Updates from: 06/23/2021 03:16:09
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove Former Employee Step 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/remove-former-employee-step-1.md
If you need to immediately prevent a user's sign-in access, you should reset the
1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page. 2. Select the box next to the user's name, and then select **Reset password**. 3. Enter a new password, and then select **Reset**. (Don't send it to them.)
-4. Select the user's name to go to their properties pane, and on the **Account** tab, select **Initiate sign-out**.
+4. Select the user's name to go to their properties pane, and on the **Account** tab, select **Sign out of all sessions**.
Within an hour - or after they leave the current Microsoft 365 page they are on - they're prompted to sign in again. An access token is good for an hour, so the timeline depends on how much time is left on that token, and whether they navigate out of their current webpage.
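Review bot: the relabelled step 4 ("Sign out of all sessions") should say what it does and does not revoke, because the paragraph after it explains that an access token stays valid for up to an hour. As written, an admin following the "immediately prevent a user's sign-in access" guidance could read step 4 as instant; suggest adding to step 4 that the sign-out forces re-authentication for new requests but that already-issued tokens remain valid until they expire (up to an hour), as the following paragraph describes. The old label "Initiate sign-out" may also still appear in other admin articles; search for it in the same change.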
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
There are two different methods for automatically applying a sensitivity label t
- If you have Exchange mail flow rules or data loss prevention (DLP) policies that apply IRM encryption: When content is identified by these rules or policies and an auto-labeling policy, the label is applied. If that label applies encryption, the IRM settings from the Exchange mail flow rules or DLP policies are ignored. However, if that label doesn't apply encryption, the IRM settings from the mail flow rules or DLP policies are applied in addition to the label. - Email that has IRM encryption with no label will be replaced by a label with any encryption settings when there is a match by using auto-labeling. - Incoming email is labeled when there is a match with your auto-labeling conditions:
- - Rolling out: If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption isn't applied.
+ - If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption isn't applied.
- If the label is configured to apply [dynamic markings](sensitivity-labels-office-apps.md#dynamic-markings-with-variables), be aware that this can result in the names of people outside your organization. - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the person who sends the email. There currently isn't a way to set a Rights Manager owner for all incoming email messages that are automatically encrypted.
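Review bot: dropping the "Rolling out:" qualifier turns this bullet from a temporary rollout state into a standing limitation (encryption configured on the label is never applied to incoming email by auto-labeling); confirm that is the intent and, if so, say explicitly that this is by design rather than a phase. In the same list, the bullet "be aware that this can result in the names of people outside your organization" is missing the rest of its clause (what happens with those names), so the consequence of dynamic markings on incoming mail is unclear.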
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
As previously mentioned, data connectors provided by TeleMessage are available i
|O2 SMS and Voice Network Archiver | Yes | No | No | |TELUS SMS Network Archiver | Yes | No | No | |Verizon SMS/MMS Network Archiver | Yes | No | No |
-|WeChat Archiver | Yes | No | No |
|WhatsApp Archiver | Yes | No | No | |||||
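Review bot: the WeChat Archiver row is removed without any indication in the hunk that the connector was retired; if other pages still list it as an available TeleMessage connector they need updating in the same change. Separately, the trailing `|||||` after the WhatsApp row renders as an empty table row and should be deleted.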
compliance Data Loss Prevention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-loss-prevention-policies.md
If you choose to include specific distribution groups in Exchange, the DLP polic
If you choose to include or exclude specific SharePoint sites, a DLP policy can contain no more than 100 such inclusions and exclusions. Although this limit exists, you can exceed this limit by applying either an org-wide policy or a policy that applies to entire locations. If you choose to include or exclude specific OneDrive accounts or groups, a DLP policy can contain no more than 100 user accounts or 50 groups as inclusion or exclusion.-
-> [!NOTE]
-> OneDrive for business policy scoping using user accounts or groups is in public preview.
### Rules
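Review bot: removing the public-preview note makes the OneDrive scoping limits (100 user accounts or 50 groups) read as generally available, which is fine if that matches the release, but the surrounding paragraph has a contradiction worth fixing while here: "you can exceed this limit by applying either an org-wide policy or a policy that applies to entire locations" reads as if the 100-site limit can be exceeded, when the point is that an org-wide or whole-location policy does not enumerate sites at all. Suggest: "To cover more than 100 sites, use an org-wide policy or a policy scoped to the entire location instead of listing sites individually." The stray "-" at the end of the paragraph line is leftover from the removed blank line.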
compliance Endpoint Dlp Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
Data from Endpoint DLP can be viewed in [Activity explorer](data-classification-
- Compliance admin - Security admin - Compliance data admin-- Global reader-- Security reader-- Reports reader ### Prepare your endpoints
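Review bot: the role list has been run together, so it is not possible to tell from this hunk whether Global reader, Security reader and Reports reader are being added or removed (the "--" markers read as removed bullets); please verify against the source. If the reader roles are being removed, the section should still name the least-privileged role that can view Endpoint DLP data in Activity explorer, since the admin roles that remain are write-capable and viewing reports should not require them.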
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
description: "Turn on a setting that enables co-authoring and AutoSave in deskto
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).* > [!NOTE]
-> This feature is in preview and subject to change.
->
-> Enable this feature in a test tenant rather than a production tenant because:
-> - This feature makes changes to labeling metadata and not all apps on all platforms currently support this change
-> - You cannot disable this feature yourself after it is enabled
+> This feature is in preview and subject to change.
Enable the setting to support [co-authoring](https://support.office.com/article/ee1509b4-1f6e-401e-b04a-782d26f564a4) for Office desktop apps so that when documents are labeled and encrypted by [sensitivity labels](sensitivity-labels.md), multiple users can edit these documents at the same time.
Without this setting enabled for your tenant, users must check out an encrypted
In addition, enabling this functionality results in the [AutoSave](https://support.office.com/article/what-is-autosave-6d6bd723-ebfd-4e40-b5f6-ae6e8088f7a5) functionality being supported for these labeled and encrypted files.
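Review bot: the trimmed NOTE now says only "preview and subject to change", but the two warnings it dropped (labeling metadata changes that not all apps on all platforms support; no self-service way to disable) are the ones an admin needs before a one-way action. Both facts still appear lower on the page (the CAUTION and the "Contact Support" section), so suggest keeping a one-line pointer in the NOTE, e.g. "This setting can't be turned off after it's enabled; see the metadata changes, prerequisites and limitations below."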
-To read the release announcement, see the blog post [Announcing co-authoring on Microsoft Information Protection-encrypted documents and labeling updates](https://techcommunity.microsoft.com/t5/microsoft-security-and/announcing-co-authoring-on-microsoft-information-protection/ba-p/2164162).
+To read the initial release announcement, see the blog post [Announcing co-authoring on Microsoft Information Protection-encrypted documents and labeling updates](https://techcommunity.microsoft.com/t5/microsoft-security-and/announcing-co-authoring-on-microsoft-information-protection/ba-p/2164162).
## Metadata changes for sensitivity labels
Check the following section for a list of apps and services that support this se
Make sure you understand the following prerequisites before you turn on this feature. -- You must use a test tenant for this preview.- - You must be a global admin to turn on this feature. - Sensitivity labels must be [enabled for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md) for the tenant. If this feature isn't already enabled, it will be automatically enabled when you select the setting to turn on co-authoring for files with sensitivity labels. - Microsoft 365 Apps for enterprise:
- - **Windows**: Preview: [Current Channel (Preview)](https://office.com/insider)
- - **macOS**: Preview: [Current Channel (Preview)](https://office.com/insider)
+ - **Windows**: Minimum version 2105: June 18
+ - **macOS**: Minimum version 16.50
- **iOS**: Not yet supported - **Android**: Not yet supported
This preview version of co-authoring for files encrypted with sensitivity labels
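Review bot: "Minimum version 2105: June 18" mixes a version with a date in a way the macOS entry ("Minimum version 16.50") does not; state the Windows requirement as a version (with the build number, if one applies) or make clear that June 18 is the date on which version 2105 gained this capability. Also, the "You must use a test tenant for this preview" prerequisite is removed here while the next paragraph still calls this a "preview version"; make sure the remaining prerequisites are consistent with allowing production tenants.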
## How to enable co-authoring for files with sensitivity labels > [!CAUTION]
-> Turning on this setting is a one-way action. While the feature is in preview, test it only in a non-production environment and only after you have read and understood the metadata changes, prerequisites, limitations, and any known issues documented on this page.
+> Turning on this setting is a one-way action. While the feature is in preview, enable it only after you have read and understood the metadata changes, prerequisites, limitations, and any known issues documented on this page.
-During the preview, you must use a specific URL to access this setting in the Microsoft 365 compliance center.
+1. Sign in to the [Microsoft 365 compliance center](https://compliance.microsoft.com) as a global admin for your tenant.
-1. Sign in to the Microsoft 365 compliance center as a global admin for your test tenant, using the following link:
-
- ```http
- https://compliance.microsoft.com/co-authoring_for_files_with_sensitivity_labels
- ```
- This link takes you directly to the tenant setting, **Co-authoring for files with sensitivity labels**.
-
- > [!IMPORTANT]
- > Before you continue, check you're signed in to a test tenant that won't affect your users:
- >
- > Select the circle with your account initials in the top right of the compliance center, and confirm that the tenant name does display your intended test tenant.
+2. From the navigation pane, select **Settings** > **Co-authoring for files with sensitivity files**.
+
+2. On the **Co-authoring for files with sensitivity labels (preview)** page, read the summary description, prerequisites, what to expect, and the warning that you can't turn off this setting after you've turned it on.
-2. Read the summary description, prerequisites, what to expect, and the warning that you can't turn off this setting after you've turned it on. Then select **Turn on co-authoring for files with sensitivity labels**, and **Apply**:
+ Then select **Turn on co-authoring for files with sensitivity labels**, and **Apply**:
![Option to turn on co-authoring for files with sensitivity labels](../media/co-authoring-tenant-option-for-sensitivity-labels.png)
-3. Wait 24 hours for this setting to replicate across your environment before you test this new feature for co-authoring.
+3. Wait 24 hours for this setting to replicate across your environment before you use this new feature for co-authoring.
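Review bot: the new step 2 has a typo in the navigation path: "Co-authoring for files with sensitivity files" should be "Co-authoring for files with sensitivity labels", as the page title in the following step reads. The rewritten procedure also numbers two steps as "2."; renumber so the "Turn on" and "Apply" instruction is step 3 and the 24-hour wait is step 4. Finally, the removed IMPORTANT block asked the admin to confirm the tenant name before continuing; since the CAUTION still describes this as a one-way action, keeping a short "confirm you're signed in to the intended tenant" check before Apply is a cheap safeguard against enabling it in the wrong tenant.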
## Contact Support if you need to disable this feature > [!IMPORTANT] > If you do need to disable this feature, be aware that labeling information can be lost.
-After you've enabled co-authoring for files with sensitivity labels for your tenant, you can't disable this setting yourself. That's why it's so important that you check and understand the prerequisites, consequences, and limitations before you enable this setting. It's also why we recommend that you test this feature with a test tenant rather than a production tenant.
+After you've enabled co-authoring for files with sensitivity labels for your tenant, you can't disable this setting yourself. That's why it's so important that you check and understand the prerequisites, consequences, and limitations before you enable this setting.
![Option that shows co-authoring turned on for sensitivity labels](../media/co-authoring-tenant-option-set-for-sensitivity-labels.png)
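Review bot: with the test-tenant recommendation removed, the page now tells admins to enable an irreversible, tenant-wide setting (one that the IMPORTANT above says can lose labeling information if support later disables it) without any staged-rollout advice. Consider replacing the removed sentence with a recommendation to try the setting in a non-production tenant first where one is available, which preserves the intent without making a separate test tenant a requirement.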
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
The numbers listed are the minimum Office application version required for each
|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.43+ | 2.46+ | Rolling out: 16.0.13628+ | Yes <sup>\*</sup> | |[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.45+ | 2.47+ | 16.0.13628+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) | 2009+ | Rolling out: 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
-|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | Preview: [Current Channel (Preview)](https://office.com/insider) | Preview: [Current Channel (Preview)](https://office.com/insider) | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
+|[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | 2105: June 18+ | 16.50+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
| **Footnote:**
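Review bot: "2105: June 18+" is an odd cell value for a minimum-version column; the other cells use the form "version+" (e.g. "16.50+"), so either use "2105+" with the build number or move the date to the footnote. The value must also match what sensitivity-labels-coauthoring.md states, which uses the same "June 18" wording in this change, so fix both together.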
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) #### [Enable attack surface reduction rules](enable-attack-surface-reduction.md) #### [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
-#### [Attack surface reduction FAQ](attack-surface-reduction-faq.md)
+#### [Attack surface reduction FAQ](attack-surface-reduction-faq.yml)
#### [View attack surface reduction events](event-views.md) #### [Use audit mode for attack surface reduction](audit-windows-defender.md)
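Review bot: the FAQ link now points to a .yml file, which matches the removal of attack-surface-reduction-faq.md later in this change and the updated link in migrating-asr-rules.md; verify that no other page still links to the .md path (the TOC and the migration article are the only two updated here), since a stale link breaks once the .md file is gone.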
security Android Terms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-terms.md
DO NOT USE THE APPLICATION.**
1. **Installation and Use.** You may install and use any number of copies of this application on Android enabled device or devices that you own
- or control. You may use this application with your company's valid
- subscription of Microsoft Defender for Endpoint or
- an online service that includes Microsoft Defender for Endpoint functionalities.
+ or control.
2. **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full functionality. Some functionality may not be available in all countries.
security Attack Surface Reduction Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq.md
- Title: Attack surface reduction frequently asked questions (FAQ)
-description: Find answers to frequently asked questions about Microsoft Defender for Endpoint's attack surface reduction rules.
-keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, microsoft defender for endpoint
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.sitesec: library
-localization_priority: Normal
--------
-# Attack surface reduction frequently asked questions (FAQ)
--
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)--
-## Is attack surface reduction (ASR) part of Windows?
-
-ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10, version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions.
-
-## Do I need to have an enterprise license to run ASR rules?
-
-The full set of ASR rules and features is only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license. If you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell. Using ASR without an enterprise license isn't officially supported and you won't be able to use the full capabilities of ASR.
-
-To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
-
-## Is ASR supported if I have an E3 license?
-
-Yes. ASR is supported for Windows Enterprise E3 and above.
-
-## Which features are supported with an E5 license?
-
-All of the rules supported with E3 are also supported with E5.
-
-E5 adds greater integration with Defender for Endpoint. With E5, you can view alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
-
-## What are the currently supported ASR rules?
-ASR currently supports all of the rules below.
-
-## What rules to enable? All, or can I turn on individual rules?
-To help you figure out whatΓÇÖs best for your environment, we recommended that you enable ASR rules in [audit mode](audit-windows-defender.md). With this approach, youΓÇÖll determine the possible affect to your organization. For example, your line-of-business applications.
-
-## How do ASR rules exclusions work?
-For ASR rules, if you add one exclusion, it will affect every ASR rule.
-The following two specific rules don't support exclusions:
-
-|Rule name|GUID|File & folder exclusions|
-|:--|:--|:--|
-|Block JavaScript or VBScript from launching downloaded executable content|D3E037E1-3EB8-44C8-A917-57927947596D|Not supported|
-|Block persistence through WMI event subscription|e6db77e5-3df2-4cf1-b95a-636979351e5b|Not supported|
-
-ASR rules exclusions support wildcards, paths, and environmental variables. For more information on how to use wildcards in ASR rules, see [configure and validate exclusions based on file extension and folder location](/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus).
-
-Be aware of the following items about ASR rules exclusions (including wildcards and env. variables):
--- ASR rules exclusions are independent from Defender AV exclusions-- Wildcards cannot be used to define a drive letter-- If you want to exclude more than one folder, in a path, use multiple instances of \*\ to indicate multiple nested folders (for example, c:\Folder\*\*\Test)-- Microsoft Endpoint Configuration Manager *does not* support wildcards (* or ?)-- If you want to exclude a file, that contains random characters (automated file generation), you can use the '?' symbol (for example, C:\Folder\fileversion?.docx)-- ASR exclusions in Group Policy don't support quotes (the engine will natively handle long path, spaces, etc., so there's no need to use quotes)-- ASR rules run under NT AUTHORITY\SYSTEM account, so environmental variables are limited to machine variables.-
-## How do I know what I need to exclude?
-Different ASR rules will have different protection flows. Always think about what the ASR rule you are configuring protects against, and how the actual execution flow pans out.
-
-Example:
-**Block credential stealing from the Windows local security authority subsystem**
-Reading directly from Local Security Authority Subsystem (LSASS) process can be a security risk, since it might expose corporate credentials.
-
-This rule prevents untrusted processes from having direct access to LSASS memory. Whenever a process tries to use the OpenProcess() function to access LSASS, with an access right of PROCESS_VM_READ, the rule will specifically block that access right.
--
-Looking at the above example, if you really had to create an exception for the process that the access right was blocked, adding the filename along with full path would exclude it from being blocked and after allowed to access LSASS process memory. The value of 0 means that ASR rules will ignore this file/process and not block/audit it.
--
-## What are the rules Microsoft recommends enabling?
-
-We recommend enabling every possible rule. However, there are some cases where you shouldnΓÇÖt enable a rule. For example, we don't recommend enabling the Block process creations originating from PSExec and WMI commands rule, if youΓÇÖre using Microsoft Endpoint Configuration Manager (or, System Center Configuration Manager - SCCM) to manage your endpoints.
-
-We highly recommend you that you read each rule-specific information and/or warnings, which are available in our
-[public documentation](/microsoft-365/security/defender-endpoint/attack-surface-reduction.md).
- spanning across multiple pillars of protection, like Office, Credentials, Scripts, E-Mail, etc. All ASR rules, except for Block persistence through WMI event subscription, are supported on Windows 1709 and later:
-
-* [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail)
-* [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes)
-* [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content)
-* [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes)
-* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
-* [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
-* [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
-* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)
-* [Block credential stealing from the Windows local security authority subsystem](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) (lsass.exe)
-* [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)
-* [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb)
-* [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
-* [Block Office communication applications from creating child processes](attack-surface-reduction.md#block-office-communication-application-from-creating-child-processes)
-* [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes)
-* [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription)
-
-## What are some good recommendations for getting started with ASR?
-
-Test how ASR rules will impact your organization before enabling them by running ASR rules in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
-
-Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
-
-## How long should I test an ASR rule in audit mode before enabling it?
-
-Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
-
-## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR?
-
-In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](/windows/security/threat-protection) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs.
-
-The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities.
-
-From within Defender for Endpoint, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
-
-## Does ASR support file or folder exclusions that include system variables and wildcards in the path?
-
-Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
-
-## Do ASR rules cover all applications by default?
-
-It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope.
-
-## Does ASR support third-party security solutions?
-
-ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
-
-## I have an E5 license and enabled some ASR rules in conjunction with Defender for Endpoint. Is it possible for an ASR event to not show up at all in Defender for Endpoint's event timeline?
-
-Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Defender for Endpoint portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Defender for Endpoint.
-
-## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.
-
-Try opening the indexing options directly from Windows 10.
-
-1. Select the **Search** icon on the Windows taskbar.
-
-1. Enter **Indexing options** into the search box.
-
-## Are the criteria used by the rule, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," configurable by an admin?
-
-No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up to date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
-
-## I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?
-
-This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
-
-Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be reassessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with new versions of applications, you may opt instead to run this rule in audit mode.
-
-## I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?
-
-A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often targets lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
-
-Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive number of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
-
-## Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?
-
-Enabling this rule will not provide additional protection if you have [LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
-
-## See also
-
-* [Attack surface reduction overview](attack-surface-reduction.md)
-* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-* [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
-* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Compatibility of Microsoft Defender with other antivirus/antimalware](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility)
--
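Review bot: the whole markdown FAQ is deleted, presumably in favour of the .yml version the TOC change references, so the migrated content should be checked for the defects visible here before they are carried over: the mojibake "ΓÇÖ" for apostrophes in the "What rules to enable?" and "rules Microsoft recommends" answers; "possible affect" should be "possible effect"; the orphaned fragment "spanning across multiple pillars of protection..." after the public documentation link is the tail of a sentence whose start is missing; and "The value of 0 means that ASR rules will ignore this file/process" never says which setting the 0 is the value of (the exclusion entry), so it reads as an unexplained magic number. Two statements also deserve a check rather than a copy: "if you add one exclusion, it will affect every ASR rule" is the key operational caveat and should stay prominent, and the claim that the LSASS rule and LSA protection "work in much the same way" so running both is redundant should be verified, since the FAQ itself describes the rule as blocking PROCESS_VM_READ at OpenProcess, which is not the same mechanism as LSA protection; stating how they differ and why one may still want both is more useful than calling them equivalent.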
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
+This rule blocks executable files, such as .exe, .dll, or .scr, from launching unless any of the following conditions are met:
-- Executable files (such as .exe, .dll, or .scr)
+- Prevalence: The executable files are found on more than 1,000 endpoints
+- Age: The executable files were released more than 24 hours ago
+- Location: The executable files are included in a trusted list or an exclusion list
Launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.
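Review bot: "Age: The executable files were released more than 24 hours ago" leaves "released" undefined; say which clock the 24 hours is measured against (for example, when the file was first seen) so an administrator can predict whether a freshly built internal tool will be blocked. The old wording deliberately left prevalence and age unquantified, so the new "more than 1,000 endpoints" and "24 hours" figures should be checked against actual product behavior before publishing. The "Location" bullet should also make clear that a trusted list and an exclusion list are different mechanisms rather than listing them as one condition.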
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
ms.technology: m365d
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) Protecting your environment requires taking inventory of the devices that are in your network. However, mapping devices in a network can often be expensive, challenging, and time-consuming.
security Migrating Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-asr-rules.md
This article helps you to map common rules to Microsoft Defender for Endpoint.
See also -- [Attack surface reduction FAQ](attack-surface-reduction-faq.md)
+- [Attack surface reduction FAQ](attack-surface-reduction-faq.yml)
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
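Review bot: The link target changes from attack-surface-reduction-faq.md to attack-surface-reduction-faq.yml; since the .md content is being deleted in the Attack Surface Reduction FAQ change above, every other page that still links to the .md needs the same update or the build will report a broken relative link. The "See also" heading and the first bullet also appear on one line here (`See also -- [Attack surface reduction FAQ]...`); if that is how the source file reads, add the blank line after the heading so the list renders.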
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
ms.technology: mde
- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> [!IMPORTANT]
-> **Scanning and managing network devices is currently in public preview**<br>
-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-> For more information, see [Microsoft Defender for Endpoint preview features](preview.md).
- >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) > [!NOTE]
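Review bot: Removing the public preview [!IMPORTANT] block drops the only statement on this page that network device scanning carries no SLA and is not recommended for production. If the feature is now generally available, check the rest of the page and the preview.md feature list for remaining "preview" wording, and verify that the "Want to experience Microsoft Defender for Endpoint?" line and the `> [!NOTE]` that follow still render as their own quoted blocks now that the preceding callout is gone.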
security Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preview.md
Turn on the preview experience setting to be among the first to try upcoming fea
The following features are included in the preview release: -- [Device discovery](device-discovery.md) <br> Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. You can then onboard discovered devices to reduce risks associated with having unmanaged endpoints in your network.-
- > [!IMPORTANT]
- > Standard discovery will be the default mode for all customers starting July 19, 2021. You can choose to retain the basic mode through the settings page.
-- - [Web Content Filtering](web-content-filtering.md) <br> Web content filtering is part of web protection capabilities in Microsoft Defender for Endpoint. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns. - [Device health and compliance report](machine-reports.md) <br/> The device health and compliance report provides high-level information about the devices in your organization.
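Review bot: Moving Device discovery out of the preview list matches the June 2021 What's new entry added further down this page, but the removed [!IMPORTANT] callout (Standard discovery becomes the default on July 19, 2021; basic mode can be retained from the settings page) is a dated behavior change customers still need to see, so confirm it lands in What's new and on device-discovery.md. After the deletion the list now opens with Web Content Filtering; check that a blank line still separates "The following features are included in the preview release:" from that first remaining bullet.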
security Whats New In Microsoft Defender Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-atp.md
For more information on preview features, see [Preview features](preview.md).
> ``` ## June 2021+
+- [Device discovery](device-discovery.md) <br> Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. You can then onboard discovered devices to reduce risks associated with having unmanaged endpoints in your network.
+
+ > [!IMPORTANT]
+ > Standard discovery will be the default mode for all customers starting July 19, 2021. You can choose to retain the basic mode through the settings page.
++ - [Device group definitions](/microsoft-365/security/defender-endpoint/machine-groups) can now include multiple values for each condition. You can set multiple tags, device names, and domains to the definition of a single device group. ## March 2021
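Review bot: The [!IMPORTANT] callout nested under the Device discovery bullet is indented by a single space (` > [!IMPORTANT]`), which is not enough for it to be treated as part of the list item; indent it to align with the bullet text so the callout renders inside the entry instead of breaking the list. The entry text is a verbatim copy of the paragraph removed from preview.md, which is fine for What's new, but "will be the default mode for all customers starting July 19, 2021" is written as a future event under a June 2021 heading and will read stale once that date passes; consider phrasing it as a dated fact.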
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
For other ways to submit email messages, URLs, and attachments to Microsoft, see
5. When you're finished, click the **Submit** button.
- ![New URL submission example](../../media/submission-flyout-email.PNG)
+> [!div class="mx-imgBorder"]
+> ![New URL submission example](../../media/submission-flyout-email.png)
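Review bot: The image reference changes only in case, from submission-flyout-email.PNG to submission-flyout-email.png; confirm the file under ../../media is actually renamed in the same commit, because a case-only change in the reference will break on a case-sensitive build. The same applies to submission-file-flyout.PNG in the attachment section below. Wrapping the image in `> [!div class="mx-imgBorder"]` is the standard border treatment and needs no further change.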
### Send a suspect URL to Microsoft
For other ways to submit email messages, URLs, and attachments to Microsoft, see
4. When you're finished, click the **Submit** button.
- ![New Email submission example](../../media/submission-url-flyout.png)
+> [!div class="mx-imgBorder"]
+> ![New Email submission example](../../media/submission-url-flyout.png)
### Submit a suspected email attachment to Microsoft
For other ways to submit email messages, URLs, and attachments to Microsoft, see
4. When you're finished, click the **Submit** button.
- ![New Attachment submission example](../../media/submission-file-flyout.PNG)
+> [!div class="mx-imgBorder"]
+> ![New Attachment submission example](../../media/submission-file-flyout.png)
## View admin submissions to Microsoft
For other ways to submit email messages, URLs, and attachments to Microsoft, see
When you're finished, click **Apply**.
- ![New Filter options for admin submissions](../../media/admin-submission-email-filter-options.png)
+ > [!div class="mx-imgBorder"]
+ > ![New Filter options for admin submissions](../../media/admin-submission-filters.png)
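Review bot: The screenshot swaps from admin-submission-email-filter-options.png to admin-submission-filters.png (and user-submissions-filter-options.png to admin-submission-reported-messages.png in the user submissions section below); confirm the new files exist in ../../media and that the old files are deleted if nothing else references them, so the media folder does not accumulate orphaned screenshots. The one-space indent on the callout lines keeps them inside the list item, which is correct here.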
- To group the entries, click **Group** and select one of the following values from the drop down list: - **None**
For other ways to submit email messages, URLs, and attachments to Microsoft, see
### Admin submission rescan details
-Messages that are submitted in admin submissions are rescanned and results shown in the submissions detail flyout:
+Messages that are submitted in admin submissions are reviewed and results shown in the submissions detail flyout:
- If there was a failure in the sender's email authentication at the time of delivery. - Information about any policy hits that could have affected or overridden the verdict of a message.
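Review bot: Changing "rescanned" to "reviewed" leaves the section heading "Admin submission rescan details" and the bullets that follow (authentication failures at delivery time, policy hits that overrode the verdict) still describing a rescan; either keep "rescanned" or rename the heading to match. "Reviewed" also suggests a manual step that nothing else in this section describes, so if the process really is automated rescanning the original word is the more accurate one.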
If you've deployed the [Report Message add-in](enable-the-report-message-add-in.
When you're finished, click **Apply**.
- ![New Filter options for user submissions](../../media/user-submissions-filter-options.png)
+ > [!div class="mx-imgBorder"]
+ > ![New Filter options for user submissions](../../media/admin-submission-reported-messages.png)
- To group the entries, click **Group** and select one of the following values from the drop down list: - **None**
On the **User reported messages** tab, select a message in the list, click **Sub
- **Report spam** - **Trigger investigation**
-![New Options on the Action button](../../media/user-submission-custom-mailbox-action-button.png)
+> [!div class="mx-imgBorder"]
+> ![New Options on the Action button](../../media/admin-submission-main-action-button.png)
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
- **Move message to the recipients' Junk Email folders** - **Quarantine the message**
- - **Safety tips & indicators**: This setting is available only if you selected **Enable spoof intelligence** on the previous page:
- - **Show (?) for unauthenticated senders for spoof**: Adds a question mark to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication).
- - **Show "via" tag**: Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address.
+ - **Safety tips & indicators**:
+ - **Show first contact safety tip**: For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).
+ - **Show (?) for unauthenticated senders for spoof**<sup>\*</sup>: Adds a question mark to the sender's photo in the From box in Outlook if the message does not pass SPF or DKIM checks **and** the message does not pass DMARC or [composite authentication](email-validation-and-authentication.md#composite-authentication).
+ - **Show "via" tag**<sup>\*</sup>: Adds a via tag (chris@contoso.com via fabrikam.com) to the From address if it's different from the domain in the DKIM signature or the **MAIL FROM** address.
To turn on a setting, select the check box. To turn it off, clear the check box.
+ <sup>\*</sup> This setting is available only if you selected **Enable spoof intelligence** on the previous page. For more information, see [Unauthenticated sender](set-up-anti-phishing-policies.md#unauthenticated-sender).
+ When you're finished, click **Next**. 7. On the **Review** page that appears, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
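Review bot: The `<sup>\*</sup>` footnote that explains the spoof intelligence dependency is placed after the "To turn on a setting, select the check box" sentence rather than directly under the list it annotates; move it up so the marker and its explanation stay adjacent. "Show first contact safety tip" is added to the EOP wizard without the asterisk, so readers will take it as available regardless of spoof intelligence; confirm that is intended, and confirm the #first-contact-safety-tip and #unauthenticated-sender anchors exist in set-up-anti-phishing-policies.md since both are new links in this hunk.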
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
Creating a custom anti-phishing policy in the Microsoft 365 Defender portal crea
- **Quarantine the message** - **Safety tips & indicators**: Configure the following settings:
- - **Show first contact safety tip**: This safety tip replaces the need to create mail flow rules (also known as transport rules) that add the header named **X-MS-Exchange-EnableFirstContactSafetyTip** with the value **Enable** to messages.
+ - **Show first contact safety tip**: For more information, see [First contact safety tip](set-up-anti-phishing-policies.md#first-contact-safety-tip).
- **Show user impersonation safety tip**: This setting is available only if you selected **Enable users to protect** on the previous page. - **Show domain impersonation safety tip**: This setting is available only if you selected **Enable domains to protect** on the previous page. - **Show user impersonation unusual characters safety tip** This setting is available only if you selected **Enable users to protect** or **Enable domains to protect** on the previous page.
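Review bot: Replacing the description with a link removes the only mention on this page of the X-MS-Exchange-EnableFirstContactSafetyTip header and of the fact that the setting replaces the mail flow rules that add it; administrators with those rules in place need that detail to know the rules are superseded. Verify the linked #first-contact-safety-tip section in set-up-anti-phishing-policies.md keeps the header name and the replacement statement, or leave a one-line summary here alongside the link.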
security Mdo For Spo Odb And Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-for-spo-odb-and-teams.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in [Microsoft Defender for Office 365](whats-new-in-defender-for-office-365.md) provides an additional layer of protection for files that have already been scanned at upload time by the [common virus detection engine in Microsoft 365](virus-detection-in-spo.md). Safe Attachments for SharePoint, OneDrive, and Microsoft Teams helps detect and block existing files that are identified as malicious in team sites and document libraries.
+Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in [Microsoft Defender for Office 365](whats-new-in-defender-for-office-365.md) provides an additional layer of protection for files that have already been scanned asynchronously by the [common virus detection engine in Microsoft 365](virus-detection-in-spo.md). Safe Attachments for SharePoint, OneDrive, and Microsoft Teams helps detect and block existing files that are identified as malicious in team sites and document libraries.
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams is not enabled by default. To turn it on, see [Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](turn-on-mdo-for-spo-odb-and-teams.md).
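Review bot: Replacing "scanned at upload time" with "scanned asynchronously" swaps a statement about when the common virus engine scans for one about how, and the sentence no longer tells the reader whether the file has already been scanned by the time Safe Attachments looks at it, which is the point of calling Safe Attachments an additional layer. If the intent is that the common engine scans after upload rather than inline, say that explicitly, for example "scanned asynchronously after upload".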
security Set Up Safe Links Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-links-policies.md
Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates
6. On the **Notification** page that appears, select one of the following values for **How would you like to notify your users?**: - **Use the default notification text**
- - **Use custom notification text**: If you select this value, the following settings appear:
+ - **Use custom notification text**: If you select this value (the lenght cannot exceed 200 characters), the following settings appear:
- **Use Microsoft Translator for automatic localization** - **Custom notification text**: Enter the custom notification text in this box.
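Review bot: Typo in the added text: "lenght" should be "length". The limit is also attached to the option name rather than to the field it constrains; the 200-character maximum belongs on the "Custom notification text: Enter the custom notification text in this box" bullet, e.g. "Enter the custom notification text in this box (maximum 200 characters)", so the constraint sits next to where the user types.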
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
The message formatting requirements are described in the next section. The forma
To correctly identify the original attached messages, messages that are sent to the custom mailbox require specific formatting. If the messages don't use this format, the original attached messages are always identified as phishing submissions.
-For correct identification of the original attached messages, messages that are sent to the custom mailbox need to use the following syntax for the Subject (Envelope Title):
+If you want to specify the reported reason for the original attached messages, messages that are sent to the custom mailbox (don't modify the attachment) need to start with one of the following prefixes in the Subject (Envelope Title):
-`SafetyAPIAction|NetworkMessageId|SenderIp|FromAddress|(Message Subject)`
+- 1| or Junk:
+- 2| or Not junk
+- 3| or Phishing
-where SafetyAPIAction is one of the following integer values:
+For example:
-- 1: Junk-- 2: Not junk-- 3: Phishing
+`3|This part is ignored by the system` <br>
+`Not Junk:This part of the subject is ignored as well`
-This example uses the following values:
+- Both of these messages are being reported as Not Junk based on Subject.
+- The rest is ignored.
-- The message is being reported as phishing.-- The Network Message ID is 49871234-6dc6-43e8-abcd-08d797f20abe.-- The Sender IP is 167.220.232.101.-- The From address is test@contoso.com.-- The message's subject line is "test phishing submission"-
-`3|49871234-6dc6-43e8-abcd-08d797f20abe|167.220.232.101|test@contoso.com|(test phishing submission)`
Messages that don't follow this format will not display properly in the Submissions portal.
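Review bot: The worked example contradicts the prefix list: `3|This part is ignored by the system` maps to Phishing per the "3| or Phishing" bullet, yet the explanation says both messages are reported as Not Junk; change the first example to `2|...` or fix the explanation. The prefix list is inconsistent about the separator as well ("1| or Junk:" has a colon, "2| or Not junk" and "3| or Phishing" do not) and the example then uses `Not Junk:` with a capital J and a colon, so state the exact accepted strings once (case, colon, surrounding whitespace), especially since the surrounding text says non-matching subjects are always classified as phishing while the final sentence says they "will not display properly". Finally, the deleted format carried NetworkMessageId, SenderIp and FromAddress; the new text should say whether those values are now taken from the attached message or are simply no longer accepted.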