Updates from: 05/07/2021 03:13:03
Category Microsoft Docs article Related commit history on GitHub Change details
admin Add Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/add-users.md
If you're seeing this page in the admin center, you're on the **admin simplified
:::image type="content" source="../../media/vsb-add-user-view.png" alt-text="Screenshot: Simplified admin center view"::: + 1. Go to the admin center at <https://admin.microsoft.com>.+++
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">https://portal.office.de</a>.
+++
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=850627" target="_blank">https://portal.partner.microsoftonline.cn</a>.
++ 2. Select **Create an account for another person**. 3. On the **Add a user account** page, fill in the first and last name, display name, and username they'll use to sign in. 4. Add the email address of the user in the **Up to 5 email addresses...** text box. This will make sure the new user gets the information they need to sign into Microsoft 365 services.
If you're seeing this page in the admin center, you're on the **admin simplified
## Add users one at a time in the dashboard view
- ::: moniker range="o365-worldwide"
- :::image type="content" source="../../media/classic-admin-center.png" alt-text="Screenshot: Admin center dashboard view"::: + 1. Go to the admin center at <https://admin.microsoft.com>.
-2. Go to **Users** > **Active users**, and select **Add a user**.
-3. In the **Set up the basics** pane, fill in the basic user information, and then select **Next**.
- - **Name** Fill in the first and last name, display name, and username.
- - **Domain** Choose the domain for the user's account. For example, if the user's username is Jakob, and the domain is contoso.com, they'll sign in by using jakob@contoso.com.
- - **Password settings** Choose to use the autogenerated password or to create your own strong password for the user.
- - The user must change their password after 90 days. Or you can choose to **Require this user to change their password when they first sign in**.
- - Choose whether you want to send the password in email when the user is added.
-4. In the **Assign product licenses** pane, select the location and the appropriate license for the user. If you don't have any licenses available, you can still add a user and buy additional licenses. Expand **Apps** and select or deselect apps to limit the apps the user has a license for. Select **Next**.
-5. In the **Optional settings** pane, expand **Roles** to make this user an admin. Expand **Profile info** to add additional information about the user.
-6. Select **Next**, review your new user's settings, make any changes you like, then select **Finish adding**, then **Close**.
+ 1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=848041" target="_blank">https://portal.office.de</a>.
After you add a user, you get an email notification from Microsoft. The email co
[Add several users at the same time to Microsoft 365](../../enterprise/add-several-users-at-the-same-time.md) (article)\ [Restore a user in Microsoft 365](restore-user.md) (article)\ [Assign licenses to users](../manage/assign-licenses-to-users.md) (article)\
-[Delete a user from your organization](delete-a-user.md) (article)
+[Delete a user from your organization](delete-a-user.md) (article)
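Review bot: The added "Go to the admin center" steps that show https://portal.office.de and https://portal.partner.microsoftonline.cn use raw `<a ... target="_blank">` anchors with no rel attribute, and their visible text is a different URL from the go.microsoft.com/fwlink href. Either use Markdown link syntax as the <https://admin.microsoft.com> step does, or add rel="noopener noreferrer" to the anchors. Because these are sign-in links for admins, make the displayed address match the destination (or use descriptive link text) so the reader can check where the link leads before entering credentials. The same applies to the added step 1 under "Add users one at a time in the dashboard view".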
admin Assign Licenses To Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/assign-licenses-to-users.md
You can assign licenses to users on either the **Active users** page, or on the
## Before you begin - You must be a Global, License, or User admin to assign licenses. For more information, see [About Microsoft 365 admin roles](../add-users/about-admin-roles.md).-- You can [assign licenses to user accounts with Office 365 PowerShell](../../enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell.md).
+- You can [assign Microsoft 365 licenses to user accounts with PowerShell](../../enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell.md).
- To use group-based licensing, see [Assign licenses to users by group membership in Azure Active Directory](/azure/active-directory/users-groups-roles/licensing-groups-assign) - Some services, like Sway, are automatically assigned to users, and don't need to be assigned individually. + ## Use the Licenses page to assign licenses to users When you use the **Licenses** page to assign licenses, you assign licenses for a specific product to up to 20 users. On the **Licenses** page, you see a list of all the products that you have subscriptions for. You also see the total number of licenses for each product, how many licenses are assigned, and how many are available.
When you use the **Active users** page to assign licenses, you assign users lice
By default, all services associated with those licenses are automatically assigned to the users. You can limit which services are available to the users. Switch the toggles to the **Off** position for the services that you don't want the users to have. 6. At the bottom of the pane, select **Add** \> **Close**. +
+> [!NOTE]
+> If you want to assign licenses for a large number of users, use [Assign licenses to users by group membership in Azure Active Directory](/azure/active-directory/enterprise-users/licensing-groups-assign)
+ ### Assign licenses to one user ::: moniker range="o365-worldwide"
If your users don't yet have the Office apps installed, you can share the [Emplo
[Understand subscriptions and licenses](../../commerce/licenses/subscriptions-and-licenses.md) (article)\ [Unassign licenses from users](remove-licenses-from-users.md) (article)\
-[Buy or remove licenses for your subscription](../../commerce/licenses/buy-licenses.md) (article)
+[Buy or remove licenses for your subscription](../../commerce/licenses/buy-licenses.md) (article)
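Review bot: The added NOTE links group-based licensing at /azure/active-directory/enterprise-users/licensing-groups-assign, while the existing bullet under "Before you begin" links the same article at /azure/active-directory/users-groups-roles/licensing-groups-assign. Point both at the same path so that neither depends on a redirect staying in place. The sentence in the note is also missing its closing period.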
admin Services In China https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/services-in-china.md
GDPR grants individuals (or, data subjects) certain rights in connection with th
- System generated logs for Microsoft services operated by 21Vianet can be exported by Tenant Administrators using the Data Log Export. For details and instructions, see [Data Subject Requests (DSR) for GDPR](https://www.trustcenter.cn/privacy/gdpr-office365.mdl).+
+## Related content
+
+[Try or buy a Microsoft 365 for business subscription](../../commerce/try-or-buy-microsoft-365.md) (article)
+
+[Azure Information Protection support for Office 365 operated by 21Vianet](parity-between-azure-information-protection.md) (article)
+
+[View your bill or get a Fapiao](../../commerce/billing-and-payments/view-your-bill-or-invoice.md) (article)
admin Set Up File Storage And Sharing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/set-up-file-storage-and-sharing.md
You can enable third-party storage for your users in Microsoft 365 so they can s
- [Install and set up Office on an iPhone or iPad with Microsoft 365](https://support.microsoft.com/office/9df6d10c-7281-4671-8666-6ca8e339b628) - [Set up Office on Windows Phone with Microsoft 365](https://support.microsoft.com/office/2b7c1b51-a717-45d6-90c9-ee1c1c5ee0b7)+
+## Related content
+
+[Add storage space for your subscription](../../commerce/add-storage-space.md) (article)
+
+[Share files and folders with Microsoft 365 Business](https://support.microsoft.com/office/share-files-and-folders-with-microsoft-365-business-72f26d6c-bf9e-432c-8b96-e3c2437f5b65) (video)
+
+[Customize your team site for file storage and sharing](customize-team-site.md) (article)
commerce Afghanistan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/afghanistan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Albania https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/albania.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Algeria https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/algeria.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Angola https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/angola.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Argentina https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/argentina.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Armenia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/armenia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Australia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/australia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Austria https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/austria.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Azerbaijan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/azerbaijan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Bahamas https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/bahamas.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Bahrain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/bahrain.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Bangladesh https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/bangladesh.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Barbados https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/barbados.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Belarus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/belarus.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Belgium https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/belgium.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Belize https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/belize.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Bermuda https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/bermuda.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Bolivia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/bolivia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Bosnia And Herzegovina https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/bosnia-and-herzegovina.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Botswana https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/botswana.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Brazil https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/brazil.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Brunei https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/brunei.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Bulgaria https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/bulgaria.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Cameroon https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/cameroon.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Canada https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/canada.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Cape Verde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/cape-verde.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Cayman Islands https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/cayman-islands.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Chile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/chile.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce China Prc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/china-prc.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Colombia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/colombia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Costa Rica https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/costa-rica.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Cote Divoire https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/cote-divoire.md
audience: Admin
localization_priority: Normal-+ description: Learn where to send the payment for your subscription.
commerce Croatia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/croatia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Curacao https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/curacao.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Cyprus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/cyprus.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Czech Republic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/czech-republic.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Democratic Republic Of Congo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/democratic-republic-of-congo.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Denmark https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/denmark.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Dominican Republic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/dominican-republic.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Ecuador https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/ecuador.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Egypt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/egypt.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce El Salvador https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/el-salvador.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Estonia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/estonia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Ethiopia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/ethiopia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Faroe Islands https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/faroe-islands.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Fiji https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/fiji.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Finland https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/finland.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce France https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/france.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce French Guiana https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/french-guiana.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Georgia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/georgia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Germany https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/germany.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Ghana https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/ghana.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Greece https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/greece.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Grenada https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/grenada.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Guadeloupe https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/guadeloupe.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Guam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/guam.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Guatemala https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/guatemala.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Guyana https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/guyana.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Haiti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/haiti.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Honduras https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/honduras.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Hong Kong https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/hong-kong.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Hungary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/hungary.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Iceland https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/iceland.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce India https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/india.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Indonesia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/indonesia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Iraq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/iraq.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Ireland https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/ireland.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Israel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/israel.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Italy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/italy.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Jamaica https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/jamaica.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Japan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/japan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Jordan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/jordan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Kazakhstan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/kazakhstan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Kenya https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/kenya.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Korea https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/korea.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Kuwait https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/kuwait.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Kyrgyzstan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/kyrgyzstan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Latvia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/latvia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Lebanon https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/lebanon.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Libya https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/libya.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Liechtenstein https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/liechtenstein.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Lithuania https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/lithuania.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Luxembourg https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/luxembourg.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Macao https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/macao.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Macedonia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/macedonia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Malaysia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/malaysia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Malta https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/malta.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Mauritius https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/mauritius.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Mexico https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/mexico.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Moldova https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/moldova.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Monaco https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/monaco.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Mongolia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/mongolia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Montenegro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/montenegro.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Morocco https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/morocco.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Namibia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/namibia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Nepal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/nepal.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Netherlands https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/netherlands.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce New Zealand https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/new-zealand.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Nicaragua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/nicaragua.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Nigeria https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/nigeria.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Norway https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/norway.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Oman https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/oman.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Pakistan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/pakistan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Palestinian Authority https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/palestinian-authority.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Panama https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/panama.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Paraguay https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/paraguay.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Peru https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/peru.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Philippines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/philippines.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Poland https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/poland.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Portugal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/portugal.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Puerto Rico https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/puerto-rico.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Qatar https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/qatar.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Romania https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/romania.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Russia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/russia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Rwanda https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/rwanda.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Saint Kitts And Nevis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/saint-kitts-and-nevis.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Saint Lucia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/saint-lucia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Saint Vincent And The Grenadines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/saint-vincent-and-the-grenadines.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Saudi Arabia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/saudi-arabia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Senegal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/senegal.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Serbia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/serbia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Singapore https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/singapore.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Slovakia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/slovakia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Slovenia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/slovenia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce South Africa https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/south-africa.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Spain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/spain.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Sri Lanka https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/sri-lanka.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Suriname https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/suriname.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Sweden https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/sweden.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Switzerland https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/switzerland.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Taiwan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/taiwan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Tajikistan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/tajikistan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Tanzania https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/tanzania.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Thailand https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/thailand.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Trinidad And Tobago https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/trinidad-and-tobago.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Tunisia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/tunisia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Turkey https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/turkey.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Turkmenistan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/turkmenistan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Uganda https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/uganda.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Ukraine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/ukraine.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce United Arab Emirates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/united-arab-emirates.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce United Kingdom https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/united-kingdom.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce United States https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/united-states.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Uruguay https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/uruguay.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Uzbekistan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/uzbekistan.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Venezuela https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/venezuela.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Vietnam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/vietnam.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Virgin Islands https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/virgin-islands.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Yemen https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/yemen.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Zambia https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/zambia.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
commerce Zimbabwe https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/pay/zimbabwe.md
audience: Admin -+ localization_priority: Normal description: Learn where to send the payment for your subscription.
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
There are two different methods for automatically applying a sensitivity label t
- When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the account that last modified the file. Specific to auto-labeling for Exchange:
- - Unlike manual labeling or auto-labeling with Office apps, Office attachments (Word, Excel, and PowerPoint files) and PDF attachments are also scanned for the conditions you specify in your auto-labeling policy. When there is a match, the email is labeled but not the attachment.
- - For these Office files, Open XML format is supported (such as .docx and .xlsx) but not Microsoft Office 97-2003 format (such as .doc and .xls).
+ - Unlike manual labeling or auto-labeling with Office apps, PDF attachments as well as Office attachments (Word, Excel, and PowerPoint files) are also scanned for the conditions you specify in your auto-labeling policy. When there is a match, the email is labeled but not the attachment.
+ - For PDF files, if the label applies encryption, these files are encrypted when your tenant is [enabled for PDF attachments](ome-faq.yml#are-pdf-file-attachments-supported-).
+ - For these Office files, Open XML format is supported (such as .docx and .xlsx) but not Microsoft Office 97-2003 format (such as .doc and .xls). If the label applies encryption, these files are encrypted.
- If you have Exchange mail flow rules or data loss prevention (DLP) policies that apply IRM encryption: When content is identified by these rules or policies and an auto-labeling policy, the label is applied. If that label applies encryption, the IRM settings from the Exchange mail flow rules or DLP policies are ignored. However, if that label doesn't apply encryption, the IRM settings from the mail flow rules or DLP policies are applied in addition to the label. - Email that has IRM encryption with no label will be replaced by a label with any encryption settings when there is a match by using auto-labeling. - Incoming email is labeled when there is a match with your auto-labeling conditions:
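Review bot: The two added sub-bullets say PDF and Office attachments "are encrypted" when the label applies encryption, but they sit directly under the sentence "the email is labeled but not the attachment", so the reader is left to work out how an unlabeled attachment ends up encrypted. If the intended meaning is that attachments take on the email's encryption without receiving the label, say so once in the parent bullet. The PDF bullet can then keep only its extra condition, that the tenant must be enabled for PDF attachments. The reworded parent bullet also reads "PDF attachments as well as Office attachments ... are also scanned"; drop the "also".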
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
When you have more than one retention policy, and when you also use retention la
For **Teams channel messages**, message from standard channels but not [private channels](/microsoftteams/private-channels) are included. Currently, private channels aren't supported by retention policies.
- By default, [all teams and all users are selected](#a-policy-that-applies-to-entire-locations), but you can refine this by selecting the [**Choose** and **Exclude** options](#a-policy-with-specific-inclusions-or-exclusions).
+ By default, [all teams and all users are selected](#a-policy-that-applies-to-entire-locations), but you can refine this by selecting the [**Choose** and **Exclude** options](#a-policy-with-specific-inclusions-or-exclusions). However, before you change the default, be aware of the following consequences for a retention policy that deletes messages when it's configured for includes or excludes:
+
+ - For group chats, because a copy of messages are saved in each user's mailbox who are included in the chat, copies of messages will continue to be returned in eDiscovery results from users who weren't assigned the policy.
+ - For users who weren't assigned the policy, deleted messages will be returned in their Teams search results but won't display the contents of the message as a result of the permanent deletion from the policy assigned to users.
4. For **Decide if you want to retain content, delete it, or both** page of the wizard, specify the configuration options for retaining and deleting content.
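Review bot: The first added bullet has a subject-verb and attachment problem: "a copy of messages are saved in each user's mailbox who are included in the chat". Suggest "because a copy of the messages is saved in the mailbox of each user included in the chat". In the second bullet, "as a result of the permanent deletion from the policy assigned to users" does not say which users; naming them (the users who were assigned the policy) would make the consequence clear to an admin deciding on includes and excludes.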
When you have more than one retention policy, and when you also use retention la
5. Complete the wizard to save your settings.
-For more information about retention policies for Teams, see [Retention policies in Microsoft Teams](/microsoftteams/retention-policies) from the Teams documentation.
+For high-level information when to use retention policies for Teams, see [Retention policies in Microsoft Teams](/microsoftteams/retention-policies) from the Teams documentation.
+
+For technical details about how retention works for Teams, including what elements of messages are supported for retention and timing information with example walkthroughs, see [Learn about retention for Microsoft Teams](retention-policies-teams.md).
#### Known configuration issues
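Review bot: The replacement sentence "For high-level information when to use retention policies for Teams" is missing a preposition; suggest "For high-level information about when to use retention policies for Teams". The second added paragraph links to retention-policies-teams.md in this repository while the first still points to the Teams documentation, so it would help to state in the first sentence that the Teams article is the overview and the local article is the detailed reference.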
compliance Document Metadata Fields In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-metadata-fields-in-Advanced-eDiscovery.md
The following table lists the metadata fields for documents in a review set in a
|Meeting End Date|MeetingEndDate|Meeting_end_date|Meeting end date for meetings.| |Meeting Start Date|MeetingStartDate|Meeting_start_date|Meeting start date for meetings.| |Message kind|MessageKind|Message_kind|The type of message to search for. Possible values: **<br /><br />contacts <br />docs <br />email <br />externaldata <br />faxes <br />im <br />journals <br />meetings <br />microsoftteams** (returns items from chats, meetings, and calls in Microsoft Teams) **<br />notes <br />posts <br />rssfeeds <br />tasks <br />voicemail**|
-|ModernAttachment_ParentId||ModernAttachment_ParentId||
+|Modern Attachment Parent Id||ModernAttachment_ParentId|The Immutable Id of the document's parent.|
|Native Extension|NativeExtension|Native_extension|Native extension of the item.| |Native file name|NativeFileName|Native_file_name|Native file name of the item.| |NativeMD5||Native_MD5|MD5 hash (128-bit hash value) of the file stream.|
The following table lists the metadata fields for documents in a review set in a
|Title|Title|Doc_title|Title from the document metadata.| |To|To|Email_to|To field for message types. Format is **DisplayName\<SmtpAddress>**| |Unique in email set|UniqueInEmailSet||**False** if there's a duplicate of the attachment in its email set.|
+|Version Group ID||Version_Group_Id|Groups together the different versions of the same document.|
|Was Remediated|WasRemediated|Was_Remediated|**True** if the item was remediated, otherwise **False**.| |Word count|WordCount|Word_count|Number of words in the item.| ||||| > [!NOTE]
-> For more information about searchable properties when searching Office 365 content locations when you're collecting data for an Advanced eDiscovery case, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md).
+> For more information about searchable properties when searching Office 365 content locations when you're collecting data for an Advanced eDiscovery case, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md).
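Review bot: The added row uses "Version Group ID" as the display name while the exported field is "Version_Group_Id" and the "Modern Attachment Parent Id" row added earlier in this file uses "Id"; pick one casing for display names across the table. The searchable field name cell is left empty for this row, so it is worth confirming that the property really is not searchable rather than just undocumented. The removed and added NOTE lines read identically here, so that part of the change looks like whitespace only.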
compliance Download Existing Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/download-existing-reports.md
Title: "Download existing reports in the Security &amp; Compliance Center" f1.keywords: - NOCSH--++ Last updated 06/01/2018 audience: ITPro
compliance Endpoint Dlp Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
Make sure that the Windows 10 devices that you plan on deploying Endpoint DLP to
- For Windows 10 2004 - KB4568831, KB4577063 - For devices running Office 2016 (and not any other Office version) - KB4577063
-4. All devices must be [Azure Active Directory (Azure AD) joined](/azure/active-directory/devices/concept-azure-ad-join), or Hybrid Azure AD joined.
+4. All devices must be [Azure Active Directory (Azure AD) joined](/azure/active-directory/devices/concept-azure-ad-join), AD joined, Hybrid Azure AD joined, or AAD registered.
5. Install Microsoft Chromium Edge browser on the endpoint device to enforce policy actions for the upload to cloud activity. See, [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium).
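Review bot: The expanded join-state list in step 4 mixes three naming styles in one sentence: "Azure Active Directory (Azure AD) joined", "AD joined" and "AAD registered". Only the first item is linked, and "AD joined" next to "Azure AD joined" is easy to misread. Suggest one abbreviation throughout (the sentence already introduces "Azure AD"), spelling out the on-premises case as "Active Directory joined", and linking or defining each state so an admin can check which one a device is in.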
compliance Endpoint Dlp Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-using.md
These scenarios require that you already have devices onboarded and reporting in
- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/)-- [Onboarding tools and methods for Windows 10 machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)
+- [Onboarding tools and methods for Windows 10 machines](/microsoft-365/compliance/dlp-configure-endpoints)
- [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1) - [Azure Active Directory (AAD) joined](/azure/active-directory/devices/concept-azure-ad-join) - [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium) - [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)-- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
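Review bot: The replacement link for "Onboarding tools and methods for Windows 10 machines" uses a site-absolute path, "/microsoft-365/compliance/dlp-configure-endpoints", while the other links in this list to articles in the same folder are relative .md references such as "create-test-tune-dlp-policy.md". If the target is in this folder, use the relative .md form so the link follows the same convention as its neighbours. The last line of the list is removed and re-added with no visible difference, which looks like an end-of-file newline change only.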
compliance Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-protection.md
MIP capabilities are included with Microsoft 365 Compliance and give you the too
![Image of how MIP helps you discover, classify, and protect sensitive data](../media/powered-by-intelligent-platform.png) + For information about governing your data, see [Microsoft Information Governance in Microsoft 365](manage-Information-governance.md). ## Know your data
For information about governing your data, see [Microsoft Information Governance
> > For release announcements for Azure Purview, see the following blog posts: [Microsoft Information Protection and Microsoft Azure Purview: Better Together](https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-information-protection-and-microsoft-azure-purview/ba-p/1957481) and [Azure Purview at Spring Ignite 2021](https://techcommunity.microsoft.com/t5/azure-purview/azure-purview-at-spring-ignite-2021/ba-p/2175919). - To understand your data landscape and identify important data across your hybrid environment, use the following capabilities:
-
-|Capability|What problems does it solve?|Get started|
-|:|:|:--|
-|[Sensitive information types](sensitive-information-type-learn-about.md)| Identifies sensitive data by using built-in or custom regular expressions or a function. Corroborative evidence includes keywords, confidence levels, and proximity.| [Customize a built-in sensitive information type](customize-a-built-in-sensitive-information-type.md)|
-|[Trainable classifiers](classifier-learn-about.md)| Identifies sensitive data by using examples of the data you're interested in rather than identifying elements in the item (pattern matching). You can use built-in classifiers or train a classifier with your own content.| [Get started with trainable classifiers](classifier-get-started-with.md) |
-|[Data classification](data-classification-overview.md) | A graphical identification of items in your organization that have a sensitivity label, a retention label, or have been classified. You can also use this information to gain insights into the actions that your users are taking on these items. | [Get started with content explorer](data-classification-content-explorer.md)<br /><br /> [Get started with activity explorer](data-classification-activity-explorer.md) |
+++
+|**Capability**|**What problems does it solve?**|**Get started**|**Licensing**|
+|--|--|--|--|
+|[Sensitive information types](sensitive-information-type-entity-definitions.md)| Identifies sensitive data by using built-in or custom regular expressions or a function, together with corroborative evidence that includes keywords, confidence levels, and proximity. Use sensitive information types to identify specific types of data in your organization. Use the out-of-the-box sensitive information types to find standard types of data, such as passport numbers. Create a custom information type to identify information that is unique to your environment, such as part numbers. | [Customize a built-in sensitive information type](customize-a-built-in-sensitive-information-type.md)| |
+|[Trainable classifiers (preview)](classifier-learn-about.md)| Classifies data for you, using one of the built-in classifiers or train a classifier with your own content | [Get started with trainable classifiers (preview)](classifier-get-started-with.md)| |
+|[Data classification](data-classification-overview.md) | Identifies items that have a sensitivity label, a retention label, or have been classified as a sensitive information type in your organization and the actions that your users are taking on them | [Get started with content explorer](data-classification-content-explorer.md)<br /><br /> [Get started with activity explorer](data-classification-activity-explorer.md)| |
++ ## Protect your data To apply flexible protection actions that include encryption, access restrictions, and visual markings, use the following capabilities:
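Review bot: The rebuilt "Know your data" table adds a "Licensing" column, but all three rows leave that cell empty, so the published page would show a blank column. Either fill the cells in or hold the column back until the content exists. In the trainable classifiers row, "Classifies data for you, using one of the built-in classifiers or train a classifier with your own content" is not parallel; suggest "by using a built-in classifier or one that you train with your own content". The sensitive information types link also moves from the learn-about article to "sensitive-information-type-entity-definitions.md", which is worth confirming as intended since the description still reads as an overview.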
-|Capability|What problems does it solve?|Get started|
-|:|:||
-|[Sensitivity labels](sensitivity-labels.md)| A single solution across apps, services, and devices to label and protect your data as it travels inside and outside your organization. <br /><br />Example scenarios: <br /> [Manage sensitivity labels for Office apps](sensitivity-labels-office-apps.md)<br /> [Encrypt documents and emails](encryption-sensitivity-labels.md )<br /> [Apply and view labels in Power BI](/power-bi/admin/service-security-apply-data-sensitivity-labels) <br /><br /> For a comprehensive list of scenarios for sensitivity labels, see the Get started documentation.|[ Get started with sensitivity labels](get-started-with-sensitivity-labels.md) |
-|[Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2)| For Windows computers, extends sensitivity labels for additional features and functionality that includes labeling and protecting all file types from File Explorer and PowerShell<br /><br /> Example additional features: [Custom configurations for the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-customizations)| [Azure Information Protection unified labeling client administrator guide](/azure/information-protection/rms-client/clientv2-admin-guide)|
-|[Double Key Encryption](double-key-encryption.md)| Under all circumstances, only your organization can ever decrypt protected content or for regulatory requirements, you must hold encryption keys within a geographical boundary. | [Deploy Double Key Encryption](double-key-encryption.md#deploy-dke)|
-|[Office 365 Message Encryption (OME)](ome.md)| Encrypts email messages and attached documents that are sent to any user on any device, so only authorized recipients can read emailed information. <br /><br />Example scenario: [Revoke email encrypted by Advanced Message Encryption](revoke-ome-encrypted-mail.md) | [Set up new Message Encryption capabilities](set-up-new-message-encryption-capabilities.md)|
-|[Service encryption with Customer Key](customer-key-overview.md) | Protects against viewing of data by unauthorized systems or personnel, and complements BitLocker disk encryption in Microsoft datacenters. | [Set up Customer Key for Office 365](customer-key-set-up.md)|
-|[SharePoint Information Rights Management (IRM)](set-up-irm-in-sp-admin-center.md#irm-enable-sharepoint-document-libraries-and-lists)|Protects SharePoint lists and libraries so that when a user checks out a document, the downloaded file is protected so that only authorized people can view and use the file according to policies that you specify. | [Set up Information Rights Management (IRM) in SharePoint admin center](set-up-irm-in-sp-admin-center.md)|
-[Rights Management connector](/azure/information-protection/deploy-rms-connector) |Protection-only for existing on-premises deployments that use Exchange or SharePoint Server, or file servers that run Windows Server and File Classification Infrastructure (FCI). | [Steps to deploy the RMS connector](/azure/information-protection/deploy-rms-connector#steps-to-deploy-the-rms-connector)
-|[Azure Information Protection unified labeling scanner](/azure/information-protection/deploy-aip-scanner)| Discovers, labels, and protects sensitive information that resides in data stores that are on premises. | [Configuring and installing the Azure Information Protection unified labeling scanner](/azure/information-protection/deploy-aip-scanner-configure-install)|
-|[Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security)| Discovers, labels, and protects sensitive information that resides in data stores that are in the cloud. | [Discover, classify, label, and protect regulated and sensitive data stored in the cloud](/cloud-app-security/best-practices#discover-classify-label-and-protect-regulated-and-sensitive-data-stored-in-the-cloud)|
-|[Microsoft Information Protection SDK](/information-protection/develop/overview#microsoft-information-protection-sdk)|Extends sensitivity labels to third-party apps and services. <br /><br /> Example scenario: [Set and get a sensitivity label (C++)](/information-protection/develop/quick-file-set-get-label-cpp) |[Microsoft Information Protection (MIP) SDK setup and configuration](/information-protection/develop/setup-configure-mip)|
++
+|**Capability**|**What problems does it solve?**|**Get started**|**Licensing**|
+|--|--|--|--|
+|[Sensitivity labels](sensitivity-labels.md)| A single solution across apps, services, and devices to label and protect your data as it travels inside and outside your organization <br /><br />Example scenario: [Apply and view sensitivity labels in Power BI, and protect data when it is exported](/power-bi/admin/service-security-apply-data-sensitivity-labels)|[ Get started with sensitivity labels](get-started-with-sensitivity-labels.md) |
+|[Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security)| Discovers,labels, and protects sensitive information that resides in data stores that are in the cloud | [Discover, classify, label, and protect regulated and sensitive data stored in the cloud](/cloud-app-security/best-practices#discover-classify-label-and-protect-regulated-and-sensitive-data-stored-in-the-cloud)|
+|[Azure Information Protection unified labeling scanner](/azure/information-protection/deploy-aip-scanner)| Discovers, labels, and protects sensitive information that resides in data stores that are on premises | [Configuring and installing the Azure Information Protection unified labeling scanner](/azure/information-protection/deploy-aip-scanner-configure-install)|
+|[Activity Explorer]()||||
++
+## Transition from AIP to MIP
+The classic Azure Information Protection admin experience and client are being deprecated early next year. It is recommended to move to Microsoft Information Protection.This entails migrating all your existing labels and policies over.
++
+## Additional capabilities
+Microsoft 365 includes these capabilities to help protect data:
+
+|**Capability**|**What problems does it solve?**|**Get started**|
+|--|--|--|
+| Office 365 Message Encryption(OME) | Encrypts email messages and attached documents that are sent to any user on any device, so only authorized recipients can read emailed information. <br /><br /> Example scenario: Revoke email encrypted by Advanced Message Encryption | Set up new Message Encryption capabilities |
+| Double Key Encryption | Under all circumstances only you can ever decrypt protected content, or for regulatory requirements you must hold encryption keys within a geographical boundary | Deploy Double Key Encryption |
+| Service encryption with Customer Key | Protects against viewing of data by unauthorized systems or personnel, and complements bitlocker disk encryption in Microsoft data centers | Set up Customer Key for Office 365 |
+| SharePoint Information Rights Management(IRM) | Protects SharePoint lists and libraries so that when a user checks out a document, the downloaded file is protected so that only authorized can view and use the file according to policies that you specify | Set up Information Rights Management (IRM) in SharePoint admin center |
+| Rights Management Connector | Protection-only for existing on-premises deployments that use Exchange or SharePoint Server and File Classification Infrastructure (FCI) | Steps to deploy the RMS Connector |
+ ## Prevent data loss To help prevent accidental oversharing of sensitive information, use the following capabilities:
-|Capability|What problems does it solve?|Get started|
-|:|:|:|
+|**Step**|**Description**|**More information**|
+|--|--|--|
+|[Design DLP policies](data-loss-prevention-policies.md)| Plan for the mode of identifying info(sensitive info type, label, other) <br /><br /> Plan where the policies will target(services, client, 3rd party apps.) <br /><br /> Plan policy tips, other||
+||||
++++
+|**Capability**|**What problems does it solve?**|**Get started**|
+|--|--|--|
|[Learn about data loss prevention](dlp-learn-about-dlp.md)| Helps prevent unintentional sharing of sensitive items. | [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)| |[Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)| Extends DLP capabilities to items that are used and shared on Windows 10 computers. | [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md)| |[Learn about the Microsoft Compliance Extension (preview)](dlp-chrome-learn-about.md) | Extends DLP capabilities to the Chrome browser | [Get started with the Microsoft Compliance Extension (preview)](dlp-chrome-get-started.md)|
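Review bot: The first table added in this hunk declares four columns (the header gains `**Licensing**`), but the Sensitivity labels, Cloud App Security and scanner rows supply only three cells, and the `|[Activity Explorer]()||||` row has an empty link target and no content. Either fill in the Licensing cell for every row or drop the column, and complete or remove the Activity Explorer row before publishing. In the "Additional capabilities" table, the Get started cells are plain text with no link (for example "Deploy Double Key Encryption"), so the reader has nowhere to go. In the new Step table, the `||||` row has four separators under a three-column header and no content. Wording: "Microsoft Information Protection.This entails" is missing a space, "early next year" will go stale and should be a date, and "so that only authorized can view" is missing its noun.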
Additionally, to help you plan an integrated strategy for implementing informati
| Item | Description | |:--|:|
-|[![Model poster: Microsoft 365 information protection and compliance capabilities](../media/solutions-architecture-center/m365-compliance-illustrations-thumb.png)](https://download.microsoft.com/download/3/a/6/3a6ab1a3-feb0-4ee2-8e77-62415a772e53/m365-compliance-illustrations.pdf) <br/> [Download as a PDF](https://download.microsoft.com/download/3/a/6/3a6ab1a3-feb0-4ee2-8e77-62415a772e53/m365-compliance-illustrations.pdf) \| [Download as a Visio](https://download.microsoft.com/download/3/a/6/3a6ab1a3-feb0-4ee2-8e77-62415a772e53/m365-compliance-illustrations.vsdx) <br/> Japanese: [Download as a PDF](https://download.microsoft.com/download/6/f/1/6f1a7d0e-dd8e-442e-b073-8e94327ae4f8/m365-compliance-illustrations.pdf) \| [Download as a Visio](https://download.microsoft.com/download/6/f/1/6f1a7d0e-dd8e-442e-b073-8e94327ae4f8/m365-compliance-illustrations.vsdx) <br/> Updated October 2020|Includes: <ul><li> Microsoft information protection and data loss prevention</li><li>Retention policies and retention labels </li><li>Information barriers</li><li>Communication compliance</li><li>Insider risk management</li><li>Third-party data ingestion</li>|
+|[![Model poster: Microsoft 365 information protection and compliance capabilities](../media/solutions-architecture-center/m365-compliance-illustrations-thumb.png)](https://download.microsoft.com/download/3/a/6/3a6ab1a3-feb0-4ee2-8e77-62415a772e53/m365-compliance-illustrations.pdf) <br/> [Download as a PDF](https://download.microsoft.com/download/3/a/6/3a6ab1a3-feb0-4ee2-8e77-62415a772e53/m365-compliance-illustrations.pdf) \| [Download as a Visio](https://download.microsoft.com/download/3/a/6/3a6ab1a3-feb0-4ee2-8e77-62415a772e53/m365-compliance-illustrations.vsdx) <br/> Japanese: [Download as a PDF](https://download.microsoft.com/download/6/f/1/6f1a7d0e-dd8e-442e-b073-8e94327ae4f8/m365-compliance-illustrations.pdf) \| [Download as a Visio](https://download.microsoft.com/download/6/f/1/6f1a7d0e-dd8e-442e-b073-8e94327ae4f8/m365-compliance-illustrations.vsdx) <br/> Updated October 2020|Includes: <ul><li> Microsoft information protection and data loss prevention</li><li>Retention policies and retention labels </li><li>Information barriers</li><li>Communication compliance</li><li>Insider risk management</li><li>Third-party data ingestion</li>|
+
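Review bot: The `<ul>` opened in the "Includes:" cell of the poster row is never closed; the added line still ends with `<li>Third-party data ingestion</li>|` and no `</ul>`. Since this row is being rewritten anyway (the removed and added lines read the same here, so the change looks like whitespace only), add the closing `</ul>` before the final `|`.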
compliance Insider Risk Management Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-settings.md
To enable the monitoring of risk activities on devices and include policy indica
Make sure that the Windows 10 devices that you plan on reporting in insider risk management meet these requirements. 1. Must be running Windows 10 x64 build 1809 or later and must have installed the [Windows 10 update (OS Build 17763.1075)](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818) from February 20, 2020.
-2. All devices must be [Azure Active Directory (AAD) joined](/azure/active-directory/devices/concept-azure-ad-join), or Hybrid Azure AD joined.
+2. The user account used to log into the Windows 10 device must be an active Azure Active Directory (AAD) account. The Windows 10 device may be [AAD](/azure/active-directory/devices/concept-azure-ad-join), hybrid AAD, or Active Directory joined, or AAD registered.
3. Install Microsoft Chromium Edge browser on the endpoint device to monitor actions for the cloud upload activity. See, [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium). #### Step 2: Onboarding devices
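Review bot: The rewritten requirement 2 lists the accepted device states with two competing "or"s ("[AAD], hybrid AAD, or Active Directory joined, or AAD registered"), and only the first item carries a link, so it is not clear which states are accepted or what "AAD" alone means there. Suggest spelling each state out in one flat list, for example "AAD joined, hybrid AAD joined, Active Directory joined, or AAD registered". Because the requirement moves from the device's join state to the signed-in user account, it would also help to say what "active" means for the account.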
To share a Power Automate flow in the settings area, you must be a member of the
Complete the following steps to share a Power Automate flow:
-1. In the [Microsoft 365 compliance center](htttps://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Power Automate flows**. You can also access from the **Cases** or **Users dashboards** pages by choosing **Automate** > **Manage Power Automate flows**.
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Power Automate flows**. You can also access from the **Cases** or **Users dashboards** pages by choosing **Automate** > **Manage Power Automate flows**.
2. On the **Power Automate flows** page, select the **My flows** or **Team flows** tab. 3. Select the flow to share, then select **Share** from the flow options menu. 4. On the flow sharing page, enter the name of the user or group you want to add as an owner for the flow.
To edit a Power Automate flow in the settings area, you must be a member of the
Complete the following steps to edit a Power Automate flow:
-1. In the [Microsoft 365 compliance center](htttps://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Power Automate flows**. You can also access from the **Cases** or **Users dashboards** pages by choosing **Automate** > **Manage Power Automate flows**.
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Power Automate flows**. You can also access from the **Cases** or **Users dashboards** pages by choosing **Automate** > **Manage Power Automate flows**.
2. On the **Power Automate flows** page, select a flow to edit and select **Edit** from the flow control menu. 3. Select the **ellipsis** > **Settings** to change a flow component setting or **ellipsis** > **Delete** to delete a flow component. 4. Select **Save** and then **Close** to complete editing the flow.
To delete a Power Automate flow in the settings area, you must be a member of th
Complete the following steps to delete a Power Automate flow:
-1. In the [Microsoft 365 compliance center](htttps://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Power Automate flows**. You can also access from the **Cases** or **Users dashboards** pages by choosing **Automate** > **Manage Power Automate flows**.
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** and select **Insider risk settings** > **Power Automate flows**. You can also access from the **Cases** or **Users dashboards** pages by choosing **Automate** > **Manage Power Automate flows**.
2. On the **Power Automate flows** page, select a flow to delete and select **Delete** from the flow control menu. 3. On the deletion confirmation dialog, select **Delete** to remove the flow or select **Cancel** to exit the deletion action.
For more information on how to use teams and channels in Microsoft Teams, see [O
Enabling Microsoft Teams support for cases is quick and easy to configure. To enable Microsoft Teams for insider risk management, complete the following steps:
-1. In the [Microsoft 365 compliance center](htttps://compliance.microsoft.com), go to **Insider risk management** > **Insider risk settings**.
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** > **Insider risk settings**.
2. Select the **Microsoft Teams** tab. 3. Enable Microsoft Teams integration for insider risk management. 4. Select **Save** to configure and exit.
Users need permission to create Microsoft 365 groups in your organization to cre
To create a team for a case, you'll use the Create Microsoft Team control when working directly in an existing case. Complete the following steps to create a new team:
-1. In the [Microsoft 365 compliance center](htttps://compliance.microsoft.com), go to **Insider risk management** > **Cases** and select an existing case.
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management** > **Cases** and select an existing case.
2. On the case action menu, select **Create Microsoft Team**. 3. In the **Team name** field, enter a name for the new Microsoft Teams team. 4. Select **Create Microsoft team** and then select **Close**.
Analytics insights from scans are based on the same risk activity signals used b
To enable insider risk analytics, you must be a member of the Insider Risk Management, Insider Risk Management Admin or Microsoft 365 Global admin role group. Complete the following steps to enable insider risk analytics:
-1. In the [Microsoft 365 compliance center](htttps://compliance.microsoft.com), go to **Insider risk management**.
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management**.
2. Select **Run scan** on the **Scan for insider risks in your organization** card on the insider risk management **Overview** tab. This turns on analytics scanning for your organization. You can also turn on scanning in your organization by navigating to **Insider risk settings** > **Analytics** and enabling **Scan your tenant's user activity to identify potential insider risks**. 3. On the **Analytics details** pane, select **Run scan** to start the scan for your organization. Analytics scan results may take up to 24 hours before insights are available as reports for review.
To turn off insider risk analytics, you must be a member of the *Insider Risk Ma
Complete the following steps to turn off insider risk analytics:
-1. In the [Microsoft 365 compliance center](htttps://compliance.microsoft.com), go to **Insider risk management**.
+1. In the [Microsoft 365 compliance center](https://compliance.microsoft.com), go to **Insider risk management**.
2. Select **Insider risk settings** > **Analytics** page. 3. On the **Analytics** page, turn off **Scan your tenant's user activity to identify potential insider risks**.
compliance Use Network Upload To Import Pst Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-network-upload-to-import-pst-files.md
As an optional step, you can install and use the Microsoft Azure Storage Explore
- Verify the filename (and the subfolder pathname if you included one) for each PST file uploaded to the Azure blob. This is helpful when you're creating the PST mapping file in the next step because you have to specify both the folder pathname and filename for each PST file. Verifying these names can help reduce potential errors in your PST mapping file.
-The Microsoft Azure Storage Explorer is in Preview.
+The Azure Storage Explorer standalone application is generally available. You can download the latest version using the link in the following procedure.
> [!IMPORTANT] > You can't use the Azure Storage Explorer to upload or modify PST files. The only supported method for importing PST files is to use AzCopy. Also, you can't delete PST files that you've uploaded to the Azure blob. If you try to delete a PST file, you'll receive an error about not having the required permissions. Note that all PST files are automatically deleted from your Azure storage area. If there are no import jobs in progress, then all PST files in the **ingestiondata** container are deleted 30 days after the most recent import job was created.
enterprise Portallaunchscheduler https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/PortalLaunchScheduler.md
Title: "Launch your portal using the Portal Launch Scheduler"
+ Title: "Launch your portal using the Portal launch scheduler"
search.appverid: - SPO160 - MET150
-description: "This article describes how you can launch your portal using the Portal Launch Scheduler"
+description: "This article describes how you can launch your portal using the Portal launch scheduler"
-# Launch your portal using the Portal Launch Scheduler
+# Launch your portal using the SharePoint Portal launch scheduler
-A portal is a SharePoint site on your intranet that has a large number of site viewers who consume content on the site. Launching your portal in waves is an important part of ensuring users have a smooth and performant experience accessing a new SharePoint Online portal.
+A portal is a SharePoint communication site on your intranet that is high-traffic ΓÇô a site that has anywhere from 10,000 to over 100,000 viewers over the course of several weeks. Use the Portal launch scheduler to launch your portal to ensure users have a smooth viewing experience when accessing your new SharePoint portal.
+<br>
+<br>
+The Portal launch scheduler is designed to help you follow a phased roll-out approach by batching viewers in waves and managing the URL redirects for the new portal. During the launch of each wave, you can gather user feedback, monitor portal performance, and pause the launch to resolve issues before proceeding with the next wave. Learn more about how to [plan a portal launch in SharePoint](https://docs.microsoft.com/microsoft-365/Enterprise/Planportallaunchroll-out?view=o365-worldwide).
-Launching in waves is a key way to roll-out your portal, as detailed in [Planning your portal launch roll-out plan in SharePoint Online](./planportallaunchroll-out.md?view=o365-worldwide). The Portal Launch Scheduler is designed to help you follow a wave / phased roll-out approach by managing the redirects for the new portal. During each of the waves, you can gather user feedback and monitor performance during each wave of deployment. This has the advantage of slowly introducing the portal, giving you the option to pause and resolve issues before proceeding with the next wave, and ultimately ensuring a positive experience for your users.
+**There are two types of redirections:**
-There are two types of redirection:
-- bidirectional: launch a new modern SharePoint Online portal to replace an existing SharePoint classic or modern portal -- temporary page redirection: launch a new modern SharePoint Online portal with no existing SharePoint portal
+- **Bidirectional**: launch a new modern SharePoint portal to replace an existing SharePoint classic or modern portal
+- **Redirect to a temporary page**: launch a new modern SharePoint portal with no existing SharePoint portal
-The portal launch scheduler is only available to launch modern SharePoint Online portals (i.e. communication sites). Launches must be scheduled at least 7 days in advance. The number of waves required is determined by the expected number of users. Before scheduling a portal launch, the [Page Diagnostics for SharePoint tool](./page-diagnostics-for-spo.md) must be run to verify that the home page on the portal is healthy. At the end of the portal launch, all users with permissions to the site will be able to access the new site.
+Site permissions must be set up separately from waves as part of the launch. For example, if you are releasing an organization-wide portal, you can set permissions to ΓÇ£Everyone except external users,ΓÇ¥ then separate your users into waves using security groups. Adding a security group to a wave does not give that security group access to the site.
-For more information about launching a successful portal, follow the basic principles, practices, and recommendations detailed in [Creating, launching and maintaining a healthy portal](/sharepoint/portal-health).
> [!NOTE]
-> This feature is not available for Office 365 Germany, Office 365 operated by 21Vianet (China), or Microsoft 365 US Government plans.
+> - This will feature will be accessible from the **Settings** panel on the home page of SharePoint communication sites for Targeted release customers starting in May 2021 and will become available to all customers by July 2021
+> - The PowerShell version of this tool is available today
+> - This feature can only be used on modern SharePoint communication sites
+> - You must have site owner permissions for the site to customize and schedule the launch of a portal
+> - Launches must be scheduled at least seven days in advance and each wave can last one to seven days
+> - The number of waves required is automatically determined by the expected number of users
+> - Before scheduling a portal launch, the [Page Diagnostics for SharePoint tool](https://aka.ms/perftool) must be run to verify that the home page of the site is healthy
+> - At the end of the launch, all users with permissions to the site will be able to access the new site
+> - If your organization is using [Viva Connections](https://docs.microsoft.com/SharePoint/viva-connections), users may see your organization's icon in the Microsoft Teams app bar, however when the icon is selected users will not be able to access the portal until their wave has launched
+> - This feature is not available for Office 365 Germany, Office 365 operated by 21Vianet (China), or Microsoft 365 US Government plans
-## App setup and connecting to SharePoint Online
+### Understand the differences between Portal launch scheduler options:
+
+Formerly, portal launches could only be scheduled through SharePoint PowerShell. Now, you have two options to help you schedule and manage your portal's launch. Learn about the key differences between both tools:
+
+**SharePoint PowerShell version:**
+
+- Admin credentials are required to use [SharePoint PowerShell](https://docs.microsoft.com/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell?view=sharepoint-ps)
+- Minimum requirement of one wave
+- Schedule your launch based on Coordinated Universal Time (UTC) time zone
+
+**In-product version:**
+
+- Site owner credentials are required
+- Minimum requirement of two waves
+- Schedule your launch based on the portal's local time zone as indicated in regional settings
+++
+## Get started using the Portal launch scheduler
+
+1. Before using the Portal launch scheduler tool, [add all users who will need access to this site](https://support.microsoft.com/office/share-a-site-958771a8-d041-4eb8-b51c-afea2eae3658) through **Site permissions** as a Site owner, Site member, or Visitor.
+
+2. Then, start scheduling your portalΓÇÖs launch by accessing the Portal launch scheduler in one of two ways:
+
+ **Option 1**: The first few times you edit and republish changes to your home page - or up until home page version 3.0 - you will be prompted to use the Portal launch scheduler tool. Select **Schedule launch** to move forward with scheduling. Or select **Republish** to republish your page edits without scheduling the launch.
+
+ ![Image of the prompt to use the portal launch scheduler when republishing the home page](../media/portal-launch-republish-2.png)
+
+ **Option 2**: At any time, you can navigate to the SharePoint communication site home page, select **Settings** and then **Schedule site launch** to schedule your portalΓÇÖs launch.
+
+ ![Image of the Settings pane with Schedule a site launch highlighted](../media/portal-launch-settings-2.png)
+
+3. Next, confirm the portalΓÇÖs health score and make improvements to the portal if needed using the [Page Diagnostics for SharePoint](https://aka.ms/perftool) tool until your portal receives a **Healthy** score. Then, select **Next**.
+
+ ![Image of the Portal launch scheduler tool](../media/portal-launch-panel-2.png)
+
+ > [!NOTE]
+ > The site name and description canΓÇÖt be edited from the Portal launch scheduler and instead can be changed by selecting **Settings** and then **Site information** from the home page.
+
+4. Select the **Number of expected users** from the drop-down. This figure represents the number of users who will most likely need access to the site. The Portal launch scheduler will automatically determine the ideal number of waves depending on the expected users like this:
+
+ - Less than 10k users: Two waves
+ - 10k to 30k users: Three waves
+ - 30k+ to 100k users: Five waves
+ - More than 100k users: Five waves and contact your Microsoft account team
+
+5. Then, determine the **Type of redirect** needed:
+
+ **Option 1: Send users to an existing SharePoint page (bidirectional)** ΓÇô Use this option when launching a new modern SharePoint portal to replace an existing SharePoint portal. Users in active waves will be redirected to the new site regardless of whether they navigate to the old or new site. Users in a non-launched wave that try to access the new site will be redirected back to the old site until their wave is launched.
+
+ > [!NOTE]
+ > When using the bidirectional option, the person scheduling the launch must also have site owner permissions to the other SharePoint portal.
+
+ **Option 2: Send users to an autogenerated temporary page (temporary page redirection)** ΓÇô Use a temporary page redirection should be used when no existing SharePoint portal exists. Users are directed to a new modern SharePoint portal and if a user is in a wave that has not been launched, they will be redirected to a temporary page.
+
+ **Option 3: Send users to an external page** ΓÇô Provide an external URL to a temporary landing page experience until the userΓÇÖs wave is launched.
+
+6. Break up your audience into waves. Add up to 20 security groups per wave. Wave details can be edited up until the launch of each wave. Each wave can last at minimum one day (24 hours) and at most seven days. This allows SharePoint and your technical environment an opportunity to acclimate and scale to the large volume of site users. When scheduling a launch through the UI, the time zone is based on the siteΓÇÖs regional settings.
+
+ >[!NOTE]
+ > - The Portal launch scheduler will automatically default to a minimum of 2 waves. However, the PowerShell version of this tool will allow for 1 wave.
+ > - Microsoft 365 groups are not supported by this version of the Portal launch scheduler.
+
+7. Determine who needs to view the site right away and enter their information into the **Users exempt from waves** field. These users are excluded from waves and will not be redirected before, during, or after the launch.
+
+8. Confirm portal launch details and select **Schedule**. Once the launch has been scheduled, any changes to the SharePoint portal home page will need to receive a healthy diagnostic result before the portal launch will resume.
++
+## Make changes to a scheduled portal launch
+
+Launch details can be edited for each wave up until the date of the waveΓÇÖs launch.
+
+1. To edit portal launch details, navigate to **Settings** and select **Schedule site launch**.
+2. Then, select **Edit**.
+3. When you are finished making your edits, select **Update**.
++
+## Delete a scheduled portal launch
+
+Launches scheduled using the Portal launch scheduler tool can be canceled, or deleted, at any time even if some waves have already been launched.
+
+1. To cancel your portalΓÇÖs launch, navigate to **Settings** and **Schedule site launch**.
+
+2. Then, select **Delete** and then when you see the message below select **Delete** again.
+
+ ![Image of the Portal launch scheduler tool](../media/portal-launch-delete-2.png)
++
+## Use the PowerShell Portal launch scheduler
+
+The SharePoint Portal launch scheduler tool was originally only available via [SharePoint PowerShell](https://docs.microsoft.com/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell?view=sharepoint-ps) and will continue to be supported through PowerShell for customers who prefer this method. The same notes at the beginning of this article apply to both versions of the Portal launch scheduler.
+
+>[!NOTE]
+> You need administrator permissions to use SharePoint PowerShell.
+> Portal launch details for launches created in PowerShell will appear and can be managed in the new Portal launch scheduler tool in SharePoint.
++
+### App setup and connecting to SharePoint Online
1. [Download the latest SharePoint Online Management Shell](https://go.microsoft.com/fwlink/p/?LinkId=255251). > [!NOTE]
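Review bot: The new overview says "There are two types of redirections" (bidirectional and redirect to a temporary page), but step 5 of the added "Get started" procedure offers three, including "Option 3: Send users to an external page". Either list all three in the overview or state that the external page is a variant of temporary page redirection. Two added sentences need a wording fix: the first NOTE bullet reads "This will feature will be accessible", and Option 2 reads "Use a temporary page redirection should be used when no existing SharePoint portal exists". In the PowerShell NOTE near the end of the hunk, the two sentences sit on consecutive `>` lines without list markers, so they will render as one paragraph; make them bullets like the other notes. The overview states that adding a security group to a wave does not give that group access to the site; repeating that in step 6, where the groups are actually entered, would keep readers from treating waves as the access control.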
For more information about launching a successful portal, follow the basic princ
2. Connect to SharePoint as a [global admin or SharePoint admin](/sharepoint/sharepoint-admin-role) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).
-## View any existing portal launch setups
+### View any existing portal launch setups
To see if there are existing portal launch configurations:
To see if there are existing portal launch configurations:
Get-SPOPortalLaunchWaves -LaunchSiteUrl <object> -DisplayFormat <object> ```
-## Schedule a portal launch on the site
+### Schedule a portal launch on the site
The number of waves required depends on your expected launch size. -- Less than 10k users: 1 wave-- 10k to 30k users: 3 waves -- 30k+ to 100k users: 5 waves-- More than 100k users: 5 waves and contact your Microsoft account team
+- Less than 10k users: One wave
+- 10k to 30k users: Three waves 
+- 30k+ to 100k users: Five waves
+- More than 100k users: Five waves and contact your Microsoft account team
-### Steps for bidirectional redirection
+#### Steps for bidirectional redirection
Bidirectional redirection involves launching a new modern SharePoint Online portal to replace an existing SharePoint classic or modern portal. Users in active waves will be redirected to the new site regardless of whether they navigate to the old or new site. Users in a non-launched wave that try to access the new site will be redirected back to the old site until their wave is launched.
To migrate users from an existing SharePoint site to a new SharePoint site in a
1. Run the following command to designate portal launch waves. ```PowerShell
- New-SPOPortalLaunchWaves -LaunchSiteUrl <object> -RedirectionType Bidirectional -RedirectUrl <string> -ExpectedNumberOfUsers <object> -WaveOverrideUsers <object> -Waves <object>
- ```
+ New-SPOPortalLaunchWaves -LaunchSiteUrl <object> -RedirectionType Bidirectional -RedirectUrl <string> -ExpectedNumberOfUsers <object> -WaveOverrideUsers <object> -Waves <object>
+ ```
+
+ Example:
-Example:
```PowerShell New-SPOPortalLaunchWaves -LaunchSiteUrl "https://contoso.sharepoint.com/teams/newsite" -RedirectionType Bidirectional -RedirectUrl "https://contoso.sharepoint.com/teams/oldsite" -ExpectedNumberOfUsers 10kTo30kUsers -WaveOverrideUsers "admin@contoso.com" -Waves ' 
-[{Name:"Wave 1", Groups:["Viewers 1"], LaunchDateUtc:"2020/10/14"}, 
-{Name:"Wave 2", Groups:["Viewers 2"], LaunchDateUtc:"2020/10/15"},
-{Name:"Wave 3", Groups:["Viewers 3"], LaunchDateUtc:"2020/10/16"}]'
+ [{Name:"Wave 1", Groups:["Viewers 1"], LaunchDateUtc:"2020/10/14"}, 
+ {Name:"Wave 2", Groups:["Viewers 2"], LaunchDateUtc:"2020/10/15"},
+ {Name:"Wave 3", Groups:["Viewers 3"], LaunchDateUtc:"2020/10/16"}]'
``` 2. Complete validation. It can take 5-10 minutes for the redirection to complete its configuration across the service.
-### Steps for redirection to temporary page
+#### Steps for redirection to temporary page
Temporary page redirection should be used when no existing SharePoint portal exists. Users are directed to a new modern SharePoint Online portal in a staged manner. If a user is in a wave that has not been launched, they will be redirected to a temporary page (any URL). 1. Run the following command to designate portal launch waves.
- ```PowerShell
- New-SPOPortalLaunchWaves -LaunchSiteUrl <object> -RedirectionType ToTemporaryPage -RedirectUrl <string> -ExpectedNumberOfUsers <object> -WaveOverrideUsers <object> -Waves <object>
- ```
+ ```PowerShell
+ New-SPOPortalLaunchWaves -LaunchSiteUrl <object> -RedirectionType ToTemporaryPage -RedirectUrl <string> -ExpectedNumberOfUsers <object> -WaveOverrideUsers <object> -Waves <object>
+ ```
+
+ Example:
-Example:
```PowerShell New-SPOPortalLaunchWaves -LaunchSiteUrl "https://contoso.sharepoint.com/teams/newsite" -RedirectionType ToTemporaryPage -RedirectUrl "https://portal.contoso.com/UnderConstruction.aspx" -ExpectedNumberOfUsers 10kTo30kUsers -WaveOverrideUsers "admin@contoso.com" -Waves ' 
-[{Name:"Wave 1", Groups:["Viewers 1"], LaunchDateUtc:"2020/10/14"}, 
-{Name:"Wave 2", Groups:["Viewers 2"], LaunchDateUtc:"2020/10/15"},
-{Name:"Wave 3", Groups:["Viewers 3"], LaunchDateUtc:"2020/10/16"}]'
+ [{Name:"Wave 1", Groups:["Viewers 1"], LaunchDateUtc:"2020/10/14"}, 
+ {Name:"Wave 2", Groups:["Viewers 2"], LaunchDateUtc:"2020/10/15"},
+ {Name:"Wave 3", Groups:["Viewers 3"], LaunchDateUtc:"2020/10/16"}]'
``` 2. Complete validation. It can take 5-10 minutes for the redirection to complete its configuration across the service.
-## Pause or restart a portal launch on the site
+### Pause or restart a portal launch on the site
1. To pause a portal launch in progress and temporarily prevent upcoming wave progressions from occurring, run the following command: ```PowerShell Set-SPOPortalLaunchWaves -Status Pause - LaunchSiteUrl <object> ```+ 2. Validate that all users are redirected to the old site. 3. To restart a portal launch that's been paused, run the following command:
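Review bot: In the pause step at the end of this hunk, `Set-SPOPortalLaunchWaves -Status Pause - LaunchSiteUrl <object>` has a space between the hyphen and `LaunchSiteUrl`, so it does not match the `-LaunchSiteUrl` parameter used in every other command on the page and will not bind as written. Fix it while this block is being touched. The two re-indented examples also still use `LaunchDateUtc` values of 2020/10/14 through 2020/10/16, which are in the past for this revision; consider placeholder or relative dates so the examples do not look stale next to the "at least seven days in advance" rule.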
Example:
4. Validate that the redirection is now restored.
-## Delete a portal launch on the site
+### Delete a portal launch on the site
1. Run the following command to delete a portal launch scheduled or in progress for a site.
Example:
2. Validate that no redirection happens for all users. ## Learn more
-[Planning your portal launch roll-out plan in SharePoint Online](./planportallaunchroll-out.md)
+
+[Planning your portal launch roll-out plan in SharePoint Online](./planportallaunchroll-out.md)
+
+[Plan your communication site](https://support.microsoft.com/office/plan-your-sharepoint-communication-site-35d9adfe-d5cc-462f-a63a-bae7f2529182)
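Review bot: In step 1 under "Pause or restart a portal launch on the site", the command reads `Set-SPOPortalLaunchWaves -Status Pause - LaunchSiteUrl <object>`, with a space between the hyphen and `LaunchSiteUrl`, so a reader who copies it will not get the parameter bound as intended. This commit already touches the section to fix heading levels and code-block indentation, so tighten it to `-LaunchSiteUrl <object>` in the same pass. The restart and delete steps also show "Example:" with no command visible after it in this rendering; confirm that the fenced blocks there survive the indentation change.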
enterprise Configure Exchange Server For Hybrid Modern Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication.md
If OAuth is missing from any server and any of the four virtual directories, you
Return to the on-premises Exchange Management Shell for this last command. Now you can validate that your on-premises has an entry for the evoSTS authentication provider: ```powershell
-Get-AuthServer | where {$_.Name -eq "EvoSts"}
+Get-AuthServer | where {$_.Name -like "EvoSts"}
``` Your output should show an AuthServer of the Name EvoSts and the 'Enabled' state should be True. If you don't see this, you should download and run the most recent version of the Hybrid Configuration Wizard.
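Review bot: On the changed `Get-AuthServer` line, `-like "EvoSts"` has no wildcard, so it matches exactly the same names as the `-eq "EvoSts"` it replaces (both comparisons are case-insensitive in PowerShell). If the goal is to also return auth server entries whose name only begins with EvoSts, the pattern needs to be `-like "EvoSts*"`, and the sentence that follows ("an AuthServer of the Name EvoSts") should be reworded to match. Otherwise keep `-eq`, which states the intent more clearly.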
enterprise Microsoft 365 Vpn Split Tunnel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-vpn-split-tunnel.md
description: "Guidance for using VPN split tunneling with Office 365 to optimize
>- For information about optimizing Office 365 worldwide tenant performance for users in China, see [Office 365 performance optimization for China users](microsoft-365-networking-china.md). -->
-For customers who connect their remote worker devices to the corporate network or cloud infrastructure over VPN, Microsoft recommends that the key Office 365 scenarios **Microsoft Teams**, **SharePoint Online** and **Exchange Online** are routed over a _VPN split tunnel_ configuration. This becomes especially important as the first line strategy to facilitate continued employee productivity during large scale work-from-home events such as the COVID-19 crisis.
+For customers who connect their remote worker devices to the corporate network or cloud infrastructure over VPN, Microsoft recommends that the key Office 365 scenarios **Microsoft Teams**, **SharePoint Online**, and **Exchange Online** are routed over a _VPN split tunnel_ configuration. This becomes especially important as the first line strategy to facilitate continued employee productivity during large-scale work-from-home events such as the COVID-19 crisis.
![Split Tunnel VPN configuration](../media/vpn-split-tunneling/vpn-model-2.png)
The essence of this approach is to provide a simple method for enterprises to mi
- Immediately mitigates the root cause of a majority of customer-reported performance and network capacity issues in enterprise VPN architectures impacting Office 365 user experience
- The recommended solution specifically targets Office 365 service endpoints categorized as **Optimize** in the topic [Office 365 URLs and IP address ranges](./urls-and-ip-address-ranges.md). Traffic to these endpoints is highly sensitive to latency and bandwidth throttling, and enabling it to bypass the VPN tunnel can dramatically improve the end user experience as well as reduce the corporate network load. Office 365 connections that do not constitute the majority of bandwidth or user experience footprint can continue to be routed through the VPN tunnel along with the rest of the Internet-bound traffic. For more information, see [The VPN split tunnel strategy](#the-vpn-split-tunnel-strategy).
+ The recommended solution specifically targets Office 365 service endpoints categorized as **Optimize** in the topic [Office 365 URLs and IP address ranges](./urls-and-ip-address-ranges.md). Traffic to these endpoints is highly sensitive to latency and bandwidth throttling, and enabling it to bypass the VPN tunnel can dramatically improve the end-user experience as well as reduce the corporate network load. Office 365 connections that do not constitute the majority of bandwidth or user experience footprint can continue to be routed through the VPN tunnel along with the rest of the Internet-bound traffic. For more information, see [The VPN split tunnel strategy](#the-vpn-split-tunnel-strategy).
-- Can be configured, tested and implemented rapidly by customers and with no additional infrastructure or application requirements
+- Can be configured, tested, and implemented rapidly by customers and with no additional infrastructure or application requirements
Depending on the VPN platform and network architecture, implementation can take as little as a few hours. For more information, see [Implement VPN split tunneling](microsoft-365-vpn-implement-split-tunnel.md#implement-vpn-split-tunneling). - Preserves the security posture of customer VPN implementations by not changing how other connections are routed, including traffic to the Internet
- The recommended configuration follows the **least privilege** principle for VPN traffic exceptions and allows customers to implement split tunnel VPN without exposing users or infrastructure to additional security risks. Network traffic routed directly to Office 365 endpoints is encrypted, validated for integrity by Office client application stacks and scoped to IP addresses dedicated to Office 365 services which are hardened at both the application and network level. For more information, see [Alternative ways for security professionals and IT to achieve modern security controls in today's unique remote work scenarios (Microsoft Security Team blog)](https://www.microsoft.com/security/blog/2020/03/26/alternative-security-professionals-it-achieve-modern-security-controls-todays-unique-remote-work-scenarios/).
+ The recommended configuration follows the **least privilege** principle for VPN traffic exceptions and allows customers to implement split tunnel VPN without exposing users or infrastructure to additional security risks. Network traffic routed directly to Office 365 endpoints is encrypted, validated for integrity by Office client application stacks and scoped to IP addresses dedicated to Office 365 services that are hardened at both the application and network level. For more information, see [Alternative ways for security professionals and IT to achieve modern security controls in today's unique remote work scenarios (Microsoft Security Team blog)](https://www.microsoft.com/security/blog/2020/03/26/alternative-security-professionals-it-achieve-modern-security-controls-todays-unique-remote-work-scenarios/).
- Is natively supported by most enterprise VPN platforms
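Review bot: The rewritten least-privilege paragraph still reads "validated for integrity by Office client application stacks and scoped to IP addresses", without the serial comma that this commit adds elsewhere ("Microsoft Teams, SharePoint Online, and Exchange Online", "configured, tested, and implemented"). Add a comma after "application stacks" so the three properties of the direct traffic (encrypted, validated, scoped) read as one list.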
The essence of this approach is to provide a simple method for enterprises to mi
For full implementation guidance, see [Implementing VPN split tunneling for Office 365](microsoft-365-vpn-implement-split-tunnel.md).
+For a step-by-step process to configure Microsoft 365 for remote workers, see [Set up your infrastructure for remote work](..\solutions\empower-people-to-work-remotely.md)
+ ## The VPN split tunnel strategy Traditional corporate networks are often designed to work securely for a pre-cloud world where most important data, services, applications are hosted on premises and are directly connected to the internal corporate network, as are the majority of users. Thus network infrastructure is built around these elements in that branch offices are connected to the head office via _Multiprotocol Label Switching (MPLS)_ networks, and remote users must connect to the corporate network over a VPN to access both on premises endpoints and the Internet. In this model, all traffic from remote users traverses the corporate network and is routed to the cloud service through a common egress point.
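Review bot: The added link target `..\solutions\empower-people-to-work-remotely.md` uses backslashes, while the other relative links visible in this file use forward slashes (`./urls-and-ip-address-ranges.md`, `../media/vpn-split-tunneling/vpn-model-2.png`). Backslash separators are not portable in Markdown links, so change it to `../solutions/empower-people-to-work-remotely.md`. The new sentence is also missing its closing period.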
Traditional corporate networks are often designed to work securely for a pre-clo
_Figure 2: A common VPN solution for remote users where all traffic is forced back into the corporate network regardless of destination_
-As organizations move data and applications to the cloud, this model has begun to become less effective as it quickly becomes cumbersome, expensive and unscalable, significantly impacting network performance and efficiency of users and restricting the ability of the organization to adapt to changing needs. Numerous Microsoft customers have reported that a few years ago 80% of network traffic was to an internal destination, but in 2020 80% plus of traffic connects to an external cloud based resource.
+As organizations move data and applications to the cloud, this model has begun to become less effective as it quickly becomes cumbersome, expensive, and unscalable, significantly impacting network performance and efficiency of users and restricting the ability of the organization to adapt to changing needs. Numerous Microsoft customers have reported that a few years ago 80% of network traffic was to an internal destination, but in 2020 80% plus of traffic connects to an external cloud-based resource.
-The COVID-19 crisis has aggravated this problem to require immediate solutions for the vast majority of organizations. Many customers have found that the forced VPN model is not scalable or performant enough for 100% remote work scenarios such as that which this crisis has necessitated. Rapid solutions are required for these organization to continue to operate efficiently.
+The COVID-19 crisis has aggravated this problem to require immediate solutions for the vast majority of organizations. Many customers have found that the forced VPN model is not scalable or performant enough for 100% remote work scenarios such as that which this crisis has necessitated. Rapid solutions are required for these organizations to continue to operate efficiently.
-For the Office 365 service, Microsoft has designed the connectivity requirements for the service with this problem squarely in mind, where a focused, tightly controlled and relatively static set of service endpoints can be optimized very simply and quickly so as to deliver high performance for users accessing the service, and reducing the burden on the VPN infrastructure so it can be used by traffic which still requires it.
+For the Office 365 service, Microsoft has designed the connectivity requirements for the service with this problem squarely in mind, where a focused, tightly controlled and relatively static set of service endpoints can be optimized very simply and quickly so as to deliver high performance for users accessing the service, and reducing the burden on the VPN infrastructure so it can be used by traffic that still requires it.
Office 365 categorizes the required endpoints for Office 365 into three categories: **Optimize**, **Allow**, and **Default**. **Optimize** endpoints are our focus here and have the following characteristics:
Office 365 categorizes the required endpoints for Office 365 into three categori
This tightly scoped set of endpoints can be split out of the forced VPN tunnel and sent securely and directly to the Office 365 service via the user's local interface. This is known as **split tunneling**.
-Security elements such as DLP, AV protection, authentication and access control can all be delivered much more efficiently against these endpoints at different layers within the service. As we also divert the bulk of the traffic volume away from the VPN solution, this frees the VPN capacity up for business critical traffic which still relies on it. It also should remove the need in many cases to go through a lengthy and costly upgrade program to deal with this new way of operating.
+Security elements such as DLP, AV protection, authentication, and access control can all be delivered much more efficiently against these endpoints at different layers within the service. As we also divert the bulk of the traffic volume away from the VPN solution, this frees the VPN capacity up for business critical traffic that still relies on it. It also should remove the need in many cases to go through a lengthy and costly upgrade program to deal with this new way of operating.
![Split Tunnel VPN configuration details](../media/vpn-split-tunneling/vpn-split-tunnel-example.png)
enterprise Prepare For Directory Synchronization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/prepare-for-directory-synchronization.md
The attributes that you need to prepare are listed here:
- Maximum number of characters per value: 256 - The attribute value must not contain a space. - The attribute value must be unique within the directory.
- - Invalid characters: \< \> ( ) ; , [ ] " '
+ - Invalid characters: \< \> ( ) ; , [ ] "
Note that the invalid characters apply to the characters following the type delimiter and ":", such that SMTP:User@contso.com is allowed, but SMTP:user:M@contoso.com is not.
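Review bot: The apostrophe is dropped from the invalid-character list while nothing else visible in the section changes, so a reader cannot tell whether `'` is now accepted in this attribute or was removed by accident. Admins clean up directory data against this list before synchronization, so state the reason in the commit message or keep the character. While here, the allowed example in the following note spells the domain "contso.com", where the disallowed example uses "contoso.com".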
Also see [How to prepare a non-routable domain (such as .local domain) for direc
## Next steps
-If you have done steps 1 through 5 above, see [Set up directory synchronization](set-up-directory-synchronization.md).
+If you have done steps 1 through 5 above, see [Set up directory synchronization](set-up-directory-synchronization.md).
knowledge Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/search.md
The topic answer will display:
The topic page can display in the search results even if the topic answer card doesn't appear.
+The search results in Word and PowerPoint will also show the topic answer when one is found.
+ ## Acronyms
For users who are looking for information about booking a trip for work:
In the users search experience, when a user searches for a term like ΓÇ£travelΓÇ¥, search results will display in the following priority in Microsoft Search 1. Published or Confirmed topics 2. Bookmarks
-3. Suggested topics
+3. Suggested topics
knowledge Topic Experiences Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-overview.md
Title: "Microsoft Viva Topics overview"--++ audience: admin
description: "Overview of Viva Topics."
# Microsoft Viva Topics overview
-Viva Topics uses Microsoft AI technology, Microsoft 365, Microsoft Graph, Search, and other components and services to bring knowledge to your users in Microsoft 365 apps they use everyday, starting with SharePoint modern pages and Microsoft Search.
+Viva Topics uses Microsoft AI technology, Microsoft 365, Microsoft Graph, Search, and other components and services to bring knowledge to your users in Microsoft 365 apps they use everyday, starting with SharePoint modern pages, Microsoft Search, and Search in Word and PowerPoint.
</br>
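Review bot: The edited sentence keeps "apps they use everyday", where the adverbial "every day" is meant ("everyday" is the adjective). Since the line is being rewritten anyway to add "Search in Word and PowerPoint", fix it in the same change.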
Viva Topics uses AI to automatically search for and identify **topics** in your
When a topic is mentioned in content on SharePoint news and pages, you'll see it highlighted. You can open the topic summary from the highlight. Open the topic details from the title of the summary. The mentioned topic could be identified automatically or have been added to the page with a direct reference to the topic by the page author.
- ![Topic highlights](../media/knowledge-management/saturn.png) </br>
+ ![Topic highlights](../media/knowledge-management/saturn.png)
+When you use Search in Word or PowerPoint, either through the search box, or by selecting **Search** in the context menu, the results that are displayed might also show the topic summary.
+
+ ![Screenshot showing search in Word through the Search box.](../media/knowledge-management/word-search-2.png)
+
+ ![Screenshot showing search in Word through the Search context menu.](../media/knowledge-management/word-search-1.png)
## Knowledge indexing
managed-desktop Network https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/network.md
Azure Active Directory | api.login.microsoftonline.com<br>api.passwordreset.micr
Microsoft Intune | login.microsoftonline.com<br>portal.manage.microsoft.com<br>m.manage.microsoft.com<br>sts.manage.microsoft.com<br>Manage.microsoft.com <br>i.manage.microsoft.com <br>r.manage.microsoft.com <br>a.manage.microsoft.com <br>p.manage.microsoft.com <br>EnterpriseEnrollment.manage.microsoft.com <br>EnterpriseEnrollment-s.manage.microsoft.com<br>portal.fei.msua01.manage.microsoft.com<br>m.fei.msua01.manage.microsoft.com<br>fei.msua01.manage.microsoft.com<br>portal.fei.msua01.manage.microsoft.com <br>m.fei.msua01.manage.microsoft.com<br>fei.msua02.manage.microsoft.com<br>portal.fei.msua02.manage.microsoft.com<br>m.fei.msua02.manage.microsoft.com<br>fei.msua02.manage.microsoft.com<br>portal.fei.msua02.manage.microsoft.com<br>m.fei.msua02.manage.microsoft.com<br>fei.msua04.manage.microsoft.com<br>portal.fei.msua04.manage.microsoft.com <br>m.fei.msua04.manage.microsoft.com<br>fei.msua04.manage.microsoft.com<br>portal.fei.msua04.manage.microsoft.com <br>m.fei.msua04.manage.microsoft.com<br>fei.msua05.manage.microsoft.com <br>portal.fei.msua05.manage.microsoft.com <br>m.fei.msua05.manage.microsoft.com<br>fei.msua05.manage.microsoft.com <br>portal.fei.msua05.manage.microsoft.com <br>m.fei.msua05.manage.microsoft.com<br>fei.amsua0502.manage.microsoft.com <br>portal.fei.amsua0502.manage.microsoft.com <br>m.fei.amsua0502.manage.microsoft.com<br>fei.amsua0502.manage.microsoft.com <br>portal.fei.amsua0502.manage.microsoft.com <br>m.fei.amsua0502.manage.microsoft.com<br>fei.msua06.manage.microsoft.com <br>portal.fei.msua06.manage.microsoft.com <br>m.fei.msua06.manage.microsoft.com<br>fei.msua06.manage.microsoft.com <br>portal.fei.msua06.manage.microsoft.com <br>m.fei.msua06.manage.microsoft.com<br>fei.amsua0602.manage.microsoft.com <br>portal.fei.amsua0602.manage.microsoft.com <br>m.fei.amsua0602.manage.microsoft.com<br>fei.amsua0602.manage.microsoft.com <br>portal.fei.amsua0602.manage.microsoft.com 
<br>m.fei.amsua0602.manage.microsoft.com<br>fei.msub01.manage.microsoft.com <br>portal.fei.msub01.manage.microsoft.com <br>m.fei.msub01.manage.microsoft.com<br>fei.msub01.manage.microsoft.com <br>portal.fei.msub01.manage.microsoft.com <br>m.fei.msub01.manage.microsoft.com<br>fei.amsub0102.manage.microsoft.com <br>portal.fei.amsub0102.manage.microsoft.com <br>m.fei.amsub0102.manage.microsoft.com<br>fei.amsub0102.manage.microsoft.com <br>portal.fei.amsub0102.manage.microsoft.com <br>m.fei.amsub0102.manage.microsoft.com<br>fei.msub02.manage.microsoft.com <br>portal.fei.msub02.manage.microsoft.com <br>m.fei.msub02.manage.microsoft.com<br>fei.msub02.manage.microsoft.com <br>portal.fei.msub02.manage.microsoft.com <br>m.fei.msub02.manage.microsoft.com<br>fei.msub03.manage.microsoft.com <br>portal.fei.msub03.manage.microsoft.com <br>m.fei.msub03.manage.microsoft.com<br>fei.msub03.manage.microsoft.com <br>portal.fei.msub03.manage.microsoft.com <br>m.fei.msub03.manage.microsoft.com<br>fei.msub05.manage.microsoft.com <br>portal.fei.msub05.manage.microsoft.com <br>m.fei.msub05.manage.microsoft.com<br>fei.msub05.manage.microsoft.com <br>portal.fei.msub05.manage.microsoft.com <br>m.fei.msub05.manage.microsoft.com<br>fei.msuc01.manage.microsoft.com <br>portal.fei.msuc01.manage.microsoft.com <br>m.fei.msuc01.manage.microsoft.com<br>fei.msuc01.manage.microsoft.com <br>portal.fei.msuc01.manage.microsoft.com <br>m.fei.msuc01.manage.microsoft.com<br>fei.msuc02.manage.microsoft.com <br>portal.fei.msuc02.manage.microsoft.com <br>m.fei.msuc02.manage.microsoft.com<br>fei.msuc02.manage.microsoft.com <br>portal.fei.msuc02.manage.microsoft.com <br>m.fei.msuc02.manage.microsoft.com<br>fei.msuc03.manage.microsoft.com <br>portal.fei.msuc03.manage.microsoft.com <br>m.fei.msuc03.manage.microsoft.com<br>fei.msuc03.manage.microsoft.com <br>portal.fei.msuc03.manage.microsoft.com <br>m.fei.msuc03.manage.microsoft.com<br>fei.msuc05.manage.microsoft.com <br>portal.fei.msuc05.manage.microsoft.com 
<br>m.fei.msuc05.manage.microsoft.com<br>fei.msuc05.manage.microsoft.com <br>portal.fei.msuc05.manage.microsoft.com <br>m.fei.msuc05.manage.microsoft.com<br>fef.msua01.manage.microsoft.com<br>fef.msua02.manage.microsoft.com<br>fef.msua04.manage.microsoft.com<br>fef.msua05.manage.microsoft.com<br>fef.msua06.manage.microsoft.com<br>fef.msua07.manage.microsoft.com<br>fef.msub01.manage.microsoft.com<br>fef.msub02.manage.microsoft.com<br>fef.msub03.manage.microsoft.com<br>fef.msub05.manage.microsoft.com<br>fef.msuc01.manage.microsoft.com<br>fef.msuc02.manage.microsoft.com<br>fef.msuc03.manage.microsoft.com<br>fef.msuc05.manage.microsoft.com | [Intune network configuration requirements](/intune/network-bandwidth-use) OneDrive for Business | onedrive.com <br> <br>\*.onedrive.com <br>onedrive.live.com <br>login.live.com <br>spoprod-a.akamaihd.net <br>\*.mesh.com <br>p.sfx.ms <br>\*.microsoft.com <br>fabric.io <br>\*.crashlytics.com <br>vortex.data.microsoft.com <br>https://posarprodcssservice.accesscontrol.windows.net <br>redemptionservices.accesscontrol.windows.net <br>token.cp.microsoft.com/ <br>tokensit.cp.microsoft-tst.com/ <br>\*.office.com <br>\*.officeapps.live.com <br>\*.aria.microsoft.com <br>\*.mobileengagement.windows.net <br>\*.branch.io <br>\*.adjust.com <br>\*.servicebus.windows.net <br>vas.samsungapps.com <br>odc.officeapps.live.com <br>login.windows.net <br>login.microsoftonline.com <br>\*.files.1drv.com <br>\*.onedrive.live.com <br>\*.\*.onedrive.live.com <br>storage.live.com <br>\*.storage.live.com <br>\*.\*.storage.live.com <br>\*.groups.office.live.com <br>\*.groups.photos.live.com <br>\*.groups.skydrive.live.com <br>favorites.live.com <br>oauth.live.com <br>photos.live.com <br>skydrive.live.com <br>api.live.net <br>apis.live.net <br>docs.live.net <br>\*.docs.live.net <br>policies.live.net <br>\*.policies.live.net <br>settings.live.net <br>\*.settings.live.net <br>skyapi.live.net <br>snapi.live.net <br>\*.livefilestore.com <br>\*.\*.livefilestore.com 
<br>storage.msn.com <br>\*.storage.msn.com <br>\*.*.storage.msn.com | [Required URLs and ports for OneDrive](/onedrive/required-urls-and-ports) Microsoft Defender Advanced Threat Protection (ATP) | \ *.oms.opinsights.azure.com <br>\*.blob.core.windows.net <br>\*.azure-automation.net <br>\*.ods.opinsights.azure.com <br>winatp-gw-cus.microsoft.com <br>winatp-gw-eus.microsoft.com <br>winatp-gw-neu.microsoft.com <br>winatp-gw-weu.microsoft.com <br>winatp-gw-uks.microsoft.com <br>winatp-gw-ukw.microsoft.com <br>winatp-gw-aus.microsoft.com <br>winatp-gw-aue.microsoft.com | [Windows Defender ATP endpoints](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection)
-Get Help | \*.support.services.microsoft.com <br>inprod.support.services.microsoft.com <br>supportchannels.services.microsoft.com <br>graph.windows.net <br>login.windows.net <br>prod-mwaas-services-customerapi.azurewebsites.net <br>concierge.live.com |
+Get Help | \*.support.services.microsoft.com <br>inprod.support.services.microsoft.com <br>supportchannels.services.microsoft.com <br>graph.windows.net <br>login.windows.net <br>prod-mwaas-services-customerapi.azurewebsites.net <br>concierge.live.com <br>rave.office.net |
Quick Assist | remoteassistance.support.services.microsoft.com <br>relay.support.services.microsoft.com <br>channelwebsdks.azureedge.net <br>web.vortex.data.microsoft.com <br>gateway.channelservices.microsoft.com <br>\*.lync.com | SharePoint Online | \*.sharepoint.com <br>\ *.svc.ms <br>\<tenant\>.sharepoint.com <br>\<tenant\>-my.sharepoint.com <br>\<tenant\>-files.sharepoint.com <br>\<tenant\>-myfiles.sharepoint.com <br>\*.sharepointonline.com <br>cdn.sharepointonline.com <br>static.sharepointonline.com <br>spoprod-a.akamaihd.net <br>publiccdn.sharepointonline.com <br>privatecdn.sharepointonline.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) OneDrive for Business | admin.onedrive.com <br>officeclient.microsoft.com <br>odc.officeapps.live.com <br>skydrive.wns.windows.com <br>g.live.com <br>oneclient.sfx.ms <br>\*.log.optimizely.com <br>click.email.microsoftonline.com <br>ssw.live.com <br>storage.live.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
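Review bot: The Get Help row gains `rave.office.net` but still ends with an empty reference column, unlike the Intune, OneDrive and SharePoint rows, which link to the article their hostnames come from. Admins copy this table into proxy and firewall allow lists, so add a source link or a short statement of what the new endpoint is used for. That lets the exception be justified and reviewed later.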
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/index.md
Your IT admins benefit from these features:
## Device management Microsoft Managed Desktop takes on the burden of managing registered devices and the Microsoft software they use. -- **Hardware:** Instead of your IT department having to research and figure out if a device is compatible with the service, we've provided specific hardware and software requirements, tools, and processes to streamline selection so you can choose devices with confidence. You can find recommended devices by filtering for Microsoft Managed Desktop on the [Shop Windows 10 Pro business devices](https://www.microsoft.com/windowsforbusiness/view-all-devices) site. You can either obtain devices yourself (or work with a partner) or reuse devices you already have, provided they are on the approved list. Registering devices is easy and straightforward, and before they're deployed, you can also [customize](../working-with-managed-desktop/config-setting-overview.md) certain aspects of the device experience for your users.
+- **Hardware:** Instead of your IT department having to research and figure out if a device is compatible with the service, we've provided specific hardware and software requirements, tools, and processes to streamline selection so you can choose devices with confidence. You can find recommended devices by filtering for Microsoft Managed Desktop on the [Shop Windows 10 Pro business devices](https://www.microsoft.com/windowsforbusiness/view-all-devices) site. You can either obtain devices yourself (or work with a partner) or reuse devices you already have. Registering devices is easy and straightforward, and before they're deployed, you can also [customize](../working-with-managed-desktop/config-setting-overview.md) certain aspects of the device experience for your users.
- **Updates:** Microsoft Managed Desktop sets up and manages all aspects of [deployment groups](../service-description/updates.md) for Windows 10 quality and feature updates, drivers, firmware, anti-virus definitions, and Microsoft 365 Apps for enterprise updates. This includes extensive testing and verification of all updates, assuring that registered devices are always up to date and minimizing disruptions, freeing your IT department from that ongoing task.
managed-desktop Diagnostic Logs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/diagnostic-logs.md
+
+ Title: Diagnostic logs
+description: Logs that might be collected from devices during troubleshooting and how they are stored
+keywords: Microsoft Managed Desktop, Microsoft 365, service, documentation
++
+ms.localizationpriority: normal
++++++
+# Diagnostic logs
+
+When we troubleshoot an issue on a device managed by Microsoft Managed Desktop, whether one you've reported or one identified by our service, we might have to collect certain diagnostic logs from the device without intervention from the user. We don't collect any user-generated content or information from user directories. We only collect diagnostic and log data that concerns device health and status.
+
+We store any collected logs for 28 days, and then delete them. We process any logs collected from a device following our [data handling standards](privacy-personal-data.md).
+
+## Data collected
+
+This list includes all the folders, event logs, executables, or registry locations that Microsoft Managed Desktop might collect diagnostic logs from. The actual data collected will be a subset of this list and depends on the identified issue.
+
+### Registry keys
+
+- HKLM\\SYSTEM\\CurrentControlSet\\Services
+- HKLM\\SOFTWARE\\Microsoft\\Surface
+- HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate
+- HKLM\\SYSTEM\\CurrentControlSet\\Control\\MUI\\UILanguages
+- HKLM\\Software\\Policies\\Microsoft\\WindowsStore
+- HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate
+- HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
+- HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion
+- HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppModel
+- HKLM\\SYSTEM\\CurrentControlSet\\Control\\FirmwareResources
+- HKLM\\SOFTWARE\\Microsoft\\WindowsSelfhost
+- HKLM\\SOFTWARE\\Microsoft\\WindowsUpdate
+- HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Appx
+- HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Superfetch
+- HKLM\\SYSTEM\\Setup
+- HKLM\\Software\\Microsoft\\IntuneManagementExtension
+- HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot
+- HKLM\\SOFTWARE\\Microsoft\\Windows Advanced Threat Protection
+- HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI
+- HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
+- HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall
+- HKLM\\Software\\Policies
+- HKLM\\SOFTWARE\\Policies\\Microsoft\\Cryptography\\Configuration\\SSL
+- HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection
+- HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall
+- HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL
+
+### Commands
+
+- %programfiles%\\windows defender\\mpcmdrun.exe -GetFiles
+- %windir%\\system32\\certutil.exe -store
+- %windir%\\system32\\certutil.exe -store -user my
+- %windir%\\system32\\Dsregcmd.exe /status
+- %windir%\\system32\\ipconfig.exe /all
+- %windir%\\system32\\ipconfig.exe /displaydns
+- %windir%\\system32\\mdmdiagnosticstool.exe
+- %windir%\\system32\\msinfo32.exe /report %temp%\\MDMDiagnostics\\msinfo32.log
+- %windir%\\system32\\netsh.exe advfirewall show allprofiles
+- %windir%\\system32\\netsh.exe advfirewall show global
+- %windir%\\system32\\netsh.exe lan show profiles
+- %windir%\\system32\\netsh.exe winhttp show proxy
+- %windir%\\system32\\netsh.exe wlan show profiles
+- %windir%\\system32\\netsh.exe wlan show wlanreport
+- %windir%\\system32\\ping.exe -n 50 localhost
+- %windir%\\system32\\powercfg.exe /batteryreport /output %temp%\\MDMDiagnostics\\battery-report.html
+- %windir%\\system32\\powercfg.exe /energy /output %temp%\\MDMDiagnostics\\energy-report.html
+- bitsadmin /list /allusers /verbose
+- fltMC.exe
+- bcdedit /enum all /v
+- manage-bde -protectors -get
+- Windows PowerShell commands:
+ - Get-appxpackage -allusers
+ - Get-appxpackage -packagetype bundle
+ - Get-Service wuauserv
+ - Get-NetFirewallRule
+ - Get-WmiObject -Class win32\_product
+ - Get-ComputerInfo
+ - Get-Service
+ - Get-Process
+ - Get-WmiObject Win32\_PnPSignedDriver
+
+### Event logs
+
+- Application
+- Microsoft-Windows-AppLocker/EXE and DLL
+- Microsoft-Windows-AppLocker/MSI and Script
+- Microsoft-Windows-AppLocker/Packaged app-Deployment
+- Microsoft-Windows-AppLocker/Packaged app-Execution
+- Microsoft-Windows-Bitlocker/Bitlocker Management
+- Microsoft-Windows-SENSE/Operational
+- Microsoft-Windows-SenseIR/Operational
+- Setup
+- System
+
+### Files
+
+- %ProgramData%\\Microsoft\\DiagnosticLogCSP\\Collectors\\\*.etl
+- %ProgramData%\\Microsoft\\IntuneManagementExtension\\Logs\\\*.\*
+- %ProgramData%\\Microsoft\\Windows Defender\\Support\\MpSupportFiles.cab
+- %ProgramData%\\Microsoft\\Windows\\WlanReport\\wlan-report-latest.html
+- %ProgramData%\\Microsoft\\Windows\\WlanReport -SourceFileName wlan-report-latest.html
+- %windir%\\ccm\\logs\*.log
+- %windir%\\ccmsetup\\logs\*.log
+- %windir%\\logs\\CBS\\cbs.log
+- %windir%\\logs\\measuredboot\*.\*
+- %windir%\\Logs\\WindowsUpdate\*.etl
+- %windir%\\inf\\\*.log
+- %windir%\\servicing\\sessions\\ActionList.xml
+- %windir%\\servicing\\sessions\\Sessions.xml
+- %windir%\\SoftwareDistribution\\DataStore\\Logs\\edb.log
+- %windir%\\SoftwareDistribution\\DataStore\\DataStore.edb
+- %windir%\\logs\\dism\\dism.log
+- %SystemRoot%\\System32\\Winevt\\Logs\\
+- %appdata%\\Microsoft\\Teams\\media-stack\\\*.blog
+- %appdata%\\Microsoft\\Teams\\skylib\\\*.blog
+- %appdata%\\Microsoft\\Teams\\media-stack\\\*.etl
+- %appdata%\\Microsoft\\Teams\\logs.txt
+- %windir%\\Windows\\System32\\winevt\\\*.\*
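Review bot: Several entries in the added Files list look malformed and should be checked against what the collector actually gathers. `%windir%\\ccm\\logs\*.log` has no escaped backslash before the wildcard, unlike `%windir%\\inf\\\*.log`, so it renders as `logs*.log`; the ccmsetup, measuredboot and WindowsUpdate entries have the same problem. The `%ProgramData%\\Microsoft\\Windows\\WlanReport -SourceFileName wlan-report-latest.html` entry reads like a leftover command argument and duplicates the line above it. `%windir%\\Windows\\System32\\winevt\\\*.\*` repeats the Windows directory and overlaps with the `%SystemRoot%\\System32\\Winevt\\Logs\\` entry. Admins use this list to judge what data leaves the device, so the paths need to be exact.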
scheduler Scheduler Faqs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-faqs.md
- Title: "Scheduler for Microsoft 365 FAQs"-----
-localization_priority: Normal
-description: "Scheduler for Microsoft 365 FAQs"
-
-# Scheduler for Microsoft 365 FAQs
-
-**Question:** How does Scheduler integrate with other Cortana features, such as *Cortana for Windows*, *Daily Briefing Email*, and *Play My Emails*?</br>
-Scheduler is an independent service from other Cortana features. Other Cortana features can be disabled at the tenant level, and Scheduler can still be enabled by using the cortana@yourdomain.com email address. Currently, users can only interact with Scheduler via email.
-
-**Question:** Does this work only with Outlook? Are other email products supported?</br>
-As long as you have a license, Other than the three requirements above, users can email cortana@yourdomain.com from any email client on any device.
-
-**Question:** Can contacts be in a personal contact list on Outlook and GAL or other company equivalent?</br>
-Meeting attendees can be anyone with an email address inside or outside the company. Unfortunately, Scheduler cannot automatically translate names to email addresses / alias by looking it up in the GAL today.
-
-**Question:** Can I use Scheduler with my installed version (on-premises) version of Outlook?</br>
-Scheduler requires Exchange Online. Does not work with Exchange Server (On-Prem). Works with any email client, Outlook Desktop, OWA, iOS, android, gmail, and so on.
-
-**Question:** Does Outlook have to be open in the background?</br>
-Outlook doesn't need to be open in the background. All you need to do is send Cortana a mail and rely on it to do the bulk of the work.
-
-## Frequently Asked Trust and Privacy Questions
-
-**Question:** How does Scheduler work?</br>
-Scheduler uses Scheduling Intelligence (AI) augmented with human assistants. If AI models generate a need for support in the natural language of communication with Cortana, the meeting request escalates to a human for review and completion.
-
-**Question:** Who are the humans that review escalated requests? </br>
-Scheduler assistants are Microsoft Supplier Security and Privacy Assurance (SSPA) certified for personal and highly confidential information.
-
-**Question:** What can SSPA Assistants view?</br>
-Scheduler and the SSPA Assistants can view the emails that are addressed to Cortana. In a threaded email exchange, only the emails that include CortanaΓÇÖs email address will be processed, not the previous emails in the thread before Cortana was added.
-
-**Question:** Is customer data retained in the SchedulerΓÇÖs Data Flow?ΓÇï </br>
-Scheduler stores all customer content within the tenant boundaries and retains data in accordance with GDPR guidelines, Microsoft 365 Trust & Privacy policies, and tenant email policies.
-
-**Question:** How does Scheduler process the free/busy data of internal attendees?ΓÇï </br>
-SchedulerΓÇÖs automation uses the *findMeetingTimes* service to identify times that are mutually available for attendees and the organizer. This service powers other Outlook experiences such as *Suggested Times* in the Outlook meeting form. Free/busy attendee information is not consumed explicitly as free/busy blocks.ΓÇï
-
-**Question:** Is Scheduler GDPR Compliant? </br>
-Yes.
-
-**Question:** Who has access to the Cortana mailbox? </br>
-Scheduler processes meeting requests and associated emails that are sent to your tenantΓÇÖs Cortana mailbox. Microsoft does not have any other access to the Cortana mailbox except through Lockbox approval at the request of the tenant admin.
-
-**Question:** Is customer data used for training AI models?</br>
-No customer content from Scheduler for Microsoft 365 can be used for data training sets. All customer content resides in the customer tenant. ΓÇï
-
-**Question:** Will Scheduler process encrypted mail?</br>
-No, encrypted mail will be rejected by the Scheduler workflow.
----
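Review bot: The removed "Frequently Asked Trust and Privacy Questions" section is where the article states that escalated requests are reviewed by human assistants, that only emails including Cortana's address are processed, and that encrypted mail is rejected. If the service is still offered to tenants, keep those statements reachable (or redirect this URL to the article that carries them), because admins rely on them for data-handling reviews. If the article is being retired with the service, say so in the commit message.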
scheduler Scheduler Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-overview.md
- Title: "Scheduler for Microsoft 365 Overview"-----
-localization_priority: Normal
-description: "Overview of Scheduler for Microsoft 365."
--
-# Welcome to Scheduler for Microsoft 365
-
-Scheduler for Microsoft 365 is a service that lets you delegate meeting and appointment scheduling to Cortana, your digital personal assistant.
-
-Scheduler uses natural language processing to interpret emails sent to Cortana (cortana@yourdomain.com) to find a time to meet and send calendar invitations for the meeting organizer.
-
-Scheduler:
--- Communicates with the meeting organizer and attendees by email in natural language.-- Finds a time to meet when everyone is available.-- Coordinates between external attendees based on the organizerΓÇÖs availability.-- Keeps the meeting organizer informed on scheduling progress and asks the organizer for guidance when needed.-- Negotiates times to meet across up to two different time zones.-- Sends the invitation to the meeting from the organizer.-- Adds a Teams link to every meeting.-- Reschedules or cancels meetings booked by Cortana.-- Works from any device with access to email.-
-## Who can benefit from Scheduler for Microsoft 365?
-
-Scheduler takes care of the time-consuming hassle of scheduling meetings so users can focus on more important things.
-
-If you regularly schedule small meetings with fewer than five attendees, you'll save time with Scheduler. Departments such as recruiting, sales, procurement, and legal can benefit from delegating meeting coordination to Scheduler.
-
-## How does Scheduler for Microsoft 365 work?
-
-Scheduler uses a combination of artificial intelligence and human intelligence to complete scheduling requests that are received by emailing Cortana (Cortana@yourdomain.com).
-
-To use Scheduler, add CortanaΓÇÖs email address to an email with the people you want to meet with and ask Cortana to book a meeting in natural language.
-
-In your request, tell Cortana how long and when you want to meet. For example, **ΓÇ£Cortana, find 45 minutes for us to meet next week.ΓÇ¥**
-
-After a user sends a meeting request to Cortana, the Scheduler service:
--- Finds a time to meet based on the availability of the organizer and attendees in the same tenant.-- If the organizer does not have access to availability of the attendees, Cortana negotiates a time to meet with those attendees by email. -- Once a mutually agreeable time has been found, Cortana adds a Teams meeting and sends out the calendar invites.
scheduler Scheduler Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-setup.md
- Title: "Setting up Scheduler for Microsoft 365."-----
-localization_priority: Normal
-description: "Setting up Scheduler for Microsoft 365."
-
-# Setting up Scheduler for Microsoft 365
-
-To set up the Scheduler for Microsoft 365, following are the prerequisites:
-
-|**What do I need?** |**Description** |
-|-|-|
-|Cortana mailbox |Tenant admins will need to set a mailbox to serve as the ΓÇ£CortanaΓÇ¥ mailbox (that is, cortana@yourdomain.com). |
-|Exchange Online mailbox |Users must have an Exchange Online mail and calendar |
-|Scheduler license |For licensing and pricing information, see [Scheduler for Microsoft 365](https://www.microsoft.com/microsoft-365/meeting-scheduler-pricing). |
-
-## Create a mailbox for Cortana
-An Exchange mailbox in your tenant acts as the Cortana mailbox for your tenant to send and receive emails to and from Cortana. All emails sent to Cortana are retained in your tenantΓÇÖs Cortana mailbox based on your retention policy.
--- Use the Microsoft 365 admin center to create a new mailbox. A 30-day retention policy is recommended. Use the name Cortana in your mailboxΓÇÖs primary SMTP address. Names such as ΓÇ£Cortana@yourdomain.com,ΓÇÖ ΓÇÿCortanaScheduler@contoso.com,ΓÇÖ or ΓÇÿCortana.Scheduler@yourdomain.comΓÇÖ are recommended.-- Contact Microsoft (scheduler_m365@microsoft.com) to enable your Cortana mailbox. -
-> [!IMPORTANT]
-> You must contact Microsoft to configure your Cortana mailbox to use the Scheduler service by emailing scheduler_m365@microsoft.com. Enabling your Cortana mailbox may take up to two weeks.
-
-## Exchange Online mailbox
-Scheduler is an add-on to Microsoft 365. Meeting organizers must have an Exchange Online mailbox and calendar for Scheduler to work.
-
-## Exchange requirements
-
-In addition to licensing Scheduler, you must have one of the following licenses:
--- Microsoft 365 E3, A3, E5, A5-- Business Basic, Business, Business Standard, Business Premium-- Office 365 E1, A1, E3, A3, E5, A5-- Business Essentials, Business Premium-- Exchange Online Plan 1 or Plan 2 license. -
-> [!Note]
-> **Scheduler for Microsoft 365** isn't available for users of Office 365 operated by 21Vianet in China. It's also not available for users of Microsoft 365 with the German cloud that uses the data trustee German Telekom. It is supported for users in Germany whose data location isn't in the German datacenter.
->
->This feature is also not supported for users of the Government Cloud, including GCC, Consumer, GCC High, or DoD.
scheduler Scheduler Trust Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-trust-privacy.md
- Title: "Understanding Trust and Privacy in Scheduler for Microsoft 365."-----
-localization_priority: Normal
-description: "Understanding Trust and Privacy in Scheduler for Microsoft 365 are used with AI models and human assisted AI."
-
-# Trust and Privacy in Scheduler for Microsoft 365
-
-Scheduler is a unique offering whose artificial intelligence is augmented with human assistance when the AI models are not confident in the userΓÇÖs intent, often due to ambiguity or contextual references.
-
-## Policies
--- All customer content is stored in the customerΓÇÖs tenant.-- Scheduler is General Data Protection Regulation (GDPR) compliant.-- All customer data is processed in the Microsoft 365 Trust and Privacy Boundaries.-- SchedulerΓÇÖs human assistants are **Supplier Security & Privacy Assurance certified** for personal information and highly confidential information by Microsoft analogous to Microsoft support personnel / data processors. -- Email attachments are not consumed or processed by the Scheduler service.-- Encrypted emails are not consumed or processed by the Scheduler service.-- Scheduler does not monitor the meeting organizerΓÇÖs or attendeeΓÇÖs calendar or inbox.
scheduler Scheduler Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-using.md
- Title: "Using Scheduler for Microsoft 365"-----
-localization_priority: Normal
-description: "Using Scheduler for Microsoft 365."
-
-# How to use Scheduler for Microsoft 365
-
-Cortana understands natural language. Include cortana@yourdomain.com in an email with other attendees, and Cortana will take over from there. Cortana will send email notifications confirming meeting times and keep you up to date on progress.
-
-To use Scheduler, add CortanaΓÇÖs email address to your email in addition to the people you want to meeting with. In your email to Cortana and the other attendees, tell Cortana to schedule a meeting using natural language.
-
-## When to use Scheduler?
--- **Scheduling meetings with internal attendees**
-Use Cortana to schedule your meetings with 5 or fewer attendees. Cortana has the same access to free/busy information that you see for others in Outlook calendar. It will pick a time that works for everyone and send an invite on your behalf. Cortana will automatically Teams-enable all the meetings that it schedules. Anyone on the CC line will receive the invite as an optional attendee.
--- **Scheduling meetings with external attendees**
-Cortana communicates with external invitees to negotiate times that you are available to meet. After confirming a time to meet, Cortana sends an invite to attendees and notifies you that the meeting has been scheduled.
-
-## What to say to Cortana?
-
-Cortana understands natural language, but concise language is recommended.
-
-Use the following pattern to request a meeting: Schedule a [length of time] meeting [time frame].
--- ΓÇ£Schedule a 30-minute meeting next week.ΓÇ¥ -- ΓÇ£Find 1 hour for us to meet in January.ΓÇ¥ -- ΓÇ£Find 45 minutes the first week of May that works for India Standard Time.ΓÇ¥ -
-If you don't specify a time range, Cortana will book the meeting as soon as the next business day.
-
-## Scheduling across multiple time zones
-
-Use the following pattern to request a multi-time zone meeting:
-"Schedule a [length of time] meeting in [time frame] that works for [time zone]."
-
-Cortana will accommodate attendees in another time zone if you request it in the first email to Cortana.
-
-You cannot change time zone(s) after sending the initial request to Cortana. As some time zone abbreviations are the same, use the full time zone name for best results.
-
-## Organizer guidance
-
-Occasionally, Cortana may ask you for guidance as the organizer. Follow the directions in CortanaΓÇÖs email and reply using the reply buttons in Cortana emails.
-
-## Reschedule or Cancel
-
-If you need to reschedule or cancel, just reply to an email in the thread with Cortana regarding the meeting and ask to ΓÇ£RescheduleΓÇ¥ or ΓÇ£Cancel.ΓÇ¥
-
-> [!NOTE]
-> Cortana can't reschedule or cancel meetings that were not scheduled by Scheduler.
security Auto Investigation Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/auto-investigation-action-center.md
ms.prod: m365-security
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ localization_priority: Normal audience: ITPro
security Autoir Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/autoir-investigation-results.md
ms.sitesec: library
ms.pagetype: security f1.keywords: - NOCSH--++ localization_priority: Normal audience: ITPro
security Automated Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automated-investigations.md
ms.technology: mde
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ Last updated 02/02/2021 localization_priority: Normal
security Automation Levels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automation-levels.md
ms.technology: mde
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ Last updated 10/22/2020 localization_priority: Normal
security Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection
security Collect Diagnostic Data Update Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data-update-compliance.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 09/03/2018
ms.technology: mde+ # Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment
security Collect Diagnostic Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 06/29/2020
ms.technology: mde+ # Collect Microsoft Defender AV diagnostic data
security Command Line Arguments Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
Last updated 03/19/2021 ms.technology: mde+ # Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
security Common Exclusion Mistakes Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Common mistakes to avoid when defining exclusions
security Configuration Management Reference Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Previously updated : 12/16/2020 Last updated : 05/06/2021 ms.technology: mde+ # Manage Microsoft Defender Antivirus in your business
security Configure Advanced Scan Types Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
Title: Configure scanning options for Microsoft Defender AV
+ Title: Configure scanning options for Microsoft Defender Antivirus
description: You can configure Microsoft Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files). keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Configure Microsoft Defender Antivirus scanning options
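Review bot: The title now says "Microsoft Defender Antivirus", but the unchanged `description:` line directly below it still says "You can configure Microsoft Defender AV to scan email storage files". Update the description in the same change so the metadata uses one product name, as was done for the description in configure-end-user-interaction-microsoft-defender-antivirus.md.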
security Configure Automated Investigations Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation.md
ms.technology: mde
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ localization_priority: Normal audience: ITPro
security Configure Block At First Sight Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: priority
+localization_priority: Priority
Last updated 04/28/2021 ms.technology: mde+ # Turn on block at first sight
security Configure Cloud Block Timeout Period Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Configure the cloud block timeout period
security Configure End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-end-user-interaction-microsoft-defender-antivirus.md
Title: Configure how users can interact with Microsoft Defender AV
-description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings.
+ Title: Configure how users can interact with Microsoft Defender Antivirus
+description: Configure how end users interact with Microsoft Defender Antivirus, what notifications they see, and if they can override settings.
keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Configure end-user interaction with Microsoft Defender Antivirus
ms.technology: mde
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.
+You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus. You can configure whether users see the Microsoft Defender Antivirus interface, what notifications they see, and if they can locally override globally deployed Group Policy settings.
-This includes whether they see the Microsoft Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
+Use the following articles to configure end-user interaction with Microsoft Defender Antivirus
-## In this section
+- [Configure notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) Configure and customize notifications, customized text for notifications, and notifications about reboots for remediation
-Topic | Description
-|
-[Configure notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
-[Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) | Hide the user interface from users
-[Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints
+- [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) Hide the user interface from users
+
+- [Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) Prevent (or allow) users from overriding policy settings on their individual endpoints
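Review bot: The three added bullets that replace the table run the link straight into its description with no separator, for example `...antivirus.md) Hide the user interface from users`, so the rendered list reads as one unpunctuated phrase. Add a colon or period after each link and end each description with a period. The added lead-in "Use the following articles to configure end-user interaction with Microsoft Defender Antivirus" also has no terminal punctuation and should end with a colon.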
security Configure Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md
Title: Set up exclusions for Microsoft Defender Antivirus scans
-description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell.
+description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender Antivirus. Validate your exclusions with PowerShell.
keywords: search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
You can exclude certain files, folders, processes, and process-opened files from
To configure and validate exclusions, see the following: -- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). You can exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). You can exclude files from scans that have been opened by a specific process.
## Recommendations for defining exclusions
-[!IMPORTANT]
-Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
-Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-The following is a list of recommendations that you should keep in mind when defining exclusions:
+> [!IMPORTANT]
+> Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+>
+> Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-- Exclusions are technically a protection gapΓÇöalways consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
+Keep the following points in mind when you are defining exclusions:
-- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
+- Exclusions are technically a protection gap. Always consider mitigations when defining exclusions. Other mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
-- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issuesΓÇömostly around performance, or sometimes around application compatibility that exclusions could mitigate.
+- Review the exclusions periodically. Recheck and re-enforce the mitigations as part of the review process.
+
+- Ideally, avoid defining exclusions intending to be proactive. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues, such as those pertaining to performance or application compatibility that exclusions could mitigate.
- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
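Review bot: In the added mitigation bullet, the list "has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc." is not parallel and is hard to act on. Suggest "has appropriate access-control lists (ACLs) and an audit policy, and is processed only by up-to-date software". The added phrase "avoid defining exclusions intending to be proactive" is also less clear than the wording it replaces ("avoid defining proactive exclusions"). While this paragraph is open, the unchanged last bullet's "provide answer with specific reasoning" needs an article.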
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Configure and validate exclusions based on file extension and folder location
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 02/13/2020
ms.technology: mde+ # Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings
security Configure Microsoft Defender Antivirus Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 11/18/2020
ms.technology: mde+ # Configure Microsoft Defender Antivirus features
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 12/28/2020
ms.technology: mde+ # Configure and validate Microsoft Defender Antivirus network connections
security Configure Notifications Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 09/03/2018
ms.technology: mde+ # Configure the notifications that appear on endpoints
security Configure Process Opened File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Configure exclusions for files opened by processes
security Configure Protection Features Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Configure behavioral, heuristic, and real-time protection
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 12/16/2019
ms.technology: mde+ # Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy
security Configure Remediation Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 03/16/2021
ms.technology: mde+ # Configure remediation for Microsoft Defender Antivirus detections
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde Last updated 02/10/2021+ # Configure Microsoft Defender Antivirus exclusions on Windows Server
security Customize Run Review Remediate Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 09/03/2018
ms.technology: mde+ # Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
security Customize Run Review Remediate Scans Windows Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-windows-defender-antivirus.md
- Title: Run and customize scheduled and on-demand scans
-description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
-keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
-localization_priority: normal
--- Previously updated : 09/03/2018----
-# Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation
---
-**Applies to:**
--- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)-
-You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
-
-## In this section
-
-| Article | Description |
-|:|:|
-|[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning |
-|[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning |
-|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder |
-|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans |
-|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app |
-|[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app |
security Defender Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-compatibility.md
Title: Microsoft Defender Antivirus compatibility with Defender for Endpoint
+ Title: Antivirus solution compatibility with Defender for Endpoint
description: Learn about how Windows Defender works with Microsoft Defender for Endpoint and how it functions when a third-party antimalware client is used. keywords: windows defender compatibility, defender, Microsoft Defender for Endpoint, defender for endpoint, antivirus, mde search.product: eADQiWindows 10XVcnh
audience: ITPro Previously updated : 04/24/2018 Last updated : 05/06/2021 ms.technology: mde
-# Microsoft Defender Antivirus compatibility with Microsoft Defender for Endpoint
+# Antivirus solution compatibility with Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
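Review bot: The title and H1 are renamed to "Antivirus solution compatibility with ... Defender for Endpoint", but the unchanged `description:` line still opens with "Learn about how Windows Defender works with Microsoft Defender for Endpoint" and the keywords still lead with "windows defender compatibility". Update the description to match the new title and current product naming, so search results and the page heading describe the same article.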
security Deploy Manage Report Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 09/03/2018
ms.technology: mde+ # Deploy, manage, and report on Microsoft Defender Antivirus
security Deploy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 01/06/2021
ms.technology: mde+ # Deploy and enable Microsoft Defender Antivirus
security Deployment Vdi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
Last updated 12/28/2020
ms.technology: mde+ # Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
security Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: detect ms.sitesec: library
-localization_priority: priority
+localization_priority: Priority
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
localization_priority: Normal
- next-gen - edr Previously updated : 05/05/2021 Last updated : 05/06/2021 - m365-security-compliance - m365initiative-defender-endpoint
EDR in block mode is also integrated with [threat & vulnerability management](ht
## What happens when something is detected?
-When EDR in block mode is turned on, and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-machine-alerts#check-activity-details-in-action-center).
+When EDR in block mode is turned on, and a malicious artifact is detected, Microsoft Defender for Endpoint blocks and remediates that artifact. Your security operations team will see detection status as **Blocked** or **Prevented** in the [Action center](respond-machine-alerts.md#check-activity-details-in-action-center), listed as completed actions.
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
The following image shows an instance of unwanted software that was detected and
|Requirement |Details | ||| |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/basic-permissions). |
-|Operating system |One of the following versions: <br/>- Windows 10 (all releases) <br/>- Windows Server, version 1803 or newer <br/>- Windows Server 2019 <p>**NOTE**: EDR in block mode is not supported on Windows Server 2016. |
-|Windows E5 enrollment |Windows E5 is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Identity & Threat Protection offering <br/><br/>See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
+|Operating system |One of the following versions: <br/>- Windows 10 (all releases) <br/>- Windows Server, version 1803 or newer <br/>- Windows Server 2019 <br/>- Windows Server 2016 (only when Microsoft Defender Antivirus is in active mode) |
+|Windows E5 enrollment |Windows E5 is included in the following subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 E3 together with the Identity & Threat Protection offering <br/><br/>See [Components](/microsoft-365/enterprise/microsoft-365-overview#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). |
-|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
-|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
-|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
+|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](enable-cloud-protection-microsoft-defender-antivirus.md). |
+|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
+|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
> [!IMPORTANT]
-> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.
+> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus.
## Frequently asked questions
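Review bot: The Operating system row now allows Windows Server 2016 "only when Microsoft Defender Antivirus is in active mode", while the unchanged Microsoft Defender Antivirus row still says it must be running "in either active mode or passive mode" with no exception. Repeat the Server 2016 restriction in that row, or a reader who checks only the antivirus requirement will conclude that passive mode is sufficient on Server 2016.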
EDR in block mode does not affect third-party antivirus protection running on us
### Why do I need to keep Microsoft Defender Antivirus up to date?
-Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date.
+Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](microsoft-defender-endpoint.md) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
### Why do we need cloud protection on?
-Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
+Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](microsoft-defender-endpoint.md) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
### How do I set Microsoft Defender Antivirus to passive mode?
-See [Enable Microsoft Defender Antivirus and confirm it's in passive mode](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
+Depending on operating systems, when devices that are running a non-Microsoft antivirus/antimalware solution are onboarded to Defender for Endpoint, Microsoft Defender Antivirus can go into passive mode automatically. For more information, see [Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus-compatibility.md#antivirus-and-microsoft-defender-for-endpoint).
### How do I confirm Microsoft Defender Antivirus is in active or passive mode? To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows.
-#### Use PowerShell
-1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results.
-
-2. Type `Get-MpComputerStatus`.
-
-3. In the list of results, in the **AMRunningMode** row, look for one of the following values:
- - `Normal`
- - `Passive Mode`
- - `SxS Passive Mode`
-
-To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus).
-
-#### Use Command Prompt
-
-1. Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results.
-
-2. Type `sc query windefend`.
-
-3. In the list of results, in the **STATE** row, confirm that the service is running.
+|Method |Procedure |
+|||
+| PowerShell | 1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results. <p>2. Type `Get-MpComputerStatus`. <p>3. In the list of results, in the **AMRunningMode** row, look for one of the following values: <br/>- `Normal` <br/>- `Passive Mode` <br/>- `SxS Passive Mode` <p>To learn more, see [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus). |
+|Command Prompt | 1. Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results. <p>2. Type `sc query windefend`. <p>3. In the list of results, in the **STATE** row, confirm that the service is running. |
### How much time does it take for EDR in block mode to be disabled?
-If you chose to disable EDR in block mode it can take up to 30 minutes for the system to disable this capability.
+If you chose to disable EDR in block mode, it can take up to 30 minutes for the system to disable this capability.
### Is EDR in block mode supported on Windows Server 2016?
-No. EDR in block mode is supported of the following versions of Windows:
+If Microsoft Defender Antivirus is running in active mode or passive mode, EDR in block mode is supported of the following versions of Windows:
- Windows 10 (all releases) - Windows Server, version 1803 or newer - Windows Server 2019
+If Windows Server 2016 has Microsoft Defender Antivirus running in active mode, and the endpoint is onboarded to Defender for Endpoint, then EDR in block mode is supported. However, EDR in block mode is intended to be additional protection when Microsoft Defender Antivirus is not the primary antivirus solution on an endpoint.
+ ## See also - [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
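Review bot: In the Windows Server 2016 answer, the new opening sentence keeps the old wording "supported of the following versions" (should be "on"), and the list that follows still omits Windows Server 2016, so the actual answer to the heading only appears in the paragraph added after the list. Lead with the direct answer (supported on Server 2016 only when Microsoft Defender Antivirus is in active mode and the endpoint is onboarded), then give the version list. Separately, the rewritten passive-mode answer explains when passive mode is entered automatically but no longer says how to set it, which is what its heading asks.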
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
Last updated 04/30/2021
ms.technology: mde+ # Turn on cloud-delivered protection
security Evaluate Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
Last updated 09/03/2018
ms.technology: mde+ # Evaluate Microsoft Defender Antivirus
security Limited Periodic Scanning Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
Last updated 09/03/2018
ms.technology: mde+
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
Title: Deploy Microsoft Defender for Endpoint on Linux manually-+ description: Describes how to deploy Microsoft Defender for Endpoint on Linux manually from the command line. keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh
localization_priority: Normal audience: ITPro-+ - m365-security-compliance ms.technology: mde
In order to preview new features and provide early feedback, it is recommended t
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list ``` For example, if you chose *prod* channel:
-
+ ```bash sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-prod.list
- ```
+ ```
- Install the `gpg` package if not already installed:
Download the onboarding package from Microsoft Defender Security Center:
- Open a Terminal window. Copy and execute the following command: ``` bash
- curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
+ curl -o /tmp/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
``` - The file should have been quarantined by Defender for Endpoint on Linux. Use the following command to list all the detected threats:
security Linux Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-updates.md
Microsoft regularly publishes software updates to improve performance, security,
> mdatp health --field product_expiration > ``` +
+Generally available Microsoft Defender for Endpoint capabilities are equivalent regardless update channel used for a deployment (Beta (Insider), Preview (External), Current (Production)).
++ To update Defender for Endpoint on Linux manually, execute one of the following commands: ## RHEL and variants (CentOS and Oracle Linux)
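Review bot: The added sentence reads "equivalent regardless update channel used for a deployment"; it needs "regardless of the update channel". The nested parentheses around the channel names are also hard to scan, so consider listing the three channels in a plain comma-separated phrase instead.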
security Machine Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-groups.md
Title: Create and manage device groups in Microsoft Defender for Endpoint
-description: Create device groups and set automated remediation levels on them by confiring the rules that apply on the group
+description: Create device groups and set automated remediation levels on them by confirming the rules that apply on the group
keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh search.appverid: met150
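Review bot: The typo fix in `description:` changes "confiring" to "confirming", but the article is about specifying the matching rules for a group, so "configuring the rules" is the more likely intended wording. Please confirm which word was meant before this lands in the page metadata.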
In Microsoft Defender for Endpoint, you can create device groups and use them to
- Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac.md) - Configure different auto-remediation settings for different sets of devices - Assign specific remediation levels to apply during automated investigations-- In an investigation, filter the **Devices list** to just specific device groups by using the **Group** filter.
+- In an investigation, filter the **Devices list** to specific device groups by using the **Group** filter.
You can create device groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the device group(s) to a user group. For more information, see [Manage portal access using role-based access control](rbac.md).
You can create device groups in the context of role-based access (RBAC) to contr
As part of the process of creating a device group, you'll: - Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations.md).-- Specify the matching rule that determines which device group belongs to the group based on the device name, domain, tags, and OS platform. If a device is also matched to other groups, it is added only to the highest ranked device group.
+- Specify the matching rule that determines which device group belongs to the group based on the device name, domain, tags, and OS platform. If a device is also matched to other groups, it's added only to the highest ranked device group.
- Select the Azure AD user group that should have access to the device group.-- Rank the device group relative to other groups after it is created.
+- Rank the device group relative to other groups after it's created.
>[!NOTE] >A device group is accessible to all users if you donΓÇÖt assign any Azure AD groups to it.
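Review bot: The edited bullet still says the matching rule "determines which device group belongs to the group"; the rule matches devices, so this should read "which device belongs to the group". It is worth fixing in the same change, since the line is already being touched for the "it's" contraction.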
As part of the process of creating a device group, you'll:
>[!TIP] >If you want to group devices by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Create and manage device tags](machine-tags.md).
-4. Preview several devices that will be matched by this rule. If you are satisfied with the rule, click the **User access** tab.
+4. Preview several devices that will be matched by this rule. If you're satisfied with the rule, click the **User access** tab.
5. Assign the user groups that can access the device group you created.
As part of the process of creating a device group, you'll:
## Manage device groups
-You can promote or demote the rank of a device group so that it is given higher or lower priority during matching. When a device is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
+You can promote or demote the rank of a device group so that it's given higher or lower priority during matching. When a device is matched to more than one group, it's added only to the highest ranked group. You can also edit and delete groups.
++ >[!WARNING] >Deleting a device group may affect email notification rules. If a device group is configured under an email notification rule, it will be removed from that rule. If the device group is the only group configured for an email notification, that email notification rule will be deleted along with the device group. By default, device groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the device group.
-Devices that are not matched to any groups are added to Ungrouped devices (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
+Devices that aren't matched to any groups are added to Ungrouped devices (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
>[!NOTE] > Applying changes to device group configuration may take up to several minutes. +
+### Add device group definitions
+Device group definitions can also include multiple values for each condition. You can set multiple tags, device names, and domains to the definition of a single device group.
+
+1. Create a new device group, then select **Devices** tab.
+2. Add the first value for one of the conditions.
+3. Select `+` to add more rows of the same property type.
+
+>[!TIP]
+> Use the 'OR' operator between rows of the same condition type, which allows multiple values per property.
+> You can add up to 10 rows (values) for each property type - tag, device name, domain.
+
+For more information on linking to device groups definitions, see [Device groups - Microsoft 365 security](https://sip.security.microsoft.com/homepage).
+ ## Related topics - [Manage portal access using role-based based access control](rbac.md)
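Review bot: The "For more information" link that closes the new "Add device group definitions" section is labelled "Device groups - Microsoft 365 security" but targets `https://sip.security.microsoft.com/homepage`, a portal homepage rather than a page about device groups. Point it at the device groups page or a docs article, and confirm that the `sip.` host is the one intended for public documentation. The TIP should also say whether rows of the same property type are combined with OR automatically or whether the admin has to select the operator, because device group membership determines which Azure AD user groups can see the devices.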
security Manage Auto Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-auto-investigation.md
ms.prod: m365-security
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security--++ localization_priority: Normal audience: ITPro
security Manage Event Based Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 09/17/2018
ms.technology: mde+ # Manage event-based forced updates
security Manage Outdated Endpoints Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 09/03/2018
ms.technology: mde+ # Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date
security Manage Protection Update Schedule Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus.md
search.appverid: met150
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Manage the schedule for when protection updates should be downloaded and applied
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Manage the sources for Microsoft Defender Antivirus protection updates
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
audience: ITPro
ms.technology: mde Last updated : 05/06/2021 # Manage Microsoft Defender Antivirus updates and apply baselines
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). <details>
+<summary>1.1.2105.01</summary>
+
+&ensp;Package version: **1.1.2105.01**
+&ensp;Platform version: **4.18.2103.7**
+&ensp;Engine version: **1.1.18100.6**
+&ensp;Signature version: **1.339.42.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+<br/>
+</details><details>
<summary>1.1.2104.01</summary> &ensp;Package version: **1.1.2104.01**
security Manage Updates Mobile Devices Vms Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Manage updates for mobile devices and virtual machines (VMs)
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
-+ ms.technology: mde Previously updated : 05/05/2021 Last updated : 05/06/2021 # Microsoft Defender Antivirus compatibility
Last updated 05/05/2021
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-## Overview
+## Summary
-Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another (non-Microsoft) antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) together with your antivirus protection.
+Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another (non-Microsoft) antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) together with your antivirus protection. This article describes what happens with antivirus/antimalware solutions when endpoints are onboarded to Microsoft Defender for Endpoint.
+
+## Why Defender for Endpoint matters
+
+Consider onboarding your endpoints to Defender for Endpoint, even if you are using a non-Microsoft antivirus/antimalware solution. In most cases, when you onboard your devices to Defender for Endpoint, you can use Microsoft Defender Antivirus alongside your non-Microsoft antivirus solution for added protection. For example, you can use [EDR in block mode](edr-in-block-mode.md), which blocks and remediates malicious artifacts that your primary antivirus solution might have missed.
+
+Here's how it works:
- If your organization's client devices are protected by a non-Microsoft antivirus/antimwalware solution, when those devices are onboarded to Defender for Endpoint, Microsoft Defender Antivirus goes into passive mode automatically. In this case, threat detections occur, but real-time protection and threats are not remediated by Microsoft Defender Antivirus. **NOTE**: This particular scenario does not apply to endpoints running Windows Server.
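Review bot: The list item that the new "Here's how it works:" line introduces still contains the typo "antimwalware" and the clause "real-time protection and threats are not remediated by Microsoft Defender Antivirus", which reads as though real-time protection were something to remediate. Because this change rewrites the summary around it, fix both in the same pass, for example "threat detections occur, but Microsoft Defender Antivirus does not provide real-time protection or remediate threats", if that is the intended meaning.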
Microsoft Defender Antivirus is automatically enabled and installed on endpoints
## Antivirus and Microsoft Defender for Endpoint
-The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint.
+The following table summarizes what happens with Microsoft Defender Antivirus when non-Microsoft antivirus/antimalware solutions are used together or without Microsoft Defender for Endpoint.
-| Windows version | Antivirus/antimalware product | Defender for Endpoint enrollment | Microsoft Defender Antivirus state |
+| Windows version | Antivirus/antimalware solution | Onboarded to <br/> Defender for Endpoint? | Microsoft Defender Antivirus state |
|||-|-| | Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | | Windows 10 | Microsoft Defender Antivirus | No | Active mode |
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode (automatically) |
-| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Disabled mode (automatically) |
+| Windows 10 | A non-Microsoft antivirus/antimalware solution | Yes | Passive mode (automatically) |
+| Windows 10 | A non-Microsoft antivirus/antimalware solution | No | Disabled mode (automatically) |
| Windows Server, version 1803 or newer <p> Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode | | Windows Server, version 1803 or newer <p> Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server, version 1803 or newer <p> Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Microsoft Defender Antivirus must be set to passive mode (manually) <sup>[[1](#fn1)]<sup> |
-| Windows Server, version 1803 or newer <p> Windows Server 2019 | A third-party product that is not offered or developed by Microsoft | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup></sup> |
+| Windows Server, version 1803 or newer <p> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Yes | Microsoft Defender Antivirus must be set to passive mode (manually) <sup>[[1](#fn1)]<sup> |
+| Windows Server, version 1803 or newer <p> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup></sup> |
| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode | | Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | Yes | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup> |
-| Windows Server 2016 | A third-party product that is not offered or developed by Microsoft | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup> |
+| Windows Server 2016 | A non-Microsoft antivirus/antimalware solution | Yes | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup> |
+| Windows Server 2016 | A non-Microsoft antivirus/antimalware solution | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup> |
-(<a id="fn1">1</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. You can do set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
+(<a id="fn1">1</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
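Review bot: The footnote markers in the rewritten Windows Server rows are never closed: `<sup>[[1](#fn1)]<sup>` and `<sup>[[2](#fn2)]<sup>` end in a second opening `<sup>` rather than `</sup>`, and one row ends in `<sup></sup>`. The added lines copy this from the removed ones; since every affected row is being rewritten anyway, close each marker as `<sup>[[1](#fn1)]</sup>`. In the intro sentence, "used together or without Microsoft Defender for Endpoint" would read better as "used with or without".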
If you are using Windows Server, version 1803 or newer, or Windows Server 2019,
- Value: `1` > [!NOTE]
-> The `ForcePassiveMode` registry key is not supported on Windows Server 2016.
+> Passive mode is not supported on Windows Server 2016. The `ForcePassiveMode` registry key can be used on Windows Server, version 1803 or newer, or Windows Server 2019, but not Windows Server 2016.
(<a id="fn2">2</a>) On Windows Server 2016, if you are using a non-Microsoft antivirus product, you cannot run Microsoft Defender Antivirus in either passive mode or active mode. In such cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server.
The table in this section summarizes the functionality and features that are ava
- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. - > [!WARNING] > Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
security Microsoft Defender Antivirus In Windows 10 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10.md
ms.technology: mde+ # Next-generation protection
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
This topic describes how to install, configure, update, and use Microsoft Defend
- Beginner-level experience in Linux and BASH scripting - Administrative privileges on the device (in case of manual deployment)
+> [!NOTE]
+> Microsoft Defender for Endpoint on Linux agent is independent from [OMS agent](/azure/azure-monitor/agents/agents-overview#log-analytics-agent). Microsoft Defender for Endpoint relies on its own independent telemetry pipeline.
+>
+> Microsoft Defender for Endpoint on Linux is not yet integrated into Azure Security Center.
+++ ### Installation instructions There are several methods and deployment tools that you can use to install and configure Microsoft Defender for Endpoint on Linux.
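Review bot: In the added note, the link is labelled "OMS agent" but its target anchor is `#log-analytics-agent`, so the reader meets two names for one component; use the current name in the link text and give the older one in parentheses if it is still needed. The first sentence is also missing its articles ("The Microsoft Defender for Endpoint on Linux agent is independent of the OMS agent"), and "not yet integrated into Azure Security Center" will go stale without a date or version to anchor it.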
In general you need to take the following steps:
If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender for Endpoint on Linux](linux-support-install.md). ++ ### System requirements - Supported Linux server distributions and versions:
If you experience any installation failures, refer to [Troubleshooting installat
- SUSE Linux Enterprise Server 12 or higher - Oracle Linux 7.2 or higher
+ > [!NOTE]
+ > Distributions and version that are not explicitly listed are unsupported (even if they are derived from the officially supported distributions).
++ - Minimum kernel version 3.10.0-327+ - The `fanotify` kernel option must be enabled+ > [!CAUTION] > Running Defender for Endpoint on Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. -- Disk space: 1GB
+- Disk space: 1 GB
+ - /opt/microsoft/mdatp/sbin/wdavdaemon requires executable permission. For more information, see "Ensure that the daemon has executable permission" in [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-install).-- Memory: 1GB+
+- Memory: 1 GB
+ > [!NOTE] > Please make sure that you have free disk space in /var.
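Review bot: The added note reads "Distributions and version that are not explicitly listed"; "version" should be plural. In the new sub-item under "Disk space", `/opt/microsoft/mdatp/sbin/wdavdaemon` is a file path and should be code-formatted like `fanotify` is elsewhere in the list, and its link uses the absolute `/microsoft-365/security/defender-endpoint/linux-support-install` while the installation section of the same article links to the same page as `linux-support-install.md`. Pick one form.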
After you've enabled the service, you may need to configure your network or fire
The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
-|**Spreadsheet of domains list**|**Description**|
+| Spreadsheet of domains list | Description |
|:--|:--| |![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)<br/> | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <br><br>[Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)
security Microsoft Defender Offline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Run and review the results of a Microsoft Defender Offline scan
security Microsoft Defender Security Center Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Microsoft Defender Antivirus in the Windows Security app
security Office 365 Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
audience: ITPro
Protection from ransomware is one great reason to put your files in OneDrive. An
- [OneDrive](/onedrive) -- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide)
+- [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp)
- [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md)
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
audience: ITPro ms.technology: mde+ # Protect security settings with tamper protection
security Prevent End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 09/03/2018
ms.technology: mde+ # Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
security Report Monitor Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 12/07/2020
ms.technology: mde+ # Report on Microsoft Defender Antivirus
security Restore Quarantined Files Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 05/20/2020
ms.technology: mde+ # Restore quarantined files in Microsoft Defender AV
security Review Scan Results Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
Last updated 09/28/2020
ms.technology: mde+ # Review Microsoft Defender Antivirus scan results
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
security Scheduled Catch Up Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
security Specify Cloud Protection Level Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
ms.pagetype: security
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
Last updated 10/26/2020
ms.technology: mde+ # Specify the cloud-delivered protection level
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
Title: Switch to Microsoft Defender for Endpoint - Setup
-description: This is phase 2, Setup, for switching to Microsoft Defender for Endpoint.
-keywords: migration, Microsoft Defender for Endpoint, edr
+description: Phase 2, the setup process, when switching to Microsoft Defender for Endpoint.
+keywords: migration, Microsoft Defender for Endpoint, edr, Windows Defender
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
- m365solution-migratetomdatp Previously updated : 03/03/2021 Last updated : 05/06/2021
## Enable Microsoft Defender Antivirus and confirm it's in passive mode
-On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
+On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. When you get ready to onboard your endpoints to Defender for Endpoint, Microsoft Defender Antivirus does not enter passive or disabled mode automatically. In addition, on Windows Server, you cannot have Microsoft Defender Antivirus in active mode alongside a non-Microsoft antivirus/antimalware solution, such as McAfee, Symantec, or others. To learn more about what happens with Defender for Endpoint and antivirus solutions, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-This step of the migration process includes the following tasks:
+To help ensure that Microsoft Defender Antivirus is enabled and in passive mode, complete the following tasks described in this article:
- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) - [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server); - [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
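Review bot: The new second sentence, "When you get ready to onboard your endpoints to Defender for Endpoint, Microsoft Defender Antivirus does not enter passive or disabled mode automatically", has lost the Windows Server scope of the sentence before it. The compatibility article changed in this same batch says passive mode is automatic on Windows 10 once devices are onboarded and that only Windows Server is the exception, so state the condition explicitly ("On Windows Server, Microsoft Defender Antivirus does not ..."). The paragraph now also names "McAfee, Symantec, or others" while its first sentence still says "your McAfee solution", and the second list item below keeps a stray trailing semicolon.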
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
1. On your Windows Server device, open Registry Editor.
-1. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
+2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
-1. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
+3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
- If you do not see that entry, you're all set. - If you do see **DisableAntiSpyware**, proceed to step 4.
-1. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
+4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
-1. Set the value to `0`. (This sets the registry key's value to *false*.)
+5. Set the value to `0`. (This action sets the registry key's value to *false*.)
> [!TIP] > To learn more about this registry key, see [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
> The following procedure applies only to endpoints or devices that are running the following versions of Windows: > - Windows Server 2019 > - Windows Server, version 1803 (core-only mode)
-> - Windows Server 2016
+> - Windows Server 2016 (see important information in [Are you using Windows Server 2016?](#are-you-using-windows-server-2016))
1. As a local administrator on the endpoint or device, open Windows PowerShell.+ 2. Run the following PowerShell cmdlets: <br/>
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/><br/>
+ `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <p>
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/> > [!NOTE] > When using the DISM command within a task sequence running PS, the following path to cmd.exe is required. > Example:<br/>
- > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<br/><br/>
+ > `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`<p>
> `c:\windows\sysnative\cmd.exe /c Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`<br/> 3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/>
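Review bot: The replacement of `<br/><br/>` with a bare `<p>` after each Dism line leaves an opening tag with no matching close inside a numbered step and inside the `> [!NOTE]` block. Confirm that the list numbering and the note still render as before, or close the element or keep the line breaks. While these lines are open, the step text calls the Dism commands "PowerShell cmdlets"; Dism is a command-line executable that is being run from PowerShell, so "commands" would be accurate.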
The [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-m
#### Are you using Windows Server 2016?
+If you have endpoints running Windows Server 2016, you cannot run Microsoft Defender Antivirus alongside a non-Microsoft antivirus/antimalware solution. Microsoft Defender Antivirus cannot run in passive mode on Windows Server 2016. In this case, you'll need to uninstall the non-Microsoft antivirus/antimalware solution, and install/enable Microsoft Defender Antivirus instead. To learn more, see [Antivirus solution compatibility with Defender for Endpoint](microsoft-defender-antivirus-compatibility.md).
+ If you're using Windows Server 2016 and are having trouble enabling Microsoft Defender Antivirus, use the following PowerShell cmdlet: `mpcmdrun -wdenable` > [!TIP]
-> Still need help? See [Microsoft Defender Antivirus on Windows Server](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
+> Still need help? See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md).
### Set Microsoft Defender Antivirus to passive mode on Windows Server
+> [!IMPORTANT]
+> You can set Microsoft Defender Antivirus to passive mode on Windows Server, version 1803 or newer, or Windows Server 2019. But Passive mode is not supported on Windows Server 2016. To learn more, see [Antivirus solution compatibility with Microsoft Defender for Endpoint](defender-compatibility.md).
+ Because your organization is still using your existing endpoint protection solution, you must set Microsoft Defender Antivirus to passive mode. That way, your existing solution and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint. 1. Open Registry Editor, and then navigate to <br/>
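Review bot: The two additions in this region link to what looks like the same article under two different targets: the Windows Server 2016 paragraph uses `microsoft-defender-antivirus-compatibility.md` with the text "Antivirus solution compatibility with Defender for Endpoint", while the new IMPORTANT note uses `defender-compatibility.md` with the text "Antivirus solution compatibility with Microsoft Defender for Endpoint". Confirm which page each is meant to reach and make the link text distinguish them if they differ. In the same note, "But Passive mode" should be lowercase "passive", matching the sentence before it.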
To enable Microsoft Defender Antivirus, we recommend using Intune. However, you
|Method |What to do | |||
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<br/><br/>3. Select **Properties**, and then select **Configuration settings: Edit**.<br/><br/>4. Expand **Microsoft Defender Antivirus**. <br/><br/>5. Enable **Cloud-delivered protection**.<br/><br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/><br/>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/><br/>8. Select **Review + save**, and then choose **Save**.<br/>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <br/><br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/><br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p> 2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p> 3. Select **Properties**, and then select **Configuration settings: Edit**.<p> 4. Expand **Microsoft Defender Antivirus**. <p> 5. Enable **Cloud-delivered protection**.<p> 6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p> 7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p> 8. Select **Review + save**, and then choose **Save**.<p>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
+|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) | 1. Go to **Computer configuration** > **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus**. <p> 2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p> 3. Choose **Edit policy setting**, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
### Confirm that Microsoft Defender Antivirus is in passive mode
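Review bot: In the rewritten Intune row, step 2 and the TIP still link to `/intune/device-restrictions-configure` and `/intune/device-profiles`, while the method cell in the same row links to `/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager`. Since the row is being replaced wholesale, check that the two `/intune/` paths still resolve directly and move them to the `/mem/intune/` root if that is where the content now lives.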
Microsoft Defender Antivirus can run alongside your existing endpoint protection
|Method |What to do | |||
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <br/><br/>2. Type `sc query windefend`, and then press Enter.<br/><br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <br/><br/>3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
+|Command Prompt | 1. On a Windows device, open Command Prompt as an administrator. <p> 2. Type `sc query windefend`, and then press Enter.<p> 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
+|PowerShell | 1. On a Windows device, open Windows PowerShell as an administrator.<p> 2. Run the [Get-MpComputerStatus](/powershell/module/defender/Get-MpComputerStatus) cmdlet. <p> 3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. |
> [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
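Review bot: The Command Prompt row tells the reader to run `sc query windefend` and then "confirm that Microsoft Defender Antivirus is running in passive mode", but it never says what in the output indicates that. `sc query` reports the service state (for example RUNNING or STOPPED), not the antivirus running mode, whereas the PowerShell row names the exact field to look for (**AMRunningMode: Passive Mode** or **SxS Passive Mode**). Either state what result to expect from `sc query` and that it only confirms the service is running, or point readers to the PowerShell method for the passive-mode check.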
This step of the setup process involves adding Microsoft Defender for Endpoint t
> [!TIP] > To get help configuring exclusions, refer to your solution provider's documentation.
-The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
+The specific exclusions to configure will depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
|OS |Exclusions | |--|--|
-|- Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/>- Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/> |
-|- [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
+|- Windows 10, [version 1803](/windows/release-health/status-windows-10-1803) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/>- Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<p>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<p> |
+|- [Windows 8.1](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](/windows/release-health/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders. <br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<p>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
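Review bot: The Windows 8.1 row now mixes separators: `AgentControlPanel.exe` and `HealthService.exe` are still split by `<br/>` while the paths after them are split by `<p>`, so the list is likely to render with uneven spacing; use one separator for every path in the cell. The Windows 10 row also ends with a dangling `<p>` before the closing `|`, which can be dropped.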
## Add your existing solution to the exclusion list for Microsoft Defender Antivirus
You can choose from several methods to add your exclusions to Microsoft Defender
|Method | What to do| |--|--|
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<br/><br/>3. Under **Manage**, select **Properties**.<br/> <br/>4. Select **Configuration settings: Edit**.<br/><br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/><br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/><br/>7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](/mem/configmgr/) |1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <br/><br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<br/><br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<br/><br/>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/><br/>5. Click **OK**.<br/><br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/><br/>7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <br/><br/>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.<br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/><br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-|||
-
+|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p> 2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<p> 3. Under **Manage**, select **Properties**.<p> 4. Select **Configuration settings: Edit**.<p> 5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<p> 6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<p> 7. Choose **Review + save**, and then choose **Save**. |
+|[Microsoft Endpoint Configuration Manager](/mem/configmgr/) | 1. Using the [Configuration Manager console](/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <p> 2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
+|[Group Policy Object](/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and then select **Edit**.<p> 2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.<p> 3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p> 4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<p> 5. Select **OK**.<p> 6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, select **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<p> 7. Select **OK**. |
+|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <p>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.<p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<p>3. Specify your path and process exclusions. |
+|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<p>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
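Review bot: The local-path example in the Registry key row still reads `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`, with a space between `c:\temp\` and the file name, so the path as written does not name the file; remove the space while this row is being touched. Step 1 also says to export the key without saying from which device, and because the .reg file sets antivirus exclusions and is imported silently with `/s`, the row should say that the file and the `\\FileServer\ShareName` share must be writable only by administrators.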
## Add your existing solution to the exclusion list for Microsoft Defender for Endpoint
To add exclusions to Microsoft Defender for Endpoint, you create [indicators](/m
1. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.<br/>
-1. On the **File hashes** tab, choose **Add indicator**.<br/>
+2. On the **File hashes** tab, choose **Add indicator**.<br/>
-1. On the **Indicator** tab, specify the following settings:
+3. On the **Indicator** tab, specify the following settings:
- File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.) - Under **Expires on (UTC)**, choose **Never**.<br/>
-1. On the **Action** tab, specify the following settings:
+4. On the **Action** tab, specify the following settings:
- **Response Action**: **Allow** - Title and description<br/>
-1. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.<br/>
+5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.<br/>
-1. On the **Summary** tab, review the settings, and then click **Save**.
+6. On the **Summary** tab, review the settings, and then select **Save**.
### Find a file hash using CMPivot
CMPivot is an in-console utility for Configuration Manager. CMPivot provides acc
To use CMPivot to get your file hash, follow these steps: 1. Review the [prerequisites](/mem/configmgr/core/servers/manage/cmpivot#prerequisites).+ 2. [Start CMPivot](/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot). + 3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).+ 4. Select the **Query** tab.+ 5. In the **Device Collection** list, and choose **All Systems (default)**.+ 6. In the query box, type the following query:<br/> ```kusto
To use CMPivot to get your file hash, follow these steps:
| Collection type | What to do | |--|--|
-|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<br/><br/>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <br/><br/>3. Choose **+ Add device group**.<br/><br/>4. Specify a name and description for the device group.<br/><br/>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<br/><br/>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<br/><br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <br/><br/>8. Choose **Done**. |
+|[Device groups](/microsoft-365/security/defender-endpoint/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<p>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <p>3. Choose **+ Add device group**.<p>4. Specify a name and description for the device group.<p>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](/microsoft-365/security/defender-endpoint/automated-investigations#how-threats-are-remediated).<p>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](/microsoft-365/security/defender-endpoint/machine-tags).<p>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <p>8. Choose **Done**. |
|[Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.<br/>Device collections are created by using [Configuration Manager](/mem/configmgr/). |Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | |[Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
security Troubleshoot Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
Last updated 09/11/2018
ms.technology: mde+ # Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
security Troubleshoot Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
ms.technology: mde+ # Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
security Use Group Policy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library
-localization_priority: normal
+localization_priority: Normal
security Use Intune Config Manager Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus.md
ms.prod: m365-security
ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
-localization_priority: normal
+localization_priority: Normal
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
Microsoft 365 Defender applies correlation analytics and aggregates related aler
The **Incident queue** shows a collection of incidents that were created across devices, users, and mailboxes. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
-You get to the incident queue from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)).
+You get to the incident queue from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
:::image type="content" source="../../media/incidents-queue/incidents-ss-incidents.png" alt-text="Example of the incident queue":::
+The **Most recent incidents and alerts** section shows a graph of the number of alerts received and incidents created in the last 24 hours.
+ By default, the incident queue in the Microsoft 365 security center displays incidents seen in the last six months. The most recent incident is at the top of the list so you can see it first. The incident queue has customizable columns (select **Choose columns**) that give you visibility into different characteristics of the incident or the impacted entities. This helps you make an informed decision regarding the prioritization of incidents for analysis.
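Review bot: The added sentence about the **Most recent incidents and alerts** graph (last 24 hours) sits directly above the existing paragraph saying the queue displays incidents seen in the last six months, with nothing telling the reader that these are two different views. Say explicitly that the 24-hour window applies only to the graph and the six-month default applies to the queue list.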
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
Microsoft 365 Defender automatically investigates all the incidents' supported e
Each of the analyzed entities is marked with a verdict (Malicious, Suspicious, Clean) and a remediation status. This helps you understand the remediation status of the entire incident and what next steps can be taken.
+## Graph (in Preview)
+
+With the new **Graph** tab (in preview), you can see:
+
+- The connection of alerts to the impacted assets in your organization.
+- Which entities are related to which alerts and how they are part of the story of the attack.
+- The alerts for the incident.
+
+Here's an example.
++
+The incident graph helps you quickly understand the full scope of the attack by connecting the different suspicious entities that are part of the attack with their related assets such as users, devices, and mailboxes.
+
+Now you can understand how the attack spread through your network over time, where it started, and how far the attack went.
++ ## Related topics - [Incidents overview](incidents-overview.md)
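Review bot: The new heading reads "Graph (in Preview)" while the sentence under it says "(in preview)"; pick one casing, and consider moving the preview status out of the heading into the body so the section anchor does not change when the feature leaves preview. "Here's an example." is followed only by an empty added line in this hunk, so check that the screenshot it introduces is actually present. The third bullet ("The alerts for the incident") largely repeats the first.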
security M365d Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-action-center.md
**Applies to:** - Microsoft 365 Defender
-## A "single pane of glass" experience
+The Action center provides a "single pane of glass" experience for incident and alert tasks such as:
-The Action center provides a "single pane of glass" experience for tasks, such as:
-- Approving pending remediation actions;-- Viewing an audit log of already approved remediation actions; and
+- Approving pending remediation actions.
+- Viewing an audit log of already approved remediation actions.
- Reviewing completed remediation actions.
-Your security operations team can operate more effectively and efficiently, because the Action center provides a comprehensive view of Microsoft 365 Defender at work.
+Because the Action center provides a comprehensive view of Microsoft 365 Defender at work, your security operations team can operate more effectively and efficiently.
-## A new, unified Action center
+## The unified Action center
-We are pleased to announce a new, unified Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center))!
+The unified Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) lists pending and completed remediation actions for your devices, email & collaboration content, and identities in one location.
:::image type="content" source="../../media/m3d-action-center-unified.png" alt-text="Unified Action center in Microsoft 365 Defender":::
-The improved Action center lists pending and completed remediation actions for your devices, email & collaboration content, and identities in one location.
-- If you were previously using the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), try the new, unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).-- If you were using the Action Center in the Microsoft Defender Security Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)), try the new, unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
+For example:
+
+- If you were previously using the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), try the unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
+- If you were using the Action Center in the Microsoft Defender Security Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)), try the unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
- If you were already using the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), you'll see several improvements in the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
-The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience. The Action center provides your security operations team with a "single pane of glass" experience to view and manage remediation actions.
+The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions and provides a unified investigation experience. Your security operations team has a "single pane of glass" experience to view and manage remediation actions.
You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:
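Review bot: The added "For example:" lead-in does not fit the list that follows, which is guidance on where to go depending on the portal you used before, not a set of examples of the preceding sentence; something like "Depending on which portal you used previously:" would read correctly. The "single pane of glass" phrase now appears in both the opening sentence and the last paragraph of this section, so one of them can go.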
You can use the unified Action center if you have appropriate permissions and on
1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in. 2. In the navigation pane, choose **Action center**.
-When you visit the Action center, you see two tabs: Pending actions and History. The following table summarizes what you'll see on each tab:
+When you visit the Action center, you see two tabs: **Pending actions** and **History**. The following table summarizes what you'll see on each tab:
|Tab |Description | |||
To perform tasks, such as approving or rejecting pending actions in the Action c
|Remediation action |Required roles and permissions | |--|-|
-|Microsoft Defender for Endpoint remediation (devices) |**Security Administrator** role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> or <br/>**Active remediation actions** role assigned in Microsoft Defender for Endpoint <br/> <br/> To learn more, see the following resources: <br/>- [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Create and manage roles for role-based access control (Microsoft Defender for Endpoint)](../defender-endpoint/user-roles.md) |
-|Microsoft Defender for Office 365 remediation (Office content and email) |**Security Administrator** role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> and <br/>**Search and Purge** role assigned the Security & Compliance Center ([https://protection.office.com](https://protection.office.com)) <br/><br/>**IMPORTANT**: If you have the **Security Administrator** role assigned only in the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), you will not be able to access the Action center or Microsoft 365 Defender capabilities. You must have the **Security Administrator** role assigned in Azure Active Directory or the Microsoft 365 admin center. <br/><br/>To learn more, see the following resources: <br/>- [Administrator role permissions in Azure Active Directory](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Permissions in the Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center) |
+|Microsoft Defender for Endpoint remediation (devices) |**Security Administrator** role assigned in either Azure Active Directory (Azure AD) ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> or <br/>**Active remediation actions** role assigned in Microsoft Defender for Endpoint <br/> <br/> To learn more, see the following resources: <br/>- [Administrator role permissions in Azure AD](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Create and manage roles for role-based access control (Microsoft Defender for Endpoint)](../defender-endpoint/user-roles.md) |
+|Microsoft Defender for Office 365 remediation (Office content and email) |**Security Administrator** role assigned in either Azure AD ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> and <br/>**Search and Purge** role assigned in the Security & Compliance Center ([https://protection.office.com](https://protection.office.com)) <br/><br/>**IMPORTANT**: If you have the **Security Administrator** role assigned only in the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), you will not be able to access the Action center or Microsoft 365 Defender capabilities. You must have the **Security Administrator** role assigned in Azure AD or the Microsoft 365 admin center. <br/><br/>To learn more, see the following resources: <br/>- [Administrator role permissions in Azure AD](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Permissions in the Security & Compliance Center](/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center) |
> [!TIP]
-> Users who have the **Global Administrator** role assigned in Azure Active Directory can approve or reject any pending action in the Action center. However, as a best practice, your organization should limit the number of people who have the **Global Administrator** role assigned. We recommend using the **Security Administrator**, **Active remediation actions**, and **Search and Purge** roles listed in the preceding table for Action center permissions.
+> Users who have the **Global Administrator** role assigned in Azure AD can approve or reject any pending action in the Action center. However, as a best practice, your organization should limit the number of people who have the **Global Administrator** role assigned. We recommend using the **Security Administrator**, **Active remediation actions**, and **Search and Purge** roles listed in the preceding table for Action center permissions.
## Next step -- [Review and manage remediation actions](m365d-autoir-actions.md)
+- [View and manage remediation actions](m365d-autoir-actions.md)
security M365d Autoir Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-actions.md
ms.technology: m365d
- Microsoft 365 Defender Threat protection features in Microsoft 365 Defender can result in certain remediation actions. Here are some examples:-- [Automated investigations](m365d-autoir.md) can result in remediation actions that are taken automatically or await approval.+
+- [Automated investigations](m365d-autoir.md) can result in remediation actions that are taken automatically or await your approval.
- Antivirus, antimalware, and other threat protection features can result in remediation actions, such as blocking a file, URL, or process, or sending an artifact to quarantine. - Your security operations team can take remediation actions manually, such as during [advanced hunting](advanced-hunting-overview.md) or while investigating [alerts](investigate-alerts.md) or [incidents](investigate-incidents.md). > [!NOTE]
-> You must have [appropriate permissions](m365d-action-center.md#required-permissions-for-action-center-tasks) to approve or reject remediation actions. For more information, see [Prerequisites for automated investigation and response in Microsoft 365 Defender](m365d-configure-auto-investigation-response.md#prerequisites-for-automated-investigation-and-response-in-microsoft-365-defender).
+> You must have [appropriate permissions](m365d-action-center.md#required-permissions-for-action-center-tasks) to approve or reject remediation actions. For more information, see the [prerequisites](m365d-configure-auto-investigation-response.md#prerequisites-for-automated-investigation-and-response-in-microsoft-365-defender).
## Review pending actions in the Action center It's important to approve (or reject) pending actions as soon as possible so that your automated investigations can proceed and complete in a timely manner.
-![Approve or reject an action](../../media/air-actioncenter-itemselected.png)
- 1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in. 2. In the navigation pane, choose **Action center**.
-3. In the Action Center, on the **Pending** tab, select an item in the list. Its flyout pane opens.
+3. In the Action Center, on the **Pending** tab, select an item in the list. Its flyout pane opens. Here's an example.
+
+ ![Approve or reject an action](../../media/air-actioncenter-itemselected.png)
4. Review the information in the flyout pane, and then take one of the following steps: - Select **Open investigation page** to view more details about the investigation.
If youΓÇÖve determined that a device or a file is not a threat, you can undo rem
1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.
-2. On the **History** tab, select a file that has the Action type **Quarantine file**.
+2. On the **History** tab, select a file that has a **Quarantine file** Action type.
3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. ## Next steps - [View the details and results of an automated investigation](m365d-autoir-results.md)-- [Learn how to handle false positives/negatives (if you get one)](m365d-autoir-report-false-positives-negatives.md)
+- [Address false positives or false negatives)](m365d-autoir-report-false-positives-negatives.md)
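Review bot: The added "Next steps" bullet has a stray `)` inside the link text, `[Address false positives or false negatives)]`, so the rendered link label will end with a closing parenthesis. It looks like a leftover from the removed line's "(if you get one)" suffix. Suggest `[Address false positives or false negatives](m365d-autoir-report-false-positives-negatives.md)`.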
security M365d Autoir Report False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-report-false-positives-negatives.md
Title: Handle false positives or false negatives in AIR in Microsoft 365 Defender
+ Title: Address false positives or false negatives in Microsoft 365 Defender
description: Was something missed or wrongly detected by AIR in Microsoft 365 Defender? Learn how to submit false positives or false negatives to Microsoft for analysis. keywords: automated, investigation, alert, remediation, false positive, false negative search.appverid: met150
ms.technology: m365d
-# Handle false positives/negatives in automated investigation and response capabilities
+# Address false positives or false negatives in Microsoft 365 Defender
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] **Applies to:** - Microsoft 365 Defender
-False positives/negatives can occasionally occur with any threat protection solution. If [automated investigation and response capabilities](m365d-autoir.md) in Microsoft 365 Defender missed or wrongly detected something, there are steps your security operations team can take:
+False positives or negatives can occasionally occur with any threat protection solution. If [automated investigation and response capabilities](m365d-autoir.md) in Microsoft 365 Defender missed or wrongly detected something, there are steps your security operations team can take:
-- [Report a false positive/negative to Microsoft](#report-a-false-positivenegative-to-microsoft-for-analysis);-- [Adjust your alerts](#adjust-an-alert-to-prevent-false-positives-from-recurring) (if needed); and -- [Undo remediation actions that were taken on devices](#undo-a-remediation-action-that-was-taken-on-a-device).
+- [Report a false positive/negative to Microsoft](#report-a-false-positivenegative-to-microsoft-for-analysis)
+- [Adjust your alerts](#adjust-an-alert-to-prevent-false-positives-from-recurring) (if needed)
+- [Undo remediation actions that were taken on devices](#undo-a-remediation-action-that-was-taken-on-a-device)
The following sections describe how to perform these tasks.
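Review bot: The three added bullets still use the slash form that the rest of this change replaces. The title, H1 and intro sentence now read "false positives or false negatives", but the first bullet's label is still "Report a false positive/negative to Microsoft". Suggest rewording the label to match. Also confirm that the `#report-a-false-positivenegative-to-microsoft-for-analysis` anchor still resolves. It is derived from the section heading, which is not visible here, and if that heading is renamed along with the title the link will break silently.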
The following sections describe how to perform these tasks.
|Scenario |Service |What to do | |--|--|--|
-|- An alert is triggered by legitimate use <br/>- An alert is inaccurate |[Microsoft Cloud App Security](/cloud-app-security)<br/> or <br/>[Azure Advanced Threat Detection](/azure/security/fundamentals/threat-detection) |[Manage alerts in the Cloud App Security portal](/cloud-app-security/managing-alerts) |
+|- An alert is triggered by legitimate use <br/>- An alert is inaccurate |[Microsoft Cloud App Security](/cloud-app-security)<br/> or <br/>[Azure threat protection](/azure/security/fundamentals/threat-detection) |[Manage alerts in the Cloud App Security portal](/cloud-app-security/managing-alerts) |
|A file, IP address, URL, or domain is treated as malware on a device, even though it's safe|[Microsoft Defender for Endpoint](/windows/security/threat-protection) |[Create a custom indicator with an "Allow" action](/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) | ## Undo a remediation action that was taken on a device
security M365d Autoir Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir-results.md
**Applies to:** - Microsoft 365 Defender
-With Microsoft 365 Defender, when an [automated investigation](m365d-autoir.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the [necessary permissions](m365d-action-center.md#required-permissions-for-action-center-tasks), you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions.
+With Microsoft 365 Defender, when an [automated investigation](m365d-autoir.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the [necessary permissions](m365d-action-center.md#required-permissions-for-action-center-tasks), you can view those details in an investigation details view. This view provides you with up-to-date status and the ability to approve any pending actions.
![Investigation details](../../media/mtp-air-investdetails.png) ## (NEW!) Unified investigation page The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and [Microsoft Defender for Office 365](../office-365-security/defender-for-office-365.md). To access the unified investigation page, select the link in the yellow banner you'll see on:+ - Any investigation page in the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)) - Any investigation page in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com))-- Any incident or Action center experience in the improved Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com))
+- Any incident or Action center experience in the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com))
## Open the investigation details view You can open the investigation details view by using one of the following methods:+ - [Select an item in the Action center](#select-an-item-in-the-action-center) - [Select an investigation from an incident details page](#open-an-investigation-from-an-incident-details-page)
The improved [Action center](m365d-action-center.md) ([https://security.microsof
Use an incident details page to view detailed information about an incident, including alerts that were triggered information about any affected devices, user accounts, or mailboxes.
-![Incident details](../../media/mtp-incidentdetails-tabs.png)
- 1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in. 2. In the navigation pane, choose **Incidents & alerts** > **Incidents**.
Use an incident details page to view detailed information about an incident, inc
5. Select **Open investigation page**.
+Here's an example.
+
+![Incident details](../../media/mtp-incidentdetails-tabs.png)
+ ## Investigation details
-Use the investigation details view to see past, current, and pending activity pertaining to an investigation. The investigation details view resembles the following image:
+Use the investigation details view to see past, current, and pending activity pertaining to an investigation. Here's an example.
![Investigation details](../../media/mtp-air-investdetails.png)
In the Investigation details view, you can see information on the **Investigatio
| Tab | Description | |:--|:--| | **Investigation graph** | Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval.<br/>You can select an item on the graph to view more details. For example, selecting the **Evidence** icon takes you to the **Evidence** tab, where you can see detected entities and their verdicts. |
-| **Alerts** | Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Cloud App Security, and other Microsoft 365 Defender features.|
+| **Alerts** | Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Microsoft Cloud App Security, and other Microsoft 365 Defender features.|
| **Devices** | Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to [the automation level for device groups](m365d-configure-auto-investigation-response.md#review-or-change-the-automation-level-for-device-groups).) | | **Mailboxes** |Lists mailboxes that are impacted by detected threats. | | **Users** | Lists user accounts that are impacted by detected threats. |
-| **Evidence** | Lists pieces of evidence raised by alerts/investigations. Includes verdicts (*Malicious*, *Suspicious*, or *No threats found*) and remediation status. |
+| **Evidence** | Lists pieces of evidence raised by alerts or investigations. Includes verdicts (*Malicious*, *Suspicious*, *Unknown*, or *No threats found*) and remediation status. |
| **Entities** | Provides details about each analyzed entity, including a verdict for each entity type (*Malicious*, *Suspicious*, or *No threats found*).| |**Log** | Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.|
-| **Pending actions** | Lists items that require approval to proceed. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) to approve pending actions. |
+| **Pending actions history** | Lists items that require approval to proceed. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) to approve pending actions. |
## Next steps -- [Approve or reject remediation actions following an automated investigation](m365d-autoir-actions.md)
+- [View and manage remediation actions](m365d-autoir-actions.md)
- [Learn more about remediation actions](m365d-remediation-actions.md)
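Review bot: In the tab table, the row renamed to **Pending actions history** keeps the description "Lists items that require approval to proceed", which describes pending items only, not history. Either keep the old tab name or extend the description to say what the history part shows. In the same table, the **Evidence** row now lists an *Unknown* verdict, but the unchanged **Entities** row directly below still lists only *Malicious*, *Suspicious*, or *No threats found*. If entities can also be *Unknown*, update that row so analysts see one consistent verdict set.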
security M365d Autoir https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-autoir.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-If your organization is using [Microsoft 365 Defender](microsoft-365-defender.md), your security operations team receives an alert whenever a malicious or suspicious artifact is detected. Given the seemingly never-ending flow of threats that come in, security teams often face challenges in addressing the high volume of alerts. Fortunately, Microsoft 365 Defender includes automated investigation and remediation (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.
+If your organization is using [Microsoft 365 Defender](microsoft-365-defender.md), your security operations team receives an alert within the Microsoft 365 security center whenever a malicious or suspicious activity or artifact is detected. Given the seemingly never-ending flow of threats that can come in, security teams often face the challenge of addressing the high volume of alerts. Fortunately, Microsoft 365 Defender includes automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.
This article provides an overview of AIR and includes links to next steps and additional resources.
In Microsoft 365 Defender, automated investigation and response with self-healin
## Your own virtual analyst
-Imagine having a virtual analyst in your Tier 1 or Tier 2 security operations team. The virtual analyst mimics the ideal steps that security operations would take to investigate and remediate threats. The virtual assistant could work 24x7, with unlimited capacity, and take on a significant load of investigations and threat remediation. Such a virtual assistant could significantly reduce the time to respond, freeing up your security operations team for other important strategic projects. If this scenario sounds like science fiction, it's not! Such a virtual analyst is part of your Microsoft 365 Defender suite, and its name is *automated investigation and response*.
+Imagine having a virtual analyst in your Tier 1 or Tier 2 security operations team. The virtual analyst mimics the ideal steps that security operations would take to investigate and remediate threats. The virtual analyst could work 24x7, with unlimited capacity, and take on a significant load of investigations and threat remediation. Such a virtual analyst could significantly reduce the time to respond, freeing up your security operations team for other important threats or strategic projects. If this scenario sounds like science fiction, it's not! Such a virtual analyst is part of your Microsoft 365 Defender suite, and its name is *automated investigation and response*.
-Automated investigation and response capabilities enable your security operations team to dramatically increase your organization's capacity to deal with security alerts and incidents. With automated investigation and response, you can reduce the cost of dealing with investigation and remediation activities and get the most out of your threat protection suite. Automated investigation and response capabilities help your security operations team by:
+Automated investigation and response capabilities enable your security operations team to dramatically increase your organization's capacity to deal with security alerts and incidents. With automated investigation and response, you can reduce the cost of dealing with investigation and response activities and get the most out of your threat protection suite. Automated investigation and response capabilities help your security operations team by:
-1. Determining whether a threat requires action;
-2. Taking (or recommending) any necessary remediation actions;
-3. Determining whether and what other investigations should occur; and
+1. Determining whether a threat requires action.
+2. Taking (or recommending) any necessary remediation actions.
+3. Determining whether and what other investigations should occur.
4. Repeating the process as necessary for other alerts. ## The automated investigation process An alert creates an incident, which can start an automated investigation. The automated investigation results in a verdict for each piece of evidence. Verdicts can be:-- *Malicious*;-- *Suspicious*; or -- *No threats found*.
+- *Malicious*
+- *Suspicious*
+- *No threats found*
Remediation actions for malicious or suspicious entities are identified. Examples of remediation actions include:-- Sending a file to quarantine;-- Stopping a process;-- Isolating a device;-- Blocking a URL; and -- other actions. (See [Remediation actions in Microsoft 365 Defender](m365d-remediation-actions.md).)+
+- Sending a file to quarantine
+- Stopping a process
+- Isolating a device
+- Blocking a URL
+- Other actions
+
+For more information, see See [Remediation actions in Microsoft 365 Defender](m365d-remediation-actions.md).
Depending on [how automated investigation and response capabilities are configured](m365d-configure-auto-investigation-response.md) for your organization, remediation actions are taken automatically or only upon approval by your security operations team. All actions, whether pending or completed, are listed in the [Action center](m365d-action-center.md).
-While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an incriminated entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.
+While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.
-In Microsoft 365 Defender, each automated investigation correlates signals across Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Defender for Office 365, as summarized in the following table:
+In Microsoft 365 Defender, each automated investigation correlates signals across Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Microsoft Defender for Office 365, as summarized in the following table:
|Entities |Threat protection services | |:|:|
-|Devices (also referred to as endpoints, and sometimes referred to as machines) |[Microsoft Defender for Endpoint](../defender-endpoint/automated-investigations.md)<br/>[Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp) |
-|Email content (email messages that can contain files and URLs) |[Microsoft Defender for Office 365](../office-365-security/defender-for-office-365.md) |
+|Devices (also referred to as endpoints or machines) |[Defender for Endpoint](../defender-endpoint/automated-investigations.md) |
+|On-premises Active Directory users, entity behavior, and activities |[Defender for Identity](/azure-advanced-threat-protection/what-is-atp) |
+|Email content (email messages that can contain files and URLs) |[Defender for Office 365](../office-365-security/defender-for-office-365.md) |
> [!NOTE]
-> Not every alert triggers an automated investigation, and not every investigation results in automated remediation actions; it depends on how automated investigation and response is configured for your organization. See [Configure automated investigation and response capabilities in Microsoft 365 Defender](m365d-configure-auto-investigation-response.md).
+> Not every alert triggers an automated investigation, and not every investigation results in automated remediation actions. It depends on how automated investigation and response is configured for your organization. See [Configure automated investigation and response capabilities](m365d-configure-auto-investigation-response.md).
## Viewing a list of investigations
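Review bot: The line added after the remediation actions list reads "For more information, see See [Remediation actions in Microsoft 365 Defender]", with "see" duplicated. Drop the second word. Separately, the verdict list reformatted in this hunk still has three values (*Malicious*, *Suspicious*, *No threats found*), while the Evidence tab description in m365d-autoir-results.md gains *Unknown* in the same update. Worth aligning the two articles so the verdict set is documented consistently.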
To view investigations, go to the **Incidents** page. Select an incident, and th
## Next steps -- [See the prerequisites for automated investigation and response in Microsoft 365 Defender](m365d-configure-auto-investigation-response.md#prerequisites-for-automated-investigation-and-response-in-microsoft-365-defender)
+- [See the prerequisites for automated investigation and response](m365d-configure-auto-investigation-response.md#prerequisites-for-automated-investigation-and-response-in-microsoft-365-defender)
- [Configure automated investigation and response for your organization](m365d-configure-auto-investigation-response.md) - [Learn more about the Action center](m365d-action-center.md)
security M365d Configure Auto Investigation Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-configure-auto-investigation-response.md
ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
-Microsoft 365 Defender includes powerful [automated investigation and response capabilities](m365d-autoir.md) that can save your security operations team much time and effort. With [self-healing](m365d-autoir.md#how-automated-investigation-and-self-healing-works), these capabilities mimic the steps a security analyst would take to investigate and respond to threats, only faster, and with more ability to scale. This article describes how to configure automated investigation and response in Microsoft 365 Defender.
+Microsoft 365 Defender includes powerful [automated investigation and response capabilities](m365d-autoir.md) that can save your security operations team much time and effort. With [self-healing](m365d-autoir.md#how-automated-investigation-and-self-healing-works), these capabilities mimic the steps a security analyst would take to investigate and respond to threats, only faster, and with more ability to scale.
-To configure automated investigation and response capabilities, follow these steps:
+This article describes how to configure automated investigation and response in Microsoft 365 Defender with these steps:
1. [Review the prerequisites](#prerequisites-for-automated-investigation-and-response-in-microsoft-365-defender). 2. [Review or change the automation level for device groups](#review-or-change-the-automation-level-for-device-groups). 3. [Review your security and alert policies in Office 365](#review-your-security-and-alert-policies-in-office-365). 4. [Make sure Microsoft 365 Defender is turned on](#make-sure-microsoft-365-defender-is-turned-on).
-Then, after you're all set up, [View and manage actions in the Action center](m365d-autoir-actions.md).
+Then, after you're all set up, you can [view and manage remediation actions in the Action center](m365d-autoir-actions.md).
## Prerequisites for automated investigation and response in Microsoft 365 Defender |Requirement |Details | |:-|:-|
-|Subscription requirements |One of these subscriptions: <br/>- Microsoft 365 E5<br/>- Microsoft 365 A5<br/>- Microsoft 365 E5 Security<br/>- Microsoft 365 A5 Security<br/>- Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5<p> See [Microsoft 365 Defender licensing requirements](./prerequisites.md#licensing-requirements).|
+|Subscription requirements |One of these subscriptions: <br/>- Microsoft 365 E5<br/>- Microsoft 365 A5<br/>- Microsoft 365 E3 with the Microsoft 365 E5 Security add-on<br/>- Microsoft 365 A3 with the Microsoft 365 A5 Security add-on<br/>- Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5<p> See [Microsoft 365 Defender licensing requirements](./prerequisites.md#licensing-requirements).|
|Network requirements |- [Microsoft Defender for Identity](/azure-advanced-threat-protection/what-is-atp) enabled<br/>- [Microsoft Cloud App Security](/cloud-app-security/what-is-cloud-app-security) configured<br/>- [Microsoft Defender for Identity integration](/cloud-app-security/mdi-integration) | |Windows machine requirements |- Windows 10, version 1709 or later installed (See [Windows 10 release information](/windows/release-information/)) <br/>- The following threat protection services configured:<br/>- [Microsoft Defender for Endpoint](../defender-endpoint/configure-endpoints.md)<br/>- [Microsoft Defender Antivirus](/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) | |Protection for email content and Office files |[Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365#configure-atp-policies) configured |
Then, after you're all set up, [View and manage actions in the Action center](m3
## Review or change the automation level for device groups
-Whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings, such as your organization's device group policies. Review the automation level set for your device group policies.
+Whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings, such as your organization's device group policies. Review the configured automation level for your device group policies.
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Go to **Settings** > **Permissions** > **Device groups**.
Whether automated investigations run, and whether remediation actions are taken
## Review your security and alert policies in Office 365
-Microsoft provides built-in [alert policies](../../compliance/alert-policies.md) that help identify certain risks. These risks include Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Some alerts can trigger [automated investigation and response in Office 365](../office-365-security/office-365-air.md). Make sure your [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/defender-for-office-365) features are configured correctly.
+Microsoft provides built-in [alert policies](../../compliance/alert-policies.md) that help identify certain risks. These risks include Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. Some alerts can trigger [automated investigation and response in Office 365](../office-365-security/office-365-air.md). Make sure your [Defender for Office 365](../office-365-security/defender-for-office-365.md) features are configured correctly.
-Although certain alerts and security policies can trigger automated investigations, no remediation actions are taken automatically for email and content. Instead, all remediation actions for email and email content await approval by your security operations team in the [Action center](m365d-action-center.md).
+Although certain alerts and security policies can trigger automated investigations, *no remediation actions are taken automatically for email and content*. Instead, all remediation actions for email and email content await approval by your security operations team in the [Action center](m365d-action-center.md).
Security settings in Office 365 help protect email and content. To view or change these settings, follow the guidance in [Protect against threats](../office-365-security/protect-against-threats.md).
-1. In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Policies** > **Threat protection**.
+1. In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Policies & Rules** > **Threat policies**.
2. Make sure all of the following policies are configured. To get help and recommendations, see [Protect against threats](/microsoft-365/security/office-365-security/protect-against-threats).
- - [Anti-malware (Office 365)](../office-365-security/protect-against-threats.md#part-1anti-malware-protection)
- - [Anti-phishing in Defender for Office 365)](../office-365-security/protect-against-threats.md#part-2anti-phishing-protection)
- - [Safe Attachments (Office 365)](../office-365-security/protect-against-threats.md#safe-attachments-policies-in-microsoft-defender-for-office-365)
- - [Safe Links (Office 365)](../office-365-security/protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365)
- - [Anti-spam (Office 365)](../office-365-security/protect-against-threats.md#part-3anti-spam-protection)
+ - [Anti-malware)](../office-365-security/protect-against-threats.md#part-1anti-malware-protection)
+ - [Anti-phishing)](../office-365-security/protect-against-threats.md#part-2anti-phishing-protection)
+ - [Safe Attachments](../office-365-security/protect-against-threats.md#safe-attachments-policies-in-microsoft-defender-for-office-365)
+ - [Safe Links](../office-365-security/protect-against-threats.md#safe-links-policies-in-microsoft-defender-for-office-365)
+ - [Anti-spam](../office-365-security/protect-against-threats.md#part-3anti-spam-protection)
3. Make sure [Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](../office-365-security/protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on) is turned on. 4. Make sure [zero-hour auto purge for email](../office-365-security/protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop) protection is in effect. 5. (This step is optional.) Review your [Office 365 alert policies](../../compliance/alert-policies.md) in the Microsoft 365 compliance center ([https://compliance.microsoft.com/compliancepolicies](https://compliance.microsoft.com/compliancepolicies)). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see [Default alert policies](../../compliance/alert-policies.md#default-alert-policies).
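Review bot: Two of the shortened policy links in step 2 have a stray `)` inside the link text: `[Anti-malware)]` and `[Anti-phishing)]`. They are leftovers from the removed "(Office 365)" and "in Defender for Office 365)" suffixes and will render as part of the label. The other three added bullets (Safe Attachments, Safe Links, Anti-spam) are clean, so the fix is just removing the parenthesis from these two.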
Security settings in Office 365 help protect email and content. To view or chang
:::image type="content" source="../../media/mtp-enable/mtp-on.png" alt-text="MTP on":::
-1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+1. Sign in to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)).
2. In the navigation pane, look for **Incidents**, **Action center**, and **Hunting**, as shown in the preceding image.
- - If you see **Incidents**, **Action center**, and **Hunting**, Microsoft 365 Defender is turned on. See the procedure, [Review or change the automation level for device groups](#review-or-change-the-automation-level-for-device-groups) (in this article).
- - If you do *not* see **Incidents**, **Action center**, or **Hunting**, then Microsoft 365 Defender might not be turned on. In this case, proceed to [Visit the Action center](m365d-action-center.md)).
+ - If you see **Incidents**, **Action center**, and **Hunting**, Microsoft 365 Defender is turned on. See the [Review or change the automation level for device groups](#review-or-change-the-automation-level-for-device-groups) section of this article.
+ - If you do *not* see **Incidents**, **Action center**, or **Hunting**, Microsoft 365 Defender might not be turned on. In this case, [visit the Action center](m365d-action-center.md)).
3. In the navigation pane, choose **Settings** > **Microsoft 365 Defender**. Confirm that Microsoft 365 Defender is turned on. > [!TIP]
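Review bot: The rewritten "If you do *not* see" bullet in step 2 ends with `[visit the Action center](m365d-action-center.md)).`, carrying over the unmatched `)` from the removed line, so a stray parenthesis renders after the link. Remove it. While editing this bullet, check that the link target is the intended one. The bullet covers the case where Microsoft 365 Defender might not be turned on, and step 3 then sends the reader to **Settings** > **Microsoft 365 Defender** to confirm it, so a pointer to the Action center article reads oddly here.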
security M365d Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-remediation-actions.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-## Remediation actions
- During and after an automated investigation in Microsoft 365 Defender, remediation actions are identified for malicious or suspicious items. Some kinds of remediation actions are taken on devices, also referred to as endpoints. Other remediation actions are taken on email content. Automated investigations complete after remediation actions are taken, approved, or rejected. > [!IMPORTANT]
During and after an automated investigation in Microsoft 365 Defender, remediati
> - [How threats are remediated on devices](../defender-endpoint/automated-investigations.md) > - [Threats and remediation actions on email & collaboration content](../office-365-security/air-remediation-actions.md#threats-and-remediation-actions)
-The following table summarizes remediation actions that are currently supported in Microsoft 365 Defender:
+The following table summarizes remediation actions that are currently supported in Microsoft 365 Defender.
|Device (endpoint) remediation actions |Email remediation actions | |:|:|
When an automated investigation completes, a verdict is reached for every piece
The following table lists possible verdicts and outcomes:
-| Verdict | Area | Outcomes|
+| Verdict | Affected entities | Outcomes|
|||| | Malicious | Devices (endpoints) | Remediation actions are taken automatically (assuming your organization's [device groups](m365d-configure-auto-investigation-response.md#review-or-change-the-automation-level-for-device-groups) are set to **Full - remediate threats automatically**)| | Malicious | Email content (URLs or attachments) | Recommended remediation actions are pending approval|
The following table lists possible verdicts and outcomes:
## Remediation actions that are taken manually
-In addition to remediation actions that follow automated investigations, your security operations team can take certain remediation actions manually. These include the following actions:
+In addition to remediation actions that follow automated investigations, your security operations team can take certain remediation actions manually. These include the following:
-- Manual device action, such as device isolation or file quarantine.-- Manual email action, such as soft-deleting email messages. -- [Advanced hunting](../defender-endpoint/advanced-hunting-overview.md) action on devices or email.-- [Explorer](../office-365-security/threat-explorer.md) action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email.-- Manual [live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response) action, such as deleting a file, stopping a process, and removing a scheduled task.-- Live response action with [Microsoft Defender for Endpoint APIs](../defender-endpoint/management-apis.md#microsoft-defender-for-endpoint-apis), such as isolating a device, running an antivirus scan, and getting information about a file.
+- Manual device action, such as device isolation or file quarantine
+- Manual email action, such as soft-deleting email messages
+- [Advanced hunting](../defender-endpoint/advanced-hunting-overview.md) action on devices or email
+- [Explorer](../office-365-security/threat-explorer.md) action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email
+- Manual [live response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response) action, such as deleting a file, stopping a process, and removing a scheduled task
+- Live response action with [Microsoft Defender for Endpoint APIs](../defender-endpoint/management-apis.md#microsoft-defender-for-endpoint-apis), such as isolating a device, running an antivirus scan, and getting information about a file
## Next steps - [Visit the Action center](m365d-action-center.md)-- [View and manage remediation actions]( m365d-autoir-actions.md)-- [Handle false positives/negatives in automated investigation and response capabilities](m365d-autoir-report-false-positives-negatives.md)
+- [View and manage remediation actions](m365d-autoir-actions.md)
+- [Address false positives or false negatives](m365d-autoir-report-false-positives-negatives.md)
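Review bot: The re-added live response bullet still links to an absolute `https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/live-response` URL, while every other link this hunk touches is relative (`../defender-endpoint/...`, `../office-365-security/...`). Since the line is being rewritten anyway, point it at the relative path of the current article if one exists in this repo. That way the link follows the same versioning and link validation as its neighbours. The switch from sentence-style bullets with periods to fragments without them is fine, but the intro now reads "These include the following:" with no noun. Keeping "the following actions:" reads better.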
security Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/prerequisites.md
Learn about licensing and other requirements for provisioning and using [Microso
Any of these licenses gives you access to Microsoft 365 Defender features in Microsoft 365 security center without additional cost: - Microsoft 365 E5 or A5-- Microsoft 365 E5 Security or A5 Security
+- Microsoft 365 E3 with the Microsoft 365 E5 Security add-on
+- Microsoft 365 A3 with the Microsoft 365 A5 Security add-on
- Windows 10 Enterprise E5 or A5 - Enterprise Mobility + Security (EMS) E5 or A5 - Office 365 E5 or A5
Any of these licenses gives you access to Microsoft 365 Defender features in Mic
For more information, [view the Microsoft 365 Enterprise service plans](https://www.microsoft.com/licensing/product-licensing/microsoft-365-enterprise).
-> Don't have license yet? [Try or buy a Microsoft 365 subscription](../../commerce/try-or-buy-microsoft-365.md?view=o365-worldwide)
+> Don't have license yet? [Try or buy a Microsoft 365 subscription](../../commerce/try-or-buy-microsoft-365.md)
### Check your existing licenses Go to Microsoft 365 admin center ([admin.microsoft.com](https://admin.microsoft.com/)) to view your existing licenses. In the admin center, go to **Billing** > **Licenses**.
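Review bot: The line that drops `?view=o365-worldwide` from the try-or-buy link keeps the phrase "Don't have license yet?", which is missing an article. Since the line is already being edited, change it to "Don't have a license yet?". In the license list above, "Microsoft 365 E5 Security or A5 Security" is removed and replaced by the two add-on entries. If the standalone names are still how the product appears under **Billing** > **Licenses**, readers checking their existing licenses against this list may not find a match. Consider naming both forms.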
security Air Custom Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-custom-reporting.md
Title: Custom reporting solutions with automated investigation and response
keywords: SIEM, API, AIR, autoIR, Microsoft Defender for Endpoint, automated investigation, integration, custom report f1.keywords: - NOCSH--++ audience: ITPro
security Air Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-remediation-actions.md
Title: Remediation actions in Microsoft Defender for Office 365
keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, response, remediation, threats, advanced, threat, protection f1.keywords: - NOCSH--++ audience: ITPro
security Air Report False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-report-false-positives-negatives.md
ms.sitesec: library
ms.pagetype: security f1.keywords: - NOCSH--++ ms.prod: m365-security Last updated 01/29/2021 localization_priority: Normal
security Air Review Approve Pending Completed Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions.md
Title: Review and manage remediation actions in Microsoft Defender for Office 36
keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, response, remediation, threats, advanced, threat, protection f1.keywords: - NOCSH--++ audience: ITPro
security Air View Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-view-investigation-results.md
Title: View the results of an automated investigation in Microsoft 365
keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, remediation, actions f1.keywords: - NOCSH--++ audience: ITPro
security Automated Investigation Response Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/automated-investigation-response-office.md
Title: How automated investigation and response works in Microsoft Defender for Office 365 f1.keywords: - NOCSH--++ audience: ITPro
security Find And Release Quarantined Messages As A User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/find-and-release-quarantined-messages-as-a-user.md
After you select a message, you have options for what to do with the messages in
- **Remove from quarantine**: After you click **Yes** in the warning that appears, the message is immediately deleted. -- **Block Sender**: Prevents the sender from sending messages to you.
+- **Block Sender**: Add the sender to the Blocked Senders list on your mailbox. For more information, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4).
+
+Add the sender to the Blocked Senders list on your mailbox. For more information, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4).
When you're finished, click **Close**.
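Review bot: The new **Block Sender** text is added twice. It appears once in the bullet and again as a standalone paragraph two lines later with identical wording and the same support link. Drop the standalone copy (and the blank `+` line before it) so the description appears only in the list item. The behavioural change itself is worth keeping. The old wording, "Prevents the sender from sending messages to you", overstated the effect, whereas adding the sender to the mailbox's Blocked Senders list is a narrower, per-mailbox control.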
security Manage Quarantined Messages And Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-quarantined-messages-and-files.md
After you select a message, you have several options for what to do with the mes
- **Download message**: In the flyout pane that appears, select **I understand the risks from downloading this message** to save a local copy of the message in .eml format. -- **Block Sender**: Prevents the sender from sending messages to recipients in the organization.
+- **Block Sender**: Add the sender to the Blocked Senders list on your mailbox. For more information, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4).
- **Submit message**: In the flyout pane that appears, choose the following options:
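Review bot: In the admin article, the replacement **Block Sender** line says "on your mailbox", copied verbatim from the end-user article. The removed line described an effect on "recipients in the organization". An admin reading this while acting on another user's quarantined message cannot tell whose Blocked Senders list is changed. They may also assume the sender is now blocked tenant-wide when the new text describes a single-mailbox list. State explicitly which mailbox is affected. If an organization-wide block is still intended for admins, say where that is configured rather than leaving the narrower wording to imply it.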
security Message Trace Scc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-trace-scc.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-## Message trace features
- Message trace in the Security & Compliance Center follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
-Message trace in the Security & Compliance Center improves upon the original message trace that was available in the Exchange admin center (EAC). You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes.
+You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes.
-> [!NOTE]
->
-> - To do a message trace, you need to be a member of the Organization Management, Compliance Management or Help Desk role groups. For more information, see [Permissions in the Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).
->
-> - The maximum number of messages that are displayed in the results depends on the report type you selected (see the [Choose report type](#choose-report-type) section for details). The [Get-HistoricalSearch](/powershell/module/exchange/get-historicalsearch) cmdlet in Exchange Online PowerShell or standalone EOP PowerShell returns all messages in the results.
+## What do you need to know before you begin?
+
+- You need to be a member of the **Organization Management**, **Compliance Management** or **Help Desk** role groups in **Exchange Online** to use message trace. For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
+
+ **Notes**: Membership in the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).
+
+- The maximum number of messages that are displayed in the results of a message trace depends on the report type you selected (see the [Choose report type](#choose-report-type) section for details). The [Get-HistoricalSearch](/powershell/module/exchange/get-historicalsearch) cmdlet in Exchange Online PowerShell or standalone EOP PowerShell returns all messages in the results.
## Open message trace
-1. Open the Security & Compliance Center at <https://protection.office.com>.
+Open the Security & Compliance Center at <https://protection.office.com/>, and then go to **Mail flow** \> **Message trace**.
-2. Expand **Mail flow**, and then select **Message trace**.
+To go directly to the **Message trace** page, open <https://protection.office.com/messagetrace>.
## Message trace page From here you can start a new default trace by clicking on the **Start a trace** button. This will search for all messages for all senders and recipients for the last two days. Or you can use one of the stored queries from the available query categories and either run them as-is or use them as starting points for your own queries: - **Default queries**: Built-in queries provided by Microsoft 365.- - **Custom queries**: Queries saved by admins in your organization for future use.- - **Autosaved queries**: The last ten most recently run queries. This list makes it simple to pick up where you left off. Also on this page is a **Downloadable reports** section for the requests you've submitted, as well as the reports themselves when they're are available for download.
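Review bot: In the new "What do you need to know before you begin?" section, the indented paragraph is labelled "**Notes**:" but contains a single note. Use "**Note**:" or the `> [!NOTE]` form that the removed text used. On substance, that note says membership in the corresponding Azure Active Directory role grants the required permissions "_and_ permissions for other features in Microsoft 365", yet it does not tell the reader which option to prefer. Message trace exposes senders, recipients, subjects and client IPs, so add a sentence recommending the Exchange Online role groups when message trace is all the user needs. Also say which of the three listed groups is the narrowest. The permissions link has also moved from the Security & Compliance Center permissions article to the Exchange Online one. Confirm that role assignments made in the Security & Compliance Center no longer grant access. If they still do, keep both links.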
Also on this page is a **Downloadable reports** section for the requests you've
The default values are **All senders** and **All recipients**, but you can use the following fields to filter the results: - **By these people**: Click in this field to select one or more senders from your organization. You can also start to type a name and the items in the list will be filtered by what you've typed, much like how a search page behaves.- - **To these people**: Click in this field to select one or more recipients in your organization. > [!NOTE] > > - You can also type the email addresses of external senders and recipients. Wildcards are supported (for example, `*@contoso.com`), but you can't use multiple wildcard entries in the same field at the same time.
->
> - You can paste multiple senders or recipients lists separated by semicolons (`;`). spaces (`\s`), carriage returns (`\r`), or next lines (`\n`). ### Time range
The default value is **2 days**, but you can specify date/time ranges of up to 9
You can leave the default value **All** selected, or you can select one of the following values to filter the results: - **Delivered**: The message was successfully delivered to the intended destination.- - **Pending**: Delivery of the message is being attempted or re-attempted.- - **Expanded**: A distribution group recipient was expanded before delivery to the individual members of the group.- - **Failed**: The message was not delivered.- - **Quarantined**: The message was quarantined (as spam, bulk mail, or phishing). For more information, see [Quarantined email messages in EOP](quarantine-email-messages.md).- - **Filtered as spam**: The message was identified spam, and was rejected or blocked (not quarantined).- - **Getting status:** The message was recently received by Microsoft 365, but no other status data is yet available. Check back in a few minutes. > [!NOTE]
You can filer the results by client IP address to investigate hacked computers t
The available report types are: - **Summary**: Available if the time range is less than 10 days, and requires no additional filtering options. The results are available almost immediately after you click **Search**. The report returns up to 20000 results.- - **Enhanced summary** or **Extended**: These reports are only available as downloadable CSV files, and require one or more of the following filtering options regardless of the time range: **By these people**, **To these people**, or **Message ID**. You can use wildcards for the senders or the recipients (for example, \*@contoso.com). The Enhanced summary report returns up to 50000 results. The Extended report returns up to 1000 results. > [!NOTE] > > - Enhanced summary and Extended reports are prepared using archived message trace data, and it can take up to several hours before your report is available to download. Depending on how many other admins have also submitted report requests around the same time, you might also notice a delay before your queued request starts to be processed.
->
> - While you can select an Enhanced summary or Extended report for any date/time range, commonly the last four hours of archived data will not yet be available for these two types of reports.
->
> - The maximum size for a downloadable report is 500 MB. If a downloadable report exceeds 500 MB, you can't open the report in Excel or Notepad. When you click **Next**, you're presented with a summary page that lists the filtering options that you selected, a unique (editable) title for the report, and the email address that receives the notification when the message trace completes (also editable, and must be in one of your organization's accepted domains). Click **Prepare report** to submit the message trace. On the main **Message trace** page, you can see the status of the report in the **Downloadable reports** section.
After running the message trace, the results will be listed, sorted by descendin
The summary report contains the following information: - **Date**: The date and time at which the message was received by the service, using the configured UTC time zone.- - **Sender**: The email address of the sender (*alias*@*domain*).- - **Recipient**: The email address of the recipient or recipients. For a message sent to multiple recipients, there's one line per recipient. If the recipient is a distribution group, dynamic distribution group, or mail-enabled security group, the group will be the first recipient, and then each member of the group is on a separate line.- - **Subject**: The first 256 characters of the message's **Subject:** field.- - **Status**: These values are described in the [Delivery status](#delivery-status) section. By default, the first 250 results are loaded and readily available. When you scroll down, there's a slight pause as the next batch of results are loaded. Instead of scrolling, you can click **Load all** to load all of the results up to a maximum of 10,000.
For more information about the Message ID, see the Message ID section earlier in
In the summary report output, you can view details about a message by using either of the following methods: - Select the row (click anywhere in the row except the check box).- - Select the row's check box and click **More options** ![More](../../media/1ea52bbf-9d00-48ce-9362-307f7f6fb7fe.png) \> **View message details**. ![Details after double-clicking a row in the summary report message trace results in the Security & Compliance Center](../../media/e50ee7cd-810a-4c06-8b58-e56ffd7028d1.png)
In the summary report output, you can view details about a message by using eith
The message trace details contain the following additional information that's not present in the summary report: - **Message events**: This section contains classifications that help categorize the actions that the service takes on messages. **Some of the more interesting events** that you might encounter are:- - **Receive**: The message was received by the service.- - **Send**: The message was sent by the service.- - **Fail**: The message failed to be delivered.- - **Deliver**: The message was delivered to a mailbox.- - **Expand**: The message was sent to a distribution group that was expanded.- - **Transfer**: Recipients were moved to a bifurcated message because of content conversion, message recipient limits, or agents.- - **Defer**: The message delivery was postponed and might be re-attempted later.- - **Resolved**: The message was redirected to a new recipient address based on an Active Directory look up. When this happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message. > [!NOTE]
- >
+ >
> - An uneventful message that's successfully delivered will generate multiple **Event** entries in the message trace.
- >
> - This list is not meant to be exhaustive. For descriptions of more events, see [Event types in the message tracking log](/Exchange/mail-flow/transport-logs/message-tracking#event-types-in-the-message-tracking-log). Note that this link is an Exchange Server (on-premises Exchange) topic. - **More information**: This section contains the following details:- - **Message ID**: This value is described in the [Message ID](#message-id) section earlier in this article. For example, `<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>`.- - **Message size**- - **From IP**: The IP address of the computer that sent the message. For outbound messages sent from Exchange Online, this value is blank.- - **To IP**: The IP address or addresses where the service attempted to deliver the message. If the message has multiple recipients, these are displayed. For inbound messages sent to Exchange Online, this value is blank. ### Enhanced summary reports
The message trace details contain the following additional information that's no
Available (completed) Enhanced summary reports are available in the **Downloadable reports** section at the beginning message trace. The following information is available in the report: - **origin_timestamp**<sup>*</sup>: The date and time when the message was initially received by the service, using the configured UTC time zone.- - **sender_address**: The sender's email address (*alias*@*domain*).- - **Recipient_status**: The status of the delivery of the message to the recipient. If the message was sent to multiple recipients, it will show all the recipients and the corresponding status for each, in the format: \<*email address*\>##\<*status*\>. For example:- - **##Receive, Send** means the message was received by the service and was sent to the intended destination.- - **##Receive, Fail** means the message was received by the service but delivery to the intended destination failed.- - **##Receive, Deliver** means the message was received by the service and was delivered to the recipient's mailbox.- - **message_subject**: The first 256 characters of the message's **Subject** field.- - **total_bytes**: The size of the message in bytes, including attachments.- - **message_id**: This value is described in the [Message ID](#message-id) section earlier in this article. For example, `<d9683b4c-127b-413a-ae2e-fa7dfb32c69d@DM3NAM06BG401.Eop-nam06.prod.protection.outlook.com>`.- - **network_message_id**: A unique message ID value that persists across all copies of the message that might be created due to bifurcation or distribution group expansion. An example value is `1341ac7b13fb42ab4d4408cf7f55890f`.- - **original_client_ip**: The IP address of the sender's client.- - **directionality**: Indicates whether the message was sent inbound (1) to your organization, or whether it was sent outbound (2) from your organization.- - **connector_id**: The name of the source or destination connector. 
For more information about connectors in Exchange Online, see [Configure mail flow using connectors in Office 365](/Exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow).- - **delivery_priority**<sup>*</sup>: Whether the message was sent with **High**, **Low**, or **Normal** priority. <sup>*</sup> These properties are only available in Enhanced summary reports.
Available (completed) Enhanced summary reports are available in the **Downloadab
Available (completed) Extended reports are available in the **Downloadable reports** section at the beginning of message trace. Virtually all of the information from an Enhanced summary report is available in an Extended report (with the exception of **origin_timestamp** and **delivery_priority**). The following additional information is only available in an Extended report: - **client_ip**: The IP address of the email server or messaging client that submitted the message.- - **client_hostname**: The host name or FQDN of the email server or messaging client that submitted the message.- - **server_ip**: The IP address of the source or destination server.- - **server_hostname**: The host name or FQDN of the destination server.- - **source_context**: Extra information associated with the **source** field. For example:- - `Protocol Filter Agent`- - `3489061114359050000`- - **source**: The Exchange Online component that's responsible for the event. For example:- - `AGENT`- - `MAILBOXRULE`- - `SMTP`- - **event_id**: These correspond to the **Message event** values that are explained in the [Find related records for this message](#find-related-records-for-this-message) section.- - **internal_message_id**: A message identifier that's assigned by the Exchange Online server that's currently processing the message.- - **recipient_address**: The email addresses of the message's recipients. Multiple email addresses are separated by the semicolon character (;).- - **recipient_count**: The total number of recipients in the message.- - **related_recipient_address**: Used with `EXPAND`, `REDIRECT`, and `RESOLVE` events to display other recipient email addresses that are associated with the message.- - **reference**: This field contains additional information for specific types of events. 
For example:- - **DSN**: Contains the report link, which is the **message_id** value of the associated delivery status notification (also known as a DSN, non-delivery report, NDR, or bounce message) if a DSN is generated subsequent to this event. If this is a DSN message, this field contains the **message_id** value of the original message that the DSN was generated for.- - **EXPAND**: Contains the **related_recipient_address** value of the related messages.- - **RECEIVE**: Might contain the **message_id** value of the related message if the message was generated by other processes (for example, Inbox rules).- - **SEND**: Contains the **internal_message_id** value of any DSN messages.- - **TRANSFER**: Contains the **internal_message_id** value of the message that's being forked (for example, by content conversion, message recipient limits, or agents).-
- - **MAILBOXRULE**: Contains the **internal_message_id** value of the inbound message that caused the Inbox rule to generate the outbound message.
-
- For other types of events, this field is usually blank.
-
+ - **MAILBOXRULE**: Contains the **internal_message_id** value of the inbound message that caused the Inbox rule to generate the outbound message. For other types of events, this field is usually blank.
- **return_path**: The return email address specified by the **MAIL FROM** command that sent the message. Although this field is never empty, it can have the null sender address value represented as `<>`.- - **message_info**: Additional information about the message. For example:- - The message origination date-time in UTC for `DELIVER` and `SEND` events. The origination date-time is the time when the message first entered the Exchange Online organization. The UTC date-time is represented in the ISO 8601 date-time format: `yyyy-mm-ddThh:mm:ss.fffZ`, where `yyyy` = year, `mm` = month, `dd` = day, `T` indicates the beginning of the time component, `hh` = hour, `mm` = minute, `ss` = second, `fff` = fractions of a second, and `Z` signifies `Zulu`, which is another way to denote UTC.- - Authentication errors. For example, you might see the value `11a` and the type of authentication that was used when the authentication error occurred.- - **tenant_id**: A GUID value that represents the Exchange Online organization (for example, `39238e87-b5ab-4ef6-a559-af54c6b07b42`).- - **original_server_ip**: The IP address of the original server.- - **custom_data**: Contains data related to specific event types. For more information, see the following sections. #### custom_data values
The **custom_data** field for an `AGENTINFO` event is used by a variety of Excha
A **custom_data** value that starts with `S:SFA` is from the spam filter agent. The key details are described in the following table:
+<br>
+ **** |Value|Description|
An example **custom_data** value for a message that's filtered for spam like thi
A **custom_data** value that starts with `S:AMA` is from the malware filter agent. The key details are described in the following table:
+<br>
+ **** |Value|Description|
An example **custom_data** value for a message that contains malware looks like
A **custom_data** value that starts with`S:TRA` is from the Transport Rule agent for mail flow rules (also known as transport rules). The key details are described in the following table:
+<br>
+ **** |Value|Description|
A **custom_data** value that starts with`S:TRA` is from the Transport Rule agent
An example **custom_data** value for a messages that matches the conditions of a mail flow rule looks like this:
-`S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2017 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce`
+`S:TRA=ETR|ruleId=19a25eb2-3e43-4896-ad9e-47b6c359779d|st=7/17/2017 12:31:25 AM|action=ApplyHtmlDisclaimer|sev=1|mode=Enforce`
security Office 365 Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
Title: Automated investigation and response in Microsoft Defender for Office 365
keywords: AIR, autoIR, Microsoft Defender for Endpoint, automated, investigation, response, remediation, threats, advanced, threat, protection f1.keywords: - NOCSH--++ audience: ITPro
security Quarantine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-tags.md
The individual permissions are combined into the following preset permission gro
The available individual permissions and what's included or not included in the preset permission groups are described in the following table:
+<br>
+
+****
+ |Permission|No access|Limited access|Full access| ||::|::|::| |**Allow sender** (_PermissionToAllowSender_)|||![Check mark](../../media/checkmark.png)|
The _EndUserQuarantinePermissionsValue_ parameter uses a decimal value that's co
The required order and values for each individual permission in preset permission groups are described in the following table:
+<br>
+ **** |Permission|No access|Limited access|Full access|
The required order and values for each individual permission in preset permissio
|PermissionToViewHeader<sup>\*</sup>|0|0|0| |Binary value|00000000|01101010|11101100| |Decimal value to use|0|106|236|
+|
<sup>\*</sup> Currently, this value is always 0. For PermissionToViewHeader, the value 0 doesn't hide the **View message header** button in the details of the quarantined message (the button is always available).
For detailed syntax and parameter information, see [New-QuarantineTag](/powershe
In _supported_ protection features that quarantine messages or files (automatically or as a configurable action), you can assign a quarantine tag to the available quarantine actions. Features that quarantine messages and the availability of quarantine tags are described in the following table:
+<br>
+ **** |Feature|Quarantine tags supported?|Default quarantine tags used|
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
Anti-spam, anti-malware, and anti-phishing are EOP features that can be configur
To create and configure anti-spam policies, see [Configure anti-spam policies in Office 365](configure-your-spam-filter-policies.md).
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
There are several other Advanced Spam Filter (ASF) settings in anti-spam policie
We recommend that you turn these ASF settings **Off** for both **Standard** and **Strict** levels. For more information about ASF settings, see [Advanced Spam Filter (ASF) settings in Office 365](advanced-spam-filtering-asf-options.md).
+<br>
+ **** |Security feature name|Comment|
To create and configure outbound spam policies, see [Configure outbound spam fil
For more information about the default sending limits in the service, see [Sending limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#sending-limits-1).
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
For more information about the default sending limits in the service, see [Sendi
To create and configure anti-malware policies, see [Configure anti-malware policies in Office 365](configure-anti-malware-policies.md).
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
To create and configure anti-malware policies, see [Configure anti-malware polic
For more information about these settings, see [Spoof settings](set-up-anti-phishing-policies.md#spoof-settings). To configure these settings, see [Configure anti-phishing policies in EOP](configure-anti-phishing-policies-eop.md).
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
EOP customers get basic anti-phishing as previously described, but Microsoft Def
For more information about these settings, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure these settings, see [Configure anti-phishing policies in Defender for Office 365](configure-atp-anti-phishing-policies.md).
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
For more information about these settings, see [Impersonation settings in anti-p
Note that these are the same settings that are available in [anti-spam policy settings in EOP](#eop-anti-spam-policy-settings).
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
Note that these are the same settings that are available in [anti-spam policy se
For more information about this setting, see [Advanced phishing thresholds in anti-phishing policies in Microsoft Defender for Office 365](set-up-anti-phishing-policies.md#advanced-phishing-thresholds-in-anti-phishing-policies-in-microsoft-defender-for-office-365). To configure this setting, see [Configure anti-phishing policies in Defender for Office 365](configure-atp-anti-phishing-policies.md).
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
To configure these settings, see [Configure global settings for Safe Links in De
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/set-atppolicyforo365) cmdlet for these settings.
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new
> [!NOTE] > As described earlier, there is no default Safe Links policy. The values in the Default column are the default values in new Safe Links policies that you create.
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
To configure these settings, see [Turn on Safe Attachments for SharePoint, OneDr
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/set-atppolicyforo365) cmdlet for these settings.
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
In PowerShell, you use the [New-SafeAttachmentPolicy](/powershell/module/exchang
> [!NOTE] > As described earlier, there is no default Safe Attachments policy. The values in the Default column are the default values in new Safe Attachments policies that you create.
+<br>
+ **** |Security feature name|Default|Standard|Strict|Comment|
In PowerShell, you use the [New-SafeAttachmentPolicy](/powershell/module/exchang
- Use these links for info on how to **set up** your [EOP service](set-up-your-eop-service.md), and **configure** [Microsoft Defender for Office 365](defender-for-office-365.md). Don't forget the helpful directions in '[Protect Against Threats in Office 365](protect-against-threats.md)'. -- **Security baselines for Windows** can be found here: [Where can I get the security baselines?](/windows/security/threat-protection/windows-security-baselines#where-can-i-get-the-security-baselines) for GPO/on-premises options, and [Use security baselines to configure Windows 10 devices in Intune](/intune/protect/security-baselines) for Intune-based security. Finally, a comparison between Microsoft Defender for Endpoint and Microsoft Intune security baselines is available in [Compare the Microsoft Defender for Endpoint and the Windows Intune security baselines](/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline#compare-the-microsoft-defender-atp-and-the-windows-intune-security-baselines).
+- **Security baselines for Windows** can be found here: [Where can I get the security baselines?](/windows/security/threat-protection/windows-security-baselines#where-can-i-get-the-security-baselines) for GPO/on-premises options, and [Use security baselines to configure Windows 10 devices in Intune](/intune/protect/security-baselines) for Intune-based security. Finally, a comparison between Microsoft Defender for Endpoint and Microsoft Intune security baselines is available in [Compare the Microsoft Defender for Endpoint and the Windows Intune security baselines](/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline#compare-the-microsoft-defender-atp-and-the-windows-intune-security-baselines).
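Review bot: the link text in the added **Security baselines for Windows** bullet says "the Windows Intune security baselines" while the sentence around it says "Microsoft Intune security baselines"; use one product name in both places. The removed and added bullets read identically here, so this looks like a whitespace-only change, which makes it a cheap moment to fix the wording and to confirm that the `#compare-the-microsoft-defender-atp-and-the-windows-intune-security-baselines` anchor still resolves.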
security Reports And Insights In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-and-insights-in-security-and-compliance.md
Title: Smart reports, insights - Microsoft 365 Security & Compliance Center
f1.keywords: - NOCSH -+ Last updated audience: ITPro
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
The settings in Safe Links policies that apply to email messages are described i
- URLs that don't have a valid reputation are detonated asynchronously in the background. - **Apply real-time URL scanning for suspicious links and links that point to files**: Enables real-time scanning of links, including links in email messages that point to downloadable content. The recommended value is enabled.- - **Wait for URL scanning to complete before delivering the message**:- - Enabled: Messages that contain URLs are held until scanning is finished. Messages are delivered only after the URLs are confirmed to be safe. This is the recommended value. - Disabled: If URL scanning can't complete, deliver the message anyway.
The settings in Safe Links policies that apply to email messages are described i
For more information about the recommended values for Standard and Strict policy settings for Safe Links policies, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings). - **Recipient filters**: You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions:- - **The recipient is** - **The recipient domain is** - **The recipient is a member of**
When a user in an active Safe Links policy clicks a blocked link in a supported
You configure the list of URLs in the global settings for Safe Links. For instructions, see [Configure the "Block the following URLs" list](configure-global-settings-for-safe-links.md#configure-the-block-the-following-urls-list-in-the-security--compliance-center).
-> [!NOTE]
->
-> - For a truly universal list of URLs that are blocked everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
->
-> - Limits:
-> - The maximum number of entries is 500.
-> - The maximum length of an entry is 128 characters.
-> - All of the entries can't exceed 10,000 characters.
->
-> - Don't include a forward slash (`/`) at the end of the URL. For example, use `https://www.contoso.com`, not `https://www.contoso.com/`.
->
-> - A domain only-URL (for example `contoso.com` or `tailspintoys.com`) will block any URL that contains the domain.
->
-> - You can block a subdomain without blocking the full domain. For example, `toys.contoso.com*` blocks any URL that contains the subdomain, but it doesn't block URLs that contain the full domain `contoso.com`.
->
-> - You can include up to three wildcards (`*`) per URL entry.
+**Notes**:
+
+- For a truly universal list of URLs that are blocked everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+- Limits for the **Block the following URLs** list:
+ - The maximum number of entries is 500.
+ - The maximum length of an entry is 128 characters.
+ - All of the entries can't exceed 10,000 characters.
+- Don't include a forward slash (`/`) at the end of the URL. For example, use `https://www.contoso.com`, not `https://www.contoso.com/`.
+- A domain only-URL (for example `contoso.com` or `tailspintoys.com`) will block any URL that contains the domain.
+- You can block a subdomain without blocking the full domain. For example, `toys.contoso.com*` blocks any URL that contains the subdomain, but it doesn't block URLs that contain the full domain `contoso.com`.
+- You can include up to three wildcards (`*`) per URL entry.
### Entry syntax for the "Block the following URLs" list Examples of the values that you can enter and their results are described in the following table:
+<br>
+ **** |Value|Result|
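Review bot: two wording problems are copied unchanged from the removed note into the added **Notes** list. "A domain only-URL" has the hyphen in the wrong place and should read "a domain-only URL". "All of the entries can't exceed 10,000 characters" is ambiguous next to the 128-character per-entry limit; if it is the combined length of all entries that is capped, say so explicitly.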
Each Safe Links policy contains a **Do not rewrite the following URLs** list tha
To add entries to the list in new or existing Safe Links policies, see [Create Safe Links policies](set-up-safe-links-policies.md#use-the-security--compliance-center-to-create-safe-links-policies) or [Modify Safe Links policies](set-up-safe-links-policies.md#use-the-security--compliance-center-to-modify-safe-links-policies).
-> [!NOTE]
->
-> - The following clients don't recognize the **Do not rewrite the following URLs** lists in Safe Links policies. Users included in the polices can be blocked from accessing the URLs based on the results of Safe Links scanning in these clients:
->
-> - Microsoft Teams
-> - Office web apps
->
-> For a truly universal list of URLs that are allowed everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
->
-> - Consider adding commonly used internal URLs to the list to improve the user experience. For example, if you have on-premises services, such as Skype for Business or SharePoint, you can add those URLs to exclude them from scanning.
->
-> - If you already have **Do not rewrite the following URLs** entries in your Safe Links policies, be sure to review the lists and add wildcards as required. For example, your list has an entry like `https://contoso.com/a` and you later decide to include subpaths like `https://contoso.com/a/b`. Instead of adding a new entry, add a wildcard to the existing entry so it becomes `https://contoso.com/a/*`.
->
-> - You can include up to three wildcards (`*`) per URL entry. Wildcards explicitly include prefixes or subdomains. For example, the entry `contoso.com` is not the same as `*.contoso.com/*`, because `*.contoso.com/*` allows people to visit subdomains and paths in the specified domain.
+**Notes**:
+
+- The following clients don't recognize the **Do not rewrite the following URLs** lists in Safe Links policies. Users included in the polices can be blocked from accessing the URLs based on the results of Safe Links scanning in these clients:
+ - Microsoft Teams
+ - Office web apps
+
+ For a truly universal list of URLs that are allowed everywhere, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+
+- Consider adding commonly used internal URLs to the list to improve the user experience. For example, if you have on-premises services, such as Skype for Business or SharePoint, you can add those URLs to exclude them from scanning.
+- If you already have **Do not rewrite the following URLs** entries in your Safe Links policies, be sure to review the lists and add wildcards as required. For example, your list has an entry like `https://contoso.com/a` and you later decide to include subpaths like `https://contoso.com/a/b`. Instead of adding a new entry, add a wildcard to the existing entry so it becomes `https://contoso.com/a/*`.
+- You can include up to three wildcards (`*`) per URL entry. Wildcards explicitly include prefixes or subdomains. For example, the entry `contoso.com` is not the same as `*.contoso.com/*`, because `*.contoso.com/*` allows people to visit subdomains and paths in the specified domain.
+- If a URL uses automatic redirection for HTTP to HTTPS (for example, 302 redirection for `http://www.contoso.com` to `https://www.contoso.com`), and you try to enter both HTTP and HTTPS entries for the same URL to the list, you might notice that the second URL entry replaces the first URL entry. This behavior does not occur if the HTTP and HTTPS versions of the URL are completely separate.
### Entry syntax for the "Do not rewrite the following URLs" list Examples of the values that you can enter and their results are described in the following table:
+<br>
+ **** |Value|Result|
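Review bot: the last added bullet, on HTTP-to-HTTPS redirection, says the second entry replaces the first but not what an admin should do about it. State whether the surviving entry still covers both schemes, or recommend which single form to enter, because an entry that silently drops out of a **Do not rewrite the following URLs** list changes which URLs are excluded from scanning. Separately, "polices" in the first added bullet is a typo for "policies" carried over from the removed note.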
security Security Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/security-dashboard.md
Title: Security dashboard overview
f1.keywords: - NOCSH -+ audience: ITPro
security Use Spam Notifications To Release And Report Quarantined Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages.md
An end-user spam notification contains the following information for each quaran
- **Date**: The date and time (in UTC) that the message was quarantined. -- **Block Sender**: Click this link to add the sender to your Blocked Senders list. For more information, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4).
+- **Block Sender**: Click this link to add the sender to the Blocked Senders list on your mailbox. For more information, see [Block a mail sender](https://support.microsoft.com/office/b29fd867-cac9-40d8-aed1-659e06a706e4).
- **Release**: For spam (not phishing) messages, you can release the message here without going to Quarantine the Security & Compliance Center.
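Review bot: "the Blocked Senders list on your mailbox" in the added **Block Sender** bullet reads more naturally as "in your mailbox". The unchanged **Release** bullet directly below could be fixed in the same pass: "without going to Quarantine the Security & Compliance Center" is missing "in" after "Quarantine".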