|The Id of the load set in which the item was added to a review set.| |Location|Location|Location|String that indicates the type of location that documents were sourced from.<br /><br />**Imported Data** - Non-Office 365 data<br />**Teams** - Microsoft Teams<br />**Exchange** - Exchange mailboxes<br />**SharePoint** - SharePoint sites<br />**OneDrive** - OneDrive accounts| |Location name|LocationName|Location_name|String that identifies the source of the item. For exchange, this will be the SMTP address of the mailbox; for SharePoint and OneDrive, the URL for the site collection.|
+|||Marked_as_pivot|This file is the pivot in a near duplicate set.|
|Marked as representative|MarkAsRepresentative||One document from each set of exact duplicates is marked as representatives.|
-|Marked as pre tagged Case issue 1*||Marked_as_pre_tagged_Case_issue_1|Marked as pre-tagged Case issue 1 from Relevance.|
-|Marked as seed Case issue 1*||Marked_as_seed_Case_issue_1|Marked as seed Case issue 1 from Relevance.|
|Meeting End Date|MeetingEndDate|Meeting_end_date|Meeting end date for meetings.| |Meeting Start Date|MeetingStartDate|Meeting_start_date|Meeting start date for meetings.| |Message kind|MessageKind|Message_kind|The type of message to search for. Possible values: **<br /><br />contacts <br />docs <br />email <br />externaldata <br />faxes <br />im <br />journals <br />meetings <br />microsoftteams** (returns items from chats, meetings, and calls in Microsoft Teams) **<br />notes <br />posts <br />rssfeeds <br />tasks <br />voicemail**|
+|ModernAttachment_ParentId||ModernAttachment_ParentId||
|Native Extension|NativeExtension|Native_extension|Native extension of the item.| |Native file name|NativeFileName|Native_file_name|Native file name of the item.| |NativeMD5||Native_MD5|MD5 hash (128-bit hash value) of the file stream.| |NativeSHA256||Native_SHA_256|SHA256 hash (256-bit hash value) of the file stream.| |ND/ET Sort: Excluding attachments|NdEtSortExclAttach|ND_ET_sort_excl_attach|Concatenation of the email thread (ET) set and Near-duplicate (ND) set. This field is used for efficient sorting at review time. A **D** is prefixed to ND sets and an **E** is prefixed to ET sets.| |ND/ET Sort: Including attachments|NdEtSortInclAttach|ND_ET_sort_incl_attach|Concatenation of an email thread (ET) set and near-duplicate (ND) set. This field is used for efficient sorting at review time. A **D** is prefixed to ND sets and an **E** is prefixed to ET sets. Each email item in an ET set is followed by its appropriate attachments.|
-|Normalized relevance score Case issue 1||Normalized_relevance_score_case_issue_1|Normalized relevance score Case issue 1 from Relevance.|
|O365 authors||O365_authors|Author from SharePoint.| |O365 created by||O365_created_by|Created by from SharePoint.| |O365 date created||O365_date_created|Created date from SharePoint.| |O365 date modified||O365_date_modified|Last modified date from SharePoint.| |O365 modified by||O365_modified_by|Modified by from SharePoint.|
-|Parent ID|ParentId|Parent_ID|Id of the item's parent.|
+|Parent ID|ParentId|Container_ID|Id of the item's parent.|
|ParentNode||Parent_node|The closest preceding email message in the email thread.|
-|Parent path|ParentPath|Parent_path|Compound path of the direct parent of the item.|
|Participant domains|ParticipantDomains|Email_participant_domains|List of all domains of participants of a message.| |Participants|Participants|Email_participants|List of all participants of a message; for example, Sender, To, Cc, Bcc.| |Pivot ID|PivotId|Pivot_ID|The ID of a pivot.| |Potentially privileged|PotentiallyPrivileged|Potentially_privileged|True if attorney-client privilege detection model considers the document potentially privileged| |Processing status|ProcessingStatus|Error_code|Processing status after the item was added to a review set.|
-|Read percent Case issue 1||Read_percent_Case_issue_1|Read percent Case issue 1 from Relevance.|
|Read percentile|ReadPercentile||Read percentile for the document based on Relevance.|
+|Received|Received|Email_date_received|The date and time the email was received in UTC.|
|Recipient Count||Recipient_count|Number of recipients in the message.| |Recipient domains|RecipientDomains|Email_recipient_domains|List of all domains of recipients of a message.| |Recipients|Recipients|Email_recipients|List of all recipients of a message (To, Cc, Bcc).|
-|Relevance load group Case issue 1||Relevance_load_group_case_issue_1|Relevance load group Case issue 1 from Relevance.|
-|Relevance status description Case issue 1||Relevance_status_description_Case_issue_1|Relevance status description Case issue 1 from Relevance.|
+|||Redacted_file_path|The path of the redacted replacement file in the export.|
+|||Redacted_text_path|The path of the redacted text file replacement in the export. For internal Microsoft use only.|
|Relevance tag Case issue 1||Relevance_tag_case_issue_1|Relevance tag Case issue 1 from Relevance.|
-|Relevance Comment||Relevance_comment|Comment field from Relevance.|
|Relevance score|RelevanceScore||Relevance score of a document based on Relevance.| |Relevance tag|RelevanceTag||Relevance score of a document based on Relevance.| |Representative ID|RepresentativeId||Numeric identifier of each set of exact duplicates.|
+|||Row_number|The row number of the item in the load file.|
|Sender|Sender|Email_sender|Sender (From) field for message types. Format is **DisplayName \<SmtpAddress>**.| |Sender/Author|SenderAuthor||Calculated field comprised of the sender or author of the item.| |Sender domain|SenderDomain|Email_sender_domain|Domain of the sender.|
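Review bot: The added row "|ModernAttachment_ParentId||ModernAttachment_ParentId||" has an empty Description cell, so the table says nothing about what the field holds or how it relates to the existing "Is modern attachment" row. Add a description before merging. Also note that the exported name does not follow the capitalization pattern of its neighbours (Parent_node, Pivot_ID); if that is the real exported column name, saying so in the description would prevent a later "fix".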
The following table lists the metadata fields for documents in a review set in a
|Native file size|Size|Native_size|Number of bytes of the native item.| |Subject|Subject|Email_subject|Subject of the message.| |Subject/Title|SubjectTitle||Calculated field comprised of the subject or title of the item.|
-|Tagged by Case issue 1||Tagged_by_Case_issue_1|User who tagged this document for Case issue 1 in Relevance.|
|Tags|Tags|Tags|Tags applied in a review set.| |Themes list|ThemesList|Themes_list|Themes list as calculated for analytics.| |Title|Title|Doc_title|Title from the document metadata.|
compliance Export Documents From Review Set https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-documents-from-review-set.md
To export documents from a review set:
## Export options
-Use the following options to configure the export.
+Use the following options to configure the export. Not all options are allowed for some output options, most notably, export of text files and redacted PDFs are not allowed when exporting to the PST format.
-- **Export name**: Name of the export job.
+- **Export name**: Name of the export job. This will be used to name the ZIP files that will be downloaded.
- **Description**: Free-text field for you to add a description. - **Export these documents**
- - **Selected documents only**: This option exports only the documents that are currently selected.
-
- - **All documents in the review set**: This option exports all documents in the review set.
--- **Metadata**
-
- - **Load file**: This file contains metadata for each file. This file can typically be ingested by third-party eDiscovery tools. For more information about what fields are included, see [Document metadata fields in Advanced eDiscovery](document-metadata-fields-in-Advanced-eDiscovery.md).
-
- - **Tags**: When selected, tagging information is included in the load file.
+ - Selected documents only: This option exports only the documents that are currently selected. This option is only available when items are selected in a review set.
+ - All filtered documents: This option exports the documents in an active filter. This option is only available when a filter is applied to the review set.
+ - All documents in the review set: This option exports all documents in the review set.
-- **Content**
-
- - **Native files**: Select this checkbox to include the native files of the documents in the review set. If you choose to export native files, you have the following options for how export chat conversations.
+- **Output options**: Exported content is either available for download directly through a web browser or can be sent to an Azure Storage account. The first two options enable direct download.
- - **Conversation options**
-
- - **Conversation files**: This option exports reconstructed chat conversations. This format presents conversations in a form that resembles what users see in the native application.
+ - Reports only: Only the summary and load file are created.
+ - Loose files and PSTs (email is added to PSTs when possible): Files are exported in a format that resembles the original directory structure seen by users in their native applications. For more information, see the [Loose files and PST export structure](#loose-files-and-pst-export-structure) section.
+ - Condensed directory structure: Files are exported and included in the download.
+ - Condensed directory structure exported to your Azure Storage account: Files are exported to your organization's Azure Storage account. For this option, you have to provide the URL for the container in your Azure Storage account to export the files to. You also have to provide the shared access signature (SAS) token for your Azure Storage account. For more information, see [Export documents in a review set to an Azure Storage account](download-export-jobs.md).
- - **Individual chat messages**: This option exports the original conversation files as they are stored in Microsoft 365.
+- **Include**
+ - Tags: When selected, tagging information is included in the load file.
+ - Text files: This option includes the extracted text versions of native files in the export.
+ - Replace redacted natives with converted PDFs: If redacted PDF files are generated during review, these files are available for export. You can choose to export only the native files that were redacted (by not selecting this option) or you can select this option to export the PDF files that contain the actual redactions.
-- **Options**
+## The following sections describe the folder structure for loose files and condensed directory structure options
- - **Text files**: - This option includes the extracted text versions of native files in the export.
-
- - **Replace redacted natives with converted PDFs**: If redacted PDF files are generated during review, these files are available for export. You can choose to export only the native files that were redacted (by not selecting this option) or you can select this option to export the PDF files that contain the actual redactions.
--- **Output options**: Exported content is either available for download directly through a web browser or can be sent to an Azure Storage account. The first two options enable direct download.
-
- - **Loose files and PSTs (email is added to PSTs when possible)**: Files are exported in a format that resembles the original directory structure seen by users in their native applications. For more information, see the [Loose files and PST export structure](#loose-files-and-pst-export-structure) section.
-
- - **Condensed directory structure**: Files are exported and included in the download.
-
- - **Condensed directory structure exported to your Azure Storage account**: Files are exported to your organization's Azure Storage account. For this option, you have to provide the URL for the container in your Azure Storage account to export the files to. You also have to provide the shared access signature (SAS) token for your Azure Storage account. For more information, see [Export documents in a review set to an Azure Storage account](download-export-jobs.md).
-
-The following sections describe the folder structure for loose files and condensed directory structure options.
+Exports are partitioned into ZIP files with a maximum size of uncompressed content of 75 GB. If the export size is less than 75 GB, the export will consist of a summary file and a single ZIP file. For exports exceeding 75 GB of uncompressed data, multiple ZIP files will be created. Once downloaded, the ZIP files can be uncompressed into a single location to recreate the full export.
### Loose files and PST export structure If you select this export option, the exported content is organized in the following structure: -- Root folder: This folder in named ExportName.zip
-
- - Export_load_file.csv: The metadata file.
-
- - Summary.csv: A summary file that also contains export statistics.
-
- - Exchange: This folder contains all content from Exchange in native file format. Natives files are replaced with redacted PDFs if you selected the **Replace redacted natives with converted PDFs** option.
-
- - SharePoint: This folder contains all native content from SharePoint in a native file format. Natives files are replaced with redacted PDFs if you selected the **Replace redacted natives with converted PDFs** option.
+- Summary.csv: Includes a summary of the content exported from the review set
+- Root folder: This folder in named [Export Name] x of z.zip and will be repeated for each ZIP file partition.
+ - Export_load_file_x of z.csv: The metadata file.
+ - Warnings and errors x of z.csv: This file includes information about errors encountered when trying to export from the review set.
+ - Exchange: This folder contains all content from Exchange stored in PST files. Redacted PDF files cannot be included with this option. If an attachment is selected in the review set, the parent email will be exported with the attachment attached.
+ - SharePoint: This folder contains all native content from SharePoint in a native file format. Redacted PDF files cannot be included with this option.
### Condensed directory structure -- Root folder: This folder is named ExportName.zip
-
- - Export_load_file.csv: The metadata file.
-
- - Summary.txt: A summary file that also contains export statistics.
-
- - NativeFiles: This folder contains all the native files that were exported. If you export redacted PDF files, they are not put in PST files. Instead, they're added to a separated folder.
-
- - Error_files: This folder contains the following error files, if they are included in the export:
+- Summary.csv: Includes a summary of the content exported from the review set
+- Root folder: This folder in named [Export Name] x of z.zip and will be repeated for each ZIP file partition.
+ - Export_load_file_x of z.csv: The metadata file and also includes the location of each file that is stored in the ZIP file.
+ - Warnings and errors x of z.csv: This file includes information about errors encountered when trying to export from the review set.
+ - NativeFiles: This folder contains all the native files that were exported. Natives files are replaced with redacted PDFs if you selected the *Replace redacted natives with converted PDFs* option.
+ - Error_files: This folder contains files that had either extraction or other processing error. The files will be placed into separate folders, either ExtractionError or ProcessingError. These files are listed in the load file.
+ - Extracted_text_files: This folder contains all of the extracted text files that were generated at processing.
- - ExtractionError: A CSV file that contains any available metadata of files that weren't properly extracted from parent files.
+### Condensed directory structure exported to your Azure Storage Account
- - ProcessingError: This file contains a list of documents with processing errors. This content is item-level, meaning if an attachment resulted in a processing error, the email message that contains the attachment is included in this folder.
-
- - Extracted_text_files: This folder contains all of the extracted text files that were generated at processing.
+This option uses the same general structure as the *Condensed directory structure*, however the contents is not zipped and the data is saved to your Azure Storage account. This option is generally used when working with a third-party eDiscovery provider. For details about how to use this option, see [Export documents in a review set to an Azure Storage account](download-export-jobs.md).
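Review bot: The added line "## The following sections describe the folder structure for loose files and condensed directory structure options" turns what was a plain introductory sentence into an H2 heading, which puts a full sentence in the page outline and makes the "### Loose files and PST export structure" section its child. Keep it as a paragraph ending in a period, as the removed line had it. In the same change, "This folder in named [Export Name] x of z.zip" should read "is named" in both Root folder bullets, the two "Summary.csv" bullets lack a closing period, and "the contents is not zipped" should be "the content is not zipped". The Azure Storage option asks for a container URL plus a SAS token "for your Azure Storage account"; it would help to say which scope and permissions that token needs, so admins do not hand over a broader token than the export requires.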
compliance Limits Ediscovery20 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/limits-ediscovery20.md
The limits described in this section are related to using the search tool on the
Microsoft collects performance information for searches run by all organizations. While the complexity of the search query can impact search times, the biggest factor that affects how long searches take is the number of mailboxes searched. Although Microsoft doesn't provide a Service Level Agreement for search times, the following table lists average search times for collection searches based on the number of mailboxes included in the search.
- |**Number of mailboxes**|**Average search time**|
+ | Number of mailboxes | Average search time |
|:--|:--| |100 <br/> |30 seconds <br/> | |1,000 <br/> |45 seconds <br/> |
The limits described in this section are related to exporting documents out of a
| Description of limit | Limit | |:--|:--|
-|Maximum size of a single export.|3 million documents or 100 GB, whichever is smaller|
+|Maximum size of a single export.|5 million documents or 500 GB, whichever is smaller|
|Maximum concurrent exports per review set. | 1 | |||
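Review bot: The new limit of "5 million documents or 500 GB, whichever is smaller" is stated without any pointer to how an export of that size is delivered, while the export article changed in the same batch says exports are partitioned into ZIP files of at most 75 GB of uncompressed content. Add a cross-reference from this row to that description so readers sizing a 500 GB export know to expect multiple ZIP files. The header change from bold to plain text is fine and matches the other tables touched in this update.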
compliance Permissions Filtering For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/permissions-filtering-for-content-search.md
For troubleshooting PowerShell connection errors, see:
The **New-ComplianceSecurityFilter** is used to create a search permissions filter. The following table describes the parameters for this cmdlet. All parameters are required to create a compliance security filter.
-|**Parameter**|**Description**|
+| Parameter | Description |
|:--|:--| | _Action_ <br/> | The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content Search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> | | _FilterName_ <br/> |The _FilterName_ parameter specifies the name of the permissions filter. This name is used to identity a filter when using the **Get-ComplianceSecurityFilter**, **Set-ComplianceSecurityFilter,** and **Remove-ComplianceSecurityFilter** cmdlets. <br/> |
The **Get-ComplianceSecurityFilter** is used to return a list of search permissi
The **Set-ComplianceSecurityFilter** is used to modify an existing search permissions filter. The only required parameter is _FilterName_.
-|**Parameter**|**Description**|
+| Parameter | Description |
|:--|:--| | _Action_| The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content Search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> | | _FilterName_|The _FilterName_ parameter specifies the name of the permissions filter. |
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
This preview version of co-authoring for files encrypted with sensitivity labels
- When you use [DLP policies that use sensitivity labels as conditions](dlp-sensitivity-label-as-condition.md), unencrypted attachments for emails are not supported.
+- Some documents are incompatible with sensitivity labels because of features such as [password-protection](https://support.microsoft.com/office/require-a-password-to-open-or-modify-a-workbook-10579f0e-b2d9-4c05-b9f8-4109a6bce643), [shared workbooks](https://support.microsoft.com/office/about-the-shared-workbook-feature-49b833c0-873b-48d8-8bf2-c1c59a628534), or content that includes ActiveX controls. Other reasons are documented in [Troubleshoot co-authoring in Office](https://support.microsoft.com/office/troubleshoot-co-authoring-in-office-bd481512-3f3a-4b6d-b7eb-ebf9d3626ae7). For these documents, you see a message **UPLOAD FAILED** and should select the **Discard Changes** option. Until this issue is addressed, do not label these documents that are identified with this failure message.
+ - Office apps for iOS and Android are not supported. ## How to enable co-authoring for files with sensitivity labels
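Review bot: The new bullet ends with "do not label these documents that are identified with this failure message", but by its own description the **UPLOAD FAILED** message only appears after a label has already been applied and a save attempted, so the instruction cannot be followed in advance. State what the user should do once the message appears (for example, whether the label must be removed after selecting **Discard Changes**) and what happens to the unsaved edits. The sentence also reads more cleanly as "do not label documents that show this failure message".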
compliance Sensitivity Labels Sharepoint Onedrive Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files.md
Use the OneDrive sync app version 19.002.0121.0008 or later on Windows, and vers
## Limitations
-> [!WARNING]
-> There is a current problem with Power Query and custom add-ins with Excel on the web: Do not encrypt these files by using sensitivity labels because data can be lost when the file is saved. Instead, apply a label without encryption.
+- Power Query and custom add-ins with Excel on the web: If these files are encrypted with a sensitivity label, SharePoint and OneDrive can't process the files so users won't be able to open them in Office on the web. For these files, either apply a label without encryption so that they can be opened in Office on the web, or instruct users to open the files in their desktop apps.
+
+- If you experience problems opening labeled and encrypted files in Office on the web, try the following:
+ 1. Open the file in the Office desktop app.
+ 2. Remove the label that applies encryption.
+ 3. Save the file in the original location (SharePoint or OneDrive), and close the desktop app.
+ 4. Open the file in Office on the web, and reapply the original label that applies encryption.
- SharePoint and OneDrive don't automatically apply sensitivity labels to existing files that you've already encrypted using Azure Information Protection labels. Instead, for the features to work after you enable sensitivity labels for Office files in SharePoint and OneDrive, complete these tasks: 1. Make sure you have [migrated the Azure Information Protection labels](/azure/information-protection/configure-policy-migrate-labels) to sensitivity labels and [published them](create-sensitivity-labels.md#publish-sensitivity-labels-by-creating-a-label-policy) from the Microsoft 365 compliance center, or equivalent labeling admin center.
-
2. Download the files and then upload them to SharePoint. - SharePoint and OneDrive can't process encrypted files when the label that applied the encryption has any of the following [configurations for encryption](encryption-sensitivity-labels.md#configure-encryption-settings):
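Review bot: Steps 2 and 3 of the new workaround have the user remove the label that applies encryption and then save the file back to its original SharePoint or OneDrive location, which leaves an unencrypted copy in a shared location until step 4 reapplies the label. Say so explicitly and indicate who should perform these steps, or suggest doing them on a copy in a restricted location. Separately, the removed warning said that "data can be lost when the file is saved" for Power Query and custom add-in files, while the replacement bullet only says users won't be able to open them in Office on the web; please confirm the data-loss behavior no longer applies before dropping that statement.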
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
When you enable Intune integration, Intune will automatically create a classic C
## Device discovery Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. For more information, see [Device discovery](device-discovery.md).
+> [!NOTE]
+> You can always apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.
+ ## Preview features
-Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience.
+Learn about new features in the Defender for Endpoint preview release. Try upcoming features by turning on the preview experience.
You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
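Review bot: The added note refers to "the onboarding status column on API queries" without naming the filter in the portal or the field in the API, so a reader cannot act on it from this page. Link the note to the device inventory filter described in device-discovery.md and give the exact column name. "You can always apply filters" can lose "always" without changing the meaning.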
security Device Discovery Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md
You have the option to turn off device discovery through the [Advanced features]
## Can I control which devices perform Standard discovery? You can customize the list of devices that are used to perform Standard discovery. You can either enable Standard discovery on all the onboarded devices that also support this capability (currently Windows 10 devices only) or select a subset or subsets of your devices by specifying their device tags. In this case, all other devices will be configured to run Basic discovery only. The configuration is available in the device discovery settings page.
+## Can I exclude unmanaged devices from the device inventory list?
+Yes, you can apply filters exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.
++ ## Which onboarded devices can perform discovery? Onboarded devices running on Windows 10 version 1809 or later can perform discovery.
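Review bot: In the new FAQ answer, "you can apply filters exclude unmanaged devices" is missing "to". The answer otherwise repeats the note added to advanced-features.md and device-discovery.md word for word; consider answering here in one sentence and linking to device-discovery.md so the wording is maintained in one place. The new heading also needs a blank line before the following "## Which onboarded devices can perform discovery?" heading, which currently sits on a line that begins with "++".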
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
You can now use a new filter in the device inventory list called Onboarding stat
![Image of device inventory dashboard](images/2b62255cd3a9dd42f3219e437b956fb9.png) -
+> [!TIP]
+> You can always apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.
## Vulnerability assessment on discovered devices Vulnerabilities and risks on your devices as well as other discovered unmanaged devices in the network are part of the current TVM flows under "Security Recommendations" and represented in entity pages across the portal.
DeviceNetworkEvents
```
-## Changed behaviour
+## Changed behavior
The following section lists the changes you'll observe in Microsoft Defender for Endpoint and/or Microsoft 365 Security Center when this capability is enabled. 1. Devices that are not onboarded to Microsoft Defender to Endpoint are expected to appear in the device inventory, advanced hunting, and API queries. This may significantly increase the size of query results.
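Review bot: The same sentence is added here as a TIP and in advanced-features.md as a NOTE; pick one callout type for both. It would also be more useful next to item 1 under "Changed behavior", which is where the page warns that unmanaged devices "may significantly increase the size of query results", since the filter is the mitigation for exactly that. While this section is open, "Microsoft Defender to Endpoint" in item 1 should read "Microsoft Defender for Endpoint".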
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
localization_priority: Normal
- next-gen - edr Previously updated : 01/26/2021 Last updated : 05/05/2021 - m365-security-compliance - m365initiative-defender-endpoint
The following image shows an instance of unwanted software that was detected and
|Requirement |Details | ||| |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/basic-permissions). |
-|Operating system |One of the following versions: <br/>- Windows 10 (all releases) <br/>- Windows Server, version 1803 or newer <br/>- Windows Server 2019 |
+|Operating system |One of the following versions: <br/>- Windows 10 (all releases) <br/>- Windows Server, version 1803 or newer <br/>- Windows Server 2019 <p>**NOTE**: EDR in block mode is not supported on Windows Server 2016. |
|Windows E5 enrollment |Windows E5 is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Identity & Threat Protection offering <br/><br/>See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | |Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). | |Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/
3. In the list of results, in the **STATE** row, confirm that the service is running. ### How much time does it take for EDR in block mode to be disabled?+ If you chose to disable EDR in block mode it can take up to 30 minutes for the system to disable this capability.
+### Is EDR in block mode supported on Windows Server 2016?
+
+No. EDR in block mode is supported of the following versions of Windows:
+
+- Windows 10 (all releases)
+- Windows Server, version 1803 or newer
+- Windows Server 2019
+ ## See also - [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
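Review bot: In the new FAQ entry, "EDR in block mode is supported of the following versions of Windows" should read "supported on". In the requirements table, the added Windows Server 2016 note opens a `<p>` inside the table cell and never closes it; the rest of the cell uses `<br/>` for line breaks, so use that here as well. The FAQ list duplicates the Operating system row of the requirements table, so linking to that row would avoid the two lists drifting apart.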
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
The following commands are available for user roles that are granted the ability
|`connect` | Initiates a live response session to the device. | |`connections` | Shows all the active connections. | |`dir` | Shows a list of files and subdirectories in a directory. |
-|`download <file_path> &` | Downloads a file in the background. |
|`drivers` | Shows all drivers installed on the device. | |`fg <command ID>` | Place the specified job in the foreground in the foreground, making it the current job. <br> NOTE: fg takes a ΓÇ£command IDΓÇ¥ available from jobs, not a PID | |`fileinfo` | Get information about a file. |
Here are some examples:
|Command |What it does | |||
-|`Download "C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
+|`getfile "C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. |
|`fg 1234` |Returns a download with command ID *1234* to the foreground. |
Anytime during a session, you can cancel a command by pressing CTRL + C.
>[!WARNING] >Using this shortcut will not stop the command in the agent side. It will only cancel the command in the portal. So, changing operations such as "remediate" may continue, while the command is canceled.
-### Automatically run prerequisite commands
-
-Some commands have prerequisite commands to run. If you don't run the prerequisite command, you'll get an error. For example, running the `download` command without `fileinfo` will return an error.
-
-You can use the auto flag to automatically run prerequisite commands, for example:
-
-```console
-getfile c:\Users\user\Desktop\work.txt -auto
-```
- ## Run a PowerShell script Before you can run a PowerShell script, you must first upload it to the library.
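Review bot: The removed "Automatically run prerequisite commands" section was the only place that documented the `-auto` flag, and its example used `getfile`, not the `download` command that is being retired. If `getfile` still accepts `-auto`, keep the section and correct the sentence that mentions `download`; if the flag is gone, say so in the change description. The unchanged `fg` row in this table reads "in the foreground in the foreground" and has mis-encoded quotation marks around "command ID", both worth fixing in the same pass.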
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
Contact your administrator for help.
**Cause:**
-You deployed and/or installed the Microsoft Defender for Endpoint on macOS package ("Download installation package") but you might have run the configuration script ("Download onboarding package").
+You deployed and/or installed the Microsoft Defender for Endpoint for macOS package ("Download installation package"), but you might have run the configuration script ("Download onboarding package"), or you have not assigned a license to the user.
**Solution:** Follow the MicrosoftDefenderATPOnboardingMacOs.py instructions documented here: [Client configuration](mac-install-manually.md#client-configuration)-
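Review bot: The Cause now adds "or you have not assigned a license to the user", but the Solution still only points to the MicrosoftDefenderATPOnboardingMacOs.py instructions, so a reader with an unlicensed user has no remediation step. Add a second item to the Solution covering license assignment. The clause "but you might have run the configuration script" also reads as the opposite of the failure being described; please check whether "might not have run" is intended.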
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
All our updates contain
- integration improvements (Cloud, Microsoft 365 Defender). <br/> <details>
-<summary> April-2021 (Platform: 4.18.2104.9| Engine: 1.1.18100.5)</summary>
+<summary> April-2021 (Platform: 4.19.2104.9| Engine: 1.1.18100.5)</summary>
&ensp;Security intelligence update version: **1.337.2.0** &ensp;Released: **April 1, 2021**
No known issues
</details> <details>
-<summary> March-2021 (Platform: 4.18.2103.7 | Engine: 1.1.18000.5)</summary>
+<summary> March-2021 (Platform: 4.19.2103.7 | Engine: 1.1.18000.5)</summary>
&ensp;Security intelligence update version: **1.335.36.0** &ensp;Released: **April 1, 2021**
No known issues
No known issues <br/> </details><details>
-<summary> February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)</summary>
+<summary> February-2021 (Platform: 4.19.2102.3 | Engine: 1.1.17900.7)</summary>
&ensp;Security intelligence update version: **1.333.7.0** &ensp;Released: **March 9, 2021**
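Review bot: All three summary lines change the platform version prefix from 4.18 to 4.19 for releases that have already shipped (February, March and April 2021), while the engine and security intelligence versions are left untouched. Please verify these against the build numbers that were actually released, because admins compare this page with the platform version reported on their devices and a wrong prefix will make compliant machines look out of date. The March-2021 entry also shows "Released: April 1, 2021", the same date as the April-2021 entry, which is worth confirming while these lines are being edited.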
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
Title: Microsoft Defender Antivirus compatibility with other security products
-description: What to expect from Microsoft Defender Antivirus with other security products and the operating systems you are using.
-keywords: windows defender, next-generation, antivirus, compatibility, passive mode
+description: Learn about Microsoft Defender Antivirus with other security products and the operating systems.
+keywords: windows defender, defender for endpoint, next-generation, antivirus, compatibility, passive mode
search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: m365-security
+ ms.technology: mde Last updated : 05/05/2021 # Microsoft Defender Antivirus compatibility
ms.technology: mde
## Overview
-Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) together with your antivirus protection.
-- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender for Endpoint is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.-- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)-- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](/microsoft-365/security/defender-endpoint/edr-in-block-mode) enabled, then whenever a malicious artifact is detected, Microsoft Defender for Endpoint takes action to block and remediate the artifact.
+Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another (non-Microsoft) antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) together with your antivirus protection.
+
+- If your organization's client devices are protected by a non-Microsoft antivirus/antimwalware solution, when those devices are onboarded to Defender for Endpoint, Microsoft Defender Antivirus goes into passive mode automatically. In this case, threat detections occur, but real-time protection and threats are not remediated by Microsoft Defender Antivirus. **NOTE**: This particular scenario does not apply to endpoints running Windows Server.
+
+- If your organization's client devices are protected by a non-Microsoft antivirus/antimalware solution, and those devices are not onboarded to Microsoft Defender for Endpoint, then Microsoft Defender Antivirus goes into disabled mode automatically. In this case, threats are not detected or remediated by Microsoft Defender Antivirus. **NOTE**: This particular scenario does not apply to endpoints running Windows Server.
+
+- If your organization's endpoints are running Windows Server and those endpoints are protected by a non-Microsoft antivirus/antimalware solution, when those endpoints are onboarded to Defender for Endpoint, Microsoft Defender Antivirus does not go into either passive mode or disabled mode automatically. In this particular scenario, you must configure your Windows Server endpoints appropriately.
+
+ - On Windows Server, version 1803 or newer, and Windows Server 2019, you can set Microsoft Defender Antivirus to run in passive mode.
+ - On Windows Server 2016, Microsoft Defender Antivirus must be disabled (passive mode is not supported on Windows Server 2016).
+
+- If your organization's endpoints are protected by a non-Microsoft antivirus/antimalware solution, when those devices are onboarded to Defender for Endpoint with [EDR in block mode](/microsoft-365/security/defender-endpoint/edr-in-block-mode) enabled, then Defender for Endpoint blocks and remediates malicious artifacts. **NOTE**: This particular scenario does not apply to Windows Server 2016. EDR in block mode requires Microsoft Defender Antivirus to be enabled in either active mode or passive mode.
## Antivirus and Microsoft Defender for Endpoint The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint. -
-| Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state |
+| Windows version | Antivirus/antimalware product | Defender for Endpoint enrollment | Microsoft Defender Antivirus state |
|||-|-|
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatically disabled mode |
| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | | Windows 10 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Must be set to passive mode (manually) <sup>[[1](#fn1)]<sup> |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) <sup>[[2](#fn2)]<sup></sup> |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode |
-| Windows Server, version 1803 or newer, or Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode |
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode (automatically) |
+| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Disabled mode (automatically) |
+| Windows Server, version 1803 or newer <p> Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode |
+| Windows Server, version 1803 or newer <p> Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode |
+| Windows Server, version 1803 or newer <p> Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Microsoft Defender Antivirus must be set to passive mode (manually) <sup>[[1](#fn1)]<sup> |
+| Windows Server, version 1803 or newer <p> Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup></sup> |
| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode | | Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Must be disabled (manually) <sup>[[2](#fn2)]<sup> |
-| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Must be disabled (manually) <sup>[[2](#fn2)]<sup> |
+| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup> |
+| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup> |
-(<a id="fn1">1</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server.
+(<a id="fn1">1</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. You can do set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
If you are using Windows Server, version 1803 or newer, or Windows Server 2019,
> [!NOTE] > The `ForcePassiveMode` registry key is not supported on Windows Server 2016.
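Review bot: The sentence appended to footnote 1 reads "You can do set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key"; drop the stray "do". The table rows rewritten in the same change also keep the malformed footnote markup: the Windows Server 2016 rows end with `<sup>[[2](#fn2)]<sup>` and the 1803/2019 row with `<sup>[[2](#fn2)]<sup></sup>`, so the superscript is opened twice. Close it as `<sup>[[2](#fn2)]</sup>`, and do the same for the footnote 3 and 4 markers in the feature table further down.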
-(<a id="fn2">2</a>) On Windows Server 2016, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In addition, Microsoft Defender Antivirus is not supported in passive mode. In those cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server.
+(<a id="fn2">2</a>) On Windows Server 2016, if you are using a non-Microsoft antivirus product, you cannot run Microsoft Defender Antivirus in either passive mode or active mode. In such cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server.
See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md) for key differences and management options for Windows Server installations.
The table in this section summarizes the functionality and features that are ava
|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled | |:|:|:|:|:|
-| [Real-time protection](./configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](./enable-cloud-protection-microsoft-defender-antivirus.md) | Yes | No <sup>[[3](#fn3)]<sup> | No | No |
-| [Limited periodic scanning availability](./limited-periodic-scanning-microsoft-defender-antivirus.md) | No | No | No | Yes |
-| [File scanning and detection information](./customize-run-review-remediate-scans-microsoft-defender-antivirus.md) | Yes | Yes | Yes | No |
-| [Threat remediation](./configure-remediation-microsoft-defender-antivirus.md) | Yes | See note <sup>[[4](#fn4)]<sup> | Yes | No |
-| [Security intelligence updates](./manage-updates-baselines-microsoft-defender-antivirus.md) | Yes | Yes | Yes | No |
+| [Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) | Yes | No <sup>[[3](#fn3)]<sup> | No | No |
+| [Limited periodic scanning availability](limited-periodic-scanning-microsoft-defender-antivirus.md) | No | No | No | Yes |
+| [File scanning and detection information](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) | Yes | Yes | Yes | No |
+| [Threat remediation](configure-remediation-microsoft-defender-antivirus.md) | Yes | See note <sup>[[4](#fn4)]<sup> | Yes | No |
+| [Security intelligence updates](manage-updates-baselines-microsoft-defender-antivirus.md) | Yes | Yes | Yes | No |
(<a id="fn3">3</a>) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
The table in this section summarizes the functionality and features that are ava
- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
+- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. You might see alerts in the [security center](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
-- When [EDR in block mode](/microsoft-365/security/defender-endpoint/edr-in-block-mode) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
+- When [EDR in block mode](edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it will detect and remediate malicious items. EDR in block mode requires Microsoft Defender Antivirus to be enabled in either active mode or passive mode.
- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. -- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](/microsoft-365/security/defender-endpoint/defender-compatibility) in order to properly monitor your devices and network for intrusion attempts and attacks.
+- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. The service requires common information sharing from Microsoft Defender Antivirus service in order to properly monitor your devices and network for intrusion attempts and attacks. To learn more, see [Microsoft Defender Antivirus compatibility with Microsoft Defender for Endpoint](defender-compatibility.md).
-- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product that is providing real-time protection from malware. For optimal security layered defense and detection efficacy, make sure to update the [Microsoft Defender Antivirus protection (Security intelligence update, Engine, and Platform)](manage-updates-baselines-microsoft-defender-antivirus.md) even if Microsoft Defender Antivirus is running in passive mode.
-- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware. For optimal security layered defense and detection efficacy, please ensure that you update the [Microsoft Defender Antivirus protection (Security intelligence update, Engine and Platform)](./manage-updates-baselines-microsoft-defender-antivirus.md) even if Microsoft Defender Antivirus is running in passive mode.
+- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
- If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically.
> [!WARNING] > Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
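Review bot: The added sentence "EDR in block mode requires Microsoft Defender Antivirus to be enabled in either active mode or passive mode", read together with the new footnote 2 (on Windows Server 2016 with a non-Microsoft product, neither passive nor active mode is possible), means EDR in block mode is unavailable in that configuration, and the bullet should say so rather than leave it to inference. In the passive-mode updates bullet, "For optimal security layered defense and detection efficacy" does not parse, and the bullet links `manage-updates-baselines-microsoft-defender-antivirus.md` twice.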
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
ms.technology: mde+ Last updated : 04/23/2021 # Microsoft Defender Antivirus on Windows Server
Microsoft Defender Antivirus is available on the following editions/versions of
In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server: -- In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.-- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product.
+- On Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.
+
+- On Windows Server, if you are running a non-Microsoft antivirus/antimalware solution, Microsoft Defender Antivirus does not go into either passive mode or disabled mode automatically. However, you can set Microsoft Defender Antivirus to passive or disabled mode manually.
-## The process at a glance
+## Setting up Microsoft Defender Antivirus on Windows Server
The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
The process of setting up and running Microsoft Defender Antivirus on a server p
## Enable the user interface on Windows Server
-By default, Microsoft Defender Antivirus is installed and functional on Windows Server. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. If the GUI is not installed on your server, you can add it by using the **Add Roles and Features** wizard, or by using PowerShell cmdlets.
+By default, Microsoft Defender Antivirus is installed and functional on Windows Server. Sometimes, the user interface (GUI) is installed by default, but the GUI is not required. You can use PowerShell, Group Policy, or other methods to manage Microsoft Defender Antivirus.
+
+If the GUI is not installed on your server, and you want to install it, either the **Add Roles and Features** wizard or PowerShell cmdlets.
### Turn on the GUI using the Add Roles and Features Wizard
Install-WindowsFeature -Name Windows-Defender-GUI
## Install Microsoft Defender Antivirus on Windows Server
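Review bot: The second added paragraph has no verb: "If the GUI is not installed on your server, and you want to install it, either the **Add Roles and Features** wizard or PowerShell cmdlets." Insert "use" before "either". "Sometimes, the user interface (GUI) is installed by default" is also vaguer than the removed "on some SKUs"; keep the original qualifier if it is still accurate.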
-You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus.
+If you need to install or reinstall Microsoft Defender Antivirus on Windows Server, you can do that using either the **Add Roles and Features Wizard** or PowerShell.
-### Use the Add Roles and Features Wizard
+### Use the Add Roles and Features Wizard to install Microsoft Defender Antivirus
1. Refer to [this article](/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. 2. When you get to the **Features** step of the wizard, select the Microsoft Defender Antivirus option. Also select the **GUI for Windows Defender** option.
-### Use PowerShell
+### Use PowerShell to install Microsoft Defender Antivirus
To use PowerShell to install Microsoft Defender Antivirus, run the following cmdlet:
Event messages for the antimalware engine included with Microsoft Defender Antiv
## Verify Microsoft Defender Antivirus is running
-To verify that Microsoft Defender Antivirus is running on your server, run the following PowerShell cmdlet:
+Once Microsoft Defender Antivirus is installed, your next step is to verify that it's running. On your Windows Server endpoint, run the following PowerShell cmdlet:
```PowerShell Get-Service -Name windefend
See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](con
## Need to set Microsoft Defender Antivirus to passive mode?
-If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode.
+If you are using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled mode.
+
+- On Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode.
+
+- On Windows Server 2016, Microsoft Defender Antivirus is not supported alongside a non-Microsoft antivirus/antimalware product. In these cases, you must set Microsoft Defender Antivirus to disabled mode.
+
+### Set Microsoft Defender Antivirus to passive mode using PowerShell
+
+If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by using the following PowerShell cmdlet:
+
+`CMDLET NEEDED`
+
+### Set Microsoft Defender Antivirus to passive mode using Group Policy
+
+PROCEDURE NEEDED
### Set Microsoft Defender Antivirus to passive mode using a registry key
The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windo
Uninstall-WindowsFeature -Name Windows-Defender ```
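Review bot: Two authoring placeholders are being published: the body of the new PowerShell section is `CMDLET NEEDED` and the body of the new Group Policy section is "PROCEDURE NEEDED". Supply the cmdlet and the procedure, or hold both headings back until they exist, because footnote 1 of the compatibility article now sends readers here for the PowerShell and Group Policy methods. The PowerShell paragraph also says "version 1803 or Windows Server 2019" where the bullet above it says "version 1803 or newer, or Windows Server 2019".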
+To disable Microsoft Defender Antivirus on Windows Server 2016, use the following PowerShell cmdlet:
+
+```PowerShell
+Set-MpPreference -DisableRealtimeMonitoring $true
+```
+ ## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
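Review bot: The added sentence promises to "disable Microsoft Defender Antivirus on Windows Server 2016", but the cmdlet shown is `Set-MpPreference -DisableRealtimeMonitoring $true`, whose parameter name covers real-time monitoring only. That is narrower than the "disabled mode" this section says is required alongside a non-Microsoft product, and narrower than the uninstall cmdlet just above it. State which outcome this cmdlet actually produces and add a verification step (the article already uses `Get-Service -Name windefend` for the running check), so an admin neither assumes the engine is off nor leaves a server with real-time protection off and no other product active.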
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
Access to Defender for Endpoint is done through a browser, supporting the follow
- Windows 8.1 Enterprise - Windows 8.1 Pro - Windows 10 Enterprise-- [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/)
+- [Windows 10 Enterprise LTSC 2016 (or later)](/windows/whats-new/ltsc/)
- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education
security Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview.md
The Defender for Endpoint service is constantly being updated to include new fea
Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience. >[!TIP]
->Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us`
+>Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22In+the+navigation+pane%2C+select+Settings+%3E+Advanced+features+%3E+Preview+features.%22&locale=en-us&facet=`
For more information on new capabilities that are generally available, see [What's new in Defender for Endpoint](whats-new-in-microsoft-defender-atp.md).
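Review bot: The `search` parameter of the new feed URL decodes to the instruction sentence "In the navigation pane, select Settings > Advanced features > Preview features." rather than a phrase that identifies this page, and the URL ends with an empty `&facet=`. That looks like a pasted search, not an intended feed query. Use a search string tied to the page title (the removed value was the quoted "Microsoft Defender ATP preview features") and drop the empty parameter.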
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
Title: Run and customize on-demand scans in Microsoft Defender AV
+ Title: Run and customize on-demand scans in Microsoft Defender Antivirus
description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app keywords: scan, on-demand, dos, intune, instant scan search.product: eADQiWindows 10XVcnh
localization_priority: normal
Previously updated : 11/13/2020 Last updated : 05/05/2021 ms.technology: mde+ # Configure and run on-demand Microsoft Defender Antivirus scans
security Scheduled Catch Up Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus.md
localization_priority: normal
Previously updated : 11/02/2020- Last updated : 05/05/2021+ ms.technology: mde+ # Configure scheduled quick or full Microsoft Defender Antivirus scans -- **Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
This article describes how to configure scheduled scans with Group Policy, Power
## To configure the Group Policy settings described in this article
-1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management machine, in the Group Policy Editor, go to **Computer configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Scan**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+2. Right-click the Group Policy Object you want to configure, and then select **Edit**.
-4. Click **Administrative templates**.
+3. Specify settings for the Group Policy Object, and then select **OK**.
-5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
+4. Repeat steps 1-4 for each setting you want to configure.
-6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration.
-
-7. Click **OK**, and repeat for any other settings.
+5. Deploy your Group Policy Object as you normally do. If you need help with Group Policy Objects, see [Create a Group Policy Object](/windows/security/threat-protection/windows-firewall/create-a-group-policy-object).
Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
Also see the [Manage when protection updates should be downloaded and applied](m
When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
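Review bot: The rewritten steps are out of order and self-referential: step 1 navigates to **Computer configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Scan** before step 2 opens a Group Policy Object with **Edit**, and step 4 says "Repeat steps 1-4", which includes itself. Open the object first, then navigate, and have the repeat step name only the steps before it. The path is also fixed to **Scan**, while the settings tables in this article list other locations (**Root**, **Signature updates**); the removed step 5 handled that with "the **Location** specified in the table below".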
-Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+|Quick scan |Full scan | Custom scan |
+||||
+|A quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. <p>In most cases, a quick scan is sufficient and is recommended for scheduled scans. |A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives (if the full scan is configured to do so). <p>A full scan can take a few hours or days to complete, depending on the amount and type of data that needs to be scanned.<p>When the full scan is complete, new security intelligence is available, and a new scan is required to make sure that no other threats are detected with the new security intelligence. | A custom scan is a quick scan that runs on the files and folders you specify. For example, you can opt to scan a USB drive, or a specific folder on your device's local drive. <p> |
-In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+>[!NOTE]
+>By default, quick scans run on mounted removable devices, such as USB drives.
-A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-microsoft-defender-antivirus.md).
+### How do I know which scan type to choose?
-A custom scan allows you to specify the files and folders to scan, such as a USB drive.
+Use the following table to choose a scan type.
->[!NOTE]
->By default, quick scans run on mounted removable devices, such as USB drives.
+
+|Scenario |Recommended scan type |
+|||
+|You want to set up regular, scheduled scans | Quick scan <p>A quick scan checks the processes, memory, profiles, and certain locations on the device. Combined with [always-on real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. Real-time protection reviews files when they are opened and closed, and whenever a user navigates to a folder. |
+|Threats, such as malware, are detected on a device | Full scan <p>A full scan can help identify whether there are any inactive components that require a more thorough clean-up. |
+|You want to run an [on-demand scan](run-scan-microsoft-defender-antivirus.md) | Full scan <p>A full scan looks at all files on the device disk, including files that are stale, archived, and not accessed on a daily basis. |
+| You want to make sure a portable device, such as a USB drive, does not contain malware | Custom scan <p>A custom scan enables you to select specific locations, folders, or files and runs a quick scan. |
+
+### What else do I need to know about quick and full scans?
+
+- Malicious files can be stored in locations that are not included in a quick scan. However, always-on real-time protection reviews all files that are opened and closed, and any files that are in folders that are accessed by a user. The combination of real-time protection and a quick scan helps provide strong protection against malware.
+
+- On-access protection with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) helps ensure that all the files accessed on the system are being scanned with the latest security intelligence and cloud machine learning models.
+
+- When real-time protection detects malware and the extent of the affected files is not determined initially, Microsoft Defender Antivirus initiates a full scan as part of the remediation process.
+
+- A full scan can detect malicious files that were not detected by other scans, such as a quick scan. However, a full scan can take a while and use valuable system resources to complete.
+
+- If a device is offline for an extended period of time, a full scan can take longer to complete.
## Set up scheduled scans
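Review bot: The scenario row "You want to run an on-demand scan" recommends a full scan for every on-demand scan, whereas the removed text suggested a full on-demand scan only for endpoints that had already encountered a malware threat. As written it overlaps the row above it and steers admins toward the scan type the first table says "can take a few hours or days to complete"; merge the two rows or qualify the scenario. The quick scan is also described two ways (startup locations in the first table, "processes, memory, profiles, and certain locations" in the second); pick one description.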
-Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
+Scheduled scans run on the day and time that you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
->[!NOTE]
->If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
+> [!NOTE]
+> If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus will run a full scan at the next scheduled time.
### Use Group Policy to schedule scans
Scheduled scans will run at the day and time you specify. You can use Group Poli
|Scan | Specify the scan type to use for a scheduled scan | Quick scan | |Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never | |Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
-|Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. <br>In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled |
+|Root | Randomize scheduled task times |In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 4 hours. <p>In [SCEP](/mem/intune/protect/certificates-scep-configure), randomize scans to any interval plus or minus 30 minutes. This can be useful in virtual machines or VDI deployments. | Enabled |
### Use PowerShell cmdlets to schedule scans
Set-MpPreference -RandomizeScheduleTaskTimes
```
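Review bot: The new SCEP link target, `/mem/intune/protect/certificates-scep-configure`, is a certificates article, but the removed text read "In FEP/SCEP", naming endpoint protection products whose scan start times are randomized. Remove the link or point it at the endpoint protection product, and confirm that dropping FEP from the sentence was intended.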
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Use Windows Management Instruction (WMI) to schedule scans
ScanScheduleTime
RandomizeScheduleTaskTimes ```
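Review bot: The rewritten sentence now says "For more information" at both ends: "For more information, see ... for more information on how to use PowerShell with Microsoft Defender Antivirus." Drop the trailing clause, as the matching sentence added under the idle-scan section already does.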
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)--
+For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
## Start scheduled scans only when the endpoint is not in use
Use the following cmdlets:
Set-MpPreference -ScanOnlyIfIdleEnabled ```
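Review bot: The added WMI line "For more information and allowed parameters, see [Windows Defender WMIv2 APIs](...)" in the scheduled-scans section ends without a period, unlike the three matching lines added later in this change. The headings around these lines also read "Windows Management Instruction (WMI)"; the term is Windows Management Instrumentation, and this change is a good place to fix it.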
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
### Use Windows Management Instruction (WMI)
Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows
ScanOnlyIfIdleEnabled ```
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+For more information about APIs and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
<a id="remed"></a> ## Configure when full scans should be run to complete remediation
-Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI.
+Some threats might require a full scan to complete their removal and remediation. You can specify when these scans should occur with Group Policy, PowerShell, or WMI.
### Use Group Policy to schedule remediation-required scans
RemediationScheduleDay
RemediationScheduleTime ```
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)--
+For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
## Set up daily quick scans You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI. - ### Use Group Policy to schedule daily scans - |Location | Setting | Description | Default setting (if not configured) | |:|:|:|:| |Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never |
Use the following cmdlets:
Set-MpPreference -ScanScheduleQuickScanTime ```
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+For more information about how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
### Use Windows Management Instruction (WMI) to schedule daily scans
Use the [**Set** method of the **MSFT_MpPreference**](/previous-versions/windows
ScanScheduleQuickScanTime ```
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+For more information and allowed parameters, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
## Enable scans after protection updates
You can force a scan to occur after every [protection update](manage-protection-
|Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled | ## See also+ - [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) - [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md) - [Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
## Enable Microsoft Defender Antivirus and confirm it's in passive mode
-On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
+On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
This step of the migration process includes the following tasks: - [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
This step of the migration process includes the following tasks:
### Set DisableAntiSpyware to false on Windows Server
-The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
+The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
1. On your Windows Server device, open Registry Editor.
-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
-3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
+
+1. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
+
+1. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
- If you do not see that entry, you're all set. - If you do see **DisableAntiSpyware**, proceed to step 4.
-4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
-5. Set the value to `0`. (This sets the registry key's value to *false*.)
+
+1. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
+
+1. Set the value to `0`. (This sets the registry key's value to *false*.)
> [!TIP]
-> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
+> To learn more about this registry key, see [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
### Reinstall Microsoft Defender Antivirus on Windows Server
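Review bot: With every step renumbered to `1.`, the unchanged sub-bullet "If you do see **DisableAntiSpyware**, proceed to step 4" now points at a number that appears nowhere in the source and only works as long as the rendered order never changes. Suggest wording it by action instead, for example "proceed to the next step", so that inserting or removing a step later does not silently misdirect the reader on a setting that disables antivirus.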
The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/d
1. As a local administrator on the endpoint or device, open Windows PowerShell. 2. Run the following PowerShell cmdlets: <br/>
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/>
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/><br/>
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
- > [!NOTE]
- > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
- > Example:<br/>
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
+
+ > [!NOTE]
+ > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
+ > Example:<br/>
+ > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/><br/>
+ > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
+ 3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/> `Get-Service -Name windefend`
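Review bot: Both commands in step 2 (and in the sysnative note) use `Dism /online /Get-FeatureInfo`, which only reports the state of a feature and does not install or enable it, yet the section is titled "Reinstall Microsoft Defender Antivirus on Windows Server" and step 3 moves straight to `Get-Service -Name windefend`. If the step is meant to reinstall, it needs DISM's `/Enable-Feature` form with the same feature names; if it is meant only as a check, the heading and step text should say so. Step 2 also calls these "PowerShell cmdlets", but DISM is a command-line tool that is merely being run from PowerShell.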
If you're using Windows Server 2016 and are having trouble enabling Microsoft De
`mpcmdrun -wdenable` > [!TIP]
-> Still need help? See [Microsoft Defender Antivirus on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
+> Still need help? See [Microsoft Defender Antivirus on Windows Server](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
### Set Microsoft Defender Antivirus to passive mode on Windows Server
Because your organization is still using your existing endpoint protection solut
1. Open Registry Editor, and then navigate to <br/> `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.+ 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - Set the DWORD's value to **1**. - Under **Base**, select **Hexadecimal**. > [!NOTE] > You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
+>- [Group Policy Preference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
+>- [Local Group Policy Object tool](/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
+>- [A package in Configuration Manager](/mem/configmgr/apps/deploy-use/packages-and-programs)
### Enable Microsoft Defender Antivirus on your Windows client devices
To enable Microsoft Defender Antivirus, we recommend using Intune. However, you
|Method |What to do | |||
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).<br/>3. Select **Properties**, and then select **Configuration settings: Edit**.<br/>4. Expand **Microsoft Defender Antivirus**. <br/>5. Enable **Cloud-delivered protection**.<br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/>8. Select **Review + save**, and then choose **Save**.<br/>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows). <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to **Computer configuration** > **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus**. <br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<br/><br/>3. Select **Properties**, and then select **Configuration settings: Edit**.<br/><br/>4. Expand **Microsoft Defender Antivirus**. <br/><br/>5. Enable **Cloud-delivered protection**.<br/><br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/><br/>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/><br/>8. Select **Review + save**, and then choose **Save**.<br/>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <br/><br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/><br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+ ### Confirm that Microsoft Defender Antivirus is in passive mode
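Review bot: In the Group Policy row the navigation path changes from bold UI labels to one code span (`Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`), while the Intune row in the same table keeps the bold form (`**Devices** > **Configuration profiles**`). Code formatting suggests something to type or paste, which a console tree path is not; keep the bold-label convention in both rows.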
Microsoft Defender Antivirus can run alongside your existing endpoint protection
|Method |What to do | |||
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <br/>2. Type `sc query windefend`, and then press Enter.<br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/>2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. <br/>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
+|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <br/><br/>2. Type `sc query windefend`, and then press Enter.<br/><br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <br/><br/>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
> [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. ## Get updates for Microsoft Defender Antivirus
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
There are two types of updates related to keeping Microsoft Defender Antivirus up to date: - Security intelligence updates - Product updates
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
## Add Microsoft Defender for Endpoint to the exclusion list for your existing solution
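Review bot: The Command Prompt row still tells the reader to run `sc query windefend` and "review the results to confirm that Microsoft Defender Antivirus is running in passive mode", but `sc query` reports only the service state and gives no indication of passive versus active mode. Only the PowerShell row, with **AMRunningMode: Passive Mode** or **SxS Passive Mode**, actually confirms what the section heading promises. Suggest rewording the Command Prompt row as a check that the service is running and pointing to `Get-MpComputerStatus` for the mode.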
The specific exclusions to configure depend on which version of Windows your end
|OS |Exclusions | |--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))<br/>- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/> |
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+|- Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/>- Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/> |
+|- [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add your existing solution to the exclusion list for Microsoft Defender Antivirus During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list.
-When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
+When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
- Path exclusions exclude specific files and whatever those files access. - Process exclusions exclude whatever a process touches, but does not exclude the process itself. - If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
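Review bot: The new `<br/><br/>` spacing is applied unevenly in the second table row: the `MsSenseS.exe` path, the NOTE, and `AgentControlPanel.exe` are still separated by a single `<br/>`, while the remaining paths get two. In a list of paths that admins copy into another product's exclusion list, uneven grouping makes it easy to miss an entry, so use one spacing throughout. The first row also drops the link on Windows 10 version 1709 while keeping the one on 1803; if that is intentional, it deserves a line in the commit message.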
When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.mic
You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table: + |Method | What to do| |--|--|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<br/>3. Under **Manage**, select **Properties**. <br/>4. Select **Configuration settings: Edit**.<br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/>7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<br/>3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/>5. Click **OK**.<br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/>7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <br/>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/>3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<br/><br/>3. Under **Manage**, select **Properties**.<br/> <br/>4. Select **Configuration settings: Edit**.<br/><br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/><br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/><br/>7. Choose **Review + save**, and then choose **Save**. |
+|[Microsoft Endpoint Configuration Manager](/mem/configmgr/) |1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <br/><br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<br/><br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<br/><br/>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/><br/>5. Click **OK**.<br/><br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/><br/>7. Click **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <br/><br/>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.<br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/><br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+|||
+ ## Add your existing solution to the exclusion list for Microsoft Defender for Endpoint
-To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators#create-indicators-for-files).
+To add exclusions to Microsoft Defender for Endpoint, you create [indicators](/microsoft-365/security/defender-endpoint/manage-indicators#create-indicators-for-files).
+
+1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.<br/>
+
+1. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.<br/>
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-3. On the **File hashes** tab, choose **Add indicator**.
-4. On the **Indicator** tab, specify the following settings:
+1. On the **File hashes** tab, choose **Add indicator**.<br/>
+
+1. On the **Indicator** tab, specify the following settings:
- File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- - Under **Expires on (UTC)**, choose **Never**.
-5. On the **Action** tab, specify the following settings:
+ - Under **Expires on (UTC)**, choose **Never**.<br/>
+
+1. On the **Action** tab, specify the following settings:
- **Response Action**: **Allow**
- - Title and description
-6. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-7. On the **Summary** tab, review the settings, and then click **Save**.
+ - Title and description<br/>
+
+1. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.<br/>
+
+1. On the **Summary** tab, review the settings, and then click **Save**.
### Find a file hash using CMPivot
-CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
+CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](/mem/configmgr/core/servers/manage/cmpivot-overview).
To use CMPivot to get your file hash, follow these steps:
-1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
+1. Review the [prerequisites](/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
+2. [Start CMPivot](/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`). 4. Select the **Query** tab. 5. In the **Device Collection** list, and choose **All Systems (default)**.
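Review bot: The Registry key row carries over `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` with a space between `c:\temp\` and the file name, so the local-path example does not point at the file, and because `/s` runs silently the admin may never notice that the exclusions were not imported. Remove the space so it reads `c:\temp\MDAV_Exclusion.reg`, matching the network share example. Separately, the added `|||` line leaves an empty row at the end of the methods table, and the trailing `<br/>` tags on the new indicator steps are unnecessary in a Markdown list that already has blank lines between items.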
To use CMPivot to get your file hash, follow these steps:
| Collection type | What to do | |--|--|
-|[Device groups](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<br/>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <br/>3. Choose **+ Add device group**.<br/>4. Specify a name and description for the device group.<br/>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<br/>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/machine-tags). <br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <br/>8. Choose **Done**. |
-|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. <br/>Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/> Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
+|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<br/><br/>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <br/><br/>3. Choose **+ Add device group**.<br/><br/>4. Specify a name and description for the device group.<br/><br/>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<br/><br/>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<br/><br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <br/><br/>8. Choose **Done**. |
+|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.<br/>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
## Configure antimalware policies and real-time protection Using Configuration Manager and your device collection(s), configure your antimalware policies.-- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).-- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
+- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
+- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
> [!TIP] > You can deploy the policies before your organization's devices on onboarded.
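Review bot: the tip that closes this hunk says "before your organization's devices on onboarded", which should read "are onboarded"; it is worth fixing while the antimalware policy bullets directly above it are being rewritten. In the device groups row, the new `<br/><br/>` separators are applied between steps 1 to 8 only, while the description cell keeps single `<br/>` breaks, so check the rendered table for uneven spacing.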
security Symantec To Microsoft Defender Atp Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/symantec-to-microsoft-defender-atp-setup.md
> [!TIP] > If you're running Windows 10, you do not need to perform this task. Proceed to **[Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus)**.
-On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode.
Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll
> Microsoft Defender Antivirus is built into Windows 10, but it might be disabled. In this case, proceed to [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus). 1. As a local administrator on the endpoint or device, open Windows PowerShell.
-2. Run the following PowerShell cmdlets:
+
+1. Run the following PowerShell cmdlets:<br/>
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/> `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
- > [!NOTE]
- > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
- > Example:<br/>
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
+ > [!NOTE]
+ > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required.
+ > Example:<br/>
+ > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/>
+ > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/>
+ 3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/> `Get-Service -Name windefend`
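Review bot: the renumbered step "1. Run the following PowerShell cmdlets:" now sits between step 1 and a step still numbered "3.", so the list mixes auto-numbering with explicit numbers; renumber the remaining step to match. The step also calls `Dism /online /Get-FeatureInfo` a PowerShell cmdlet, but Dism is a command-line tool, as the note's own `cmd.exe /c Dism` example shows, so "Run the following commands" would be accurate.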
If you're using Windows Server 2016 and are having trouble enabling Microsoft De
`mpcmdrun -wdenable` > [!TIP]
-> Still need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
+> Still need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
### Set Microsoft Defender Antivirus to passive mode on Windows Server
Because your organization is still using Symantec, you must set Microsoft Defend
1. Open Registry Editor, and then navigate to <br/> `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.+ 2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: - Set the DWORD's value to **1**. - Under **Base**, select **Hexadecimal**. > [!NOTE] > You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
+>- [Group Policy Preference](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
+>- [Local Group Policy Object tool](/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
+>- [A package in Configuration Manager](/mem/configmgr/apps/deploy-use/packages-and-programs)
## Enable Microsoft Defender Antivirus
To enable Microsoft Defender Antivirus, we recommend using Intune. However, you
|Method |What to do | |||
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).<br/>3. Select **Properties**, and then select **Configuration settings: Edit**.<br/>4. Expand **Microsoft Defender Antivirus**. <br/>5. Enable **Cloud-delivered protection**.<br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/>8. Select **Review + save**, and then choose **Save**.<br/>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows). <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<br/><br/>3. Select **Properties**, and then select **Configuration settings: Edit**.<br/><br/>4. Expand **Microsoft Defender Antivirus**. <br/><br/>5. Enable **Cloud-delivered protection**.<br/><br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/><br/>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/><br/>8. Select **Review + save**, and then choose **Save**.<br/>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <br/><br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/><br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
### Verify that Microsoft Defender Antivirus is in passive mode
Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def
|Method |What to do | |||
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <br/>2. Type `sc query windefend`, and then press Enter.<br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/>2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. <br/>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
+|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <br/><br/>2. Type `sc query windefend`, and then press Enter.<br/><br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet.<br/> <br/>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.|
> [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. ## Get updates for Microsoft Defender Antivirus
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
There are two types of updates related to keeping Microsoft Defender Antivirus up to date: - Security intelligence updates - Product updates
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
+To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
## Add Microsoft Defender for Endpoint to the exclusion list for Symantec
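Review bot: in the Command Prompt row, step 3 asks the reader to confirm passive mode from the output of `sc query windefend`, but the row does not say what to look for, and `sc query` reports the service state rather than the antivirus running mode. Either state the expected output or point to the PowerShell row, which names the field to check (**AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**). The PowerShell row also has `<br/> <br/>` with a space after step 2 where every other step uses `<br/><br/>`.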
This step of the setup process involves adding Microsoft Defender for Endpoint t
|OS |Exclusions | |--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information))<br/>- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/> |
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](https://docs.microsoft.com/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+|- Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/>- Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/> |
+|- [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/><br/>- [Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/><br/>- [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/><br/>- [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>- [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/><br/>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add Symantec to the exclusion list for Microsoft Defender Antivirus
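Review bot: the rewritten first row drops the release-health link on Windows 10 version 1709, which becomes plain text, while version 1803 keeps its link. If that is intentional, say so in the commit description; otherwise restore it as a relative link like the others. The first row's exclusions cell also now ends with a dangling `<br/><br/>` after `SenseIR.exe`, and its OS list uses single `<br/>` where the second row uses `<br/><br/>`.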
During this step of the setup process, you add Symantec and your other security
> [!NOTE] > To get an idea of which processes and services to exclude, see Broadcom's [Processes and services used by Endpoint Protection 14](https://knowledge.broadcom.com/external/article/170706/processes-and-services-used-by-endpoint.html).
-When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
+When you add [exclusions to Microsoft Defender Antivirus scans](/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
- Path exclusions exclude specific files and whatever those files access. - Process exclusions exclude whatever a process touches, but does not exclude the process itself. - If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
You can choose from several methods to add your exclusions to Microsoft Defender
|Method | What to do| |--|--|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<br/>3. Under **Manage**, select **Properties**. <br/>4. Select **Configuration settings: Edit**.<br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/>7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<br/>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/>5. Click **OK**.<br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/>7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <br/>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/>3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<br/><br/>3. Under **Manage**, select **Properties**. <br/><br/>4. Select **Configuration settings: Edit**.<br/><br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/><br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/><br/>7. Choose **Review + save**, and then choose **Save**. |
+|[Microsoft Endpoint Configuration Manager](/mem/configmgr/) |1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <br/><br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<br/><br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<br/><br/>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/><br/>- Set the option to **Enabled**.<br/><br/>- Under the **Options** section, click **Show...**.<br/><br/>- Specify each folder on its own line under the **Value name** column.<br/><br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/><br/>5. Click **OK**.<br/><br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/><br/>- Set the option to **Enabled**.<br/><br/>- Under the **Options** section, click **Show...**.<br/><br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/>7. Click **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <br/><br/>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/><br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
## Add Symantec to the exclusion list for Microsoft Defender for Endpoint
-To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators#create-indicators-for-files).
+To add exclusions to Microsoft Defender for Endpoint, you create [indicators](/microsoft-365/security/defender-endpoint/manage-indicators#create-indicators-for-files).
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-3. On the **File hashes** tab, choose **Add indicator**.
-4. On the **Indicator** tab, specify the following settings:
+
+1. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
+
+1. On the **File hashes** tab, choose **Add indicator**.
+
+1. On the **Indicator** tab, specify the following settings:
- File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.) - Under **Expires on (UTC)**, choose **Never**.
-5. On the **Action** tab, specify the following settings:
+
+1. On the **Action** tab, specify the following settings:
- **Response Action**: **Allow** - Title and description
-6. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-7. On the **Summary** tab, review the settings, and then click **Save**.
+
+1. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
+
+1. On the **Summary** tab, review the settings, and then click **Save**.
### Find a file hash using CMPivot
-CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
+CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](/mem/configmgr/core/servers/manage/cmpivot-overview).
To use CMPivot to get your file hash, follow these steps:
-1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
+1. Review the [prerequisites](/mem/configmgr/core/servers/manage/cmpivot#prerequisites).<br/>
+
+2. [Start CMPivot](/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
+ 3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).+ 4. Select the **Query** tab.+ 5. In the **Device Collection** list, and choose **All Systems (default)**.+ 6. In the query box, type the following query:<br/> ```kusto File(c:\\windows\\notepad.exe)
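Review bot: the local-path example in the added Registry key row, `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`, has a space between `c:\temp\` and the file name, so the command as written does not point at the exported file. Because `/s` runs the import silently, a failed import of the exclusions is easy to miss. Suggest `regedit.exe /s c:\temp\MDAV_Exclusion.reg`, matching the network-share example. In the added CMPivot step 5, "In the **Device Collection** list, and choose" should read "In the **Device Collection** list, choose".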
To use CMPivot to get your file hash, follow these steps:
| Collection type | What to do | |--|--|
-|[Device groups](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<br/>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <br/>3. Choose **+ Add device group**.<br/>4. Specify a name and description for the device group.<br/>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<br/>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/machine-tags). <br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <br/>8. Choose **Done**. |
-|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. <br/>Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/> Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
+|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<br/><br/>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <br/><br/>3. Choose **+ Add device group**.<br/><br/>4. Specify a name and description for the device group.<br/><br/>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<br/><br/>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<br/> <br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <br/><br/>8. Choose **Done**. |
+|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. <br/>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
+|[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
## Configure antimalware policies and real-time protection Using Configuration Manager and your device collection(s), configure your antimalware policies. -- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).-- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
+- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
+
+- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
> [!TIP] > You can deploy the policies before your organization's devices on onboarded.
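Review bot: in the added Device groups row, the separator between steps 6 and 7 is `<br/> <br/>` (with a space), where every other step in the row uses `<br/><br/>`; make it consistent. While this section is open, the TIP in the trailing context reads "before your organization's devices on onboarded", which should be "are onboarded".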
security Whats New In Microsoft Defender Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-atp.md
For more information preview features, see [Preview features](https://docs.micro
> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: > > ```https
-> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
+> https://docs.microsoft.com/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=
> ```
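Review bot: the replacement RSS URL ends with an empty `&facet=` parameter, which looks like residue from copying the search page URL. Drop it unless the feed endpoint needs it, so readers paste a clean URL into their feed reader.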
security Advanced Hunting Expert Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-expert-training.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
+- Microsoft Defender for Endpoint
Boost your knowledge of advanced hunting quickly with _Tracking the adversary_, a webcast series for new security analysts and seasoned threat hunters. The series guides you through the basics all the way to creating your own sophisticated queries. Start with the first video on fundamentals or jump to more advanced videos that suit your level of experience. | Title | Description | Watch | Queries | |--|--|--|--|
-| Episode 1: KQL fundamentals | This episode covers the basics of advanced hunting in Microsoft 365 Defender. Learn about available advanced hunting data and basic KQL syntax and operators. | [YouTube](https://youtu.be/0D9TkGjeJwM?t=351) (54:14) | [CSL file](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.csl) |
-| Episode 2: Joins | Continue learning about data in advanced hunting and how to join tables together. Learn about `inner`, `outer`, `unique`, and `semi` joins, and understand the nuances of the default Kusto `innerunique` join. | [YouTube](https://youtu.be/LMrO6K5TWOU?t=297) (53:33) | [CSL file](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%202%20-%20Joins.csl) |
-| Episode 3: Summarizing, pivoting, and visualizing data | Now that you've learned to filter, manipulate, and join data, itΓÇÖs time to summarize, quantify, pivot, and visualize. This episode discusses the `summarize` operator and various calculations, while introducing additional tables in the schema. You'll also learn to turn datasets into charts that can help you extract insight. | [YouTube](https://youtu.be/UKnk9U1NH6Y?t=296) (48:52) | [CSL file](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%203%20-%20Summarizing%2C%20Pivoting%2C%20and%20Joining.csl) |
-| Episode 4: LetΓÇÖs hunt! Applying KQL to incident tracking | In this episode, you learn to track some attacker activity. We use our improved understanding of Kusto and advanced hunting to track an attack. Learn actual tricks used in the field, including the ABCs of cybersecurity and how to apply them to incident response. | [YouTube](https://youtu.be/2EUxOc_LNd8?t=291) (59:36) | [CSL file](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%204%20-%20Lets%20Hunt.csl)
+| Episode 1: KQL fundamentals | This episode covers the basics of advanced hunting in Microsoft 365 Defender. Learn about available advanced hunting data and basic KQL syntax and operators. | [YouTube](https://youtu.be/0D9TkGjeJwM?t=351) (54:14) | [Text file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.txt) |
+| Episode 2: Joins | Continue learning about data in advanced hunting and how to join tables together. Learn about `inner`, `outer`, `unique`, and `semi` joins, and understand the nuances of the default Kusto `innerunique` join. | [YouTube](https://youtu.be/LMrO6K5TWOU?t=297) (53:33) | [Text file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%202%20-%20Joins.txt) |
+| Episode 3: Summarizing, pivoting, and visualizing data | Now that you've learned to filter, manipulate, and join data, itΓÇÖs time to summarize, quantify, pivot, and visualize. This episode discusses the `summarize` operator and various calculations, while introducing additional tables in the schema. You'll also learn to turn datasets into charts that can help you extract insight. | [YouTube](https://youtu.be/UKnk9U1NH6Y?t=296) (48:52) | [Text file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%203%20-%20Summarizing%2C%20Pivoting%2C%20and%20Joining.txt) |
+| Episode 4: LetΓÇÖs hunt! Applying KQL to incident tracking | In this episode, you learn to track some attacker activity. We use our improved understanding of Kusto and advanced hunting to track an attack. Learn actual tricks used in the field, including the ABCs of cybersecurity and how to apply them to incident response. | [YouTube](https://youtu.be/2EUxOc_LNd8?t=291) (59:36) | [Text file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%204%20-%20Lets%20Hunt.txt)
Get more expert training with *L33TSP3AK: Advanced hunting in Microsoft 365 Defender*, a webcast series for analysts looking to expand their technical knowledge and practical skills in conducting security investigations using advanced hunting in Microsoft 365 Defender. | Title | Description | Watch | Queries | |--|--|--|--|
-| Episode 1 | In this episode, you will learn different best practices in running advanced hunting queries. Among the topics covered are: how to optimize your queries, use advanced hunting for ransomware, handle JSON as a dynamic type, and work with external data operators. | [YouTube](https://www.youtube.com/watch?v=nMGbK-ALaVg&feature=youtu.be) (56:34) | [CSL file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/l33tSpeak/Performance%2C%20Json%20and%20dynamics%20operator%2C%20external%20data.csl)
+| Episode 1 | In this episode, you will learn different best practices in running advanced hunting queries. Among the topics covered are: how to optimize your queries, use advanced hunting for ransomware, handle JSON as a dynamic type, and work with external data operators. | [YouTube](https://www.youtube.com/watch?v=nMGbK-ALaVg&feature=youtu.be) (56:34) | [Text file](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/l33tSpeak/Performance%2C%20Json%20and%20dynamics%20operator%2C%20external%20data.txt)
## How to use the CSL file
-Before starting an episode, access the corresponding [Kusto CSL file on GitHub](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/tree/master/Webcasts/TrackingTheAdversary) and copy its contents to the advanced hunting query editor. As you watch an episode, you can use the copied contents to follow the speaker and run queries.
+Before starting an episode, access the corresponding [text file on GitHub](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/tree/master/Webcasts) and copy its contents to the advanced hunting query editor. As you watch an episode, you can use the copied contents to follow the speaker and run queries.
-The following excerpt from a CSL file shows a comprehensive set of guidance marked as comments with `//`.
+The following excerpt from a text file containing the queries shows a comprehensive set of guidance marked as comments with `//`.
```kusto // DeviceLogonEvents
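Review bot: the body now says "text file" throughout, but the section heading in the unchanged context is still "## How to use the CSL file", so the heading and the text disagree. Rename the heading in this change and check for inbound links to the `#how-to-use-the-csl-file` anchor. The Episode 4 row and the L33TSP3AK Episode 1 row also still end without a closing `|`, unlike the rows for episodes 1 to 3.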
The following excerpt from a CSL file shows a comprehensive set of guidance mark
// - Timestamp ```
-The same CSL file includes queries before and after the comments as shown below. To run a specific query with [multiple queries in the editor](advanced-hunting-query-language.md#work-with-multiple-queries-in-the-editor), move the cursor to that query and select **Run query**.
+The same text file includes queries before and after the comments as shown below. To run a specific query with [multiple queries in the editor](advanced-hunting-query-language.md#work-with-multiple-queries-in-the-editor), move the cursor to that query and select **Run query**.
```kusto DeviceLogonEvents
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
localization_priority: Normal
search.appverid: - MET150 - MOE150--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
ms.prod: m365-security ms.technology: m365d
If you are looking for compliance-related items, visit the [Microsoft 365 compli
This table is a quick reference of Email & Collaboration areas where change has occurred between the **Security & Compliance center** and the **Microsoft 365 Security** portal. Click the links to read more about these areas.
-|**Area** |**Description of change** |
-|||
-| [Email entity page](../office-365-security/mdo-email-entity-page.md) | This page **unifies** email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is *centralized*. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling. |
-| [Investigation](../office-365-security/office-365-air.md#changes-are-coming-soon-in-your-security-center) | Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place. |
-| [Alert view](../../compliance/alert-policies.md) | The **View alerts** flyout pane in the Office Security and Compliance center now includes links to the Microsoft 365 security center. Click on the **Open Alert Page** link and the Microsoft 365 security center opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue. |
-| [Attack Simulation training](../office-365-security/attack-simulation-training-insights.md) | Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage. |
+<br>
+
+****
+
+|Area|Description of change|
+|||
+|[Email entity page](../office-365-security/mdo-email-entity-page.md)|This page **unifies** email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is *centralized*. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling.|
+|[Investigation](../office-365-security/office-365-air.md#changes-are-coming-soon-in-your-security-center)|Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) and [Defender for Endpoint](../defender-endpoint/automated-investigations.md). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.|
+|[Alert view](../../compliance/alert-policies.md)|The **View alerts** flyout pane in the Office Security and Compliance center now includes links to the Microsoft 365 security center. Click on the **Open Alert Page** link and the Microsoft 365 security center opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue.|
+|[Attack Simulation training](../office-365-security/attack-simulation-training-insights.md)|Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage.|
+|
No changes to these areas:+ - [Explorer](../office-365-security/threat-explorer.md) - [Policies & Rules](../../compliance/alert-policies.md) - [Campaign](../office-365-security/campaigns.md)
Also, check the **Related Information** section at the bottom of this article.
> The Microsoft 365 Security portal (https://security.microsoft.com) combines security features in https://securitycenter.windows.com, and https://protection.office.com. However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics. > [!TIP]
-> All Exchange Online Protection (EOP) functions will be included in the Microsoft 365 security center, as EOP is a core element of Defender for Office 365.
+> All Exchange Online Protection (EOP) functions will be included in the Microsoft 365 security center, as EOP is a core element of Defender for Office 365.
## Microsoft 365 security center Home page
The Home page of the portal surfaces:
- tweets from MicrosoftΓÇÖs security intelligence twitter feed - and more summary information
-Using the **Guided tour** you can take a quick tour of Endpoint or Email & collaboration pages. Note that what you see here will depend on if you have license for Defender for Office 365 and/or Defender for Endpoint.
+Using the **Guided tour** you can take a quick tour of Endpoint or Email & collaboration pages. Note that what you see here will depend on if you have license for Defender for Office 365 and/or Defender for Endpoint.
Also included is a link to the **Office 365 Security and Compliance center** for comparison. The last link is to the **What's New** page that describes recent updates.
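Review bot: the table rows are re-added with their wording errors intact. In the Email entity page row, "and then act quickly determine handling" is missing a word ("act quickly to determine handling"); in the Attack Simulation training row, "Attack simulation training includes, more options, enhanced reports, and improved training flows help make" fuses two sentences. Since every row is rewritten here anyway, fix both in this change.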
Also included is a link to the **Office 365 Security and Compliance center** for
The left navigation, or quick launch bar, will look familiar. However, there are some new and updated elements in this security center. ### Incidents and alerts+ Brings together incident and alert management across your email, devices, and identities. Alerts are now available under the Investigation node, and help provide a broader view of an attack. The alert page provides full context to the alert, by combining attack signals to construct a detailed story. Previously, alerts were specific to different workloads. A new, unified experience now brings together a consistent view of alerts across workloads. You can quickly triage, investigate, and take effective action. - [Learn more about Investigations](incidents-overview.md)
Brings together incident and alert management across your email, devices, and id
![The Alerts and Actions quick launch bar](../../media/converge-1-alerts-and-actions.png) - ### Hunting+ Proactively search for threats, malware, and malicious activity across your endpoints, Office 365 mailboxes, and more by using [advanced hunting queries](advanced-hunting-overview.md). These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats. [Custom detection rules](/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.
Action center shows you the investigations created by automated investigation an
[Learn more about Action Center](m365d-action-center.md) #### Threat Analytics+ Get threat intelligence from expert Microsoft security researchers. Threat Analytics helps security teams be more efficient when facing emerging threats. Threat Analytics includes: - Email-related detections and mitigations from Microsoft Defender for Office 365. This is in addition to the endpoint data already available from Microsoft Defender for Endpoint.-- Incidents view related to the threats. -- Enhanced experience for quickly identifying and using actionable information in the reports.
-You can access Threat analytics either from the upper left navigation bar in the Microsoft 365 security center, or from a dedicated dashboard card that shows the top threats for your organization.
+- Incidents view related to the threats.
+- Enhanced experience for quickly identifying and using actionable information in the reports.
+You can access Threat analytics either from the upper left navigation bar in the Microsoft 365 security center, or from a dedicated dashboard card that shows the top threats for your organization.
Learn more about how to [track and respond to emerging threats with threat analytics](./threat-analytics.md)
View reports, change your settings, and modify user roles.
:::image type="content" source="../../media/converge-4-access-and-reporting-new.png" alt-text="The quick launch menu for Microsoft 365 security center permissions and reporting, on the left side of the security center."::: - > [!NOTE]
-> For Defender for Office 365 users, you can now *manage and rotate* DomainKeys Identified Mail (DKIM) keys through the Microsoft 365 security center: https://security.microsoft.com/threatpolicy, or navigate to **Policy & rules > Threat policies > DKIM**.
+> For Defender for Office 365 users, you can now *manage and rotate* DomainKeys Identified Mail (DKIM) keys through the Microsoft 365 security center: <https://security.microsoft.com/threatpolicy>, or navigate to **Policy & rules** \> **Threat policies** \> **DKIM**.
## Advanced Hunting example for Microsoft Defender for Office 365+ Want to get started searching for email threats using advanced hunting? Try this: The [Getting Started](/microsoft-365/security/office-365-security/defender-for-office-365.md#getting-started) section of the [Microsoft Defender for Office 365 article](/microsoft-365/security/office-365-security/defender-for-office-365) has logical early configuration chunks that look like this: 1. Configure everything with 'anti' in the name.-- anti-malware-- anti-phishing-- anti-spam
+ - anti-malware
+ - anti-phishing
+ - anti-spam
2. Set up everything with 'safe' in the name.-- safe links-- safe attachments
+ - safe links
+ - safe attachments
3. Defend the workloads (ex. SharePoint Online, OneDrive, and Teams) 4. Protect with Zero-Hour auto purge
Along with a [link](../office-365-security/protect-against-threats.md) to jump r
The last step in **Getting Started** is protecting users with **Zero-Hour auto purge**, also known as ZAP. Knowing if your efforts to ZAP a suspicious or malicious mail, post-delivery, were successful can be very important.
-Quickly navigating to Kusto query language to hunt for issues is an advantage of converging these two security centers. Security teams can monitor ZAP misses by taking their next steps [here](https://security.microsoft.com/advanced-hunting), under **Hunting** > **Advanced Hunting**.
+Quickly navigating to Kusto query language to hunt for issues is an advantage of converging these two security centers. Security teams can monitor ZAP misses by taking their next steps [here](https://security.microsoft.com/advanced-hunting), under **Hunting** \> **Advanced Hunting**.
1. On the Advanced Hunting page, click Query. 1. Copy the query below into the query window. 1. Select Run query. - ```kusto EmailPostDeliveryEvents | where Timestamp > ago(7d)
LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, Lo
The data from this query will appear in the results panel below the query itself. Results include information like 'DeviceName', 'AccountDisplayName', and 'ZapTime' in a customizable result set. Results can also be exported for your records. If the query is one you'll need again, select **Save** > **Save As** and add the query to your list of queries, shared, or community queries. ## Related information+ - [Microsoft Defender for Office 365 in the Microsoft 365 security center](microsoft-365-security-center-mdo.md) - [The Action center](./m365d-action-center.md) - [Email & collaboration alerts](../../compliance/alert-policies.md#default-alert-policies)
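Review bot: this change escapes the menu separator as `\>` in the DKIM note and in the **Hunting** path, but the context paragraph here still has `**Save** > **Save As**` unescaped. Convert it in the same pass so the file uses one form.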
security Configure Global Settings For Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-global-settings-for-safe-links.md
Safe Links is a feature in [Microsoft Defender for Office 365](defender-for-offi
You configure most Safe Links settings in Safe Links policies. For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md).
-But, Safe Links also uses global settings that apply to all users who are included in any active Safe Links policies. These global settings area:
+But, Safe Links also uses the following global settings that you configure outside of the Safe Links policies themselves:
-- The **Block the following URLs** list. For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links)-- Safe Links protection for Office 365 apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).
+- The **Block the following URLs** list. This setting applies to all users who are included in any active Safe Links policies. For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links)
+- Safe Links protection for Office 365 apps. These settings apply to all users in the organization who are licensed for Defender for Office 365, regardless of whether the users are included in active Safe Links policies or not. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).
You can configure the global Safe Links settings in the Security & Compliance Center or in PowerShell (Exchange Online PowerShell for eligible Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes, but with Microsoft Defender for Office 365 add-on subscriptions). ## What do you need to know before you begin? -- The features provided by global settings for Safe Links are only applied to users who are included in active Safe Links policies. There is no built-in or default Safe Links policy, so you need to create at least one Safe Links policy in order for these global settings to be active. For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md).
+- There is no built-in or default Safe Links policy, so you need to create at least one Safe Links policy in order for the **Block the following URLs** list to be active. For instructions, see [Set up Safe Links policies in Microsoft Defender for Office 365](set-up-safe-links-policies.md).
- You open the Security & Compliance Center at <https://protection.office.com/>. To go directly to the **Safe Links** page, use <https://protection.office.com/safelinksv2>.
To verify that you've successfully configured the global settings for Safe Links
Get-AtpPolicyForO365 | Format-List BlockUrls,EnableSafeLinksForO365Clients,AllowClickThrough,TrackClicks ```
- For detailed syntax and parameter information, see [Get-AtpPolicyForO365](/powershell/module/exchange/get-atppolicyforo365).
+ For detailed syntax and parameter information, see [Get-AtpPolicyForO365](/powershell/module/exchange/get-atppolicyforo365).
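Review bot: The prerequisite bullet under "What do you need to know before you begin?" now mentions only the **Block the following URLs** list, so a reader who skips the introduction never learns that Safe Links protection for Office 365 apps needs no policy at all. Consider adding a sentence there that repeats the scope given in the new second bullet of the introduction (all users licensed for Defender for Office 365, whether or not they are included in an active Safe Links policy). Also, the added first bullet ends at the link with no closing period, while the second bullet ends with one.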
security Safe Attachments https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments.md
Safe Attachments protection for email messages is controlled by Safe Attachments
The following table describes scenarios for Safe Attachments in Microsoft 365 and Office 365 organizations that include Microsoft Defender for Office 365 (in other words, lack of licensing is never an issue in the examples).
+<br>
+ **** |Scenario|Result|
Safe Attachments scanning takes place in the same region where your Microsoft 36
> The following features are located in the global settings of Safe Attachments policies in the Security & Compliance Center. But, these settings are enabled or disabled globally, and don't require Safe Attachments policies: > > - [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](mdo-for-spo-odb-and-teams.md).
->
> - [Safe Documents in Microsoft 365 E5](safe-docs.md) ## Safe Attachments policy settings
This section describes the settings in Safe Attachments policies:
- **Safe Attachments unknown malware response**: This setting controls the action for Safe Attachments malware scanning in email messages. The available options are described in the following table:
+ <br>
+ **** |Option|Effect|Use when you want to:|
This section describes the settings in Safe Attachments policies:
- **Apply the above selection if malware scanning for attachments times out or error occurs**: The action specified by **Safe Attachments unknown malware response** is taken on messages even when Safe Attachments scanning can't complete. Always select this option if you select **Enable redirect**. Otherwise, messages might be lost. - **Recipient filters**: You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:- - **The recipient is** - **The recipient domain is** - **The recipient is a member of**
If you're using a mobile device, and PDFs aren't rendering in the Dynamic Delive
Here are some considerations for Dynamic Delivery and forwarded messages: - If the forwarded recipient is protected by a Safe Attachments policy that uses the Dynamic Delivery option, then the recipient sees the placeholder, with the ability to preview compatible files.- - If the forwarded recipient is not protected by a Safe Attachments policy, the message and attachments will be delivered without any Safe Attachments scanning or attachment placeholders. There are scenarios where Dynamic Delivery is unable to replace attachments in messages. These scenarios include: - Messages in public folders.- - Messages that are routed out of and then back into a user's mailbox using custom rules.- - Messages that are moved (automatically or manually) out of cloud mailboxes to other locations, including archive folders.-
+- Inbox rules move the message out of the Inbox into a different folder.
- Deleted messages.- - The user's mailbox search folder is in an error state.--- Exchange Online organizations where Exclaimer is enabled. To resolve this, see [KB4014438](https://support.microsoft.com/help/4014438).-
+- Exchange Online organizations where Exclaimer is enabled. To resolve this issue, see [KB4014438](https://support.microsoft.com/help/4014438).
- [S/MIME)](s-mime-for-message-signing-and-encryption.md) encrypted messages.- - You configured the Dynamic Delivery action in a Safe Attachments policy, but the recipient doesn't support Dynamic Delivery (for example, the recipient is a mailbox in an on-premises Exchange organization). However, [Safe Links in Microsoft Defender for Office 365](set-up-safe-links-policies.md) is able to scan Office file attachments that contain URLs (depending on how the [global settings for Safe Links](configure-global-settings-for-safe-links.md) are configured). ## Submitting files for malware analysis - If you receive a file that you want to send to Microsoft for analysis, see [Submit malware and non-malware to Microsoft for analysis](submitting-malware-and-non-malware-to-microsoft-for-analysis.md).- - If you receive an email message (with or without an attachment) that you want to submit to Microsoft for analysis, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
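Review bot: The added item "Inbox rules move the message out of the Inbox into a different folder." is a full sentence in a list whose other entries are noun phrases ("Messages in public folders.", "Deleted messages."), so it does not read as one more scenario in the same series. Suggest rewording it to match, for example "Messages that Inbox rules move out of the Inbox into a different folder." Separately, the S/MIME entry in the same list has a stray closing parenthesis in its link text, `[S/MIME)]`, which is worth fixing while this list is being edited.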
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
Safe Links protection is available in the following locations:
For more information about Safe Links protection in Teams, see the [Safe Links settings for Microsoft Teams](#safe-links-settings-for-microsoft-teams) section later in this article. -- **Office 365 apps**: Safe Links protection for Office 365 apps is available in supported desktop, mobile, and web aps. You **configure** Safe Links protection for Office 365 apps in the global setting that are **outside** of Safe Links policies. For instructions, see [Configure global settings for Safe Links settings in Microsoft Defender for Office 365](configure-global-settings-for-safe-links.md).
+- **Office 365 apps**: Safe Links protection for Office 365 apps is available in supported desktop, mobile, and web apps. You **configure** Safe Links protection for Office 365 apps in the global setting that are **outside** of Safe Links policies. For instructions, see [Configure global settings for Safe Links settings in Microsoft Defender for Office 365](configure-global-settings-for-safe-links.md).
- But, Safe Links protection for Office 365 apps is only **applied** to users who are included in active Safe Links policies. If a user isn't included in an active Safe Links policy, the user doesn't get Safe Links protection in supported Office 365 apps.
+ Safe Links protection for Office 365 apps is applied to all users in the organization who are licensed for Defender for Office 365, regardless of whether the users are included in active Safe Links policies or not.
For more information about Safe Links protection in Office 365 apps, see the [Safe Links settings for Office 365 apps](#safe-links-settings-for-office-365-apps) section later in this article.
This article includes detailed descriptions of the following types of Safe Links
The following table describes scenarios for Safe Links in Microsoft 365 and Office 365 organizations that include Defender for Office 365 (in other words, lack of licensing is never an issue in the examples).
+<br>
+ **** |Scenario|Result|
The following table describes scenarios for Safe Links in Microsoft 365 and Offi
|In Pat's organization, no admins have created any Safe Links policies, but Safe Links protection for Office 365 apps is turned on. Pat opens a Word document and clicks a URL in the file.|Pat is not protected by Safe Links. <p> Although Safe Links protection for Office 365 apps is turned on globally, Pat is not included in any active Safe Links policies, so the protection can't be applied.| |In Lee's organization, `https://tailspintoys.com` is configured in the **Block the following URLs** list in the global settings for Safe Links. A Safe Links policy that includes Lee already exists. Lee receives an email message that contains the URL `https://tailspintoys.com/aboutus/trythispage`. Lee clicks the URL.|The URL might be automatically blocked for Lee; it depends on the URL entry in the list and the email client Lee used. For more information, see the ["Block the following URLs" list for Safe Links](#block-the-following-urls-list-for-safe-links) section later in this article.| |Jamie and Julia both work for contoso.com. A long time ago, admins configured Safe Links policies that apply to both of Jamie and Julia. Jamie sends an email to Julia, not knowing that the email contains a malicious URL.|Julia is protected by Safe Links **if** the Safe Links policy that applies to her is configured to apply to messages between internal recipients. For more information, see the [Safe Links settings for email messages](#safe-links-settings-for-email-messages) section later in this article.|
+|
## Safe Links settings for email messages
Safe Links protection for Office 365 apps has the following client requirements:
- Users are signed in using their work or school accounts. For more information, see [Sign in to Office](https://support.microsoft.com/office/b9582171-fd1f-4284-9846-bdd72bb28426).
-You configure Safe Links protection for Office 365 apps in the global settings for Safe Links, not in Safe Links policies. But, in order for Safe Links protection for Office 365 apps to be applied, the user who opens the Office document and clicks the link must be included in an active Safe Links policy.
+You configure Safe Links protection for Office 365 apps in the global settings for Safe Links, not in Safe Links policies. The protection is applied to all users in the organization who are licensed for Defender for Office 365, regardless of whether the users are included in active Safe Links policies or not.
The following Safe Links settings are available for Office 365 apps:
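Review bot: The scenario table still contains the Pat row, shown here as unchanged context, whose Result says "Pat is not protected by Safe Links" because Pat "is not included in any active Safe Links policies". That contradicts the two paragraphs this change rewrites, which now state that protection for Office 365 apps applies to all users licensed for Defender for Office 365 regardless of policy membership. The Result cell of that row needs updating in the same commit. The added line that contains only `|` after the table also looks unintended, and the reworded Office 365 apps bullet keeps "in the global setting that are", which should read "global settings that are".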
security Security Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-dashboard.md
The metrics are calculated as described in the following table:
||| |Messages scanned|Number of email messages scanned multiplied by the number of recipients| |Threats stopped|Number of email messages identified as containing malware multiplied by the number of recipients|
-|Blocked by [Defender for Office 365 ](defender-for-office-365.md)|Number of email messages blocked by Defender for Office 365 multiplied by the number of recipients|
+|Blocked by [Defender for Office 365](defender-for-office-365.md)|Number of email messages blocked by Defender for Office 365 multiplied by the number of recipients|
|Removed after delivery|Number of messages removed by [zero-hour auto purge](zero-hour-auto-purge.md) multiplied by the number of recipients| ## Malware
security Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer.md
Currently, we surface delivery location in the email grid and email flyout. The
*Additional actions* were applied after delivery of the email. They can include *ZAP*, *manual remediation* (action taken by an Admin such as soft delete), *dynamic delivery*, and *reprocessed* (for an email that was retroactively detected as good). > [!NOTE]
->
-> - As part of the pending changes, the "Removed by ZAP" value currently surfaced in the Delivery Action filter is going away. You'll have a way to search for all email with the ZAP attempt through **Additional actions**.
->
-> - There will be new fields and values for **Detection technologies** and **Additional actions** (especially for ZAP scenarios). You'll need to evaluate your existing saved queries and tracked queries to make sure they work with the new values.
+> As part of the pending changes, the "Removed by ZAP" value currently surfaced in the Delivery Action filter is going away. You'll have a way to search for all email with the ZAP attempt through **Additional actions**.
> [!div class="mx-imgBorder"] > ![Additional Actions in Explorer](../../media/Additional_Actions.png)
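Review bot: Removing the second bullet from the note drops the only advice telling readers to re-evaluate their saved queries and tracked queries, while the surviving sentence still announces that the "Removed by ZAP" value in the Delivery Action filter is going away. Suggest keeping a short reminder in the note to re-check saved queries that filter on that value and to use **Additional actions** instead.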
security View Mail Flow Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-mail-flow-reports.md
For the detail view, you can only export data for one day. So, if you want to ex
Each exported .csv file is limited to 150,000 rows. If the data for that day contains more than 150,000 rows, then multiple .csv files will be created.
-![Type view in the Mailflow status report ](../../media/mail-flow-status-report-type-view.png)
+![Type view in the Mailflow status report](../../media/mail-flow-status-report-type-view.png)
### Direction view for the Mailflow status report
For the detail view, you can only export data for one day. So, if you want to ex
Each exported .csv file is limited to 150,000 rows. If the data for that day contains more than 150,000 rows, then multiple .csv files will be created.
-![Direction view in the Mailflow status report ](../../media/mail-flow-status-report-direction-view.png)
+![Direction view in the Mailflow status report](../../media/mail-flow-status-report-direction-view.png)
### Funnel view for the Mailflow status report
Under **Date**, choose a range, and then click **Apply**. Data for the current f
Each exported .csv file is limited to 150,000 rows. If the data contains more than 150,000 rows, then multiple .csv files will be created.
- ![Funnel view in the Mailflow status report ](../../media/mail-flow-status-report-funnel-view.png)
+ ![Funnel view in the Mailflow status report](../../media/mail-flow-status-report-funnel-view.png)
### Tech view for the Mailflow status report
Under **Date**, choose a range, and then click **Apply**. Data for the current f
Each exported .csv file is limited to 150,000 rows. If the data contains more than 150,000 rows, then multiple .csv files will be created.
- ![Tech view in the Mailflow status report ](../../media/mail-flow-status-report-Tech-view.png)
+ ![Tech view in the Mailflow status report](../../media/mail-flow-status-report-Tech-view.png)
## Sent and received email report
solutions Groups Teams Compliance Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-teams-compliance-governance.md
The following table provides a quick reference for the compliance controls avail
||Define your organization's sensitive information|[Custom sensitive information types](../compliance/sensitive-information-type-learn-about.md)| |User segmentation||| ||Restrict communication between user segments|[Information barriers](../compliance/information-barriers.md)|
+|Data residency|||
+||Store data in specific geo-locations|[Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo)|
## Information retention
With information barriers, you can segment your data and users to restrict unwan
- [Use information barriers with SharePoint](/sharepoint/information-barriers)
+## Data residency
+
+With Microsoft 365 Multi-Geo, you can provision and store data at rest in the geo locations that you've chosen to meet data residency requirements. In a Multi-Geo environment, your Microsoft 365 tenant consists of a central location (where your Microsoft 365 subscription was originally provisioned) and one or more satellite locations where you can store data.
+
+- [Microsoft 365 Multi-Geo](/microsoft-365/enterprise/microsoft-365-multi-geo)
+
+- [Plan for Microsoft 365 Multi-Geo](/microsoft-365/enterprise/plan-for-multi-geo)
+ ## Related topics [Collaboration governance planning step-by-step](collaboration-governance-overview.md#collaboration-governance-planning-step-by-step)
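Review bot: The added table row and the new "Data residency" section link to Multi-Geo with site-absolute paths (`/microsoft-365/enterprise/microsoft-365-multi-geo`), while the neighbouring rows link to articles in this docset with relative .md paths such as `../compliance/information-barriers.md`. If the Multi-Geo articles live in this repository, use the relative form for consistency with the rest of the table. The same link also appears twice in the change (once in the table, once in the section's list), so both occurrences need the same treatment.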