+1. Go to the [Microsoft 365 admin center](https://portal.office.com/adminportal/home?#/MifoDevices), and choose **APNs Certificate for iOS**.

+1. On the Apple Push Notification Certificate Settings page, choose **Next**.

+1. Select Download your CSR file and save the certificate signing request to somewhere on your computer that you'll remember. Select **Next**.

+1. On the Create an APNs certificate page:

+1. Go back to Microsoft 365, and select **Next** to get to the **Upload APNS certificate** page.

+1. Browse to the APN certificate you downloaded from the Apple Push Certificates Portal.

+1. Select **Finish**.

+1. From your browser, type <https://compliance.microsoft.com/basicmobilityandsecurity>.

+ :::image type="content" source="../../media/basic-mobility-security/basic-mobility-microsoft-purview.png" alt-text="Basic Mobility and Security policy settings.":::

+1. From your browser, type [https://compliance.microsoft.com/basicmobilityandsecurity](https://compliance.microsoft.com/basicmobilityandsecurity).

+1. From your browser type: [https://compliance.microsoft.com/basicmobilityandsecurity](https://compliance.microsoft.com/basicmobilityandsecurity).

+1. From your browser, type [https://compliance.microsoft.com/basicmobilityandsecurity](https://compliance.microsoft.com/basicmobilityandsecurity).

+3. To block unsupported devices, choose **Access** under **If a device isn't supported by Basic Mobility and Security for Microsoft 365**, and then select **Save**.

+ :::image type="content" source="../../media/basic-mobility-security/basic-mobility-access.png" alt-text="Basic Mobility and Security block access option.":::

+1. From your browser, type [https://compliance.microsoft.com/basicmobilityandsecurity](https://compliance.microsoft.com/basicmobilityandsecurity).

+ :::image type="content" source="../../media/basic-mobility-security/basic-mobility-microsoft-purview.png" alt-text="Basic Mobility and Security create a policy option.":::

+ :::image type="content" source="../../media/basic-mobility-security/basic-mobility-groups.png" alt-text="Basic Mobility and Security allow access option.":::

+4. Select **Access**.

+ :::image type="content" source="../../media/basic-mobility-security/basic-mobility-access.png" alt-text="Basic Mobility and Security block access checkbox.":::

+1. Sign in to the Microsoft 365 admin center, and go to the [Mobile Device Management page](https://portal.office.com/adminportal/home?#/MifoDevices).

+1. Select **Let's get started**.

+2. Go to the [Microsoft 365 admin center](https://portal.office.com/adminportal/home?#/MifoDevices), and choose **APNs Certificate for iOS**.

+ :::image type="content" source="../../media/basic-mobility-security/basic-mobility-microsoft-purview.png" alt-text="Basic Security and Mobility policy settings.":::

+1. In your browser type: [https://compliance.microsoft.com/basicmobilityandsecurity](https://compliance.microsoft.com/basicmobilityandsecurity).

+1. In your browser type: [https://compliance.microsoft.com/basicmobilityandsecurity](https://compliance.microsoft.com/basicmobilityandsecurity).

+1. Sign in to the Microsoft 365 admin center, and go to the [Mobile Device Management page](https://portal.office.com/adminportal/home?#/MifoDevices).

+1. Select **Manage devices**.

+1. Select the device you want to wipe.

+1. Select **Manage**.

+1. Select the type of remote wipe you want to do.

+1. Select **Yes** to confirm.

+> [!NOTE]

+> The **Send As** and **Send on Behalf** permissions do not work in the Outlook desktop client with the *HiddenFromAddressListsEnabled* parameter on the mailbox set to **True**, since they require the mailbox to be visible in Outlook via the Global Address List.

+1. Go to the Microsoft Purview compliance portal at [https://compliance.microsoft.com](https://compliance.microsoft.com) and sign in.

+Depending on the specific alert, you can view your alerts in either the Microsoft 365 Defender portal or the Microsoft Purview compliance portal.

+| Compliance alert, such as when a user shares sensitive or confidential information (data loss prevention alert) or there's an unusual volume of external file sharing (information governance alert) | Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>, and then select **Policies** > **Alert** > **Alert policies**. |

+> [!NOTE]

+> Cancel your free trial any time to stop future charges. After your 1-month free trial, you will be charged the applicable subscription fee.

+- Microsoft Business Standard subscription

+ > [!NOTE]

+ > Source Code is trained to detect when the bulk of the text is source code. It does not detect source code text that is interspersed with plain text.

+- Arabic

+- Chinese (Traditional)

+- Dutch

+- Korean

+2. Select **Copy policy** command bar button on the command bar or select **Copy policy** from the action menu for the policy.

+3. In the **Copy policy** pane, you can accept the default name for the policy in the **Policy name** field or rename the policy. The policy name for the new policy can't be the same as an existing active or deactivated policy. Complete the **Description** field as needed.

+[Built-in trainable and global classifiers](/microsoft-365/compliance/classifier-learn-about) scan sent or received messages across all communication channels in your organization for different types of compliance issues. Classifiers use a combination of artificial intelligence and keywords to identify language in messages likely to violate anti-harassment policies. Built-in classifiers currently support message keyword identification in several languages:

+- **Customer Complaints**: Scans for feedback and complaints made about your organization's products or services.

+- **Harassment**: Scans for offensive conduct targeting people regarding race, color, religion, national origin.

+The data lifecycle management capabilities for inactive mailboxes and import of PST files don't require end-user documentation because these are admin operations only. To help users understand and interact with their archive mailboxes in Outlook after you've enabled this capability, see [Manage email storage with online archive mailboxes](https://support.microsoft.com/office/manage-email-storage-with-online-archive-mailboxes-1cae7d17-7813-4fe8-8ca2-9a5494e9a721).

+|Description of limit|Classic Case Limit|New Case Limit|

+||||

+|Total number of documents that can be added to a case (for all review sets in a case).|3 million|40 million|

+|Total file size per load set. This includes loading non-Office 365 into a review set.|300 GB|1 TB|

+|Total amount of data loaded into all review sets in the organization per day.<br/>|2 TB|2 TB|

+|Maximum number of load sets per case.|200|200|

+|Maximum number of review sets per case.|20|20|

+|Maximum number of tag groups per case.|1,000|1,000|

+|Maximum number of unique tags per case.|1,000¹|1,000¹|

+|Maximum concurrent jobs in your organization to add content to a review set. These jobs are named **Adding data to a review set** and are displayed on the **Jobs** tab in a case.|10²|10²|

+|Maximum concurrent jobs to add content to a review set per user. These jobs are named **Adding data to a review set** and are displayed on the **Jobs** tab in a case.|3|3|

+1. Go to the [Microsoft Purview compliance portal](https://compliance.microsoft.com/permissions).

+Note that Exceptions are considered conditions and all of these conditions work in Outlook, where they will match content and enforce protective actions on content. But showing policy tips to users is not yet supported.

+> [!NOTE]

+> Outlook does not support showing policy tips for a DLP polies that's applied to a dynamic distribution group or non-email enabled security groups.

+ Title: "Data move general FAQ"

+audience: ITPro

+ms.localizationpriority: medium

+search.appverid:

+- MET150

+f1.keywords:

+- NOCSH

+description: Find answers to frequently asked questions (FAQs) about moving core data to a new Office 365 datacenter geo.

+# Data move general FAQ

+Here are answers to general questions about moving core customer data at rest to a new datacenter geo.

+### What customers are eligible to request a move?

+<details><summary>Click to expand</summary>

+Existing Microsoft 365 commercial customers who selected a country eligible for the new datacenter geo will be able to request a move. The program exists only for tenants with an eligible country code assigned to the Microsoft 365 tenant to migrate core customer data at rest for eligible workloads to the corresponding Microsoft 365 datacenter geo. See [How to request your data move](request-your-data-move.md) to confirm country eligibility.

+</details>

+### How do we define Core Customer Data?

+<details><summary>Click to expand</summary>

+Core customer data is a term that refers to a subset of customer data defined in the [Microsoft Online Services Terms](https://aka.ms/ost):

+- Exchange Online mailbox content (email body, calendar entries, and the content of email attachments)

+- SharePoint Online site content and the files stored within that site

+- Files uploaded to OneDrive for Business

+</details>

+### What is in scope for Teams migration?

+<details><summary>Click to expand</summary>

+In addition to Exchange Online, SharePoint Online, and OneDrive for Business; Microsoft will migrate Teams data to the local datacenter.

+- Teams chat messages, including private messages and channel messages.

+- Teams images used in chats.

+Teams files are stored in SharePoint Online and Teams chat files are stored in OneDrive for Business. Voicemail, calendar, and contacts are stored in Exchange Online. In many cases, Exchange Online, SharePoint Online, and OneDrive for Business are already used by the customer in the local datacenter geo and are also part of the Microsoft 365 migration program for eligible customer countries.

+</details>

+### At what point is my migration complete so that my tenant's core customer data is being stored at rest in my new geo?

+<details><summary>Click to expand</summary>

+Due to shared dependencies between Exchange Online and SharePoint Online/OneDrive for Business, any migration cannot be considered

+completed until both services are migrated. Exchange Online and SharePoint Online/OneDrive for Business often migrate at separate times and independently from one another. Customer tenant admins receive confirmation in Message Center when each service migration is completed and can view the data location card in the Admin Center at any time to confirm the core customer data at rest location for

+each service.

+</details>

+### How do you make sure my customer data is safe during the move and that I won't experience downtime?

+<details><summary>Click to expand</summary>

+Data moves are a back-end service operation with minimal impact to end users. Features that can be impacted are listed in [During and after your data move](during-and-after-your-data-move.md). We adhere to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for availability so there is nothing that customers need to prepare for or to monitor during the move.

+All Microsoft 365 services run the same versions in the datacenters, so you can be assured of consistent functionality. Your service is fully supported throughout the process.

+</details>

+### What is the impact of having different services located in different geos?

+<details><summary>Click to expand</summary>

+Some of the Microsoft 365 services may be located in different geos for some existing customers and for customers that are in the middle of the move process. Our services run independently of each other and there is no impact on the user experience if this is the case. However, for data residency purposes, a tenant migration cannot be considered as complete until both Exchange Online and SharePoint Online/OneDrive for Business are migrated to the same datacenter geo.

+</details>

+### Where is my core customer data located?

+<details><summary>Click to expand</summary>

+Customer tenant admins can view the data location card in the Admin Center at any time to confirm the core customer data at rest location for each service, specifically for their tenant. We also publish the location of datacenter geos, datacenters, and location of Office 365 customer data on the [Microsoft 365 interactive datacenter maps](https://office.com/datamaps) as a reference for the current default core customer data at rest locations for new tenants. You can verify the location of your customer data at rest via the Data Location section under your Organization Profile in the Microsoft 365 admin center.

+</details>

+### When will I be able to request a move?

+<details><summary>Click to expand</summary>

+Please refer to the [How to request your data move](request-your-data-move.md) page for supported timeframes for your datacenter geo.

+</details>

+### How can I request to be moved?

+<details><summary>Click to expand</summary>

+Eligible customers will see a page in their [Microsoft 365 admin center](https://admin.microsoft.com/). Please see [How to request your data move](request-your-data-move.md) for instructions on how to request a move.

+</details>

+### Can I change my selection after requesting a move?

+<details><summary>Click to expand</summary>

+It is not possible for us to remove you from the process after you submit your request.

+</details>

+### What happens if I do not request a move before the deadline?

+<details><summary>Click to expand</summary>

+We cannot accept requests for migration after the open enrollment period.

+</details>

+### What if I want to move my data in order to get better network performance?

+<details><summary>Click to expand</summary>

+Physical proximity to a Microsoft 365 datacenter is not a guarantee for a better networking performance. There are many factors and components that affect the network performance between the end user and the Microsoft 365 service. For more information about this and performance tuning, see [Network planning and performance tuning for Microsoft 365](network-planning-and-performance.md).

+</details>

+### Do all the services move their data on the same day?

+<details><summary>Click to expand</summary>

+Each service moves independently and will likely move their data at different times.

+</details>

+### Can I choose when I want my data to be moved?

+<details><summary>Click to expand</summary>

+Customers are not able to select a specific date, they cannot delay their move, and we cannot share a specific date or timeframe for the moves.

+</details>

+### Can you share when my data will be moved?

+<details><summary>Click to expand</summary>

+Data moves are a back-end operation with minimal impact to end users. The complexity, precision, and scale at which we need to perform data moves within a globally operated and automated environment prohibit us from sharing when a data move is expected to complete for your tenant or any other single tenant. Customers will receive one confirmation in Message Center per participating service when its data move has completed.

+</details>

+### What happens if users access services while the data is being moved?

+<details><summary>Click to expand</summary>

+See [During and after your data move](during-and-after-your-data-move.md) for a complete list of features that may be limited during portions of the data move for each service.

+</details>

+### How do I know the move is complete?

+<details><summary>Click to expand</summary>

+Watch the Microsoft 365 Message Center for confirmation that the move of each service's data is complete. When each service's data is moved, we'll post a completion notice so you'll get three completion notices: one each for Exchange Online, SharePoint Online, and Skype for Business Online. You can also verify the location of your customer data at rest via the Data Location section under your Organization Profile in the Microsoft 365 admin center.

+</details>

+### I am a Microsoft 365 customer in one of the new datacenter geos, but when I signed up, I selected a different country. How can I be moved to the new datacenter geo?

+<details><summary>Click to expand</summary>

+It is not possible to change the signup country associated with your tenant. Instead, you need to create a new Microsoft 365 tenant with a new subscription and manually move your users and data to the new tenant.

+</details>

+### What happens if we are in process of email data migration to Microsoft 365 during the Exchange Online move?

+<details><summary>Click to expand</summary>

+This is a very common scenario and is fully supported. Cloud migration between datacenter geos does not interfere with any on-premises to cloud mailbox migrations.

+</details>

+### Can I pilot some users?

+<details><summary>Click to expand</summary>

+You can create a separate trial tenant to test connectivity, but the trial tenant can't be combined in any way with your existing tenant.

+</details>

+### I don't want to wait for Microsoft to move my data. Can I just create a new tenant and move myself?

+<details><summary>Click to expand</summary>

+Yes, however the process will not be as seamless as if Microsoft were to perform the data move.

+If you create a new tenant after the new datacenter geo is available, the new tenant will be hosted in the new geo. This new tenant is completely separate from your previous tenant and you would be responsible for moving all user mailboxes, site content, domain names, and any other data. Note that you can't move the tenant name from one tenant to another. We recommend that you wait for the move program provided by Microsoft as we'll take care of moving all settings, data, and subscriptions for your users.

+</details>

+### My customer data has already been moved to a new datacenter geo. Can I move back?

+<details><summary>Click to expand</summary>

+No, this is not possible. Customers who have been moved to new geo datacenters cannot be moved back. As a customer in any geo, you will experience the same quality of service, performance, and security controls as you did before. [Microsoft 365 Multi Geo](https://aka.ms/multi-geo) is available to some customers as an add-on and lets a single tenant create multiple satellite geos and move user data to those geos with data residency commitments.

+</details>

+### Will Microsoft 365 tenants hosted in the new datacenters be available to users outside of the country?

+<details><summary>Click to expand</summary>

+Yes. Microsoft maintains a large global network with public Internet connections in more than 130 locations in 35 countries around the world with peering agreements with more than 2,700 Internet Service Providers (ISPs). Users will be able to access the datacenters from wherever they are on the Internet.

+</details>

+### My tenant has configured the Multi Geo add-on. Can I still enroll in my tenant in the Microsoft 365 Move Program? to change my default geo and move any user not in a satellite region to the new default geo?

+<details><summary>Click to expand</summary>

+Yes, your tenant is eligible to enroll but there are significant considerations as tenant-level move is not fully supported for customers that have configured [Multi-Geo](https://aka.ms/multi-geo).

+SharePoint Online and OneDrive for Business cannot migrate to the new datacenter geo at the tenant level through this program. The customer administrator can configure OneDrive for Business shares to move to any available region using Multi-Geo, but the default location for the tenant cannot be changed once Multi-Geo has been configured for a tenant.

+For customers that opt-in for migration - we will move all Exchange Online mailboxes from your current default geo to your new local datacenter geo and update the default Exchange Online region. We will not move any EXO mailboxes configured in Multi Geo satellite regions to continue to respect satellite region data residency as you"ve intended. Teams chat service tenant migrations for customers with a Multi Geo configuration behave similarly to Exchange Online.

+</details>

+### I have public folders deployed in my tenant. What will be the impact on public folder access during or after the move?

+<details><summary>Click to expand</summary>

+There is no impact to end users accessing public folders during or after the move of public folders. However, the public folders may not be available for administration in the Exchange Admin Center tool till all public folder mailboxes are moved in same region. Please check [this article](https://aka.ms/pfxrf) for more details.

+</details>

+### Related topics

+[Moving core data to new Microsoft 365 datacenter geos](moving-data-to-new-datacenter-geos.md)

+[How to request your data move](request-your-data-move.md)

+[Microsoft 365 Multi Geo](https://aka.ms/multi-geo)

+[Microsoft 365 interactive datacenter map](https://office.com/datamaps)

+[Microsoft 365 Support](../admin/get-help-support.md)

+[New datacenter geos for Microsoft Dynamics CRM Online](/power-platform/admin/new-datacenter-regions)

+[Azure services by region](https://azure.microsoft.com/regions/)

+> Moves occur at different times for each service. As a result, you'll see the described reduced functionality for each service at a different time.

+Watch the Microsoft 365 Message Center for confirmation when moves for each of Exchange Online, SharePoint Online, and Teams chat service complete. As shown in the table below, it can take up to 24 months after the end of the enrollment period to complete core customer data at rest moves to the new datacenter geo.

+Some users open a shared mail folder from another mailbox (that the user has read or write permissions to) in Outlook Web Access using the "Shared Folder" feature. The following table describes how access to shared folders works during a mailbox move. Please note that users with full permissions to a shared mailbox can open the mailbox by using Outlook Web Access during the move.

+In the course of moving your SharePoint Online data, we migrate your search index and search settings to a new location. Until we've **completed** the move of your SharePoint Online data, we continue to serve your users from the index in the original location. In the new location, search automatically starts crawling your content after we've completed moving your SharePoint Online data. From this point and onwards we serve your users from the migrated index. Changes to your content that occurred after the migration aren't included in the migrated index until crawling picks them up. Most customers don't notice that results are less fresh right after we've completed moving their SharePoint Online data, but some customers might experience reduced freshness in the first 24-48 hours.

+Skype for Business moves are no longer available. [Skype for Business Online will be retired](/lifecycle/announcements/skype-for-business-online-retirement) on July 31, 2021. After that time, the service will no longer be accessible.

+## Related topics

+[Data move general FAQ](data-move-faq.md)

+With the growing adoption and support of IPv6 across enterprise networks, service providers and devices, many customers are wondering if their users can continue to access Microsoft 365 services from IPv6 clients and IPv6 networks. Microsoft 365 services can be successfully used from both IPv6 dual stack and IPv6-only devices. In fact, we have an increasing number of customers, from consumers to large enterprises, who are moving towards greater adoption of IPv6. For most customers, IPv4 won't completely disappear from their digital landscape, so we aren't planning to require IPv6 or to de-prioritize IPv4 in any Microsoft 365 features or services.

+One of our key priorities with Microsoft 365 is to ensure seamless customer and user experiences over the Internet from any location, from any device. This includes access to Microsoft 365 from customer devices that are using IPv6 in the dual stack configuration as well as transitioning to IPv6-only client deployments. In most cases, when you follow a standard Internet-based model of connecting to Microsoft 365 as described in [Microsoft 365 network connectivity principles](microsoft-365-network-connectivity-principles.md), [Microsoft 365 URLs and IP address ranges](urls-and-ip-address-ranges.md), and [Microsoft 365 network planning best practices](network-and-migration-planning.md#best-practices-for-network-planning-and-improving-migration-performance-for-office-365), IPv6 transitions won't be disruptive to your user experience.

+Many Microsoft 365 services already provide native IPv6 support today and can be accessed directly from IPv6 dual stack and IPv6-only clients. Microsoft 365 also allows access through conventional IPv6 to IPv4 translation technologies (such as base 64 proxies or DNS64/NAT64) commonly used by customers and network solution providers to connect to IPv4 Internet resources.

+As with any SaaS service and the Internet overall, the scope of natively IPv6 enabled Microsoft 365 interfaces, features and APIs expands continuously and without direct customer action or control. If you're running IPv6 or IPv6-only services on your networks that need access to Microsoft 365 and the Internet, it is recommended that you include dynamic IPv6/IPv4 transitional mechanisms such as DNS64/NAT64 to ensure end-to-end IPv6 connectivity to Microsoft 365 without any further network reconfigurations.

+Most of Microsoft 365 services have been or will be enabled with IPv6 capabilities completely transparently for end users and IT admins. Some Microsoft 365 scenarios (such as anonymous inbound e-mail) do have special requirements and considerations for use in conjunction with IPv6. For more details about scenario specific IPv6 requirements and considerations, please contact your Microsoft account team or Microsoft support.

+Here's a short link you can use to come back: [https://aka.ms/o365ip6](https://aka.ms/o365ip6)

+## See also

+[Microsoft 365 Network Connectivity Overview](microsoft-365-networking-overview.md)

+[Managing Office 365 endpoints](managing-office-365-endpoints.md)

+[Office 365 URLs and IP address ranges](urls-and-ip-address-ranges.md)

+[Office 365 IP Address and URL Web service](microsoft-365-ip-web-service.md)

+[Assessing Microsoft 365 network connectivity](assessing-network-connectivity.md)

+[Network planning and performance tuning for Microsoft 365](network-planning-and-performance.md)

+[Office 365 performance tuning using baselines and performance history](performance-tuning-using-baselines-and-history.md)

+[Performance troubleshooting plan for Office 365](performance-troubleshooting-plan.md)

+[Content Delivery Networks](content-delivery-networks.md)

+[Microsoft 365 connectivity test](https://aka.ms/netonboard)

+[How Microsoft builds its fast and reliable global network](https://azure.microsoft.com/blog/how-microsoft-builds-its-fast-and-reliable-global-network/)

+[Office 365 Networking blog](https://techcommunity.microsoft.com/t5/Office-365-Networking/bd-p/Office365Networking)

+We continue to open new datacenter geos for Microsoft 365 services. These new datacenter geos add capacity and compute resources to support our ongoing customer demand and usage growth. Additionally, the new datacenter geos offer in-geo data residency for core customer data.

+Core customer data is a term that refers to a subset of customer data including:

+A complete list of all datacenter geos, datacenters, and the location of customer data at rest is available as part of the [interactive datacenter maps](https://office.com/datamaps).

+The complexity, precision and scale at which we need to perform data moves within a globally operated and automated environment prohibit us from sharing when a data move is expected to complete for your tenant or any other single tenant. Customers will receive one confirmation in Message Center per participating service when its data move has completed.

+Data moves are a back-end service operation with minimal impact to end-users. Features that can be impacted are listed on the [During and after your data move](during-and-after-your-data-move.md) page. We adhere to the [Microsoft Online Services Service Level Agreement (SLA)](https://go.microsoft.com/fwlink/p/?LinkId=523897) for availability so there is nothing that customers need to prepare for or to monitor during the move. Notification of any service maintenance is done if needed.

+## Related topics

+[Data move general FAQ](data-move-faq.md)

+If your business is located in the European Union, see [Data locations for the European Union](EU-data-storage-locations.md) for more information.

+Customers should view tenant specific data location information in your Microsoft 365 admin center in **Settings** > **Org settings** > <a href="https://go.microsoft.com/fwlink/p/?linkid=2067339" target="_blank">**Organization profile** tab</a> > **Data location**. If you [requested to move to a new Geo](request-your-data-move.md), the data location information in the Microsoft 365 admin center may show only your new Geo even though some data may be stored temporarily in your prior Geo during the transition.

+If Customer's billing address is outside Europe and Customer has an Office 365 Education subscription, then notwithstanding the "Location of Customer Data at Rest for Core Online Services" section of the OST, Microsoft may provision Customer's Office 365 tenant in, transfer Customer Data to, and store Customer Data at rest anywhere within Europe or North America. If Customer's billing address is in Europe and Customer has an Office 365 Education subscription, then notwithstanding the "Location of Customer Data at Rest for Core Online Services" section of the OST, Microsoft may provision Customer's Office 365 tenant in, transfer Customer Data to, and store Customer Data at rest anywhere within the European Union.

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+[Multi-Geo](https://go.microsoft.com/fwlink/p/?linkid=872033) gives customers the ability to allocate core customer data at rest to our available locations in the Microsoft 365 cloud.

+</details>

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+</details>

+<details><summary>Click to expand</summary>

+Microsoft will not store Intune customer data at rest outside the stated geo, except if:

+Regardless, Microsoft does not control or limit the Geo from which customers or their end users may access customer data. Similarly, where customer data in other services is subsequently integrated into Intune, the originating customer data will continue to be stored subject to the other service's own Geo commitments (if any); only the copy of the customer data integrated into Intune will be stored in the stated Geo for Intune.

+</details>

+<details><summary>Click to expand</summary>

+ - Data for the Dashboard, Resources, and desktop app is stored in SharePoint Online.

+ - The Feed includes content from SharePoint Online (News), Stream (stored at rest in SharePoint Online), and Yammer (stored at rest in Yammer).

+</details>

+The following global geographies can store data at rest. The locations where customer data may be stored can change.

+Eligible Microsoft 365 customers may request migration for their entire organization's core customer data at rest. The program supports requests for each country in the time period described in the table and from customers with an eligible signup country associated with their Microsoft 365 tenant.

+[Data move general FAQ](data-move-faq.md)

+## [Defender Vulnerability Management](../defender-vulnerability-management/index.yml)

+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-endpoint)

+- [Microsoft Defender for Endpoint Plan 1](/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1)

+> Defender for Endpoint doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](/windows-hardware/test/assessments/out-of-box-experience) phase. Make sure users complete OOBE after running Windows installation or upgrading.

+- [Intune](/mem/intune/fundamentals/deployment-guide-intune-setup)

+|Microsoft Defender for Endpoint URL list for commercial customers| Spreadsheet of specific DNS records for service locations, geographic locations, and OS for commercial customers. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/6/b/f/6bfff670-47c3-4e45-b01b-64a2610eaefa/mde-urls-commercial.xlsx) <p> Note that Microsoft Defender for Endpoint Plan 1 and Plan 2 share the same proxy service URLs.

+- Windows 10 Enterprise

+- Windows 10 Enterprise LTSC 2016 (or later)](/windows/whats-new/ltsc/)

+- Windows 10 Enterprise IoT

+- macOS (the three most recent releases are supported)

+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)

+Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Microsoft Defender for Cloud*](/azure/defender-for-cloud/endpoint-protection-recommendations-technical)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD.

+Article | Description

+For Azure-based virtual machines, see [Install Endpoint Protection in Microsoft Defender for Cloud](/azure/defender-for-cloud/endpoint-protection-recommendations-technical).

+ Title: Get started with troubleshooting mode in Microsoft Defender for Endpoint (preview)

+# Get started with troubleshooting mode in Microsoft Defender for Endpoint (preview)

+>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)

+> [!IMPORTANT]

+> Some information relates to pre-released products which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+Microsoft is part of the [Microsoft Virus Information Alliance (VIA)](/microsoft-365/security/intelligence/virus-information-alliance-criteria) program. This effort is a public collaboration program to help fight cybercrime. Microsoft names specific malware according to the [Computer Antivirus Research Organization (CARO)](/microsoft-365/security/intelligence/malware-naming). For example, Microsoft detects the Sunburst cyberattack as **Trojan:MSIL/Solorigate.BR!dha**.

+The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sample configuration file (name *ProcessMitigation.xml* (Selfhost v4) you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an [Enhanced Mitigation Experience Toolkit (no longer supported)](/lifecycle/products/enhanced-mitigation-experience-toolkit-emet) configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and review the settings in the Windows Security app.

+- **MAM without device enrollment**: MAM without device enrollment, or MAM-WE, allows IT administrators to manage apps using [App Protection Policies](/mem/intune/apps/app-protection-policy) on devices not enrolled with Intune MDM. This means apps can be managed by Intune on devices enrolled with third-party EMM providers.

+After your deployment you should consider creating and deploying a configuration file to the servers based on [Set preferences for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-preferences).

+ |For RHEL/Centos/Oracle 7.2-7.9 & Amazon Linux 2 |</azure/cognitive-services/speech-service/how-to-configure-rhel-centos-7>|

+ <!--|For RHEL/Centos 6.7-6.10|<https://packages.microsoft.com/config/rhel/6/[channel].repo>|-->

+> - The analyzer requires 'lxml' to produce the result output. If not installed, the analyzer will try to fetch it from the official repository for python packages below: <https://pypi.org/search/?q=lxml>

+- Audited_info.txt

+ Description: details on audited service and related components for [Linux](/microsoft-365/security/defender-endpoint/linux-resources) OS

+> - [Reparse point files](/windows-hardware/drivers/ifs/reparse-points)

+> - [Sparse files](/windows-server/administration/windows-commands/fsutil-sparse)

+Access the device inventory page by selecting **Device inventory** from the **Endpoints** navigation menu in the [Microsoft 365 Defender portal](/microsoft-365/security/defender-business/mdb-get-started).

+|**Manage your organization's attack surface reduction rules** <br/><br/> *Customize your attack surface reduction rules by excluding files & folders, or by adding custom text to notification alerts that appear on users' devices.*|[Customize attack surface reduction rules with Group Policy Objects](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement)|

+You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.

+|**Configure attack surface reduction rules** with PowerShell <br/><br/> *You can use PowerShell to exclude files and folders from attack surface reduction rules.*|[Customize attack surface reduction rules: Use PowerShell to exclude files & folders](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction) <br/><br/> Also, see [Ant├│nio Vasconcelo's graphical user interface tool for setting attack surface reduction rules with PowerShell](https://github.com/anvascon/MDATP_PoSh_Scripts/tree/master/ASR%20GUI).|

+- [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft anti-malware](/microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus) <sup>[[2](#fn1)]

+> You can, however, [set the number of days before protection is reported as out-of-date](/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus).<p>

+- Potentially unwanted applications (PUA) protection is turned on by default for consumers (See [Block potentially unwanted applications with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).)

+> - On Windows 8.1, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](/previous-versions/system-center/system-center-2012-R2/hh508760(v=technet.10)), which is managed through Microsoft Endpoint Configuration Manager.

+|Windows Server 2022 <br/> Windows Server 2019<br/> Windows Server, version 1803, or newer <br/> Windows Server 2016 <br/> Windows Server 2012 R2 |Microsoft Defender Antivirus|Active mode|

+|Windows Server 2022<br/>Windows Server 2019<br/>Windows Server, version 1803, or newer <br/> Windows Server 2016 |A non-Microsoft antivirus/antimalware solution|Disabled (set manually) ^[[1](#fn1)]|

+3. Select **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check your current against the latest version available for manual download, or review the change log for that version. See [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus).

+| [BDO Digital](/openspecs/ie_standards/ms-html401/ad459f6f-5219-4f68-829c-a58f7397a11f) | BDO Digital's Managed Defense uses best practice tools, AI, and in-house security experts for 24/7/365 identity protection

+- Run a malware detection test on an Android device: Install any test virus app from the Google play store and verify that it gets detected by Microsoft Defender for Endpoint. Here is an example app that can be used for this test: [Test virus](https://play.google.com/store/apps/details?id=com.antivirus&hl=en_US&gl=US). Note that on Android Enterprise with a work profile, only the work profile is supported.

+> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1). Alternatively, a Microsoft Defender for servers license is required, per node, in order to onboard a Windows server through Microsoft Defender for Cloud (Option 2), see [Supported features available in Microsoft Defender for Cloud](/azure/defender-for-cloud/supported-machines-endpoint-solutions-clouds-servers).

+ [For Windows Server 2008 R2 x64](/iis/install/installing-iis-7/install-windows-server-2008-and-windows-server-2008-r2)

+|[XM Cyber](/microsoft-365/compliance/insider-risk-management-configure)|Prioritize your response to an alert based on risk factors and high value assets

+|[Blue Hexagon for Network](/learn/modules/explore-malware-threat-protection/)|Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection

+- Your Windows devices must be running Windows 11 or Windows 10 [1709](/lifecycle/announcements/revised-end-of-service-windows-10-1709), [1803](/lifecycle/announcements/windows-server-1803-end-of-servicing), [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later. (For more information about releases, see [Windows 10 release information](/windows/release-health/release-information).)

+> After you've made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors.

+- Windows 10 OS [1709](/lifecycle/announcements/revised-end-of-service-windows-10-1709), [1803](/lifecycle/announcements/windows-server-1803-end-of-servicing), [1809](/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint).

+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](/windows/whats-new/whats-new-windows-10-version-1507-and-1511), also see the [Security auditing](/windows/security/threat-protection/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-microsoft-defender-antivirus.md).

+You can also [monitor malware events using the Malware Assessment solution in Log Analytics](/security/benchmark/azure/security-control-logging-monitoring).

+> - For Linux, the analyzer requires 'lxml' to produce the result output. If not installed, the analyzer will try to fetch it from the official repository for python packages below: <https://pypi.org/search/?q=lxml>

+- Audited_info.txt

+ Description: details on audited service and related components for [Linux](/microsoft-365/security/defender-endpoint/linux-resources) OS

+|Windows 11 <br/><br/>Windows 10, [version 1803](/lifecycle/announcements/windows-server-1803-end-of-servicing) or later (See [Windows 10 release information](/windows/release-health/release-information))<br/><br/>Windows 10, version 1703 or 1709 with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/><br/> Windows Server 2022<br/><br/>[Windows Server 2019](/windows/release-health/status-windows-10-1809-and-windows-server-2019) <br/><br/>[Windows Server 2016](/windows/release-health/status-windows-10-1607-and-windows-server-2016)<br/><br/>[Windows Server 2012 R2](/windows/release-health/status-windows-8.1-and-windows-server-2012-r2)<br/><br/>[Windows Server, version 1803](/windows-server/get-started/whats-new-in-windows-server-1803) | `C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCM.exe`<br/><br/>In addition, on Windows Server 2012 R2 and 2016 running the modern, unified solution the following exclusions are required after updating the Sense EDR component using [KB5005292](https://support.microsoft.com/en-us/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac):<br/> <br/> `C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\MsSense.exe` <br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCnCProxy.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseIR.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCE.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseSampleUploader.exe`<br/><br/>`C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exe` |

+<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.

+<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.

+<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.

+<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.

+<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.

+The real-time protection feature has restarted. If this event happens again, contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.

+<li>If it fails in the same way, look up the error code by accessing the <a href="https://go.microsoft.com/fwlink/?LinkId=215163">Microsoft Support Site</a> and entering the error number in the <b>Search</b> box, and contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.</li>

+<li>Contact <a href="/microsoft-365/admin/get-help-support">Microsoft Technical Support</a>.

+ - /windows/iot/iot-enterprise/commercialization/licensing

+ Title: Troubleshooting mode scenarios in Microsoft Defender for Endpoint (preview)

+# Troubleshooting mode scenarios in Microsoft Defender for Endpoint (preview)

+> [!IMPORTANT]

+> Some information relates to pre-released products which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)

+ Title: Redirecting accounts from Microsoft Defender for Identity to Microsoft 365 Defender

+description: How to redirect accounts and sessions from Defender for Identity to Microsoft 365 Defender.

+keywords: Microsoft 365 Defender, Getting started with Microsoft 365 Defender, security center redirection

+search.product: eADQiWindows 10XVcnh

+search.appverid: met150

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ - M365-security-compliance

+ms.technology: m365d

+# Redirecting accounts from Microsoft Defender for Identity to Microsoft 365 Defender

+**Applies to:**

+- Microsoft 365 Defender

+- Defender for Identity

+This guide explains how to route accounts to Microsoft 365 Defender by enabling automatic redirection from the former Microsoft Defender for Identity portal (portal.atp.azure.com), to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>.

+## What to expect

+Once automatic redirection is enabled, accounts accessing the former Microsoft Defender for Identity portal at portal.atp.azure.com, will be automatically routed to the Microsoft 365 Defender portal at <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">security.microsoft.com</a>.

+## When does this take effect?

+Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied won't be ejected from their session and will only be routed to Microsoft 365 Defender after ending their current session and signing back in again.

+### Set up portal redirection

+To start routing accounts to Microsoft 365 Defender:

+1. Make sure you're a global administrator or have security administrator permissions in Azure Active Directory.

+1. Sign in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a>.

+1. Navigate to **Settings** > **Identities** > **General** > **Portal redirection** or [click here](https://security.microsoft.com/preferences2/portal_redirection).

+ :::image type="content" source="../../media/portal-redirection.png" alt-text="Portal redirection."lightbox="../../media/portal-redirection.png":::

+1. Toggle the Automatic redirection setting to **On**.

+>[!IMPORTANT]

+>Enabling this setting will not terminate active user sessions. Accounts who are in an active session while this setting is applied will only be directed to Microsoft 365 Defender after ending their current session and signing in again.

+>[!NOTE]

+>You must be a global administrator or have security administrator permissions in Azure Active Directory to enable or disable this setting.

+## Can I go back to using the former portal?

+If something isn't working for you or if there's anything you're unable to complete through Microsoft 365 Defender, we want to hear about it. If you've encountered any issues with redirection, we encourage you to let us know by using the Give feedback submission form.

+To revert to the former Microsoft Defender for Identity portal:

+1. Sign in to <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender</a> as a global administrator or using and account with security administrator permissions in Azure Active directory.

+2. Navigate to **Settings** > **Identities** > **General** > **Portal redirection** or [open the page here](https://security.microsoft.com/preferences2/portal_redirection).

+3. Toggle the Automatic redirection setting to **Off**.

+This setting can be enabled again at any time.

+Once disabled, accounts will no longer be routed to security.microsoft.com.

+## Related information

+- [Microsoft 365 Defender overview](microsoft-365-defender.md)

+- [About Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)

+- [Microsoft security portals and admin centers](portals.md)

+- Use a tool like [Office 365 Secure Score](/microsoft-365/security/defender/microsoft-secure-score) to manage account security configurations and behaviors.

+To add spoofed sender entries in the Tenant Allow/Block List in [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell), use the following syntax:

+For more information about using Defender for Cloud Apps, see [Microsoft Defender for Cloud Apps documentation](/defender-cloud-apps/).

+- [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo)

+> For information about securing _privileged accounts_ (admin accounts), see [this topic](/security/compass/critical-impact-accounts).

+See: [Named locations in Azure Active Directory](/azure/active-directory/conditional-access/location-condition)

+- For information about securing _privileged accounts_ (admin accounts), see [this topic](/security/compass/critical-impact-accounts).

+> Changes to cross-tenant access settings may take up to three hours fifteen minutes to take effect.

+ Title: 'Clone an existing package'

+description: How to clone an existing package

+search.appverid: MET150

+audience: Software-Vendor

+ms.localizationpriority: medium

+f1.keywords: NOCSH

+# Clone an existing package

+In this section, you'll learn how to create a new package by duplicating your previously published package as a starting point. There are multiple entrances on Test Base portal for you to start the clone package journey.

+> [!IMPORTANT]

+> To use the clone package function, you need to have at least one successfully uploaded package on Test Base.

+## Starting from the New package page

+> [!div class="mx-imgBorder"]

+> [  ](Media/clonepackage01_guidance.png#lightbox)

+1. On the **New package** page, you can select on the **Clone existing package**. Then select one package from the existing package list and click on **'Clone'**.

+ > [!div class="mx-imgBorder"]

+ > [  ](Media/clonepackage02_clone_package.png#lightbox)

+2. You'll be directed to the New package creation steps with all information and configuration pre-populated as same as the package you cloned. The only information you must have to change is the **Package version** under the **Basic information** section.

+ > [!NOTE]

+ > The combination of package name and version must be unique within your Test Base account.

+ > [!div class="mx-imgBorder"]

+ > [  ](Media/clonepackage03_basic_information.png#lightbox)

+3. You're able to:

+ - preview all pre-populated package setting information duplicating from the clone package.

+ - make any changes from step 1 to step 4 (See Uploading pre-built zip package for more detailed instruction).

+ - review and publish to Test Base.

+## Starting from the Manage packages page

+On the **Manage packages** page, you can clone a package by selecting on the **'Clone'** icon under the Quick actions column.

+> [!div class="mx-imgBorder"]

+> [  ](Media/clonepackage04_manage_packages.png#lightbox)

+Or you can go to the **Package overview** page of the specific package youΓÇÖve selected from the **Manage packages** page and select on the **Clone package** icon in the top action menu.

+> [!div class="mx-imgBorder"]

+> [  ](Media/clonepackage05_overview.png#lightbox)

+In this section, you'll learn how to create packages with different types of applications for uploading and testing on **Test Base**. Application types consist of the following values:

+ > [!div class="mx-imgBorder"]

+ > 

+ - **Test Binaries files**

+ See [Creating and Testing Binary Files on Test Base](testapplication.md) to prepare a package with a Binary application file (.exe, .msi) for uploading and testing.

+ - **Intunewin app**

+ See [Test your Intune app on Test Base](testintuneapplication.md) to prepare a package with an Intune application file (.intunewin) for uploading and testing.

+ - **Pre-built Zip package**

+ See [Uploading pre-built zip package](uploadApplication.md) if you already have an offline built package in .zip format.

+ - **Clone existing package**

+ See [Clone an existing package](clonepackage.md) to create a new package by duplicating your previously published package.