+You can add or update a default theme that applies to everyone in your organization. You can also create up to four additional group themes that can be assigned to multiple Microsoft 365 groups.

+3. Choose **Add theme** and add the required info for the tabs.

+- **Default logo**: Add a URL location that points to your logo. Make sure that the URL uses HTTPS. Add an HTTPS image url that allows anonymous access and doesn't require authentication. For default theme, you also have an option to upload a logo image that is less than 10kb. Your default logo can be in the JPG, PNG, GIF, or SVG format. For SVG images, they will be resized to fit 24 pixels vertically. JPG, PNG, GIF images will be scaled to fit 200 x 48 pixels. Logo aspect ratio will always be preserved.

+### Why am I receiving an error message every time I upload a logo URL

+ Title: "Manage payment methods for Microsoft business accounts"

+description: "Learn how to manage your payment methods for Microsoft business products or services in the Microsoft 365 admin center."

+# Manage payment methods for Microsoft business accounts

+When you buy business products or services from Microsoft, you can use an existing payment method to pay for things, or add a new one. You can use a credit or debit card to pay for the things you buy.

+> [!IMPORTANT]

+> - You must use a payment method issued from the same country/region as your tenant.

+> - The option to pay with a bank account is no longer available.

+- [Find out what type of billing account you have](../manage-billing-accounts.md#view-my-billing-accounts).

+- If you have a Microsoft Customer Agreement (MCA) billing account type, you must be a billing account owner or billing account contributor to manage the payment method on the account. For more information about billing account roles, see [Understand your Microsoft business billing account](../manage-billing-accounts.md).

+- If you have an MCA billing account type and youΓÇÖre a billing profile owner or billing profile contributor, you can use the billing profile that's backed by a credit or debit card or invoice payment to make purchases or pay bills. If you're a billing invoice manager, you can only use a billing profile to pay bills. To learn more about billing profiles and roles, see [Understand your Microsoft business billing profile](manage-billing-profiles.md).

+> [!IMPORTANT]

+>

+> Adding a payment method doesn't associate it with any subscriptions or billing profiles you have. If you want to use the new payment method to pay for a subscription, you must move a subscription to it, or replace an existing payment method in a billing profile.

+If you have an MOSA billing account type, you can replace the payment method for all subscriptions that use another payment method as part of adding one. You can also [replace a payment method](#replace-a-payment-method) later on. To assign a single subscription to the payment method, see [Replace the payment method for a single subscription](#replace-the-payment-method-for-a-single-subscription).

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.

+ - If you're using the **Simplified view**, select **Subscriptions**, then select **View payment methods**.

+ - If you're using the Dashboard view, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=848039" target="_blank">Bills & payments</a> page, and select the **Payment methods** tab.

+3. On the **Add a payment method** page, enter the information for the new payment method, then select **Save**.

+4. To use the new payment method to pay for all subscriptions currently paid for with another payment method, select **Replace an existing payment method**.

+5. Select the payment method you want to replace, then select **Replace**.

+You can change the name, billing address, or expiration date for an existing credit or debit card. However, you can't change the card number. If the account number has changed, [replace it with a different payment method](#replace-a-payment-method), and then [delete the old one](#delete-a-payment-method).

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.

+ - If you're using the **Simplified view**, select **Subscriptions**, then select **View payment methods**.

+ - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=848039" target="_blank">Bills & payments</a> page, and select the **Payment methods** tab.

+2. Select the payment method to update. In the right pane, select **Edit**.

+> [!IMPORTANT]

+>

+> If you update a credit or debit card, you must enter the security code before any changes are saved.

+When you replace an existing payment method, you can add a new payment method, or use a payment method thatΓÇÖs already in your account. To replace a payment method, you can do any of the following tasks:

+- [Replace the payment method for a billing profile](#replace-the-payment-method-for-a-billing-profile) (MCA billing account types only)

+- [Replace the payment method for a single subscription](#replace-the-payment-method-for-a-single-subscription) (MOSA billing account types only)

+- [Replace a single payment method for all subscriptions](#replace-a-single-payment-method-for-all-subscriptions) (MOSA billing account types only)

+> [!IMPORTANT]

+>

+> Replacing a payment method doesn't delete the existing payment method. It's still available for you to select and use for other subscriptions and billing profiles. Learn how to delete a payment method .

+### Replace the payment method for a billing profile

+If you have an MCA billing account type, you can replace the payment method for a billing profile.

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.

+ - If you're using the **Simplified view**, select **Subscriptions** > **View payment methods**.

+ - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=848039" target="_blank">Bills & payments</a> page.

+2. Select the **Billing profiles** tab, then select the billing profile to update.

+3. On the **Billing profile** page, under **Payment method**, select **Replace**.

+4. If you need to add a new payment method first, select **Add payment method**, enter the details, then select **Save**.

+5. In the **Replace payment method** pane, select a different payment method from the drop-down list, then select **Replace**.

+### Replace the payment method for a single subscription

+If you have an MOSA billing account type, you can change the payment method used to pay for a single subscription.

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.

+ - If you're using the **Simplified view**, select **Subscriptions**.

+ - If you're using the **Dashboard view**, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.

+2. Select the subscription that you want to pay for with the alternate payment method.

+3. On the product details page, in the **Subscription and payment settings** section, select **Replace payment method**.

+4. If you want to add a new payment method first, select **Add payment method**, enter the details, then select **Save**.

+5. In the **Replace payment method** pane select a different payment method from the drop-down list, then select **Replace**.

+### Replace a single payment method for all subscriptions

+If you have an MOSA billing account type, you can change the payment method used to pay for all your subscriptions. If you only want to change the payment method for one subscription, see [Replace the payment method for a single subscription](#replace-the-payment-method-for-a-single-subscription).

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.

+ - If you're using the **Simplified view**, select **Subscriptions**, then select **View payment methods**.

+ - If you're using the Dashboard view, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=848039" target="_blank">Bills & payments</a> page, and select the **Payment methods** tab.

+2. Select the payment method to replace. The right pane lists all the individual subscriptions that use the selected payment method.

+3. In the right pane, select **Replace payment method for all items**.

+4. Review the payment method details, then select **Next**.

+5. To use a different payment method already on file, select Use another payment method. To add a new payment method, select **Add a payment method**.

+6. Select **Next**.

+7. To use an existing payment method, choose one from the drop-down list, then select **Next**. To add a new payment method, enter the information, then select **Next**.

+8. Review the list of subscriptions or billing profiles that will move to the new payment method, then select **Next**.

+9. Review the final details for replacing your payment method, then select **Replace payment method**.

+10. When youΓÇÖre finished, you can select the link to **Review payment methods**, or select **Close**.

+You can only delete a payment method that isn't attached to a subscription or billing profile. This applies to all subscriptions, regardless of their status.

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.

+ - If you're using the **Simplified view**, select **Subscriptions**, then select **View payment methods**.

+ - If you're using the Dashboard view, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=848039" target="_blank">Bills & payments</a> page, and select the **Payment methods** tab.

+2. Find the payment method to delete, select the **More actions** button (the three dots), then select **Delete**.

+3. Review the payment method details, then select **Next**.

+4. On the next page, select **Delete**, then select **Close**.

+If a payment method is attached to any subscriptions or billing profiles, first replace it with an existing payment method or add a new one, then delete the old payment method.

+1. Go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">admin center</a>.

+ - If you're using the **Simplified view**, select **Subscriptions**, then select **View payment methods**.

+ - If you're using the Dashboard view, go to the **Billing** > <a href="https://go.microsoft.com/fwlink/p/?linkid=848039" target="_blank">Bills & payments</a> page, and select the **Payment methods** tab.

+2. Find the payment method to delete, select the **More actions** button (the three dots), then select **Delete**. The **Delete a payment method** pane lists existing subscriptions and billing profiles that use that payment method.

+3. Select **Next**.

+4. To use a different payment method already on file, select Use another payment method. To add a new payment method, select **Add a payment method**.

+5. Select **Next**.

+6. To use an existing payment method, choose one from the drop-down list, then select **Next**. To add a new payment method, enter the information, then select **Next**.

+7. Review the subscriptions or billing profiles to move, then select **Move subscriptions**.

+8. Review the details of the payment method you want to delete, select **Delete**, then select **Close**.

+| Issue | Troubleshooting steps |

+|:--|:-|

+|**My credit or debit card was declined.** |If you pay by credit or debit card, and your card is declined, you receive an email that says Microsoft was unable to process the payment. Double-check that the card details&mdash;card number, expiration date, name on the card, and address, including city, state, and ZIP code&mdash;appear exactly as they do on the card and your statement. You can update your card information and resubmit the payment. For more information, see [What if I have an outstanding balance?](pay-for-your-subscription.md#what-if-i-have-an-outstanding-balance)</br></br>If you continue to see the ΓÇ£declinedΓÇ¥ message, contact your bank. ItΓÇÖs possible that your card isnΓÇÖt active, or you might have insufficient funds. |

+|**I want to update a credit or debit card number.** |You can't change the card on an existing payment method. If you want to replace a credit or debit card number, [replace it with a different payment method](#replace-a-payment-method), which moves all active subscriptions from the payment method to the new one. |

+|**I only have one credit or debit card on my account and I want to remove it.** |If you only have one payment method, follow the steps in [Delete a payment method](#delete-a-payment-method). |

+|**I can't add my credit or debit card.** |You must use a payment method issued from the same country/region as your tenant. If you have trouble entering your credit or debit card information, you can [contact support](../../admin/get-help-support.md). |

+[Pay for your business subscription](pay-for-your-subscription.md) (article) \

+[Manage billing profiles](manage-billing-profiles.md) (article) \

+Audit logging is turned on by default for Microsoft 365 organizations. However, when setting up a new Microsoft 365 organization, you should verify the auditing status for your organization. For instructions, see the [Verify the auditing status for your organization](#verify-the-auditing-status-for-your-organization) section in this article.

+When auditing is turned on in the Microsoft Purview compliance portal, user and admin activity from your organization is recorded in the audit log and automatically retained for 90 days. The retention (lifetime) for audit data starts when it is added to the auditing log and is retained based on [audit log retention policies](/microsoft-365/compliance/audit-log-retention-policies) and the license assigned to users.

+Changes to the the user licensing or retention policies also change the expiration date of audit data.

+Your organization may have reasons for not wanting to record and retain audit log data. In these cases, a global admin can turn off auditing in Microsoft 365 for your organization. For instructions, see the [Turn off auditing](#turn-off-auditing) section in this article.

+> If you turn off auditing in Microsoft 365, you can't use the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference) or [Microsoft Sentinel](/azure/sentinel/overview) to access auditing data or logs for your organization. Turning off auditing by following the steps in this article means that no results will be returned when you search the audit log using the compliance portal or when you run the **Search-UnifiedAuditLog** cmdlet in Exchange Online PowerShell.

+- For step-by-step instructions on searching the audit log, see [Search the audit log](audit-log-search.md).

+A value of `True` for the *UnifiedAuditLogIngestionEnabled* property indicates that auditing is turned on. A value of `False` indicates that auditing isn't turned on.

+ The value of `False` for the *UnifiedAuditLogIngestionEnabled* property indicates that auditing is turned off.

+ Title: "Onboard Windows devices into Microsoft 365 overview"

+description: "Onboard Windows devices into Microsoft 365"

+# Onboard Windows devices into Microsoft 365 overview

+Before you can use copy matched items you have to onboard Windows 10/11 devices into Purview, see [Onboard Windows devices into Microsoft 365 overview](device-onboarding-overview.md#onboard-windows-devices-into-microsoft-365-overview).

+ Title: "Get started with oversharing pop ups"

+f1.keywords:

+- CSH

+audience: ITPro

+f1_keywords:

+- 'ms.o365.cc.DLPLandingPage'

+ms.localizationpriority: medium

+- tier1

+- purview-compliance

+search.appverid:

+- MET150

+- seo-marvel-apr2020

+- admindeeplinkCOMPLIANCE

+description: Get started with managing oversharing pop ups with data loss prevention policies.

+# Get started with oversharing pop ups

+When you configure the user device registry key and the appropriate Microsoft Purview Data Loss Prevention (DLP) policy, DLP will check email messages before they are sent for sensitive information and apply the actions defined in the DLP policy.

+Oversharing popup is an E5 feature.

+> [!IMPORTANT]

+> This is a hypothetical scenario with hypothetical values. It's only for illustrative purposes. You should substitute your own sensitive information types, sensitivity labels, distribution groups and users.

+> [!IMPORTANT]

+> To identify the minimum version of Outlook that supports this feature, use the [capabilities table for Outlook](sensitivity-labels-versions.md#sensitivity-label-capabilities-in-outlook), and the row **Preventing oversharing as DLP policy tip**.

+## Before you begin

+### SKU/subscriptions licensing

+Before you get started with DLP policies, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1) and any add-ons.

+AIP P2 license is supported

+For full licensing details, see: [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#microsoft-purview-data-loss-prevention-data-loss-prevention-dlp-for-exchange-online-sharepoint-online-and-onedrive-for-business)

+### Permissions

+The account you use to create and deploy policies must be a member of one of these role groups

+- Compliance administrator

+- Compliance data administrator

+- Information Protection

+- Information Protection Admin

+- Security administrator

+> [!IMPORTANT]

+> Be sure you understand the difference between an unrestricted administrator and an administrative unit restricted administrator [Administrative units](microsoft-365-compliance-center-permissions.md#administrative-units) before you start.

+### Granular Roles and Role Groups

+There are roles and role groups that you can use to fine tune your access controls.

+Here's a list of applicable roles. To learn more, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

+- DLP Compliance Management

+- Information Protection Admin

+- Information Protection Analyst

+- Information Protection Investigator

+- Information Protection Reader

+Here's a list of applicable role groups. To learn more, see To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).

+- Information Protection

+- Information Protection Admins

+- Information Protection Analysts

+- Information Protection Investigators

+- Information Protection Readers

+### Prerequisites and assumptions

+In Outlook for Microsoft 365 an oversharing popup displays a popup before a message is sent. Select **Show policy tip as a dialog for the user before send** in policy tip when creating a DLP rule for the Exchange location.

+This scenario uses the *Highly confidential* sensitivity label, so it requires that you have created and published sensitivity labels. To learn more, see:

+- [Learn about sensitivity labels](sensitivity-labels.md)

+- [Get started with sensitivity labels](get-started-with-sensitivity-labels.md)

+- [Create and configure sensitivity labels and their policies](create-sensitivity-labels.md)

+This procedure uses a hypothetical company domain at Contoso.com.

+## Policy intent and mapping

+*We need to block emails to all recipients that have the ΓÇÿhighly confidentialΓÇÖ sensitivity label applied except if the recipient domain is contoso.com. We want to notify the user on send with a popup dialogue and no one can be allowed to override the block.*

+|Statement|Configuration question answered and configuration mapping|

+|||

+|"We need to block emails to all recipients..."|- **Where to monitor**: Exchange </br>- **Administrative scope**: Full directory </br>- **Action**: Restrict access or encrypt the content in Microsoft 365 locations > Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams files > Block everyone |

+|"...that have the 'highly confidential' sensitivity label applied..."| - **What to monitor**: use the Custom template </br> - **Conditions for a match**: edit it to add the *highly confidential* sensitivity label|

+|"...except if..."| **Condition group configuration** - Create a nested boolean NOT condition group joined to the first conditions using a boolean AND|

+|"...the recipient domain is contoso.com."| **Condition for match**: Recipient domain is|

+|"...Notify..."|**User notifications**: enabled|

+|"...the user on send with a popup dialogue..."| **Policy tips**: selected </br> - **Show policy tip as a dialog for the end user before send**: selected|

+|"...and no one can be allowed to override the block...| **Allow overrides from M365 Services**: not selected|

+To configure oversharing popups with default text, the DLP rule must include these conditions:

+- Content contains > Sensitivity labels > *choose your sensitivity label(s)*

+

+and a recipient-based condition

+- Recipient is

+- Recipient is a member of

+- Recipient domain is

+ When these conditions are met, the policy tip displays untrusted recipients while the user is writing the mail in Outlook, before it's sent.

+### Steps to configure Outlook client

+You need configure the *dlpwaitonsendtimeout Regkey (Value in dword)* on all the devices you want to implement oversharing popups. This registry key defines the amount of time to wait to evaluate sensitive content. It is under:

+*Software\Policies\Microsoft\office\16.0\Outlook\options\Mail\Compose message*

+You can set this *RegKey* via group policy (**Specify wait time to evaluate sensitive content**), script or other mechanism for configuring registry keys.

+If you're using Group Policy, make sure you've downloaded the most recent version of Group Policy Administrative Template files for Microsoft 365 Apps for enterprise and navigate to this setting from **User Configuration >> Administrative Templates >> Microsoft Office 2016 >> Security Settings**. If you're using the Cloud Policy service for Microsoft 365, search for the setting by name to configure it.

+When this value is set and the DLP policy are configured, email messages are checked for sensitive information before they are sent. If the message contains a match to the conditions defined in the policy, a policy tip notification appears before the user clicks **Send**..

+This *RegKey* allows you to specify the wait on send behavior on your Outlook clients. Here's what each of the settings means.

+**Not configured** or **Disabled**: This is the default. When *dlpwaitonsendtimeout* is not configured the message is not checked before the user sends it. The email message will be sent with no pause when **Send** is clicked. The DLP data classification service will evaluate the message and apply the actions defined in the DLP policy.

+**Enabled**: The email message is checked when the **Send** is clicked but before the message is actually sent. You can set a time limit on how long to wait for DLP policy evaluation to complete (**T** value in seconds). If the policy evaluation doesn't complete in the specified time a **Send anyway** button appears allowing the user to bypass the presend check. The **T** value range is 0 to 9999 seconds.

+> [!IMPORTANT]

+> If the **T** value is greater than 9999, it will be replaced with 1000 and the **Send Anyway** button will not appear. This holds the message until the policy evalution completes with no option for user override. The duration to complete the evaluation can vary depending on factors such as internet speed, content length, and the number of defined policies. Some users may encounter policy evaluation messages more frequently than others depending on what policies are deployed on their mailbox.

+To learn more about configuring and using GPO see, [Administer Group Policy in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/manage-group-policy).

+### Steps to create a DLP policy for an oversharing pop up policy tip

+> [!IMPORTANT]

+> For the purposes of this policy creation procedure, you'll accept the default include/exclude values and leave the policy turned off. You'll be changing these when you deploy the policy.

+1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>.

+1. In the Microsoft Purview compliance portal \> left navigation \> **Solutions** \> **Data loss prevention** \> **Policies** \> **+ Create policy**.

+1. Select **Custom** from the **Categories** list.

+

+1. Select **Custom** from the **Templates** list.

+

+1. Give the policy a name.

+ > [!IMPORTANT]

+ > Policies cannot be renamed.

+1. Fill in a description. You can use the policy intent statement here.

+1. Select **Next**.

+1. Select **Full directory** under **Admin units**.

+1. Set the **Exchange email** location status to **On**. Set all the other location status to **Off**.

+1. Select **Next**.

+1. Accept the default values for **Include** = **All** and **Exclude** = **None**.

+

+1. The **Create or customize advanced DLP rules** option should already be selected.

+

+1. Select **Next**.

+

+1. Select **Create rule**. Name the rule and provide a description.

+1. Select **Add condition** > **Content contains** > **Add** > **Sensitivity labels** > **Highly confidential**. Choose **Add**.

+

+1. Select **Add group** > **AND** > **NOT** > **Add condition**.

+1. Select **Recipient domain is** > **contoso.com**. Choose **Add**.

+ > [!TIP]

+ > **Recipient is** and **Recipient is a member of** can also be used in the previous step and will trigger an oversharing popup.

+

+1. Select **Add and action** > **Restrict access or encrypt the content in Microsoft 365 locations** > **Restrict access or encrypt the content in Microsoft 365 locations** > **Block users from receiving email or accessing shared SharePoint, OneDrive, and Teams file.** > **Block everyone**.

+

+1. Set **User notifications** to **On**.

+

+1. Select **Policy tips** > **Show the policy tip as a dialog for the end user before send**.

+

+1. Make sure that **Allow override from M365 services** *isn't* selected.

+

+1. Choose **Save**.

+

+1. Choose **Next** > **Keep it off** > **Next** > **Submit**.

+#### PowerShell steps to create policy

+DLP policies and rules can also be configured in PowerShell. To configure oversharing popups using PowerShell, first you create a DLP policy (using PowerShell) and add DLP rules for each warn, justify or block popup type.

+You'll configure and scope your DLP Policy using [New-DlpCompliancePolicy](/powershell/module/exchange/new-dlpcompliancepolicy). Then, you'll configure each oversharing rule using [New-DlpComplianceRule](/powershell/module/exchange/new-dlpcompliancerule)

+To configure a new DLP policy for the oversharing popup scenario use this code snippet:

+```powershell

+PS C:\> New-DlpCompliancePolicy -Name <DLP Policy Name> -ExchangeLocation All

+```

+This sample DLP policy is scoped to all users in your organization. Scope your DLP Policies using `-ExchangeSenderMemberOf` and `-ExchangeSenderMemberOfException`.

+|Parameter| Configuration|

+|||

+|[-ContentContainsSensitiveInformation](/powershell/module/exchange/new-dlpcompliancerule?view=exchange-ps#-contentcontainssensitiveinformation&preserve-view=true)| Configures one or more sensitivity label conditions. This sample includes one. At least one label is mandatory.|

+|[-ExceptIfRecipientDomainIs](/powershell/module/exchange/new-dlpcompliancerule?view=exchange-ps#-exceptifrecipientdomainis&preserve-view=true)| List of trusted domains.|

+|[-NotifyAllowOverride](/powershell/module/exchange/new-dlpcompliancerule?view=exchange-ps#-notifyallowoverride&preserve-view=true)| "WithJustification" enables justification radio buttons, "WithoutJustification" disables them.|

+|[-NotifyOverrideRequirements](/powershell/module/exchange/new-dlpcompliancerule?view=exchange-ps#-notifyoverriderequirements&preserve-view=true) |"WithAcknowledgement" enables the new acknowledgment option. This is optional.|

+|

+To configure a new DLP rule to generate a *warn* popup using trusted domains run this PowerShell code.

+```powershell

+PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator="Or";name="Default";labels=@(@{name=<Label GUID>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com")

+```

+To configure a new DLP rule to generate a *justify* popup using trusted domains run this PowerShell code.

+```powershell

+PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -BlockAccess $true -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator = "Or"; name = "Default"; labels = @(@{name=<Label GUID 1>;type="Sensitivity"},@{name=<Label GUID 2>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com") -NotifyAllowOverride "WithJustification"

+```

+To configure a new DLP rule to generate a *block* popup using trusted domains run this PowerShell code.

+```powershell

+PS C:\> New-DlpComplianceRule -Name <DLP Rule Name> -Policy <DLP Policy Name> -NotifyUser Owner -NotifyPolicyTipDisplayOption "Dialog" -BlockAccess $true -ContentContainsSensitiveInformation @(@{operator = "And"; groups = @(@{operator = "Or"; name = "Default"; labels = @(@{name=<Label GUID 1>;type="Sensitivity"},@{name=<Label GUID 2>;type="Sensitivity"})})}) -ExceptIfRecipientDomainIs @("contoso.com","microsoft.com")

+```

+Use these procedures to access the [Business justification X-Header](dlp-policy-reference.md#business-justification-x-header).

+## See also

+- [Learn about data loss prevention alerts and the alerts dashboard](dlp-alerts-dashboard-learn.md)

+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)

+- **Partially indexed items**: Selection of this option adds partially indexed items from additional data sources to the review set. If the collection searched additional data sources (as specified on the **Additional locations** page in the collections wizard), there may be partially indexed items from these locations that you want to add to the review set. Custodial and non-custodial data sources typically don't have partially indexed items. That's because the Advanced indexing process reindexes items when custodial and non-custodial data sources are added to a case. Also, Adding partially indexed items will increase the number of items added to the review set. <p> After partially indexed items are added to the review set, you can apply a filter to specifically view these items. For more information, see [Scenario example: Filter partially indexed items](ediscovery-review-set-search.md#scenario-example-filter-partially-indexed-items)

+In most cases, it is useful to dig deeper into the content in a review set and organize it to facilitate a more efficient review. Using filters and queries in a review set helps you focus on a subset of documents that meet the criteria of your review.

+## Advanced filters

+Improving on the default filters in previous versions, eDiscovery (Premium) now provides advanced filters that let you build more flexible and advanced filters for review sets. Similar to the [collection query builder experience](/microsoft-365/compliance/ediscovery-query-builder), the advanced filtering capability enables you to:

+- Quickly search for filter conditions.

+- Create complex filters using subgroups, *AND*, or *OR* conditions.

+- Easily change your queries with **Undo filter query** and **Redo filter query** controls.

+- Manage saved filters without having to navigate to another area.

+- Use *Is empty* and *Is not empty* conditions for each filter.

+

+## Advanced filter controls

+To create and custom filtering for your review set, use the following controls:

+- **AND/OR**: These conditional logical operators allow you to select the query condition that applies to specific filters and filter subgroups. These operators allow you to use multiple filters or subgroups connected to a single filter in your query.

+- **Select a filter**: Allows you to select filters for the specific data sources and location content selected for the collection.

+- **Add filter**: Allows you to add multiple filters to your query. Is available after you've defined at least one query filter.

+- **Select an operator**: Depending on the selected filter, the operators compatible for the filter are available to select. For example, if the *Date* filter is selected, the available operators are *Before*, *After*, and *Between*. If the *Size (in bytes)* filter is selected, the available operators are *Greater than*, *Greater or equal*, *Less than*, *Less or equal*, *Between*, and *Equal*.

+- **Value**: Depending on the selected filter, the values compatible for the filter are available. Additionally, some filters support multiple values and some filters support one specific value. For example, if the *Date* filter is selected, select date values. If the *Size (in bytes)* filter is selected, select a value for bytes.

+- **Add subgroup**: After you've defined a filter, you can add a subgroup to refine the results returned by the filter. You can also add a subgroup to a subgroup for multi-layered query refinement.

+- **Remove a filter condition**: To remove an individual filter or subgroup, select the remove icon to the right of each filter line or subgroup.

+- **Clear all**: To clear the entire query of all filters and subgroups, select **Clear all**.

+- **Freetext**: A freetext filter is applied to text fields such as *Subject*. You can list multiple search terms by separating them with a comma.

+- **Date**: A date filter is used for date fields such as *Last modified date*.

+- **Search options**: A search options filter provides a list of possible values (each value is displayed with a checkbox that you can select) for particular fields in the review. This filter is used for fields, such as *Sender*, where there's a finite number of possible values in the review set.

+## Save and manage filter queries

+To save a filter, select **Save** on the **Save filter queries** command bar and name it. You or other reviewers can run previously saved filter queries by selecting the **Saved filter queries** dropdown and selecting a filter query to apply to review set documents.

+To edit or delete a saved filter query, select **Saved filter queries** and expand the filter properties to display the **Edit** and **Delete** options for the saved filter query.

+

+## Use query language support for KQL and Keyword filters

+When using the *KQL* or *Keyword* filters, you can use a KQL-like query language to build your review set search query. The query language for these two filters supports standard Boolean operators, such as **AND**, **OR**, **NOT**, and **NEAR**. It also supports a single-character wildcard (?) and a multi-character wildcard (*).

+## Scenario example: Filter for untagged items in a review set

+An eDiscovery administrator needs to create a query to find all items in the review set that haven't had any tagging applied. For this example, the administrator creates the following review set filter query:

+1. For the first filter, the administrator selects the filter and types *tag* in filter search. The filter *Tags* is displayed as a matching option, and the administrator selects it.

+2. The administrator then selects **Select an operator** and selects the *Is empty* operator. This operator returns all items that don't have any tags applied.

+The review set is immediately updated and the only the items that aren't tagged are displayed.

+

+## Scenario example: Filter for native file type items in a review set

+An eDiscovery administrator needs to create a query to find all items in the review set that are a certain type, such as .csv, .msg, or .pdf. For this example, the administrator creates the following review set filter query:

+1. For the first filter, the administrator selects the filter and types *file* in filter search. The filter *Native file extension* is one of the filter options displayed in the search results, and the administrator selects it.

+2. The administrator then selects **Select an operator** and selects the *Equals any of* operator. The administrator selects the *Any* field and selects the checkboxes for the file types to include in the filter query.

+The review set is immediately updated and the only the items that match the selected file types are displayed.

+

+## Scenario example: Filter partially indexed items

+4. After both collections are added to the review set, select the review set, and select **Load sets**.

+- [Onboard Windows devices into Microsoft 365 overview](device-onboarding-overview.md#onboard-windows-devices-into-microsoft-365-overview)

+>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).*

+> The AIP add-in used PowerShell advanced settings for [oversharing popup messages in Outlook](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#implement-pop-up-messages-in-outlook-that-warn-justify-or-block-emails-being-sent). When you use built-in labeling, the equivalent of this configuration is now detailed in [Get started with oversharing pop ups](dlp-osp-get-started.md).

+|[Get started with oversharing pop ups](dlp-osp-get-started.md)|Current Channel: 2305+ <br /><br> Monthly Enterprise Channel: 2307+ <br /><br> Semi-Annual Enterprise Channel: 2302+ |Under review |Under review |Under review |Under review |

+> 1. If using Windows Server 2016 or before, you must also [install Visual C++](/cpp/windows/latest-supported-vc-redist?view=msvc-170#visual-studio-2015-2017-2019-and-2022&preserve-view=true) prior to installing the EDM Upload Agent.

+>

+> 2. Install the [EDM Upload Agent](#links-to-edm-upload-agent-by-subscription-type) in a custom folder so you don't need administrator permissions. If you install it into the default (*Program Files*), administrator permissions are required.

+>

+- **General availability (GA)**: Auto-labeling retention policies for [cloud attachments](apply-retention-labels-automatically.md#auto-apply-labels-to-cloud-attachments) that are shared via Viva Engage are now in general availability.

+- **General availability (GA)**: Oversharing Popup for Outlook Win 32. [Get started with oversharing pop ups](dlp-osp-get-started.md) and [Business justification X-Header](dlp-policy-reference.md#business-justification-x-header).

+- **In preview**: Prevent oversharing of labeled emails as a DLP policy tip using [Get started with oversharing pop ups](dlp-osp-get-started.md). This DLP policy configuration is an equivalent for the AIP add-in with PowerShell advanced settings that implement pop-up messages in Outlook that warn, justify, or block emails being sent.

+ Title: Microsoft 365 Defender tech community

+description: Microsoft 365 Defender tech community engagement.

+> [!TIP]

+> Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: [Microsoft 365 Defender Tech Community](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/bg-p/MicrosoftThreatProtectionBlog).

+## Disable sign out

+Defender for Endpoint allows you to deploy the app and disabling the sign out button. By hiding the sign out button, users are prevented from signing out of the Defender app. This action helps prevent tampering with the device when Defender for Endpoint isn't running.

+Use the following steps to configure the Disable sign out:

+1. In the Microsoft Intune admin center, go to **Apps > App configuration policies > Add > Managed apps**.

+2. Provide the policy a **name**.

+3. Under **Select Public Apps**, choose **Microsoft Defender for Endpoint** as the target app.

+4. In the **Settings** page, under the **General Configuration Settings**, add **DisableSignOut** as the key and set the value as 1.

+ - By default, Disable Sign Out = 0.

+ - Admin needs to make Disable Sign Out = 1 to disable the sign-out button in the app. Users will not see the sign out button once the policy is pushed to the device.

+5. Select **Next** and assign this profile to targeted devices/users.

+## Disable sign-out

+Defender for Endpoint supports deployment without the sign-out button in the app to prevent users from signing out of the Defender app. This is important to prevent users from tampering with the device.

+Use the following steps to configure Disable sign-out:

+1. In [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** > **App configuration policies** > **Add** > **Managed devices**.

+2. Give the policy a name, select **Platform > Android Enterprise**, and select the profile type.

+3. Select **Microsoft Defender for Endpoint** as the target app.

+4. In the Settings page, select **Use configuration designer** and add **Disable Sign Out** as the key and **Integer** as the value type.

+ - By default, Disable Sign Out = 1 for Android Enterprise personally owned work profiles, fully managed, company owned personally enabled profiles and 0 for device administrator mode.

+ - Admins need to make Disable Sign Out = 0 to enable the sign-out button in the app. Users will be able to see the sign-out button once the policy is pushed.

+5. Select **Next** and assign this profile to targeted devices and users.

+(<a id="fn1">1</a>) _Block abuse of exploited vulnerable signed drivers_ is now available under **Endpoint Security** > **Attack Surface Reduction**.

+By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally defined list takes precedence. You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used.

+> [!NOTE]

+> For "Administrative Templates (.admx) for Windows 11 2022 Update (22H2)" and "Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)" templates, set **Configure local administrator merge behavior for lists** to **Enabled** to disable the local administrator merge behavior.

+> Always download the latest installer package from the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) before performing a new installation and ensure prerequisites have been met. After installation, ensure to regularly update using component updates described in the section [Update packages for Microsoft Defender for Endpoint on Windows Server 2012 R2 and 2016](#update-packages-for-microsoft-defender-for-endpoint-on-windows-server-2012-r2-and-2016).

+- Automatic exclusions for **server roles** aren't supported on Windows Server 2012 R2; however, built-in exclusions for operating system files are. For more information about adding exclusions, see [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).

+This article describes exclusions for Windows Server. Because Microsoft Defender Antivirus is built into Windows, [built-in exclusions](#built-in-exclusions) for operating system files happen automatically on all versions of Windows. On Windows Server 2016 and later, [automatic exclusions](#automatic-server-role-exclusions) happen automatically as roles are added. If necessary, you can define custom exclusions or opt out of automatic exclusions.

+- Built-in exclusions and automatic server role exclusions don't appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).

+## Automatic server role exclusions

+On Windows Server 2016 or later, you shouldn't need to define exclusions for server roles. When you install a role on Windows Server 2016 or later, Microsoft Defender Antivirus includes automatic exclusions for the server role and any files that are added while installing the role.

+Windows Server 2012 R2 does not support the automatic exclusions feature. You'll need to define explicit exclusions for any server role and any software that's added after installing the operating system.

+Automatic exclusions include:

+- [Hyper-V exclusions](#hyper-v-exclusions)

+- [SYSVOL files](#sysvol-files)

+- [Active Directory exclusions](#active-directory-exclusions)

+- [DHCP Server exclusions](#dhcp-server-exclusions)

+- [DNS Server exclusions](#dns-server-exclusions)

+- [File and Storage Services exclusions](#file-and-storage-services-exclusions)

+- [Print Server exclusions](#print-server-exclusions)

+- [Web Server exclusions](#web-server-exclusions)

+- [Windows Server Update Services exclusions](#windows-server-update-services-exclusions)

+### Hyper-V exclusions

+### SYSVOL files

+### Active Directory exclusions

+#### NTDS database files

+#### The AD DS transaction log files

+#### The NTDS working folder

+#### Process exclusions for AD DS and AD DS-related support files

+### DHCP Server exclusions

+### DNS Server exclusions

+#### File and folder exclusions for the DNS Server role

+#### Process exclusions for the DNS Server role

+### File and Storage Services exclusions

+### Print Server exclusions

+#### File type exclusions

+#### Folder exclusions

+#### Process exclusions for the Print Server role

+### Web Server exclusions

+#### Folder exclusions

+#### Process exclusions for the Web Server role

+#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder

+### Windows Server Update Services exclusions

+## Built-in exclusions

+Because Microsoft Defender Antivirus is built into Windows, it doesn't require exclusions for operating system files on any version of Windows.

+Built-in exclusions include:

+- [Windows "temp.edb" files](#windows-tempedb-files)

+- [Windows Update files or Automatic Update files](#windows-update-files-or-automatic-update-files)

+- [Windows Security files](#windows-security-files)

+- [Group Policy files](#group-policy-files)

+- [WINS files](#wins-files)

+- [File Replication Service (FRS) exclusions](#file-replication-service-frs-exclusions)

+- [Process exclusions for built-in operating system files](#process-exclusions-for-built-in-operating-system-files)

+### Windows "temp.edb" files

+- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`

+- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\windows.edb`

+### Windows Update files or Automatic Update files

+- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`

+- `%windir%\SoftwareDistribution\Datastore\*\edb.chk`

+- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`

+- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`

+- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`

+### Windows Security files

+- `%windir%\Security\database\*.chk`

+- `%windir%\Security\database\*.edb`

+- `%windir%\Security\database\*.jrs`

+- `%windir%\Security\database\*.log`

+- `%windir%\Security\database\*.sdb`

+### Group Policy files

+- `%allusersprofile%\NTUser.pol`

+- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol`

+- `%SystemRoot%\System32\GroupPolicy\User\registry.pol`

+### WINS files

+- `%systemroot%\System32\Wins\*\*.chk`

+- `%systemroot%\System32\Wins\*\*.log`

+- `%systemroot%\System32\Wins\*\*.mdb`

+- `%systemroot%\System32\LogFiles\`

+- `%systemroot%\SysWow64\LogFiles\`

+### File Replication Service (FRS) exclusions

+- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`

+ - `%windir%\Ntfrs\jet\sys\*\edb.chk`

+ - `%windir%\Ntfrs\jet\*\Ntfrs.jdb`

+ - `%windir%\Ntfrs\jet\log\*\*.log`

+- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory`

+ - `%windir%\Ntfrs\*\Edb\*.log`

+- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`

+ - `%systemroot%\Sysvol\*\Ntfrs_cmp*\`

+- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`

+ - `%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\`

+- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`

+ > [!NOTE]

+ > For custom locations, see [Opting out of automatic exclusions](#opting-out-of-automatic-exclusions).

+ - `%systemdrive%\System Volume Information\DFSR\$db_normal$`

+ - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`

+ - `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*`

+ - `%systemdrive%\System Volume Information\DFSR\*.XML`

+ - `%systemdrive%\System Volume Information\DFSR\$db_dirty$`

+ - `%systemdrive%\System Volume Information\DFSR\$db_clean$`

+ - `%systemdrive%\System Volume Information\DFSR\$db_lostl$`

+ - `%systemdrive%\System Volume Information\DFSR\Dfsr.db`

+ - `%systemdrive%\System Volume Information\DFSR\*.frx`

+ - `%systemdrive%\System Volume Information\DFSR\*.log`

+ - `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs`

+ - `%systemdrive%\System Volume Information\DFSR\Tmp.edb`

+### Process exclusions for built-in operating system files

+- `%systemroot%\System32\dfsr.exe`

+- `%systemroot%\System32\dfsrs.exe`

+In Windows Server 2016 and later, the predefined exclusions delivered by [Security intelligence updates](microsoft-defender-antivirus-updates.md#security-intelligence-updates) only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and later. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.

+> Opting out of automatic exclusions might adversely impact performance, or result in data corruption. Automatic server role exclusions are optimized for Windows Server 2016, Windows Server 2019, and Windows Server 2022.

+> **Defining exclusions reduces the level of protection offered by Defender for Endpoint and Microsoft Defender Antivirus**. Use exclusions as a last resort, and make sure to define only the exclusions that are necessary. Make sure to review your exclusions periodically, and remove the ones you no longer need. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) and [Common mistakes to avoid](common-exclusion-mistakes-microsoft-defender-antivirus.md).

+If you have a file that you think is wrongly detected as malware (a false positive), or a file that you suspect might be malware even though it wasn't detected (a false negative), you can submit the file to Microsoft for analysis. Your submission is scanned immediately, and will then be reviewed by Microsoft security analysts. You're able to check the status of your submission on the [submission history page](https://www.microsoft.com/wdsi/submissionhistory).

+| [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) <br/>[Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Automatic exclusions](#automatic-exclusions) (for active roles on Windows Server 2016 and later)<br/>- [Built-in exclusions](#built-in-exclusions) (for operating system files in Windows)<br/>- [Custom exclusions](#custom-exclusions), such as process-based exclusions, folder location-based exclusions, file extension exclusions, or contextual file and folder exclusions<br/>- [Custom remediation actions](#custom-remediation-actions) based on threat severity or for specific threats<br/><br/>*The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include server licenses. To onboard servers, you need another license, such as Microsoft Defender for Endpoint for Servers or [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/defender-for-servers-introduction). To learn more, see [Defender for Endpoint onboarding Windows Server](onboard-windows-server.md).*<br/><br/>*If you're a small or medium-sized business using [Microsoft Defender for Business](../defender-business/mdb-overview.md), you can get [Microsoft Defender for Business servers](../defender-business/get-defender-business.md#how-to-get-microsoft-defender-for-business-servers).* |

+- [Automatic exclusions](#automatic-exclusions) (for server roles on Windows Server 2016 and later)

+- [Built-in exclusions](#built-in-exclusions) (for operating system files in all versions of Windows)

+- [Custom exclusions](#custom-exclusions) (for files and folders that you specify, if necessary)

+- [Custom remediation actions](#custom-remediation-actions) (to determine what happens with detected threats)

+[Automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#automatic-server-role-exclusions) (also referred to as *automatic server role exclusions*) include exclusions for server roles and features in Windows Server. These exclusions aren't scanned by [real-time protection](configure-protection-features-microsoft-defender-antivirus.md) but are still subject to [quick, full, or on-demand antivirus scans](schedule-antivirus-scans.md#comparing-the-quick-scan-full-scan-and-custom-scan).

+Examples include:

+- File Replication Service (FRS)

+- Hyper-V

+- SYSVOL

+- Active Directory

+- DNS Server

+- Print Server

+- Web Server

+- Windows Server Update Services

+- ...and more.

+> [!NOTE]

+> Automatic exclusions for server roles aren't supported on Windows Server 2012 R2. For servers running Windows Server 2012 R2 with the Active Directory Domain Services (AD DS) server role installed, exclusions for domain controllers must be specified manually. See [Active Directory exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#active-directory-exclusions).

+For more information, see [Automatic server role exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#automatic-server-role-exclusions).

+### Built-in exclusions

+[Built-in exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#built-in-exclusions) include certain operating system files that are excluded by Microsoft Defender Antivirus on all versions of Windows (including Windows 10, Windows 11, and Windows Server).

+Examples include:

+- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`

+- `%allusersprofile%\NTUser.pol`

+- Windows Update files

+- Windows Security files

+- ... and more.

+For more information, see [Built-in exclusions](configure-server-exclusions-microsoft-defender-antivirus.md#built-in-exclusions).

+- **Block Execution** ΓÇô IP addresses and URLs/domains with Block Execution indicators are blocked. Users can't access those locations.

+You can specify folders, file extensions in a specific directory, and file names to be excluded from automated investigation and remediation capabilities. Such automation folder exclusions apply to all devices onboarded to Defender for Endpoint. These exclusions are still subject to antivirus scans. See [Manage automation folder exclusions](manage-automation-folder-exclusions.md).

+## Other server workloads and exclusions

+If your organization is using other server workloads, such as Exchange Server, SharePoint Server, or SQL Server, be aware that only built-in server roles (that could be prerequisites for software you install later) on Windows Server are excluded by [automatic exclusions](#automatic-exclusions) feature (and only when using their default installation location). You'll likely need to define antivirus exclusions for these other workloads, or for all workloads if you disable automatic exclusions.

+> **Performance tip** Due to a variety of factors, Microsoft Defender Antivirus, like other antivirus software, can cause performance issues on endpoint devices. In some cases, you might need to tune the performance of Microsoft Defender Antivirus to alleviate those performance issues. Microsoft's **Performance analyzer** is a PowerShell command-line tool that helps determine which files, file paths, processes, and file extensions might be causing performance issues; some examples are:

+Whether taken automatically or upon approval, an automated investigation and remediation can result in one or more of the remediation actions:

+- If you don't have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3 or E5, sign up to try the [Defender Vulnerability Management Standalone Trial](#try-defender-vulnerability-management-standalone)

+If you don't have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3 or E5, you will sign up to trial the **Defender Vulnerability Management Standalone trial**.

+[Frequently asked questions](frequently-asked-questions.md)

+- [Understand the schema](advanced-hunting-schema-tables.md)

+- [Learn the query language](advanced-hunting-query-language.md)

+- [Apply query best practices](advanced-hunting-best-practices.md)

+- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)

+- [Learn how to manage the Log4Shell vulnerability in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/tvm-manage-log4shell-guidance)

+- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)

+- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)

+- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)

+- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)

+- [Overview of Microsoft Defender Vulnerability Management](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)

+- [Kusto Query Language overview](/azure/data-explorer/kusto/query/)

+- [Understand the schema](advanced-hunting-schema-tables.md)

+- [Learn the query language](advanced-hunting-query-language.md)

+ - [Extend advanced hunting coverage with the right settings](advanced-hunting-extend-data.md)

+- [Refine your query in guided mode](advanced-hunting-query-builder-details.md)

+- [Apply query best practices](advanced-hunting-best-practices.md)

+- [Apply query best practices](advanced-hunting-best-practices.md)

+- [Investigate alerts](investigate-alerts.md)

+- [Investigate alerts](investigate-alerts.md)

+[Additional information](additional-information-xdr.md)

+After you mitigate the risk and complete the investigation of an incident, you can release the contained assets from the action details pane (e.g., enable a disabled user account or release a device from containment). For more information about the action center, see [Action center](m365d-action-center.md).

+Work with your Commercial Executive to transact the Defender Experts for XDR SKU.

+[Get started with Microsoft Defender Experts for XDR](get-started-xdr.md)

+[Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)

+[Additional information](additional-information-xdr.md)

+Return to the overview for [Evaluate and pilot Microsoft 365 Defender](eval-overview.md)

+[Use the Microsoft Graph security API - Microsoft Graph | Microsoft Learn](/graph/api/resources/security-api-overview)

+-

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RW12hyh]

+### Permissions

+|Training:|Mitigate threats using Microsoft 365 Defender|

+||Analyze threat data across domains and rapidly remediate threats with built-in orchestration and automation in Microsoft 365 Defender. This learning path aligns with exam SC-200: Microsoft Security Operations Analyst.<p> 9 hr 31 min - Learning Path - 11 Modules|

+> [Start >](/training/paths/dsc-200-mitigate-threats-using-microsoft-365-defender/)

+Before you can use the OCR service in Syntex, you must first link an Azure subscription in [Syntex pay-as-you-go](syntex-azure-billing.md). OCR in Syntex is billed based on the [type and number of transactions](syntex-pay-as-you-go-services.md).

+You must have Global admin or SharePoint admin permissions to be able to access the Microsoft 365 admin center and set up the OCR service in Syntex.

+description: Learn about the capabilities, services, and features in Microsoft Syntex.

+Microsoft Syntex is a content understanding, processing, and compliance service that uses intelligent document processing, content artificial intelligence (AI), and advanced machine learning to automatically and thoughtfully find, organize, and classify documents in your SharePoint libraries, Microsoft Teams, OneDrive for Business, and Exchange.

+## Explore scenarios and use cases

+ :::column span="":::

+ 

+ :::column-end:::

+[Learn more about scenarios and use case for Microsoft Syntex.](adoption-scenarios.md)

+## Syntex services

+### Content assembly

+ With Syntex, you can automatically generate standard repetitive business documents, such as contracts, statements of work, service agreements, letters of consent, and correspondence.

+ You can do all these tasks quicker, more consistently, and with fewer errors in Syntex.

+ :::column-end:::

+ :::column span="":::

+ 

+You create *modern templates* based on the business documents you use most. You then use those templates to automatically generate new documents using SharePoint lists or user entries as a data source.

+[Learn more about how to generate documents using content assembly.](content-assembly.md)

+### Prebuilt document processing

+ :::column span="":::

+ 

+ :::column-end:::

+ :::column span="3":::

+ Use a [prebuilt model](prebuilt-overview.md) to save time processing and extracting information from [contracts](prebuilt-model-contract.md), [invoices](prebuilt-model-invoice.md), or [receipts](prebuilt-model-receipt.md). Prebuilt models are pretrained to recognize common business documents and the structured information in the documents.

+ :::column-end:::

+Instead of having to create a new document processing model from scratch, you can use a prebuilt model to jumpstart your document project.

+[Learn more about prebuilt models in Microsoft Syntex.](prebuilt-overview.md)

+### Structured and freeform document processing

+ :::column span="":::

+ 

+ :::column-end:::

+ :::column span="3":::

+ Use a [structured model](form-processing-overview.md) to automatically identify field and table values. It works best for structured or semi-structured documents, such as forms and invoices. Use a [freeform model](freeform-document-processing-overview.md) to automatically extract information from unstructured and freeform documents, such as letters and contracts where the information can appear anywhere in the document.

+ :::column-end:::

+Both structured and freeform models use Microsoft Power Apps AI Builder to create and train models within Syntex.

+Learn more about [structured models](form-processing-overview.md) and [freeform models](freeform-document-processing-overview.md) in Microsoft Syntex.

+### Unstructured document processing

+ 

+ Use an [unstructured model](document-understanding-overview.md) to automatically classify documents and extract information from them. It works best for documents that vary in composition, such as letters or contracts. This model type supports the widest range of file types.

+[Learn more about unstructured models in Microsoft Syntex.](document-understanding-overview.md)

+### Optical character recognition

+ The optical character recognition (OCR) service in Syntex lets you extract printed or handwritten text from images. Syntex automatically scans the image files, extracts the relevant text, and makes the text from the images available for search and indexing. This lets you quickly and accurately find the keywords and phrases you're looking for.

+ 

+[Learn more about using the OCR service in Microsoft Syntex.](ocr.md)

+## Other features

+### Annotations

+ 

+### Content query

+ The content query feature in Syntex lets you perform specific metadata-based queries on SharePoint document libraries.

+ You can make faster, more precise queries based on specific metadata column values, rather than just searching for keywords.

+ :::column-end:::

+ :::column span="":::

+ 

+This feature is useful when you have a specific piece of information you want to search for, such as when a document was last modified, a specific person associated with a file, or a specific file type.

+[Learn more about how to search for metadata in document libraries in Microsoft Syntex.](metadata-search.md)

+### Content compliance

+ 

+ :::column-end:::

+ :::column span="3":::

+ Understanding your content allows for better compliance control and increases management and governance options for all your data. When content is properly tagged and labeled, you have better control over your data and can follow regulations more easily. Syntex helps you ensure compliance by using retention labels and sensitivity labels to manage your documents.

+### Content processing

+ Syntex lets you build simple rules-driven actions in document libraries based on metadata. From a document library, you can create rules to automate tasks such as sending a notification when metadata changes in a file, when a new file is created in the library, or when files are moved or copied based on metadata extracted by Syntex models.

+ :::column-end:::

+ :::column span="":::

+ 

+### Premium taxonomy services

+- [Term store reports](term-store-analytics.md), which provides you with insights into published term sets and their use across your organization.

+Before you can use unstructured document processing in Syntex, you must first link an Azure subscription in [Syntex pay-as-you-go](syntex-azure-billing.md). Unstructured document processing in Syntex is billed based on the [type and number of transactions](syntex-pay-as-you-go-services.md).

+After an [Azure subscription is linked to Microsoft Syntex](syntex-azure-billing.md), unstructured document processing will be automatically set up and enabled for all SharePoint sites.