+# Welcome to Defender-Threat-Intelligence!

+Beginning on June 23, 2022, an API will gradually become available to all environments for global admins to change this setting without needing to visit the Microsoft 365 admin center.

+The API details are below:

+The URL is https://graph.microsoft.com/beta/reportSettings

+Two methods have been approved for this API:

+The report will only contain a Privacy Setting property. For more information on Graph API, see [Use the Microsoft Graph API](/graph/use-the-api). Global admins can use the Software Development Kit (SDK) or directly call the API using any program language with network ability. We recommend using [Graph Explorer](/graph/graph-explorer/graph-explorer-overview).

+1. In the admin center, select **Reports**, and then select **Usage**.

+### GroupID hidden by default

+When you export the report data, you will by default not be able to view the **GroupID** variable in the Excel .csv file that you download. If you want to view GroupID information and all other identifiable information in Microsoft 365 usage reports, you can use choose to [show user details in reports](../../admin/activity-reports/activity-reports.md#show-user-details-in-the-reports) through the organizational settings in the Microsoft 365 admin center. You must be a global administrator to make these changes.

+The following are definitions of the metrics available in the report table.

+ Title: "Add-in deployment email alerts"

+f1.keywords: CSH

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolio

+search.appverid: MET150

+description: "Send emails to alert users about Office Add-ins you've deployed to them from the Integrated Apps page."

+# Add-in deployment email alerts

+When you deploy Office Add-ins from the Integrated Apps page, you can now notify the assigned users about the newly deployed add-in by email. To send out the email notification, you need to consent to sending the email notification at the time of add-in deployment or user assignment updates.

+As of now, email notifications can be sent for deployment of Excel, Outlook, PowerPoint, and Word add-ins. Moreover, these emails are only for add-in assignments to specific users and groups.

+The following sections provide more information about what the email alert would look like for the users the add-in is deployed to.

+## Email sample for Excel, PowerPoint, and Word add-ins

+The following are some key capabilities available to users as part of the email alert sent for Excel, PowerPoint, and Word add-in deployment.

+- Email provides details about the add-in such as brief description, deployment date, and supported Office Apps and respective versions.

+- Email provides buttons to launch the add-in in the respective Office Apps on the web, on Windows, and on Mac platforms to help make the add-in easier to discover. **Note**: The launch buttons are currently not supported for iPad clients.

+## Email sample for Outlook add-ins

+The following are some key capabilities available to users as part of the email alert sent for Outlook add-in deployment.

+- Email provides details about the add-in such as brief description, deployment date, supported Outlook versions.

+- Email provides instructions about where to discover the deployed add-in across supported platforms: Windows, Mac, and web browser.

+# Idle session timeout for Microsoft 365 (Public Preview)

+ - If they get single sign-on (SSO) into the web app from the device joined account or selected **Stay signed in** at the time of sign-in. For more info on hiding this option for your organization, see [Add branding to your organization's sign-in page](/azure/active-directory/fundamentals/customize-branding).

+ Title: "Bookings with me"

+description: "Use Bookings with me to let others schedule meetings with you in Outlook."

+# Bookings with me

+**Bookings with me** in Outlook is a web-based personal scheduling page that integrates with the free/busy information from your Outlook calendar. Bookings with me lets people schedule a meeting or appointment with you. You can create custom meeting types to share with others so they can easily schedule time with you based on your availability and preferences. You both get an email confirmation and attendees can update or cancel scheduled meetings with you from your Bookings with me page.

+> Bookings with me is available worldwide in preview. Features included in preview might not be complete and could undergo changes before becoming available in the public release.

+Bookings with me has two different views:

+- **Organizer view** A personal booking page where you can create meeting types that others can book with you. Custom meeting types give you the ability to customize when you want to meet and how that meeting type is shared with others. You control whether each meeting type is public to your scheduling page or is private and can only be accessed by a select group of people. You can also choose to add a Teams meeting to all meetings booked through your Bookings with me page. You can access your Bookings with me page through Outlook on the web. After you set up your page and publish it, you can share it with others. For example, you can add it to your Outlook signature.

+- **Attendee view** When you share your Bookings with me page with others, they will see the attendee view. If the organizer has shared their Bookings with me page link with you, you'll be able to see all of their public meeting types. If the organizer has shared a meeting link, you'll only be able to view that meeting.

+ - Public meetings can be viewed and scheduled by anyone that has your Bookings with me page link. You are in control of who you share that link with. All public meeting types will be visible to anyone that has your Bookings with me page link.

+## When to use Bookings with me

+Bookings with me is an ideal solution for enterprise, small business, and users in education to schedule 1:1 meetings with those outside and inside their organizations. Below are a few examples of how you can use Bookings with me.

+- Schedule interviews with external candidates

+- Set up customer and client meetings

+- Schedule tech support

+- Set up office hours

+- Set up mentoring hours

+- 1:1 meetings with direct reports

+- Lunch and coffee breaks

+Bookings with me can be turned on or off for your entire organization or for specific users. When you turn on Bookings for users, they can create a Bookings page, share their page with others, and allow other people to book time with them. This article is for owners and administrators who manage Bookings with me for their organizations.

+Bookings with me is available in the following subscriptions:

+Bookings with me is on by default for users with these subscriptions.

+Bookings with me needs the **Microsoft Bookings App (service plan)** assigned to users for them to be able to access Bookings. This service plan can be enabled/disabled by tenant admins. So, if **Microsoft Bookings** is not assigned to them, Bookings access will be denied to users even if they are in one of the previously listed SKUs.

+For more information, see the [Bookings with me Microsoft 365 Roadmap item](https://go.microsoft.com/fwlink/?linkid=328648).

+### Prerequisites for using Bookings with me

+1. Bookings with me and Bookings share the same licensing model. However, Bookings doesn't have to be turned on for the organization using tenant settings for users to access Bookings with me. The Bookings app must be enabled for users to have access to Bookings with me.

+ To turn on Bookings with me without access to Bookings, block access to Microsoft Bookings using the [OWA Mailbox policy PowerShell command](/powershell/module/exchange/set-owamailboxpolicy?view=exchange-ps) or follow the instructions here: [Turn Microsoft Bookings on or off](turn-bookings-on-or-off.md).

+2. Calendar FreeBusy Anonymous sharing must be enabled to use Bookings with me. This allows the Bookings page to have access to the free/busy information in your Outlook calendar. Use PowerShell to check the status.

+ ```PowerShell

+ Get-SharingPolicy -Identity "Default Sharing Policy" | fl Domains

+ ```

+ "Anonymous:CalendarSharingFreeBusyReviewer"" should be one of the domains in the response.

+ To enable anonymous sharing, use the following command.

+ ```PowerShell

+ Set-SharingPolicy "Default Sharing Policy" -Domains @{Add="Anonymous:CalendarSharingFreeBusyReviewer

+ ```

+## Turn Bookings with me on or off

+Bookings with me can be turned on or off for your entire organization or specific users. When Bookings with me is turned on, users can create a Bookings with me page and share links with others inside or outside your organization.

+### Turn Bookings with me on or off for your organization using PowerShell

+You'll need to run the following commands using Exchange Online PowerShell. For more information on running Exchange Online cmdlets, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To turn Bookings with me on or off for your organization using the PowerShell cmdlet [Set-OrganizationConfig](/powershell/module/exchange/set-organizationconfig), [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and run the following commands.

+Use the **Get-OrganizationConfig** and **Set-OrganizationConfig** commands to find out the status and turn Bookings with me on or off for your organization.

+ - To turn off Bookings with me for your organization, remove **MicrosoftOWSPersonalBookings**, if present, from **EwsAllowList** by running the following command:

+ - To turn on Bookings with me for your organization, add **MicrosoftOWSPersonalBookings** to **EwsAllowList** by running the following command:

+ - To turn off Bookings with me for your organization, add **MicrosoftOWSPersonalBookings** by running the following command:

+ - To turn on Bookings with me if blocked, remove **MicrosoftOWSPersonalBookings** by running the following command:

+ - To turn off Bookings with me for your organization set the **EnforceBlockList** policy and add **MicrosoftOWSPersonalBookings** to the block list by running the following command:

+### Turn Bookings with me off or on for individual users

+Use the **Get-CASMailbox** and **Set-CASMailbox** commands to check user status and turn Bookings with me on or off for individual users in your organization.

+ - To turn off Bookings with me for this user, remove **MicrosoftOWSPersonalBookings**, if present from **EwsAllowList** by running the following command:

+ - Turn on Bookings with me for this user, add **MicrosoftOWSPersonalBookings** to **EwsAllowList** by running the following command:

+ - To turn off Bookings with me for this user, add **MicrosoftOWSPersonalBookings** to **EnforceBlockList** by running the following command:

+ - To turn on Bookings with me for this user, remove **MicrosoftOWSPersonalBookings**, if present from EnforceBlockList by running the following command:

+ - To turn off Bookings with me for this user, set the **EnforceBlockList** policy and add **MicrosoftOWSPersonalBookings** to EWSBlockList by running the following command:

+## Frequently asked questions

+### What is the difference between Bookings and Bookings with me?

+Bookings with me integrates with your Outlook calendar and can only be used for 1:1 meetings. Bookings with me is intended for scheduling meeting times with individual users. Bookings is intended for managing scheduling for a group of people.

+Also, Bookings with me won't create a new mailbox for each Bookings with me page.

+### Why is Bookings with me in preview?

+Bookings with me is in preview for all enterprise users worldwide. We're collecting feedback and making improvement while it is being integrated into scheduling experiences in Bookings and Outlook.

+### Who can access my public Bookings page?

+Public meeting types can be accessed by anyone that has your Bookings with me page address. You decide who you share your Bookings with me page address with.

+### What is the difference between public and private meeting types?

+Meeting types can be public or private. Public meeting types are available to anyone that you share your Bookings page link with. Private meeting types are only available to people that you share the individual private meeting type with.

+Private meeting types can also generate single use links. Single use links expire after their first booking.

+### Do people need to have a Microsoft account or Bookings license to schedule time with me?

+No. Anyone can schedule time with you using your Bookings with me page, even if they donΓÇÖt have a Microsoft account. You need a Bookings license to create a Bookings with me page.

+## Privacy

+### Where is Bookings with me data stored?

+Bookings with me is a feature of Outlook powered by Bookings. All data is stored within the Microsoft 365 platform and in Exchange. Bookings with me follows data storage policies set by Microsoft, which are the same policies that all Office apps follow. All customer data (including information provided by attendees when booking) is captured in Bookings and is stored within Exchange. For more information, check out [Privacy: It's all about you](https://www.microsoft.com/en-us/trust-center/privacy).

+## Recommended actions

+ - Choose the communication channels to scan, including Exchange, Microsoft Teams, or Yammer. You'll also choose to scan third-party sources if you've configured a connector in Microsoft 365.

+| **Inappropriate text** | Detect inappropriate text | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Inbound, Outbound, Internal <br> - Review Percentage: 100% <br> - Conditions: Threat, Discrimination, and Targeted harassment classifiers |

+| **Inappropriate images** | Detect inappropriate images | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Inbound, Outbound, Internal <br> - Review Percentage: 100% <br> - Conditions: Adult and Racy image classifiers |

+| **Sensitive information** | Monitor for sensitive info | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Inbound, Outbound, Internal <br> - Review Percentage: 10% <br> - Conditions: Sensitive information, out-of-the-box content patterns, and types, custom dictionary option, attachments larger than 1 MB |

+| **Regulatory compliance** | Monitor for regulatory compliance | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Inbound, Outbound <br> - Review Percentage: 10% <br> - Conditions: custom dictionary option, attachments larger than 1 MB |

+| **Conflict of interest** | Monitor for conflict of interest | - Locations: Exchange Online, Microsoft Teams, Yammer <br> - Direction: Internal <br> - Review Percentage: 100% <br> - Conditions: None |

+## Pause a policy

+## Copy a policy

+>Use [recommended actions](communication-compliance-configure.md#recommended-actions) to help you determine if you need a sensitive information type policy or if you need to update existing inappropriate content policies.

+For more information, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

+Here's a list of applicable roles. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md)

+Here's a list of applicable role groups. To learn more about the, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md)

+- Advanced settings supported by built-in labeling are included in the PowerShell documentation. For more help in specifying these PowerShell advanced settings, see the [PowerShell tips for specifying the advanced settings](#powershell-tips-for-specifying-the-advanced-settings) section. For additional advanced settings supported by the Azure Information Protection unified labeling client, see the [documentation from this client's admin guide](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#available-advanced-settings-for-labels).

+#### PowerShell tips for specifying the advanced settings

+Although you can specify a sensitivity label by its name, we recommend using the label GUID to avoid potential confusion over specifying the label name or display name. The label name is unique in your tenant, so you can be sure you're configuring the correct label. The display name isn't unique and could result in configuring the wrong label. To find the GUID and confirm the label's scope:

+````powershell

+Get-Label | Format-Table -Property DisplayName, Name, Guid, ContentType

+````

+To remove an advanced setting from a sensitivity label, use the same AdvancedSettings parameter syntax, but specify a null string value. For example:

+````powershell

+Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{DefaultSharingScope=""}

+````

+To check your label's configuration, including advanced settings, use the following syntax with your own label GUID:

+```powershell

+(Get-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e).settings

+```

+This documentation includes the advanced settings that are supported by built-in labeling. For additional advanced settings supported by the Azure Information Protection unified labeling client, see the [documentation from this client's admin guide](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#available-advanced-settings-for-label-policies).

+> [!TIP]

+> When you're configuring advanced settings for a sensitivity label, you might find it helpful to reference the [PowerShell tips for specifying the advanced settings](#powershell-tips-for-specifying-the-advanced-settings) section on this page.

+You can also use [Remove-Label](/powershell/module/exchange/remove-label) and [Remove-LabelPolicy](/powershell/module/exchange/remove-labelpolicy) if you need to script the deletion of sensitivity labels or sensitivity label policies. However, before you delete sensitivity labels, make sure you read the next section.

+**If you decide not to use Customer Key for assigning multi-workload DEPs anymore then you'll need to file a support ticket using your Microsoft admin portal and provide the following details in your request:**

+1. Tenant FQDN

+2. Tenant contact for offboarding request

+3. Reason for offboarding

+4. Include a note in the service ticket that the request should be directed to the M365 Customer Key team and include the incident #

+You must still retain your Customer Key AKVs and encryption keys with proper permissions for data to be rewrapped using Microsoft managed keys. Please reach out to m365-ck@service.microsoft.com if you have any questions.

+The temporary or permanent loss of root encryption keys can be disruptive or even catastrophic to service operation and can result in data loss. For this reason, the resources used with Customer Key require strong protection. All the Azure resources that are used with Customer Key offer protection mechanisms beyond the default configuration. You can tag or register Azure subscriptions for a *mandatory retention period*. A mandatory retention period prevents immediate and irrevocable cancellation of your Azure subscription. The steps required to register Azure subscriptions for a mandatory retention period require collaboration with the Microsoft 365 team. Previously, mandatory retention period was sometimes referred to as "Do Not Cancel". This process will take five business days to complete.

+2. Run the Register-AzProviderFeature cmdlet to register your subscriptions to use a mandatory retention period. Complete this action for **each** subscription.

+Advanced classification scanning and protection allows the more advanced Microsoft Purview cloud based data classification service to scan items, classify them and return the results to the local machine. This means you can take advantage of classification techniques like [exact data match](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) classification, and [named entities](named-entities-learn.md) in your DLP policies.

+description: Learn about the Microsoft Purview solution catalog, including what it contains, how to access it, and your next steps.

+Are you looking for a way to quickly get started with compliance tasks in Microsoft Purview? Check out the [Microsoft Purview solution catalog](https://compliance.microsoft.com/solutioncatalog) to discover, learn, and quickly get started with risk and compliance solutions.

+Risk and compliance solutions in Microsoft Purview are collections of integrated capabilities you can use to help you manage end-to-end compliance scenarios. A solution's capabilities and tools might include a combination of policies, alerts, reports, and more.

+Read this article to get acquainted with the solution catalog in the Microsoft Purview compliance portal, [how to access](#how-do-i-access) and your [next steps](#next-steps).

+The solution catalog is organized into sections that contain information cards for each risk and compliance solution available in your Microsoft 365 subscription. Each section contains cards for solutions grouped by risk and compliance area.

+When you select **View** for a solution card, you'll see detailed information about the solution and how to get started. This information includes an overview, pre-configuration requirements, learning resources, controls that allow you to pin the card to the navigation pane, and an option to share the solution as a link, email, or Microsoft Teams message.

+- [App governance](/defender-cloud-apps/app-governance-manage-app-governance): Helps you understand all applications that connect to your organization and govern their API activity.

+- [Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp): Detects sensitive content as it's used and shared throughout your organization, in the cloud and on devices, and helps prevent accidental data loss.

+The **Privacy** section shows you at a glance how your organization can build a more privacy-resilient workplace.

+The **Insider risk management** section shows you at a glance how your organization can identify, analyze, and take action on internal risks before they cause harm.

+- [Information barriers](/microsoft-365/compliance/information-barriers): Allows you to restrict two-way communication and collaboration between groups and users in Microsoft Teams, SharePoint Online, and OneDrive for Business.

+The **Discovery & response** section shows you at a glance how your organization can quickly find, investigate, and respond to compliance issues with relevant data.

+- **Visit your Microsoft Purview solution catalog often**, and make sure to review new solutions to help you with your compliance needs. Sign in at the [compliance portal](https://compliance.microsoft.com) and then select **Catalog** in the left navigation pane.

+For more help to specify PowerShell advanced settings, see [PowerShell tips for specifying the advanced settings](create-sensitivity-labels.md#powershell-tips-for-specifying-the-advanced-settings).

+ This PDF format designed for long-term archiving isn't supported when the label applies encrytion and will prevent users from converting Office documents to PDF. For configuration information, see the Group Policy documentation for [Enforce PDF compliance with ISO 19005-1 (PDF/A)](https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_EnforcePDFcompliancewithISO190051PDFA).

+For more help in specifying PowerShell advanced settings, see [PowerShell tips for specifying the advanced settings](create-sensitivity-labels.md#powershell-tips-for-specifying-the-advanced-settings).

+|**Last updated:** 06/01/2022 -  [Change Log subscription](https://endpoints.office.com/version/USGOVDoD?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVDoD?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|

+|**Last updated:** 06/01/2022 -  [Change Log subscription](https://endpoints.office.com/version/USGOVGCCHigh?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVGCCHigh?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|

+### Block use of Internet Explorer in your organization

+Microsoft support for Internet Explorer 11 is ending soon for most versions of Windows 10. The [Block use of Internet Explorer in your organization guide](https://aka.ms/retireinternetexplorer) ensures that your users can still run legacy web apps that rely on Internet Explorer. This guide also helps you move those users to Microsoft Edge with IE mode.

+### Audit solutions setup guide

+The [Microsoft 365 auditing solutions guide](https://aka.ms/auditsolutionsetup) provides an integrated solution to help organizations effectively respond to security events, forensic investigations, and compliance obligations. When you use the auditing solutions in Microsoft 365, you can search the audit log for activities performed in different Microsoft 365 services.

+### eDiscovery solutions setup guide

+eDiscovery is the process of identifying and delivering electronic information that can be used as evidence in legal cases. The eDiscovery solutions setup guide assists in the use of eDiscovery tools in Microsoft Purview that allow you to search for content in Exchange Online, OneDrive for Business, SharePoint Online, Microsoft Teams, Microsoft 365 Groups, and Yammer communities.

+The [SDS Rollover setup guide](https://aka.ms/sdsrolloversetupguide) provides the steps to help your organization sync student information data to Azure Active Directory and Office 365. This guide streamlines the term lifecycle management process by creating Office 365 Groups for Exchange Online and SharePoint Online, class teams for Microsoft Teams and OneNote, as well as Intune for Education, and rostering and single sign-on integration for third-party apps. YouΓÇÖll perform end-of-year closeout, tenant cleanup and archive, new school year preparation, and new school year launch. Then you can create new profiles using the sync deployment method that suits your organization.

+**Last updated:** 06/01/2022 -  [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)

+|**Last updated:** 06/01/2022 - |

+>Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the [blog announcement](https://aka.ms/microsoftpurviewblog) and the [What is Microsoft Purview?](/purview/purview) article.

+To learn more, see [Overview of Microsoft 365 Lighthouse](../../lighthouse/m365-lighthouse-overview.md).

+## See also

+[Microsoft Defender for Business and managed service provider resources](mdb-partners.md)

+ Title: Microsoft Defender for Business and MSP resources

+description: Learn about resources available for managed service providers and Microsoft Defender for Business.

+search.appverid: MET150

+audience: Admin

+ms.technology: mdb

+ms.localizationpriority: medium

+f1.keywords: NOCSH

+- SMB

+- M365-security-compliance

+# Microsoft Defender for Business and managed service provider resources

+As you already know, most managed service providers (MSPs) offer a sophisticated stack of capabilities. For example, many MSPs offer software and services that include backup & recovery, network management, line of business apps, and cybersecurity capabilities. Small and medium-sized businesses recognize security as a key component to their success, but often don't have the capacity or expertise to have a dedicated security operations team. These customers often need help with managing the security of their endpoints and network, and addressing alerts or detected threats.

+If you're a Microsoft MSP, Defender for Business (and Microsoft 365 Business Premium) can help you build your cybersecurity stack. You can integrate Defender for Business and Microsoft 365 Business Premium with your remote monitoring and management (RMM) tools and professional service automation (PSA) software.

+## Use APIs to integrate with your MSP solution

+Using our APIs for custom integration, you can:

+- Get access to your customers' Microsoft 365 Defender portalΓÇï to [address alerts and incidents](mdb-respond-mitigate-threats.md).

+- Get [email notifications](mdb-email-notifications.md)ΓÇï about new alerts or vulnerabilities across your customers' tenants.

+- Fetch and view [incidents and alerts](mdb-view-manage-incidents.md) with your security information and event management (SIEM) tools.

+- Orchestrate [remediation actions](mdb-review-remediation-actions.md), such as approving actions following automated investigations, or taking manual response actions on a device.

+## Resources to learn more

+Use the following resources to learn more:

+| Resource | Description |

+|:|:|

+| [Defender for Business partner kit](https://aka.ms/MDBPartnerKit) | The Defender for Business partner kit provides you with practical guidance, technical information, and customer-ready resources to market and sell Defender for Business to small and medium-sized businesses. |

+| [Overview of management and APIs](../defender-endpoint/management-apis.md) | Defender for Business is built on Microsoft Defender for Endpoint, and is an integration-ready platform. This article describes how to automate workflows and innovate using the Defender for Endpoint APIs. |

+| [Configure managed security service provider integration](../defender-endpoint/configure-mssp-support.md) | Provides an overview of steps to take to successfully integrate a customer's tenant with your MSP solution. |

+## What if I'm not a Microsoft MSP yet?

+- If you're not a Microsoft MSP, [learn more about the program](https://partner.microsoft.com/solutions/managed-services).

+- If you're a Microsoft cloud solution provider (CSP), see [Microsoft 365 Lighthouse and Microsoft Defender for Business](mdb-lighthouse-integration.md).

+- To learn more about all Microsoft partner programs and options, visit the [Microsoft Partner Network](https://partner.microsoft.com).

+## See also

+[Microsoft 365 Lighthouse and Microsoft Defender for Business](mdb-lighthouse-integration.md)

+[Microsoft Partner Network](https://partner.microsoft.com)

+You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft 365 Defender portal for their response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.

+Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender for Cloud. You can onboard servers automatically, have servers monitored by Microsoft Defender for Cloud appear in Defender for Endpoint, and conduct detailed investigations as a Microsoft Defender for Cloud customer.

+You can use this article to help clarify what protection is provided by the different features available in Defender for Endpoint Plan 1, Defender for Endpoint Plan 2, the new Defender Vulnerability Management add-on, and Microsoft 365 Defender.

+| [Defender Vulnerability Management add-on](../defender-vulnerability-management/defender-vulnerability-management-capabilities.md) | Additional Defender Vulnerability Management capabilities for Defender for Endpoint Plan 2:<ul><li>[Security baselines assessment](../defender-vulnerability-management/tvm-security-baselines.md)</li><li>[Block vulnerable applications](../defender-vulnerability-management/tvm-block-vuln-apps.md)</li><li>[Browser extensions](../defender-vulnerability-management/tvm-browser-extensions.md)</li><li>[Digital certificate assessment](../defender-vulnerability-management/tvm-certificate-inventory.md)</li><li>[Network share analysis](../defender-vulnerability-management/tvm-network-share-assessment.md)</li><li>Support for [Windows](configure-endpoints.md) (client and server) and [non-Windows platforms](configure-endpoints-non-windows.md) (macOS, iOS, Android, and Linux)</li></ul> |

+| [Microsoft 365 Defender](../defender/microsoft-365-defender.md) | Services include: <ul><li>[Defender for Endpoint Plan 2](microsoft-defender-endpoint.md)</li><li>[Microsoft Defender Vulnerability Management](../defender-vulnerability-management/defender-vulnerability-management.md)</li><li>[Microsoft Defender for Office 365](../office-365-security/overview.md)</li><li>[Microsoft Defender for Identity](/defender-for-identity/)</li><li>[Microsoft Defender for Cloud Apps](/cloud-app-security/)</li></ul>|

+> [!IMPORTANT]

+> The standalone versions of Defender for Endpoint Plan 1 and Plan 2 do not include server licenses. To onboard servers, such as endpoints running Windows Server or Linux, you'll need Defender for Servers Plan 1 or Plan 2 as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more. see [Overview of Microsoft Defender for Servers](/azure/defender-for-cloud/defender-for-servers-introduction).

+1. Enable or Disable Device control as follows:

+ - **Name** as **Enable Device Control**

+ You can set the default access (Deny or Allow) for all Device Control features (`RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`).

+ For example, you have either a **Deny** or an **Allow** policy for `RemovableMediaDevices`, but you do not have a policy for `CdRomDevices` or `WpdDevices`. You can set **Default Deny** through this policy, then Read/Write/Execute access to `CdRomDevices` or `WpdDevices` will be blocked. If you only want to manage storage, make sure create an **Allow** policy for your printer; otherwise, this default enforcement will be applied to printers as well.

+ You can create an Audit policy for Default Deny as follows:

+ Use the following XML data to create your Audit policy for Default Deny:

+ You can create a removable storage group with ReadOnly access as follows:

+ You can create a ReadOnly policy and apply it to the ReadOnly removable storage group to allow read activity as follows:

+6. Create a Group for Allowed Media: You can create your allowed media group as follows:

+ Use the following XML data to create allowed media group:

+7. Create a policy to allow the approved USB Group: You can create a policy to allow the approved USB group as follows:

+The Removable Storage Access Control feature enables you to apply a policy by using Group Policy to either user or device, or both.

+ You can enable Device control as follows:

+ You can set default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices).

+ For example, you have either Deny or Allow policy for RemovableMediaDevices, but you do not have any policy for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. If you only want to manage storage, make sure create Allow policy for Printer, otherwise, this Default Enforcement will be applied to Printer as well.

+<summary>May-2022 (Platform: 4.18.2205.7 | Engine: 1.1.19300.2)</summary>

+&ensp;Security intelligence update version: **1.369.88.0**<br/>

+&ensp;Released: **June 22, 2022**<br/>

+&ensp;Platform: **4.18.2205.7**<br/>

+&ensp;Engine: **1.1.19300.2**<br/>

+&ensp;Support phase: **Security and Critical Updates**<br/>

+Engine version: 1.1.19300.2<br/>

+Security intelligence update version: 4.18.2205.7<br/>

+### What's new

+- Added fix for ETW channel configuration for updates

+- Added support for contextual exclusions allowing more specific exclusion targeting

+- Fixed context maximum size

+- Added fix for [ASR LSASS detection](attack-surface-reduction-rules-reference.md)

+- Added fix to SHSetKnownFolder for rule exclusion logic

+- Added AMSI disk usage limits for The History Store

+- Added fix for Defender service refusing to accept signature updates

+### Known Issues

+No known issues

+<br/><br/>

+</details><details>

+</details>

+### Previous version updates: Technical upgrade support only

+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.<br/><br/>

+<details>

+&ensp;Support phase: **Technical upgrade support (only)**<br/>

+</details><details>

+Customers can engage our security experts directly from within Microsoft 365 Defender portal to get their response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:

+For information licensing requirements for Microsoft Defender for Endpoint, see [Microsoft Defender for Endpoint licensing information](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-defender-for-endpoint).

+- Windows 8.1 Enterprise

+- Windows 8.1 Pro

+- Windows 7 SP1 Enterprise ([Requires ESU for support](/troubleshoot/windows-client/windows-7-eos-faq/windows-7-extended-security-updates-faq).)

+- Windows 7 SP1 Pro ([Requires ESU for support](/troubleshoot/windows-client/windows-7-eos-faq/windows-7-extended-security-updates-faq).)

+> - Endpoints running mobile versions of Windows (such as Windows CE and Windows 10 Mobile) aren't supported.

+> - Virtual Machines running Windows 10 Enterprise 2016 LTSB may encounter performance issues if run on non-Microsoft virtualization platforms.

+> - For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 or later.

+>

+> - The standalone versions of [Defender for Endpoint Plan 1 and Plan 2](defender-endpoint-plan-1-2.md) do not include server licenses. To onboard servers to those plans, you'll need Defender for Servers Plan 1 or Plan 2 as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more. see [Overview of Microsoft Defender for Servers](/azure/defender-for-cloud/defender-for-servers-introduction).

+Network protection extends the protection in [Web protection](web-protection-overview.md) to the operating system level. It provides the web protection functionality found in Microsoft Edge to other supported browsers and non-browser applications. Network protection also provides visibility and blocking of indicators of compromise (IOCs) when used with [Endpoint detection and response](overview-endpoint-detection-response.md). For example, network protection works with your [custom indicators](manage-indicators.md) that you can use to block specific domains or host names.

+Network protection requires Windows 10 or 11 (Pro or Enterprise), or Windows Server version 1803 or later, and Microsoft Defender Antivirus real-time protection.

+- Block IP/URL addresses from your own threat intelligence ([indicators](indicator-ip-domain.md))

+- Block unsanctioned services from [Microsoft Defender for Cloud Apps](/defender-cloud-apps/what-is-defender-for-cloud-apps) (formerly known as Microsoft Cloud App Security)

+- Block sites based on category ([Web content filtering](web-content-filtering.md))

+Network protection is a critical part of the Microsoft protection and response stack.

+> [!TIP]

+> For details about network protection for Windows Server, Linux, MacOS and Mobile Threat Defense (MTD), see [Proactively hunt for threats with advanced hunting](advanced-hunting-overview.md).

+Command and Control (C2) server computers are used by malicious users to send commands to systems compromised by malware, and then exert some type of control over compromised systems. C2 attacks typically hide in cloud-based services such as file-sharing and webmail services, enabling the C2 servers to avoid detection by blending in with typical traffic.

+- Steal data (for example, by way of phishing)

+- Control compromised computers in a botnet

+- Disrupt legitimate applications

+- Spread malware, such as ransomware

+The network protection component of Defender for Endpoint identifies and blocks connections to C2 infrastructures used in human-operated ransomware attacks, using techniques like machine learning and intelligent indicator-of-compromise (IoC) identification.

+Support for Command and Control servers (C2) is a key part of this ransomware evolution and is what enables these attacks to adapt to the environment they target. Breaking the link to the command-and-control infrastructure stops the progression of an attack to its next stage.

+Defender for Endpoint's command and control detection isn't limited to CobaltStrike. Defender for Endpoint can capture key IoCs of multiple malware families. The indicators are shared across the Microsoft protection stack to protect customers and alert them if there's a compromise.

+Blocking command-and-control communication can severely impede a targeted attack, giving your security team time to find the initial entry vectors and close them down before another attempted attack.

+## SmartScreen Unblock

+A new feature in Defender for Endpoint indicators enables administrators to allow end users to bypass warnings that are generated for some URLs and IPs. Depending on why the URL was blocked, when a SmartScreen block is encountered it may offer administrators the ability to unblock the site for up to 24 hours. In such cases, a Windows Security toast notification will appear, permitting the end-user to **Unblock** the URL or IP for the defined period of time.

+Microsoft Defender for Endpoint Administrators can configure SmartScreen Unblock functionality at [Microsoft 365 Defender](https://security.microsoft.com/), using the following configuration tool. From the Microsoft 365 Defender portal, navigate to the path to the ConfigToolName.

+ > 

+You can enable network protection in **Audit** mode or **Block** mode. If you want to evaluate the impact of enabling network protection before actually blocking IP addresses or URLs, you can enable network protection in Audit mode for a period of time to gather data on what would be blocked. Audit mode logs when end users have connected to an address or site that would otherwise have been blocked by network protection.

+## Advanced hunting

+If you're using advanced hunting to identify audit events, you'll have up to 30 days history available from the console. See [Advanced hunting](advanced-hunting-overview.md).

+You can find the audit data in **Advanced hunting** in the Defender for Endpoint portal ([https://security.microsoft.com](https://security.microsoft.com)).

+The events are in DeviceEvents with an ActionType of `ExploitGuardNetworkProtectionAudited`. Blocks are shown by `ExploitGuardNetworkProtectionBlocked`.

+```kusto

+```

+ > 

+> These entries have data in the **AdditionalFields** column which gives you great info around the action, if you expand **AdditionalFields** you can also get the fields: **IsAudit**, **ResponseCategory**, and **DisplayName**.

+Here's an another example:

+```kusto

+```

+The Response category tells you what caused the event, for example:

+You can use the resulting list of URLs and IPs to determine what would have been blocked if the device was in block mode, and which feature blocked them. Review each item on the list to identify URLS or IPs whether any are necessary to your environment. If you find any entries that have been audited which are critical to your environment, create an Indicator to allow them in your network. Allow URL / IP indicators take precedence over any block.

+Once you've created an indicator, you can look at resolving the underlying issue:

+- SmartScreen ΓÇô request review

+Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](investigate-alerts.md). You can view these details in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) in the [alerts queue](review-alerts.md) or by using [advanced hunting](advanced-hunting-overview.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled.

+With network protection, the determination of whether to allow or block access to a site is made after the completion of the [three-way handshake via TCP/IP](/troubleshoot/windows-server/networking/three-way-handshake-via-tcpip). Thus, when a site is blocked by network protection, you might see an action type of `ConnectionSuccess` under `NetworkConnectionEvents` in the Microsoft 365 Defender portal, even though the site was blocked. `NetworkConnectionEvents` are reported from the TCP layer, and not from network protection. After the three-way handshake has completed, access to the site is allowed or blocked by network protection.

+2. The three-way handshake via TCP/IP commences. Before it completes, a `NetworkConnectionEvents` action is logged, and its `ActionType` is listed as `ConnectionSuccess`. However, as soon as the three-way handshake process completes, network protection blocks access to the site. All of this happens quickly. A similar process occurs with [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview); it's when the three-way handshake completes that a determination is made, and access to a site is either blocked or allowed.

+ - `Set-MpPreference -EnableNetworkProtection Enabled`

+ - `Set-MpPreference -AllowNetworkProtectionOnWinServer 1`

+ - `Set-MpPreference -AllowNetworkProtectionDownLevel 1`

+ - `Set-MpPreference -AllowDatagramProcessingOnWinServer 1`

+## Network protection troubleshooting

+Due to the environment where network protection runs, Microsoft might not be able to detect operating system proxy settings. In some cases, network protection clients are unable to reach the cloud service. To resolve the connectivity problem, [configure a static proxy for Microsoft Defender Antivirus](configure-proxy-internet.md#configure-a-static-proxy-for-microsoft-defender-antivirus).

+Network protection now has a performance optimization that allows Block mode to start asynchronously inspecting long connections after they're validated and allowed by SmartScreen, which might provide a potential reduction in the cost that inspection has on bandwidth and can also help with app compatibility problems. This optimization capability is on by default. You can turn off this capability by using the following PowerShell cmdlet:

+- Suppressing notifications in the Windows Security app

+keywords: microsoft 365 defender, conditional access, office, Microsoft Defender for Endpoint, microsoft defender for identity, microsoft defender for office, Microsoft Defender for Cloud, microsoft cloud app security, azure sentinel

+## Precedence for multiple active policies

+Applying multiple different web content filtering policies to the same device will result in the more restrictive policy applying for each category. Consider the following scenario:

+- **Policy 1**: blocks categories 1 and 2 and audits the rest

+- **Policy 2**: blocks categories 3 and 4 and audits the rest

+The result is that categories 1 - 4 are all blocked. This is illustrated in the following image.

+## June 2022

+- [Defender for Servers Plan 2 now integrates with MDE unified solution](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-servers-plan-2-now-integrates-with-mde-unified/ba-p/3527534)<br>You can now start deploying the modern, unified solution for Windows Server 2012 R2 and 2016 to servers covered by Defender for Servers Plan 2 using a single button.

+### View associated alert for user and admin email submissions

+> [!IMPORTANT]

+> Only applicable for customers having Microsoft Defender for Office 365 Plan 2 or above.

+> Today, for user submissions only alert are generated for messages which are reported as Phish.

+So for each user reported phish message and admin email submission a corresponding alert is generated.

+To view the corresponding alert for user reported phish message, click on **User reported messages** tab, double click on the message to open the submission flyout. From the overflow menu inside the flyout select **View alert**.

+To view the corresponding alert for admin email submission, click on **Emails** tab, double click on the message to open the submission flyout.

+Select **View alert** on the right side of **Open email entity** option.

+You can't directly modify the Tenant Allow/Block List to add allow entries. Instead, use [admin submissions](admin-submission.md) to submit the blocked message. This action will add the corresponding URL, file, spoofed sender domain pair, impersonated domain (or user) and/or sender to the Tenant Allow/Block List. If the item has not been blocked, then the allow won't be created. In most cases where the message was determined to be a false positive that was incorrectly blocked, the allow entry will be removed on the specified expiration date.

+> - Because Microsoft manages the allow entries for you, unneeded sender, URL, or file allow entries that aren't needed will be removed. This behavior protects your organization and helps prevent misconfigured allow entries. If you disagree with the verdict, you might need to open a support case to help determine why a message is still considered bad.

+7. Add why you are adding the allow using the **Optional Note** box.

+8. When you're finished, select the **Submit** button.

+Only messages from that domain _and_ sending infrastructure pair are allowed to spoof. Other senders attempting to spoof gmail.com aren't allowed. Messages from senders in other domains originating from tms.mx.com are checked by spoof intelligence.

+> [!NOTE]

+> Email from these senders will be blocked as _phish_.

+>

+> Only the _combination_ of the spoofed user _and_ the sending infrastructure as defined in the domain pair is specifically allowed or blocked from spoofing.

+>

+> When you configure an allow or block entry for a domain pair, messages from that domain pair no longer appear in the spoof intelligence insight.

+>

+> Entries for spoofed senders never expire.

+### Use Tenant allow block list in Microsoft 365 Defender

+### Use Admin Submission in Microsoft 365 Defender

+You can also allow spoofed senders using the **Submissions** page in Microsoft 365 Defender.

+Use [admin submissions](admin-submission.md) to submit the blocked message. This action will add the corresponding URL, file, spoofed sender domain pair, impersonated domain (or user) and/or sender to the Tenant Allow/Block List. If the item has not been blocked, then the allow won't be created.

+> [!IMPORTANT]

+>

+> - Spoof allows take care of intra-org, cross-org and DMARC spoofing.

+> - The optional note in the admin submission don't apply to spoof allows.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+2. On the **Submissions** page, verify that the **Emails** tab is selected, and then click  **Submit to Microsoft for analysis**.

+3. Use the **Submit to Microsoft for review** flyout to submit a message by adding the network message ID or uploading the email file.

+4. In the **Select a reason for submitting to Microsoft** section, select **Should not have been blocked (false positive)**.

+5. Turn on **Allow messages like this** option.

+6. From the **Remove after** drop-down list, specify how long you want the allow option to work though it does not applies to spoof allows as they never expire.

+7. When you're finished, select the **Submit** button.

+ :::image type="content" source="../../media/admin-submission-allow-messages.png" alt-text="Submit malware to Microsoft for analysis example." lightbox="../../media/admin-submission-allow-messages.png":::

+> [!NOTE]

+>

+> - The spoofed sender domain pair will be created and visible in the **Spoofed** tab under the **Tenant allow/block list** page.

+## Create impersonated sender entries

+### Use Admin Submission in Microsoft 365 Defender

+You can also allow impersonated senders using the **Submissions** page in Microsoft 365 Defender.

+Use [admin submissions](admin-submission.md) to submit the blocked message. This action will add the corresponding URL, file, spoofed sender domain pair, impersonated domain (or user) and/or sender to the Tenant Allow/Block List. If the item has not been blocked, then the allow won't be created.

+> [!IMPORTANT]

+>

+> - Impersonation allows take care of domain and user impersonation.

+> - Graph Impersonation is not taken care from here for now.

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.

+2. On the **Submissions** page, verify that the **Emails** tab is selected, and then click  **Submit to Microsoft for analysis**.

+3. Use the **Submit to Microsoft for review** flyout to submit a message by adding the network message ID or uploading the email file.

+4. In the **Select a reason for submitting to Microsoft** section, select **Should not have been blocked (false positive)**.

+5. Turn on **Allow messages like this** option.

+6. From the **Remove after** drop-down list, specify how long you want the allow option to work though it does not applies to impersonated allows as they never expire.

+7. When you're finished, select the **Submit** button.

+ :::image type="content" source="../../media/admin-submission-allow-messages.png" alt-text="Submit malware to Microsoft for analysis example." lightbox="../../media/admin-submission-allow-messages.png":::

+> [!NOTE]

+>

+> - The impersonated domain (or user) will be created and visible under the respective **Antiphishing Policy** under <https://security.microsoft.com/antiphishing>.

+- [Allow or block URLs in the Tenant Allow/Block List](allow-block-urls.md)

+- **Common attachments filter**: There are certain types of files that you really shouldn't send via email (for example, executable files). Why bother scanning these types of files for malware, when you should probably block them all, anyway? That's where the common attachments filter comes in. The file types you specify are automatically treated as malware.

+ - The default file types: `ace, ani, app, cab, docm, exe, iso, jar, jnlp, reg, scr, vbe, vbs`.

+ - Additional file types that you can select from in the Microsoft 365 Defender portal^\*: `ade, adp, asp, bas, bat, cer, chm, cmd, com, cpl, crt, csh, der, dll, dos, fxp, gadget, hlp, hta, inf, ins, isp, its, js, jse, ksh, lnk, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mde, mdt, mdw, mdz, msc, msh, msh1, msh1xml, msh2, msh2xml, msi, msp, mst, obj, ops, os2, pcd, pif, plg, prg, prgps1, ps1xml, ps2, ps2xml, psc1, psc2, pst, rar, scf, sct, shb, shs, tmp, url, vb, vsmacros, vsw, vxd, w16, ws, wsc, wsf, wsh, xnk`.

+ ^\* You can enter any text value using the _FileTypes_ parameter in the [New-MalwareFilterPolicy](/powershell/module/exchange/new-malwarefilterpolicy) or [Set-MalwareFilterPolicy](/powershell/module/exchange/set-malwarefilterpolicy) cmdlets in Exchange Online PowerShell.

+ The common attachments filter uses best effort true-typing to detect the file type regardless of the file name extension. If true-typing fails or isn't supported for the specified file type, then simple extension matching is used.

+- **Zero-hour auto purge (ZAP) for malware**: ZAP for malware quarantines messages that are found to contain malware _after_ they've been delivered to Exchange Online mailboxes. By default, ZAP for malware is turned on, and we recommend that you leave it on.

+- **Admin notifications**: You can specify an additional recipient (an admin) to receive notifications for malware detected in messages from internal or external senders. You can customize the **From address**, **subject**, and **message text** for internal and external notifications.

+ >

+ > The _quarantine_ policy that's assigned to the anti-malware policy determines whether recipients receive email notifications for messages that were quarantined as malware. By default, recipients don't receive notifications for messages that were quarantined as malware. For more information, see [Quarantine policies](quarantine-policies.md).

+### Users are assigned training after they report a simulated message

+If users are assigned training after they report a phishing simulation message, check to see if your organization has a **custom mailbox** configured in your **user submission policy**. When configuring a **custom mailbox**, this mailbox needs to be excluded from Safe Links and Safe Attachments policies as per the [Custom mailbox prerequisites](user-submission.md).

+If your organization has a **custom mailbox** configured and has not set up the required exclusions, these messages may be detonated, causing training assignments.

+### Q: Does Microsoft collect or store any information that users enter at the Credential Harvest sign-in page, used in the Credential Harvest simulation technique?

+A: No. Any information entered at the credential harvest login page is discarded silently. Only the 'click' is recorded to capture the compromise event. Microsoft does not collect, log or store any details that users enter at this step.

+4. On the **Users and domains** page, identify the internal recipients that the policy applies to (recipient conditions):

+5. On the **Protection settings** page, configure the following settings:

+ - **Enable the common attachments filter**: If you select this option, messages with the specified attachments are treated as malware and are automatically quarantined. You can modify the list by clicking **Customize file types** and selecting or deselecting values in the list the list.

+ For the default and available values, see [Anti-malware policies](anti-malware-protection.md#anti-malware-policies).

+ **When these types are found**: Select one of the following values:

+ - **Reject the message with a non-delivery report (NDR)** (this is the default value)

+ - **Quarantine the message**

+ - **Enable zero-hour auto purge for malware**: If you select this option, ZAP quarantines malware messages that have already been delivered. For more information, see [Zero-hour auto purge (ZAP) in Exchange Online](zero-hour-auto-purge.md).

+ > The quarantine policy determines whether recipients receive email notifications for messages that were quarantined as malware. Quarantine notifications are disabled in the AdminOnlyAccessPolicy, so you'll need to create and assign a custom quarantine policy where notifications are turned on. For more information, see [Quarantine policies](quarantine-policies.md).

+ >

+ - **Admin notifications**: Select none, one, or both of the following options:

+ - **Notify an admin about undelivered messages from internal senders**: If you select this option, enter a recipient email address in the **Admin email address** box that appears.

+ - **Notify an admin about undelivered messages from external senders**: If you select this option, enter a recipient email address in the **Admin email address** box that appears.

+ > Admin notifications are sent only for _attachments_ that are classified as malware.

+ - **Customize notifications**: Use the settings in this section to customize the message properties that are used for admin notifications.

+ - **Use customized notification text**: If you select this option, use the **From name** and **From address** boxes to specify the sender's name and email address for admin notification messages.

+ - **Customize notifications for messages from internal senders**: If you previously selected **Notify an admin about undelivered messages from internal senders**, use the **Subject** and **Message** boxes to specify the subject and message body of admin notification messages.

+ - **Customize notifications for messages from external senders**: If you previously selected **Notify an admin about undelivered messages from external senders**, you need to use the **Subject** and **Message** boxes to specify the subject and message body of admin notification messages.

+6. On the **Review** page, review your settings. You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.

+New-MalwareFilterPolicy -Name "<PolicyName>" [-AdminDisplayName "<OptionalComments>"] [-CustomNotifications <$true | $false>] [<Inbound notification options>] [<Outbound notification options>] [-QuarantineTag <QuarantineTagName>]

+- Notify admin@contoso.com when malware is detected in a message from an internal sender.

+4. Verify that the message was quarantined, and verify the admin notification results based on your anti-malware policy settings. For example, the admin email address that you specified is notified for internal or external message senders, with the default or customized notification messages.

+> [!NOTE]

+> You can now manage block URL entries in the [Tenant Allow/Block List](allow-block-urls.md#create-block-url-entries-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.

+- In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Tenant Allow/Block Lists** in the **Rules** section. To go directly to the **Tenant Allow/Block Lists** page, use <https://security.microsoft.com/tenantAllowBlockList>.

+These articles contain the instructions to add or remove or modify entries in Tenant Allow/Block List using both Microsoft 365 Defender Portal and Exchange Online PowerShell or standalone EOP PowerShell.

+- [Allow or block URLs in the Tenant Allow/Block List](allow-block-urls.md)

+|**Allow recipients to release a message from quarantine** (_PermissionToRelease_)^\*||||

+^\*The **Allow recipients to release a message from quarantine** permission is not honored in anti-malware policies or for the high confidence phishing verdict in anti-spam policies. Users cannot release their own malware or high confidence phishing messages from quarantine. At best, you can use the **Allow recipients to request a message to be released from quarantine** permission.

+> [!NOTE]

+> This permission is not honored in anti-malware policies or for the high confidence phishing verdict in anti-spam policies. Users cannot release their own malware or high confidence phishing messages from quarantine. At best, you can use the [Allow recipients to request a message to be released from quarantine permission](#allow-recipients-to-request-a-message-to-be-released-from-quarantine-permission) permission.

+|**Enable the common attachments filter** <p> _EnableFileFilter_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|This setting quarantines messages that contain attachments based on file type, regardless of the attachment content. For the list of file types, see [Anti-malware policies](anti-malware-protection.md#anti-malware-policies).|

+|**Customize notifications for messages from internal senders**||||These settings are used only if **Notify an admin about undelivered messages from internal senders** is selected.|

+|**Customize notifications for messages from external senders**||||These settings are used only if **Notify an admin about undelivered messages from external senders** is selected.|

+|**Block the following URLs** <p> _ExcludedUrls_|Blank <p> `$null`|Blank <p> `$null`|We have no specific recommendation for this setting. <p> For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links). <p> **Note**: You can now manage block URL entries in the [Tenant Allow/Block List](allow-block-urls.md#create-block-url-entries-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.|

+|**Do not rewrite the following URLs in email** <p> _DoNotRewriteUrls_|Not selected <p> blank|Not selected <p> blank|Not selected <p> blank|Not selected <p> blank|We have no specific recommendation for this setting. <p> **Note**: The purpose of the "Do not rewrite the following URLs" list is to skip the Safe Links wrapping of the specified URLs. Instead of using this list, you can now [create allow URL entries in the Tenant Allow/Block List](allow-block-urls.md#create-allow-url-entries).|

+> [!NOTE]

+> You can now manage block URL entries in the [Tenant Allow/Block List](allow-block-urls.md#create-block-url-entries-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.

+> The purpose of the "Do not rewrite the following URLs" list is to skip the Safe Links wrapping of the specified URLs. Instead of using this list, you can now [create allow URL entries in the Tenant Allow/Block List](allow-block-urls.md#create-allow-url-entries).

+ > [!NOTE]

+ > The purpose of the "Do not rewrite the following URLs" list is to skip the Safe Links wrapping of the specified URLs. Instead of using this list, you can now [create allow URL entries in the Tenant Allow/Block List](allow-block-urls.md#create-allow-url-entries).

+ >

+ > If you do phishing simulations using [Attack simulation training](attack-simulation-training-get-started.md) or a third-party product, you need to [configure this mailbox as a SecOps mailbox](configure-advanced-delivery.md). If you don't, reporting messages may trigger training assignments in the phishing simulation product.

+You can require guests to access your teams, sites, and files by using a web browser only. This reduces the chance that they might download sensitive files and leave them on an unmanaged device. This is also useful when sharing with environments that use shared devices.

+You can use [Microsoft Purview Data Loss Prevention (DLP)](../compliance/dlp-learn-about-dlp.md) to prevent unwanted guest sharing of sensitive content. Data loss prevention can take action based on a file's sensitivity label and remove guest access.