Updates from: 07/13/2022 01:38:09
Category Microsoft Docs article Related commit history on GitHub Change details
admin M365 Feature Descriptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/m365-feature-descriptions.md
For other issues, visit the [Microsoft support center](https://support.microsoft
**Azure Active Directory
-# [**Service health and continuity**](#tab/Service-health-and-continuity)
-
-## Service health and continuity
-
-Microsoft admins can view the status of services and find out when maintenance is scheduled. Service health information is available at any time by signing in. If you're using Office 365 operated by 21Vianet, some of the information below might not apply. Instead, see the [**21Vianet service level agreement**](https://www.21vbluecloud.com/office365/O365-SLA/).
-
-**View status of
-
-**Service incidents:** A service incident is an event that affects the delivery of a service. Service incidents may be caused by hardware or software failure in the Microsoft data center, a faulty network connection due to a change made by Microsoft, or a major data center challenge such as fire, flood, or regional catastrophe. Interruptions caused by third party service providers, or changes made within customer managed environment, aren't considered service incidents. Most service incidents can be addressed using Microsoft technology and process solutions and are resolved within a short time. However, some service incidents are more serious and can lead to longer term outages.
-
-**Service notifications:** There are two types of notifications about times when services may not be available: **Planned maintenance events** and **Unplanned downtime.**
-
-**Planned maintenance events:** Planned maintenance is regular Microsoft-initiated service updates to the infrastructure and software applications. Planned maintenance notifications inform customers about service work that might affect the functionality of a Microsoft service. Customers are notified no later than five days in advance of all planned maintenance through Message center on the Microsoft 365 admin center. Microsoft typically plans maintenance for times when service usage is historically at its lowest based on regional time zones.
-
-**Unplanned downtime:** Unplanned service incidents occur when one of the services is unavailable or unresponsive due to a failure within the Microsoft managed environment. Customers are notified of known service incidents through Service health on the Microsoft 365 admin center.
-
-**Recent worldwide uptimes:** Moving to a cloud service shouldn't mean losing the ability to know what's going on. With Microsoft 365, it doesn't. We aim to be transparent in our operations so you can monitor the state of your service, track issues, and have a historical view of availability. The following tables show recent worldwide uptime data.
-
-| Years| Q1 | Q2 | Q3 | Q4 |
-|:--|:--|:--|:--|:--|
-| 2022 | | | | |
-| 2021 | 99.97% | 99.98% | 99.99% | 99.98%|
-| 2020 | 99.98% | 99.99% | 99.97% | 99.97%|
-| 2019 | 99.97% | 99.97% | 99.98% | 99.98%|
-| 2018 | 99.99% | 99.98% | 99.97% | 99.98%|
-| 2017 | 99.99% | 99.97% | 99.98% | 99.99%|
-
-**Notification policy:** When a service incident occurs, Microsoft recognizes that timely, targeted, and accurate communications are critical for customers. Microsoft notifies administrators by communicating directly to impacted customers via Service health on the Microsoft 365 admin center. Service incident updates are provided on an hourly cadence or, if a different cadence is required, it will be stated in the SHD communication posting.
-
-**Service health communication channels --** **Admin App:** The Admin App for organization administrators gives you the ability to connect with your organization's Microsoft service status on the go. Microsoft administrators will have the ability to view service health information and maintenance status updates from their mobile devices. For more information, visit the [Admin App FAQ](/office365/admin/admin-overview/admin-mobile-app).
-
-**Microsoft 365 Management Pack for Microsoft System Center Operations
-
-**Microsoft 365 Service Communications API in Graph:** The Microsoft 365 Service Communications API lets you access service communications the way you want. With this API, you can create or connect your tools to service communications, potentially simplifying how you monitor your environment. The Service Communications API lets you monitor the following items your environment: Real-time service health and Message Center communications. For more information, see the [Microsoft 365 Service Communications API reference](/graph/api/resources/service-communications-api-overview).
-
-**Post-incident reviews:** Microsoft's commitment to continuous improvement involves analysis of unplanned customer-impacting service incidents to minimize future recurrence. Unplanned service incidents are defined as multi-tenant service disruptions that impact service usage as defined by our service-level agreements (SLAs), and have been declared as such through Service health on Microsoft 365 admin center. For unplanned customer-impacting service incidents in which there was broad and noticeable impact across a large number of organizations, a preliminary post-incident review (PIR) will be delivered via your Service health within 48 hours of incident resolution, followed by a final PIR within five business days.
-
-**PIR report:** The detailed PIR report includes: User experience and customer impact, Incident start and end date/time, Detailed timeline of impact and resolution measures, and Root cause analysis and actions being taken for continuous improvement. For all other service incidents, the Service health page on Microsoft 365 admin center will provide an incident closure summary including a final summary of the event, root cause, start and end times, and information detailing next steps. For this category of service incident, a PIR won't be generated.
-
-**Service continuity:** Microsoft offerings are delivered by highly resilient systems that help to maintain peak service performance. Service continuity provisions are part of the system design. These provisions enable Microsoft to recover quickly from unexpected events such as hardware or application failure, data corruption, or other incidents that affect users. These service continuity solutions also apply during catastrophic outages (for example, natural disasters or an incident within a Microsoft data center that renders the entire data center inoperable).
-
-**Outage recovery:** After recovery from catastrophic outages, there may be a period of time before full data center redundancy is restored for the service. For example, if Data Center 1 fails, services are restored by resources in Data Center 2. However, there may be a period of time until services in Data Center 2 have service continuity support either by restored resources in Data Center 1, or new resources in Data Center 3. The Microsoft [Service Level Agreement](/office365/servicedescriptions/office-365-platform-service-description/service-level-agreement) (SLA) applies during this time. Office 365 operated by 21Vianet has a different SLA. For more information, see the [21Vianet site](https://www.21vbluecloud.com/office365/O365-SLA/).
-
-**Ensuring data availability:** Microsoft ensures that customer data is available whenever it's needed through the following features: **Data storage and redundancy, Data monitoring,** and **Completing preventative maintenance.**
-
-**Data storage and redundancy:** Customer data is stored in a redundant environment with robust data protection capabilities to enable availability, business continuity, and rapid recovery. Multiple levels of data redundancy are implemented, ranging from redundant disks to guard against local disk failure to continuous, full data replication to a geographically diverse data center.
-
-**Data monitoring:** Microsoft services maintain high levels of performance by monitoring: Databases, Blocked processes, Packet loss, Queued processes, and Query latency.
-
-**Completing preventative maintenance:** Preventative maintenance includes database consistency checks, periodic data compression, and error log reviews.
-
-**Reports:** Administrators of Microsoft can view reports showing how your organization is using Microsoft services. You can use these reports to identify issues, filter data, and download data to Microsoft Excel. You can also create your own reports using the Microsoft 365 reporting web services. Exchange Online and Exchange Online Protection (EOP) administrators can [use mail protection reports to view data about malware, spam, and rule detections](/exchange/monitoring/use-mail-protection-reports). For more information, see [View and download reports about service usage](/microsoft-365/admin/activity-reports/activity-reports). For Office 365 operated by 21Vianet, see [View and download reports for Office 365 operated by 21Vianet](/microsoft-365/admin/activity-reports/activity-reports).
- # [**Support, help, and training**](#tab/Support) ## Support
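Review bot: The removed tab heading `# [**Service health and continuity**](#tab/Service-health-and-continuity)` takes the `#tab/Service-health-and-continuity` anchor with it, together with the uptime table, the notification policy and the PIR timelines (preliminary within 48 hours, final within five business days), and nothing in this hunk says where that content now lives. If it moved to another article, add a link from this page and check inbound links to the old tab anchor. If it is dropped on purpose, say so in the commit message, since these are the statements an admin looks up during an incident.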
admin Assign Licenses To Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/assign-licenses-to-users.md
- AdminTemplateSet search.appverid: MET150 description: "Assign licenses depending on whether you want to assign product licenses to specific users or assign users licenses to a specific product." Previously updated : 06/23/2022 Last updated : 07/12/2022 # Assign Microsoft 365 licenses to users
You can assign licenses to users on either the **Active users** page, or on the
- To use group-based licensing, see [Assign licenses to users by group membership in Azure Active Directory](/azure/active-directory/users-groups-roles/licensing-groups-assign) - Some services, like Sway, are automatically assigned to users, and don't need to be assigned individually. - ## Use the Licenses page to assign licenses to users
-The **Licenses** page lets you assign or unassign licenses for up to 20 users at a time. The page shows the products you own, the number of available licenses for each product, and the number of assigned licenses out of the total licenses available. The number of licenses is an aggregate total of licenses for all subscriptions for the same product name.
+The **Licenses** page lets you assign or unassign licenses for up to 20 users at a time. The page shows the products you own, the number of available licenses for each product, and the number of assigned licenses out of the total licenses available.
-For example, you might have one subscription for Microsoft 365 Business Premium that has 5 licenses, and another subscription that has 8 licenses for the same product. The **Licenses** page shows that you have a total of 13 licenses for Microsoft 365 Business Premium across all your subscriptions. This is different from what you see on the **Your products** page, which displays a row for each subscription you own, even if they are for the same product.
+The **Licenses** page shows an aggregate total of licenses for all subscriptions for the same product name. For example, you might have one subscription for Microsoft 365 Business Premium that has 5 licenses, and another subscription that has 8 licenses for the same product. The **Licenses** page shows that you have a total of 13 licenses for Microsoft 365 Business Premium across all your subscriptions. This is different from what you see on the **Your products** page, which displays a row for each subscription you own, even if they are for the same product.
::: moniker range="o365-worldwide"
For example, you might have one subscription for Microsoft 365 Business Premium
4. In the **Assign licenses to users** pane, begin typing a name, and then choose it from the results to add it to the list. You can add up to 20 users at a time.
-4. Select **Turn apps and services on or off** to assign or remove access to specific items.
+5. Select **Turn apps and services on or off** to assign or remove access to specific items.
6. When you're finished, select **Assign**, then close the right pane.
admin Health Dashboard Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/health-dashboard-overview.md
+
+ Title: "Microsoft 365 Health Dashboard"
+++
+audience: Admin
++
+ms.localizationpriority: medium
+
+- AdminSurgePortfolio
+- okr_smb
+- AdminTemplateSet
+description: "Get an overview of Microsoft 365 Health dashboard and its role in keeping you up to date about the health of your Microsoft 365 organization."
++
+# Microsoft 365 Health dashboard
+
+As the admin of your organization, youΓÇÖre charged with keeping many apps and services running smoothly with a limited amount of time. We've created the Microsoft 365 Health dashboard to help you understand how well apps and services are running in your organization.
+
+The Health dashboard is designed to give you a snapshot of the overall health of your environment. You can see how well your organization is keeping desktop software up to date, following best practices for security, and using the products and services youΓÇÖve paid for.
+
+> [!NOTE]
+> Microsoft 365 Health dashboard is in public preview and may not be available to all customers.
+
+## Health dashboard in the Microsoft 365 admin center
+
+1. Sign in to the admin center, and then go to this url: https://admin.microsoft.com/AdminPortal/Home?#/healthoverview.
+
+You need to be a member of the global admin role or global reader role to access the health dashboard.
++
+At the top of the dashboard, youΓÇÖll see critical alerts about any issues that need your attention. Two types of notifications will appear here:
+
+- General service incidents.
+
+- Billing issues that may cause future problems, like an expired subscription.
+
+If there are no alerts, a green banner lets you know that the health dashboard didn't find any issues.
+
+### Service health and usage
+
+In the center of the page, youΓÇÖll see current service health status of your top apps and services. This is a selected view of the top products. If you want to see the list of all your products, you can follow the link to see the full list. This section also shows you average daily usage and a view of license utilization. This helps you understand how products are being used in your organization.
++
+### Microsoft 365 app updates
+
+To help you keep up to date with software updates, this section of the dashboard provides an at-a-glance view of whether Microsoft 365 desktop apps like Word, Excel, and PowerPoint are up-to-date. If some devices have fallen behind, youΓÇÖll see a list of devices and vulnerabilities to help you understand the risk. This information is powered by the Software Updates page, which you can access for more information.
++
+### Recommended actions
+
+At the bottom of the dashboard, youΓÇÖll see recommendations on what you can do to improve your organizationΓÇÖs health:
+
+- **Turn on multi-factor authentication**: See a summary of how many accounts are currently enabled for multi-factor authentication (MFA), and a link to the MFA setup wizard.
+
+- **Turn on monthly updates for Office**: See whether your organization's Office update frequency is set so that you receive updates more than once every six months.
+
+- **Share OneDrive training**: Encourage users to store files in OneDrive to help with recovery against ransomware or device failure. Send them a video overview to help them set up and use OneDrive.
+
+## Note for Microsoft enterprise customers
+
+The initial version of the Health dashboard focuses on smaller IT teams, where it's common for one person to manage Microsoft 365. We intend to evolve the dashboard to address the needs of more IT roles and larger organizations over time.
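Review bot: The access requirement (`global admin role or global reader role`) is placed after step 1 under "Health dashboard in the Microsoft 365 admin center", so a reader follows the URL before learning which role is needed. Move it above the step, and consider naming the global reader role first, since the article only describes viewing the dashboard. The step itself is a one-item numbered list with a bare URL; a sentence with a named link would read better. Separately, the new text mixes apostrophe styles (the straight one in `We've` next to a curly one earlier on the same line), and the curly ones are what show up as `ΓÇÖ` here; use straight apostrophes throughout.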
admin Idle Session Timeout Web Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/idle-session-timeout-web-apps.md
When a user reaches the idle timeout session you've set, they'll get a notificat
## Turn on Idle session timeout
-You must be a member of the Global admin, Security admin, Application admin or Cloud Application admin roles to see the idle session timeout setting.
+You must be a member of the Global admin, Security admin, Application admin, or Cloud Application admin roles to see the idle session timeout setting.
1. In the Microsoft 365 admin center, select **Org Settings** **->** [Security & privacy](https://go.microsoft.com/fwlink/p/?linkid=2072756) tab and select **Idle session timeout**.
admin Remove Licenses From Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/remove-licenses-from-users.md
- AdminTemplateSet search.appverid: MET150 description: "The method you use to unassign product licenses depends on whether you unassign licenses from specific users or from a specific product." Previously updated : 06/23/2022 Last updated : 07/12/2022 # Unassign Microsoft 365 licenses from users
Last updated 06/23/2022
You can unassign licenses from users on either the **Active users** page, or on the **Licenses** page. The method you use depends on whether you want to unassign product licenses from specific users or unassign users licenses from a specific product. > [!NOTE]
->
+>
> - As an admin, you can't assign or unassign licenses for a self-service purchase subscription bought by a user in your organization. You can [take over a self-service purchase subscription](../../commerce/subscriptions/manage-self-service-purchases-admins.md#take-over-a-self-service-purchase-subscription), and then assign or unassign licenses.
->
+>
> - For some subscriptions, you can only cancel during a limited window of time after you buy or renew your subscription. If the cancellation window has passed, turn off recurring billing to cancel the subscription at the end of its term. ## Before you begin
You can unassign licenses from users on either the **Active users** page, or on
## Use the Licenses page to unassign licenses
-The **Licenses** page lets you assign or unassign licenses for up to 20 users at a time. The page shows the products you own, the number of available licenses for each product, and the number of assigned licenses out of the total licenses available. The number of licenses is an aggregate total of licenses for all subscriptions for the same product name.
+The **Licenses** page lets you assign or unassign licenses for up to 20 users at a time. The page shows the products you own, the number of available licenses for each product, and the number of assigned licenses out of the total licenses available.
-For example, you might have one subscription for Microsoft 365 Business Premium that has 5 licenses, and another subscription that has 8 licenses for the same product. The **Licenses** page shows that you have a total of 13 licenses for Microsoft 365 Business Premium across all your subscriptions. This is different from what you see on the **Your products** page, which displays a row for each subscription you own, even if they are for the same product.
+The **Licenses** page shows an aggregate total of licenses for all subscriptions for the same product name. For example, you might have one subscription for Microsoft 365 Business Premium that has 5 licenses, and another subscription that has 8 licenses for the same product. The **Licenses** page shows that you have a total of 13 licenses for Microsoft 365 Business Premium across all your subscriptions. This is different from what you see on the **Your products** page, which displays a row for each subscription you own, even if they are for the same product.
::: moniker range="o365-worldwide"
For example, you might have one subscription for Microsoft 365 Business Premium
::: moniker-end
-1. Select a product.
+2. Select a product.
-2. Select the check boxes of the users for which you want to unassign licenses.
+3. Select the check boxes of the users for whom you want to unassign licenses.
-3. Select **Unassign licenses**.
+4. Select **Unassign licenses**.
-4. In the **Unassign licenses** box, select **Unassign**.
+5. In the **Unassign licenses** box, select **Unassign**.
## Use the Active users page to unassign licenses
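Review bot: The renumbered list now begins at `2. Select a product.` directly after `::: moniker-end`, so step 1 has to come from inside the moniker block above. Check that every moniker range supplies its own step 1 and that the list still renders as one continuous sequence across the `::: moniker-end` boundary; otherwise a reader in one of the ranges sees a procedure that starts at step 2.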
business-premium M365bp Upgrade Windows 10 Pro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-upgrade-windows-10-pro.md
You can choose from several methods to upgrade:
[Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227#WindowsVersion=Windows_10)
-[Microsoft 365 for business training videos](../admin/admin-video-library.yml)
+[Microsoft 365 for business training videos](https://go.microsoft.com/fwlink/?linkid=2197659)
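Review bot: The replacement link `https://go.microsoft.com/fwlink/?linkid=2197659` hides its destination behind a redirect ID, where the old relative path `../admin/admin-video-library.yml` could be validated at build time. If the relative target was moved, link to its new path instead; if the fwlink has to stay, confirm it resolves to the training videos the link text promises.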
compliance Information Protection Solution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-protection-solution.md
- m365solution-overview - m365solution-mip - m365initiative-compliance
+- zerotrust-solution
description: "Prescriptive guidance to deploy Microsoft Purview Information Protection for your organization."
compliance Sensitivity Labels Aip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-aip.md
The following configurations from the AIP add-in aren't yet supported by built-i
Although new capabilities for built-in labeling are being added all the time, the AIP Office Add-in supports the following capabilities that aren't planned to be available in future releases for built-in labeling: - Application of labels to Microsoft Office 97-2003 formats, such as .doc files
+- Local usage logging to the Windows event log
- Permanently disconnected computers - Standalone editions of Office (sometimes called "Office Perpetual") rather than subscription-based
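Review bot: The added bullet `Local usage logging to the Windows event log` tells readers this logging is not planned for built-in labeling but gives no pointer to what they should use instead. Teams that collect those events today need a migration hint; add a cross-reference to the supported auditing option for built-in labels, if one exists, or state that there is no local equivalent.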
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
Make sure you understand the following prerequisites before you turn on this fea
- Sensitivity labels must be [enabled for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md) for the tenant. If this feature isn't already enabled, it will be automatically enabled when you select the setting to turn on co-authoring for files with sensitivity labels. - Microsoft 365 Apps for enterprise:
- - **Windows**: Minimum version 2107 from Current Channel or Monthly Enterprise Channel, or minimum version 2202 from Semi-Annual Enterprise Channel (Preview)
+ - **Windows**: Minimum version 2107 from Current Channel or Monthly Enterprise Channel, or minimum version 2202 from Semi-Annual Enterprise Channel
- **macOS**: Minimum version 16.51
- - **iOS**: Now in preview when you [opt in](#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) with minimum version 2.58
- - **Android**: Now in preview when you [opt in](#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) with minimum version 16.0.14931
+ - **iOS**: In preview when you [opt in](#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) with minimum version 2.58
+ - **Android**: In preview when you [opt in](#opt-in-to-the-preview-of-co-authoring-for-ios-and-android) with minimum version 16.0.14931
- All apps, services, and operational tools in your tenant must support the new [labeling metadata](#metadata-changes-for-sensitivity-labels). If you use any of the following, check the minimum versions required:
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
> > And visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap) to learn about Microsoft 365 features that were launched, are rolling out, are in development, have been cancelled, or previously released.
+## June 2022
+
+### Compliance Manager
+
+- [Microsoft Purview Compliance Manager alerts and alert policies](compliance-manager-alert-policies.md) - added three ADD roles that have permissions to create or edit alert policies.
+- [Configuration Analyzer for Microsoft Purview](compliance-manager-mcca.md) - new name and updated reference links for this getting-started tool for Compliance Manager formerly named 'Microsoft Compliance Configuration Analyzer'.
+
+### Data Loss Prevention
+
+- Numerous page updates for Microsoft Purview branded screenshots.
+
+### Data lifecycle management and records management
+
+- In preview: [Microsoft Graph API for records management](compliance-extensibility.md#microsoft-graph-api-for-records-management-preview)
+
+### Microsoft Priva
+
+- [Subject Rights Requests](/privacy/priva/subject-rights-requests) - significant updates, and restructuring of SRR content to better assist users through each progress step; details below.
+ - [Learn about Priva Subject Rights Requests](/privacy/priva/subject-rights-requests) - clearer articulation of customer value prop and general outline of the SRR process.
+ - [Understand the workflow and details pages](/privacy/priva/subject-rights-requests-workflow) - articulates the steps in completing a request, indicating manual vs. automatic progression, and linking off to detailed content; a section explains how to interpret and work with a request's details page, including the new "History" tab.
+ - [Create a request and define search settings](/privacy/priva/subject-rights-requests-create) - new framing with subheads explaining there are now two ways to create a request: via a custom method using a guided process, and via the new feature of using a template, whose search parameters aim to retrieve the most relevant content for the situation.
+ - [Data estimate and retrieval](/privacy/priva/subject-rights-requests-data-retrieval) - explains why some requests pause at the data estimate stage and how to adjust the search as a result; also explains how to set a request to pause first before automatically progressing to data retrieval.
+ - [Review data for a subject rights request](/privacy/priva/subject-rights-requests-data-review) - new import file features allows users to bring files from non-Microsoft 365 locations, or files otherwise not picked up by the search, into the Data collected tab.
+ - [Generate reports and close requests](/privacy/priva/subject-rights-requests-reports) - clarifies when final data packages are generated and what types of files they include.
+ - [Integrate and extend through Microsoft Graph API and Power Automate](/privacy/priva/subject-rights-requests-automate) - revised the title of this previous Power Automate page and expanded page content to include Graph API content and reference links that previously lived on another page.
+
+### Sensitive Information Types
+
+- [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md) - added section on services that EDM supports.
+
+### Sensitivity labels
+
+- In preview: [PDF support for Office apps](sensitivity-labels-office-apps.md#pdf-support), which includes converting documents to PDF format, inheriting the label with any visual markings and encryption. Print to PDF isn't supported, and this option becomes unavailable for users if their label policy is configured for mandatory labeling.
+- In preview: The dialog box that users see when their label policy is configured to require justification to remove or downgrade a label is updated to warn users that their typed response should not include sensitive data. The screenshot in the [What label policies can do](sensitivity-labels.md#what-label-policies-can-do) section shows this updated dialog box that will make its way into the Office deployment channels for production use.
+- In preview: [Support for Outlook to apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) is just starting to roll out across client platforms.
+- For [auto-labeling policies](apply-sensitivity-label-automatically.md#creating-an-auto-labeling-policy), a new setting that can automatically turn on the policy if not edited within a set number of days.
+
+### Trainable Classifiers
+
+- [Learn about trainable classifiers](classifier-learn-about.md) - added Adult, Racy, Gory images trainable classifier.
+ ## May 2022 ### Communication compliance
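Review bot: In the Compliance Manager entry, `added three ADD roles` looks like a typo for the directory name (AAD or Azure AD); spell it out so readers can tell which roles gained permission to create or edit alert policies. In the Priva entry for reviewing data, `new import file features allows users` has a subject-verb mismatch and should read `feature allows` or `features allow`.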
To meet the challenges of today's decentralized, data-rich workplace, we're intr
- New [monitoring capabilities](apply-sensitivity-label-automatically.md#monitoring-your-auto-labeling-policy) for auto-labeling policies. - Now rolling out: default label for existing documents, and justification text for Office on the web. - Announced for the July Semi-Annual Enterprise Channel with version 2202+: Co-authoring and auditing for Outlook.-
-## December 2021
-
-### Compliance and service assurance
--- [Azure, Dynamics 365, and Windows breach notification under the GDPR](/compliance/regulatory/gdpr-breach-notification) - updated to clarify that customers don't need to use a pay service such as Defender for Cloud to receive security and privacy notifications-
-### eDiscovery
--- [eDiscovery (Premium) workflow for content in Microsoft Teams](teams-workflow-in-advanced-ediscovery.md#reference-guide) - updated with a new downloadable quick reference guide for managing Teams content in eDiscovery (Premium)-
-### Data lifecycle management
--- [Enable archive mailboxes in the compliance center](enable-archive-mailboxes.md#run-diagnostics-on-archive-mailboxes) - added section about new diagnostics tool for archive mailboxes-- [Use network upload to import your organization's PST files to Microsoft 365](use-network-upload-to-import-pst-files.md#step-2-upload-your-pst-files-to-microsoft-365) - PST import now supports AzCopy v10-- [Restore an inactive mailbox](restore-an-inactive-mailbox.md) - revised procedure to restore an inactive mailbox by first adding LegacyExchangeDN of inactive mailbox to target mailbox-
-### Information protection
--- [Deploy an information protection solution with Microsoft Purview](information-protection-solution.md) - New step-by-step guidance for customers looking for a prescriptive roadmap to deploy Microsoft Purview Information Protection-
-### Retention and records management
--- New guidance for [How long it takes for retention policies to take effect](create-retention-policies.md#how-long-it-takes-for-retention-policies-to-take-effect)-- New tenant settings rolling out: A records management setting that prevents the editing of properties for labeled SharePoint items that are marked as a record and locked, and other setting to prevent users from unlocking items that are marked as a record-
-### Sensitivity labels
--- Mandatory labeling and a default label for Power BI are now generally available (GA)
enterprise Deploy Identity Solution Identity Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/deploy-identity-solution-identity-model.md
- Ent_O365 - M365-identity-device-management - M365-security-compliance
+- m365solution-m365-identity
+- m365solution-scenario
+- zerotrust-solution
f1.keywords: - CSH
enterprise Deploy Identity Solution Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/deploy-identity-solution-overview.md
- m365initiative-coredeploy - m365solution-m365-identity - m365solution-overview
+- zerotrust-solution
- intro-overview description: Deploy your identity infrastructure for Microsoft 365.
enterprise Microsoft 365 Secure Sign In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-secure-sign-in.md
- M365-security-compliance - Strat_O365_Enterprise - m365initiative-coredeploy
+- m365solution-m365-identity
+- m365solution-scenario
+- zerotrust-solution
description: Require that your users sign in securely with multi-factor authentication (MFA) and other features.
enterprise Protect Your Global Administrator Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/protect-your-global-administrator-accounts.md
ms.localizationpriority: medium
- Strat_O365_IP - m365initiative-coredeploy
+- m365solution-m365-identity
+- m365solution-scenario
+- zerotrust-solution
search.appverid: - MET150 - MOE150
lighthouse M365 Lighthouse Deploy Standard Tenant Configurations Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview.md
Lighthouse baseline configurations are designed to make sure all managed tenants
| Require MFA for end users | A Conditional Access policy that requires multi-factor authentication for all users. It's required for all cloud applications. For more information about this baseline, see [Conditional Access: Require MFA for all users](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa). | | Block legacy authentication | A Conditional Access policy to block legacy client authentication. For more information about this baseline, see [Block legacy authentication to Azure AD with Conditional Access](/azure/active-directory/conditional-access/block-legacy-authentication).| | Set up device enrollment | Device enrollment to allow your tenant devices to enroll in Microsoft Endpoint Manager. This is done by setting up Auto Enrollment between Azure Active Directory and Microsoft Endpoint Manager. For more information about this baseline, see [Set up enrollment for Windows devices](/mem/intune/enrollment/windows-enroll). |
+| Set up Microsoft Defender for Business | Provisions the tenant for Microsoft Defender for Business and onboards the devices already enrolled in Microsoft Endpoint Manager to Microsoft Defender for Business. For more information, see [What is Microsoft Defender for Business?](../security/defender-business/mdb-overview.md) |
| Set up Exchange Online Protection and Microsoft Defender for Office 365 | A policy to apply recommended anti-spam, anti-malware, anti-phishing, safe links and safe attachment policies to your tenants Exchange Online mailboxes. | | Configure Microsoft Defender Antivirus for Windows 10 and later | A device configuration profile for Windows devices with pre-configured Microsoft Defender Antivirus settings. For more information about this baseline, see [Configure Microsoft Defender for Endpoint in Intune](/mem/intune/protect/advanced-threat-protection-configure).| | Configure Microsoft Defender Firewall for Windows 10 and later | A firewall policy to help secure devices by preventing unwanted and unauthorized network traffic. For more information about this baseline, see [Best practices for configuring Windows Defender Firewall](/windows/security/threat-protection/windows-firewall/best-practices-configuring). |
security Microsoft 365 Zero Trust https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/Microsoft-365-zero-trust.md
- m365solution-zerotrust - m365solution-overview - M365-security-compliance
+- zerotrust-solution
# Microsoft 365 Zero Trust deployment plan
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
##### [Evaluate controlled folder access](evaluate-controlled-folder-access.md) ##### [Enable controlled folder access](enable-controlled-folders.md) ##### [Customize controlled folder access](customize-controlled-folders.md)
+#### [Device Control]()
+##### [Removable Storage Protection](device-control-removable-storage-protection.md)
+##### [Removable Storage Access Control](device-control-removable-storage-access-control.md)
+##### [Device Installation](mde-device-control-device-installation.md)
+##### [Device Control Printer Protection](printer-protection.md)
+##### [Device Control Reports](device-control-report.md)
#### [Exploit protection]() ##### [Protect devices from exploits](exploit-protection.md) ##### [Exploit protection evaluation](evaluate-exploit-protection.md)
##### [Protect your network](network-protection.md) ##### [Evaluate network protection](evaluate-network-protection.md) ##### [Turn on network protection](enable-network-protection.md)
+#### [Web protection]()
+##### [Web protection overview](web-protection-overview.md)
+##### [Web threat protection]()
+###### [Web threat protection overview](web-threat-protection.md)
+###### [Monitor web security](web-protection-monitoring.md)
+###### [Respond to web threats](web-protection-response.md)
+##### [Web content filtering](web-content-filtering.md)
+ ### Next-generation protection #### [Next-generation protection overview](next-generation-protection.md)
##### [Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md) ##### [Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution](troubleshoot-microsoft-defender-antivirus-when-migrating.md)
-#### [Web protection]()
-##### [Web protection overview](web-protection-overview.md)
-##### [Web threat protection]()
-###### [Web threat protection overview](web-threat-protection.md)
-###### [Monitor web security](web-protection-monitoring.md)
-###### [Respond to web threats](web-protection-response.md)
-##### [Web content filtering](web-content-filtering.md)
-
-#### [Device Control]()
-##### [Removable Storage Protection](device-control-removable-storage-protection.md)
-##### [Removable Storage Access Control](device-control-removable-storage-access-control.md)
-##### [Device Installation](mde-device-control-device-installation.md)
-##### [Device Control Printer Protection](printer-protection.md)
-##### [Device Control Reports](device-control-report.md)
- #### [Behavioral blocking and containment]() ##### [Behavioral blocking and containment](behavioral-blocking-containment.md) ##### [Client behavioral blocking](client-behavioral-blocking.md)
#### [Increase compliance to the security baseline](configure-machines-security-baseline.md) #### [Optimize attack surface reduction rule deployment and detections](configure-machines-asr.md)
-## [Guidance for active threats and campaigns]()
-### [Manage the Log4Shell vulnerability](tvm-manage-log4shell-guidance.md)
- ## [Investigate and respond to threats]() ### [Endpoint detection and response]() #### [Endpoint detection and response overview](overview-endpoint-detection-response.md)
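Review bot: The removal of the "Guidance for active threats and campaigns" node just above drops the only TOC entry shown here for `tvm-manage-log4shell-guidance.md`, and no added line in this file re-homes it. If the article is staying published, add the entry under another node. If it is being retired, pair this change with a redirect so existing links to the Log4Shell guidance do not land on an orphaned page.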
security Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
Here are some examples:
> [!TIP] > For more examples and a discussion of the criteria we use to label applications for special attention from security features, see [How Microsoft identifies malware and potentially unwanted applications](/windows/security/threat-protection/intelligence/criteria).
-Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or waste IT resources in cleaning them up. PUA protection is supported on Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2016. In Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA for Enterprise (E5) devices by default.
+Potentially unwanted applications can increase the risk of your network being infected with actual malware, make malware infections harder to identify, or cost your IT and security teams time and effort to clean them up. PUA protection is supported on Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, and Windows Server 2016. If your organization's subscription includes [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), Microsoft Defender Antivirus blocks apps that are considered to be PUA by default on Windows devices.
+
+[Learn more about Windows Enterprise subscriptions](https://www.microsoft.com/microsoft-365/windows/windows-11-enterprise).
## Microsoft Edge
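Review bot: The added "Learn more about Windows Enterprise subscriptions" link does not match the sentence it follows, which now makes default PUA blocking depend on a Microsoft Defender for Endpoint subscription rather than on Enterprise (E5). Point the link at the Defender for Endpoint plans or drop it. The rewrite also removes the "Windows 10 (version 2004 and later)" qualifier, so say explicitly whether a minimum Windows 10 version still applies to the default-block behavior.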
Although Microsoft Defender for Endpoint has its own blocklist based upon a data
The potentially unwanted application (PUA) protection feature in Microsoft Defender Antivirus can detect and block PUA on endpoints in your network. > [!NOTE]
-> This feature is available in Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and Windows Server 2016.
+> This feature is available in Windows 11, Windows 10, Windows Server 2022, Windows Server 2019, and Windows Server 2016.
Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantine. When a PUA file is detected on an endpoint, Microsoft Defender Antivirus sends a notification to the user ([unless notifications have been disabled](configure-notifications-microsoft-defender-antivirus.md) in the same format as other threat detections. The notification is prefaced with `PUA:` to indicate its content.
The notification appears in the usual [quarantine list within the Windows Securi
You can enable PUA protection with [Microsoft Intune](/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](/powershell/module/defender/?preserve-view=true&view=win10-ps).
-You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log.
-
-PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
+You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log. PUA protection in audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
### Use Intune to configure PUA protection
security Enable Microsoft Defender For Iot Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-microsoft-defender-for-iot-integration.md
ms.technology: mde
**Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint P2](https://go.microsoft.com/fwlink/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) [!include[Prerelease information](../../includes/prerelease.md)]
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
The following table summarizes the state of Microsoft Defender Antivirus in seve
| Windows Server 2016 <br/> Windows Server 2012 R2 | A non-Microsoft antivirus/antimalware solution | Yes | Microsoft Defender Antivirus must be set to passive mode (manually) <sup>[[2](#fn2)]<sup> | |Windows Server 2016 <br/> Windows Server 2012 R2 | A non-Microsoft antivirus/antimalware solution | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[3](#fn3)]<sup> |
-(<a id="fn2">2</a>) On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn't enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, set Microsoft Defender Antivirus to passive mode to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
-
-**Registry Key Method**
-
- You can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
+(<a id="fn2">2</a>) On Windows Server 2019, Windows Server, version 1803 or newer, Windows Server 2016, or Windows Server 2012 R2, Microsoft Defender Antivirus doesn't enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, set Microsoft Defender Antivirus to passive mode to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using a registry key as follows:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: `ForceDefenderPassiveMode` - Type: `REG_DWORD` - Value: `1`
-**GPO Method**
-
-1. Open Group Policy Management Editor > **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus**.
-
-2. Select **Turn Off Microsoft Defender Antivirus**.
-
-3. Set the GPO to **Enabled**.
-
-You can view your protection status in PowerShell by using the command [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus) and the key `AMRunningMode`. Here's an example of what the output looks like:
-
-```
-PS C:\Users\contoso> Get-MpComputerStatus
--
-AMEngineVersion : 0.0.0.0
-AMProductVersion : 4.18.2205.4
-AMRunningMode : Not running
-AMServiceEnabled : False
-AMServiceVersion : 0.0.0.0
-AntispywareEnabled : False
-AntispywareSignatureAge : 4294967295
-AntispywareSignatureLastUpdated :
-AntispywareSignatureVersion : 0.0.0.0
-AntivirusEnabled : False
-AntivirusSignatureAge : 4294967295
-AntivirusSignatureLastUpdated :
-AntivirusSignatureVersion : 0.0.0.0
-BehaviorMonitorEnabled : False
-ComputerID : 5CF99D95-BF09-4B2E-9911-8E01C55642E5
-ComputerState : 0
-DefenderSignaturesOutOfDate : False
-DeviceControlDefaultEnforcement : N/A
-DeviceControlPoliciesLastUpdated : 01/01/1601 00:00:00
-DeviceControlState : N/A
-FullScanAge : 4294967295
-FullScanEndTime :
-FullScanOverdue : False
-FullScanRequired : False
-FullScanSignatureVersion :
-FullScanStartTime :
-IoavProtectionEnabled : False
-IsTamperProtected : False
-IsVirtualMachine : True
-LastFullScanSource : 0
-LastQuickScanSource : 0
-NISEnabled : False
-NISEngineVersion : 0.0.0.0
-NISSignatureAge : 4294967295
-NISSignatureLastUpdated :
-NISSignatureVersion : 0.0.0.0
-OnAccessProtectionEnabled : False
-ProductStatus : 1
-QuickScanAge : 4294967295
-QuickScanEndTime :
-QuickScanOverdue : False
-QuickScanSignatureVersion :
-QuickScanStartTime :
-RealTimeProtectionEnabled : False
-RealTimeScanDirection : 0
-RebootRequired : False
-TamperProtectionSource : Signatures
-TDTMode : N/A
-TDTStatus : N/A
-TDTTelemetry : N/A
-TroubleShootingDailyMaxQuota :
-TroubleShootingDailyQuotaLeft :
-TroubleShootingEndTime :
-TroubleShootingExpirationLeft :
-TroubleShootingMode :
-TroubleShootingModeSource :
-TroubleShootingQuotaResetTime :
-TroubleShootingStartTime :
-PSComputerName :
-```
-
-In the preceding example, the Defender status is **Not Running**.
+You can view your protection status in PowerShell by using the command [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus). Check the value for `AMRunningMode`. You should see **Normal**, **Passive**, or **EDR Block Mode** if Microsoft Defender Antivirus is enabled on the endpoint.
> [!NOTE] > For passive mode to work on endpoints running Windows Server 2016 and Windows Server 2012 R2, those endpoints must be onboarded with the modern, unified solution described in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016).
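Review bot: The new `AMRunningMode` sentence (last added line of this hunk) lists only the values returned when Microsoft Defender Antivirus is enabled. With the sample output and the "Not Running" explanation removed, nothing tells the reader what a disabled endpoint reports. Suggest adding a short clause naming the value that the removed example showed for that case. Footnote 2 also changes from "PowerShell, Group Policy, or a registry key" to the registry key alone. If the other two methods are being dropped on purpose, a brief reason in the commit description would help anyone who followed the old GPO steps.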
Defender for Endpoint affects whether Microsoft Defender Antivirus can run in pa
| [Network protection](network-protection.md) | Yes | No | No | No | | [Attack surface reduction rules](attack-surface-reduction.md) | Yes | No | No | No | | [Limited periodic scanning availability](limited-periodic-scanning-microsoft-defender-antivirus.md) | No | No | Yes | No |
-| [File scanning and detection information](review-scan-results-microsoft-defender-antivirus.md) | Yes | Yes<sup>[[5](#fn5)]</sup> | No | Yes |
+| [File scanning and detection information](review-scan-results-microsoft-defender-antivirus.md) | Yes | Yes <sup>[[5](#fn5)]</sup> | No | Yes |
| [Threat remediation](configure-remediation-microsoft-defender-antivirus.md) | Yes | See note <sup>[[6](#fn6)]</sup> | No | Yes | | [Security intelligence updates](manage-updates-baselines-microsoft-defender-antivirus.md) | Yes | Yes <sup>[[7](#fn7)]</sup> | No | Yes <sup>[[7](#fn7)]</sup> | | [Data Loss Prevention](../../compliance/endpoint-dlp-learn-about.md) | Yes | Yes | No | No |
Defender for Endpoint affects whether Microsoft Defender Antivirus can run in pa
(<a id="fn8">8</a>) When Microsoft Defender Antivirus is in passive mode, web content filtering only works with the Microsoft Edge browser.
+> [!IMPORTANT]
+> - [Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode.
+>
+> - Don't disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+>
+> - In Defender for Endpoint, you can turn EDR in block mode on, even if Microsoft Defender Antivirus isn't your primary antivirus solution. EDR in block mode detects and remediate malicious items that are found on the device (post breach). To learn more, see [EDR in block mode](edr-in-block-mode.md).
+
+## How to confirm the state of Microsoft Defender Antivirus
+
+You can use one of several methods to confirm the state of Microsoft Defender Antivirus. You can:
+
+- [Use the Windows Security app to identify your antivirus app](#use-the-windows-security-app-to-identify-your-antivirus-app).
+- [Use Task Manager to confirm that Microsoft Defender Antivirus is running](#use-task-manager-to-confirm-that-microsoft-defender-antivirus-is-running).
+- [Use Windows PowerShell to confirm that Microsoft Defender Antivirus is running](#use-windows-powershell-to-confirm-that-microsoft-defender-antivirus-is-running).
+- [Use Windows PowerShell to confirm that antivirus protection is running](#use-windows-powershell-to-confirm-that-antivirus-protection-is-running).
+
+### Use the Windows Security app to identify your antivirus app
+
+1. On a Windows device, open the Windows Security app.
+
+2. Select **Virus & threat protection**.
+
+3. Under **Who's protecting me?** select **Manage providers**.
+
+4. On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**.
+
+### Use Task Manager to confirm that Microsoft Defender Antivirus is running
+
+1. On a Windows device, open the Task Manager app.
+
+2. Select the **Details** tab.
+
+3. Look for **MsMpEng.exe** in the list.
+
+### Use Windows PowerShell to confirm that Microsoft Defender Antivirus is running
+ > [!NOTE]
-> [Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in either active or passive mode.
+> Use this procedure only to confirm whether Microsoft Defender Antirivus is running on an endpoint.
-## Important notes
+1. On a Windows device, open Windows PowerShell.
-- Don't disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+2. Run the following PowerShell cmdlet: `Get-Process`.
-- In Defender for Endpoint, turn EDR in block mode on, even if Microsoft Defender Antivirus isn't your primary antivirus solution. EDR in block mode detects and remediate malicious items that are found on the device (post breach). To learn more, see [EDR in block mode](edr-in-block-mode.md).
+3. Review the results. You should see **MsMpEng.exe** if Microsoft Defender Antivirus is enabled.
-## How to confirm the state of Microsoft Defender Antivirus
+### Use Windows PowerShell to confirm that antivirus protection is running
-You can use one of several methods to confirm the state of Microsoft Defender Antivirus, as described in the following table:
+> [!NOTE]
+> Use this procedure only to confirm whether antivirus protection is enabled on an endpoint.
+
+1. On a Windows device, open Windows PowerShell.
+
+2. Run following PowerShell cmdlet: `Get-MpComputerStatus | select AMRunningMode`.
- | Method | Procedure |
- |:|:|
- | Windows Security app | <ol><li>On a Windows device, open the Windows Security app.</li><li>Select **Virus & threat protection**.</li><li>Under **Who's protecting me?** select **Manage providers**.</li><li>On the **Security providers** page, under **Antivirus**, you should see **Microsoft Defender Antivirus is turned on**.</li></ol> |
- | Task Manager | <ol><li>On a Windows device, open the Task Manager app.</li><li>Select the **Details** tab.</li><li>Look for **MsMpEng.exe** in the list.</li></ol> |
- | Windows PowerShell <br/> (To confirm that Microsoft Defender Antivirus is running) | <ol><li>On a Windows device, open Windows PowerShell. </li><li>Run the following PowerShell cmdlet: `Get-Process`.</li><li>Review the results. You should see **MsMpEng.exe** if Microsoft Defender Antivirus is enabled.</li></ol> |
- | Windows PowerShell <br/>(To confirm that antivirus protection is in place) | You can use the [Get-MpComputerStatus PowerShell cmdlet](/powershell/module/defender/get-mpcomputerstatus).<ol><li>On a Windows device, open Windows PowerShell.</li><li>Run following PowerShell cmdlet:<br/>`Get-MpComputerStatus | select AMRunningMode`.</li><li>Review the results. You should see either **Normal**, **Passive**, or **EDR Block Mode** if Microsoft Defender Antivirus is enabled on the endpoint. </li></ol> |
+3. Review the results. You should see **Normal**, **Passive**, or **EDR Block Mode** if antivirus protection is enabled on the endpoint.
+
+> [!NOTE]
+> Note that this procedure is only to confirm whether antivirus protection is enabled on an endpoint.
## More details about Microsoft Defender Antivirus states
-The table in this section describes various states you might see with Microsoft Defender Antivirus.
+The following sections describe what to expect when Microsoft Defender Antivirus is:
- | State | What happens |
- |:|:|
- | Active mode | In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself). |
- | Passive mode or EDR Block mode | In passive mode, Microsoft Defender Antivirus isn't used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. <p>Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) when running in EDR Block Mode, however. <p> Files are scanned by EDR, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <p> When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <p> For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <p> Note that passive mode is only supported on Windows Server 2012 R2 & 2016 when the machine is onboarded using the [modern, unified solution](/microsoft-365/security/defender-endpoint/configure-server-endpoints). |
- | Disabled or Uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus isn't used as the antivirus app. Files aren't scanned and threats aren't remediated. <p> Disabling or uninstalling Microsoft Defender Antivirus isn't recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you're using a non-Microsoft antimalware/antivirus solution. <p> In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints. <p> You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you're using a non-Microsoft antivirus app. |
+- [In active mode](#active-mode)
+- [In passive mode, or when EDR in block mode is turned on](#passive-mode-or-edr-block-mode)
+- [Disabled or uninstalled](#disabled-or-uninstalled)
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+### Active mode
+
+In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as in the Microsoft Endpoint Manager admin center or the Microsoft Defender Antivirus app on the endpoint).
+
+### Passive mode or EDR Block mode
+
+In passive mode, Microsoft Defender Antivirus isn't used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. However, threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md). Files are scanned by EDR, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
+
+When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware.
+
+**Make sure to get your antivirus and antimalware updates, even if Microsoft Defender Antivirus is running in passive mode**. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).<br/><br/>Note that passive mode is only supported on Windows Server 2012 R2 & 2016 when the machine is onboarded using the [modern, unified solution](/microsoft-365/security/defender-endpoint/configure-server-endpoints).
+
+### Disabled or uninstalled
+
+When disabled or uninstalled, Microsoft Defender Antivirus isn't used as the antivirus app. Files aren't scanned and threats aren't remediated. Disabling or uninstalling Microsoft Defender Antivirus isn't recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you're using a non-Microsoft antimalware/antivirus solution.
+
+In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires, is uninstalled, or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints.
+
+You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you're using a non-Microsoft antivirus app. |
+
+## What about non-Windows devices?
+
+ If you're looking for Antivirus related information for other platforms, see:
+
+- [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
+- [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
+- [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
+- [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
+- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
+- [Configure Defender for Endpoint on Android features](android-configure.md)
+- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
## See also
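Review bot: Several leftovers from the table-to-section conversion remain in the added lines. The last paragraph under "Disabled or uninstalled" still ends with a stray table pipe ("non-Microsoft antivirus app. |"). The passive-mode paragraph keeps `<br/><br/>` before "Note that passive mode is only supported". The NOTE under "Use Windows PowerShell to confirm that antivirus protection is running" appears twice, before step 1 and again after step 3. Also fix "Antirivus" in the NOTE above the `Get-Process` steps and "Run following" in step 2 of the last procedure. In the `Get-Process` procedure, the process list shows the name without its extension, so "You should see **MsMpEng**" (or running `Get-Process -Name MsMpEng`) would match what the reader actually sees.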
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-threat-experts.md
Title: Microsoft Threat Experts
-description: Microsoft Threat Experts provides an additional layer of expertise to Microsoft Defender for Endpoint.
-keywords: managed threat hunting service, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts, MTE-TAN, targeted attack notification, Targeted Attack Notification
+description: Microsoft Threat Experts provides an extra layer of expertise to Microsoft Defender for Endpoint.
+keywords: managed threat hunting service, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts, endpoint attack notification, Endpoint Attack Notification
search.product: Windows 10 ms.prod: m365-security ms.mktglfcycl: deploy
ms.technology: mde
Microsoft Threat Experts is a managed threat hunting service that provides your Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in your unique environments don't get missed.
-This managed threat hunting service provides expert-driven insights and data through these two capabilities: targeted attack notification and access to experts on demand.
+This managed threat hunting service provides expert-driven insights and data through these two capabilities: endpoint attack notification and access to experts on demand.
Watch this video to learn how Microsoft Threat Experts provides Security Operation Centers (SOCs) with expert-level monitoring and analysis and ensures that no critical threat is missed. > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qZ0B]
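Review bot: The keywords line drops "MTE-TAN", "targeted attack notification" and "Targeted Attack Notification" outright, and the renamed sentence ("endpoint attack notification and access to experts on demand") never says what the capability used to be called, so a reader searching on the old name has nothing to match. Keep the old terms in the keywords next to the new ones, and add a "previously referred to as" phrase where the capability is first named.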
Watch this video to learn how Microsoft Threat Experts provides Security Operati
> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service. > Threat Experts is not currently available in the Microsoft 365 for U.S. Government clouds.
-If you're a Microsoft Defender for Endpoint customer, you need to apply for **Microsoft Threat Experts - Targeted Attack Notifications** to get special insights and analysis that help identify the most critical threats in your environment so you can respond to them quickly.
+If you're a Microsoft Defender for Endpoint customer, you need to apply for **Endpoint Attack Notifications** to get special insights and analysis that help identify the most critical threats in your environment so you can respond to them quickly.
-To enroll to Microsoft Threat Experts - Targeted Attack Notifications benefits, go to **Settings** \> **Endpoints** \> **General** \> **Advanced features** \> **Microsoft Threat Experts - Targeted Attack Notifications** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications.
+To enroll to Endpoint Attack Notifications benefits, go to **Settings** \> **Endpoints** \> **General** \> **Advanced features** \> **Endpoint Attack Notifications** to apply. Once accepted, you'll get the benefits of Endpoint Attack Notifications.
Contact your account team or Microsoft representative to subscribe to **Microsoft Threat Experts - Experts on Demand** to consult with our threat experts on relevant detections and adversaries that your organization is facing. See [Configure Microsoft Threat Experts capabilities](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts#before-you-begin) for details.
-## Microsoft Threat Experts - Targeted attack notification
+## Endpoint attack notification
-Microsoft Threat Experts - Targeted attack notification provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyber-espionage. These notifications show up as a new alert. The managed hunting service includes:
+Endpoint attack notification provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyber-espionage. These notifications show up as a new alert. The managed hunting service includes:
- Threat monitoring and analysis, reducing dwell time and risk to the business - Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks
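Review bot: The new name is written two ways in these lines, "**Endpoint Attack Notifications**" (plural, title case) in the apply and enroll paragraphs and "Endpoint attack notification" (singular, sentence case) in the heading and the sentence under it; pick one form and use it throughout. "To enroll to Endpoint Attack Notifications benefits" was carried over from the old wording and should read "To enroll in Endpoint Attack Notifications". Renaming the heading also changes its anchor, so check inbound links to the old section.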
Microsoft Threat Experts - Targeted attack notification provides proactive hunti
## Microsoft Threat Experts - Experts on Demand
-Customers can engage our security experts directly from within Microsoft 365 Defender portal to get their response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:
+Customers can engage our security experts directly from within Microsoft 365 Defender portal to get their response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to more threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:
-- Get additional clarification on alerts including root cause or scope of the incident
+- Get more clarification on alerts including root cause or scope of the incident
- Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker - Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques
Watch this video for a quick overview of the Microsoft Services Hub.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f]
-## Related topic
+## See also
- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
To configure attack surface reduction in your environment, follow these steps:
1. [Enable hardware-based isolation for Microsoft Edge](/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
-2. Enable application control.
+2. [Enable attack surface reduction rules](attack-surface-reduction-rules-deployment.md)
+
+3. Enable application control.
1. Review base policies in Windows. See [Example Base Policies](/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies). 2. See the [Windows Defender Application Control design guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide). 3. Refer to [Deploying Windows Defender Application Control (WDAC) policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
-3. [Enable controlled folder access](enable-controlled-folders.md).
+4. [Enable controlled folder access](enable-controlled-folders.md).
+
+5. [Removable Storage Protection](device-control-removable-storage-protection.md)
-4. [Turn on Network protection](enable-network-protection.md).
+6. [Turn on Network protection](enable-network-protection.md).
-5. [Enable exploit protection](enable-exploit-protection.md).
+7. Enable [Web protection overview](web-protection-overview.md)
-6. [Deploy attack surface reduction rules](attack-surface-reduction-rules-deployment.md).
+8. [Enable exploit protection](enable-exploit-protection.md).
-7. Set up your network firewall.
+9. Set up your network firewall.
1. Get an overview of [Windows Defender Firewall with advanced security](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). 2. Use the [Windows Defender Firewall design guide](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide) to decide how you want to design your firewall policies.
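Review bot: Step 7, "Enable [Web protection overview](web-protection-overview.md)", reads as an instruction to enable an overview because the link text is the article title; write it as "[Enable web protection](web-protection-overview.md)." to match the other steps. Step 5, "[Removable Storage Protection]", is the only step without a verb, and the new steps 2, 5 and 7 drop the trailing period that the existing steps keep. Blank lines are added after steps 2 and 4 only; make the spacing between steps consistent.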
As mentioned in the video, Defender for Endpoint includes several attack surface
| [Network protection](network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus). | | [Exploit protection](exploit-protection.md) | Help protect the operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. | | [Device control](device-control-report.md) | Protects against data loss by monitoring and controlling media used on devices, such as removable storage and USB drives, in your organization. |
-| [Attack surface reduction (ASR) rules deployment guide](attack-surface-reduction-rules-deployment.md) | Presents overview information and prerequisites for deploying attack surface reduction rules. |
+| [Attack surface reduction (ASR) rules deployment guide](attack-surface-reduction-rules-deployment.md) | Presents overview information and prerequisites for deploying attack surface reduction rules, followed by step-by-step guidance for testing, enabling and monitoring. |
| [Plan attack surface reduction (ASR) rules deployment](attack-surface-reduction-rules-deployment-plan.md) | Lists the recommended steps for attack surface reduction rules deployment. | | [Test attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-test.md) | Provides steps to use audit mode to test attack surface reduction rules. | | [Enable attack surface reduction (ASR) rules](attack-surface-reduction-rules-deployment-implement.md) | Shows the steps to transition attack surface reduction rules from test (audit) mode to the active, enabled (Block) mode. |
security Tvm Manage Log4shell Guidance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-manage-Log4shell-guidance.md
+
+ Title: Learn how to mitigate the Log4Shell vulnerability in Microsoft Defender for Endpoint - threat and vulnerability management
+description: Learn how to mitigate the Log4Shell vulnerability in Microsoft Defender for Endpoint
+keywords: tvm, lo4j
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+- m365-initiative-defender-endpoint
++
+ms.technology: m365d
++
+# Learn how to manage the Log4Shell vulnerability in Microsoft Defender for Endpoint
+
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Threat and vulnerability management](defender-vulnerability-management.md)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+The Log4Shell vulnerability is a remote code execution (RCE) vulnerability found in the Apache Log4j 2 logging library. As Apache Log4j 2 is commonly used by many software applications and online services, it represents a complex and high-risk situation for companies across the globe. Referred to as "Log4Shell" ([CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228), [CVE-2021-45046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046) ) it introduces a new attack vector that attackers can exploit to extract data and deploy ransomware in an organization.
+
+> [!NOTE]
+> Refer to the blogs [Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability and](https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/) [Microsoft Security Response Center](https://msrc-blog.microsoft.com/2021/12/11/microsofts-response-to-cve-2021-44228-apache-log4j2/) for guidance and technical information about the vulnerability and product specific mitigation recommendations to protect your organization.
+
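Review bot: The first CVE link in the introduction points at `cvename.cgi?name=2021-44228`, without the `CVE-` prefix that the CVE-2021-45046 link beside it carries; it should be `name=CVE-2021-44228`. In the NOTE, the word "and" sits inside the first link's text ("...of the Log4j 2 vulnerability and"); move it outside the brackets. In the front matter, `keywords: tvm, lo4j` should be log4j, the Title says "mitigate" where the H1 says "manage", and the bare `++` lines carry no key or value and should be removed or restored.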
+## Overview of discovery, monitoring and mitigation capabilities
+
+Threat and vulnerability management provides you with the following capabilities to help you identify, monitor, and mitigate your organizational exposure to the Log4Shell vulnerability:
+
+- **Discovery**: Detection of exposed devices, both Microsoft Defender for Endpoint onboarded devices as well as devices that have been discovered but are not yet onboarded, is based on vulnerable software and vulnerable files detected on disk.
+- **Threat awareness:** A consolidated view to assess your organizational exposure. This view shows your exposure at the device level and software level, and provides access to details on vulnerable files like, the last time it was seen, the last time it was executed and the last time it was executed with open ports. You can use this information to prioritize your remediation actions. It can take up to 24 hours for data related to exposed devices to appear on the dashboard.
+- **Mitigation options:** Apply mitigation options to help lower your exposure risk.
+- **Advanced hunting:** Use advanced hunting to return details for vulnerable log4j files identified on disk.
+
+> [!NOTE]
+> These capabilities are supported on Windows 10 & Windows 11, Windows Server, Linux and macOS.
+>
+> Support on Linux requires Microsoft Defender for Endpoint Linux client version 101.52.57 (30.121092.15257.0) or later.
+>
+> Support on macOS requires Microsoft Defender for Endpoint macOS client version 20.121111.15416.0 or later.
+>
+>For more information on supported versions, see [Supported operating systems platforms and capabilities](tvm-supported-os.md).
+
+## Exposed devices discovery
+
+Embedded threat and vulnerability management capabilities, along with enabling Log4j detection, in the Microsoft 365 Defender portal, will help you discover devices exposed to the Log4Shell vulnerability.
+
+Onboarded devices, are assessed using existing embedded threat and vulnerability management capabilities that can discover vulnerable software and files.
+
+For detection on discovered but not yet onboarded devices, Log4j detection must be enabled. This will initiate probes in the same way device discovery actively probes your network. This includes probing from multiple onboarded endpoints (Windows 10+ and Windows Server 2019+ devices) and only probing within subnets, to detect devices that are vulnerable and remotely exposed to CVE-2021-44228.
+
+To enable Log4 detection:
+
+1. Go to **Settings** > **Device discovery** > **Discovery setup**.
+2. Select **Enable Log4j2 detection (CVE-2021-44228)**.
+3. Select **Save**.
++
+Running these probes will trigger the standard Log4j flow without causing any harmful impact on either the device being probed or the probing device. The probing itself is done by sending multiple HTTP requests to discovered devices, targeting common web application ports (for example - 80,8000,8080,443,8443) and URLs. The request contains HTTP headers with a JNDI payload that triggers a DNS request from the probed machine.
+
+For example, User-Agent: ${jndi:dns://192.168.1.3:5353/MDEDiscoveryUser-Agent} where 192.168.1.3 is the IP of the probing machine.
+
+> [!NOTE]
+> Enabling Log4j2 detection also means onboarded devices will use self-probing to detect local vulnerabilities.
+
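Review bot: The example header after "For example," is plain prose, so the `${jndi:...}` string is subject to markdown processing and is easy to mis-copy; put the whole `User-Agent:` line in inline code or a fenced block. "To enable Log4 detection:" should read "Log4j2 detection" to match the setting name in step 2, and the port list "(for example - 80,8000,8080,443,8443)" needs spaces after the commas. "Onboarded devices, are assessed" has a stray comma.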
+## Vulnerable software and files detection
+
+Threat and vulnerability management provides layers of detection to help you discover:
+
+- **Vulnerable software**: Discovery is based on installed application Common Platform Enumerations (CPE) that are known to be vulnerable to Log4j remote code execution.
+- **Vulnerable files:** Both files in memory and files in the file system are assessed. These files can be Log4j-core jar files with the known vulnerable version or an Uber-JAR that contains either a vulnerable jndi lookup class or a vulnerable log4j-core file. Specifically, it:
+
+ - determines if a JAR file contains a vulnerable Log4j file by examining JAR files and searching for the following file:
+ \\META-INF\\maven\\org.apache.logging.log4j\\log4j-core\\pom.properties - if this file exists, the Log4j version is read and extracted.
+ - searches for the JndiLookup.class file inside the JAR file by looking for paths that contain the string "/log4j/core/lookup/JndiLookup.class" - if the JndiLookup.class file exists, threat and vulnerability management determines if this JAR contains a Log4j file with the version defined in pom.properties.
+ - searches for any vulnerable Log4j-core JAR files embedded within a nested-JAR by searching for paths that contain any of these strings:
+ - lib/log4j-core-
+ - WEB-INF/lib/log4j-core-
+ - App-INF/lib/log4j-core-
+
+This table describes the search capabilities supported platforms and versions:
+
+|Capability|File Type|Windows10+,<br>server2019+|Server 2012R2,<br>server2016|Server 2008R2|Linux + macOS|
+|:|:|:|:|:|:|
+|Search In Memory | Log4j-core | Yes |Yes<sup>[1]| - | Yes |
+| |Uber-JARs | Yes |Yes<sup>[1]| - | Yes |
+| Search all files on disk |Log4j-core | Yes |Yes<sup>[1]| Yes | - |
+| | Uber-JARs|Yes |Yes<sup>[1]| - | -|
+
+(1) Capabilities are available when [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac) is installed on Windows Server 2012 R2 and 2016.
+
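Review bot: The table's delimiter row is written as `|:|:|:|:|:|:|`, with no dashes, so as written standard markdown will not parse the block as a table; use `|:---|:---|` style cells. Each `<sup>[1]` is never closed with `</sup>`, and the footnote below is labelled "(1)" rather than "[1]". The sentence "This table describes the search capabilities supported platforms and versions" is missing a word, and the header cells mix "Windows10+", "server2019+" and "Server 2012R2" spacing and casing. In the list above the table, the `pom.properties` path uses doubled backslashes while the other paths use forward slashes; format all of them as code with one separator style.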
+## Learn about your Log4Shell exposure and mitigation options
+
+1. In the Microsoft 365 Defender portal, go to **Vulnerability management** > **Weaknesses**.
+2. Select **CVE-2021-44228**.
+3. Select **Open vulnerability page**.
+++
+### Log4Shell vulnerability mitigation
+
+The log4Shell vulnerability can be mitigated by preventing JNDI lookups on Log4j versions 2.10 - 2.14.1 with default configurations. To create this mitigation action, from the **Threat awareness dashboard**:
+
+1. Select **View vulnerability details**.
+2. Select **Mitigation options**.
+
+You can choose to apply the mitigation to all exposed devices or select specific onboarded devices. To complete the process and apply the mitigation on devices, select **Create mitigation action**.
++
+### Mitigation status
+
+The mitigation status indicates whether the workaround mitigation to disable JDNI lookups has been applied to the device. You can view the mitigation status for each affected device in the Exposed devices tabs. This can help prioritize mitigation and/or patching of devices based on their mitigation status.
++
+The table below lists the potential mitigation statuses:
+
+| Mitigation status | Description |
+|:|:|
+| Workaround applied | _Windows_: The LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable was observed before latest device reboot. <br/><br/> _Linux + macOS_: All running processes have LOG4J_FORMAT_MSG_NO_LOOKUPS=true in its environment variables. |
+| Workaround pending reboot | The LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable is set, but no following reboot detected. |
+| Not applied | _Windows_: The LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable was not observed. <br/><br/> _Linux + macOS_: Not all running processes have LOG4J_FORMAT_MSG_NO_LOOKUPS=true in its environment variables, and mitigation action was not applied on device. |
+| Partially mitigated | _Linux + macOS_: Although mitigation action was applied on device, not all running processes have LOG4J_FORMAT_MSG_NO_LOOKUPS=true in its environment variables. |
+|Not applicable | Devices that have vulnerable files that are not in the version range of the mitigation. |
+|Unknown | The mitigation status couldn't be determined at this time. |
+
+> [!NOTE]
+> It may take a few hours for the updated mitigation status of a device to be reflected.
+
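Review bot: "disable JDNI lookups" under Mitigation status is a typo for JNDI, and the mitigation section opens with "The log4Shell vulnerability" where the rest of the article writes Log4Shell. The status table has the same dash-less `|:|:|` delimiter row as the earlier table. In the descriptions, "All running processes have ... in its environment variables" should be "their", and the Windows rows say the variable "was observed" without the `=true` value that the Linux + macOS rows spell out; state whether the value is checked on Windows as well.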
+### Revert mitigations applied for the Log4Shell vulnerability
+
+In cases where the mitigation needs to be reverted, follow these steps:
+
+**_For Windows:_**
+
+1. Open an elevated PowerShell window.
+2. Run the following command:
+
+ ```Powershell
+ [Environment]::SetEnvironmentVariable("LOG4J\_FORMAT\_MSG\_NO\_LOOKUPS", $null,[EnvironmentVariableTarget]::Machine)
+```
+
+The change will take effect after the device restarts.
+
+**_For Linux:_**
+
+1. Open the file /etc/environment and delete the line LOG4J\_FORMAT\_MSG\_NO\_LOOKUPS=true
+2. Delete the file /etc/systemd/system.conf.d/log4j\_disable\_jndi\_lookups.conf
+3. Delete the file /etc/systemd/user.conf.d/log4j\_disable\_jndi\_lookups.conf
+
+The change will take effect after the device restarts.
+
+**_For macOS:_**
+
+Remove the file setenv.LOG4J\_FORMAT\_MSG\_NO\_LOOKUPS.plist from the following folders:
+
+- */Library/LaunchDaemons/*
+- */Library/LaunchAgents/*
+- */Users/\[username\]/Library/LaunchAgents/ - for all users*
+
+The change will take effect after the device restarts.
+
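Review bot: Inside the PowerShell fence the variable name is written with markdown escapes, `"LOG4J\_FORMAT\_MSG\_NO\_LOOKUPS"`; in a code block the backslashes are literal, so the command as shown targets a differently named variable and leaves LOG4J_FORMAT_MSG_NO_LOOKUPS set. Remove the backslashes there. The opening fence is indented and the closing fence is not, so align them, and put the Linux and macOS file names and paths in inline code, which removes the need for the `\_` and `\[username\]` escapes.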
+### Apache Log4j security recommendations
+
+To see active security recommendation related to Apache log4j, select the **Security recommendations** tab from the vulnerability details page. In this example, if you select **Update Apache Log4j** you'll see another flyout with more information:
++
+Select **Request remediation** to create a remediation request.
+
+## Explore the vulnerability in the Microsoft 365 Defender portal
+
+Once exposed devices, files and software are found, relevant information will also be conveyed through the following experiences in the Microsoft 365 Defender portal:
+
+### Software inventory
+
+ On the software inventory page, search for **CVE-2021-44228** to see details about the Log4j software installations and exposure:
++
+### Weaknesses
+
+On the weaknesses page, search for **CVE-2021-44228** to see information about the Log4Shell vulnerability:
++
+## Use advanced hunting
+
+You can use the following advanced hunting query to identify vulnerabilities in installed software on devices:
+
+ ```text
+ DeviceTvmSoftwareVulnerabilities
+ | where CveId in ("CVE-2021-44228", "CVE-2021-45046")
+ ```
+
+You can use the following advanced hunting query to identify vulnerabilities in installed software on devices to surface file-level findings from the disk:
+
+ ```text
+ DeviceTvmSoftwareEvidenceBeta
+ | mv-expand DiskPaths
+ | where DiskPaths contains "log4j"
+ | project DeviceId, SoftwareName, SoftwareVendor, SoftwareVersion, DiskPaths
+ ```
+
+## Related articles
+
+- [Threat and vulnerability management overview](http://next-gen-threat-and-vuln-mgt.md)
+- [Security recommendations](tvm-security-recommendation.md)
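Review bot: The lead-in to the second query, "identify vulnerabilities in installed software on devices to surface file-level findings from the disk", repeats the first query's lead-in and then appends a second purpose; reword it to say only that the query surfaces file-level findings on disk. `where DiskPaths contains "log4j"` matches any path containing that substring, including Log4j 1.x and unrelated files, so say so in the text or narrow the filter to the `log4j-core` names listed under vulnerable files. In Related articles, `http://next-gen-threat-and-vuln-mgt.md` puts an `http://` scheme on what is a relative file name, so the link resolves to a host and not to the article.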
security Eval Create Eval Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-create-eval-environment.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Endpoint Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-architecture.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Endpoint Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-enable-eval.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Endpoint Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-overview.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Endpoint Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-pilot.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Identity Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-architecture.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Identity Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-enable-eval.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Identity Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-overview.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Identity Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-pilot.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Investigate Respond Additional https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-additional.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Investigate Respond Simulate Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack.md
- M365-security-compliance - m365solution-scenario - m365solution-pilotmtpproject
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Investigate Respond https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Mcas Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-architecture.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Mcas Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-enable-eval.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Mcas Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-overview.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Mcas Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-pilot.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Office 365 Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-architecture.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Office 365 Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-enable-eval.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Office 365 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-overview.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Defender Office 365 Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-pilot.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
- -
+ - zerotrust-solution
+ ms.technology: m365d
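Review bot: Unlike the sibling eval articles, where `ms.technology: m365d` is an unchanged line, this file re-adds it as `+ ms.technology: m365d` with a leading space directly after the new `zerotrust-solution` entry, and removes a line holding a bare `-`. Check the resulting front matter: if the key ends up indented under the list above it, it will no longer be read as a top-level key.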
security Eval Defender Promote To Production https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-promote-to-production.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Eval Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-overview.md
- M365-security-compliance - m365solution-overview - m365solution-evalutatemtp
+ - zerotrust-solution
ms.technology: m365d
security Microsoft Secure Score Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-whats-new.md
Microsoft Secure Score can be found at https://security.microsoft.com/securescor
## June 2022 -- New Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management recommendations are now available as a Secure Score improvement actions:
+- New Microsoft Defender for Endpoint and Microsoft Defender Vulnerability Management recommendations are now available as Secure Score improvement actions:
- Disallow offline access to shares - Remove share write permission set to **Everyone**
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-threat-experts.md
[!INCLUDE [Prerelease](../includes/prerelease.md)]
-Microsoft Threat Experts - Targeted Attack Notifications is a managed threat hunting service. Once you apply and are accepted, you'll receive targeted attack notifications from Microsoft threat experts, so you won't miss critical threats to your environment. These notifications will help you protect your organization's endpoints, email, and identities.
+Endpoint Attack Notifications (previously referred to as Microsoft Threat Experts - Targeted Attack Notification) is a managed threat hunting service. Once you apply and are accepted, you'll receive endpoint attack notifications from Microsoft threat experts, so you won't miss critical threats to your environment. These notifications will help you protect your organization's endpoints, email, and identities.
Microsoft Threat Experts ΓÇô Experts on Demand lets you get expert advice about threats your organization is facing. You can reach out for help on threats your organization is facing. It's available as a subscription service.
-## Apply for Microsoft Threat Experts ΓÇô Targeted Attack Notifications
+## Apply for Endpoint Attack Notifications
> [!IMPORTANT]
-> Before you apply, make sure to discuss the eligibility requirements for Microsoft Threat Experts ΓÇô Targeted Attack Notifications with your Microsoft Technical Service provider and account team.
+> Before you apply, make sure to discuss the eligibility requirements for Endpoint Attack Notifications with your Microsoft Technical Service provider and account team.
-If you already have Microsoft Defender for Endpoint and Microsoft 365 Defender, you can apply for Microsoft Threat Experts ΓÇô Targeted Attack Notifications through their Microsoft 365 Defender portal. Go to **Settings > Endpoints > General > Advanced features > Microsoft Threat Experts ΓÇô Targeted Attack Notifications**, and select **Apply**. See [Configure Microsoft Threat Experts capabilities](./configure-microsoft-threat-experts.md) for a full description.
+If you already have Microsoft Defender for Endpoint and Microsoft 365 Defender, you can apply for Endpoint Attack Notifications through their Microsoft 365 Defender portal. Go to **Settings > Endpoints > General > Advanced features > Endpoint Attack Notifications**, and select **Apply**. See [Configure Microsoft Threat Experts capabilities](./configure-microsoft-threat-experts.md) for a full description.
:::image type="content" source="../../media/mte/mte-collaboratewithmte.png" alt-text="The Advanced features option on the left-navigation pane of the Endpoints page in the Microsoft 365 Defender portal" lightbox="../../media/mte/mte-collaboratewithmte.png":::
-Once your application is approved, you'll start receiving targeted attack notifications whenever Threat Experts detect a threat to your environment.
+Once your application is approved, you'll start receiving endpoint attack notifications whenever Threat Experts detect a threat to your environment.
## Subscribe to Microsoft Threat Experts - Experts on Demand Contact your Microsoft representative to subscribe to Experts on Demand. See [Configure Microsoft Threat Experts capabilities](./configure-microsoft-threat-experts.md) for full details.
-## Receive targeted attack notification
+## Receive endpoint attack notification
-The Microsoft Threat Experts ΓÇô Targeted Attack Notification capability provides proactive hunting for the most important threats to your network. Our threat experts hunt for human adversary intrusions, hands-on-keyboard attacks, and advanced attacks, such as cyberespionage. These notifications will show up as a new alert. The managed hunting service includes:
+The Endpoint Attack Notification capability provides proactive hunting for the most important threats to your network. Our threat experts hunt for human adversary intrusions, hands-on-keyboard attacks, and advanced attacks, such as cyberespionage. These notifications will show up as a new alert. The managed hunting service includes:
- Threat monitoring and analysis, reducing dwell time and the risk to your business - Hunter-trained artificial intelligence to discover and target both known attacks and emerging threats
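Review bot: The renamed feature is spelled inconsistently in the added lines: "Endpoint Attack Notifications" (plural) in the introduction, the "Apply for Endpoint Attack Notifications" heading and the navigation path, but "Receive endpoint attack notification" (singular) in the last heading and "The Endpoint Attack Notification capability" in the paragraph under it. Use the plural product name in both places so it matches the setting name given under **Advanced features**. The apply paragraph also carries over "through their Microsoft 365 Defender portal" from the old text; "the Microsoft 365 Defender portal" agrees with the "you" that the sentence starts with.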
security Identity Access Policies Guest Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies-guest-access.md
- M365-security-compliance - m365solution-identitydevice - m365solution-scenario
+ - zerotrust-solution
ms.technology: mdo
security Identity Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md
- remotework - m365solution-identitydevice - m365solution-scenario
+ - zerotrust-solution
ms.technology: mdo
security Identity Access Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-prerequisites.md
- M365-security-compliance - m365solution-identitydevice - m365solution-scenario
+ - zerotrust-solution
ms.technology: mdo
security Learn About Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md
The rest of this article explains how to use the spoof intelligence insight in t
> > - The spoof intelligence insight and the **Spoof** tab in the Tenant Allow/Block list replace the functionality of the spoof intelligence policy that was available on the anti-spam policy page in the Security & Compliance Center. >
->- The spoof intelligence insight shows 7 days worth of data. The **Get-SpoofIntelligenceInsight** cmdlet shows 30 days worth of data.
+> - The spoof intelligence insight shows 7 days worth of data. The **Get-SpoofIntelligenceInsight** cmdlet shows 30 days worth of data.
+>
+> - The latest available data is 3 to 4 days old.
## What do you need to know before you begin?
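Review bot: The added bullet "The latest available data is 3 to 4 days old" does not say which view it applies to. The bullet above it separates the insight (7 days) from the **Get-SpoofIntelligenceInsight** cmdlet (30 days), so state whether the 3 to 4 day lag applies to the insight, the cmdlet, or both. Since the line is being touched anyway, "7 days worth" and "30 days worth" should read "7 days' worth" and "30 days' worth".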
The rest of this article explains how to use the spoof intelligence insight in t
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell). - You need to be assigned permissions in **Exchange Online** before you can do the procedures in this article:
- - To modify the spoof intelligence policy or enable or disable spoof intelligence, you need to be a member of
- - **Organization Management**
- - **Security Administrator** <u>and</u> **View-Only Configuration** or **View-Only Organization Management**.
+ - To modify the spoof intelligence policy or enable or disable spoof intelligence, you need to be a member of one of the following role groups:
+ - **Organization Management**
+ - **Security Administrator** <u>and</u> **View-Only Configuration** or **View-Only Organization Management**.
- For read-only access to the spoof intelligence policy, you need to be a member of the **Global Reader** or **Security Reader** role groups. For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo).
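Review bot: The second sub-bullet under the new "one of the following role groups" lead-in is a combination, not a single role group, and its grouping is ambiguous: "**Security Administrator** <u>and</u> **View-Only Configuration** or **View-Only Organization Management**" can be read as Security Administrator plus either view-only group, or as (Security Administrator and View-Only Configuration) or View-Only Organization Management alone. Because this line decides who may modify or disable spoof intelligence, spell out the intended reading, for example "**Security Administrator** and one of **View-Only Configuration** or **View-Only Organization Management**", and reword the lead-in to "one of the following role groups or combinations".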
security Mcas Saas Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mcas-saas-access-policies.md
- M365-identity-device-management - M365-security-compliance
+- zerotrust-solution
ms.prod: m365-security
security Microsoft 365 Policies Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
- m365solution-identitydevice - m365solution-overview - m365solution-zero-trust
+ - zerotrust-solution
ms.technology: mdo # Zero Trust identity and device access configurations
security Permissions In The Security And Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md
To see how to grant access to the Security & Compliance Center, check out [Give
|**Information Protection Admins**|Create, edit, and delete DLP policies, sensitivity labels and their policies, and all classifier types. Manage endpoint DLP settings and simulation mode for auto-labeling policies.|Information Protection Admin| |**Information Protection Analysts**|Access and manage DLP alerts and activity explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification List Viewer <br/><br/> Information Protection Analyst| |**Information Protection Investigators**|Access and manage DLP alerts, activity explorer, and content explorer. View-only access to DLP policies, sensitivity labels and their policies, and all classifier types.|Data Classification Content Viewer <br/><br/> Information Protection Analyst <br/><br/> Information Protection Investigator|
-|**Information Protection Readers**|View-only access to reports for DLP polcies and sensitivity labels and their policies.|Information Protection Reader|
+|**Information Protection Readers**|View-only access to reports for DLP policies and sensitivity labels and their policies.|Information Protection Reader|
|**Insider Risk Management**|Use this role group to manage insider risk management for your organization in a single group. By adding all user accounts for designated administrators, analysts, and investigators, you can configure insider risk management permissions in a single group. This role group contains all the insider risk management permission roles. This is the easiest way to quickly get started with insider risk management and is a good fit for organizations that do not need separate permissions defined for separate groups of users.|Case Management <br/><br/> Data Connector Admin <br/><br/> Insider Risk Management Admin <br/><br/> Insider Risk Management Analysis <br/><br/> Insider Risk Management Audit <br/><br/> Insider Risk Management Investigation <br/><br/> Insider Risk Management Sessions <br/><br/> View-Only Case| |**Insider Risk Management Admins**|Use this role group to initially configure insider risk management and later to segregate insider risk administrators into a defined group. Users in this role group can create, read, update, and delete insider risk management policies, global settings, and role group assignments.|Case Management <br/><br/> Data Connector Admin <br/><br/> Insider Risk Management Admin <br/><br/> View-Only Case| |**Insider Risk Management Analysts**|Use this group to assign permissions to users that will act as insider risk case analysts. Users in this role group can access all insider risk management alerts, cases, and notices templates. They cannot access the insider risk Content Explorer.|Case Management <br/><br/> Insider Risk Management Analysis <br/><br/> View-Only Case|
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
In PowerShell, you use the [Set-AtpPolicyForO365](/powershell/module/exchange/se
|Security feature name|Default|Built-in protection|Comment| ||::|::|| |**Block the following URLs** <p> _ExcludedUrls_|Blank <p> `$null`|Blank <p> `$null`|We have no specific recommendation for this setting. <p> For more information, see ["Block the following URLs" list for Safe Links](safe-links.md#block-the-following-urls-list-for-safe-links). <p> **Note**: You can now manage block URL entries in the [Tenant Allow/Block List](allow-block-urls.md#create-block-url-entries-in-the-tenant-allowblock-list). The "Block the following URLs" list is in the process of being deprecated. We'll attempt to migrate existing entries from the "Block the following URLs" list to block URL entries in the Tenant Allow/Block List. Messages containing the blocked URL will be quarantined.|
-|**Use Safe Links in Office 365 apps** <p> _EnableSafeLinksForO365Clients_|On <p> `$true`|On <p> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).|
-|**Do not track when users click protected links in Office 365 apps** <p> _TrackClicks_|On <p> `$false`|Off <p> `$true`|Turning off this setting (setting _TrackClicks_ to `$true`) tracks user clicks in supported Office 365 apps.|
-|**Do not let users click through to the original URL in Office 365 apps** <p> _AllowClickThrough_|On <p> `$false`|On <p> `$false`|Turning on this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL in supported Office 365 apps.|
#### Safe Links policy settings
In PowerShell, you use the [New-SafeLinksPolicy](/powershell/module/exchange/new
|**Do not rewrite the following URLs in email** <p> _DoNotRewriteUrls_|Not selected <p> blank|Not selected <p> blank|Not selected <p> blank|Not selected <p> blank|We have no specific recommendation for this setting. <p> **Note**: The purpose of the "Do not rewrite the following URLs" list is to skip the Safe Links wrapping of the specified URLs. Instead of using this list, you can now [create allow URL entries in the Tenant Allow/Block List](allow-block-urls.md#create-allow-url-entries).| |**Action for potentially malicious URLs in Microsoft Teams**|||||| |**On: Safe Links checks a list of known, malicious links when users click links in Microsoft Teams** <p> _EnableSafeLinksForTeams_|Not selected <p> `$false`|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`||
+|**Use Safe Links in Office 365 apps** <p> _EnableSafeLinksForO365Clients_|On <p> `$true`|On <p> `$true`|Use Safe Links in supported Office 365 desktop and mobile (iOS and Android) apps. For more information, see [Safe Links settings for Office 365 apps](safe-links.md#safe-links-settings-for-office-365-apps).|
+|**Do not track when users click protected links in Office 365 apps** <p> _TrackClicks_|On <p> `$false`|Off <p> `$true`|Turning off this setting (setting _TrackClicks_ to `$true`) tracks user clicks in supported Office 365 apps.|
+|**Do not let users click through to the original URL in Office 365 apps** <p> _AllowClickThrough_|On <p> `$false`|On <p> `$false`|Turning on this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL in supported Office 365 apps.|
|**Click protection settings**|||||| |**Track user clicks** <p> _TrackUserClicks_|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|Selected <p> `$true`|| |**Let users click through to the original URL** <p> _AllowClickThrough_|Selected <p> `$true`|Selected <p> `$true`|Not selected <p> `$false`|Not selected <p> `$false`|Turning off this setting (setting _AllowClickThrough_ to `$false`) prevents click through to the original URL.|
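Review bot: The three rows moved into the Safe Links policy table (_EnableSafeLinksForO365Clients_, _TrackClicks_, _AllowClickThrough_) still have the four-cell shape of the table they came from (name, two values, comment), while the neighbouring rows here have six cells (name, four values, comment). As written the comment text lands in a value column and the remaining profile values are missing, so add the two missing value cells to each moved row. After the move, _AllowClickThrough_ also appears twice in the same table with opposite wording and values: "Do not let users click through to the original URL in Office 365 apps" at `$false` and "Let users click through to the original URL" at `$true`/`$false`. Merge the rows or state which scope each one covers, otherwise a reader cannot tell which value the policy parameter should have.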
security Secure Email Recommended Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-email-recommended-policies.md
- remotework - m365solution-identitydevice - m365solution-scenario
+ - zerotrust-solution
ms.technology: mdo
security Sharepoint File Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/sharepoint-file-access-policies.md
- M365-security-compliance - m365solution-identitydevice - m365solution-scenario
+ - zerotrust-solution
ms.technology: mdo
security Teams Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/teams-access-policies.md
- M365-security-compliance - m365solution-identitydevice - m365solution-scenario
+ - zerotrust-solution
ms.technology: mdo
solutions Collaborate Teams Direct Connect https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-teams-direct-connect.md
Azure AD B2B direct connect is disabled by default. To enable collaboration in s
As part of this configuration, we enable the **Office 365** application, which includes Teams and Teams-integrated services such as SharePoint. > [!NOTE]
-> Changes to cross-tenant access settings may take up to three hours fifteen minutes to take effect.
+> Changes to cross-tenant access settings may take up to six hours to take effect.
> [!NOTE] > Shared channels between Commercial and GCC clouds are not supported.
Add each organization with which you want to participate in shared channels.
To add an organization 1. Sign in to [Azure Active Directory](https://aad.portal.azure.com) using a Global administrator or Security administrator account.
-1. Select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. Select **External Identities**, and then select **Cross-tenant access settings**.
1. Select **Organizational settings**. 1. Select **Add organization**. 1. On the **Add organization** pane, type the full domain name (or tenant ID) for the organization and press Enter.
To add an organization
Follow this procedure for each organization where you want to invite external participants. To configure inbound settings for an organization
-1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings**.
1. Select the inbound access link for the organization that you want to modify. 1. On the **B2B direct connect** tab, choose **Customize settings**. 1. On the **External users and groups** tab, choose **Allow access** and **All external users and groups**. (You can choose **Select external users and groups** if you want to limit access to specific users and groups, such as those who have signed a non-disclosure agreement.)
To configure inbound settings for an organization
Follow this procedure for each organization where you want your users to be able to participate in external shared channels. To configure outbound settings for an organization
-1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings (preview)**.
+1. In [Azure Active Directory](https://aad.portal.azure.com), select **External Identities**, and then select **Cross-tenant access settings**.
1. Select the outbound access link for the organization that you want to modify. 1. On the **B2B direct connect** tab, choose **Customize settings**. 1. On the **External users and groups** tab, choose **Allow access** and set an **Applies to** of all users.
solutions Information Protection Deploy Assess https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy-assess.md
- Strat_O365_Enterprise - m365solution-infoprotection - m365solution-scenario
+- zerotrust-solution
description: Determine the data privacy regulations, the relevant scenarios, your readiness, and the sensitive information types that are in your Microsoft 365 environment.
solutions Information Protection Deploy Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy-compliance.md
- Strat_O365_Enterprise - m365solution-infoprotection - m365solution-scenario
+- zerotrust-solution
description: Learn how to use Compliance Score and Compliance Manager to improve your level of protection for personal data.
solutions Information Protection Deploy Govern https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy-govern.md
- Strat_O365_Enterprise - m365solution-infoprotection - m365solution-scenario
+- zerotrust-solution
description: Use Microsoft 365 retention labels and policies to manage personal data in your Microsoft 365 environment.
solutions Information Protection Deploy Identity Device Threat https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy-identity-device-threat.md
- Strat_O365_Enterprise - m365solution-infoprotection - m365solution-scenario
+- zerotrust-solution
description: Prevent personal data breaches with identity, device, and threat protection services of Microsoft 365.
solutions Information Protection Deploy Monitor Respond https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy-monitor-respond.md
- Strat_O365_Enterprise - m365solution-infoprotection - m365solution-scenario
+- zerotrust-solution
description: Use auditing and alert policies and data subject requests to monitor and respond to personal data incidents.
solutions Information Protection Deploy Protect Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy-protect-information.md
- Strat_O365_Enterprise - m365solution-infoprotection - m365solution-scenario
+- zerotrust-solution
description: Deploy Microsoft 365 security and compliance features and protect your personal information.
solutions Information Protection Deploy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/information-protection-deploy.md
- Strat_O365_Enterprise - m365solution-infoprotection - m365solution-overview
+- zerotrust-solution
description: Configure information protection in Microsoft 365 for data privacy regulations like GDPR and the California Consumer Privacy Act (CCPA), including Microsoft Teams, SharePoint, and email.
solutions Manage Devices With Intune App Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-app-protection.md
- M365-security-compliance - m365solution-managedevices - m365solution-scenario
+- zerotrust-solution
keywords:
solutions Manage Devices With Intune Compliance Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-compliance-policies.md
- M365-security-compliance - m365solution-managedevices - m365solution-scenario
+- zerotrust-solution
keywords:
solutions Manage Devices With Intune Configuration Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-configuration-profiles.md
- M365-security-compliance - m365solution-managedevices - m365solution-scenario
+- zerotrust-solution
keywords:
solutions Manage Devices With Intune Dlp Mip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-dlp-mip.md
- M365-security-compliance - m365solution-managedevices - m365solution-scenario
+- zerotrust-solution
keywords: description: Implement Endpoint DLP by working with your information protection and governance team to create DLP policies for your organization.
solutions Manage Devices With Intune Enroll https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-enroll.md
- M365-security-compliance - m365solution-managedevices - m365solution-scenario
+- zerotrust-solution
keywords:
solutions Manage Devices With Intune Monitor Risk https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-monitor-risk.md
- deploy security baselines - m365solution-managedevices - m365solution-scenario
+- zerotrust-solution
keywords:
solutions Manage Devices With Intune Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-overview.md
- M365-security-compliance - m365solution-managedevices - m365solution-overview
+- zerotrust-solution
keywords:
solutions Manage Devices With Intune Require Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-devices-with-intune-require-compliance.md
- M365-security-compliance - m365solution-managedevices - m365solution-scenario
+- zerotrust-solution