+<!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->

+## Week of June 20, 2022

+| Published On |Topic title | Change |

+|||--|

+| 6/23/2022 | [Defender Threat Intelligence](/defender-threat-intelligence/index) | modified |

+ Title: Defender Threat Intelligence

+description: Defender Threat Intelligence

+search.appverid: MET150

+ms.technology: m365d

+ms.localizationpriority: medium

+f1.keywords: CSH

+- adminvideo

+The URL is https://graph.microsoft.com/beta/admin/reportSettings

+The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md).

+In the **Project activity report**, you can understand the activity of every user licensed to use Microsoft Project by looking at their interaction with Project. It also helps you to understand the level of collaboration going on by looking at the number of projects visited and tasks created or edited.

+2. From the dashboard homepage, click on the **View more** button on the Project card.

+- **Task activity** - Shows you the daily number of tasks created or edited over time in Project for the Web

+Select **Choose columns** to add or remove columns from the table.

+

+You can also export the report data into an Excel .csv file by selecting the **Export** link. This exports data of all users and enables you to do simple sorting and filtering for further analysis.

+The following are definitions for each metric in the user activity table.

+|User name|The user's principal name.|

+|Display name|The full name of the user.|

+|Last activity date|The latest date the user in that row had activity in Project, including any of the activities in the summary reports.|

+|Projects visited (Desktop)|The number of projects opened by the user in the Project Online desktop client during the time range selected in the top right of the page.|

+|Projects visited (Web)| The number of tasks created by the user in Project for the Web during the time range selected in the top right of the page.|

+|Tasks created (Web)|The number of tasks created by the user in Project for the Web during the time range selected in the top right of the page.|

+|Tasks edited (Web)|The number of tasks edited by the user in Project for the Web during the time range selected in the top right of the page.|

+|Other|This value is true if the user has performed an activity in Project Online desktop client or in Project for the Web (that is not covered by the other columns) in the time range selected in the top right of the page. If the user has not, this value is false.|

+- adminvideo

+The **Licenses** page lets you assign or unassign licenses for up to 20 users at a time. The page shows the products you own, the number of available licenses for each product, and the number of assigned licenses out of the total licenses available. The number of licenses is an aggregate total of licenses for all subscriptions for the same product name.

+For example, you might have one subscription for Microsoft 365 Business Premium that has 5 licenses, and another subscription that has 8 licenses for the same product. The **Licenses** page shows that you have a total of 13 licenses for Microsoft 365 Business Premium across all your subscriptions. This is different from what you see on the **Your products** page, which displays a row for each subscription you own, even if they are for the same product.

+6. When you're finished, select **Assign**, then close the right pane.

+If there's a conflict, you see a message that tells you what the problem is, and how to fix it. For example, if you selected licenses that contain conflicting services, the error message says to review the services included with each license and try again.

+# Idle session timeout for Microsoft 365

+The **Licenses** page lets you assign or unassign licenses for up to 20 users at a time. The page shows the products you own, the number of available licenses for each product, and the number of assigned licenses out of the total licenses available. The number of licenses is an aggregate total of licenses for all subscriptions for the same product name.

+For example, you might have one subscription for Microsoft 365 Business Premium that has 5 licenses, and another subscription that has 8 licenses for the same product. The **Licenses** page shows that you have a total of 13 licenses for Microsoft 365 Business Premium across all your subscriptions. This is different from what you see on the **Your products** page, which displays a row for each subscription you own, even if they are for the same product.

+1. Select a product.

+2. Select the check boxes of the users for which you want to unassign licenses.

+3. Select **Unassign licenses**.

+4. In the **Unassign licenses** box, select **Unassign**.

+- adminvideo

+2. Select an existing *.onmicrosoft.com* domain.

+3. On the **Overview** tab, select **Add onmicrosoft.com domain**.

+ 

+4. On the **Add onmicrosoft domain** page, in the **Domain name** box, enter the name for your new onmicrosoft.com domain.

+ 

+- adminvideo

+ Set-SharingPolicy "Default Sharing Policy" -Domains @{Add="Anonymous:CalendarSharingFreeBusyReviewer"}

+## Turn Bookings with me on or off

+ Title: "Create and edit Autopilot profiles"

+description: "Learn to create an Autopilot profile and apply it to a device, and edit or delete a profile or remove a profile from a device."

+# Create and edit Autopilot profiles

+You can apply a [Windows Autopilot deployment profile](/mem/autopilot/profiles) to devices that are in a [device group](m365bp-device-groups-mdb.md). Deployment profiles determine the Windows deployment and enrollment experience that users will have.

+1. In the Microsoft 365 admin center, choose **Devices** \> **Autopilot**.

+2. On the **Autopilot** page, choose the **Profiles** tab \> **Create profile**.

+3. On the **Create profile** page, enter a name for the profile that helps you identify it, for example Marketing. Turn on the setting you want, and then choose **Save**. For more information about Autopilot profile settings, see [About Autopilot Profile settings](m365bp-Autopilot-profile-settings.md).

+After you create a profile, you can apply it to a device or a group of devices. You can pick an existing profile in the [step-by-step guide](m365bp-add-Autopilot-devices-and-profile.md) and apply it to new devices, or replace an existing profile for a device or group of devices.

+ If you do this task before a user connects the device to the internet, then the profile gets applied to the setup process.

+> [!NOTE]

+ Title: "Sign up for Microsoft 365 Business Premium"

+# How to sign up for Microsoft 365 Business Premium

+When you're ready to sign up for Microsoft 365 Business Premium, you have several options. You can:

+- [Try or buy Microsoft 365 Business Premium on your own](#sign-up-for-microsoft-365-business-premium-on-your-own)

+## Sign up for Microsoft 365 Business Premium on your own

+ Title: "Get Microsoft 365 for Campaigns"

+> [!NOTE]

+> When a term or directive is unclear, you can find definitions in the [glossary of terms](m365bp-glossary.yml).

+> [!NOTE]

+> When a term or directive is unclear, you can find definitions in the [glossary of terms](m365bp-glossary.yml).

+> [!NOTE]

+> When a term or directive is unclear, you can find definitions in the [glossary of terms](m365bp-glossary.yml).

+description: "What you can do to help protect your campaign from digital cyberattacks and other security threats."

+### Enable basic security capabilities on BYOD Windows 10 and Mac devices

+ Title: "Use this step-by-step guide to add Autopilot devices and profile"

+description: "Learn how to use Windows Autopilot to set up new Windows 10 devices for your business so they're ready for employee use."

+You can use Windows Autopilot to set up **new** Windows 10 devices for your business so they're ready for use when you give them to your employees.

+If you haven't created device groups or profiles yet, the best way to get started is by using the step-by-step guide. You can also [add Autopilot devices](m365bp-create-and-edit-Autopilot-devices.md) and [assign profiles](../admin/devices/create-and-edit-Autopilot-profiles.md) to them without using the guide.

+2. On the left navigation pane, choose **Devices** \> **Autopilot**.

+ 

+3. On the **Autopilot** page, click or tap **Start guide**.

+4. On the **Upload .csv file with list of devices** page, browse to a location where you have the prepared .CSV file, then **Open** \> **Next**. The file must have three headers:

+You can get this information from your hardware vendor, or you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo) to generate a CSV file.

+5. On the **Assign a profile** page, you can either pick an existing profile or create a new one. If you don't have one yet, you'll be prompted to create one.

+ For more information, see [About Autopilot Profile settings](m365bp-Autopilot-profile-settings.md).

+6. The other settings are **Skip privacy settings** and **Don't allow user to become the local admin**. These are both set to **Off** by default.

+7. **You're done** indicates that the profile you created (or chose) will be applied to the device group you created by uploading the list of devices. The settings will be in effect when the device users sign in next. Choose **Close**.

+- [About Autopilot Profile settings](../business-premium/m365bp-Autopilot-profile-settings.md) (article)\

+2. Click **Add a user**.

+3. Enter the basic information and the *personal* email address of the new employee.

+4. Have the new user sign in to use Microsoft 365 Business Premium. Give them the following sign in information:

+2. Under **Policies**, choose **Add policy**.

+3. In the **Add policy** pane, enter a name under **Policy name**, and choose the policy type that you want under **Policy type**.

+4. Turn on **Protect work files when devices are lost or stolen**, and then make sure the following three settings are turned on:

+5. Turn on **Manage how users access Office files on Mobile devices** and ensure the settings are turned on or set for each item.

+6. Under **Files in these apps will be protected**, select the Office apps you want to protect on mobile devices.

+7. Under **Who will get these settings?**, all users are selected by default, but you can choose **Change** to select any security groups you've created.

+8. To finish creating the policy, choose **Add**.

+9. On the **Add policy** page, choose **Close**.

+10. On the admin center home page, confirm that your new policy was added by choosing **Policies** and reviewing your policy on the **Policies** page.

+2. In the left nav, choose **Devices** \> **Policies** \> **Add**.

+3. On the **Add policy** pane, enter a unique name for this policy.

+4. Under **Policy type**, choose **Application Management for Android** or **Application Management for iOS**, depending on which set of policies you want to create.

+5. Expand **Protect work files when devices are lost or stolen** and **Manage how users access Office files on mobile devices**. Configure the settings how you would like. **Manage how users access Office files on mobile devices** is **Off** by default, but we recommend that you turn it **On** and accept the default values. For more information, see [Available settings](#available-settings).

+6. Next decide **Who will get these settings?** If you don't want to use the default **All Users** security group, choose **Change**, choose the security groups that get these settings \> **Select**.

+7. Finally, choose **Done** to save the policy, and assign it to devices.

+2. On the **Edit policy** pane, choose the policy you want to change.

+3. Choose **Edit** next to each setting to change the values in the policy. When you change a value, it's automatically saved in the policy.

+4. When you're finished, close the **Edit policy** pane.

+2. On the **Delete policy** pane, choose **Confirm** to delete the policy or policies you chose.

+ Title: "About Autopilot Profile settings"

+description: "Autopilot profiles help you control how Windows gets installed on user devices. The profiles contain default and optional settings like skip Cortana installation."

+# About Autopilot Profile settings

+## Autopilot profile settings

+You can use Autopilot profiles to control how Windows is installed on user devices. The profiles contain the following settings.

+## Autopilot default features (required) that are set automatically

+> To learn more security concepts, see our [Glossary of terms](m365bp-glossary.yml).

+ Title: "Create and edit Autopilot devices"

+description: "Learn how to upload devices using Autopilot in Microsoft 365 Business Premium. You can assign a profile to a device or a group of devices."

+# Create and edit Autopilot devices

+You can use the [Step-by-step guide](m365bp-add-Autopilot-devices-and-profile.md) to upload devices, but you can also upload devices in the **Devices** tab.

+1. In the Microsoft 365 admin center, choose **Devices** \> **Autopilot**.

+2. On the **Autopilot** page, choose the **Devices** tab \> **Add devices**.

+ You can get this information from your hardware vendor, or you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo) to generate a CSV file.

+ If you don't have any profiles yet, see [Create and edit Autopilot profiles](../admin/devices/create-and-edit-Autopilot-profiles.md) for instructions.

+description: "Learn about device groups and how to apply policies with Intune in Microsoft 365 Business Premium, and increase protection from cyberattacks."

+# Device groups and categories in Microsoft 365 Business Premium

+Microsoft 365 Business Premium includes endpoint protection through Microsoft Defender for Business and Microsoft Intune. Device protection policies are applied to devices through certain collections that are called device groups. In Intune, devices are grouped into device categories as a different way of organizing them.

+This article includes the following sections:

+- [Working with device groups](#working-with-device-groups)

+- [How to create a new device group](#create-a-device-group-in-the-microsoft-365-defender-portal)

+- [How to create a new device category in Intune](#create-a-device-category-in-intune)

+## Working with device groups

+A device group is a collection of devices that are grouped together because of certain specified criteria, such as the operating system version. Devices that meet the criteria are included in that device group, unless you exclude them.

+With Microsoft 365 Business Premium, you have default device groups that you can use. The default device groups include all the devices that are onboarded to Defender for Business. However, you can also create new device groups to assign device protection policies with specific settings to certain devices.

+## Create a device group in the Microsoft 365 Defender portal

+You can create a new device group while you are in the process of creating or editing a device protection policy.

+1. Go to the [Microsoft 365 Defender portal](https://security.microsoft.com) and sign in.

+2. In the navigation pane, choose **Device configuration**.

+5. Choose **Create new group**.

+## Create a device category in Intune

+Create device categories in Intune from which users must choose when they enroll a device.

+1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).

+2. Choose **Devices** > **Device categories** > **Create device category** to add a new category.

+3. On the **Create device category** pane, enter a name for the new category, and an optional description.

+4. When you're done, select **Create**. You can see the new category in the list.

+Use the device category name when you create the Azure Active Directory (Azure AD) security groups. When users enroll their devices, they are presented with a list of the categories you configured in Intune. After they choose a category and finish enrollment, their device is added to the Active Directory security group that is associated with it.

+## Create dynamic device groups in Azure Active Directory

+You can also enter the Azure Active Directory (Azure AD) portal ([https://portal.azure.com](https://portal.azure.com)) from the Microsoft 365 admin center. In the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com/)), choose **All admin centers**, and then choose **Azure Active Directory**.

+In the Azure AD portal, you can create dynamic groups based on the device category and device category name. Use dynamic group rules to automatically add and remove devices. If a device's attributes change, the system looks at your dynamic group rules for the directory to see if the device meets the rule requirements (is added) or no longer meets the rules requirements (is removed).

+You can create a dynamic group for either devices or users, but not for both. You also can't create a device group based on the device owners' attributes. Device membership rules can only reference device attributions.

+## After device groups are created

+Now that categories and device groups are established, users of iOS and Android devices enroll their devices, and as they do so, they must choose a category from the list of categories that were configured. Windows users can use the Company Portal website or the Company Portal app to select a category.

+1. After enrolling the device go to the [company portal](https://portal.microsoft.com) and choose **My Devices**.

+2. Select the enrolled device from the list, and then select a category.

+After choosing a category, the device is automatically added to the corresponding group. If a device is already enrolled before you configure categories, the user sees a notification about the device on the Company Portal website. This lets the user know to select a category the next time they access the Company Portal app on iOS/iPadOS or Android.

+> [!NOTE]

+> - You can edit a device category in the Azure portal, but you must manually update any Azure AD security groups that reference this category.

+> - If you delete a category, devices assigned to it display the category name **Unassigned**.

+## View the categories of devices that you manage

+1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), choose **Devices** > **All devices**.

+2. In the list of devices, examine the **Device category** column.

+3. If the Device category column isn't shown, select **Columns** > **Category** > **Apply**.

+## Change the category of a device

+1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), choose **Devices** > **All devices**.

+2. Select the category you want from the list, to see its properties.

+## Next steps

+Now that you've completed your primary missions, take time to set up your [response teams](m365bp-security-incident-management.md) and [maintain your environment](m365bp-maintain-environment.md).

+Every device is a possible attack avenue into your network and must be monitored and managed properly, even those devices that are personally owned but used for work. In this critical mission, you set up protection for all the bring-your-own devices (BYODs), which are those that are most risky to your organization due to being unmanaged. It's important to get these devices protected as soon as possible.

+description: "An overview about maintaining your organization's network and systems security environment, and defending against cyberattacks."

+## Possible device actions and statuses

+2. From the enrollment methods listed, select **Automatic enrollment**.

+2. From the list of policies, select a policy to see its details.

+3. Select **Properties** to manage the policy.

+4. Select **Settings** > **System Security** and configure security details in Intune.

+5. Look at configuration profiles.

+6. Create a profile and push it to the devices in your organization, as needed.

+2. Choose **Managed Google Play** and grant Microsoft permission to send information to Google.

+ > A Microsoft 365 Business Premium subscription gives you a license to modify only the Intune settings that map to the settings available in Microsoft 365 Business Premium.

+2. On the left nav, choose **Devices** \> **Policies** .

+3. Choose an existing Windows app policy and then **Edit**.

+4. Choose **Edit** next to a setting you want to change and then **Save**.

+2. On the left nav, choose **Devices** \> **Policies** \> **Add**.

+3. On the **Add policy** pane, enter a unique name for this policy.

+4. Under **Policy type**, choose **Application Management for Windows 10**.

+5. Under **Device type**, choose either **Personal** or **Company Owned**.

+6. The **Encrypt work files** is turned on automatically.

+7. Set **Prevent users from copying company data to personal files and force them to save work files to OneDrive for Business** to **On** if you don't want the users to save work files on their PC.

+8. Expand **Recover data on Windows devices**. We recommend that you turn it **On**.

+9. Expand **Protect additional network and cloud locations** if you want to add additional domains or SharePoint Online locations to make sure that files in all the listed apps are protected. If you need to enter more than one item for either field, use a semicolon (;) between the items.

+10. Next decide **Who will get these settings?** If you don't want to use the default **All Users** security group, choose **Change**, choose the security groups who will get these settings \> **Select**.

+11. Finally, choose **Add** to save the policy, and assign it to devices.

+There are times when an admin may want to force password resets on accounts.

+1. In the Admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.

+We strongly recommend that you set up the self-service password reset. This way you don't have to manually reset passwords for your users. To learn how, see [Let users reset their own passwords in Office 365](/admin/add-users/let-users-reset-passwords.md).

+1. Select your name (icon) in the upper-right corner > **My Account** > **Personal Info**.

+3. Sign out: select your name in the upper-right corner \> **Sign out**.

+If you forgot your password and can't sign in:

+- Ask another global admin in your business to reset your password for you.

+- Make sure you've provided alternate contact information, including a mobile phone number.

+2. Select the option next to **Display name** to select everyone in your business. Then, unselect yourself. You can't reset your own password at the same time you reset everyone else's password.

+description: See how to view remediations that were taken automatically or that are awaiting approval in the Action center.

+4. Select the **History** tab to view a list of completed actions.

+# Review detected threats

+As soon as a malicious file or software is detected, Microsoft Defender blocks it and prevents it from running. And with cloud-delivered protection turned on, newly detected threats are added to the antivirus and antimalware engine so that your other devices and users are protected, as well.

+## Actions you can take

+| Restart device | Forces a Windows device to restart within five minutes.<br><br>**IMPORTANT:** The device owner or user isn't automatically notified of the restart and could lose unsaved work. |

+1. Go to the ([Microsoft 365 Defender portal](https://security.microsoft.com)) and sign in.

+1. In the navigation pane, choose **Threat Analytics** to see all the current threats. They are categorized by threat severity and type.

+1. Click on a threat to see more details about the threat.

+1. In the table, you can filter the alerts according to a number of criteria.

+## Manage threat detections in Microsoft InTune

+You can use Microsoft Endpoint Manager to manage threat detections as well. First, all devices whether Windows, iOS or Android, must be [enrolled in Intune](/mem/intune/enrollment/windows-enrollment-methods) (part of Microsoft Endpoint Manager).

+3. Under **Manage**, select **Antivirus**. You'll see tabs for **Summary**, **Unhealthy endpoints**, and **Active malware**.

+For example, suppose that devices are listed on the **Active malware** tab. When you select a device, you'll have certain actions available, such as **Restart**, **Quick Scan**, **Full Scan**, **Sync**, or **Update signatures**. Select an action for that device.

+| Restart | Forces a Windows device to restart within five minutes.<br><br>**IMPORTANT:** The device owner or user isn't automatically notified of the restart and could lose unsaved work. |

+Watch the following video to see how Microsoft 365 Business Premium helps your business be more productive and secure: <p>

+description: "How to set up Microsoft 365 Business Premium or work with a solution provider to do so."

+> [!NOTE]

+description: "Learn how to validate the Microsoft 365 Business Premium app protection settings on your Android or iOS devices. Making security settings for your applications is critical in order to protect the files on your mobile apps and devices from any kind of security threats."

+| Granular delegated administrator | Partners who manage products and services for your organization or school, but who have limited access to what they can do in the Microsoft 365 admin center. Granular delegated administrator privileges (GDAP) let partners complete tasks in the admin center without having global admin permission. By giving GDAP to partners, you ensure they have the least-permissive roles and limit the risk to your organization. |

+| Power Apps per user* | CFQ7TTC0LH2H |

+| Microsoft 365 F3 | CFQ7TTC0LH05 |

+5. Add one or more users in your organization as custodians to the case by typing the first part of a person's name or alias. Both active and inactive users are searched. After you find the correct person, select their name to add them to the list.

+After you select custodians, the system automatically attempts to identify and verify these users and their data sources. After adding custodians to the list, the tool automatically includes the primary mailbox and OneDrive account for each active user that has been added as a custodian. If the user is inactive, the tool will only identify the primary mailbox. You can choose not to include these data sources when adding custodians to the case.

+ - **SharePoint**: Use to associate SharePoint sites to the custodian. Select a site in the list or search for a site by typing a URL in the search box. Select the sites to assign to the custodian and then click **Add**. If a user is inactive, their OneDrive site will need to be added as an additional SharePoint location here.

+ - For PDF files, if the label applies encryption, these files, if unencrypted, are now encrypted by using [Message encryption](ome.md) when your tenant is [enabled for PDF attachments](ome-faq.yml#are-pdf-file-attachments-supported-). The encryption settings applied are inherited from the email.

+ - For these Office files, Word, PowerPoint, and Excel are supported. If the label applies encryption and these files are unencrypted, they're now encrypted by using [Message encryption](ome.md). The encryption settings are inherited from the email.

+10. For the **Decide if you want to test out the policy now or later** page: Select **Run policy in simulation mode** if you're ready to run the auto-labeling policy now, in simulation mode. Then decide whether to automatically turned on the policy if it's not edited for 7 days:

+

+

+ If you're not ready to run simulation, select **Leave policy turned off**.

+- You can import a maximum of 1,000 custodians (rows) per CSV file. Note that importing 1,000 custodians at the same time might result in timeout errors and some custodians might fail the import. To remediate this, repeat the import and the failed custodians should be imported. To avoid timeouts we recommend importing 200 custodians at a time.

+description: "A case study for Contoso and how they quickly configure a communication compliance policy to detect inappropriate text in Microsoft Teams, Exchange Online, and Yammer communications."

+The Contoso Corporation is a fictional organization that needs to quickly configure a policy to detect inappropriate text. They have been using Microsoft 365 primarily for email, Microsoft Teams, and Yammer support for their users but have new requirements to enforce company policy around workplace harassment. Contoso IT administrators and compliance specialists have a basic understanding of the fundamentals of working with Microsoft 365 and are looking for end-to-end guidance for how to quickly get started with communication compliance.

+This case study will cover the basics for quickly configuring a communication compliance policy to detect inappropriate text. This guidance includes:

+The quickest way to access the solution is to sign in directly to the **Communication compliance** (<https://compliance.microsoft.com/supervisoryreview>) solution. Using this link, Contoso IT administrators and compliance specialists will be directed to the communication compliance home page where you can quickly review the status of alerts and create new policies from the pre-defined templates.

+

+Another easy way for Contoso IT administrators and compliance specialists to access the communication compliance solution is to sign in directly to the [Microsoft Purview compliance portal](https://compliance.microsoft.com). After signing in, users simply need to select the **Show all** control to display all the compliance solutions, and then select the **Communication compliance** solution to get started.

+

+

+To get started with a communication compliance policy, there are several prerequisites that Contoso IT administrators need to configure before setting up the new policy to detect inappropriate text. After these prerequisites have been completed, Contoso IT administrators and compliance specialists can configure the new policy, and compliance specialists can start investigation and remediating any generated alerts.

+Communication compliance requires that the Yammer tenant for an organization is in Native Mode to detect inappropriate text in private messages and public community conversations.

+Contoso compliance specialists want to add all users to the communication policy that will detect inappropriate text. They could decide to add each user account to the policy separately, but they've decided it's much easier and saves time to use an **All Users** distribution group for the users for this policy.

+### Creating the policy to detect inappropriate text

+With all the prerequisites completed, the IT administrators and the compliance specialists for Contoso are ready to configure the communication compliance policy to detect inappropriate text. Using the new inappropriate text policy template, configuring this policy is simple and quick.

+Now that the communication compliance policy to detect inappropriate text is configured, the next step for the Contoso compliance specialists will be to investigate and remediate any alerts generated by the policy. It will take up to an hour for the policy to fully process communications in all the communication source channels and for alerts to show up in the **Alert dashboard**.

+- **For Teams Channel communications:** Assign every Microsoft Teams channel or Microsoft 365 group you want to scan that contains a specific user to the communication compliance policy. If you add the same user to other Microsoft Teams channels or Microsoft 365 groups, be sure to add these new channels and groups to the communication compliance policy. If any member of the channel is a supervised user within a policy and the *Inbound* direction is configured in a policy, all messages sent within the channel are subject to review, and potential policy matches (even for users in the channel that aren't explicitly supervised). For example, User A is the owner or a member of a channel. User B and User C are members of the same channel and use language that is matched to the inappropriate content policy that supervises only User A. User B and User C create policy matches for conversations within the channel even though they aren't directly supervised in the inappropriate content policy. Teams conversations between User B and User C that are outside of the channel that includes User A wouldn't be subject to the inappropriate content policy that includes User A. To exclude channel members from supervision when other members of the channel are explicitly supervised, turn off the *Inbound* communication direction setting in the applicable communication compliance policy.

+- **For Teams chat communications with hybrid email environments**: Communication compliance can detect chat messages for users for organizations with an Exchange on-premises deployment or an external email provider that have enabled Microsoft Teams. You must create a distribution group for the users with on-premises or external mailboxes to monitor. When creating a communication compliance policy, you'll assign this distribution group as the **Supervised users and groups** selection in the policy wizard. For more information about the requirements and limitations for enabling cloud-based storage and Teams support for on-premises users, see [Search for Teams chat data for on-premises users](search-cloud-based-mailboxes-for-on-premises-users.md).

+Use communication compliance policies to identify user communications for examination by internal or external reviewers. For more information about how communication compliance policies can help you detect communications in your organization, see [communication compliance policies](communication-compliance.md). If you'd like to review how Contoso quickly configured a communication compliance policy to detect inappropriate content in Microsoft Teams, Exchange Online, and Yammer communications, check out this [case study](communication-compliance-case-study.md).

+ When you create a communication compliance policy, you define who has their communications reviewed and who performs reviews. In the policy, you'll use email addresses to identify individuals or groups of people. To simplify your setup, you can create groups for people who have their communication reviewed and groups for people who review those communications. If you're using groups, you may need several. For example, if you want to detect communications between two distinct groups of people or if you want to specify a group that isn't going to be supervised.

+When you assign a *distribution group* in the policy, the policy monitors all emails and Teams chats from each user in the *distribution group*. When you assign a *Microsoft 365 group* in the policy, the policy detects all emails and Teams chats sent to the *Microsoft 365 group*,* not the individual emails and chats received by each group member. Using distribution groups in communication compliance policies are recommended so that individual emails and Teams chats from each user are automatically monitored.

+If you're an organization with an Exchange on-premises deployment or an external email provider and you want to detect Microsoft Teams chats for your users, you must create a distribution group for the users with on-premises or external mailboxes to monitor. Later in these steps, you'll assign this distribution group as the **Supervised users and groups** selection in the policy wizard. For more information about the requirements and limitations for enabling cloud-based storage and Teams support for on-premises users, see [Search for Teams chat data for on-premises users](search-cloud-based-mailboxes-for-on-premises-users.md).

+ - Choose the communication direction to detect, including inbound, outbound, or internal communications.

+- All organizations have different communication standards and policy needs. Detect specific keywords using communication compliance [policy conditions](communication-compliance-policies.md#conditional-settings) or detect specific types of information with [custom sensitive information types](create-a-custom-sensitive-information-type.md).

+To configure communication compliance for your Microsoft 365 organization, see [Configure communication compliance](communication-compliance-configure.md) or check out the [case study for Contoso](communication-compliance-case-study.md) and how they quickly configured a communication compliance policy to detect inappropriate content in Microsoft Teams, Exchange Online, and Yammer communications.

+## User-reported messages policy

+>[!NOTE]

+>Availability for user-reported messages for organizations licensed and using [communication compliance](/microsoft-365/compliance/communication-compliance-configure#subscriptions-and-licensing) and Microsoft Teams started in May 2022. This feature will be available by August 31, 2022 for all organizations licensed and using communication compliance through July 2022. For organizations starting to use communication compliance after July 2022, user-reported messages policy availability may take up to 30 days from the date of your licensing and first use of communication compliance.

+As part of a layered defense to detect and remediate inappropriate messages in your organization, you can supplement communication compliance policies with user-reported messages in Microsoft Teams. This feature empowers users in your organization to self-report inappropriate internal chat messages, such as harassing or threatening language, sharing of adult content, and sharing of sensitive or confidential information, to help foster a safe and compliant work environment.

+Enabled by default in the [Teams admin center](/microsoftteams/manage-teams-in-modern-portal), the *Report a concern* option in Teams messages allows users in your organization to submit inappropriate internal chat messages for review by communication compliance reviewers for the policy. These messages are supported by a default system policy that supports reporting messages in Teams group and private chats.

+

+When a user submits a Teams chat message for review, the message is copied to the User-reported message policy. Reported messages initially remain visible to all chat members and there isn't any notification to chat members or the submitter that a message has been reported in channel, private, or group chats. A user can't report the same message more than once and the message remains visible to all users included in the chat session during the policy review process.

+During the review process, communication compliance reviewers can perform all the standard [remediation actions](/microsoft-365/compliance/communication-compliance-investigate-remediate#step-3-decide-on-a-remediation-action) on the message, including removing the message from the Teams chat. Depending on how the messages are remediated, the message sender and recipients will see different [notification messages](/microsoftteams/communication-compliance#act-on-inappropriate-messages-in-microsoft-teams) in Teams chats after the review.

+

+User reported messages from Teams chats are the only messages processed by the User-reported message policy and only the assigned reviewers for the policy can be modified. All other policy properties aren't editable. When the policy is created, the initial reviewers assigned to the policy are all members of the *Communication Compliance Admins* role group (if populated with at least one user) or all members of your organization's *Global Admin* role group. The policy creator is a randomly selected user from the *Communication Compliance Admins* role group (if populated with at least one user) or a randomly selected user from your organization's *Global Admin* role group.

+Admins should immediately assign custom reviewers to this policy as appropriate for your organization. This may include reviewers such as your Compliance Officer, Risk Officer, or members of your Human Resources department. To customize the reviewers for chat messages submitted as user-reported messages, complete the following steps:

+1. Sign into [Microsoft Purview compliance portal](https://compliance.microsoft.com/) using credentials for an admin account in your Microsoft 365 organization.

+2. In the compliance portal, go to **Communication compliance**.

+3. On the **Policy** tab, select the *User-reported messages* policy and select **Edit**.

+4. On the **Monitor for user-reported messages** pane, assign reviewers for the policy. Reviewers must have mailboxes hosted on Exchange Online. When reviewers are added to a policy, they automatically receive an email message that notifies them of the assignment to the policy and provides links to information about the review process.

+5. Select **Save**.

+The *Report a concern* option is enabled by default and can be controlled via Teams messaging policies in the [Teams Admin Center](/microsoftteams/manage-teams-in-modern-portal). Users in your organization will automatically get the global policy, unless you create and assign a custom policy. Edit the settings in the global policy or create and assign one or more custom policies to turn on or turn off the *Report a concern* option. To learn more, see [Manage messaging policies in Teams](/microsoftteams/messaging-policies-in-teams).

+>[!IMPORTANT]

+>If you're using PowerShell to turn on or turn off the **End user reporting** option in the Teams Admin Center, you must use [Microsoft Teams cmdlets module version 4.2.0](/MicrosoftTeams/teams-powershell-release-notes) or later.

+## Policy activity detection

+Communications are scanned every hour from the time policies are created. For example, if you create an inappropriate content policy at 11:00 AM, the policy will gather communication compliance signals every hour starting from when the policy was created. Editing a policy doesn't change this time. To view the last scan date and time for a policy, navigate to the Last policy scan column on the Policy page. After creating a new policy, it may take up to an hour to view the first policy scan date and time. The date and time of the last scan are converted to the time zone of your local system.

+The following table outlines the time to detection for supported content types:

+|**Content type**|**Time to detection**|

+|:|:--|

+| Email body content | 1 hour |

+| Teams body content | 1 hour |

+| Yammer body content | 13 hours |

+| Email OCR | 13 hours |

+| Teams OCR | 13 hours |

+| Email attachment | 13 hours |

+| Team attachment | 13 hours |

+| Teams modern attachment | 13 hours |

+| Teams metadata | 1 hour |

+| Email metadata | 1 hour |

+For existing policies created before July 31, 2022 it may take up to 24 hours to detect messages and review alerts that match these policies. To reduce the latency for these policies, [copy the existing policy](/microsoft-365/compliance/communication-compliance-policies#copy-a-policy) and create a new policy from the copy. If you don't need to retain any data from the older policy, it can be paused or deleted.

+To identify an older policy, review Last policy scan column on the Policy page. Older policies will display a full date for the scan while policies created after July 31, 2022 will display 1 hour ago for the scan. Another option to reduce latency is to wait until December 31, 2022 for your existing policies to be automatically migrated to the new detection criteria.

+> Policies using classifiers will inspect and evaluate messages with a word count of six or greater. Messages containing less than six words aren't evaluated in policies using classifiers. To identify and take action on shorter messages containing inappropriate content, we recommend including a custom keyword dictionary to communication compliance policies detecting this type of content.

+### Message details report

+### Microsoft Graph API for records management (preview)

+Organizations of all types require a records management solution to manage critical records across their data. [Microsoft Purview Records Management](records-management.md) helps an organization manage their legal obligations, provides the ability to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required.

+The records management solution is used by organizations in large volumes to utilize its various capabilities in protecting, labeling, retaining, or deleting their data. The Microsoft Graph APIs for records management lets organizations manage retention labels and their associated actions more efficiently, automate repetitive tasks, and equip customers with flexibility in options.

+Now rolling out, the first release of Graph APIs for records management support the management of retention labels, and event-based retention. Example scenarios:

+- **Managing retention labels**

+

+ Record management admins and developers need to maintain their record management systems with labels that are periodically created, updated, and deleted.

+

+ Developers and compliance admins use the Graph APIs for records management to perform CRUD operations on the label entity to maintain their systems.

+- **Triggering an event for an existing label**

+

+ When an employee leaves an organization, the information is updated in the HR management system. From the date of leaving, confidential documents need to be retained for seven years. These documents already have the retention label "Employee_departure" applied to them.

+

+ Developers and compliance admins use the Graph APIs for records management to read the label ΓÇ£Employee_departureΓÇ¥ and look up the associated event type "Event-employee_departure".

+

+ They then use the Graph APIs for records management to create an event for the associated event type. The retention period for the confidential documents starts after this event is created.

+For more information about the Graph APIs for records management, see [Use the Microsoft Graph Records Management API](/graph/api/resources/security-recordsmanagement-overview?view=graph-rest-beta&preserve-view=true).

+For licensing requirements to use these APIs, see the records management section from [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).

+|condition or exception in DLP|condition/exception parameters in Security & Compliance PowerShell|property type|description|

+|condition or exception in DLP|condition/exception parameters in Security & Compliance PowerShell|property type|description|

+|condition or exception in DLP|condition/exception parameters in Security & Compliance PowerShell|property type|description|

+|condition or exception in DLP|condition/exception parameters in Security & Compliance PowerShell|property type|description|

+|Document property is|condition: *ContentPropertyContainsWords* <br/><br/> exception: *ExceptIfContentPropertyContainsWords*|Words|Messages with documents where an attachment's custom property matches the given value.|

+|condition or exception in DLP|condition/exception parameters in Security & Compliance PowerShell|property type|description|

+|condition or exception in DLP|condition/exception parameters in Security & Compliance PowerShell|property type|description|

+|action in DLP|action parameters in Security & Compliance PowerShell|property type|description|

+- Microsoft Defender for Cloud Apps

+#### Email notifications support by selected location

+|Selected location |Email notifications supported |

+|||

+|Devices |- Not supported |

+|Exchange + Devices |- Supported for Exchange </br>- Not supported for Devices |

+|Exchange |- Supported |

+|SharePoint + Devices |- Supported for SharePoint </br>- Not supported for Devices |

+|SharePoint |- Supported |

+|Exchange + SharePoint |- Supported for Exchange </br>- Supported for SharePoint |

+|Devices + SharePoint + Exchange |- Not supported for Devices </br>- Supported for SharePoint </br> Supported for Exchange |

+|Teams |- Not supported |

+|OneDrive for Business |- Supported |

+|OneDrive for Business + Devices |- Supported for OneDrive for Business </br>- Not supported for Devices |

+|Power-BI|- Not supported|

+|Microsoft Defender for Cloud Apps|- Not supported|

+|On-premises repositories|- Not supported|

+You can scope DLP policies to Microsoft Defender for Cloud Apps to monitor, detect and take actions when sensitive items are used and shared via non-Microsoft cloud apps.

+Before you start using DLP policies, confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1) and any add-ons. To access and use this functionality, you must have one of these subscriptions or add-ons:

+Before you configure DLP policies scoped to Microsoft Defender for Cloud Apps, you must prepare your Defender for Cloud Apps environment. For instructions, see [Quickstart: Get started with Microsoft Defender for Cloud Apps](/defender-cloud-apps/get-started).

+To use a DLP policy thats scoped to a specific non-Microsoft cloud app, the app must be connected to Defender for Cloud Apps. For information, see:

+- [Connect Box](/defender-cloud-apps/connect-box)

+- [Connect Dropbox](/defender-cloud-apps/connect-dropbox)

+- [Connect Google Workspace](/defender-cloud-apps/connect-google-workspace)

+- [Connect Salesforce](/defender-cloud-apps/connect-salesforce)

+- [Connect Cisco Webex](/defender-cloud-apps/connect-webex)

+After you connect your cloud apps to Defender for Cloud Apps, you can create DLP policies for them.

+## Create a DLP policy scoped to a non-Microsoft cloud app

+Refer to [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) for the procedures to create a DLP policy. Keep these points in mind as you configure your policy.

+- Select the turn on the **Microsoft Defender for Cloud Apps** location.

+- To select a specific app or instance, select **Choose instance**. If you don't select an instance, the policy will be scoped to all connected apps in your Microsoft Defender for Cloud Apps tenant.

+- You can select from a number of **Actions** to enforce on third party apps. To restrict third-party apps, select **Restrict Third Party Apps** and then select the specific actions.

+

+> When you create a DLP policy that is scoped to Microsoft Defender for Cloud Apps, the same policy will be automatically created in Microsoft Defender for Cloud Apps.

+Locate the `JwtAudience`. Replace `<yourhostname>` with the hostname of the machine where the DKE service will run. For example: "https://dkeservice.contoso.com"

+ > The value for `JwtAudience` must match the name of your host *exactly*.

+Your setup is now complete. Before you publish the keystore, in appsettings.json, for the JwtAudience setting, ensure the value for hostname exactly matches your App Service host name.

+ For example: `https://dkeservice.contoso.scm.azurewebsites.net/ZipDeployUI`

+key_store_tester.ps1 https://dkeservice.contoso.com/TestKey1

+ For example:

+ - In all cases, the scheme must be **https**.

+ Ensure the hostname exactly matches your App Service hostname.

+## Known Issues

+Under very rare circumstances, enterprise users may see certificate validation errors where the Root CA "DigiCert Global Root G2" appears as revoked. This is due to a known Windows bug under both of the following conditions:

+- The Root CA is in the [CurrentUser\Root certificate store](/windows/win32/seccrypto/system-store-locations#cert_system_store_current_user) and is missing the `NotBeforeFileTime` and `NotBeforeEKU` properties

+- The Root CA is also in the [LocalMachine\AuthRoot certificate store](/windows/win32/seccrypto/system-store-locations#cert_system_store_local_machine) but has both the `NotBeforeFileTime` and `NotBeforeEKU` properties

+All leaf certificates issued from this Root CA after the `NotBeforeFileTime` will appear revoked.

+Administrators can identify and troubleshoot the issue by inspecting the CAPI2 Log for this error:

+```text

+Log Name: Microsoft-Windows-CAPI2/Operational

+Source: Microsoft-Windows-CAPI2

+Date: 6/23/2022 8:36:39 AM

+Event ID: 11

+Task Category: Build Chain

+Level: Error

+[...]

+ <ChainElement>

+ <Certificate fileRef="DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.cer" subjectName="DigiCert Global Root G2" />

+ [...]

+ <TrustStatus>

+ <ErrorStatus value="4000024" CERT_TRUST_IS_REVOKED="true" CERT_TRUST_IS_UNTRUSTED_ROOT="true" CERT_TRUST_IS_EXPLICIT_DISTRUST="true" />

+ <InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />

+ </TrustStatus>

+ [...]

+ <RevocationInfo freshnessTime="PT0S">

+ <RevocationResult value="80092010">The certificate is revoked.</RevocationResult>

+ </RevocationInfo>

+ </ChainElement>

+ </CertificateChain>

+ <EventAuxInfo ProcessName="Teams.exe" />

+ <Result value="80092010">The certificate is revoked.</Result>

+```

+Note the presence of the `CERT_TRUST_IS_EXPLICIT_DISTRUST="true"` element.

+You can confirm that two copies of the Root CA with different `NotBeforeFileTime` properties are present by running the following `certutil` commands and comparing the output:

+```

+certutil -store -v authroot DF3C24F9BFD666761B268073FE06D1CC8D4F82A4

+certutil -user -store -v root DF3C24F9BFD666761B268073FE06D1CC8D4F82A4

+```

+A user can resolve the issue by deleting the copy of the Root CA in the `CurrentUser\Root` certificate store:

+```

+certutil -user -delstore root DF3C24F9BFD666761B268073FE06D1CC8D4F82A4

+```

+|RetentionDuration|String|No, unless **RetentionAction** or **RetentionType** are specified|This property specifies the number of days to retain the content. Valid values are: </br>**Unlimited**: Items will be retained indefinitely. </br>***n**: A positive integer in days; for example, **365**. The maximum number supported is 36,525, which is 100 years. If you need longer than this maximum, use Unlimited instead.</br> </br> Group dependencies: When this property is specified, RetentionAction and RetentionType must also be specified.

+A number of different subscriptions support records management and the licensing requirements for users depends on the features you use.

+| Programatically create and manage retention labels, event-based retention, and automate repetitive tasks for records management | [Microsoft Graph API for records management (preview)](compliance-extensibility.md#microsoft-graph-api-for-records-management-preview) |

+# Get started with Microsoft Service Trust Portal

+The Service Trust Portal is Microsoft's public site for publishing audit reports and other compliance-related information associated with MicrosoftΓÇÖs cloud services. STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored whitepapers that provide details on how Microsoft builds and operates cloud services. To access some of the resources on the Service Trust Portal, you must log in as an authenticated user with your Microsoft cloud services account (Azure Active Directory organization account) and review and accept the Microsoft Non-Disclosure Agreement for Compliance Materials.

+ > Azure Active Directory accounts associated with organizations have access to the full range of documents and resources like Compliance Manager.

+### Certifications, Standards, Regulations, and Industry Resources

+Provides a wealth of security implementation and design information with the goal of making it easier for you to meet regulatory compliance objectives by understanding how Microsoft Cloud services keep your data secure. To review content, select one of the following tiles.

+- **DoD** - Cloud computing security requirements for the US Department of Defense.

+- **FedRAMP** - US government program providing a standard approach to security, authorization, and monitoring.

+- **Financial Services** - The Microsoft Cloud for FInancial Services provides capabilities to manage data.

+- **GDPR** - How Microsoft helps support our customers on their GDPR compliance journeys.

+- **GRC Assessment** - Provides audit and assurance professionals with a common set of assessment procedures.

+- **HIPAA** - US Privacy requirements for personal health information held by covered entities.

+- **IRS 1075** - US government program providing guidance to protect the confidentiality of Federal Tax Information (FTI).

+- **ISO** - Compliance with specific information security and risk management requirements.

+- **ITAR** - US regulation that controls the manufacture, sale, and distribution of defense.

+- **NIST 800-171 (DFARS)** - US security requirements for protecting Controlled Unclassified Information in Non Federal Systems and Organizations.

+- **PCI DSS** - Validation of controls around cardholder data to reduce credit card fraud.

+- **SOC Reports** - SOC 1, 2, and 3 reports designed to build trust and confidence in Microsoft Services.

+Resources with the series check mark indicate that the document has multiple versions, which can be viewed once you click on the document and click ΓÇ£view all versionsΓÇ¥ on the following page.

+Filter by date and cloud service - When viewing the available documents, you can sort the results by date range by selecting **Dates** and then selecting the range you want to use.

+Document download view - When viewing the available documents, you can sort the results by the applicable **Cloud Service**.

+> [!NOTE]

+> Many of the files on the STP require acceptance of a license agreement. Some browser-based PDF viewers do not allow Javascript to run, which prevents the license agreement from being displayed and the file from opening.

+This feature lets you save (or *pin*) documents so that you can quickly access them on your My Library page. You can also set up notifications so that Microsoft sends you an email message when documents in your My Library are updated. For more information, see the [My Library](#my-library-1) section in this article.

+### All Documents

+This section displays all available documents. Select the documents to save into your My Library section. Documents are sorted under the same categories shown under Certifications, Standards, Regulations, and Industry Resources.

+

+By default, the search returns document results. You can filter the results by using the dropdown lists to refine the list of documents displayed. You can use multiple filters to narrow the list of documents. Filters include the specific cloud services, and regions. Click the document name link to download the document.

+

+When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area. Data theft for departing users may include downloading files from SharePoint Online, printing files, and copying data to personal cloud messaging and storage services near their employment resignation and end dates. By using either the Microsoft 365 HR connector or the option to automatically detect user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these activities and how they correlate with user employment status.

+Departing users, whether leaving on positive or negative terms, may be higher risks for security policy violations. To help protect against inadvertent or malicious security violations for departing users, this policy template uses Defender for Endpoint alerts to provide insights into security-related activities. These activities include the user installing malware or other potentially harmful applications and disabling security features on their devices. By using either the [Microsoft 365 HR connector](import-hr-data.md) or the option to automatically detect user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these security activities and how they correlate with user employment status.

+3. Install the Microsoft Edge browser on the endpoint device to detect actions for the cloud upload activity. See, [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium).

+You must enable device monitoring and onboard your endpoints before you can detect insider risk management activities on a device. Both actions are taken in the Microsoft Purview compliance portal.

+In this deployment scenario, you'll onboard devices that haven't been onboarded yet, and you just want to detect insider risk activities on Windows 10 devices.

+3. On the **Priority physical assets** page, you can either manually add the physical asset IDs you want to detect asset events imported by the Physical badging connector or import a .csv file of all physical assets IDs imported by the Physical badging connector:

+[Microsoft Purview Privileged Access Management](privileged-access-management.md) allows granular access control over privileged Exchange Online admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.

+> When you create a query-based hold, all content from selected locations is initially placed on hold. After the timer job in either Exchange or SharePoint runs, any content that doesn't match the specified query is cleared from the hold. After the character count across all queries on a single location exceeds 10,000 characters, the entire location is placed on hold.

+Service-side auto-labeling helps label sensitive documents at rest, and emails in transit. The default service-side auto-labeling policy creates policies that run in simulation mode for documents stored in all SharePoint or OneDrive sites, and all emails that are sent via Exchange Online.

+In simulation mode, items aren't actually labeled until the policy is turned on. You can manually turn on the policy, or unless you change the default setting, the policy will be automatically turned on for you if there aren't any changes to the policy within a set number of days from when the simulation completes.

+> [!NOTE]

+> Automatically turning on auto-labeling policies is new and gradually rolling out for new auto-labeling policies. You might not see this configuration immediately, or for all policies.

+In most cases, the number of days before an unedited policy is automatically turned on is 7. However, specific to new customers from June 23, 2022, the initial number of days is 25, and then 7 after the policy is edited.

+Simulation mode allows you to preview what items would get labeled when the policy is turned on, so you have confidence in the labeling feature before you deploy the policy to your tenant for actual labeling.

+The default service-side auto-labeling policies have the following configuration:

+For all customers:

+- If there are 1-9 instances of credit card numbers found in a document or email, apply the sensitivity label **Confidential** \ **Anyone (unrestricted)**

+

+For new customers from June 23, 2022, and the Microsoft 365 tenant is in the US region:

+- If there are 1-9 instances of US personal data and full names found in a document or email, apply the sensitivity label **Confidential** \ **Anyone (unrestricted)**

+- If there are 10 or more instances of US personal data and full names found in a document or email, apply the sensitivity label **Confidential** \ **All Employees**

+New customers from June 23, 2022 have two auto-labeling policies for each setting. One policy is for the Exchange location, and the other for the SharePoint and OneDrive locations. Although the policies are created at the same time, simulation isn't immediately turned on for SharePoint and OneDrive:

+- Exchange location: The auto-labeling policy is created and immediately starts simulation.

+- SharePoint and OneDrive locations: The auto-labeling policy is created but waits 25 days before it automatically starts simulation. This delay gives you time for files to be created and saved to these locations.

+When the simulation is complete, review the results and if you are happy with them, turn on the policies. Slowly rolling out starting June 23, 2022, by default, the policies will be automatically turned on if they're not edited within the set time period (25 days initially for new customers, otherwise 7 days).

+1. Learn about [privileged access management](privileged-access-management.md)

+- [Frequently asked questions about privileged access management](privileged-access-management.md#frequently-asked-questions)

+ Title: "Learn about privileged access management"

+description: This article provides an overview about privileged access management in Microsoft Purview, including answers to frequently asked questions (FAQs).

+keywords: Microsoft 365, Microsoft Purview, compliance, privileged access management

+audience: ITPro

+f1.keywords:

+- NOCSH

+ms.localizationpriority: medium

+search.appverid:

+- MET150

+- Strat_O365_IP

+- m365-security-compliance

+- m365solution-insiderrisk

+- m365initiative-compliance

+ - Ent_Solutions

+ - seo-marvel-apr2020

+# Learn about privileged access management

+Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Enabling privileged access management allows your organization to operate with zero standing privileges and provide a layer of defense against standing administrative access vulnerabilities.

+For a quick overview of the integrated Customer Lockbox and privileged access management workflow, see this [Customer Lockbox and privileged access management video](https://go.microsoft.com/fwlink/?linkid=2066800).

+## Layers of protection

+Privileged access management complements other data and access feature protections within the Microsoft 365 security architecture. Including privileged access management as part of an integrated and layered approach to security provides a security model that maximizes protection of sensitive information and Microsoft 365 configuration settings. As shown in the diagram, privileged access management builds on the protection provided with native encryption of Microsoft 365 data and the role-based access control security model of Microsoft 365 services. When used with [Azure AD Privileged Identity Management](/azure/active-directory/active-directory-privileged-identity-management-configure), these two features provide access control with just-in-time access at different scopes.

+

+Privileged access management is defined and scoped at the **task** level, while Azure AD Privileged Identity Management applies protection at the **role** level with the ability to execute multiple tasks. Azure AD Privileged Identity Management primarily allows managing accesses for AD roles and role groups, while Microsoft Purview Privileged Access Management applies only at the task level.

+- **Enabling privileged access management while already using Azure AD Privileged Identity Management:** Adding privileged access management provides another granular layer of protection and audit capabilities for privileged access to Microsoft 365 data.

+- **Enabling Azure AD Privileged Identity Management while already using Microsoft Purview Privileged Access Management:** Adding Azure AD Privileged Identity Management to Microsoft Purview Privileged Access Management can extend privileged access to data outside of Microsoft 365 that's primarily defined by user roles or identity.

+## Privileged access management architecture and process flow

+Each of the following process flows outline the architecture of privileged access and how it interacts with the Microsoft 365 substrate, auditing, and the Exchange Management runspace.

+### Step 1: Configure a privileged access policy

+When you configure a privileged access policy with the [Microsoft 365 admin center](https://admin.microsoft.com) or the Exchange Management PowerShell, you define the policy and the privileged access feature processes and the policy attributes in the Microsoft 365 substrate. The activities are logged in the Security &amp; Compliance Center. The policy is now enabled and ready to handle incoming requests for approvals.

+

+### Step 2: Access request

+In the [Microsoft 365 admin center](https://admin.microsoft.com) or with the Exchange Management PowerShell, users can request access to elevated or privileged tasks. The privileged access feature sends the request to the Microsoft 365 substrate for processing against the configured privilege access policy and records the Activity in the Security &amp; Compliance Center logs.

+

+### Step 3: Access approval

+An approval request is generated and the pending request notification is emailed to approvers. If approved, the privileged access request is processed as an approval and the task is ready to be completed. If denied, the task is blocked and no access is granted to the requestor. The requestor is notified of the request approval or denial via email message.

+

+### Step 4: Access processing

+For an approved request, the task is processed by the Exchange Management runspace. The approval is checked against the privileged access policy and processed by the Microsoft 365 substrate. All activity for the task is logged in the Security &amp; Compliance Center.

+

+## Frequently asked questions

+### What SKUs can use privileged access in Office 365?

+Privileged access management is available for customers for a wide selection of Microsoft 365 and Office 365 subscriptions and add-ons. See [Get started with privileged access management](privileged-access-management-configuration.md) for details.

+### When will privileged access support Office 365 workloads beyond Exchange?

+Privileged access management will be available in other Office 365 workloads soon. Visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap) for more details.

+### My organization needs more than 30 privileged access policies, will this limit be increased?

+Yes, raising the current limit of 30 privileged access policies per organization is on the feature roadmap.

+### Do I need to be a Global Admin to manage privileged access in Office 365?

+No, you need the Exchange Role Management role assigned to accounts that manage privileged access in Office 365. If you don't want to configure the Role Management role as a stand-alone account permission, the Global Administrator role includes this role by default and can manage privileged access. Users included in an approvers' group don't need to be a Global Admin or have the Role Management role assigned to review and approve requests with PowerShell.

+### How is privileged access management related to Customer Lockbox?

+[Customer Lockbox](/office365/admin/manage/customer-lockbox-requests) allows a level of access control for organizations when Microsoft accesses data. Privileged access management allows granular access control within an organization for all Microsoft 365 privileged tasks.

+## Ready to get started?

+Start [configuring your organization for privileged access management](privileged-access-management-configuration.md).

+## Learn more

+[Interactive guide: Monitor and control administrator tasks with privileged access management](https://content.cloudguides.com/guides/Privileged%20Access%20Management)

+- [Overview of privileged access management](privileged-access-management.md)

+ Title: "Identify the available PowerShell cmdlets for retention"

+f1.keywords:

+- NOCSH

+audience: Admin

+ms.localizationpriority: normal

+- M365-security-compliance

+- SPO_Content

+- m365initiative-compliance

+description: Identify the PowerShell cmdlets for retention that support configuration at-scale, automation, or might be needed for advanced configuration scenarios.

+# PowerShell cmdlets for retention policies and retention labels

+>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).*

+Use the following sections to identify the main PowerShell cmdlets that are available for retention policies and retention labels that you might need for configuration at-scale, automated scripts, or advanced configuration scenarios. For the full list of cmdlets, see the [policy-and-compliance-retention list](/powershell/module/exchange#policy-and-compliance-retention) from the PowerShell documentation.

+Before you use these cmdlets, you must first [connect to Office 365 Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).

+In the descriptions that follow, a policy for retention can refer to a retention policy (no labels), or a retention label policy. Each policy defines whether it's static or adaptive and the locations for the policy to be applied. The policy then requires one rule to complete the configuration.

+For example:

+- A retention policy needs a rule that defines the retention settings, such as retain for five years and then delete.

+When you use retention labels, these contain the retention settings and their policies need different rules:

+- A retention label policy that you publish needs a rule that defines which labels should be displayed in apps.

+- An auto-apply retention label policy needs a rule that defines the label to apply and the conditions for applying the label.

+## Retention cmdlets for most locations

+Use the cmdlets in the following table when the locations are **Exchange email**, **SharePoint sites**, **OneDrive accounts**, **Microsoft 365 Groups**, **Skype for Business**, **Exchange public folders**, **Teams chat messages**, or **Teams channel messages**.

+Don't use these cmdlets when the locations are for Teams private channel messages, Yammer user messages, or Yammer community messages. These locations have alternative cmdlets that are identified in the [next section](#retention-cmdlets-specific-to-teams-private-channels-and-yammer).

+|Cmdlet|Description|Applicable locations|

+|:--|:--|:--|:--|

+|[Enable-ComplianceTagStorage](/powershell/module/exchange/enable-compliancetagstorage) |A one-time operation to create storage for retention labels |Exchange email <br /><br />SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|

+|[Get-ComplianceTag](/powershell/module/exchange/get-compliancetag) |View retention labels |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups|

+|[Get-ComplianceTagStorage](/powershell/module/exchange/enable-compliancetagstorage) |View the created storage for retention labels |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|

+|[Get-RecordReviewNotificationTemplateConfig](/powershell/module/exchange/get-recordreviewnotificationtemplateconfig) |View the configuration for disposition review notification and reminder settings |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|

+|[Get-RetentionCompliancePolicy](/powershell/module/exchange/get-retentioncompliancepolicy) |View policies for retention |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages |

+|[Get-RetentionComplianceRule](/powershell/module/exchange/get-retentioncompliancepolicy) | View settings for polices for retention or retention labels |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages |

+|[New-ComplianceTag](/powershell/module/exchange/new-compliancetag) |Create a retention label |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|

+|[New-RetentionCompliancePolicy](/powershell/module/exchange/new-retentioncompliancepolicy) |Create a policy for retention |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages|

+|[New-RetentionComplianceRule](/powershell/module/exchange/get-retentioncompliancepolicy) | Create settings for policies for retention or a retention label |Exchange email <br /><br /> SharePoint sites<br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages|

+|[Remove-ComplianceTag](/powershell/module/exchange/remove-compliancetag) |Delete a retention label |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups|

+|[Remove-RetentionCompliancePolicy](/powershell/module/exchange/remove-retentioncompliancepolicy) |Delete policies for retention |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages |

+|[Set-ComplianceTag](/powershell/module/exchange/set-compliancetag) |Configure the settings for a retention label |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|

+|[Set-RecordReviewNotificationTemplateConfig](/powershell/module/exchange/remove-retentioncompliancepolicy) |Configure the settings for disposition review notification and reminder settings |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|

+|[Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy)| Configure a policy for retention | Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders<br /><br /> Teams chat messages <br /><br /> Teams channel messages |

+|[Set-RetentionComplianceRule](/powershell/module/exchange/set-retentioncompliancerule) | Configure settings for retention policies or retention labels |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages |

+## Retention cmdlets specific to Teams private channels and Yammer

+Use the following cmdlets when the locations are for **Teams private channel messages**, **Yammer user messages**, or **Yammer community messages**.

+When the locations are for Teams chat messages, Teams channel messages, Exchange email, SharePoint sites, OneDrive accounts, Microsoft 365 Groups, Skype for Business, or Exchange public folders, use the cmdlets listed in the [previous section](#retention-cmdlets-for-most-locations).

+|Cmdlet|Description|Applicable locations|

+|:--|:--|:--|:--|

+|[Get-AppRetentionCompliancePolicy](/powershell/module/exchange/get-appretentioncompliancepolicy) | View retention policies |Teams private channel messages <br /><br /> Yammer user messages <br /><br /> Yammer community messages|

+|[Get-AppRetentionComplianceRule](/powershell/module/exchange/get-appretentioncompliancerule) | View retention settings for retention policies |Teams private channel messages <br /><br /> Yammer user messages <br /><br /> Yammer community messages|

+|[New-AppRetentionCompliancePolicy](/powershell/module/exchange/new-appretentioncompliancepolicy) | Create a retention policy |Teams private channel messages <br /><br /> Yammer user messages <br /><br /> Yammer community messages|

+|[New-AppRetentionComplianceRule](/powershell/module/exchange/new-appretentioncompliancerule) | Create retention settings for retention policies |Teams private channel messages <br /><br /> Yammer user messages <br /><br /> Yammer community messages|

+|[Remove-AppRetentionCompliancePolicy](/powershell/module/exchange/remove-appretentioncompliancepolicy) | Delete a retention policy and corresponding settings |Teams private channel messages <br /><br /> Yammer user messages <br /><br /> Yammer community messages|

+|[Remove-AppRetentionComplianceRule](/powershell/module/exchange/remove-appretentioncompliancerule) | Delete settings for retention policies |Teams private channel messages <br /><br /> Yammer user messages <br /><br /> Yammer community messages|

+|[Set-AppRetentionCompliancePolicy](/powershell/module/exchange/remove-appretentioncompliancepolicy) | Configure retention policies |Teams private channel messages <br /><br /> Yammer user messages <br /><br /> Yammer community messages|

+|[Set-AppRetentionComplianceRule](/powershell/module/exchange/remove-appretentioncompliancerule) | Configure settings for retention policies |Teams private channel messages <br /><br /> Yammer user messages <br /><br /> Yammer community messages|

+## Configuration guidance

+Use the help pages associated with each cmdlet for detailed information and examples.

+For guided help to create and then publish retention labels, see [Create and publish retention labels by using PowerShell](bulk-create-publish-labels-using-powershell.md).

+Use [Office 365 Security & Compliance Center PowerShell](/powershell/exchange/scc-powershell) for Purview retention cmdlets that support configuration at scale, scripting for automation, or might be necessary for advanced configuration scenarios.

+For a list of available cmdlets, and to identify which ones are supported for the different locations, see [PowerShell cmdlets for retention policies and retention labels](retention-cmdlets.md).

+|[Multi-language support](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 2.21+ | 16.0.11231+ | Under review |

+|[Multi-language support](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-powershell)| Current Channel: 1910+ <br /><br> Monthly Enterprise Channel: 1910+ <br /><br> Semi-Annual Enterprise Channel: 2002+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |

+ This PDF format designed for long-term archiving isn't supported when the label applies encryption and will prevent users from converting Office documents to PDF. For configuration information, see the Group Policy documentation for [Enforce PDF compliance with ISO 19005-1 (PDF/A)](https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_EnforcePDFcompliancewithISO190051PDFA).

+- **Specify a default label** for unlabeled documents and emails, new containers (when you've [enabled sensitivity labels for Microsoft Teams, Microsoft 365 groups, and SharePoint sites](sensitivity-labels-teams-groups-sites.md)), and also a default label for [Power BI content](/power-bi/admin/service-security-sensitivity-label-default-label-policy). You can specify the same label for all four types of items, or different labels. Users can change the applied default sensitivity label to better match the sensitivity of their content or container.

+## Services that EDM supports

+|Service |Locations |

+|||

+| Microsoft Purview Data Loss Prevention | - SharePoint online </br>- OneDrive for Business </br>- Teams Chat </br>- Exchange Online </br>- Devices |

+|Microsoft Defender for Cloud Apps | - SharePoint Online </br>- OneDrive for Business |

+|Auto-labeling (service side) |- SharePoint online </br>- OneDrive for Business </br>- Exchange Online |

+|Auto-labeling (client side) |- Word </br>- Excel </br>- PowerPoint </br>- Exchange desktop clients |

+|Customer Managed Key |- SharePoint online </br>- OneDrive for Business </br>- Teams Chat </br>- Exchange Online </br>- Word </br>- Excel </br>- PowerPoint </br>- Exchange desktop clients </br>- Devices |

+|eDiscovery |- SharePoint online </br>- OneDrive for Business </br>- Teams Chat </br>- Exchange Online </br>- Word </br>- Excel </br>- PowerPoint </br>- Exchange desktop clients |

+|Insider Risk Management |- SharePoint online </br>- OneDrive for Business </br>- Teams Chat </br>- Exchange Online </br>- Word </br>- Excel </br>- PowerPoint </br>- Exchange desktop clients |

+|%%BlockedMessageInfo%%|The details of the message that was blocked. Use this token to inform people of the details of the message that was blocked.|

+Use document understanding models to identify and extract data from unstructured documents, such as letters or contracts, where the text entities you want to extract is in sentences or specific regions of the document. For example, an unstructured document could be a contract renewal letter that can be written in different ways. However, information exists consistently in the body of each contract renewal document, such as the text string `Service start date of` followed by an actual date.

+[Teams experience in a multi-geo environment](/microsoftteams/teams-experience-o365odb-spo-multi-geo)

+> The Office 365 CDN is only available to tenants in the **Production** (worldwide) cloud. Tenants in the US Government and China clouds do not currently support the Office 365 CDN.

+## Week of June 20, 2022

+| Published On |Topic title | Change |

+|||--|

+| 6/20/2022 | [Microsoft Defender Antivirus compatibility with other security products](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-21vianet) | modified |

+| 6/20/2022 | [Customize and publish your booking page](/microsoft-365/bookings/customize-booking-page?view=o365-21vianet) | modified |

+| 6/20/2022 | [Cross-tenant mailbox migration](/microsoft-365/enterprise/cross-tenant-mailbox-migration?view=o365-21vianet) | modified |

+| 6/20/2022 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-21vianet) | modified |

+| 6/20/2022 | [Microsoft Purview solution catalog](/microsoft-365/compliance/microsoft-365-solution-catalog?view=o365-21vianet) | modified |

+| 6/20/2022 | [Stream Microsoft 365 Defender events to Azure Event Hubs](/microsoft-365/security/defender/streaming-api-event-hub?view=o365-21vianet) | modified |

+| 6/21/2022 | [Microsoft Defender for Business and MSP resources](/microsoft-365/security/defender-business/mdb-partners?view=o365-21vianet) | added |

+| 6/21/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-21vianet) | modified |

+| 6/21/2022 | [Add-in deployment email alerts](/microsoft-365/admin/manage/add-in-deployment-email-alerts?view=o365-21vianet) | added |

+| 6/21/2022 | [Bookings with me](/microsoft-365/bookings/bookings-in-outlook?view=o365-21vianet) | modified |

+| 6/21/2022 | [Microsoft Purview solution catalog](/microsoft-365/compliance/microsoft-365-solution-catalog?view=o365-21vianet) | modified |

+| 6/21/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-21vianet) | modified |

+| 6/21/2022 | [Allow or block emails using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-email-spoof?view=o365-21vianet) | modified |

+| 6/21/2022 | [Manage allows and blocks in the Tenant Allow/Block List](/microsoft-365/security/office-365-security/manage-tenant-allow-block-list?view=o365-21vianet) | modified |

+| 6/21/2022 | [Set up Customer Key](/microsoft-365/compliance/customer-key-set-up?view=o365-21vianet) | modified |

+| 6/21/2022 | [Setup guides for Microsoft 365 and Office 365 services](/microsoft-365/enterprise/setup-guides-for-microsoft-365?view=o365-21vianet) | modified |

+| 6/22/2022 | [Use network protection to help prevent connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection?view=o365-21vianet) | modified |

+| 6/22/2022 | [Anti-malware protection](/microsoft-365/security/office-365-security/anti-malware-protection?view=o365-21vianet) | modified |

+| 6/22/2022 | [Configure anti-malware policies](/microsoft-365/security/office-365-security/configure-anti-malware-policies?view=o365-21vianet) | modified |

+| 6/22/2022 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-21vianet) | modified |

+| 6/22/2022 | [Communication compliance policies](/microsoft-365/compliance/communication-compliance-policies?view=o365-21vianet) | modified |

+| 6/22/2022 | [Create and publish sensitivity labels](/microsoft-365/compliance/create-sensitivity-labels?view=o365-21vianet) | modified |

+| 6/22/2022 | [Use sensitivity labels to configure the default sharing link type](/microsoft-365/compliance/sensitivity-labels-default-sharing-link?view=o365-21vianet) | modified |

+| 6/22/2022 | [Web content filtering](/microsoft-365/security/defender-endpoint/web-content-filtering?view=o365-21vianet) | modified |

+| 6/22/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-21vianet) | modified |

+| 6/22/2022 | [Microsoft 365 admin center activity reports](/microsoft-365/admin/activity-reports/activity-reports?view=o365-21vianet) | modified |

+| 6/22/2022 | [Minimum requirements for Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-21vianet) | modified |

+| 6/22/2022 | [Allow or block emails using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-email-spoof?view=o365-21vianet) | modified |

+| 6/22/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-21vianet) | modified |

+| 6/22/2022 | [Data loss prevention and Microsoft Teams](/microsoft-365/compliance/dlp-microsoft-teams?view=o365-21vianet) | modified |

+| 6/23/2022 | [Export software vulnerabilities assessment per device](/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities?view=o365-21vianet) | modified |

+| 6/23/2022 | [Vulnerabilities in my organization](/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses?view=o365-21vianet) | modified |

+| 6/23/2022 | [Identify the available PowerShell cmdlets for retention](/microsoft-365/compliance/retention-cmdlets?view=o365-21vianet) | added |

+| 6/23/2022 | [Create and edit Autopilot profiles](/microsoft-365/business-premium/create-and-edit-autopilot-profiles?view=o365-21vianet) | modified |

+| 6/23/2022 | [Microsoft 365 Business Premium overview](/microsoft-365/business-premium/index?view=o365-21vianet) | modified |

+| 6/23/2022 | [Use this step-by-step guide to add Autopilot devices and profile](/microsoft-365/business-premium/m365bp-add-autopilot-devices-and-profile?view=o365-21vianet) | modified |

+| 6/23/2022 | [Add a new user to your network and systems](/microsoft-365/business-premium/m365bp-add-users?view=o365-21vianet) | modified |

+| 6/23/2022 | [Set app protection settings for Android or iOS devices](/microsoft-365/business-premium/m365bp-app-protection-settings-for-android-and-ios?view=o365-21vianet) | modified |

+| 6/23/2022 | [About Autopilot Profile settings](/microsoft-365/business-premium/m365bp-autopilot-profile-settings?view=o365-21vianet) | modified |

+| 6/23/2022 | [Create and edit Autopilot devices](/microsoft-365/business-premium/m365bp-create-and-edit-autopilot-devices?view=o365-21vianet) | modified |

+| 6/23/2022 | [Working with device groups in Microsoft 365 Business Premium](/microsoft-365/business-premium/m365bp-device-groups-mdb?view=o365-21vianet) | modified |

+| 6/23/2022 | [Enable domain-joined Windows 10 devices to be managed by Microsoft 365 for business](/microsoft-365/business-premium/m365bp-manage-windows-devices?view=o365-21vianet) | modified |

+| 6/23/2022 | [Set up managed devices](/microsoft-365/business-premium/m365bp-managed-devices-setup?view=o365-21vianet) | modified |

+| 6/23/2022 | [How do protection features in Microsoft 365 Business Premium map to Intune settings](/microsoft-365/business-premium/m365bp-map-protection-features-to-intune-settings?view=o365-21vianet) | modified |

+| 6/23/2022 | [Edit or set application protection settings for Windows devices](/microsoft-365/business-premium/m365bp-protection-settings-for-windows-10-devices?view=o365-21vianet) | modified |

+| 6/23/2022 | [Remove company data from devices](/microsoft-365/business-premium/m365bp-remove-company-data?view=o365-21vianet) | modified |

+| 6/23/2022 | [Reset passwords](/microsoft-365/business-premium/m365bp-reset-passwords?view=o365-21vianet) | modified |

+| 6/23/2022 | [Review detected threats on devices and take action](/microsoft-365/business-premium/m365bp-review-threats-take-action?view=o365-21vianet) | modified |

+| 6/23/2022 | [Validate app protection settings on Android or iOS devices](/microsoft-365/business-premium/m365bp-validate-settings-on-android-or-ios?view=o365-21vianet) | modified |

+| 6/23/2022 | [Validate app protection settings for Windows 10 PCs](/microsoft-365/business-premium/m365bp-validate-settings-on-windows-10-pcs?view=o365-21vianet) | modified |

+| 6/23/2022 | [Microsoft 365 Business Premium frequently asked questions](/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-21vianet) | modified |

+| 6/23/2022 | [Learn about retention policies & labels to automatically retain or delete content](/microsoft-365/compliance/retention?view=o365-21vianet) | modified |

+| 6/23/2022 | [Schedule Microsoft Defender Antivirus protection updates](/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus?view=o365-21vianet) | modified |

+| 6/23/2022 | [Contextual file and folder exclusions](/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus?view=o365-21vianet) | added |

+| 6/23/2022 | Glossary of terms | removed |

+| 6/23/2022 | [Use DLP policies for non-Microsoft cloud apps](/microsoft-365/compliance/dlp-use-policies-non-microsoft-cloud-apps?view=o365-21vianet) | modified |

+| 6/23/2022 | [What's new in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365?view=o365-21vianet) | modified |

+| 6/23/2022 | [Sign up for Microsoft 365 Business Premium](/microsoft-365/business-premium/get-microsoft-365-business-premium?view=o365-21vianet) | modified |

+| 6/23/2022 | [Double Key Encryption (DKE)](/microsoft-365/compliance/double-key-encryption?view=o365-21vianet) | modified |

+| 6/23/2022 | [Learn about the default labels and policies to protect your data](/microsoft-365/compliance/mip-easy-trials?view=o365-21vianet) | modified |

+| 6/24/2022 | [Host firewall reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/host-firewall-reporting?view=o365-21vianet) | modified |

+| 6/24/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-21vianet) | modified |

+| 6/24/2022 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-21vianet) | modified |

+| 6/24/2022 | [Assign licenses to users in the Microsoft 365 admin center](/microsoft-365/admin/manage/assign-licenses-to-users?view=o365-21vianet) | modified |

+| 6/24/2022 | [Unassign licenses from users](/microsoft-365/admin/manage/remove-licenses-from-users?view=o365-21vianet) | modified |

+| 6/24/2022 | [Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control?view=o365-21vianet) | modified |

+ Title: "Overview of the Microsoft Defender for Endpoint page in Microsoft 365 Lighthouse"

+f1.keywords: NOCSH

+audience: Admin

+ms.localizationpriority: medium

+- M365-subscription-management

+- Adm_O365

+- AdminSurgePortfolib

+- M365-Lighthouse

+search.appverid: MET150

+description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to view security risks."

+# Overview of the Microsoft Defender for Endpoint page in Microsoft 365 Lighthouse

+Microsoft Defender for Endpoint provides endpoint security to secure your customersΓÇÖ devices from ransomware, malware, phishing, and other threats. Microsoft 365 Lighthouse allows you to view endpoint security insights and information for all your customer tenants.

+You can access the Microsoft Defender for Endpoint page in Microsoft 365 Lighthouse from the **Home** page under **Security Incidents** card or from the left navigation pane, **Devices \> Device Security tab**. You'll see any security incidents and alerts in your tenants that need attention, and devices that have been onboarded to Microsoft Defender for Endpoint.

+## Incidents and alerts tab

+The Incidents and alerts tab provides a multi-tenant incidents queue of incidents and alerts that were flagged from devices in your customersΓÇÖ network. By default, the queue displays any active incidents seen in the last 30 days. You can select any incident or alert to view more information.

+## Devices tab

+The Devices tab list of all devices in your customer tenants that have been onboarded to Microsoft Defender for Endpoint. This list includes devices that are managed by Microsoft Endpoint Manager and Microsoft Defender for Endpoint.

+The Devices tab also includes the following options:

+- **Export**: Select to export device compliance data to an Excel comma-separated values (.csv) file.

+- **Search**: Enter keywords to quickly locate a specific device in the list.

+## Related content

+[Manage Microsoft Defender for Endpoint incidents](../security/defender-endpoint/manage-incidents.md) (article)\

+[Investigate incidents in Microsoft Defender for Endpoint](../security/defender-endpoint/investigate-incidents.md) (article)

+2. Go to **Billing** > **Purchase Services** > **Microsoft 365 Services**.

+

+3. Under **Microsoft 365 Lighthouse**, select **Details**.

+4. Select **Buy**.

+- Get access to your customers' Microsoft 365 Defender portal to [address alerts and incidents](mdb-respond-mitigate-threats.md).

+- Get [email notifications](mdb-email-notifications.md) about new alerts or vulnerabilities across your customers' tenants.

+##### [Contextual file and folder exclusions](configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md)

+## Authenticated telemetry

+You can **Turn on** Authenticated telemetry to prevent spoofing telemetry into your dashboard.

+It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Endpoint Manager Admin center as well as add trusted certificates. Admins can also enable [privacy controls](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) to configure the data that is sent by Defender for Endpoint from Android devices.

+ > 

+1. In Settings page, select **'Use configuration designer'** and add **'Enable Network Protection in Microsoft Defender'** as the key and value as **'0'** to disable Network Protection. (Network protection is enabled by default)

+|Vulnerability assessment of apps (Android-only) |By default only information about apps installed in the work profile is sent for vulnerability assessment. Admins can disable privacy to include personal apps|

+|Network Protection (preview)| Admins can enable or disable privacy in network protection - If enabled, then Defender will not send network details.|

+ 1. In the **Assignments** page, select the user group to which this app config policy would be assigned. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.

+Admins also can set up **privacy controls** from the Microsoft Endpoint Manager admin center to control what data can be sent by the Defender mobile client to the security portal. For more information, see [configuring privacy controls](android-configure.md).

+## Microsoft defender on Android enterprise BYOD personal profile

+Microsoft Defender for Endpoint is now supported on Android Enterprise personal profile (BYOD only) with all the key features including malware scanning, protection from phishing links, network protection and vulnerability management. This support is coupled with [privacy controls](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) to ensure user privacy on personal profile. For more information, read the [announcement](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-the-public-preview-of-defender-for-endpoint-personal/ba-p/3370979) and the [deployment guide](/microsoft-365/security/defender-endpoint/android-intune#set-up-microsoft-defender-in-personal-profile-on-android-enterprise-in-byod-mode).

+- Run requests for any method and see responses in real-time.

+- Quickly browse through the API samples and learn what parameters they support.

+- Make API calls with ease; no need to authenticate beyond the management portal signin.

+From the left navigation menu, select **Partners & APIs** \> **[API Explorer](https://security.microsoft.com/interoperability/api-explorer)**.

+- Script files (such as a PowerShell .ps1, Visual Basic .vbs, or JavaScript .js file)

+ Title: Contextual file and folder exclusions

+description: Describes the contextual file and folder exclusions capability for Windows Defender Antivirus. This capability allows you to be more specific when you define under which context Windows Defender Antivirus shouldn't scan a file or folder, by applying restrictions

+keywords: Microsoft Defender Antivirus, process, exclusion, files, scans

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mde

+# Contextual file and folder exclusions

+This article/section describes the contextual file and folder exclusions capability for Windows Defender Antivirus. This capability allows you to be more specific when you define under which context Windows Defender Antivirus shouldn't scan a file or folder, by applying restrictions.

+## Overview

+Exclusions are primarily intended to mitigate affects on performance. They come at the penalty of reduced protection value. These restrictions allow you to limit this protection reduction by specifying circumstances under which the exclusion should apply. Contextual exclusions arenΓÇÖt suitable for addressing false positives in a reliable way. If you encounter a false positive, you can Submit files for analysis through the [Microsoft 365 Defender](https://security.microsoft.com/) portal (subscription required) or through the [Microsoft Security Intelligence](https://www.microsoft.com/wdsi/filesubmission) website. For a temporary suppression method, consider creating a custom _allow_ indicator.

+There are four restrictions you can apply to limit the applicability of an exclusion:

+- **File/folder path type restriction**. You can restrict exclusions to only apply if the target is a file, or a folder by making the intent specific. If the target is a file but the exclusion is specified to be a folder, it will not apply. Conversely, if the target is folder but the exclusion is specified to be a file, the exclusion will apply.

+- **Scan type restriction**. Enables you to define the required scan type for an exclusion to apply. For example, you only want to exclude a certain folder from Full scans but not from a ΓÇ£resourceΓÇ¥ scan (targeted scan).

+- **Scan trigger type restriction**. You can use this restriction to specify that the exclusion should only apply when the scan was initiated by a specific event:

+ - on demand

+ - on access

+ - or originating from behavioral monitoring

+- **Process restriction**. Enables you to define that an exclusion should only apply when a file or folder is being accessed by a specific process.

+## Configuring restrictions

+Restrictions are typically applied by adding the restriction type to the file or folder exclusion path.

+| Restriction | TypeName | value |

+|:|:|:|

+| File/folder | PathType | file <br> folder |

+| Scan type | ScanType | quick <br> full |

+| Scan trigger | ScanTrigger | OnDemand <br> OnAccess <br> BM |

+| Process | Process | "<image_path>" |

+### Requirements

+This capability requires Windows Defender Antivirus:

+- Platform: **4.18.2205.7** or later

+- Engine: **1.1.19300.2** or later

+### Syntax

+As a starting point, you may already have exclusions in place that you wish to make more specific. To form the exclusion string, first define the path to the file or folder to be excluded, then add the type name and associated value, as shown in the following example.

+`<PATH>\:{TypeName:value,TypeName:value}`

+Keep in mind that _all_ **types** and **values** are case sensitive.

+### Examples

+The following string excludes ΓÇ£c:\documents\design.docΓÇ¥ only if itΓÇÖs a file and only in on-access scans:

+`c:\documents\design.doc\:{PathType:file,ScanTrigger:OnAccess}`

+The following string excludes ΓÇ£c:\documents\design.docΓÇ¥ only if itΓÇÖs scanned (on-access) due to it being accessed by a process having the image name ΓÇ£winword.exeΓÇ¥:

+`c:\documents\design.doc\:{Process:ΓÇ¥winword.exeΓÇ¥}`

+The process image path may contain wildcards, as in the following example:

+`c:\documents\design.doc\:{Process:ΓÇ¥C:\Program Files*\Microsoft Office\root\Office??\winword.exeΓÇ¥}`

+### File/folder restriction

+You can restrict exclusions to only apply if the target is a file or a folder by making the intent specific. If the target is a file but the exclusion is specified to be a folder, the exclusion won't apply. Conversely, if the target is folder but the exclusion is specified to be a file, the exclusion will apply.

+#### File/folder exclusions default behavior

+If you donΓÇÖt specify any other options, the file/folder is excluded from all types of scans _and_ the exclusion applies regardless of whether the target is a file or a folder. For more information about customizing exclusions to only apply to a specific scan type, see [Scan type restriction](#scan-type-restriction).

+#### Folders

+To ensure an exclusion only applies if the target is a folder, not a file you can use the **PathType:folder** restriction. For example:

+`C:\documents\:{PathType:folder}`

+#### Files

+To make sure an exclusion only applies if the target is a file, not a folder you can use the PathType: file restriction.

+Example:

+`C:\documents\database.mdb\:{PathType:file}`

+### Scan type restriction

+By default, exclusions apply to all scan types:

+- **resource**: a single file or folder is scanned in a targeted way (for example, right-click, Scan)

+- **quick**: common startup locations utilized by malware, memory and certain registry keys

+- **full**: includes quick scan locations and complete file system (all files and folders)

+To mitigate performance issues, you can exclude a folder or a set of files from being scanned by a specific scan type. You can also define the required scan type for an exclusion to apply.

+To exclude a folder from being scanned only during a full scan, specify a restriction type together with the file or folder exclusion, as in the following example:

+`C:\documents\:{ScanType:full}`

+To exclude a folder from being scanned only during a quick scan, specify a restriction type together with the file or folder exclusion:

+`C:\program.exe\:{ScanType:quick}`

+If you want to make sure this exclusion only applies to a specific file and not a folder (c:\foo.exe could be a folder), also apply the PathType restriction:

+`C:\program.exe\:{ScanType:quick,PathType:file}`

+### Scan trigger restriction

+By default, basic exclusions apply to all scan triggers. ScanTrigger restriction enables you to specify that the exclusion should only apply when the scan was initiated by a specific event; on demand (including quick, full and targeted scans), on access or originating from behavioral monitoring (including memory scans).

+- **OnDemand**: a scan was triggered by a command or admin action. Remember that scheduled quick and full scans also fall under this category.

+- **OnAccess**: a file or folder is opened/written/read/modified (typically considered real-time protection)

+- **BM**: a behavioral trigger causes the behavioral monitoring to scan a specific file

+To exclude a file or folder and its contents from being scanned only when the file is being scanned after being accessed, define a scan trigger restriction such as the following example:

+`c:\documents\:{ScanTrigger:OnAccess}`

+### Process restriction

+This restriction allows you to define that an exclusion should only apply when a file or folder is being accessed by a specific process. A common scenario is when you want to avoid excluding the process as that avoidance would cause Defender Antivirus to ignore other operations by that process.

+> [!NOTE]

+>

+> Using a large amount of process exclusion restrictions on a machine may adversely affect performance.

+> In addition, because you restricted the exclusion to a certain process or processes, other active processes (such as indexing, backup, updates) can still trigger file scans.

+To exclude a file or folder only when accessed by a specific process, create a normal file or folder exclusion and add the process to restrict the exclusion to:

+`c:\documents\design.doc\:{Process:ΓÇ¥winword.exeΓÇ¥, Process:ΓÇ¥msaccess.exeΓÇ¥}`

+### How to configure

+After constructing your desired contextual exclusions, you can use your existing management tool to configure file and folder exclusions using the string you created.

+See: [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)

+|Security intelligence updates Alternate Download Location (ADL)<p>This is an alternate location for Microsoft Defender Antivirus Security intelligence updates, if the installed Security intelligence is out of date (Seven or more days behind).|`*.download.microsoft.com` <p> `*.download.windowsupdate.com`<p> `go.microsoft.com`<p> `https://www.microsoft.com/security/encyclopedia/adlpackages.aspx` <p> `https://definitionupdates.microsoft.com/download/DefinitionUpdates/` <p> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|

+- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)

+## Integration with Microsoft Defender for Cloud

+Microsoft Defender for Endpoint integrates seamlessly with Microsoft Defender for Servers. You can onboard servers automatically, have servers monitored by Microsoft Defender for Cloud appear in Defender for Endpoint, and conduct detailed investigations as a Microsoft Defender for Cloud customer.

+For more information, see [Integration with Microsoft Defender for Cloud](azure-server-integration.md).

+> [!NOTE]

+> For Windows Server 2012 R2 and 2016 running the modern unified solution, you can either manually install/upgrade the new solution on these machines, or use the integration to automatically deploy or upgrade servers covered by your respective Microsoft Defender for Server plan. More information about making the switch at [Protect your endpoints with Defender for Cloud's integrated EDR solution: Microsoft Defender for Endpoint](/azure/defender-for-cloud/integration-defender-for-endpoint?tabs=windows).

+> - When you use Microsoft Defender for Cloud to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European users, and in the UK for UK users).

+Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning.

+> - If you use Defender for Endpoint before using Microsoft Defender for Cloud, your data will be stored in the location you specified when you created your tenant even if you integrate with Microsoft Defender for Cloud at a later time.

+> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.

+> - The integration between Microsoft Defender for servers and Microsoft Defender for Endpoint has been expanded to support Windows Server 2022, [Windows Server 2019, and Windows Virtual Desktop (WVD)](/azure/security-center/release-notes#microsoft-defender-for-endpoint-integration-with-azure-defender-now-supports-windows-server-2019-and-windows-10-virtual-desktop-wvd-in-preview).

+> - Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.

+> - The Onboarding package for Windows Server 2012 R2, 2016, 2019 and 2022 through Microsoft Endpoint Manager currently ships as a script. For more information on how to deploy programs and scripts in Configuration Manager, see [Packages and programs in Configuration Manager](/configmgr/apps/deploy-use/packages-and-programs).

+-DisableGradualRelease 1|0

+> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)

+- **4.18.2205 or later**: Expand the default enforcement to **Printer**. If you set it to **Deny**, it will block Printer as well, so if you only want to manage storage, make sure to create a custom policy to allow Printer.

+ For example, you have either a **Deny** or an **Allow** policy for `RemovableMediaDevices`, but you do not have a policy for `CdRomDevices` or `WpdDevices`. You can set **Default Deny** through this policy, then Read/Write/Execute access to `CdRomDevices` or `WpdDevices` will be blocked. If you only want to manage storage, make sure to create an **Allow** policy for your printer; otherwise, this default enforcement will be applied to printers as well.

+ For example, you have either Deny or Allow policy for RemovableMediaDevices, but you do not have any policy for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. If you only want to manage storage, make sure to create Allow policy for Printer, otherwise, this Default Enforcement will be applied to Printer as well.

+An inactive device isn't necessarily flagged because of an issue. The following actions taken on a device can cause a device to be categorized as inactive:

+- Device isn't in use

+- Device was reinstalled or renamed

+- Device was offboarded

+- Device isn't sending signals

+### Device isn't in use

+Any device that isn't in use for more than seven days will retain 'Inactive' status in the portal.

+### Device isn't sending signals

+If the device isn't sending any signals to any Microsoft Defender for Endpoint channels for more than seven days for any reason, a device can be considered inactive; this includes conditions that fall under misconfigured devices classification.

+- [Ensure that Microsoft Defender Antivirus isn't disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)</br>

+If you're a Global or security administrator, you can now host firewall reporting to the [Microsoft 365 Defender portal](https://security.microsoft.com). This feature enables you to view Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022 firewall reporting from a centralized location.

+ - `auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable`

+ - `auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable`

+- After enabling the events, Microsoft 365 Defender will start to monitor the data, which includes:

+ - Remote IP

+ - Remote Port

+ - Local Port

+ - Local IP

+ - Computer Name

+ - Process across inbound and outbound connections

+ - Additional reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI.

+ - It can take up to 12 hours before the data is reflected.

+The following scenarios are supported during Ring0 Preview:

+- [Firewall reporting](#firewall-reporting)

+- [From "Computers with a blocked connection" to device](#from-computers-with-a-blocked-connection-to-device)

+- [Drill into advanced hunting (preview refresh)](#drill-into-advanced-hunting-preview-refresh)

+Here are some examples of the firewall report pages. Here you'll find a summary of inbound, outbound, and application activity. You can access this page directly by going to <https://security.microsoft.com/firewall>.

+For more reporting, or custom changes, the query can be exported into Power BI for further analysis. Custom reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI.

+It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Endpoint Manager Admin center. Admins can also enable privacy controls to configure the data that is sent by Defender for Endpoint from iOS devices. For more information, read [Configure Network Protection](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-network-protection).

+Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the app store. With this update, the app will be available as preview for **Consumers in the US region**. Based on how you log into the app with your work or personal account, you will have access to features for Microsoft Defender for Endpoint or to features for Microsoft Defender for individuals. For more information, see [this blog](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals).

+This article is updated frequently to let you know what's new in the latest releases of Microsoft Defender for Endpoint on Linux.

+- [What's new in Defender for Endpoint on macOS](mac-whatsnew.md)

+- [What's new in Defender for Endpoint on iOS](ios-whatsnew.md)

+<details>

+ <summary>Jun-2022 (Build: 101.71.18 | Release version: 30.122052.17118.0)</summary>

+&ensp;Released: **June 24, 2022**<br/>

+&ensp;Published: **June 24, 2022**<br/>

+&ensp;Build: **101.71.18**<br/>

+&ensp;Release version: **30.122042.16880.0**<br/>

+**What's new**

+- Fixed an issue in the product sensor used on RHEL 6 that could lead to an OS hang

+- `mdatp connectivity test` was extended with an extra URL that the product requires to function correctly. The new URL is [https://go.microsoft.com/fwlink/?linkid=2144709](https://go.microsoft.com/fwlink/?linkid=2144709).

+- Up until now, the product log level wasn't persisted between product restarts. Starting from this version, there's a new command-line tool switch that persists the log level. The new command is `mdatp log level persist --level <level>`.

+- Removed the dependency on `python` from the product installation package

+- Performance improvements for file copy operations and processing of network events originating from `auditd`

+</br>

+<br/><br/>

+</details>

+<details>

+ <summary>May-2022 (Build: 101.68.80 | Release version: 30.122042.16880.0)</summary>

+&ensp;Released: **May 23, 2022**<br/>

+&ensp;Published: **May 23, 2022**<br/>

+&ensp;Build: **101.68.80**<br/>

+&ensp;Release version: **30.122042.16880.0**<br/>

+**What's new**

+- Added support for kernel version `2.6.32-754.47.1.el6.x86_64` when running on RHEL 6

+- On RHEL 6, product can now be installed on devices running Unbreakable Enterprise Kernel (UEK)

+- Fixed an issue where the process name was sometimes incorrectly displayed as `unknown` when running `mdatp diagnostic real-time-protection-statistics`

+- Fixed a bug where the product sometimes was incorrectly detecting files inside the quarantine folder

+- Fixed an issue where the `mdatp` command-line tool was not working when `/opt` was mounted as a soft-link

+</br>

+<br/><br/>

+</details>

+<details>

+<summary>May-2022 (Build: 101.65.77 | Release version: 30.122032.16577.0)</summary>

+&ensp;Released: **May 2, 2022**<br/>

+&ensp;Published: **May 2, 2022**<br/>

+&ensp;Build: **101.65.77**<br/>

+&ensp;Release version: **30.122032.16577.0**<br/>

+**What's new**

+- Improved the `conflicting_applications` field in `mdatp health` to show only the most recent 10 processes and also to include the process names. This makes it easier to identify which processes are potentially conflicting with Microsoft Defender for Endpoint for Linux.

+<br/><br/>

+</details><details>

+<summary>Mar-2022 (Build: 101.62.74 | Release version: 30.122022.16274.0)</summary>

+&ensp;Released: **Mar 24, 2022**<br/>

+&ensp;Published: **Mar 24, 2022**<br/>

+&ensp;Build: **101.62.74**<br/>

+&ensp;Release version: **30.122022.16274.0**<br/>

+**What's new**

+- Addressed an issue where the product would incorrectly block access to files greater than 2GB in size when running on older kernel versions

+- Bug fixes

+<br/><br/>

+</details><details>

+<summary>Mar-2022 (Build: 101.60.93 | Release version: 30.122012.16093.0)</summary>

+&ensp;Released: **Mar 9, 2022**<br/>

+&ensp;Published: **Mar 9, 2022**<br/>

+&ensp;Build: **101.60.93**<br/>

+&ensp;Release version: **30.122012.16093.0**<br/>

+**What's new**

+- This version contains a security update for [CVE-2022-23278](https://msrc-blog.microsoft.com/2022/03/08/guidance-for-cve-2022-23278-spoofing-in-microsoft-defender-for-endpoint/)

+<br/><br/>

+</details><details>

+<summary>Mar-2022 (Build: 101.60.05 | Release version: 30.122012.16005.0)</summary>

+&ensp;Released: **Mar 3, 2022**<br/>

+&ensp;Published: **Mar 3, 2022**<br/>

+&ensp;Build: **101.60.05**<br/>

+&ensp;Release version: **30.122012.16005.0**<br/>

+**What's new**

+- Added support for kernel version 2.6.32-754.43.1.el6.x86_64 for RHEL 6.10

+- Bug fixes

+<br/><br/>

+</details><details>

+<summary>Feb-2022 (Build: 101.58.80 | Release version: 30.122012.15880.0)</summary>

+&ensp;Released: **Feb 20, 2022**<br/>

+&ensp;Published: **Feb 20, 2022**<br/>

+&ensp;Build: **101.58.80**<br/>

+&ensp;Release version: **30.122012.15880.0**<br/>

+**What's new**

+- The command-line tool now supports restoring quarantined files to a location other than the one where the file was originally detected. This can be done through `mdatp threat quarantine restore --id [threat-id] --path [destination-folder]`.

+- Starting with this version, network protection for Linux can be evaluated on demand

+<br/><br/>

+</details><details>

+<summary>Jan-2022 (Build: 101.56.62 | Release version: 30.121122.15662.0)</summary>

+&ensp;Released: **Jan 26, 2022**<br/>

+&ensp;Published: **Jan 26, 2022**<br/>

+&ensp;Build: **101.56.62**<br/>

+&ensp;Release version: **30.121122.15662.0**<br/>

+**What's new**

+- Fixed a product crash introduced in 101.53.02 and that has impacted multiple customers

+<br/><br/>

+</details><details>

+<summary>Jan-2022 (Build: 101.53.02 | Release version: (30.121112.15302.0)</summary>

+&ensp;Released: **Jan 8, 2022**<br/>

+&ensp;Published: **Jan 8, 2022**<br/>

+&ensp;Build: **101.53.02**<br/>

+&ensp;Release version: **30.121112.15302.0**<br/>

+**What's new**

+</details>

+<details><summary> 2021 releases</summary><blockquote>

+ <details><summary>(Build: 101.52.57 | Release version: 30.121092.15257.0)</summary>

+

+ <p><b>

+ Build: 101.52.57 <br>

+ Release version: 30.121092.15257.0</b></p>

+

+ <p><b> What's new </b></p>

+ - Added a capability to detect vulnerable log4j jars in use by Java applications. The machine is periodically inspected for running Javaprocesses with loaded log4j jars. The information is reported to the Microsoft Defender for Endpoint backend and is exposed in theVulnerability Management area of the portal.

+

+ </details>

+ <details><summary>(Build: 101.47.76 | Release version: 30.121092.14776.0)</summary>

+

+ <p><b>

+ Build: 101.47.76 <br>

+ Release version: 30.121092.14776.0</b></p>

+

+ <p><b>What's new</b></p>

+ - Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through mdatp config scan-archives --value [enabled/disabled]. By default, this is set to enabled.

+ - Bug fixes

+ </details>

+ <details><summary>(Build: 101.45.13 | Release version: 30.121082.14513.0)</summary>

+

+ <p>

+ Build: <b>101.45.13 </b> <br>

+ Release version:<b> 30.121082.14513.0 </b></p>

+

+ <p><b>What's new</b></p>

+ - Starting with this version, we are bringing Microsoft Defender for Endpoint support to the following distros:

+ - RHEL6.7-6.10 and CentOS6.7-6.10 versions.

+ - Amazon Linux 2

+ - Fedora 33 or higher

+ - Bug fixes

+ </details>

+ <details><summary>(Build: 101.45.00 | Release version: 30.121072.14500.0)</summary>

+

+ <p>

+ Build:<b> 101.45.00</b> <br>

+ Release version: <b>30.121072.14500.0</b></p>

+

+ <p><b>What's new</b></p>

+

+ - Added new switches to the command-line tool:

+ - Control degree of parallelism for on-demand scans. This can be configured through `mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64]`. By default, a degree of parallelism of `2` is used.

+ - Control whether scans after security intelligence updates are enabled or disabled. This can be configured through `mdatp config scan-after-definition-update --value [enabled/disabled]`. By default, this is set to `enabled`.

+ - Changing the product log level now requires elevation

+ - Bug fixes

+ </details>

+ <details><summary>(Build: 101.39.98 | Release version: 30.121062.13998.0)</summary>

+

+ <p>

+ Build: <b>101.39.98 </b><br>

+ Release version: <b>30.121062.13998.0</b></p>

+

+ <p><b>What's new</b></p>

+ - Performance improvements & bug fixes

+

+ </details>

+ <details><summary>(Build: 101.34.27 | Release version: 30.121052.13427.0)</summary>

+

+ <p>

+ Build:<b> 101.34.27</b> <br>

+ Release version: <b>30.121052.13427.0</b></p>

+

+ <p><b>What's new</b></p>

+ - Performance improvements & bug fixes

+

+ </details>

+ <details><summary>(Build: 101.29.64 | Release version: 30.121042.12964.0)</summary>

+

+ <p>

+ Build:<b> 101.29.64 </b><br>

+ Release version:<b> 30.121042.12964.0</b></p>

+

+ <p><b>What's new</b></p>

+ - Starting with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.

+ - `mdatp diagnostic real-time-protection-statistics` now supports two additional switches:

+ - `--sort`: sorts the output descending by total number of files scanned

+ - `--top N`: displays the top N results (only works if `--sort` is also specified)

+ - Performance improvements & bug fixes

+

+ </details>

+ <details><summary>(Build: 101.25.72 | Release version: 30.121022.12563.0)</summary>

+

+ <p>

+ Build:<b> 101.25.72</b> <br>

+ Release version: <b>30.121022.12563.0</b></p>

+

+ <p><b>What's new</b></p>

+ - Microsoft Defender for Endpoint on Linux is now available in preview for US Government customers. For more information, see [Microsoft Defender for Endpoint for US Government customers](gov.md).

+ - Fixed an issue where usage of Microsoft Defender for Endpoint on Linux on systems with FUSE filesystems was leading to OS hang

+ - Performance improvements & other bug fixes

+

+ </details>

+

+ <details><summary>(Build: 101.25.63 | Release version: 30.121022.12563.0)</summary>

+

+ <p>

+ Build:<b> 101.25.63</b> <br>

+ Release version: <b>30.121022.12563.0</b></p>

+

+ <p><b>What's new</b></p>

+ - Performance improvements & bug fixes

+

+ </details>

+ <details><summary>(Build: 101.23.64 | Release version: 30.121021.12364.0)</summary>

+

+ <p>

+ Build:<b> 101.23.64 </b><br>

+ Release version: 30.121021.12364.0</b></p>

+

+ <p><b>What's new</b></p>

+ - Performance improvement for the situation where an entire mount point is added to the antivirus exclusion list. Prior to this version, file activity originating from the mount point was still processed by the product. Starting with this version, file activity for excluded mount points is suppressed, leading to better product performance

+ - Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run `mdatp health --details antivirus`

+ - Other performance improvements & bug fixes

+

+ </details>

+ <details><summary>(Build: 101.18.53)</summary>

+

+ <p>

+ Build:<b> 101.18.53 </b><br>

+

+ <p>What's new</b></p>

+ - EDR for Linux is now [generally available](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-is-generally-available/ba-p/2048539)

+ - Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`)

+ - Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory

+ - Performance improvements & bug fixes

+

+ </details>

+</blockquote></details>

+- Potential for high resource utilization (CPU and/or memory). See the Platform 4.18.2203.5 and Engine 1.1.19200.5 update for March 2022.

+| Licensing requirements | Defender for Endpoint Plan 1 (standalone, or as part of Microsoft 365 E3 or A3) |

+| Operating systems | Windows 11, or Windows 10, version 1709, or later <br/>macOS (the three most recent releases are supported) <br/>iOS <br/>Android OS <br/><br/>Note that the standalone version of Defender for Endpoint Plan 1 does not include server licenses. To onboard servers, you'll need Defender for Servers Plan 1 or Plan 2 as part of the [Defender for Cloud](/azure/defender-for-cloud/defender-for-cloud-introduction) offering. To learn more. see [Overview of Microsoft Defender for Servers](/azure/defender-for-cloud/defender-for-servers-introduction). |

+Here is an example of the request. If there is no JSON comment added, it will error out with code **400**.

+2. Go to [Data export settings page](https://security.microsoft.com/settings/mtp_settings/raw_data_export) in Microsoft 365 Defender.

+ Description: List of x64 installed software on x64 OS collected from registry.

+ Description: List of x86 installed software on x64 OS collected from registry.

+These instructions apply to the new unified solution and installer (MSI) package of Microsoft Defender for Endpoint for Windows Server 2012 R2 and Windows Server 2016. This article contains high-level instructions for various possible migration scenarios from the previous to the current solution. These high-level steps are intended as guidelines to be adjusted to the deployment and configuration tools available in your environment.

+**If you are using Microsoft Defender for Cloud to perform deployment, you can automate installation and upgrade. See [Defender for Servers Plan 2 now integrates with MDE unified solution] (https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/defender-for-servers-plan-2-now-integrates-with-mde-unified/ba-p/3527534)**

+To facilitate upgrades when Microsoft Endpoint Configuration Manager is not yet available or updated to perform the automated upgrade, you can use this [upgrade script](https://github.com/microsoft/mdefordownlevelserver). It can help automate the following required steps:

+>You'll need Microsoft Endpoint Configuration Manager, version 2107 or later to perfom Endpoint Protection policy configuration.

+- Contain devices from the network

+|- Collect investigation package <br/>- Isolate device (this action can be undone)<br/>- Offboard machine <br/>- Release code execution <br/>- Release from quarantine <br/>- Request sample <br/>- Restrict code execution (this action can be undone) <br/>- Run antivirus scan <br/>- Stop and quarantine <br/>- Contain devices from the network |- Block URL (time-of-click)<br/>- Soft delete email messages or clusters<br/>- Quarantine email<br/>- Quarantine an email attachment<br/>- Turn off external mail forwarding |- Disable user<br />- Reset user password<br />- Confirm user as compromised |

+- [Contain devices from the network](../defender-endpoint\respond-machine-alerts.md#contain-devices-from-the-network)

+> The new Defender for Cloud Apps experience in the Microsoft 365 Defender portal is currently available for all users detailed in [Manage admin access](/defender-cloud-apps/manage-admins), except for **App/Instance admin**, **User group admin**, **Cloud Discovery global admin**, and **Cloud Discovery report admin**, as defined in [Built-in admin roles in Defender for Cloud Apps](/defender-cloud-apps/manage-admins#built-in-admin-roles-in-defender-for-cloud-apps).

+Watch this short video to learn how to use admin submissions in Microsoft Defender for Office 365 to submit messages to Microsoft for evaluation.

+## Undo user submissions

+## Convert user reported messages from the custom mailbox into an admin submission

+## View associated alert for user and admin email submissions

+> The information in this section applies only to Defender for Office 365 Plan 2 or higher.

+>

+> Currently, user submissions generate alerts only for messages that are reported as phishing.

+For each user reported phishing message and admin email submission, a corresponding alert is generated.

+To view the corresponding alert for a user reported phishing message, select the **User reported messages** tab, and then double-click the message to open the submission flyout. Click  **More options** and then select **View alert**.

+To view the corresponding alert for admin email submissions, select the **Emails** tab, and then double-click the message to open the submission flyout. Select **View alert** on the **Open email entity** option.

+### Use the Tenant Allow/Block List in Microsoft 365 Defender

+> The impersonated domain (or user) will be created and visible in the **Trusted senders and domains** section in the anti-phishing policy at <https://security.microsoft.com/antiphishing>.

+|`CAT:`|The category of protection policy, applied to the message: <ul><li>`BULK`: Bulk</li><li>`DIMP`: Domain Impersonation</li><li>`GIMP`: [Mailbox intelligence based impersonation](set-up-anti-phishing-policies.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>`HPHSH` or `HPHISH`: High confidence phishing</li><li>`HSPM`: High confidence spam</li><li>`MALW`: Malware</li><li>`PHSH`: Phishing</li><li>`SPM`: Spam</li><li>`SPOOF`: Spoofing</li><li>`UIMP`: User Impersonation</li><li>`AMP`: Anti-malware</li><li>`SAP`: Safe attachments</li><li>`OSPM`: Outbound spam</li></ul> <p> An inbound message may be flagged by multiple forms of protection and multiple detection scans. Policies have different priorities, and the policy with the highest priority is applied first. For more information, see [What policy applies when multiple protection methods and detection scans run on your email](how-policies-and-protections-are-combined.md).|

+ Title: Login pages in Attack simulation training

+audience: ITPro

+ms.localizationpriority: medium

+ - M365-security-compliance

+ - m365initiative-defender-office365

+description: Admins can learn how to create and manage login pages for simulated phishing attacks in Microsoft Defender for Office 365 Plan 2.

+ms.technology: mdo

+# Login pages in Attack simulation training

+**Applies to**

+ [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)

+In Attack simulation training in Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2, login pages are displayed to users in simulations that use the **Credential harvest** and **Link in attachment** [social engineering techniques](attack-simulation-training.md#select-a-social-engineering-technique).

+To see the available login pages, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **Login pages**. To go directly to the **Simulation content library** tab where you can select **Login pages**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.

+**Login pages** has two tabs:

+- **Global login pages**: Contains the built-in, non-modifiable login pages. There are four built-in login pages localized into 12 languages:

+ - **GitHub login page**

+ - **LinkedIn login page**

+ - **Microsoft login page**

+ - **Non-branded login page**

+- **Tenant login pages**: Contains the custom login pages that you've created.

+The following information is shown for each login page:

+- **Name**

+- **Language**

+- **Source**: For built-in login pages, the value is **Global**. For custom login pages, the value is **Tenant**.

+- **Status**: **Ready** or **Draft**.

+- **Created by**: For built-in login pages, the value is **Microsoft**. For custom login pages, the value is the UPN of the user who created the login page.

+- **Last modified**

+To find a login page in the list, use the  **Search** box to find the name of the login page.

+Click  **Filter** to filter the login pages by **Language** or **Status**.

+To remove one or more columns that are displayed, click  **Customize columns**.

+When you select a login page from the list, a details flyout appears with the following information:

+-  **Edit** is available only in custom login pages on the **Tenant login pages** tab.

+- . If the login page is already the default,  **Mark as default** isn't available.

+- **Preview** tab: View the login page as users will see it. **Page 1** and **Page 2** links are available at the bottom of the page for custom two-page login pages.

+- **Details** tab: View details about the login page:

+ - **Description**

+ - **Status**: **Ready** or **Draft**.

+ - **Login page source**: For built-in login pages, the value is **Global**. For custom login pages, the value is **Tenant**.

+ - **Modified by**

+ - **Language**

+ - **Last modified**

+## Create login pages

+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Simulation content library** tab \> and then select **Login pages**. To go directly to the **Simulation content library** tab where you can select **Login pages**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.

+You can create custom login pages in the following locations:

+ Click  **Create new** to start the create end user login page wizard.

+ > [!NOTE]

+ > The  **Create new** is also available during payload and payload automation creation. For more information, see the following topics:

+ >

+ > - [Create custom payloads for Attack simulation training in Defender for Office 365](attack-simulation-training-payloads.md#create-payloads)

+ > - [Create payload automations for Attack simulation training](attack-simulation-training-payload-automations.md#create-payload-automations)

+ >

+ > At any point during the creation wizard, you can click **Save and close** to save your progress and continue configuring the login page later. You can pick up where you left off by selecting the login page on the **Tenant login pages** tab in **Login pages**, and then clicking  **Edit**. The partially-completed login page will have the **Status** value **Draft**.

+2. On the **Define details for login page** page, configure the following settings:

+ - **Name**: Enter a unique name.

+ - **Description**: Enter an optional description.

+ When you're finished, click **Next**.

+3. On the **Configure login page** page, configure the following settings:

+ - **Select a language**

+ - **Make this the default login page**: If you select this option, the login page will be the default selection in **Credential harvest** or **Link in attachment** [payloads](attack-simulation-training-payloads.md) or [payload automations](attack-simulation-training-payload-automations.md).

+ - **Create a two-page login**: If you don't select this option, the login page is one page. If you select this option, **Page 1** and **Page 2** tabs appear for you to configure separately.

+ - On the **Text** tab, a rich text editor is available for you to create your login page.

+ - Use the **Dynamic tag** control to customize the login page by inserting the available tags:

+ - **Insert user name**: The value that's added in the message body is `${userName}`.

+ - **Insert email**: The value that's added in the message body is `${emailAddress}`.

+ - **Insert date**: The value that's added in the message body is `${date|MM/dd/yyyy|offset}`.

+ - Use the **Use from default** control to select a built-in login page to start with as a template.

+ - The **Add Next button** control is available only on **Page 1** of two-page logins. The default text on the button is **Next** but you can change it.

+ - The **Add compromise button** control in available on one-page logins or on **Page 2** of two-page logins. The default text on the button is **Submit**, but you can change it.

+ - On the **Code** tab, you can view and modify the HTML code directly. Formatting and other controls like **Dynamic tag** and **Use from default** or **Add compromise button** aren't available.

+ - Use the **Preview login page** button at the top of the page to review the login page.

+ When you're finished, click **Next**.

+4. On the **Review login page** page, you can review the details of your login page.

+ You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.

+ When you're finished, click **Submit**.

+5. On the **New login page \<Name\> created** page, you can use the links to create a new login page, launch a simulation, or view all login pages.

+ When you're finished, click **Done**.

+Back on the **Tenant login pages** tab in **Login pages**, the login page that you created is now list.

+## Modify login pages

+You can't modify built-in login pages on the **Global login pages** tab. You can only modify custom login pages on the **Tenant login pages** tab.

+To modify an existing custom login page on the **Tenant login pages** tab, do one of the following steps:

+- Select the login page from the list by clicking the check box. Click the  **Edit** icon that appears.

+- Click **Γï«** (**Actions**) between the **Name** and **Language** values of the login page in the list, and then select  **Edit**.

+- Select the login page from the list by clicking the name. In the details flyout that opens, click  **Edit**.

+The login page wizard opens with the settings and values of the selected login page. The steps are the same as described in the [Create login pages](#create-login-pages) section.

+## Copy login pages

+To copy an existing login page on the **Tenant login pages** or **Global login pages** tabs, do one of the following steps:

+- Select the login page from the list by clicking the check box, and then click the  **Create a copy** icon that appears.

+- Click **Γï«** (**Actions**) between the **Name** and **Language** values of the login page in the list, and then select  **Create a copy**.

+The login page wizard opens with the settings and values of the selected login page. The steps are the same as described in the [Create login pages](#create-login-pages) section.

+> [!NOTE]

+> When you copy a built-in login page on the **Global login pages** tab, be sure to change the **Name** value. This step ensures the copy is saved as a custom login page on the **Tenant login pages** tab.

+>

+> The **Use from default** control on the **Configure login page** page in the login page wizard allows you to copy the contents of a built-in login page.

+## Remove login pages

+You can't remove built-in login pages from the **Global login pages** tab. You can only remove custom login pages on the **Tenant login pages** tab.

+To remove an existing custom login page from the **Tenant login pages** tab, do one of the following steps:

+- Select the login page from the list by clicking the check box, and then click the  **Delete** icon that appears.

+- Click **Γï«** (**Actions**) between the **Name** and **Language** values of the login page in the list, and then select  **Delete**.

+## Make a login page the default

+The default login page is the default selection that's used in **Credential harvest** or **Link in attachment** [payloads](attack-simulation-training-payloads.md) or [payload automations](attack-simulation-training-payload-automations.md).

+To make a login page the default on the **Tenant login pages** or **Global login pages** tabs, do one of the following steps:

+- Select the login page from the list by clicking the check box. Click the  **Mark as default** icon that appears.

+- Click **Γï«** (**Actions**) between the **Name** and **Language** values of the login page in the list, and then select  **Mark as default**.

+- Select the login page from the list by clicking the name. In the details flyout that opens, click  **Mark as default**.

+- Select **Make this the default login page** on the **Configure login page** page in the wizard when you [create or modify a login page](#create-login-pages).

+> [!NOTE]

+> The previous procedures are not available if the login page is already the default.

+>

+> The default login page is also marked in the list, although you might need to widen the **Name** column to see it:

+>

+> 

+## Related links

+[Get started using Attack simulation training](attack-simulation-training-get-started.md)

+[Create a phishing attack simulation](attack-simulation-training.md)

+[Simulation automations for Attack simulation training](attack-simulation-training-simulation-automations.md)

+ Title: Payloads in Attack simulation training

+# Payloads in Attack simulation training in Defender for Office 365

+ > Use the domain from the `5321.MailFrom` address (also known as the **MAIL FROM** address, P1 sender, or envelope sender) that's used in the SMTP transmission of the message **or** a DomainKeys Identified Mail (DKIM) domain as specified by your phishing simulation vendor.

+ > To configure a third-party phishing simulation in Advanced Delivery, you need to provide the following information:

+ >

+ >

+- **Third-party filters**: If your domain's MX record _doesn't_ point to Office 365 (messages are routed somewhere else first), [secure by default](secure-by-default.md) _is not available_. If you'd like to add protection, you'll need to enable Enhanced Filtering for Connectors (also known as _skip listing_). For more information, see [Manage mail flow using a third-party cloud service with Exchange Online](/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud). If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see [Use mail flow rules to set the SCL in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl).

+- **False positives under review**: You might want to temporarily allow certain messages that are still being analyzed by Microsoft via [admin submissions](admin-submission.md) to report known good messages that are incorrectly being marked as bad to Microsoft (false positives). As with all overrides, we _**highly recommended**_ that these allowances are temporary.

+2. On the **Priority account protection** page, turn on **Priority account protection** (:::image type="icon" source="../../media/scc-toggle-on.png" border="false":::).

+If you want to use Exchange Online PowerShell to turn on priority account protection, do the following steps:

+1. [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) and run the following command:

+ ```powershell

+ Set-EmailTenantSettings -EnablePriorityAccountProtection $true

+ ```

+2. To verify that priority account protection is turned on, run the following command to verify the EnablePriorityAccountProtection property value:

+ ```powershell

+ Get-EmailTenantSettings | Format-List Identity,EnablePriorityAccountProtection

+ ```

+ The value True means priority account protection is turned on. The value False means priority account protection is turned off.

+### Assign the Priority account tag to users

+Instead of an organizational setting, users or admins can add the sender email addresses to the Safe Senders list in the mailbox. For instructions, see [Configure junk email settings on Exchange Online mailboxes in Office 365](configure-junk-email-settings-on-exo-mailboxes.md). This method is not desirable in most situations since senders will bypass parts of the filtering stack. Although you trust the sender, the sender can still be compromised and send malicious content. Itt's better when you let our filters check every message and then [report the false positive/negative to Microsoft](report-junk-email-messages-to-microsoft.md) if we got it wrong. Bypassing the filtering stack also interferes with [zero-hour auto purge (ZAP)](zero-hour-auto-purge.md).

+By design and for increased security of Exchange Online mailboxes, only the junk email settings for safe senders, blocked senders, and blocked domains are recognized. Safe domains settings are ignored.

+- seo-marvel-apr2020

+- adminvideo

+For more information about Advanced Spam Filter (ASF) settings in anti-spam policies, see [Advanced Spam Filter (ASF) settings in EOP](advanced-spam-filtering-asf-options.md).

+|Security feature name|Default|Recommended<br/>Standard|Recommended<br/>Strict|Comment|

+||::|::|::||

+|**Image links to remote sites** <p> _IncreaseScoreWithImageLinks_|Off|Off|Off||

+|**Numeric IP address in URL** <p> _IncreaseScoreWithNumericIps_|Off|Off|Off||

+|**URL redirect to other port** <p> _IncreaseScoreWithRedirectToOtherPort_|Off|Off|Off||

+|**Links to .biz or .info websites** <p> _IncreaseScoreWithBizOrInfoUrls_|Off|Off|Off||

+|**Empty messages** <p> _MarkAsSpamEmptyMessages_|Off|Off|Off||

+|**Embed tags in HTML** <p> _MarkAsSpamEmbedTagsInHtml_|Off|Off|Off||

+|**JavaScript or VBScript in HTML** <p> _MarkAsSpamJavaScriptInHtml_|Off|Off|Off||

+|**Form tags in HTML** <p> _MarkAsSpamFormTagsInHtml_|Off|Off|Off||

+|**Frame or iframe tags in HTML** <p> _MarkAsSpamFramesInHtml_|Off|Off|Off||

+|**Web bugs in HTML** <p> _MarkAsSpamWebBugsInHtml_|Off|Off|Off||

+|**Object tags in HTML** <p> _MarkAsSpamObjectTagsInHtml_|Off|Off|Off||

+|**Sensitive words** <p> _MarkAsSpamSensitiveWordList_|Off|Off|Off||

+|**SPF record: hard fail** <p> _MarkAsSpamSpfRecordHardFail_|Off|Off|Off||

+|**Sender ID filtering hard fail** <p> _MarkAsSpamFromAddressAuthFail_|Off|Off|Off||

+|**Backscatter** <p> _MarkAsSpamNdrBackscatter_|Off|Off|Off||

+|**Test mode** <p> _TestModeAction_)|None|None|None|For ASF settings that support **Test** as an action, you can configure the test mode action to **None**, **Add default X-Header text**, or **Send Bcc message** (`None`, `AddXHeader`, or `BccMessage`). For more information, see [Enable, disable, or test ASF settings](advanced-spam-filtering-asf-options.md#enable-disable-or-test-asf-settings).|

+- [Spoofing allows using admin submission](allow-block-email-spoof.md#use-admin-submission-in-microsoft-365-defender): Create allowed spoofed sender entries using the Tenant Allow/Block List.

+- [Impersonation allows using admin submission](allow-block-email-spoof.md#create-impersonated-sender-entries): Add allows for impersonated senders using the Submissions page in Microsoft 365 Defender.

+- [View converted admin submission from user submission](admin-submission.md#convert-user-reported-messages-from-the-custom-mailbox-into-an-admin-submission): Configure the custom mailbox to intercept user-reported messages without sending the messages to Microsoft for analysis.

+- [View associated alert for user and admin submissions](admin-submission.md#view-associated-alert-for-user-and-admin-email-submissions): View the corresponding alert for each user reported phish message and admin email submission.

+ - (Choose to) Apply Preset Strict/Standard policies to entire organization and avoid the hassle of selecting specific recipient users, groups, or domains, thereby securing all recipient users of your organization.

+ - Configure impersonation protection settings for custom users and custom domains within Preset Strict/Standard policies and automatically protect your targeted users and targeted domain against impersonation attacks.

+- [Simplifying the quarantine experience (part two) in Microsoft 365 Defender for office 365](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/simplifying-the-quarantine-experience-part-two/ba-p/3354687): Highlights additional features to make the quarantine experience even more easy to use.

+This poster helps you decide which Microsoft telephony solution is right for users in your organization. It describes Phone System, Microsoft's technology for enabling call control and Private Branch Exchange (PBX) capabilities in Microsoft 365 with Microsoft Teams. The poster also describes options for connecting Phone System to the Public Switched Telephone Network (PSTN).

+|[](https://download.microsoft.com/download/4/3/5/435cd4e9-ca56-4fd1-acb6-d1fda7952320/microsoft-voice-solutions.pdf) <br/> [PDF](https://download.microsoft.com/download/4/3/5/435cd4e9-ca56-4fd1-acb6-d1fda7952320/microsoft-voice-solutions.pdf) \| [Visio](https://download.microsoft.com/download/7/5/c/75c13012-e20c-48bd-a6dd-ea49d1a3420d/microsoft-voice-solutions.vsdx) <br/>Updated June 2022 | For more information, see [Plan your Teams voice solution](/microsoftteams/cloud-voice-landing-page).|