-You can use Basic Mobility and Security to manage many types of mobile devices like Windows Phone, Android, iPhone, and iPad. To manage mobile devices used by people in your organization, each person must have an applicable Microsoft 365 license and their device must be enrolled in Basic Mobility and Security.

-**Step 2:** Set up Basic Mobility and Security by, for example, creating an APNs certificate to manage iOS devices and adding a Domain Name System (DNS) record for your domain to support Windows phones.

-[Get details about devices managed by Basic Mobility and Security](get-details-about-managed-devices.md) (article)

-Billing support is provided in English from 9 AM-5 PM (9 AM-6 PM in Australia), Monday-Friday.\

-Technical support is provided in English 24 hours a day, 7 days a week.\

-If your support phone number isn't listed above, use the drop-down menu below to find the number for your country or region.

-1. In the admin center, go to **Settings** \> **Org settings**, and on the <a href="https://go.microsoft.com/fwlink/p/?linkid=2053743" target="_blank">**Services** tab</a>, select **Calendar**.

-Once sharing is enabled, calendar owners can extend invitations to specific users. For instructions, see [Sharing your calendar in Outlook Web App](https://support.microsoft.com/office/7ecef8ae-139c-40d9-bae2-a23977ee58d5).

-1. In the admin center, in the left nav, choose **Settings**, and then choose <a href="https://go.microsoft.com/fwlink/p/?linkid=2125823" target="_blank">**Integrated apps**</a>.

-In the Microsoft 365 admin center, you can configure per-user and service <a href="https://go.microsoft.com/fwlink/p/?linkid=2169174" target="_blank">MFA settings</a>.

-[Turn on multifactor authentication for your phone](https://support.microsoft.com/office/ace1d096-61e5-449b-a875-58eb3d74de14) (video)

-1. Check individualΓÇÖs EwsApplicationAccessPolicy by running the following command:

-[Buy or remove subscription licenses](buy-licenses.md) (article)

-When you buy a subscription to Microsoft 365 for business, you sign up for a set of apps and services that you pay for on either a monthly or an annual basis. The applications and services that you receive as part of your subscription depend on which product you purchased, such as Microsoft 365 Apps for business or Microsoft 365 Business Standard. You can see what comes with each product on the [Microsoft 365 for small and medium-sized businesses](https://products.office.com/compare-all-microsoft-office-products?&activetab=tab:primaryr1) page.

-|Exchange Online|A mailbox is created for that person. <br/> To learn about the SLA for this task to be completed, see ["Setting up..." messages in the Microsoft 365 admin center](https://support.microsoft.com/help/2635238/setting-up-messages-in-the-office-365-admin-center). |

-|SharePoint Online|Edit permissions to the default SharePoint Online team site are assigned to that person.|

-|Skype for Business Online|The person has access to the features associated with the license.|

-|Microsoft 365 Apps for enterprise and Microsoft 365 Apps for business|The person can download Office apps on up to five Macs or PCs, five tablets, and five smartphones.|

-| Power Apps per user | CFQ7TTC0KP0P |

-The following example walks you through how to import the **MSCommerce** module, sign in with your account, get the **ProductId** for Power Automate, and then disable **AllowSelfServicePurchase** for that product.

-$product = Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | where {$_.ProductName -match 'Power Automate'}

-If you have more than one subscription, have users with a license for one subscription, but want to move them to another subscription, you can replace their existing license with a different one.

-2. Select the circles next to the names of the users that you want to replace existing licenses for.

-3. On the subscription details page, select **Upgrade**.

-3. For the selected domain, choose **Request services** from the top navigation bar, and review the list of available offers.

-> [!NOTE]

-> Notification emails are sent unprotected.

-The SMTP protocol is the main protocol used to transfer messages between mail servers and is, by default, not secure. The Transport Layer Security (TLS) protocol was introduced years ago to support encrypted transmission of messages over SMTP. ItΓÇÖs commonly used opportunistically rather than as a requirement, leaving much email traffic in clear text, vulnerable to interception by nefarious actors. Furthermore, SMTP determines the IP addresses of destination servers through the public DNS infrastructure, which is susceptible to spoofing and Man-in-the-Middle (MITM) attacks. This has led to many new standards being created to increase security for sending and receiving email, one of those is DNS-based Authentication of Named Entities (DANE).

-

-DANE for SMTP [RFC 7672](https://tools.ietf.org/html/rfc7672) uses the presence of a Transport Layer Security Authentication (TLSA) record in a domain's DNS record set to signal a domain and its mail server(s) support DANE. If there is no TLSA record present, DNS resolution for mail flow will work as usual without any DANE checks being attempted. The TLSA record securely signals TLS support and publishes the DANE policy for the domain. So, sending mail servers can successfully authenticate legitimate receiving mail servers using SMTP DANE. This makes it resistant to downgrade and MITM attacks. DANE has direct dependencies on DNSSEC, which works by digitally signing records for DNS lookups using public key cryptography. DNSSEC checks occur on recursive DNS resolvers, the DNS servers that make DNS queries for clients. DNSSEC ensures that DNS records arenΓÇÖt tampered with and are authentic.

-After you upgrade to TLS 1.2, make sure that the cipher suites you're using are supported by Azure Front Door. Microsoft 365 and Azure Front Door have slight differences in cipher suite support. For details, see [What are the current cipher suites supported by Azure Front Door?](/azure/frontdoor/front-door-faq#what-are-the-current-cipher-suites-supported-by-azure-front-door-).

-You cannot create or edit documents in an IRM-enabled library using Office in a browser. Instead, one person at a time can download and edit IRM-encrypted files. Use check-in and check-out to manage *co-authoring* , or authoring across multiple users.

-When you download a PDF file from an IRM-protected library, Microsoft 365 creates a protected PDF file. The file's extension won't change, but the file is protected. To view this file you'll need the Azure Information Protection viewer, the full Azure Information Protection client, or another application that supports viewing protected PDF files.

-4. Run the Remove-PSSession cmdlet to disconnect from the Rights Management service.

-Before you start, review [Overview of attack surface reduction](overview-attack-surface-reduction.md), and [Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) for foundational information. To understand the areas of coverage and potential impact, familiarize yourself with the current set of ASR rules; see [Attack surface reduction rules reference](attack-surface-reduction-rules-reference.md). While you are familiarizing yourself with the ASR rules set, take note of the per-rule GUID mappings; see: [ASR rules and GUIDs matrix](attack-surface-reduction-rules-reference.md#asr-rules-and-guids-matrix).

- - Rule descriptions

- - Configuration management system rule names

-> [!Note]

-| [Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | Y | Y | Y <br> version 1803 (Semi-Annual Channel) or later | Y | Y |

-Toast notifications are generated for all rules in Block mode. Rules in any other mode will not generate toast notifications

-## ASR rules and GUIDs matrix

-If the allow button is clicked, the block will be suppressed for 24 hours. After 24 hours, the end-user will need to allow the block again. The warn mode for ASR rules is only supported for RS5+ (1809+) devices. If bypass is assigned to ASR rules on devices with older versions, the rule will be in blocked mode.

-You can also set a rule in warn mode via PowerShell by simply specifying the AttackSurfaceReductionRules_Actions as "Warn". For example:

-The **Block abuse of exploited vulnerable signed drivers** rule does not block a driver already existing on the system from being loaded.

-Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.

-LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.

-Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.

-This rule blocks processes created through [PsExec](/sysinternals/downloads/psexec) and [WMI](/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.

-This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. This rule does not block files that have one or more of the following characteristics:

-|**Group Id**|GUID, a unique ID, represents the group and will be used in the policy as GroupId||

-|**DescriptorIdList**|List the device properties you want to use to cover in the group. For each device property, see [Device Properties](device-control-removable-storage-protection.md) for more detail. All properties are case sensitive. |**PrimaryId**: `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`<br>**BusId**: For example, USB, SCSI<br>**DeviceId**<br>**HardwareId**<br>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`.<br>**FriendlyNameId**<br>**SerialNumberId**<br>**VID**<br>**PID**<br>**VID_PID**<br>`0751_55E0`: match this exact VID/PID pair<br>`_55E0`: match any media with PID=55E0 <br>`0751_`: match any media with VID=0751|

-|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <br> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value. |

-#### Endpoint security policy**

-| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"

-| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"

-| where _tsmodeproperties.TroubleshootingStateChangeReason == "Troubleshooting mode started"

-There are some apps that stop functioning when an active VPN is detected. You can disable the VPN during the time you are using such apps.

-By default, Defender for Endpoint on iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. Defender for Endpoint on iOS uses a VPN in order to provide this protection. Note that this is a local VPN and unlike traditional VPN, network traffic is not sent outside the device.

-While enabled by default, there might be some cases that require you to disable VPN. For example, you want to run some apps that do not work when a VPN is configured. In such cases, you can choose to disable the VPN directly from the Defender for Endpoint app or using the following steps:

-Apple iOS does not support multiple **device-wide** VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time. If you need to use another VPN on the device, you can disable Defender for Endpoint VPN while you are using the other VPN.

-In order to provide you all-time protection from web-based threats, Microsoft Defender for Endpoint needs to run in the background at all times. This might lead to a minor increase in overall battery consumption of your device. In case you are seeing significant battery drain, please [send us feedback](ios-troubleshoot.md#send-in-app-feedback) and we will investigate.

-Microsoft Defender for Endpoint uses a local/loopback VPN to check web traffic for any malicious websites or connections. Due to this reason, Microsoft Defender for Endpoint data usage can be inaccurately accounted for. We have also observed that if the device is on cellular network only, the data usage reported by service provider is very close to the actual consumption whereas in the Settings app, Apple shows about 1.5x to 2x of actual data consumed.

-We have similar observations with other VPN services as well and have reported this to Apple.

-## Device not seen on the Defender for Endpoint console after onboarding.

- - Open MSDefender app on the iOS/iPadOS device.

- - Tap on Menu (profile icon) on the top-left corner.

- - Tap **Send Feedback**.

- - Choose from the given options. To report an issue, select **I don't like something**.

- - Provide details of the issue that you are facing and check **Send diagnostic data**. We recommend that you include your email address so that the team can contact you for a solution or a follow-up.

- - Tap **Submit** to successfully send the feedback.

- release => $channel,

- > :::image type="content" source="images/mac-system-extension-intune2.png" alt-text="The Kernel settings of the system's extension" lightbox="images/mac-system-extension-intune2.png":::

- - Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](/microsoft-365/security/defender-endpoint/minimum-requirements#licensing-requirements).

- - Intune license is needed before onboarding Android devices.

- - Additionally, device(s) can be [enrolled](/mem/intune/user-help/enroll-device-android-company-portal) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.

- - For more information on how to assign licenses, see [Assign licenses to users](/azure/active-directory/users-groups-roles/licensing-groups-assign).

- - Access [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) to

- - Deploy the app to enrolled user groups in your organization.

- - Configure Microsoft Defender for Endpoint risk signals in app protection policy.

-keywords: Azure Virtual Desktop, WVD, microsoft defender, endpoint, onboard

-Microsoft recommends onboarding Azure Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender for Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and redeploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.

-Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It's executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you're using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy.

-> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It's **not** recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 and 2 take this into account.

-There are several ways to onboard a WVD host machine:

-As part of your onboarding, you may want to consider setting a machine tag to can differentiate WVD machines more easily in the Microsoft Security Center. For more information, see

-> - Full isolation is available for devices on Windows 10, version 1703, Windows 11, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2022.

-> - Selective isolation is available for devices on Windows 10, version 1709 or later, and Windows 11.

- - m365-security-compliance

-Microsoft Defender for Endpoint troubleshooting mode allows you to troubleshoot various Microsoft Defender antivirus features by enabling them from the device and testing different scenarios, even if they're controlled by the organization policy. The troubleshooting mode is disabled by default and requires you to turn it on for a device (and/or group of devices) for a limited time. Note that this is exclusively an Enterprise-only feature, and requires Microsoft 365 Defender access.

-1. Request the SOC admin to turn on troubleshooting mode. You'll get a Windows Security notification once the troubleshooting mode starts.

- - Run `get-mppreference` to check RTP status.

- - Run `setΓÇômppreference` to turn off RTP Run.

- - Set-mppreference -ExclusionPath (for example, C:\DB\DataFiles)

- - Set-mppreference ΓÇôExclusionExtension (for example, .dbx)

- - Set-mppreference ΓÇôExclusionProcess (for example, C:\DB\Bin\Convertdb.exe)

-1. Request SOC admin to turn on troubleshooting mode on the device.

- - Set-mppreference -DisableRealtimeMonitoring $true

- - Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Disabled

- - Set-MpPreference -EnableNetworkProtection Disabled

-Watch this short video to learn how threat and vulnerability management discovers vulnerabilities and misconfigurations on your endpoints and provides actionable insights that help you quickly remediate threats and vulnerabilities in your environment.

-To use this capability, enable your Microsoft Intune connections. In the Microsoft 365 Defender portal, navigate to **Settings** \> **General** \> **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.

-For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog):

-## View email admin submissions to Microsoft

-2. On the **Submissions** page, verify that the **Emails** tab is selected.

-If the message is reported to Microsoft, the **Converted to admin submission** value turns from **no** to **yes**. You can directly access the admin submission by clicking **View the converted admin submission** from the overflow menu inside the submission flyout of the respective user reported message.

-> [!div class="mx-imgBorder"]

-> :::image type="content" source="../../media/view-converted-admin-submission.png" alt-text="Option to view created admin submission from user reported message" lightbox="../../media/view-converted-admin-submission.png":::

- - A verified DKIM domain.

-Our custom polices give admins the ability to decide what items their users can triage in the ***False positive*** folder with an extended ability of allowing the user to request the *release* of those items from the folder.

-## Assigning quarantine polices and enabling notification with organization branding

-Once it has been decided the categories of items users can triage or not-triage, and created the corresponding quarantine polices, admins should to assign these policies to the respective users and enable notifications.

-2. End users can also add the sender to the [block senders list](https://support.microsoft.com/en-us/office/block-a-mail-sender-b29fd867-cac9-40d8-aed1-659e06a706e4#:~:text=1%20On%20the%20Home%20tab%2C%20in%20the%20Delete,4%20Click%20OK%20in%20both%20open%20dialog%20boxes..) in Outlook to prevent emails from this sender's mail from arrive at Inboxes.

-2. Admins can submit any malicious, or suspect messages to Microsoft for analysis, and create a block to mitigate the situation while waiting for verdict.

-## Handling legitimate emails emails in quarantine folder of an admin

-3. Once the results for submissions are available, admins should read the verdict to understand why emails were blocked, and how the tenant setup could be improved to prevent similar situations from happening in the future.

-4. View the history of AIR, including decisions made, source of action, and admin who made the decision,if appropriate.

-[Learn about approving and rejecting pending actions from the Investigation page](../air-review-approve-pending-completed-actions.md)

-If you want to achieve these steps via PowerShell, you can do this using the following cmdlets:

-[Track new and changed features in the Microsoft 365 Message center](https://docs.microsoft.com/microsoft-365/admin/manage/message-center)

- - A verified DKIM domain.

- - **Sender** (domain in source server's PTR record, IP/24 address, or verified DKIM domain)

-> [!TIP]

-> Don't have Microsoft Defender for Office 365 yet? [Contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html).

- [  ](Media/creatingaccount01-search.png#lightbox)

- [  ](Media/creatingaccount02-testbase.png#lightbox)

- [  ](Media/creatingaccount03-basics.png#lightbox)

- 

- 

- [  ](Media/creatingaccount06-review.png#lightbox)

- 

- [  ](Media/creatingaccount08-complete.png#lightbox)