Updates from: 06/10/2021 03:15:48
Category Microsoft Docs article Related commit history on GitHub Change details
admin Cortana Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/cortana-integration.md
Cortana voice assistance in the Teams mobile app and on Microsoft Teams display
**Admin control**
-Cortana voice assistance will be enabled by default for tenants. Admins can control who in their tenant can use Cortana voice assistance in Teams via a policy (TeamsCortanaPolicy). This policy can be set at either a user account level or tenant level. Admins can also use the CortanaVoiceInvocationMode field within this policy control to determine whether Cortana is disabled, enabled with push button invocation only, or enabled with wake word invocation as well (applicable to devices that support it, like the Microsoft Teams display). Note that at the time of the initial release for Microsoft 365 Enterprise users in the US in English, the Teams mobile app will not support wake word activation, but it will be supported in the future.
+Cortana voice assistance will be enabled by default for tenants. Admins can control who in their tenant can use Cortana voice assistance in Teams via a policy (TeamsCortanaPolicy). This policy can be set at either a user account level or tenant level. Admins can also use the CortanaVoiceInvocationMode field within this policy control to determine whether Cortana is disabled, enabled with push button invocation only, or enabled with wake word invocation as well (applicable to devices that support it, like the Microsoft Teams display).
**User control**
-Individual users can try out Cortana voice assistance in the Teams mobile app by clicking on the mic button. They can try out Cortana voice assistance on Microsoft Teams display devices by simply saying “Cortana.” They can also control whether Cortana in Teams is enabled for their device via a setting in the Teams mobile app or on the Microsoft Teams display:
+Individual users can try out Cortana voice assistance in the Teams mobile app by clicking on the mic button. They can try out Cortana voice assistance on Microsoft Teams display devices by simply saying “Cortana.” They can also control whether Cortana responds to the wake word invocation.
-1. Open the Teams mobile app, or go to the ambient (home) screen of the Microsoft Teams display.
+1. Open Teams mobile
+2. Go to Settings
+3. Select Cortana
+4. Switch the Voice activation toggle
-2. In the Teams mobile app, go to **Settings**. On the Microsoft Teams display, select the user avatar, and then select Settings. If Cortana is enabled, say, “Cortana, go to Settings.”
-
-3. Select **Cortana**.
-
-4. Move the toggle to **On** or **Off**, depending on whether you want Cortana voice assistance on the device.
[Learn more about Cortana voice assistance in Teams](/microsoftteams/cortana-in-teams)
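Review bot: The new numbered steps under **User control** start at "Open Teams mobile" and cover only the mobile app, while the sentence above them still refers to Microsoft Teams display devices and the wake word. The removed steps gave the display path (select the user avatar, then Settings); either restore an equivalent path for the display or state that the Voice activation toggle is mobile only. The new steps also drop the bold UI labels and end punctuation that the removed steps used, for example **Settings** and **Cortana**.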
For services governed by the [Microsoft Services Agreement](https://go.microsoft
[Cortana voice assistance in Teams](/microsoftteams/cortana-in-teams) (article)\ [Configure Cortana in Windows 10](/windows/configuration/cortana-at-work/cortana-at-work-overview) (article)\
-[What can you do with Play My Emails from Cortana?](https://support.microsoft.com/help/4558256)
+[What can you do with Play My Emails from Cortana?](https://support.microsoft.com/help/4558256)
commerce Manage Saas Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/manage-saas-apps.md
Last updated 04/15/2021
You can manage licenses and billing for third-party apps in the new Microsoft 365 admin center. Updated features include enhanced subscription management, improved access to billing information, and improved flexibility for managing bills. Subscription management is based on Microsoft’s updated commerce platform. This applies to software-as-a-service apps that customers purchase directly, or from a third-party provider.
-You can manage licenses and billing for third-party apps in Microsoft 365 admin center with preview mode turned on. Updated features include enhanced subscription management, improved access to billing information, and improved flexibility for managing bills. Subscription management is based on Microsoft's updated commerce platform. This applies to software-as-a-service apps that customers purchase directly, or from third-party provider.
- ## How to get software-as-a-service apps There are a few ways to purchase third-party apps.
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
There are two different methods for automatically applying a sensitivity label t
Specific to auto-labeling for SharePoint and OneDrive: - Office files for Word, PowerPoint, and Excel are supported. Open XML format is supported (such as .docx and .xlsx) but not Microsoft Office 97-2003 format (such as .doc and .xls).
- - These files can be auto-labeled at rest before or after the auto-labeling policies are created. Note that files cannot be auto-labeled if they are part of an open session (the file is open).
+ - These files can be auto-labeled at rest before or after the auto-labeling policies are created. Files cannot be auto-labeled if they are part of an open session (the file is open).
+ - Currently, attachments to list items aren't supported and won't be auto-labeled.
- Maximum of 25,000 automatically labeled files in your tenant per day. - Maximum of 10 auto-labeling policies per tenant, each targeting up to 10 sites (SharePoint or OneDrive). - Existing values for modified, modified by, and the date are not changed as a result of auto-labeling policies—for both simulation mode and when labels are applied.
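Review bot: The added bullet "Currently, attachments to list items aren't supported and won't be auto-labeled." is nested at the same level as the open-session note, under the Office files item, but it describes a different kind of content (list item attachments) rather than a condition on "these files". Consider making it its own top-level bullet in the SharePoint and OneDrive list so that readers scanning for unlabeled content see it, and say whether such attachments are counted in simulation results.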
compliance Archive Wechat Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-wechat-data.md
+
+ Title: "Set up a connector to archive WeChat data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Set up and use a connector in the Microsoft 365 compliance center to import and archive WeChat data in Microsoft 365."
++
+# Set up a connector to archive WeChat data (preview)
+
+Use the TeleMessage connector in the Microsoft 365 compliance center to import and archive WeChat and WeCom calls, chats, attachments, files, and recalled messages. After you set up and configure a connector, it connects to your organization's TeleMessage account, and imports the mobile communication of employees using the TeleMessage WeChat Archiver to mailboxes in Microsoft 365.
+
+After WeChat Archiver connector data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, In-Place Archiving, Auditing, Communication compliance, and Microsoft 365 retention policies to WeChat communication data. For example, you can search WeChat communication using Content Search or associate the mailbox that contains the WeChat Archiver connector data with a custodian in an Advanced eDiscovery case. Using a WeChat Archiver connector to import and archive data in Microsoft 365 can help your organization stay compliant with corporate governance regulations and regulatory policies.
+
+## Overview of archiving WeChat communication data
+
+The following overview explains the process of using a connector to archive WeChat communications data in Microsoft 365.
+
+![Archiving workflow for WeChat Archiver data](../media/WeChatConnectorWorkflow.png)
+
+1. Your organization works with TeleMessage to set up a WeChat Archiver connector.
+
+2. In real time, your organization's WeChat data is copied to the TeleMessage site.
+
+3. The WeChat Archiver connector that you create in the Microsoft 365 compliance center connects to the TeleMessage site every day and transfers the email messages from the previous 24 hours to a secure Azure Storage area in the Microsoft Cloud.
+
+4. The connector imports the mobile communication items to the mailbox of a specific user. A new folder named WeChat Archiver will be created in the specific user's mailbox and the items will be imported to it. The connector does mapping by using the value of the *User's Email address* property. Every email message contains this property, which is populated with the email address of every participant of the email message. In addition to automatic user mapping using the value of the *User's Email address* property, you can also define a custom mapping by uploading a CSV mapping file. This mapping file should contain User's mobile Number and the corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every email item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's mobile number, the connector will use the User ΓÇÿs email address property of the email item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *user's email address* property of the email item, the item won't be imported.
+
+## Before you set up a connector
+
+- Work with TeleMessage to set up a WeChat archive connector. For more information, see [Activating the TeleMessage WeChat Archiver for Microsoft 365](https://www.telemessage.com/microsoft-365-activation-for-wechat-archiver/).
+
+- Set up a TeleMessage connector for Microsoft 365 and get a valid company administration account. For more information, see [Order Microsoft 365 Mobile Archiving](https://www.telemessage.com/mobile-archiver/order-mobile-archiver-for-microsoft-365/).
+
+- Register all users that require WeChat archiving in the TeleMessage account with the same email address that is used for the user's Microsoft 365 account.
+
+- You'll need to install the Tencent WeCom app on the mobile phones of users in your organization and activate it. The WeCom app lets users communicate and chat with other WeChat and WeCom users.
+
+- The user who creates a WeChat Archiver connector in the Microsoft 365 compliance center must be assigned the Mailbox Import Export role in Exchange Online. This is required to add connectors in the **Data connectors** page in the compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+- This data connector is available in GCC environments in the Microsoft 365 US Government cloud. Third-party applications and services might involve storing, transmitting, and processing your organization's customer data on third-party systems that are outside of the Microsoft 365 infrastructure and therefore are not covered by the Microsoft 365 compliance and data protection commitments. Microsoft makes no representation that use of this product to connect to third-party applications implies that those third-party applications are FEDRAMP compliant.
+
+## Create a WeChat Archiver connector
+
+Follow the steps in this section to create a WeChat Archiver connector in the Microsoft 365 compliance center. The connector uses the information you provide to connect to the TeleMessage site and transfer WeChat communications data to the corresponding user mailboxes in Microsoft 365.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **WeChat Archiver**.
+
+2. On the **WeChat Archiver** product description page, click **Add connector**
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. On the **Login to TeleMessage** page, under Step 3, enter the required information in the following boxes and then click **Next**.
+
+ - **Username**: Your TeleMessage user name.
+
+ - **Password**: Your TeleMessage password.
+
+5. After the connector is created, you can close the pop-up window go to the next page.
+
+6. On the **User mapping** page, enable automatic user mapping. You can also upload a custom user mapping CSV file.
+
+7. Click **Next**, review your settings, and then click **Finish** to create the connector.
+
+8. Go to the **Connectors** tab on **Data connectors** page to see the progress of the import process for the new connector.
+
+## Known issues
+
+- At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
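Review bot: In the Mailbox Import Export prerequisite under "Before you set up a connector", the first option offered is adding the role to the Organization Management role group, which extends mailbox import and export to every member of that group; lead with the dedicated role group option and present Organization Management as the fallback, so the connector setup follows least privilege. In "Create a WeChat Archiver connector", step 4 says "under Step 3" although it is the fourth step, and step 5 reads "close the pop-up window go to the next page" with a missing "and". The front matter line "Last updated :" has no value, and the user mapping paragraph in step 4 of the overview spells the property three ways ("User's Email address", "User's email address", "user's email address"); pick one.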
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
The following table lists the third-party data connectors available in the Micro
|[Verizon Network <sup>1</sup>](archive-verizon-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Webex Teams <sup>2</sup>](archive-webexteams-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Webpages <sup>2</sup>](archive-webpagecapture-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|||
+|[WeChat <sup>1</sup>](archive-wechat-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[WhatsApp <sup>1</sup>](archive-whatsapp-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Workplace from Facebook <sup>2</sup>](archive-workplacefromfacebook-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[XIP <sup>2</sup>](archive-xip-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
As previously mentioned, data connectors provided by TeleMessage are available i
|O2 SMS and Voice Network Archiver | Yes | No | No | |TELUS SMS Network Archiver | Yes | No | No | |Verizon SMS/MMS Network Archiver | Yes | No | No |
+|WeChat Archiver | Yes | No | No |
|WhatsApp Archiver | Yes | No | No | |||||
compliance Enable Mailbox Auditing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-mailbox-auditing.md
Starting in January 2019, Microsoft is turning on mailbox audit logging by defau
Here are some benefits of mailbox auditing on by default: - Auditing is automatically enabled when you create a new mailbox. You don't need to manually enable it for new users.- - You don't need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each logon type (Admin, Delegate, and Owner).- - When Microsoft releases a new mailbox action, the action might be automatically added to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This means you don't need to monitor add new actions on mailboxes.- - You have a consistent mailbox auditing policy across your organization (because you're auditing the same actions for all mailboxes). > [!NOTE]
->* The important thing to remember about the release of mailbox auditing on by default is: you don't need to do anything to manage mailbox auditing. However, to learn more, customize mailbox auditing from the default settings, or turn it off altogether, this topic can help you.
->- By default, only mailbox audit events for E5 users are available in audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API. For more information, see the [More information](#more-information) section in this topic.
+>
+> - The important thing to remember about the release of mailbox auditing on by default is: you don't need to do anything to manage mailbox auditing. However, to learn more, customize mailbox auditing from the default settings, or turn it off altogether, this article can help you.
+> - By default, only mailbox audit events for E5 users are available in audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API. For more information, see the [More information](#more-information) section in this article.
## Verify mailbox auditing on by default is turned on
Get-OrganizationConfig | Format-List AuditDisabled
The value **False** indicates that mailbox auditing on by default is enabled for the organization. This on by default organizational value overrides the mailbox auditing setting on specific mailboxes. For example, if mailbox auditing is disabled for a mailbox (the *AuditEnabled* property is **False** on the mailbox), the default mailbox actions will still be audited for the mailbox, because mailbox auditing on by default is enabled for the organization.
-To keep mailbox auditing disabled for specific mailboxes, you configure mailbox auditing bypass for the mailbox owner and other users who have been delegated access to the mailbox. For more information, see the [Bypass mailbox audit logging](#bypass-mailbox-audit-logging) section in this topic.
+To keep mailbox auditing disabled for specific mailboxes, you configure mailbox auditing bypass for the mailbox owner and other users who have been delegated access to the mailbox. For more information, see the [Bypass mailbox audit logging](#bypass-mailbox-audit-logging) section in this article.
> [!NOTE] > When mailbox auditing on by default is turned on for the organization, the *AuditEnabled* property for affected mailboxes won't be changed from **False** to **True**. In other words, mailbox auditing on by default ignores the *AuditEnabled* property on mailboxes.
To keep mailbox auditing disabled for specific mailboxes, you configure mailbox
The following table shows the mailbox types that are currently supported by mailbox auditing on by default:
-|**Mailbox type**|**Supported**|**Not supported**|
-|:|::|::|
-|User mailboxes|![Check mark](../media/checkmark.png)||
-|Shared mailboxes|![Check mark](../media/checkmark.png)||
-|Microsoft 365 Group mailboxes|![Check mark](../media/checkmark.png)||
-|Resource mailboxes||![Check mark](../media/checkmark.png)|
-|Public folder mailboxes||![Check mark](../media/checkmark.png)|
+<br>
+
+****
+
+|Mailbox type|Supported|
+||::|
+|User mailboxes|![Check mark](../media/checkmark.png)|
+|Shared mailboxes|![Check mark](../media/checkmark.png)|
+|Microsoft 365 Group mailboxes|![Check mark](../media/checkmark.png)|
+|Resource mailboxes||
+|Public folder mailboxes||
+|
## Logon types and mailbox actions Logon types classify the user that did the audited actions on the mailbox. The following list describes the logon types that are used in mailbox audit logging: - **Owner**: The mailbox owner (the account that's associated with the mailbox).- - **Delegate**:- - A user who's been assigned the SendAs, SendOnBehalf, or FullAccess permission to another mailbox.- - An admin who's been assigned the FullAccess permission to a user's mailbox.- - **Admin**:- - The mailbox is searched with one of the following Microsoft eDiscovery tools:- - Content Search in the Compliance center.- - eDiscovery or Advanced eDiscovery in the Compliance center.- - In-Place eDiscovery in Exchange Online.- - The mailbox is accessed by using the Microsoft Exchange Server MAPI Editor. ### Mailbox actions for user mailboxes and shared mailboxes
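Review bot: In the mailbox type table, dropping the "Not supported" column leaves "Resource mailboxes" and "Public folder mailboxes" with an empty "Supported" cell as the only indication that they are not covered by mailbox auditing on by default. An empty cell is easy to read as missing data; put an explicit "No" in those cells or add a sentence under the table naming the unsupported types. The added "****" line and the trailing "|" row also look like layout scaffolding that deserves a short comment or a check in the rendered preview.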
Logon types classify the user that did the audited actions on the mailbox. The f
The following table describes the mailbox actions that are available in mailbox audit logging for user mailboxes and shared mailboxes. - A check mark ( ![Check mark](../media/checkmark.png)) indicates the mailbox action can be logged for the logon type (not all actions are available for all logon types).- - An asterisk ( <sup>\*</sup> ) after the check mark indicates the mailbox action is logged by default for the logon type.- - Remember, an admin with Full Access permission to a mailbox is considered a delegate.
-|**Mailbox action**|**Description**|**Admin**|**Delegate**|**Owner**|
-|:|:|::|::|::|
-|**AddFolderPermissions**|**Note**: Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.||||
+<br>
+
+****
+
+|Mailbox action|Description|Admin|Delegate|Owner|
+|||::|::|::|
+|**AddFolderPermissions**|Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.||||
|**ApplyRecord**|An item is labeled as a record.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| |**Copy**|A message was copied to another folder.|![Check mark](../media/checkmark.png)||| |**Create**|An item was created in the Calendar, Contacts, Notes, or Tasks folder in the mailbox (for example, a new meeting request is created). Creating, sending, or receiving a message isn't audited. Also, creating a mailbox folder is not audited.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)|
-|**Default**||![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|
|**FolderBind**|A mailbox folder was accessed. This action is also logged when the admin or delegate opens the mailbox. <br/><br/> **Note**: Audit records for folder bind actions performed by delegates are consolidated. One audit record is generated for individual folder access within a 24-hour period.|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |**HardDelete**|A message was purged from the Recoverable Items folder.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
-|**MailItemsAccessed**|Mail data is accessed by mail protocols and clients. This value is only available for E5 or E5 Compliance add-on subscription users. For more information, see [Set up Advanced Audit ](set-up-advanced-audit.md).|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
-|**MailboxLogin**|The user signed into their mailbox. |||![Check mark](../media/checkmark.png)|
-|**MessageBind**|A message was viewed in the preview pane or opened by an admin. **Note**: Although this value is accepted as a mailbox action, these actions are no longer logged.|![Check mark](../media/checkmark.png)|||
-|**ModifyFolderPermissions**|**Note**: Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.||||
+|**MailboxLogin**|The user signed into their mailbox.|||![Check mark](../media/checkmark.png)|
+|**MailItemsAccessed**|**Note**: This value is available only for E5 or E5 Compliance add-on subscription users. For more information, see [Set up Advanced Audit in Microsoft 365](set-up-advanced-audit.md). <p> Mail data is accessed by mail protocols and clients.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
+|**MessageBind**|**Note**: This value is available only for E3 users (users without E5 or E5 Compliance add-on subscriptions). <p> A message was viewed in the preview pane or opened by an admin.|![Check mark](../media/checkmark.png)|||
+|**ModifyFolderPermissions**|Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.|||||
|**Move**|A message was moved to another folder.|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)| |**MoveToDeletedItems**|A message was deleted and moved to the Deleted Items folder.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| |**RecordDelete**|An item that's labeled as a record was soft-deleted (moved to the Recoverable Items folder). Items labeled as records can't be permanently deleted (purged from the Recoverable Items folder).|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|
-|**RemoveFolderPermissions**|**Note**: Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.||||
-|**Send**|The user sends an email message, replies to an email message, or forwards an email message. This value is only available for E5 or E5 Compliance add-on subscription users. For more information, see [Set up Advanced Audit for users](set-up-advanced-audit.md).|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
+|**RemoveFolderPermissions**|Although this value is accepted as a mailbox action, it's already included in the **UpdateFolderPermissions** action and isn't audited separately. In other words, don't use this value.||||
+|**SearchQueryInitiated**|**Note**: This value is available only for E5 or E5 Compliance add-on subscription users. For more information, see [Set up Advanced Audit in Microsoft 365](set-up-advanced-audit.md). <p> A person uses Outlook (Windows, Mac, iOS, Android, or Outlook on the web) or the Mail app for Windows 10 to search for items in a mailbox.|||![Check mark](../media/checkmark.png)|
+|**Send**|**Note**: This value is available only for E5 or E5 Compliance add-on subscription users. For more information, see [Set up Advanced Audit in Microsoft 365](set-up-advanced-audit.md). <p> The user sends an email message, replies to an email message, or forwards an email message.|![Check mark](../media/checkmark.png)<sup>\*</sup>||![Check mark](../media/checkmark.png)<sup>\*</sup>|
|**SendAs**|A message was sent using the SendAs permission. This means another user sent the message as though it came from the mailbox owner.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| |**SendOnBehalf**|A message was sent using the SendOnBehalf permission. This means another user sent the message on behalf of the mailbox owner. The message indicates to the recipient who the message was sent on behalf of and who actually sent the message.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| |**SoftDelete**|A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
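Review bot: The replacement **Send** row no longer has a check mark in the Delegate column (the removed row had one for Admin, Delegate, and Owner), but nothing in the description explains the change; if delegate sends are now covered only by **SendAs** and **SendOnBehalf**, say so in the row, otherwise restore the cell. The new **ModifyFolderPermissions** row ends with five pipes ("|||||") where the neighbouring **AddFolderPermissions** and **RemoveFolderPermissions** rows end with four, which adds an extra empty cell to a five-column table. The **MessageBind** note also changes from "these actions are no longer logged" to "available only for E3 users"; these two statements differ in substance, so the change should be called out rather than folded into a formatting pass.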
The following table describes the mailbox actions that are available in mailbox
|**UpdateComplianceTag**|A different retention label is applied to a mail item (an item can only have one retention label assigned to it).|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)| |**UpdateFolderPermissions**|A folder permission was changed. Folder permissions control which users in your organization can access folders in a mailbox and the messages located in those folders.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| |**UpdateInboxRules**|An inbox rule was added, removed, or changed. Inbox rules are used to process messages in the user's Inbox based on the specified conditions and take actions when the conditions of a rule are met, such as moving a message to a specified folder or deleting a message.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
+|
> [!IMPORTANT]
-> If you customized the mailbox actions to audit for any logon type *before* mailbox auditing on by default was enabled in your organization, the customized settings are preserved on the mailbox and aren't overwritten by the default mailbox actions as described in this section. To revert the audit mailbox actions to their default values (which you can do at any time), see the [Restore the default mailbox actions](#restore-the-default-mailbox-actions) section later in this topic.
+> If you customized the mailbox actions to audit for any logon type *before* mailbox auditing on by default was enabled in your organization, the customized settings are preserved on the mailbox and aren't overwritten by the default mailbox actions as described in this section. To revert the audit mailbox actions to their default values (which you can do at any time), see the [Restore the default mailbox actions](#restore-the-default-mailbox-actions) section later in this article.
### Mailbox actions for Microsoft 365 Group mailboxes
The following table describes the mailbox actions that are logged by default on
Remember, an admin with Full Access permission to a Microsoft 365 Group mailbox is considered a delegate.
-|**Mailbox action**|**Description**|**Admin**|**Delegate**|**Owner**|
-|:|:|::|::|::|
+<br>
+
+****
+
+|Mailbox action|Description|Admin|Delegate|Owner|
+|||::|::|::|
|**Create**|Creation of a calendar Item. Creating, sending, or receiving a message isn't audited.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|| |**HardDelete**|A message was purged from the Recoverable Items folder.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| |**MoveToDeletedItems**|A message was deleted and moved to the Deleted Items folder.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| |**SendAs**|A message was sent using the SendAs permission.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>||
-|**SendOnBehalf**|A message was sent using the SendOnBehalf permission. |![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>||
+|**SendOnBehalf**|A message was sent using the SendOnBehalf permission.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>||
|**SoftDelete**|A message was permanently deleted or deleted from the Deleted Items folder. Soft-deleted items are moved to the Recoverable Items folder.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>| |**Update**|A message or its properties was changed.|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|![Check mark](../media/checkmark.png)<sup>\*</sup>|
+|
### Verify that default mailbox actions are being logged for each logon type
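Review bot: the `<br>`, `****` and closing `|` lines added around the mailbox actions table introduce markup but no content, and nothing in the change says why they are needed. If they work around a rendering or accessibility problem, record that in the commit message; otherwise leave them out so the table stays plain Markdown. The SendOnBehalf row differs only by the removed trailing space, so the audited actions listed per logon type are unchanged by this hunk.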
Get-Mailbox -Identity <MailboxIdentity> -GroupMailbox | Format-List DefaultAudit
The value `Admin, Delegate, Owner` indicates: - The default mailbox actions for all three logon types are being audited. This is the only value you'll see on Microsoft 365 Group mailboxes.- - An admin *has not* changed the audited mailbox actions for any logon type on a user mailbox or a shared mailbox. Note this is the default state after mailbox auditing on by default is initially turned on in your organization. If an admin has ever changed the mailbox actions that are audited for a logon type (by using the *AuditAdmin*, *AuditDelegate*, or *AuditOwner* parameters on the **Set-Mailbox** cmdlet), the property value will be different.
If an admin has ever changed the mailbox actions that are audited for a logon ty
For example, the value `Owner` for the *DefaultAuditSet* property on a user mailbox or shared mailbox indicates: - The default mailbox actions for the mailbox owner are being audited.- - The audited mailbox actions for the `Delegate` and `Admin` logon types have been changed from the default actions. A blank value for the *DefaultAuditSet* property indicates the mailbox actions for all three logon types have been changed on the user mailbox or a shared mailbox.
-For more information, see the [Change or restore mailbox actions logged by default](#change-or-restore-mailbox-actions-logged-by-default) section in this topic
+For more information, see the [Change or restore mailbox actions logged by default](#change-or-restore-mailbox-actions-logged-by-default) section in this article
### Display the mailbox actions that are being logged on mailboxes To see the mailbox actions that are currently being logged on user mailboxes or shared mailboxes, replace \<MailboxIdentity\> with the name, alias, email address, or user principal name (username) of the mailbox, and run one or more of the following commands in Exchange Online PowerShell. > [!NOTE]
-> Although you can add the `-GroupMailbox` switch to the following **Get-Mailbox** commands for Microsoft 365 Group mailboxes, don't believe the values that are returned. The default and static mailbox actions that are audited for Microsoft 365 Group mailboxes are described in the [Mailbox actions for Microsoft 365 Group mailboxes](#mailbox-actions-for-microsoft-365-group-mailboxes) section earlier in this topic.
+> Although you can add the `-GroupMailbox` switch to the following **Get-Mailbox** commands for Microsoft 365 Group mailboxes, don't believe the values that are returned. The default and static mailbox actions that are audited for Microsoft 365 Group mailboxes are described in the [Mailbox actions for Microsoft 365 Group mailboxes](#mailbox-actions-for-microsoft-365-group-mailboxes) section earlier in this article.
#### Owner actions
You can use the *AuditAdmin*, *AuditDelegate*, or *AuditOwner* parameters on the
You can use two different methods to specify the mailbox actions: - *Replace* (overwrite) the existing mailbox actions by using this syntax: `action1,action2,...actionN`.- - *Add or remove* mailbox actions without affecting other existing values by using this syntax: `@{Add="action1","action2",..."actionN"}` or `@{Remove="action1","action2",..."actionN"}`. This example changes the admin mailbox actions for the mailbox named "Gabriela Laureano" by overwriting the default actions with SoftDelete and HardDelete.
Set-Mailbox -Identity "Team Discussion" -AuditDelegate @{Remove="MoveToDeletedIt
Regardless of the method you use, customizing the audited mailbox actions on user mailboxes or shared mailboxes has the following results: - For the logon type that you customized, the audited mailbox actions are no longer managed by Microsoft.- - The logon type that you customized is no longer displayed in the *DefaultAuditSet* property value for the mailbox as [previously described](#verify-that-default-mailbox-actions-are-being-logged-for-each-logon-type). ### Restore the default mailbox actions
+> [!NOTE]
+> The following procedures don't apply to Microsoft 365 Group mailboxes (they're limited to the default actions as described [here](#mailbox-actions-for-microsoft-365-group-mailboxes)).
+ If you customized the mailbox actions that are audited on a user mailbox or a shared mailbox, you can restore the default mailbox actions for one or all logon types by using this syntax: ```PowerShell
Set-Mailbox -Identity <MailboxIdentity> -DefaultAuditSet <Admin | Delegate | Own
You can specify multiple *DefaultAuditSet* values separated by commas
-**Note**: The following procedures don't apply to Microsoft 365 Group mailboxes (they're limited to the default actions as described [here](#mailbox-actions-for-microsoft-365-group-mailboxes)).
- This example restores the default audited mailbox actions for all logon types on the mailbox mark@contoso.onmicrosoft.com. ```PowerShell
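Review bot: the relocated note keeps the link text "here" in `as described [here](#mailbox-actions-for-microsoft-365-group-mailboxes)`, which says nothing about the target; name the section in the link text, as the `-GroupMailbox` note earlier in this article already does. Moving the note above the syntax block is an improvement, because the reader now learns that Microsoft 365 Group mailboxes are excluded before reaching the `Set-Mailbox -DefaultAuditSet` syntax. While this section is being edited, the paragraph after the examples still reads "Restoring he default audited mailbox actions"; change "he" to "the".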
Set-Mailbox -Identity chris@contoso.onmicrosoft.com -DefaultAuditSet Admin
Restoring he default audited mailbox actions for a logon type has the following results: - The current list of mailbox actions is replaced with the default mailbox actions for the logon type.- - Any new mailbox actions that are released by Microsoft are automatically added to the list of audited actions for the logon type.- - The *DefaultAuditSet* property value for the mailbox is updated to include the restored logon type. ## Turn off mailbox auditing on by default for your organization
Set-OrganizationConfig -AuditDisabled $true
Turning off mailbox auditing on by default has the following results: - Mailbox auditing is disabled for your organization.- - From the time you disabled mailbox auditing on by default, no mailbox actions are audited, even if auditing is enabled on a mailbox (the *AuditEnabled* property on the mailbox is **True**).- - Mailbox auditing is not enabled for new mailboxes and setting the *AuditEnabled* property on a new or existing mailbox to **True** will be ignored.- - Any mailbox audit bypass association settings (configured by using the **Set-MailboxAuditBypassAssociation** cmdlet) are ignored.- - Existing mailbox audit records are retained until the audit log age limit for the record expires. ### Turn on mailbox auditing on by default
Currently, you can't disable mailbox auditing for specific mailboxes when mailbo
However, you can still use the **Set-MailboxAuditBypassAssociation** cmdlet in Exchange Online PowerShell to prevent *any and all* mailbox actions by the specified users from being logged, regardless where the actions occur. For example: - Mailbox owner actions performed by the bypassed users aren't logged.- - Delegate actions performed by the bypassed users on other users' mailboxes (including shared mailboxes) aren't logged.- - Admin actions performed by the bypassed users aren't logged. To bypass mailbox audit logging for a specific user, replace \<MailboxIdentity\> with the name, email address, alias, or user principal name (username) of the user and run the following command:
The value **True** indicates that mailbox audit logging is bypassed for the user
> If mailbox auditing already appears to be enabled on the mailbox, but your searches return no results, change the value of the _AuditEnabled_ parameter to `$false` and then back to `$true`. - Use the following cmdlets in Exchange Online PowerShell:- - [Search-MailboxAuditLog](/powershell/module/exchange/search-mailboxauditlog) to search the mailbox audit log for specific users.- - [New-MailboxAuditLogSearch](/powershell/module/exchange/new-mailboxauditlogsearch) to search the mailbox audit log for specific users and to have the results sent via email to specified recipients. - Use the Exchange admin center (EAC) in Exchange Online to do the following actions:- - [Export mailbox audit logs](/Exchange/security-and-compliance/exchange-auditing-reports/export-mailbox-audit-logs)- - [Run a non-owner mailbox access report](/Exchange/security-and-compliance/exchange-auditing-reports/non-owner-mailbox-access-report) - By default, mailbox audit log records are retained for 90 days before they're deleted. You can change the age limit for audit log records by using the *AuditLogAgeLimit* parameter on the **Set-Mailbox** cmdlet in Exchange Online PowerShell. However, increasing this value doesn't allow you to search for events that are older than 90 days in the audit log.
The value **True** indicates that mailbox audit logging is bypassed for the user
- Mailbox audit log records are stored in a subfolder (named *Audits*) in the Recoverable Items folder in each user's mailbox. Keep the following things in mind about mailbox audit records and the Recoverable Items folder: - Mailbox audit records count against the storage quota of the Recoverable Items folder, which is 30 GB by default (the warning quota is 20 GB). The storage quota is automatically increased to 100 GB (with a 90 GB warning quota) when:- - A hold is placed on a mailbox.- - The mailbox is assigned to a retention policy in the Compliance Center. - Mailbox audit records also count against the [folder limit for the Recoverable Items folder](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#mailbox-folder-limits). A maximum of 3 million items (audit records) can be stored in the Audits subfolder.
The value **True** indicates that mailbox audit logging is bypassed for the user
- If a mailbox is placed on hold or assigned to a retention policy in the Compliance Center, audit log records are still retained for the duration that's defined by the mailbox's *AuditLogAgeLimit* property (90 days by default). To retain audit log records longer for mailboxes on hold, you need to increase mailbox's *AuditLogAgeLimit* value. -- In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox.
+- In a multi-geo environment, cross-geo mailbox auditing is not supported. For example, if a user is assigned permissions to access a shared mailbox in a different geo location, mailbox actions performed by that user are not logged in the mailbox audit log of the shared mailbox.
compliance Keyword Queries And Search Conditions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/keyword-queries-and-search-conditions.md
search.appverid:
ms.assetid: c4639c2e-7223-4302-8e0d-b6e10f1c3be3 - seo-marvel-apr2020
-description: "Learn about email and file properties that you can search by using the eDiscovery search tools in Microsoft 365."
+description: "Learn about email and document properties that you can search by using the eDiscovery search tools in Microsoft 365."
# Keyword queries and search conditions for eDiscovery
Create a condition using document properties when searching for documents on Sha
|Title|The title of the document. The Title property is metadata that's specified in Office documents. It's different than the file name of the document.| |Created|The date that a document is created.| |Last modified|The date that a document was last changed.|
-|File type|The extension of a file; for example, docx, one, pptx, or xlsx. This is the same property as the FileExtension site property.|
+|File type|The extension of a file; for example, docx, one, pptx, or xlsx. This is the same property as the FileExtension site property. <br/><br/> **Note:** If you include a File type condition using the **Equals** or **Equals any of** operator in a search query, you can't use a prefix search (by including the wildcard character ( * ) at the end of the file type) to return all versions of a file type. If you do, the wildcard will be ignored. For example if you include the condition `Equals any of doc*`, only files with an extension of `.doc` will be returned. Files with an extension of `.docx` will not be returned. To return all versions of a file type, used the *property:value* pair in a keyword query; for example, `filetype:doc*`.|
||| ### Operators used with conditions
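Review bot: the last sentence of the new File type note has a wording slip, "used the *property:value* pair", which should read "use the", and "For example if you include the condition" needs a comma after "example". The note describes a silent failure (the wildcard in `Equals any of doc*` is ignored and `.docx` files are not returned), which is easy to miss inside a table cell; consider repeating it as a note below the table so that someone scoping an eDiscovery search by file type sees it.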
When you add a condition, you can select an operator that is relevant to type of
Keep the following in mind when using search conditions. -- A condition is logically connected to the keyword query (specified in the keyword box) by the **AND** operator. That means that items have to satisfy both the keyword query and the condition to be included in the results. This is how conditions help to narrow your results.
-
-- If you add two or more unique conditions to a search query (conditions that specify different properties), those conditions are logically connected by the **AND** operator. That means only items that satisfy all the conditions (in addition to any keyword query) are returned.
-
+- A condition is logically connected to the keyword query (specified in the keyword box) by the **AND** operator. That means that items have to satisfy both the keyword query and the condition to be included in the results. This is how conditions help to narrow your results.
+
+- If you add two or more unique conditions to a search query (conditions that specify different properties), those conditions are logically connected by the **AND** operator. That means only items that satisfy all the conditions (in addition to any keyword query) are returned.
+
- If you add more than one condition for the same property, those conditions are logically connected by the **OR** operator. That means items that satisfy the keyword query and any one of the conditions are returned. So, groups of the same conditions are connected to each other by the **OR** operator and then sets of unique conditions are connected by the **AND** operator.
-
+
- If you add multiple values (separated by commas or semi-colons) to a single condition, those values are connected by the **OR** operator. That means items are returned if they contain any of the specified values for the property in the condition.
-
-- The search query that is created by using the keywords box and conditions is displayed on the **Search** page, in the details pane for the selected search. In a query, everything to the right of the notation `(c:c)` indicates conditions that are added to the query.
-
-- Conditions only add properties to the search query; the don't add operators. This is why the query displayed in the detail pane doesn't show operators to the right of the `(c:c)` notation. KQL adds the logical operators (according to the previously explained rules) when the executing the query.
-
+
+- The search query that is created by using the keywords box and conditions is displayed on the **Search** page, in the details pane for the selected search. In a query, everything to the right of the notation `(c:c)` indicates conditions that are added to the query.
+
+- Conditions only add properties to the search query; the don't add operators. This is why the query displayed in the detail pane doesn't show operators to the right of the `(c:c)` notation. KQL adds the logical operators (according to the previously explained rules) when the executing the query.
+
- You can use the drag and drop control to resequence the order of conditions. Click on the control for a condition and move it up or down.
-
-- As previously explained, some condition properties allow you to type multiple values (separated by semi-colons). Each value is logically connected by the **OR** operator, and results in the query `(filetype:docx) OR (filetype:pptx) OR (filetype:xlsx)`. The following illustration shows an example of a condition with multiple values.
+
+- As previously explained, some condition properties allow you to type multiple values (separated by semi-colons). Each value is logically connected by the **OR** operator, and results in the query `(filetype=docx) OR (filetype=pptx) OR (filetype=xlsx)`. The following illustration shows an example of a condition with multiple values.
![One condition with multiple values](../media/SearchConditions1.png)
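Review bot: the re-added bullet about conditions and operators still carries two typos, "the don't add operators" and "when the executing the query"; these lines are being rewritten for whitespace anyway, so fix them to "they don't add operators" and "when executing the query". The last bullet now shows the generated query as `(filetype=docx) OR (filetype=pptx) OR (filetype=xlsx)` instead of the `filetype:` form. It would help to say in that bullet why the operator shown is `=`, since the File type note added in this same change depends on the difference between an Equals condition and the `filetype:doc*` keyword form.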
compliance Retention Policies Exchange https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-exchange.md
Both a mailbox and a public folder use the [Recoverable Items folder](/exchange/
When a person deletes a message in a folder other than the Deleted Items folder, by default, the message moves to the Deleted Items folder. When a person deletes an item in the Deleted Items folder, the message is moved to the Recoverable Items folder. However, a user can soft delete an item (Shift+Delete) in any folder, which bypasses the Deleted Items folder and moves the item directly to the Recoverable Items folder.
-When you apply retention settings to Exchange data, a timer job periodically evaluates items in the Recoverable Items folder. If an item doesn't match the rules of at least one retention policy or retention label, the item is permanently deleted (also called hard deleted) from the Recoverable Items folder.
+When you apply retention settings to Exchange data, a timer job periodically evaluates items in the Recoverable Items folder. If an item doesn't match the rules of at least one retention policy or retention label to retain the item, it is permanently deleted (also called hard deleted) from the Recoverable Items folder.
+
+> [!NOTE]
+> Because of the [first principle of retention](retention.md#the-principles-of-retention-or-what-takes-precedence), permanent deletion is always suspended if the same item must be retained because of another retention policy or retention label, or it is under eDiscovery holds for legal or investigative reasons.
The timer job can take up to seven days to run and the Exchange location must contain at least 10 MB.
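Review bot: the rewritten sentence "If an item doesn't match the rules of at least one retention policy or retention label to retain the item, it is permanently deleted" is hard to parse, because "to retain the item" trails a negated clause. A direct form such as "If no retention policy or retention label requires the item to be retained, it is permanently deleted" says the same thing. In the added note, "or it is under eDiscovery holds" reads better as "or is under an eDiscovery hold". A near-identical note is added to the SharePoint, Teams and Yammer articles in this batch (the Teams and Yammer copies omit "or retention label"), so check that the four copies are meant to differ only in that phrase.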
compliance Retention Policies Sharepoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-sharepoint.md
When the retention settings are to retain and delete:
2. **If the content is not modified or deleted** during the retention period, the timer job moves this content to the first-stage Recycle Bin at the end of the retention period. If a user deletes the content from there or empties this Recycle Bin (also known as purging), the document is moved to the second-stage Recycle Bin. A 93-day retention period spans both the first- and second-stage recycle bins. At the end of 93 days, the document is permanently deleted from wherever it resides, in either the first-stage or second-stage Recycle Bin. The Recycle Bin is not indexed and therefore unavailable for searching. As a result, an eDiscovery search can't find any Recycle Bin content on which to place a hold.
+> [!NOTE]
+> Because of the [first principle of retention](retention.md#the-principles-of-retention-or-what-takes-precedence), permanent deletion is always suspended if the same item must be retained because of another retention policy or retention label, or it is under eDiscovery holds for legal or investigative reasons.
+ When the retention settings are retain-only, or delete-only, the contents paths are variations of retain and delete: ### Content paths for retain-only retention settings
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
After a retention policy is configured for chat and channel messages, a timer jo
Messages remain in the SubstrateHolds folder for at least 1 day, and then if they are eligible for deletion, the timer job permanently deletes them the next time it runs.
+> [!NOTE]
+> Because of the [first principle of retention](retention.md#the-principles-of-retention-or-what-takes-precedence), permanent deletion is always suspended if the same item must be retained because of another retention policy, or it is under eDiscovery holds for legal or investigative reasons.
+ After a retention policy is configured for chat and channel messages, the paths the content takes depend on whether the retention policy is to retain and then delete, to retain only, or delete only. When the retention policy is to retain and then delete:
compliance Retention Policies Yammer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-yammer.md
Yammer messages are not affected by retention policies that are configured for u
After a retention policy is configured for Yammer messages, a timer job from the Exchange service periodically evaluates items in the hidden folder where these Yammer messages are stored. The timer job takes up to seven days to run. When these items have expired their retention period, they are moved to the SubstrateHolds folderΓÇöa hidden folder that's in every user or group mailbox to store "soft-deleted" items before they are permanently deleted.
+> [!NOTE]
+> Because of the [first principle of retention](retention.md#the-principles-of-retention-or-what-takes-precedence), permanent deletion is always suspended if the same item must be retained because of another retention policy, or it is under eDiscovery holds for legal or investigative reasons.
+ After a retention policy is configured for Yammer messages, the paths the content takes depend on whether the retention policy is to retain and then delete, to retain only, or delete only. When the retention policy is to retain and then delete:
compliance Sensitivity Labels Sharepoint Onedrive Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files.md
Use the managed property **InformationProtectionLabelId** to find all documents
For example, to search for all documents that have been labeled as "Confidential", and that label has a GUID of "8faca7b8-8d20-48a3-8ea2-0f96310a848e", in the search box, type:
-`InformationProtectionLabelId: 8faca7b8-8d20-48a3-8ea2-0f96310a848e`
+```
+InformationProtectionLabelId:8faca7b8-8d20-48a3-8ea2-0f96310a848e
+```
+
+Search won't find labeled documents in a compressed file, such as a .zip file.
To get the GUIDs for your sensitivity labels, use the [Get-Label](/powershell/module/exchange/get-label) cmdlet:
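Review bot: the added sentence "Search won't find labeled documents in a compressed file, such as a .zip file." sits between the query example and the "To get the GUIDs" lead-in, where it reads as part of the example rather than as a limitation. Move it below the Get-Label step or format it as a note, because anyone relying on this search to locate every document carrying a given label needs to know that archives are not covered. The new fenced block has no language tag, unlike the ```PowerShell fences used elsewhere in these articles. Dropping the space after the colon in `InformationProtectionLabelId:8faca7b8-8d20-48a3-8ea2-0f96310a848e` matches the property:value form used in the keyword query article.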
compliance Sit Edm Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-edm-wizard.md
audience: Admin-+ Last updated
-localization_priority: Priority
+localization_priority: Normal
- M365-security-compliance search.appverid:
# Use the Exact Data Match Schema and Sensitive Information Type Wizard
-[Creating a custom sensitive information type with Exact Data Match (EDM) based classification](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) involves many steps. You can use this wizard to create your schema and sensitive information type pattern (rule package) files to help simplify the process.
+[Creating a custom sensitive information type with Exact Data Match (EDM) based classification](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) involves many steps. You can use this wizard to create your schema and sensitive information type (SIT) pattern (rule package) files to help simplify the process.
> [!NOTE] > The Exact Data Match Schema and Sensitive Information Type Wizard is only available for the World Wide and GCC clouds only.
steps in [Part 1: Set up EDM-based classification](create-custom-sensitive-infor
3. Fill in an appropriate **Name** and **Description**.
-4. Choose **Ignore delimiters and punctuations for all schema fields** if you want that behavior. To learn more about configuring EDM to ignore case or delimitere, see [Creating a custom sensitive information type with Exact Data Match (EDM) based classification](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md).
+4. Choose **Ignore delimiters and punctuation for all schema fields** if you want that behavior. To learn more about configuring EDM to ignore case or delimiters, see [Creating a custom sensitive information type with Exact Data Match (EDM) based classification](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md).
5. Fill in your desired values for your **Schema field #1** and add more fields as needed.
steps in [Part 1: Set up EDM-based classification](create-custom-sensitive-infor
13. Choose your desired **Confidence level and character proximity**. This will be the default value for the whole EDM sensitive info type
-13. Choose **Create pattern** if you want to creaet additional patterns for your EDM sensitive info type.
+13. Choose **Create pattern** if you want to create additional patterns for your EDM sensitive info type.
14. Choose **Next** and fill in a **Name** and **Description for admins**.
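Review bot: the corrected "Choose **Create pattern**" step is still numbered 13, the same number as the preceding "13. Choose your desired **Confidence level and character proximity**" step, so the procedure has two step 13s before step 14; renumber while the "creaet" typo is being fixed. The preceding step also ends without a period after "for the whole EDM sensitive info type".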
You can delete or edit the sensitive information type pattern by selecting it wh
> [!IMPORTANT] > If you want to remove a schema, and it is already associated with an EDM sensitive info type, you must first delete the EDM sensitive info type, then you can delete the schema.
-## Post steps
+## Post creation steps
-After you have used this wizard to create your EDM schema and pattern (rule package) files, you still have to perform the steps in [Part 2: Hash and upload the sensitive data](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md#part-2-hash-and-upload-the-sensitive-data) before you can use the EDM custom sensitive information type.
+After you have used this wizard to create your EDM schema and pattern (rule package) files, you still have to perform the steps in [Part 2: Hash and upload the sensitive data](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md#part-2-hash-and-upload-the-sensitive-data) before you can use the EDM custom sensitive information type.
+
+After verifying that your sensitive information table has correctly been uploaded, you can test that it's working properly.
+
+1. Open **Compliance center** > **Data classification** > **Sensitive Information Types**.
+2. Select your EDM SIT from the list and then select **Test** in the flyout pane.
+3. Upload an item that contains data you want to detect, for example create an item that contains some of the data in your sensitive information table. If you used the configurable match feature in your schema to define ignored delimiters, make sure the item includes examples with and without those delimiters.
+4. After the file has been uploaded and scanned, check for matches to your EDM SIT.
+5. If the **Test** function in the SIT detects a match, check that it is not trimming it or extracting it incorrectly. For example by extracting only a substring of the full string it is supposed to detect, or picking up only the first word in a multi-word string, or including extra symbols or characters in the extraction. See [Regular Expression Language - Quick Reference](/dotnet/standard/base-types/regular-expression-language-quick-reference) for the regular expression language reference.
+
+### Troubleshooting
+
+If you don't find any matches, try the following:
+- Confirm that your sensitive data was uploaded correctly using the commands explained in [the guidance for uploading your sensitive data using the EDM tool](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md).
+- Check that the examples you entered in the item are present in your sensitive information table and that the ignored delimiters are correct.
+- **Test** the SIT you used when you configured the primary element in each of your patterns. This will confirm that the SIT is able to match the examples in the item.
+ - If the SIT you selected for a primary element in the EDM type doesn't find a match in the item or finds fewer matches than you expected, check that it supports separators and delimiters that exist in the content. Be sure to include the ignored delimiters defined in your schema.
+ - If the **Test** function does not detect any content at all, check if the SIT you selected includes requirements for additional keywords or other validations. For the built-in SITs, see [Sensitive information types entity definitions](sensitive-information-type-entity-definitions.md) to verify what the minimum requirements are for matching each type.
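Review bot: step 5 of the new test procedure ends in a sentence fragment ("For example by extracting only a substring of the full string...") followed by a link to the regular expression reference, with no statement of what the reader should do with it. Say that a trimmed or over-long extraction means the pattern of the underlying SIT needs adjusting, then give the link. Step 3 tells the reader to upload an item containing data from the sensitive information table; state whether a few representative rows are enough, so that nobody builds a test file out of a large slice of the real table. In Troubleshooting, the first bullet links to the top of the EDM article rather than to the upload section, while the paragraph above links to `#part-2-hash-and-upload-the-sensitive-data`, and the "try the following:" line runs straight into the list without the blank line used before the numbered steps.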
contentunderstanding Apply A Retention Label To A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/apply-a-retention-label-to-a-model.md
search.appverid:
- enabler-strategic - m365initiative-syntex
-localization_priority: Priority
+localization_priority: Normal
description: "This article discusses how to apply a retention label to a model in SharePoint Syntex"
You can add a retention label to an existing form processing model that you own
[Create an extractor](create-an-extractor.md)
-[Document Understanding overview](document-understanding-overview.md)
+[Document Understanding overview](document-understanding-overview.md)
enterprise Ms Cloud Germany Transition Add Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-add-devices.md
Administrators should check `https://portal.microsoftazure.de` to determine if t
**What is the impact on my users?**
-Users from a registered device will no longer be able to sign in after [migration phase 10](ms-cloud-germany-transition-phases.md#Phase-9-&-10:-Azure-AD-Finalization) has been completed and the endpoints for Microsoft Cloud Deutschland have been disabled.
+Users from a registered device will no longer be able to sign in after [migration phase 10](ms-cloud-germany-transition-phases.md#phase-9--10-azure-ad-finalization) has been completed and the endpoints for Microsoft Cloud Deutschland have been disabled.
Ensure that all of your devices are registered with the worldwide endpoint before your organization is disconnected from Microsoft Cloud Deutschland. **When do my users re-register their devices?**
-It's critical to your success that you only unregister and re-register your devices after [phase 9](ms-cloud-germany-transition-phases.md#Phase-9-&-10:-Azure-AD-Finalization) has been completed. You must finish the re-registration before phase 10 starts, otherwise you could lose access to your device.
+It's critical to your success that you only unregister and re-register your devices after [phase 9](ms-cloud-germany-transition-phases.md#phase-9--10-azure-ad-finalization) has been completed. You must finish the re-registration before phase 10 starts, otherwise you could lose access to your device.
**How do I restore my device state after migration?**
knowledge Topic Experiences Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-overview.md
description: "Overview of Viva Topics."
# Microsoft Viva Topics overview
-Viva Topics uses Microsoft AI technology, Microsoft 365, Microsoft Graph, Search, and other components and services to bring knowledge to your users in Microsoft 365 apps they use everyday, starting with SharePoint modern pages, Microsoft Search, and Search in Word, PowerPoint, Outlook and Excel.
+Viva Topics uses Microsoft AI technology, Microsoft 365, Microsoft Graph, Search, and other components and services to bring knowledge to your users in the Microsoft 365 apps they use everyday, starting with SharePoint modern pages, Microsoft Search, and Search in Word, PowerPoint, Outlook and Excel.
<br/>
Viva Topics uses Microsoft AI technology, Microsoft 365, Microsoft Graph, Search
<br/>
-Viva Topics helps to address a key business issue in many companies - providing the information to users when they need it. For example, new employees need to learn a lot of new information quickly, and encounter terms they know nothing about when reading through company information. To learn more, the user might need to step away from what they are doing and spend valuable time searching for details, such as information about what the term is, who in the organization is a subject matter expert, and maybe sites and documents that are related to the term.
-
-Viva Topics uses AI to automatically search for and identify **topics** in your organization. It compiles information about them, such as a short description, people working on the topic, and sites, files, and pages that are related to it. A knowledge manager or contributor can choose to update the topic information as needed. The topics are available to your users, which means that for every instance of the topic that appears in a modern SharePoint site in news and pages, the text will be highlighted. Users can choose to select the topic to learn more about it through the topic details. Topics can also be found in SharePoint Search.
+Viva Topics helps to address a key business issue in many companies ΓÇö providing the information to users when they need it. For example, new employees need to learn a lot of new information quickly, and encounter terms they know nothing about when reading through company information. To learn more, the user might need to step away from what they are doing and spend valuable time searching for details, such as information about what the term is, who in the organization is a subject matter expert, and maybe sites and documents that are related to the term.
+Viva Topics uses AI to automatically search for and identify *topics* in your organization. It compiles information about them, such as a short description, people working on the topic, and sites, files, and pages that are related to it. A knowledge manager or contributor can choose to update the topic information as needed. The topics are available to your users, which means that for every instance of the topic that appears in a modern SharePoint site in news and pages, the text will be highlighted. Users can choose to select the topic to learn more about it through the topic details. Topics can also be found in SharePoint Search.
## How topics are displayed to users
When you use Search in Word, PowerPoint, Outlook or Excel, either through the se
## Knowledge indexing
-Viva Topics uses Microsoft AI technology to identify **topics** in your Microsoft 365 environment.
+Viva Topics uses Microsoft AI technology to identify *topics* in your Microsoft 365 environment.
A topic is a phrase or term that is organizationally significant or important. It has a specific meaning to the organization, and has resources related to it that can help people understand what it is and find more information about it. There are lots of different types of topics that will be important to your organization. Initially, the Microsoft AI technology focuses on the following types:+ - Project - Event - Organization
A topic is a phrase or term that is organizationally significant or important. I
- Creative work - Field of study -
-When a topic is identified and AI determines that it has enough information for it to be a suggested topic, a **topic page** displays the information that was gathered through topic indexing, such as:
+When a topic is identified and AI determines that it has enough information for it to be a suggested topic, a *topic page* displays the information that was gathered through topic indexing, such as:
- Alternate names and acronyms. - A short description of the topic.
When you use Viva Topics in your Microsoft 365 environment, your users will have
- Contributors: Users who have rights to edit existing topics or create new ones. Knowledge admins assign contributor permissions to users through the Viva Topics settings in the Microsoft 365 admin center. Note that you can also choose to give all topic viewers the permission to edit and create topics so that everyone can contribute to topics that they see. -- Knowledge managers: Users who guide topics through the topic lifecycle. Knowledge managers use the **Manage Topics** page in the Topic center to confirm AI-suggested topics, remove topics that are no longer relevant, as well as edit existing topics or create new ones, and are the only users who have access to it. Knowledge admins assign knowledge manager permissions to users through the Viva Topics admin settings in the Microsoft 365 admin center.
+- Knowledge managers: Users who guide topics through the topic lifecycle. Knowledge managers use the **Manage topics** page in the Topic center to confirm AI-suggested topics, remove topics that are no longer relevant, as well as edit existing topics or create new ones, and are the only users who have access to it. Knowledge admins assign knowledge manager permissions to users through the Viva Topics admin settings in the Microsoft 365 admin center.
-- Knowledge admins: Knowledge admins set up Viva Topics and manage it through the admin controls in the Microsoft 365 admin center. Currently, a Microsoft 365 global or SharePoint administrator can serve as a knowledge admin.
+- Knowledge admins: Admins set up Viva Topics and manage it through the admin controls in the Microsoft 365 admin center. Currently, a Microsoft 365 global or SharePoint administrator can serve as a knowledge admin.
-See [Viva Topics roles](topic-experiences-roles.md) for more information.
+For more information, see [Viva Topics roles](topic-experiences-roles.md).
## Topic management
-Topic management is done in the **Manage topics** page in your organization's **Topic center**. The Topic center is created during setup and serves as your center of knowledge for your organization.
+Topic management is done in the **Manage topics** page in your organization's *topic center*. The topic center is created during setup and serves as your center of knowledge for your organization.
-While all licensed users can see topics they're connected with in the Topic center, only users with *Manage topics* permissions (knowledge managers) can view and use the Manage topics page.
+While all licensed users can see topics they're connected with in the Topic center, only users with *Manage topics* permissions (knowledge managers) can view and use the **Manage topics** page.
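Review bot: the casing of "topic center" is now inconsistent within this section. The first changed line lowercases it ("*topic center*", "The topic center is created during setup"), but the next changed line still reads "in the Topic center", and the link text further down is "Manage topics in the Topic center". Pick one casing and apply it to every occurrence in the file.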
Knowledge managers can:
Knowledge managers can:
- Create new topics manually as needed (for example, if not enough information was provided for it to be discovered through AI). - Edit existing topic pages.<br/>
-See [Manage topics in the Topic center](manage-topics.md) for more information.
-
+For more information, see [Manage topics in the Topic center](manage-topics.md).
## Admin controls
Admin controls in the Microsoft 365 admin center allow you to manage Viva Topics
- Control which users can create and edit topics. - Control which user can view topics.
-See [assign user permissions](./plan-topic-experiences.md#user-permissions), [manage topic visibility](./topic-experiences-knowledge-rules.md), and [manage topic discovery](./topic-experiences-discovery.md) for more information about admin controls.
+For more information about admin controls, see [assign user permissions](./plan-topic-experiences.md#user-permissions), [manage topic visibility](./topic-experiences-knowledge-rules.md), and [manage topic discovery](./topic-experiences-discovery.md).
## Topic curation & feedback AI will continually work to provide you suggestions to improve your topics as changes occur in your environment.
-Users with edit or create topics permissions can make updates to topic pages directly if they want to make corrections or add additional information. They can also add new topics that AI wasn't able to identify. If there's enough information on these manually added topics, and AI is able to identify this type of topic, additional suggestions from AI may enhance these manually added topics
+Users with edit or create topics permissions can make updates to topic pages directly if they want to make corrections or add additional information. They can also add new topics that AI wasn't able to identify. If there's enough information on these manually added topics, and AI is able to identify this type of topic, additional suggestions from AI might enhance these manually added topics.
Users that you allow access to see topics in their daily work might be asked if the topic was useful to them. The system looks at these responses and uses them to improve the topic highlight, and help determine what's shown on topic summaries and in topic details. Additionally, users with proper permissions can tag items such as Yammer conversation that are relevant to a topic, and add them to a specific topic.
-See [Topic discovery and curation](./topic-experiences-discovery-curation.md).
+For more information, see [Topic discovery and curation](./topic-experiences-discovery-curation.md).
-<!--
## See also>+
+[Use Microsoft Search to find topics in Viva Topics](./search.md)
managed-desktop Privacy Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/privacy-personal-data.md
For more information about the diagnostic data collection of Windows 10, see the
Direct access to Microsoft Managed DesktopΓÇÖs internal data stores is restricted in several ways: - It requires engineering lead level approval.-- It is both audited and time limited.-- It requires the use of a highly secured and restricted workstation.
+- It is time-bounded and audited.
- All data is encrypted while it is stored.-- There is no standing access. - Access to Microsoft Managed DesktopΓÇÖs internal management portal requires a highly secured and restricted workstation. ## Processing personal data in a compliant manner
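Review bot: the rewritten list of restrictions on direct access to internal data stores drops two controls that the old text stated outright, "It requires the use of a highly secured and restricted workstation" and "There is no standing access", and keeps only the merged bullet "It is time-bounded and audited." The surviving workstation bullet covers only the internal management portal. If both controls still apply to the data stores, restore them; if they no longer apply, that is a change to the documented access model and deserves an explicit sentence rather than a silent removal, because readers use this list as the statement of who can reach personal data and how.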
Furthermore, use the following guidance to exercise DSRs for the services Micros
- [Azure Active Directory](/compliance/regulatory/gdpr-dsr-Azure?view=o365-worldwide) - [Microsoft Intune](/compliance/regulatory/gdpr-dsr-Intune?view=o365-worldwide) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy)-- [Windows 10](/windows/privacy/windows-10-and-privacy-compliance)
+- [Windows 10](/windows/privacy/windows-10-and-privacy-compliance)
scheduler Scheduler Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-setup.md
To discover which mailbox in your organization is currently set as the Cortana S
```powershell
-Get-mailbox -Organization contoso.com | where {($_.PersistedCapabilities -like "SchedulerAssistant")}
+Get-mailbox | where {$_.PersistedCapabilities -Match "SchedulerAssistant"}
```
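Review bot: switching the filter from -like "SchedulerAssistant" to -Match "SchedulerAssistant" widens what the command returns. -like with no wildcard compares whole values, while -Match is a regular-expression substring test, so any PersistedCapabilities value that merely contains "SchedulerAssistant" now counts. If the intent is exact membership, -contains "SchedulerAssistant" says so directly. Separately, Get-Mailbox with no -ResultSize stops at its default of 1000 results, so in a larger tenant the Scheduler mailbox can be missed; consider adding -ResultSize Unlimited to the documented command.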
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Get your antivirus and antimalware updates](manage-updates-baselines-microsoft-defender-antivirus.md) ##### [Manage the sources for Microsoft Defender Antivirus protection updates](manage-protection-updates-microsoft-defender-antivirus.md) ##### [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
-##### [Manage gradual rollout process for Microsoft Defender updates](updates.md)
-##### [Configure gradual rollout process for Microsoft Defender updates](configure-updates.md)
##### [Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) ##### [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) ##### [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
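Review bot: the two gradual-rollout entries (updates.md and configure-updates.md) are removed from the TOC here, and both articles are deleted in full elsewhere in this batch. Check that no remaining article still links to either file and that redirects exist for the removed paths, otherwise bookmarks and search results for the update-channel guidance will land on a missing page.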
###### [Indicators]() ####### [Indicators methods and properties](ti-indicator.md)
-####### [Submit Indicator](post-ti-indicator.md)
####### [List Indicators](get-ti-indicators-collection.md)
+####### [Submit Indicator](post-ti-indicator.md)
+####### [Import Indicator](import-ti-indicators.md)
####### [Delete Indicator](delete-ti-indicator-by-id.md) ###### [IP]()
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
# Use attack surface reduction rules to prevent malware infection - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
security Audit Windows Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/audit-windows-defender.md
You can use Group Policy, PowerShell, and configuration service providers (CSPs)
> [!TIP] > You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
- **Audit options** | **How to enable audit mode** | **How to view events**
+| Audit options | How to enable audit mode | How to view events |
|||| | Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer) | Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
security Behavioral Blocking Containment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md
Behavioral blocking and containment capabilities can help identify and stop thre
Behavioral blocking and containment capabilities work with multiple components and features of Defender for Endpoint to stop attacks immediately and prevent attacks from progressing. -- [Next-generation protection](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.
+- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.
-- [Endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond.
+- [Endpoint detection and response](overview-endpoint-detection-response.md) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond.
-- [Defender for Endpoint](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-threat-protection), Defender for Endpoint processes and correlates these signals, raises detection alerts, and connects related alerts in incidents.
+- [Defender for Endpoint](overview-endpoint-detection-response.md) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft 365 Defender](../defender/microsoft-365-defender.md), Defender for Endpoint processes and correlates these signals, raises detection alerts, and connects related alerts in incidents.
With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks.
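Review bot: in the third bullet, the "[Defender for Endpoint]" link now resolves to overview-endpoint-detection-response.md, which is the same target as the "[Endpoint detection and response]" bullet directly above it. Since every link in this list is being repointed anyway, give the product name a target that describes the product as a whole rather than the EDR overview, so the two bullets do not send readers to one page under two labels.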
The following image shows an example of an alert that was triggered by behaviora
## Components of behavioral blocking and containment -- **On-client, policy-driven [attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
+- **On-client, policy-driven [attack surface reduction rules](attack-surface-reduction.md)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
Below are two real-life examples of behavioral blocking and containment in actio
As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the userΓÇÖs device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. Behavior-based device learning models in Defender for Endpoint caught and stopped the attackerΓÇÖs techniques at two points in the attack chain:+ - The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack. - The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
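Review bot: in the first protection-layer bullet, "correctly identified the threat as and immediately instructed the client device to block the attack" is missing the classification that should follow "as". This paragraph is already being touched for the blank line before the list, so either supply the missing term or drop "as" so the sentence reads cleanly.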
This example shows that with behavioral blocking and containment capabilities, t
## Next steps -- [Learn more about Defender for Endpoint](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)
+- [Learn more about Defender for Endpoint](overview-endpoint-detection-response.md)
- [Configure your attack surface reduction rules](attack-surface-reduction.md)
This example shows that with behavioral blocking and containment capabilities, t
- [See recent global threat activity](https://www.microsoft.com/wdsi/threats) -- [Get an overview of Microsoft 365 Defender ](/microsoft-365/security/defender/microsoft-threat-protection)
+- [Get an overview of Microsoft 365 Defender](../defender/microsoft-365-defender.md)
security Client Behavioral Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
## Overview
security Configure Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-updates.md
-
Title: Create a custom gradual rollout process for Microsoft Defender updates
-description: Learn how to use supported tools to create a custom gradual rollout process for updates
-keywords: update tools, gpo, intune, mdm, microsoft endpoint manager, policy, powershell
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
-- NOCSH------ M365-security-compliance -- m365initiative-m365-defender ---
-# Create a custom gradual rollout process for Microsoft Defender updates
--
-**Applies to:**
--- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)-
-> [!NOTE]
-> This functionality requires Microsoft Defender Antivirus version 4.18.2105.X or newer.
-
-To create your own custom gradual rollout process for Defender updates, you can use Group Policy, Microsoft Endpoint Manager, and PowerShell.
-
-The following table lists the available group policy settings for configuring
-update channels:
-
-| Setting title | Description | Location |
-|-|-|-|
-| Select gradual Microsoft Defender monthly platform update rollout channel | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <br><br> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <br><br> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
-| Select gradual Microsoft Defender monthly engine update rollout channel | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. <br><br> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <br><br> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <br><br> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
-| Select gradual Microsoft Defender daily definition updates rollout channel | Enable this policy to specify when devices receive Microsoft Defender definition updates during the daily gradual rollout. <br><br> Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
-| Disable gradual rollout of Microsoft Defender updates | Enable this policy to disable gradual rollout of Defender updates. <br><br> Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates. <br><br> Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. <br><br> If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
-
-## Group Policy
-
-> [!NOTE]
-> An updated Defender ADMX template will be published together with the 21H2 release of Windows 10.
-
-You can use [Group Policy](/windows/win32/srvnodes/group-policy?redirectedfrom=MSDN) to configure and manage Microsoft Defender Antivirus on your endpoints.
-
-In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:
-
-1. On your Group Policy management machine, open theΓÇ»**Group Policy Management Console**, right-click the **Group Policy Object** (GPO) you want to configure and clickΓÇ»**Edit**.
-
-2. Using the Group Policy Management Editor go to **Computer configuration**.
-
-3. ClickΓÇ»**Administrative templates**.
-
-4. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
-
-5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
-
-6. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
-
-## Intune
-
-Follow the instructions in below link to create a custom policy in Intune:
-
-[Add custom settings for Windows 10 devices in Microsoft Intune - Azure \| Microsoft Docs](/mem/intune/configuration/custom-settings-windows-10)
-
-## PowerShell
-
-Use the `Set-MpPreference` cmdlet to configure roll out of the gradual updates.
-
-Use the following parameters:
-
-```powershell
-Set-MpPreference
--PlatformUpdatesChannel Beta|Preview|Staged|Broad|NotConfigured--EngineUpdatesChannel Beta|Preview|Staged|Broad|NotConfigured--DisableGradualRelease True|False--SignaturesUpdatesChannel Staged|Broad|NotConfigured
-```
-
-Example:
-
-Use `Set-MpPreference -PlatformUpdatesChannel Beta` to configure platform updates to arrive from the Beta Channel.
-
-For more information on the parameters and how to configure them, see [Set-MpPreference (Defender) | Microsoft Docs](/powershell/module/defender/set-mppreference?view=windowsserver2019-ps).
security Enable Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-controlled-folders.md
keywords: Controlled folder access, windows 10, windows defender, ransomware, pr
description: Learn how to protect your important files by enabling Controlled folder access search.product: eADQiWindows 10XVcnh ms.prod: m365-security+ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security
ms.technology: mde
You can enable controlled folder access by using any of these methods: * [Windows Security app](#windows-security-app)
-* [Microsoft Endpoint Manager](#intune)
+* [Microsoft Endpoint Manager](#endpoint-manager)
* [Mobile Device Management (MDM)](#mobile-device-management-mdm) * [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy)
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 06/08/2021 Last updated : 06/09/2021 # Manage Microsoft Defender Antivirus updates and apply baselines
All our updates contain
<summary> May-2021 (Platform: 4.18.2105.4 | Engine: 1.1.18200.4)</summary> &ensp;Security intelligence update version: **1.341.8.0**
-&ensp;Released: **June 4, 2021**
+&ensp;Released: **June 3, 2021**
&ensp;Platform: **4.18.2105.4** &ensp;Engine: **1.1.18200.4** &ensp;Support phase: **Security and Critical Updates**
No known issues
<summary> April-2021 (Platform: 4.18.2104.14 | Engine: 1.1.18100.5)</summary> &ensp;Security intelligence update version: **1.337.2.0**
-&ensp;Released: **April 1, 2021**
+&ensp;Released: **April 26, 2021** (Engine: 1.1.18100.6 released May 5, 2021)
&ensp;Platform: **4.18.2104.14** &ensp;Engine: **1.1.18100.5** &ensp;Support phase: **Security and Critical Updates**
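Review bot: the new April-2021 release line cites "Engine: 1.1.18100.6 released May 5, 2021", while the summary line and the Engine field of the same entry still read 1.1.18100.5. State which engine build this entry documents, or list 1.1.18100.6 as its own field with its date, so that admins comparing deployed engine versions against this page can tell which value is current.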
No known issues
### What's new - Additional behavior monitoring logic - Improved kernel mode keylogger detection-- Added new controls to manage the gradual rollout process for [Microsoft Defender updates](updates.md) ### Known Issues No known issues
No known issues
<summary> March-2021 (Platform: 4.18.2103.7 | Engine: 1.1.18000.5)</summary> &ensp;Security intelligence update version: **1.335.36.0**
-&ensp;Released: **April 1, 2021**
+&ensp;Released: **April 2, 2021**
&ensp;Platform: **4.18.2103.7** &ensp;Engine: **1.1.18000.5** &ensp;Support phase: **Security and Critical Updates**
security Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/updates.md
-
Title: Manage the gradual rollout process for Microsoft Defender updates
-description: Learn about the gradual update process and controls
-keywords: update, update process, controls, release
-search.product: eADQiWindows 10XVcnh
-ms.sitesec: library
-ms.pagetype: security
-- NOCSH------ M365-security-compliance -- m365initiative-m365-defender ---
-# Manage the gradual rollout process for Microsoft Defender updates
---
-**Applies to:**
--- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)--
-It is important to ensure that client components are up-to-date to deliver critical protection capabilities and prevent attacks.
-
-Capabilities are provided through several components:
--- [Endpoint Detection & Response](overview-endpoint-detection-response.md) -- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md#microsoft-defender-antivirus-your-next-generation-protection) with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md) -- [Attack Surface Reduction](overview-attack-surface-reduction.md)-
-Updates are released monthly using a gradual release process. This process helps to enable early failure detection to catch impact as it occurs and address it quickly before a larger rollout.
-
-> [!NOTE]
-> For more information on how to control daily definition updates, see [Schedule Microsoft Defender Antivirus definition updates - Windows security | Microsoft Docs](manage-protection-update-schedule-microsoft-defender-antivirus.md). Definition updates ensure that next-generation protection can defend against new threats, even if cloud-delivered protection is not available to the endpoint.
-
-## Microsoft gradual rollout model
-
-The following gradual rollout model is followed:
-
-1. The first release goes out to Beta channel subscribers.
-2. After validation, feedback, and fixes, we start the gradual rollout process in a throttled way and to Preview channel subscribers first.
-3. We then proceed to release the update to the rest of the global population, scaling out from 10-100%.
-
-Our engineers continuously monitor impact and escalate any issues to create a fix as needed.
-
-## How to customize your internal deployment process
-
-If your machines are receiving Defender updates from Windows Update, the gradual rollout process may result in some of your machines receiving Defender updates sooner than others. The following section explains how to define a strategy that will allow automatic updates to flow differently to specific groups of devices by leveraging update channel configuration.
-
-> [!NOTE]
-> When planning for your own gradual release, please make sure to always have a selection of devices subscribed to the preview and staged channels. This will provide your organization as well as Microsoft the opportunity to prevent or find and fix issues specific to your environment.
-
-For machines receiving updates through, for example, Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager (MECM), more options are available to all Windows updates, including options for Microsoft Defender for Endpoint.
--- Read more about how to use a solution like WSUS, MECM to manage the distribution and application of updates at [Manage Microsoft Defender Antivirus updates and apply baselines - Windows security | Microsoft Docs](manage-updates-baselines-microsoft-defender-antivirus.md#product-updates).-
-## Update channels for monthly updates
-
-You can assign a machine to an update channel to define the cadence in which a machine receives monthly engine and platform updates.
-
-For more information on how to configure updates, see [Create a custom gradual rollout process for Microsoft Defender updates](configure-updates.md).
-
-The following update channels are available:
-
-| Channel name | Description | Application |
-|-|-|-|
-| Beta Channel - Prerelease | Test updates before others | Devices set to this channel will be the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only. |
-| Current Channel (Preview) | Get Current Channel updates **earlier** during gradual release | Devices set to this channel will be offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments. |
-| Current Channel (Staged) | Get Current Channel updates later during gradual release | Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%). |
-| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
-| (default) | | If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices. |
-
-### Update channels for daily definition updates
-
-You can assign a machine to an update channel to define the cadence in which a machine receives daily definition updates.
-
-| Channel name | Description | Application |
-|-|-|-|
-| Current Channel (Staged) | Get Current Channel updates later during gradual release | Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%). |
-| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates. |
-| (default) | | If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices |
-
-> [!NOTE]
-> In case you wish to force an update to the newest signature instead of leveraging the time delay, you will need to remove this policy first.
-
-## Update guidance
-
-In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This provides the best balance between protection and possible impact associated with the changes they can introduce.
-
-For environments where there is a need for a more controlled gradual rollout of automatic Defender updates, consider an approach with deployment groups:
-
-1. Participate in the Windows Insider program or assign a group of devices to the Beta Channel.
-2. Designate a pilot group that opts-in to Preview Channel, typically validation environments, to receive new updates early.
-3. Designate a group of machines that receive updates later during the gradual rollout from Staged channel. Typically, this would be a representative ~10% of the population.
-4. Designate a group of machines that receive updates after the gradual release cycle completes. These are typically important production systems.
-
-For the remainder of devices, the default setting is to receive new updates as they arrive during the Microsoft gradual rollout process and no further configuration is required.
-
-Adopting this model:
-- Allows you to test early releases before they reach a production environment -- Ensure the production environment still receives regular updates and ensure protection against critical threats.-
-## Management tools
-To create your own custom gradual rollout process for monthly updates, you can use the following tools:
--- Group policy-- Microsoft Endpoint Manager-- PowerShell-
-For details on how to use these tools, see [Create a custom gradual rollout process for Microsoft Defender updates](configure-updates.md).
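Review bot: No replacement text or redirect is visible for the body removed under the title "Manage the gradual rollout process for Microsoft Defender updates"; every line from the description down to "Management tools" is deleted and nothing is added. Before merging, confirm where this content now lives and that the old URL redirects there. If configure-updates.md is the intended home, check that it carries both channel tables (monthly and daily definition updates) and the two operational notes that are dropped here: keeping a selection of devices on the Preview and Staged channels, and having to remove the channel policy before forcing an update to the newest signature. Admins planning a staged rollout rely on those, and the removed text only links to configure-updates.md for the "how", not for the channel definitions.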
security Whats New In Microsoft Defender Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-atp.md
For more information on preview features, see [Preview features](preview.md).
> /api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet= > ```
+## June 2021
+- [Device group definitions](/microsoft-365/security/defender-endpoint/machine-groups) can now include multiple values for each condition. You can set multiple tags, device names, and domains to the definition of a single device group.
+ ## March 2021 - [Manage tamper protection using the Microsoft Defender Security Center](prevent-changes-to-security-settings-with-tamper-protection.md#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) <br> You can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*.
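Review bot: The new June 2021 entry does not say how multiple values inside one condition are evaluated (any value matches, or all must match), which is the first thing an admin needs to know before editing an existing device group definition; add one sentence on that or make sure the linked machine-groups page states it. Two smaller points on the same entry: the link uses an absolute path (/microsoft-365/security/defender-endpoint/machine-groups) while the surrounding entries use relative .md links such as preview.md, so pick one style for the file, and "set multiple tags, device names, and domains to the definition" reads better as "in the definition". The re-added "## March 2021" line also carries a leading space before the heading marker; drop it so the heading matches the new "## June 2021" line.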