Updates from: 06/08/2021 03:10:34
Category Microsoft Docs article Related commit history on GitHub Change details
admin Activity Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/activity-reports.md
You can easily see how people in your business are using Microsoft 365 services.
Reports are available for the last 7 days, 30 days, 90 days, and 180 days. Data won't exist for all reporting periods right away. The reports become available within 48 hours.
-Watch this video for on overview: on how you can use the reports:
+## Watch: Act on a usage report in Office 365
> [!VIDEO https://www.microsoft.com/videoplayer/embed/fb726f8e-aead-43b2-ba0f-53ba5b886bf7?autoplay=false]
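Review bot: The new heading "## Watch: Act on a usage report in Office 365" uses the Office 365 name, while the opening sentence of the same article refers to "Microsoft 365 services". If the video title is not fixed by the video itself, use one product name throughout so the heading matches the rest of the page.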
Depending on your subscription, here are the available reports.
- [Microsoft browser usage](browser-usage-report.md) - [Email activity](email-activity-ww.md)--- [Email activity for US Government](email-activity.md) - [Mailbox usage](mailbox-usage.md) - [Office activations](microsoft-office-activations-ww.md) -- [Office activations for US Government](microsoft-office-activations.md)- - [Active Users](active-users-ww.md)--- [Active Users for US Government](active-users.md) - [Email apps usage](email-apps-usage-ww.md) -- [Email apps usage for US Government](email-apps-usage.md)- - [Forms activity](forms-activity-ww.md) -- [Forms activity for US Government](forms-activity.md)- - [Dynamics 365 Customer Voice activity](forms-pro-activity-ww.md)
-
-- [Dynamics 365 Customer Voice activity for US Government](forms-pro-activity.md) - [Microsoft 365 groups](office-365-groups-ww.md)--- [Microsoft 365 groups for US Government](office-365-groups.md) - [OneDrive for Business user activity](onedrive-for-business-activity-ww.md) -- [OneDrive for Business user activity for US Government](onedrive-for-business-activity.md)- - [OneDrive for Business usage](onedrive-for-business-usage-ww.md) -- [OneDrive for Business usage for US Government](onedrive-for-business-usage.md)- - [Microsoft 365 Apps usage](microsoft365-apps-usage-ww.md) - [SharePoint site usage](sharepoint-site-usage-ww.md)--- [SharePoint site usage for US Government](sharepoint-site-usage.md) - [SharePoint activity](sharepoint-activity-ww.md)--- [SharePoint activity for US Government](sharepoint-activity.md) - [Skype for Business Online activity](/SkypeForBusiness/skype-for-business-online-reporting/activity-report)
Depending on your subscription, here are the available reports.
- [Yammer activity](yammer-activity-report-ww.md) -- [Yammer activity for US Government](yammer-activity-report.md)- - [Yammer device usage](yammer-device-usage-report-ww.md) -- [Yammer device usage for US Government](yammer-device-usage-report.md)- - [Yammer groups activity report](yammer-groups-activity-report-ww.md) -- [Yammer groups activity report for US Government](yammer-groups-activity-report.md)- - [Microsoft Teams user activity](microsoft-teams-user-activity-preview.md) -- [Microsoft Teams user activity for US Government](microsoft-teams-user-activity.md)- - [Microsoft Teams device usage](microsoft-teams-device-usage-preview.md) -- [Microsoft Teams device usage for US Government](microsoft-teams-device-usage.md)- ## How to view licensing information - To see how many licenses you have assigned and unassigned, in the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842264" target="_blank">Licenses</a> page.
However, when you select a particular day (see number 3), up to 28 days from the
## Related content
-[Reports in the Security &amp; Compliance Center](../../compliance/reports-in-security-and-compliance.md) (article)
-
-[Microsoft 365 usage analytics](../usage-analytics/usage-analytics.md) (article)
-
+[Reports in the Security &amp; Compliance Center](../../compliance/reports-in-security-and-compliance.md) (article)\
+[Microsoft 365 usage analytics](../usage-analytics/usage-analytics.md) (article)\
[Customize the reports in Microsoft 365 usage analytics](../usage-analytics/customize-reports.md) (article)
admin About Admin Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-admin-roles.md
You'll probably only need to assign the following roles in your organization. By
|License admin | Assign the License admin role to users who need to assign and remove licenses from users and edit their usage location. <br/><br/> License admins also can: <br> - Reprocess license assignments for group-based licensing <br> - Assign product licenses to groups for group-based licensing | |Office Apps admin | Assign the Office Apps admin role to users who need to do the following: <br> - Use the Office cloud policy service to create and manage cloud-based policies for Office <br> - Create and manage service requests <br> - Manage the What's New content that users see in their Office apps <br> - Monitor service health | |Password admin | Assign the Password admin role to a user who needs to reset passwords for non-administrators and Password Administrators. |
-|Service support admin | Assign the Service Support admin role as an additional role to admins or users need to do the following in addition to their usual admin role: <br> - Open and manage service requests <br> - View and share message center posts <br> - Monitor service health |
+|Message center reader | Assign the Reports reader role to users who need to do the following: <br> - Monitor message center notifications <br> - Get weekly email digests of message center posts and updates <br> - Share message center posts <br> - Have read-only access to Azure AD services, such as users and groups|
+|Power Platform admin | Assign the Reports reader role to users who need to do the following: <br> - Manage all admin features for PowerApps, Microsoft Flow, and data loss prevention <br> - Create and manage service requests <br> - Monitor service health |
+|Reports reader | Assign the Reports reader role to users who need to do the following: <br> - View usage data and the activity reports in the Microsoft 365 admin center <br> - Get access to the Power BI adoption content pack <br> - Get access to sign-in reports and activity in Azure AD <br> - View data returned by Microsoft Graph reporting API|
+|Service Support admin | Assign the Service Support admin role as an additional role to admins or users who need to do the following in addition to their usual admin role: <br> - Open and manage service requests <br> - View and share message center posts <br> - Monitor service health |
|SharePoint admin | Assign the SharePoint admin role to users who need to access and manage the SharePoint Online admin center. <br><br>SharePoint admins can also: <br> - Create and delete sites <br> - Manage site collections and global SharePoint settings | |Teams service admin | Assign the Teams service admin role to users who need to access and manage the Teams admin center. <br><br>Teams service admins can also: <br> - Manage meetings <br> - Manage conference bridges <br> - Manage all org-wide settings, including federation, teams upgrade, and teams client settings | |User admin | Assign the User admin role to users who need to do the following for all users: <br> - Add users and groups <br> - Assign licenses <br> - Manage most users properties <br> - Create and manage user views <br> - Update password expiration policies <br> - Manage service requests <br> - Monitor service health <br><br> The user admin can also do the following actions for users who aren't admins and for users assigned the following roles: Directory reader, Guest inviter, Helpdesk admin, Message center reader, Reports reader: <br> - Manage usernames<br> - Delete and restore users<br> - Reset passwords <br> - Force users to sign out <br> - Update (FIDO) device keys |
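Review bot: The new Message center reader and Power Platform admin rows both begin "Assign the Reports reader role to users who need to...", which looks copied from the Reports reader row. Each description should name its own role ("Assign the Message center reader role...", "Assign the Power Platform admin role..."). As written, an admin following the table could assign Reports reader when a different role was intended, which matters because Power Platform admin covers "all admin features for PowerApps, Microsoft Flow, and data loss prevention". The Service Support admin row reads correctly after the "users who need" fix.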
admin Download Office App For Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/services-in-china/download-office-app-for-Android.md
A few Office app for Android features aren't available for Office 365 operated b
Download the Office app for Android phones from any of these China stores: - [Baidu](https://shouji.baidu.com/software/26842919.html) - [Xiaomi](http://app.mi.com/details?id=com.microsoft.office.officehub&ref=search)-- [Huawei](https://appstore.huawei.com/app/C10888510) - [Lenovo](https://www.lenovomm.com/appdetail/com.microsoft.office.officehub/43003745) - [360](http://zhushou.360.cn/detail/index/soft_id/708682?recrefer=SE_D_office%20mobile) - [tencent](https://sj.qq.com/myapp/detail.htm?apkName=com.microsoft.office.officehub)
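Review bot: The Xiaomi and 360 entries in the store list are plain http:// links, while the Baidu, Huawei, Lenovo and Tencent entries use https://. Since these links lead to an app download, switch the two to https:// if the stores serve the pages that way, so the list does not send users to an installer page over an unauthenticated connection.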
admin Customize Your Organization Theme https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/customize-your-organization-theme.md
You can add or update a default theme that applies to everyone within your org.
1. In the admin center, go to the **Settings** \> **Org Settings** page, and then choose the **Organization profile** tab.
-2. On the **Organization profile** tab, select **Organization theme**.
+2. On the **Organization profile** tab, select **Custom themes**.
All themes can be customized using the following tabs.
Any theme appears in the top navigation bar for everyone in the organization as
## Related content [Add custom tiles to the My apps page and app launcher](../manage/customize-the-app-launcher.md) (article)\
-[Overview of Microsoft 365 Groups for administrators](../create-groups/office-365-groups.md) (article)
+[Overview of Microsoft 365 Groups for administrators](../create-groups/office-365-groups.md) (article)
compliance Ediscovery Troubleshooting Common Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-troubleshooting-common-issues.md
When running an eDiscovery search that includes SharePoint Online and One Drive
2. Use the procedures at [Manually request crawling and re-indexing of a site, a library, or a list](/sharepoint/crawl-site-content) to reindex the site.
+## Error/issue: This file wasn't exported because it doesn't exist anymore. The file was included in the count of estimated search results because it's still listed in the index. The file will eventually be removed from the index, and won't cause an error in the future.
+
+You may see that error when running an eDiscovery search that includes SharePoint Online and One Drive For Business locations. eDiscovery relies on teh SPO index to identify the file locations. If the file was deleted but the SPO index was not yet updated this error may occur.
+
+### Resolution
+Open the SPO location and verify that this file indeed is not there.
+Suggested solution is to manually reindex the site, or wait till the site reindexes by the automatic background process.
++
+## Error/issue: This search result was not downloaded as it is a folder or other artefact that can't be downloaded by itself, any items inside the folder or library will be downloaded.
+
+You may see that error when running an eDiscovery search that includes SharePoint Online and One Drive For Business locations. It means that we were going to try and export the item reported in the index, but it turned out to be a folder so we did not export it. As mentioned in the error, we don't export folder items but we do export their contents.
++ ## Error/issue: Search fails because recipient is not found An eDiscovery search fails with error the `recipient not found`. This error may occur if the user object cannot be found in Exchange Online Protection (EOP) because the object has not synced.
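Review bot: The second new section (the folder that "can't be downloaded by itself") has no "### Resolution" subsection, unlike the section added just above it. State whether any action is needed, even if the answer is that none is. In the first new section, "teh SPO index" is a typo and "One Drive For Business" should follow the product spelling "OneDrive for Business" (it appears in both sections). The two Resolution sentences sit on consecutive lines and will render as a single paragraph, so make them a list or separate them with a blank line. "SPO" is also never expanded in the added text.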
compliance Endpoint Dlp Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-using.md
When a policy's **Access by unallowed apps and browsers** setting is turned on a
> [!IMPORTANT] > Do not include the path to the executable, but only the executable name (such as browser.exe).
+### Unallowed Bluetooth apps
+
+Prevent people from transferring files protected by your policies via specific Bluetooth apps.
### Browser and domain restrictions Restrict sensitive files that match your policies from being shared with unrestricted cloud service domains.
You can control how users interact with the business justification option in DLP
- Users can only select a built-in justification. - Users can only enter their own justification.
+### Always audit file activity for devices
+
+By default, when devices are onboarded, activity for Office, PDF, and CSV files is automatically audited and available for review in activity explorer. Turn this feature off if you want this activity to be audited only when onboarded devices are included in an active policy.
+
+File activity will always be audited for onboarded devices, regardless of whether they are included in an active policy.
## Tying DLP settings together
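Review bot: In the new "Always audit file activity for devices" section, the closing sentence "File activity will always be audited for onboarded devices, regardless of whether they are included in an active policy" contradicts the paragraph before it, which says the feature can be turned off so that activity is audited only when devices are in an active policy. Qualify the closing sentence (for example "When this setting is on, ...") or drop it, because an admin reading only that line would assume audit coverage that the off state does not provide. The new "Unallowed Bluetooth apps" section also does not say how an app is identified. The note above it requires the executable name without the path, so say whether the same rule applies here.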
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
The following table lists the activities that can be logged by mailbox audit log
The following table lists user administration activities that are logged when an admin adds or changes a user account by using the Microsoft 365 admin center or the Azure management portal. > [!NOTE]
-> The operation names listed in the the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.
+> The operation names listed in the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.
|Activity|Operation|Description| |:--|:--|:--|
The following table lists user administration activities that are logged when an
The following table lists group administration activities that are logged when an admin or a user creates or changes a Microsoft 365 group or when an admin creates a security group by using the Microsoft 365 admin center or the Azure management portal. For more information about groups in Office 365, see [View, create, and delete Groups in the Microsoft 365 admin center](../admin/create-groups/create-groups.md). > [!NOTE]
-> The operation names listed in the the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.
+> The operation names listed in the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.
|Friendly name|Operation|Description| |:--|:--|:--|
The following table lists group administration activities that are logged when a
The following table lists application admin activities that are logged when an admin adds or changes an application that's registered in Azure AD. Any application that relies on Azure AD for authentication must be registered in the directory. > [!NOTE]
-> The operation names listed in the the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.
+> The operation names listed in the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.
|Friendly name|Operation|Description| |:--|:--|:--|
The following table lists application admin activities that are logged when an a
The following table lists Azure AD role administration activities that are logged when an admin manages admin roles in the Microsoft 365 admin center or in the Azure management portal. > [!NOTE]
-> The operation names listed in the the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.
+> The operation names listed in the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.
|Friendly name|Operation|Description| |:--|:--|:--|
The following table lists Azure AD role administration activities that are logge
The following table lists Azure AD directory and domain-related activities that are logged when an administrator manages their organization in the Microsoft 365 admin center or in the Azure management portal. > [!NOTE]
-> The operation names listed in the the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.
+> The operation names listed in the **Operation** column in the following table contain a period ( `.` ). You must include the period in the operation name if you specify the operation in a PowerShell command when searching the audit log, creating audit retention policies, creating alert policies, or creating activity alerts. Also be sure to use double quotation marks (`" "`) to contain the operation name.
|Friendly name|Operation|Description| |:--|:--|:--|
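Review bot: The same "the the" correction is applied to five identical NOTE blocks in this file, one ahead of each Azure AD activity table. Consider moving the note into a single include, or stating it once ahead of the first table and referring back to it, so a later wording change does not have to be repeated five times and cannot drift between copies. The first table's header is |Activity|Operation|Description| while the other four use |Friendly name|Operation|Description|. Pick one heading for that column.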
No. We currently have auditing pipeline deployments in the NA (North America), E
Auditing data is stored in Exchange mailboxes (data at rest) in the same region where the unified auditing pipeline is deployed. Mailbox data at rest is not encrypted by Exchange. However, service-level encryption encrypts all mailbox data because Exchange servers in Microsoft datacenters are encrypted via BitLocker. For more information, see [Office 365 Encryption for Skype for Business, OneDrive for Business, SharePoint Online, and Exchange Online](/compliance/assurance/assurance-encryption-for-microsoft-365-services).
-Mail data in transit is always encrypted.
+Mail data in transit is always encrypted.
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
To read the release announcement, see the blog post [Announcing co-authoring on
Before you enable the setting to support co-authoring for Office desktop apps, it's important to understand that this action makes changes to the labeling metadata that is saved to and read from Office files.
-The labeling metadata includes information that identifies your tenant and applied sensitivity label. The change that this setting makes is the metadata format and location for unencrypted files for Word, Excel, and PowerPoint. There are no labeling metadata changes for encrypted files or emails.
+The labeling metadata includes information that identifies your tenant and applied sensitivity label. The change that this setting makes is the metadata format and location for Word, Excel, and PowerPoint files. You do not need to take any action for encrypted files or emails; the metadata change for encrypted files is backward-compatible and there are no changes for emails. However, you do need to be aware of the metadata changes for encrypted files that can be automatically upgraded but aren't backward-compatible.
This change affects both files that are newly labeled and files that are already labeled. When you use apps and services that support the co-authoring setting: - For files that are newly labeled, only the new format and location is used for the labeling metadata.
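Review bot: The replacement paragraph says two opposing things about encrypted files. It first says "the metadata change for encrypted files is backward-compatible", then says the reader must be aware of "the metadata changes for encrypted files that can be automatically upgraded but aren't backward-compatible". The removed line scoped the change to unencrypted files, so the last sentence probably means unencrypted files. Please confirm and correct the wording, because this paragraph is what an admin relies on to decide whether older apps can still read labels after the setting is enabled.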
enterprise Ms Cloud Germany Transition Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
Customers with Dynamics 365 require additional engagement to migrate the organiz
| Step(s) | Description | Impact | |:-|:-|:-|
-| Microsoft Dynamics resources | Customers with Microsoft Dynamics will be engaged by Microsoft Engineering or Microsoft FastTrack to transition Microsoft Dynamics 365 to the Office 365 Global services instance.* |<ul><li>After migration, the admin validates the organization. <</li><li>The admin modifies workflows, as necessary. </li><li>The admin clears AdminOnly mode as appropriate.</li><li>The admin changes the organization type from _Sandbox_, as appropriate</li><li>Notify end users of the new URL to access the instance (org).</li><li>Update any inbound connections to the new endpoint URL. </li><li>The Dynamics service will be unavailable to users during the transition. </li><li>Users are required to validate the org health and features after migration of each org.</li></ul>|
+| Microsoft Dynamics resources | Customers with Microsoft Dynamics will be engaged by Microsoft Engineering or Microsoft FastTrack to transition Microsoft Dynamics 365 to the Office 365 Global services instance.* |<ul><li>After migration, the admin validates the organization. </li><li>The admin modifies workflows, as necessary. </li><li>The admin clears AdminOnly mode as appropriate.</li><li>The admin changes the organization type from _Sandbox_, as appropriate</li><li>Notify end users of the new URL to access the instance (org).</li><li>Update any inbound connections to the new endpoint URL. </li><li>The Dynamics service will be unavailable to users during the transition. </li><li>Users are required to validate the org health and features after migration of each org.</li></ul>|
|||| \*
enterprise Ms Cloud Germany Transition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition.md
description: "Summary: Understand the migration from Microsoft Cloud Germany (Mi
> [!NOTE] > This article only applies to eligible Microsoft Cloud Deutschland customers.
-In August 2018, Microsoft announced our intention to deliver the complete Microsoft cloud ΓÇô Azure, Office 365, Dynamics 365, and Power Platform ΓÇô from new cloud regions in Germany to better enable the digital transformation of our customers. In August 2019, we announced we are now in the process of opening of the new cloud regions in Germany. We have since announced the availability of Azure, Office 365, Dynamics 365, and Power Platform.
+In August 2018, Microsoft announced our intention to deliver the complete Microsoft cloud ΓÇö Azure, Office 365, Dynamics 365, and Power Platform ΓÇö from new cloud regions in Germany to better enable the digital transformation of our customers. In August 2019, we announced we are now in the process of opening of the new cloud regions in Germany. We have since announced the availability of Azure, Office 365, Dynamics 365, and Power Platform.
The new regions are designed to address the evolving needs of German customers with greater flexibly, the latest intelligent cloud services, and full connectivity to our Microsoft 365 services cloud network as well as customer data residency within Germany.
Office 365 Video is being retired on March 1, 2021. If you choose to migrate you
This figure shows the ten phases of migration to the new German datacenters.
-![The ten phases of migration to the new Germany datacenters](../media/ms-cloud-germany-migration-opt-in/migration-organization.png)
These phases start when you [opt-in for migration](./ms-cloud-germany-migration-opt-in.md). Most of the migration phases are executed as back-end service operations with minimal customer interaction required and are executed one phase after the other. The start for additional customer-led tasks and overall migration status will be communicated through the Message center of the Microsoft 365 admin center during the migration process. Example of tasks may include customer-managed DNS updates, reconfiguration of hybrid setup for Exchange hybrid customers, or Azure migration.
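Review bot: The image line is removed, but the sentence before it, "This figure shows the ten phases of migration to the new German datacenters.", is kept, leaving a reference to a figure that is no longer on the page. Remove or reword that sentence in the same change, or restore the image if the removal was unintended. Elsewhere in the touched text, "in the process of opening of the new cloud regions" has a stray "of", and "greater flexibly" in the following paragraph should be "greater flexibility".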
includes Microsoft 365 Client Support Conditional Access Include https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-client-support-conditional-access-include.md
|MICROSOFT ROOMS|Planned|Planned|N/A|N/A|N/A| |OFFICE 365 ADMIN|Planned|N/A|N/A|N/A|N/A| |OFFICE LENS|Planned|Planned|N/A|N/A|N/A|
-|OFFICE MOBILE|Planned|Planned|N/A|N/A|N/A|
+|OFFICE MOBILE|Γ£ö|Planned|N/A|N/A|N/A|
|OFFICE.COM|N/A|N/A|N/A|N/A|Planned| |ONEDRIVE|Γ£ö|Γ£ö|Γ£ö|Γ£ö|Planned| |ONENOTE|Γ£ö|Planned|Planned|Planned|Planned|
scheduler Scheduler Faqs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-faqs.md
+
+ Title: "Scheduler for Microsoft 365 FAQs"
+++
+audience: Admin
++
+localization_priority: Normal
+description: "Scheduler for Microsoft 365 FAQs"
+
+# Scheduler for Microsoft 365 FAQs
+
+**Question:** How does Scheduler integrate with other Cortana features, such as *Cortana for Windows*, *Daily Briefing Email*, and *Play My Emails*?</br>
+Scheduler is an independent service from other Cortana features. Other Cortana features can be disabled at the tenant level, and Scheduler can still be enabled by using the cortana@yourdomain.com email address. Currently, users can only interact with Scheduler via email.
+
+**Question:** Does this work only with Outlook? Are other email products supported?</br>
+As long as you have a license, other than the three requirements above, users can email cortana@yourdomain.com from any email client on any device.
+
+**Question:** Can contacts be in a personal contact list on Outlook and GAL or other company equivalent?</br>
+Meeting attendees can be anyone with an email address inside or outside the company. Unfortunately, Scheduler cannot automatically translate names to email addresses / alias by looking it up in the GAL today.
+
+**Question:** Can I use Scheduler with my installed version (on-premises) version of Outlook?</br>
+Scheduler requires Exchange Online. Does not work with Exchange Server (On-prem). Works with any email client, Outlook Desktop, OWA, iOS, android, gmail, and so on.
+
+**Question:** Does Outlook have to be open in the background?</br>
+Outlook doesn't need to be open in the background. All you need to do is send Cortana a mail and rely on it to do the bulk of the work.
+
+## Frequently Asked Trust and Privacy Questions
+
+**Question:** How does Scheduler work?</br>
+Scheduler uses Scheduling Intelligence (AI) augmented with human assistants. If AI models generate a need for support in the natural language of communication with Cortana, the meeting request escalates to a human for review and completion.
+
+**Question:** Who are the humans that review escalated requests? </br>
+Scheduler assistants are Microsoft Supplier Security and Privacy Assurance (SSPA) certified for personal and highly confidential information.
+
+**Question:** What can SSPA Assistants view?</br>
+Scheduler and the SSPA Assistants can view the emails that are addressed to Cortana. In a threaded email exchange, only the emails that include CortanaΓÇÖs email address will be processed, not the previous emails in the thread before Cortana was added.
+
+**Question:** Is customer data retained in the SchedulerΓÇÖs Data Flow?ΓÇï </br>
+Scheduler stores all customer content within the tenant boundaries and retains data in accordance with GDPR guidelines, Microsoft 365 Trust & Privacy policies, and tenant email policies.
+
+**Question:** How does Scheduler process the free/busy data of internal attendees?ΓÇï </br>
+SchedulerΓÇÖs automation uses the *findMeetingTimes* service to identify times that are mutually available for attendees and the organizer. This service powers other Outlook experiences such as *Suggested Times* in the Outlook meeting form. Free/busy attendee information is not consumed explicitly as free/busy blocks.ΓÇï
+
+**Question:** Is Scheduler GDPR Compliant? </br>
+Yes.
+
+**Question:** Who has access to the Cortana mailbox? </br>
+Scheduler processes meeting requests and associated emails that are sent to your tenantΓÇÖs Cortana mailbox. Microsoft does not have any other access to the Cortana mailbox except through Lockbox approval at the request of the tenant admin.
+
+**Question:** Is customer data used for training AI models?</br>
+No customer content from Scheduler for Microsoft 365 can be used for data training sets. All customer content resides in the customer tenant. ΓÇï
+
+**Question:** Will Scheduler process encrypted mail?</br>
+No, encrypted mail will be rejected by the Scheduler workflow.
++++
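Review bot: The answer to "Does this work only with Outlook?" refers to "the three requirements above", but no requirements are listed anywhere in this new file. The prerequisites table is in the setup article, so link to it or restate them. Every question line ends with "</br>", which is not a valid tag; use "<br/>" or a blank line. In the metadata, the key is written " Title:" with a leading space and a capital T while the other keys (audience, localization_priority, description) are lowercase. The answer to "Who are the humans that review escalated requests?" names the certification but not who the assistants are (Microsoft staff or supplier staff), which is the question an admin is asking. The on-premises answer is written as fragments ("Does not work with Exchange Server (On-prem).") and should be full sentences.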
scheduler Scheduler Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-overview.md
+
+ Title: "Scheduler for Microsoft 365 Overview"
+++
+audience: Admin
++
+localization_priority: Normal
+description: "Overview of Scheduler for Microsoft 365."
++
+# Welcome to Scheduler for Microsoft 365
+
+Scheduler for Microsoft 365 is a service that lets you delegate meeting and appointment scheduling to Cortana, your digital personal assistant.
+
+Scheduler uses natural language processing to interpret emails sent to Cortana (cortana@yourdomain.com) to find a time to meet and send calendar invitations for the meeting organizer.
+
+Scheduler:
+
+- Communicates with the meeting organizer and attendees by email in natural language.
+- Finds a time to meet when everyone is available.
+- Coordinates between external attendees based on the organizerΓÇÖs availability.
+- Keeps the meeting organizer informed on scheduling progress and asks the organizer for guidance when needed.
+- Negotiates times to meet across up to two different time zones.
+- Sends the invitation to the meeting from the organizer.
+- Adds a Teams link to every meeting.
+- Reschedules or cancels meetings booked by Cortana.
+- Works from any device with access to email.
+
+## Who can benefit from Scheduler for Microsoft 365?
+
+Scheduler takes care of the time-consuming hassle of scheduling meetings so users can focus on more important things.
+
+If you regularly schedule small meetings with fewer than five attendees, you'll save time with Scheduler. Departments such as recruiting, sales, procurement, and legal can benefit from delegating meeting coordination to Scheduler.
+
+## How does Scheduler for Microsoft 365 work?
+
+Scheduler uses a combination of artificial intelligence and human intelligence to complete scheduling requests that are received by emailing Cortana (Cortana@yourdomain.com).
+
+To use Scheduler, add CortanaΓÇÖs email address to an email with the people you want to meet with and ask Cortana to book a meeting in natural language.
+
+In your request, tell Cortana how long and when you want to meet. For example, **ΓÇ£Cortana, find 45 minutes for us to meet next week.ΓÇ¥**
+
+After a user sends a meeting request to Cortana, the Scheduler service:
+
+- Finds a time to meet based on the availability of the organizer and attendees in the same tenant.
+- If the organizer does not have access to availability of the attendees, Cortana negotiates a time to meet with those attendees by email.
+- Once a mutually agreeable time has been found, Cortana adds a Teams meeting and sends out the calendar invites.
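Review bot: The attendee limit under "Who can benefit from Scheduler for Microsoft 365?" reads "fewer than five attendees", while scheduler-using.md in the same batch says "5 or fewer attendees"; pick one limit and use it in both files. The Cortana address is also written two ways in this file (cortana@yourdomain.com in the second paragraph, Cortana@yourdomain.com under "How does Scheduler for Microsoft 365 work?"), and scheduler-setup.md uses cortana@contoso.com in its commands; one placeholder, in code formatting, would be clearer.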
scheduler Scheduler Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-setup.md
+
+ Title: "Setting up Scheduler for Microsoft 365."
+++
+audience: Admin
++
+localization_priority: Normal
+description: "Setting up Scheduler for Microsoft 365."
+
+# Setting up Scheduler for Microsoft 365
+
+To set up the Scheduler for Microsoft 365, following are the prerequisites:
+
+|**What do I need?** |**Description** |
+|-|-|
+|Cortana mailbox |Tenant admins will need to set a mailbox to serve as the ΓÇ£CortanaΓÇ¥ mailbox (that is, cortana@yourdomain.com). |
+|Exchange Online mailbox |Users must have an Exchange Online mail and calendar |
+|Scheduler license |For licensing and pricing information, see [Scheduler for Microsoft 365](https://www.microsoft.com/microsoft-365/meeting-scheduler-pricing). |
+
+## Create a mailbox for Cortana
+An Exchange mailbox in your tenant acts as the Cortana mailbox for your tenant to send and receive emails to and from Cortana. All emails sent to Cortana are retained in your tenantΓÇÖs Cortana mailbox based on your retention policy.
+
+- Use the Microsoft 365 admin center to create a user mailbox. A 30-day retention policy is recommended.
+- Use the name Cortana in your mailboxΓÇÖs primary SMTP address. Names such as ΓÇ£Cortana@yourdomain.com,ΓÇÖ ΓÇÿCortanaScheduler@contoso.com,ΓÇÖ or ΓÇÿCortana.Scheduler@yourdomain.comΓÇÖ are recommended.
+
+## Designate the mailbox as the Scheduler Assistant
+
+After a unique mailbox for Cortana Scheduler has been created, you must designate the mailbox to Microsoft 365 formally. After you designate the Cortana Scheduler mailbox, it will be available to schedule meetings on behalf of your users.
+
+To designate the Cortana Scheduler mailbox, an authorized admin must run a one-line PowerShell command.
+
+1. Connect to Microsoft 365 remote PowerShell run space for your organization.
+2. Run the following PowerShell script to designate the mailbox for Scheduler:
+
+```powershell
+
+Set-mailbox cortana@contoso.com -SchedulerAssistant:$true
+
+```
+
+After running this "set" command on the Cortana Scheduler mailbox, a new "PersistedCapability" is set on the mailbox to note that this mailbox is the "SchedulerAssistant".
+
+> [!NOTE]
+> Follow these steps to connect your organization to PowerShell if youΓÇÖve not done so previously: [Connect to Microsoft 365 with PowerShell - Microsoft 365 Enterprise | Microsoft Docs](../enterprise/connect-to-microsoft-365-powershell.md)
+
+To discover which mailbox in your organization is currently set as the Cortana Scheduler assistant, run the get function:
+
+```powershell
+
+Get-mailbox -Organization contoso.com | where {($_.PersistedCapabilities -like "SchedulerAssistant")}
+
+```
+
+> [!IMPORTANT]
+> It might take up to two hours for the Scheduler mailbox to complete full provisioning to set the SchedulerAssistant capability.
+
+## Exchange Online mailbox
+Scheduler is an add-on to Microsoft 365. Meeting organizers must have an Exchange Online mailbox and calendar for Scheduler to work.
+
+## Exchange requirements
+
+In addition to licensing Scheduler, you must have one of the following licenses:
+
+- Microsoft 365 E3, A3, E5, A5
+- Business Basic, Business, Business Standard, Business Premium
+- Office 365 E1, A1, E3, A3, E5, A5
+- Business Essentials, Business Premium
+- Exchange Online Plan 1 or Plan 2 license.
+
+> [!Note]
+> **Scheduler for Microsoft 365** isn't available for users of Office 365 operated by 21Vianet in China. It's also not available for users of Microsoft 365 with the German cloud that uses the data trustee German Telekom. It is supported for users in Germany whose data location isn't in the German datacenter.
+>
+>This feature is also not supported for users of the Government Cloud, including GCC, Consumer, GCC High, or DoD.
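Review bot: "Designate the mailbox as the Scheduler Assistant" says "an authorized admin must run a one-line PowerShell command" without naming the role or permission that admin needs; state it, since the section above says every email sent to Cortana is retained in this mailbox. Step 2 then calls the same one-liner a "script", the cmdlets are cased Set-mailbox and Get-mailbox rather than Set-Mailbox and Get-Mailbox, the prerequisites table row reads "an Exchange Online mail and calendar" where "mailbox" seems intended, and the license list under "Exchange requirements" names Business Premium twice.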
scheduler Scheduler Trust Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-trust-privacy.md
+
+ Title: "Understanding Trust and Privacy in Scheduler for Microsoft 365."
+++
+audience: Admin
++
+localization_priority: Normal
+description: "Understanding Trust and Privacy in Scheduler for Microsoft 365 are used with AI models and human assisted AI."
+
+# Trust and Privacy in Scheduler for Microsoft 365
+
+Scheduler is a unique offering whose artificial intelligence is augmented with human assistance when the AI models are not confident in the userΓÇÖs intent, often due to ambiguity or contextual references.
+
+## Policies
+
+- All customer content is stored in the customerΓÇÖs tenant.
+- Scheduler is General Data Protection Regulation (GDPR) compliant.
+- All customer data is processed in the Microsoft 365 Trust and Privacy Boundaries.
+- SchedulerΓÇÖs human assistants are **Supplier Security & Privacy Assurance certified** for personal information and highly confidential information by Microsoft analogous to Microsoft support personnel / data processors.
+- Email attachments are not consumed or processed by the Scheduler service.
+- Encrypted emails are not consumed or processed by the Scheduler service.
+- Scheduler does not monitor the meeting organizerΓÇÖs or attendeeΓÇÖs calendar or inbox.
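Review bot: The Policies list says the human assistants are certified for personal and highly confidential information but never says which parts of a scheduling email they can read; since the intro states that humans step in when the AI models are not confident, spell out what content is shown to them, next to the existing statements that attachments and encrypted emails are not processed. The front-matter description ("Understanding Trust and Privacy in Scheduler for Microsoft 365 are used with AI models and human assisted AI.") is also not a complete sentence and needs rewording.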
scheduler Scheduler Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-using.md
+
+ Title: "Using Scheduler for Microsoft 365"
+++
+audience: Admin
++
+localization_priority: Normal
+description: "Using Scheduler for Microsoft 365."
+
+# How to use Scheduler for Microsoft 365
+
+Cortana understands natural language. Include cortana@yourdomain.com in an email with other attendees, and Cortana will take over from there. Cortana will send email notifications confirming meeting times and keep you up to date on progress.
+
+To use Scheduler, add CortanaΓÇÖs email address to your email in addition to the people you want to meeting with. In your email to Cortana and the other attendees, tell Cortana to schedule a meeting using natural language.
+
+## When to use Scheduler?
+
+- **Scheduling meetings with internal attendees**
+Use Cortana to schedule your meetings with 5 or fewer attendees. Cortana has the same access to free/busy information that you see for others in Outlook calendar. It will pick a time that works for everyone and send an invite on your behalf. Cortana will automatically Teams-enable all the meetings that it schedules. Anyone on the CC line will receive the invite as an optional attendee.
+
+- **Scheduling meetings with external attendees**
+Cortana communicates with external invitees to negotiate times that you are available to meet. After confirming a time to meet, Cortana sends an invite to attendees and notifies you that the meeting has been scheduled.
+
+## What to say to Cortana?
+
+Cortana understands natural language, but concise language is recommended.
+
+Use the following pattern to request a meeting: Schedule a [length of time] meeting [time frame].
+
+- ΓÇ£Schedule a 30-minute meeting next week.ΓÇ¥
+- ΓÇ£Find 1 hour for us to meet in January.ΓÇ¥
+- ΓÇ£Find 45 minutes the first week of May that works for India Standard Time.ΓÇ¥
+
+If you don't specify a time range, Cortana will book the meeting as soon as the next business day.
+
+## Scheduling across multiple time zones
+
+Use the following pattern to request a multi-time zone meeting:
+"Schedule a [length of time] meeting in [time frame] that works for [time zone]."
+
+Cortana will accommodate attendees in another time zone if you request it in the first email to Cortana.
+
+You cannot change time zone(s) after sending the initial request to Cortana. As some time zone abbreviations are the same, use the full time zone name for best results.
+
+## Organizer guidance
+
+Occasionally, Cortana may ask you for guidance as the organizer. Follow the directions in CortanaΓÇÖs email and reply using the reply buttons in Cortana emails.
+
+## Reschedule or Cancel
+
+If you need to reschedule or cancel, just reply to an email in the thread with Cortana regarding the meeting and ask to ΓÇ£RescheduleΓÇ¥ or ΓÇ£Cancel.ΓÇ¥
+
+> [!NOTE]
+> Cortana can't reschedule or cancel meetings that were not scheduled by Scheduler.
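Review bot: "Scheduling across multiple time zones" does not state the limit that scheduler-overview.md gives ("up to two different time zones"); add it here, because this is the page users will follow when writing the request. The second intro paragraph has a typo ("the people you want to meeting with") and largely repeats the first, and the front matter sets audience: Admin on what reads as an end-user how-to.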
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### [Network devices](network-devices.md)
+### [Host firewall reporting in Microsoft Defender for Endpoint](host-firewall-reporting.md)
+ ### [Attack surface reduction]() #### [Overview of attack surface reduction](overview-attack-surface-reduction.md) #### [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md)
#### [Get your antivirus and antimalware updates](manage-updates-baselines-microsoft-defender-antivirus.md) ##### [Manage the sources for Microsoft Defender Antivirus protection updates](manage-protection-updates-microsoft-defender-antivirus.md) ##### [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md)
+##### [Manage gradual rollout process for Microsoft Defender updates](updates.md)
+##### [Configure gradual rollout process for Microsoft Defender updates](configure-updates.md)
##### [Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) ##### [Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) ##### [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
##### [Control USB devices](control-usb-devices-using-intune.md) ##### [Removable Storage Protection](device-control-removable-storage-protection.md) ##### [Removable Storage Access Control](device-control-removable-storage-access-control.md)
+##### [Device Control Printer Protection](printer-protection.md)
#### [Behavioral blocking and containment]() ##### [Behavioral blocking and containment](behavioral-blocking-containment.md)
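Review bot: The new entry "Configure gradual rollout process for Microsoft Defender updates" points at configure-updates.md, whose H1 in this batch is "Create a custom gradual rollout process for Microsoft Defender updates"; align the TOC label with the article title. The file names updates.md, configure-updates.md and printer-protection.md are also much more generic than their neighbours (manage-protection-updates-microsoft-defender-antivirus.md, device-control-removable-storage-protection.md), which makes collisions and ambiguous relative links more likely in this folder.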
security Client Behavioral Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md
ms.technology: mde
# Client behavioral blocking - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
ms.technology: mde
## Overview
-Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/behavioral-blocking-containment) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically.
+Client behavioral blocking is a component of [behavioral blocking and containment capabilities](behavioral-blocking-containment.md) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically.
:::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection":::
Antivirus protection works best when paired with cloud protection.
## How client behavioral blocking works
-[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
+[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
-Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+Whenever a suspicious behavior is detected, an [alert](alerts-queue.md) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization.
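Review bot: The Microsoft Defender Antivirus link in "How client behavioral blocking works" used to point at docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/, not at the microsoft-365/security/defender-endpoint path the other rewritten links used, so the new relative target microsoft-defender-antivirus-in-windows-10.md resolves only if that article now sits beside this file; confirm before merging. The alert sentence still names securitycenter.windows.com while host-firewall-reporting.md in this batch sends readers to security.microsoft.com, so check which portal URL is current.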
Behavior-based detections are named according to the [MITRE ATT&CK Matrix for En
|Tactic | Detection threat name | |-|-|
-|Initial Access | Behavior:Win32/InitialAccess.*!ml |
-|Execution | Behavior:Win32/Execution.*!ml |
-|Persistence | Behavior:Win32/Persistence.*!ml |
-|Privilege Escalation | Behavior:Win32/PrivilegeEscalation.*!ml |
-|Defense Evasion | Behavior:Win32/DefenseEvasion.*!ml |
-|Credential Access | Behavior:Win32/CredentialAccess.*!ml |
-|Discovery | Behavior:Win32/Discovery.*!ml |
-|Lateral Movement | Behavior:Win32/LateralMovement.*!ml |
-|Collection | Behavior:Win32/Collection.*!ml |
-|Command and Control | Behavior:Win32/CommandAndControl.*!ml |
-|Exfiltration | Behavior:Win32/Exfiltration.*!ml |
-|Impact | Behavior:Win32/Impact.*!ml |
-|Uncategorized | Behavior:Win32/Generic.*!ml |
+|Initial Access | `Behavior:Win32/InitialAccess.*!ml` |
+|Execution | `Behavior:Win32/Execution.*!ml` |
+|Persistence | `Behavior:Win32/Persistence.*!ml` |
+|Privilege Escalation | `Behavior:Win32/PrivilegeEscalation.*!ml` |
+|Defense Evasion | `Behavior:Win32/DefenseEvasion.*!ml` |
+|Credential Access | `Behavior:Win32/CredentialAccess.*!ml` |
+|Discovery | `Behavior:Win32/Discovery.*!ml` |
+|Lateral Movement | `Behavior:Win32/LateralMovement.*!ml` |
+|Collection | `Behavior:Win32/Collection.*!ml` |
+|Command and Control | `Behavior:Win32/CommandAndControl.*!ml` |
+|Exfiltration | `Behavior:Win32/Exfiltration.*!ml` |
+|Impact | `Behavior:Win32/Impact.*!ml` |
+|Uncategorized | `Behavior:Win32/Generic.*!ml` |
> [!TIP] > To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**.
Behavior-based detections are named according to the [MITRE ATT&CK Matrix for En
If your organization is using Defender for Endpoint, client behavioral blocking is enabled by default. However, to benefit from all Defender for Endpoint capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Defender for Endpoint are enabled and configured: -- [Defender for Endpoint baselines](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-machines-security-baseline)--- [Devices onboarded to Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/onboard-configure)--- [EDR in block mode](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode)--- [Attack surface reduction](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction)--- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) (antivirus)
+- [Defender for Endpoint baselines](configure-machines-security-baseline.md)
-## Related articles
+- [Devices onboarded to Defender for Endpoint](onboard-configure.md)
-- [Behavioral blocking and containment](behavioral-blocking-containment.md)
+- [EDR in block mode](edr-in-block-mode.md)
-- [Feedback-loop blocking](feedback-loop-blocking.md)
+- [Attack surface reduction](attack-surface-reduction.md)
-- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
+- [Next-generation protection](configure-microsoft-defender-antivirus-features.md) (antivirus, antimalware, and other threat protection capabilities)
-- [Helpful Defender for Endpoint resources](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/helpful-resources)
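Review bot: The "## Related articles" heading and its four links (behavioral blocking and containment, feedback-loop blocking, the blog post, helpful resources) are deleted with nothing added in their place; if that is intended, say so in the commit message, otherwise restore the section after the prerequisites list. The Next-generation protection link also moves from a docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/ URL to a bare relative file name, so verify that configure-microsoft-defender-antivirus-features.md exists in this folder.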
security Configure Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-updates.md
+
+ Title: Create a custom gradual rollout process for Microsoft Defender updates
+description: Learn how to use supported tools to create a custom gradual rollout process for updates
+keywords: update tools, gpo, intune, mdm, microsoft endpoint manager, policy, powershell
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Create a custom gradual rollout process for Microsoft Defender updates
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+
+> [!NOTE]
+> This functionality requires Microsoft Defender Antivirus version 4.18.2105.X or newer.
+
+To create your own custom gradual rollout process for Defender updates, you can use Group Policy, Microsoft Endpoint Manager, and PowerShell.
+
+The following table lists the available group policy settings for configuring
+update channels:
+
+| Setting title | Description | Location |
+|-|-|-|
+| Select gradual Microsoft Defender monthly platform update rollout channel | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <br><br> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <br><br> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
+| Select gradual Microsoft Defender monthly engine update rollout channel | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. <br><br> Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. <br><br> Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. <br><br> Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
+| Select gradual Microsoft Defender daily definition updates rollout channel | Enable this policy to specify when devices receive Microsoft Defender definition updates during the daily gradual rollout. <br><br> Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%). <br><br> Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). <br><br> If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
+| Disable gradual rollout of Microsoft Defender updates | Enable this policy to disable gradual rollout of Defender updates. <br><br> Current Channel (Broad): Devices set to this channel will be offered updates last during the gradual release cycle. Best for datacenter machines that only receive limited updates. <br><br> Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. <br><br> If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. | Windows Components\Microsoft Defender Antivirus |
+
+## Group Policy
+
+> [!NOTE]
+> An updated Defender ADMX template will be published together with the 21H2 release of Windows 10.
+
+You can use [Group Policy](https://docs.microsoft.com/windows/win32/srvnodes/group-policy?redirectedfrom=MSDN) to configure and manage Microsoft Defender Antivirus on your endpoints.
+
+In general, you can use the following procedure to configure or change Microsoft Defender Antivirus group policy settings:
+
+1. On your Group Policy management machine, open theΓÇ»**Group Policy Management Console**, right-click the **Group Policy Object** (GPO) you want to configure and clickΓÇ»**Edit**.
+
+2. Using the Group Policy Management Editor go to **Computer configuration**.
+
+3. ClickΓÇ»**Administrative templates**.
+
+4. Expand the tree to **Windows components > Microsoft Defender Antivirus**.
+
+5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+
+6. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx).
+
+## Intune
+
+Follow the instructions in below link to create a custom policy in Intune:
+
+[Add custom settings for Windows 10 devices in Microsoft Intune - Azure \| Microsoft Docs](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10)
+
+## PowerShell
+
+Use the `Set-MpPreference` cmdlet to configure roll out of the gradual updates.
+
+Use the following parameters:
+
+```powershell
+Set-MpPreference
+-PlatformUpdatesChannel Beta|Preview|Staged|Broad|NotConfigured
+-EngineUpdatesChannel Beta|Preview|Staged|Broad|NotConfigured
+-DisableGradualRelease True|False
+-SignaturesUpdatesChannel Staged|Broad|NotConfigured
+```
+
+Example:
+
+Use `Set-MpPreference -PlatformUpdatesChannel Beta` to configure platform updates to arrive from the Beta Channel.
+
+For more information on the parameters and how to configure them, see [Set-MpPreference (Defender) | Microsoft Docs](https://docs.microsoft.com/powershell/module/defender/set-mppreference?view=windowsserver2019-ps).
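Review bot: In the settings table, Current Channel (Staged) is described as "offered updates after the monthly gradual release cycle" and Current Channel (Broad) as "only after the gradual release cycle completes", which reads as the same timing; state how the two differ, and for the daily definition updates row say how long each channel holds signatures back so admins can weigh the delay. The "Disable gradual rollout" row refers to "Current Channel (Default)", a channel no other row defines, and the first row is missing the break before "Beta Channel" that the engine row has. The powershell fence under "Use the following parameters" is a syntax summary rather than runnable code (one parameter per line with no continuation, values joined with |, and True|False where PowerShell Boolean literals are $true and $false); present it as a parameter list or give one complete command per parameter.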
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
For each device property, see **Device Properties** section above for more detai
- CdRomDevices - DeviceId - HardwareId
- - InstancePathId
+ - InstancePathId: InstancePathId is a string that uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0. The number at the end (for example **&0**) represents the avaliable slot and may change from device to device. For best results, use a wildcard at the end. For example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*
- FriendlyNameId - SerialNumberId - VID
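Review bot: "avaliable" in the new InstancePathId text should be "available". The two sample paths contain backslashes and ampersands and should be in code formatting so they render literally, and the wildcard advice should say what the trailing * matches, since the example drops the &0 suffix and therefore covers every instance path that begins with 8735B611.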
The Removable Storage Access Control feature enables you to apply policy via Gro
### Licensing
-Before you get started with Removable Storage Access Control, you must confirm yourΓÇ»[Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E5.
+Before you get started with Removable Storage Access Control, you must confirm yourΓÇ»[Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3.
### Deploying policy via Group Policy
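Review bot: The Licensing paragraph changes the required plan from Microsoft 365 E5 to Microsoft 365 E3 and nothing else; confirm the requirement against the licensing source and record the reason in the commit message, because readers use this sentence to decide whether the feature is available to them. The link still goes to the general enterprise plan comparison page rather than to anything that names Removable Storage Access Control.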
For policy deployment in Intune, the account must have permissions to create, ed
1. For each Group, create an OMA-URI rule: - OMA-URI:
- /Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**GroupGUID**%7d/GroupData
+ ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**GroupGUID**%7d/GroupData
For example, for **any removable storage and CD/DVD** group in the sample, the link must be:
For policy deployment in Intune, the account must have permissions to create, ed
- OMA-URI:
- /Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bFA6BE102-0784-4A2A-B010-A0BEBEBF68E1%7d/RuleData
+ ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bFA6BE102-0784-4A2A-B010-A0BEBEBF68E1%7d/RuleData
For example, for the **Block Write and Execute Access but allow approved USBs** rule in the sample, the link must be:
security Host Firewall Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md
+
+ Title: Host firewall reporting in Microsoft Defender for Endpoint
+description: Host and view firewall reporting in Microsoft 365 security center.
+keywords: windows defender, firewall
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localization_priority: normal
+audience: ITPro
++++
+ms.technology: mde
++
+# Host firewall reporting in Microsoft Defender for Endpoint
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+If you are an admin, you can now host firewall reporting to [Microsoft 365 security center](https://security.microsoft.com). This feature enables you to view Windows 10 and Windows Server 2019 firewall reporting from a centralized location.
+
+## What do you need to know before you begin?
+
+- You must be running Windows 10 or Windows Server 2019.
+- To onboard devices to the Microsoft Defender for Endpoint service, see [here](onboard-configure.md).
+- For Microsoft 365 security center to start receiving the data, you must enable **Audit Events** for Windows Defender Firewall with Advanced Security:
+ - [Audit Filtering Platform Packet Drop](/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop)
+ - [Audit Filtering Platform Connection](/windows/security/threat-protection/auditing/audit-filtering-platform-connection)
+- Enable these events by using Group Policy Object Editor, Local Security Policy, or the auditpol.exe commands. For more information, see [here](/windows/win32/fwp/auditing-and-logging).
+ - The two PowerShell commands are:
+ - **auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable**
+ - **auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable**
+
+## The process
+> [!NOTE]
+> Make sure to follow the instructions from the section above and properly configure your devices for the early preview participation.
+
+- After enabling the events, Microsoft 365 security center will start to monitor the data.
+ - Remote IP, Remote Port, Local Port, Local IP, Computer Name, Process across inbound and outbound connections.
+- Admins can now see Windows host firewall activity [here](https://security.microsoft.com/firewall).
+ - Additional reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI.
+ - It can take up to 12 hours before the data is reflected.
+
+## Supported scenarios
+The following scenarios are supported during Ring0 Preview.
+
+### Firewall reporting in security center
+
+Here is a couple of examples of the firewall report pages. Here you will find a summary of inbound, outbound, and application activity. You can access this page directly by going to https://security.microsoft.com/firewall.
+
+> [!div class="mx-imgBorder"]
+> ![Host firewall reporting page](\images\host-firewall-reporting-page.png)
+
+These reports can also be accessed by going to **Reports** > **Security Report** > **Devices** (section) located at the bottom of the **Firewall Blocked Inbound Connections** card.
+
+### From "Computers with a blocked connection" to device
+
+Cards support interactive objects. You can drill into the activity of a device by clicking on the device name, which will launch https://securitycenter.microsoft.com in a new tab, and take you directly to the **Device Timeline** tab.
+
+> [!div class="mx-imgBorder"]
+> ![Computers with a blocked connection](\images\firewall-reporting-blocked-connection.png)
+
+You can now select the **Timeline** tab, which will give you a list of events associated with that device.
+
+After clicking on the **Filters** button on the upper right-hand corner of the viewing pane, select the type of event you want. In this case, select **Firewall events** and the pane will be filtered to Firewall events.
+
+> [!div class="mx-imgBorder"]
+> ![Filters button](\images\firewall-reporting-filters-button.png)
+
+### Drill into advanced hunting (preview refresh)
+
+Firewall reports support drilling from the card directly into **Advanced Hunting** by clicking the **Open Advanced hunting** button. The query will be pre-populated.
+
+> [!div class="mx-imgBorder"]
+> ![Open Advanced hunting button](\images\firewall-reporting-advanced-hunting.png)
+
+The query can now be executed, and all related Firewall events from the last 30 days can be explored.
+
+For additional reporting, or custom changes, the query can be exported into Power BI for further analysis. Custom reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI.
+
+
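Review bot: The four image links in the "Supported scenarios" sections use backslash-separated paths (for example `\images\host-firewall-reporting-page.png`); backslash is not a URL path separator, so these should be forward-slash relative paths to render reliably. The sentence about downloading the Custom Reporting script appears twice with the same link, once under "The process" and again at the end of "Drill into advanced hunting"; keep one. The device drill-down text sends readers to https://securitycenter.microsoft.com while the rest of the page uses https://security.microsoft.com, so please state which portal the Device Timeline opens in. "It can take up to 12 hours before the data is reflected" is nested under the Power BI bullet, but it reads as applying to the report as a whole and would be clearer as its own top-level item.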
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 06/04/2021 Last updated : 06/07/2021 # Manage Microsoft Defender Antivirus updates and apply baselines
For information how to update or install the platform update, see [Update for Wi
All our updates contain - performance improvements; - serviceability improvements; and -- integration improvements (Cloud, Microsoft 365 Defender).
+- integration improvements (Cloud, [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)).
<br/> <details> <summary> May-2021 (Platform: 4.18.2105.4 | Engine: 1.1.18200.4)</summary>
All our updates contain
&ensp;Support phase: **Security and Critical Updates** ### What's new-- Improvements to behavior monitoring
+- Improvements to [behavior monitoring](client-behavioral-blocking.md)
+- Fixed [network protection](network-protection.md) notification filtering feature
### Known Issues No known issues
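Review bot: In the May-2021 "What's new" list, the link text "behavior monitoring" points at client-behavioral-blocking.md, whose file name describes behavioral blocking; please confirm that is the intended target rather than a behavior monitoring article. The added item "Fixed network protection notification filtering feature" does not say what was wrong or what changes for administrators after the fix, so a short clause describing the corrected behavior would help readers decide whether the update affects their alerting.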
Support phase: **No support**
- add MRT logs to support files ### Known Issues
-When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
+When this update is installed, the device needs the jump package 4.18.2001.10 to be able to update to the latest platform version.
<br/> </details>
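Review bot: The corrected Known Issues line names jump package 4.18.2001.10 but still gives no link or KB reference for obtaining it, so a reader whose device is stuck on this platform version has no pointer to the fix. The new number is consistent with the 4.18.x platform numbering shown in the release summaries (for example 4.18.2105.4); adding the download or KB link next to the version would make the line actionable.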
security Printer Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection.md
+
+ Title: Microsoft Defender for Endpoint Device Control Printer Protection
+description: Microsoft Defender for Endpoint Device Control Printer Protection blocks people from printing via non-corporate printers or non-approved USB printer.
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
++++
+audience: ITPro
+ms.technology: mde
++
+# Device Control Printer Protection
+
+Microsoft Defender for Endpoint Device Control Printer Protection blocks people from printing via non-corporate printers or non-approved USB printer.
+
+## Licensing
+
+Before you get started with Printer Protection, you should [confirm your Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1). To access and use Printer Protection, you must have the following:
+
+- Microsoft 365 E3 for functionality/policy deployment
+- Microsoft 365 E5 for reporting
+
+## Permission
+
+For Policy deployment in Intune, to deploy policy via OMA-URI, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions:
+
+- Policy and profile Manager role.
+- Or custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles
+- Or Global admin
+
+To see device configuration reports, the account must have view reports permissions. You can create custom roles or use the built-in roles with these permissions:
+
+- Global security admin
+- Security admin
+- Security Reader
+
+## Prepare your endpoints
+
+Make sure that the Windows 10 devices that you plan on deploying Printer Protection to meet these requirements.
+
+1. Join the Insider Program.
+
+1. The following Windows Updates are installed.
+
+ - For Windows 1809: install Windows Update [KB5003217](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46)
+ - For Windows 1909: install Windows Update [KB5003212](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003212-os-build-18363-1593-preview-05381524-8380-4b30-b783-e330cad3d4a1)
+ - For Windows 2004 or later
+
+1. If you're planning to deploy policy via Group Policy, the device must be MDATP joined; if you're planning to deploy policy via MEM, the device must be Intune joined.
+
+## Deploy Device Control Printer Protection policy
+
+You can deploy the policy via Group Policy or Intune.
+
+| Title | Description | CSP Support | GPO Support | User-based Support | Machine-based Support |
+|:--|:--|:--|:--|:--|:--|
+|**Enable Device control Printing Restrictions**|Block people from printing via non-corporate printer|Yes|Yes|Yes|Yes|
+|**List of Approved USB-connected print devices** \*|Allow specific USB printer|Yes|Yes|Yes|Yes|
+|||||||
+
+\* This policy must be used together with **Enable Device control Printing Restrictions**
+## Deploy policy via Intune
+
+For Intune, currently Device Control Printer Protection supports OMA-URI only.
+
+**Scenario 1: Block people from printing via any non-corporate printer**
+
+ - Apply policy over machine:
+
+ - ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl
+
+- Apply policy over user:
+
+ - ./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser
+
+The CSP support string with `` <enabled/>``:
++
+**Scenario 2: Allow specific approved USB printers**
+
+- Apply policy over machine:
+
+ - ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices
+
+- Apply policy over user:
+
+ - ./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser
+
+The CSP support string with approved USB printers via ΓÇÿApprovedUsbPrintDevicesΓÇÖ property, example `` <enabled/><data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/>``:
++
+## Deploy policy via Group Policy
+
+If the device isn't Intune joined, you can also deploy the policy via Group Policy.
+
+**Scenario 1: Block people from printing via any non-corporate printer**
+
+- Apply policy over machine:
+
+ - Computer Configuration > Administrative Templates > Printer: Enable Device control Printing Restrictions
+
+- Apply policy over user:
+
+ - User Configuration > Administrative Templates > Control Panel > Printers: Enable Device control Printing Restrictions
+
+
+
+**Scenario 2: Allow specific approved USB printers**
+
+- Apply policy over machine:
+
+ - Computer Configuration > Administrative Templates > Printer: List of Approved USB-connected print devices
+
+- Apply policy over user:
+
+ - User Configuration > Administrative Templates > Control Panel > Printers: List of Approved USB-connected print devices
+
+ :::image type="content" source="../../media/list-of-approved-connected-print-devices.png" alt-text="list of approved usb connected print devices":::
+
+## View Device Control Printer Protection data in Microsoft Defender for Endpoint portal
+
+The [Microsoft 365 security center](https://security.microsoft.com) shows printing blocked by the Device Control Printer Protection policy above.
+
+```sql
+DeviceEvents
+
+|where ActionType == 'PrintJobBlocked'
+
+| extend parsed=parse_json(AdditionalFields)
+
+| extend PrintedFile=tostring(parsed.JobOrDocumentName)
+
+| extend PrintPortName=tostring(parsed.PortName)
+
+| extend PrinterName=tostring(parsed.PrinterName)
+
+| extend Policy=tostring(parsed.RestrictionReason) 
+
+| project Timestamp, DeviceId, DeviceName, ActionType, InitiatingProcessAccountName,Policy, PrintedFile, PrinterName, PrintPortName, AdditionalFields
+
+| order by Timestamp desc
+```
+
+ :::image type="content" source="../../media/device-control-advanced-hunting.png" alt-text="advanced hunting":::
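Review bot: In "Deploy policy via Intune", Scenario 2, the allow-list example `value="03F0/0853,0351/0872"` is never explained, so an administrator cannot tell what the two hexadecimal fields are (presumably USB vendor ID and product ID), where to read them from a device, or what separators and case are accepted; since this list decides which printers bypass the block, the format needs a sentence of its own. In the same sentence the quotation marks around ApprovedUsbPrintDevices are mis-encoded and should be plain quotes or code formatting. Under "Prepare your endpoints" the bullet "For Windows 2004 or later" names no update, unlike the 1809 and 1909 bullets. The hunting query at the end is fenced as `sql` although it is an advanced hunting (Kusto) query, the blank lines between its pipe stages should be removed, and the sentence above it should say that the query is run in advanced hunting rather than that the security center "shows" blocked printing. The Group Policy paths use "Administrative Templates > Printer" for machine policy and "Control Panel > Printers" for user policy; please check both against the actual template names.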
security Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/updates.md
+
+ Title: Manage the gradual rollout process for Microsoft Defender updates
+description: Learn about the gradual update process and controls
+keywords: update, update process, controls, release
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Manage the gradual rollout process for Microsoft Defender updates
+++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
++
+It is important to ensure that client components are up-to-date to deliver critical protection capabilities and prevent attacks.
+
+Capabilities are provided through several components:
+
+- [Endpoint Detection & Response](overview-endpoint-detection-response.md)
+- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md#microsoft-defender-antivirus-your-next-generation-protection) with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md)
+- [Attack Surface Reduction](overview-attack-surface-reduction.md)
+
+Updates are released monthly using a gradual release process. This process helps to enable early failure detection to catch impact as it occurs and address it quickly before a larger rollout.
+
+> [!NOTE]
+> For more information on how to control daily definition updates, see [Schedule Microsoft Defender Antivirus definition updates - Windows security | Microsoft Docs](manage-protection-update-schedule-microsoft-defender-antivirus.md). Definition updates ensure that next-generation protection can defend against new threats, even if cloud-delivered protection is not available to the endpoint.
+
+## Microsoft gradual rollout model
+
+The following gradual rollout model is followed:
+
+1. The first release goes out to Beta channel subscribers.
+2. After validation, feedback, and fixes, we start the gradual rollout process in a throttled way and to Preview channel subscribers first.
+3. We then proceed to release the update ato the rest of the global population, scaling out from 10-100%.
+
+Our engineers continuously monitor impact and escalate any issues to create a fix as needed.
+
+## How to customize your internal deployment process
+
+If your machines are receiving Defender updates from Windows Update, the gradual rollout process may result in some of your machines receiving Defender updates sooner than others. The following section explains how to define a strategy that will allow automatic updates to flow differently to specific groups of devices by leveraging update channel configuration.
+
+> [!NOTE]
+> When planning for your own gradual release, please make sure to always have a selection of devices subscribed to the preview and staged channels. This will provide your organization as well as Microsoft the opportunity to prevent or find and fix issues specific to your environment.
+
+For machines receiving updates through, for example, Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager (MECM), more options are available to all Windows updates, including options for Microsoft Defender for Endpoint.
+
+- Read more about how to use a solution like WSUS, MECM to manage the distribution and application of updates at [Manage Microsoft Defender Antivirus updates and apply baselines - Windows security | Microsoft Docs](manage-updates-baselines-microsoft-defender-antivirus.md#product-updates).
+
+## Update channels for monthly updates
+
+You can assign a machine to an update channel to define the cadence in which a machine receives monthly engine and platform updates.
+
+For more information on how to configure updates, see [Create a custom gradual rollout process for Microsoft Defender updates](configure-updates.md).
+
+The following update channels are available:
+
+| Channel name | Description | Application |
+|-|-|-|
+| Beta Channel - Prerelease | Test updates before others | Devices set to this channel will be the first to receive new monthly updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in test environments only. |
+| Current Channel (Preview) | Get Current Channel updates **earlier** during gradual release | Devices set to this channel will be offered updates earliest during the gradual release cycle. Suggested for pre-production/validation environments. |
+| Current Channel (Staged) | Get Current Channel updates later during gradual release | Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%). |
+| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). |
+| (default) | | If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices. |
+
+### Update channels for daily definition updates
+
+You can assign a machine to an update channel to define the cadence in which a machine receives daily definition updates.
+
+| Channel name | Description | Application |
+|-|-|-|
+| Current Channel (Staged) | Get Current Channel updates later during gradual release | Devices will be offered updates later during the gradual release cycle. Suggested to apply to a small, representative part of your device population (~10%). |
+| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates after the gradual release cycle. Best for datacenter machines that only receive limited updates. Note: this setting applies to all Defender updates. |
+| (default) | | If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices |
+
+> [!NOTE]
+> In case you wish to force an update to the newest signature instead of leveraging the time delay, you will need to remove this policy first.
+
+## Update guidance
+
+In most cases, the recommended configuration when using Windows Update is to allow endpoints to receive and apply monthly Defender updates as they arrive. This provides the best balance between protection and possible impact associated with the changes they can introduce.
+
+For environments where there is a need for a more controlled gradual rollout of automatic Defender updates, consider an approach with deployment groups:
+
+1. Participate in the Windows Insider program or assign a group of devices to the Beta Channel.
+2. Designate a pilot group that opts-in to Preview Channel, typically validation environments, to receive new updates early.
+3. Designate a group of machines that receive updates later during the gradual rollout from Staged channel. Typically, this would be a representative ~10% of the population.
+4. Designate a group of machines that receive updates after the gradual release cycle completes. These are typically important production systems.
+
+For the remainder of devices, the default setting is to receive new updates as they arrive during the Microsoft gradual rollout process and no further configuration is required.
+
+Adopting this model:
+- Allows you to test early releases before they reach a production environment
+- Ensure the production environment still receives regular updates and ensure protection against critical threats.
+
+## Management tools
+To create your own custom gradual rollout process for monthly updates, you can use the following tools:
+
+- Group policy
+- Microsoft Endpoint Manager
+- PowerShell
+
+For details on how to use these tools, see [Create a custom gradual rollout process for Microsoft Defender updates](configure-updates.md).
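Review bot: In the "Update channels for daily definition updates" table, the Current Channel (Broad) row ends with "Note: this setting applies to all Defender updates", which conflicts with the page presenting separate channel settings for monthly and daily updates; please state exactly which updates the setting delays, because holding back definition updates has a direct protection cost. The note that follows says "you will need to remove this policy first" without naming the policy. Smaller points: step 3 of the rollout model has a typo ("ato the rest") and "scaling out from 10-100%" would read better as "from 10% to 100%"; the Broad row of the monthly table gives "(~10-100%)" as a population size, which is not a usable recommendation; the daily definition heading is at level 3 under the monthly heading although it is a sibling topic; and in "Adopting this model" the second bullet should read "Ensures" to match "Allows".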
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
Here are some examples of valid domain pairs to identify spoofed senders:
- `chris@contoso.com, fabrikam.com` - `*, contoso.net`
-Adding a domain pair only allows or blocks the *combination* of the spoofed user *and* the sending infrastructure. It does not allow email from the spoofed user from any source, nor does it allow email from the sending infrastructure source for any spoofed user.
+The maximum number of spoofed sender entries is 1000.
+
+Adding a domain pair only allows or blocks the *combination* of the spoofed user *and* the sending infrastructure. It does not allow email from the spoofed user from any source, nor does it allow email from the sending infrastructure source for any spoofed user.
For example, you add an allow entry for the following domain pair: