Updates from: 07/20/2021 03:12:16
Category Microsoft Docs article Related commit history on GitHub Change details
admin Strong Password https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/strong-password.md
You must also connect to Microsoft 365 with PowerShell.
```powershell Get-MsolUser | Set-MsolUser -StrongPasswordRequired $false
-3. You can turn of strong password requirements for specific users with this command:
+3. You can turn **OFF** strong password requirements for specific users with this command:
```powershell Set-MsolUser ΓÇôUserPrincipalName ΓÇôStrongPasswordRequired $false
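Review bot: The command under the reworded step 3 passes `UserPrincipalName` with no value, so a reader cannot tell what to supply and the line does not run as written. Suggest adding a placeholder such as `-UserPrincipalName <user ID>` and using plain ASCII hyphens before both parameter names, matching the `Get-MsolUser | Set-MsolUser -StrongPasswordRequired $false` line above. Since the step now stresses **OFF**, one sentence on when relaxing the requirement for a single account is appropriate would also help.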
admin Compare Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/create-groups/compare-groups.md
description: "Microsoft 365 group members get a group email and shared workspace
In the **Groups** section of the Microsoft 365 admin center, you can create and manage these types of groups: -- **Microsoft 365 groups** (formerly Office 365 groups) are used for collaboration between users, both inside and outside your company.
+- **Microsoft 365 groups** are used for collaboration between users, both inside and outside your company. They include collaboration services such as SharePoint and Planner.
- **Distribution groups** are used for sending email notifications to a group of people. - **Security groups** are used for granting access to resources such as SharePoint sites. - **Mail-enabled security groups** are used for granting access to resources such as SharePoint, and emailing notifications to those users. - **Shared mailboxes** are used when multiple people need access to the same mailbox, such as a company information or support email address.
+Some groups allow dynamic membership or email.
+
+||Microsoft 365 groups|Distribution groups|Security groups|Mail-enabled security groups|Shared mailboxes|
+|:-|:-|:-|:-|:-|:-|
+|**Mail-enabled**|Yes|Yes|No|Yes|Yes|
+|**Dynamic membership in Azure AD**|Yes|No|Yes|No|No|
+
+All of these group types can be used with Power Automate.
+ ## Microsoft 365 groups Microsoft 365 groups are used for collaboration between users, both inside and outside your company. With each Microsoft 365 group, members get a group email and shared workspace for conversations, files, and calendar events, Stream and a Planner.
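Review bot: The added sentence "Some groups allow dynamic membership or email." above the new table is too loose to guide a choice of group type, because "allow email" does not say that the group itself is mail-enabled. The table carries the distinction an admin needs for access control (Security groups: dynamic membership but not mail-enabled; Mail-enabled security groups: mail-enabled but no dynamic membership), so suggest wording such as "Some group types are mail-enabled or support dynamic membership in Azure AD, as shown in the following table." The empty first header cell should also get a label.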
compliance Advanced Ediscovery Large Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/advanced-ediscovery-large-cases.md
+
+ Title: "Large cases in Advanced eDiscovery"
+f1.keywords:
+- NOCSH
++++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+search.appverid:
+- MOE150
+- MET150
+description: "Use large cases in Advanced eDiscovery so you can add more items to review sets and take advantage of other increased limits."
++
+# Use large cases in Advanced eDiscovery
+
+More organizations are using the Advanced eDiscovery solution in Microsoft 365 for critical eDiscovery processes. This includes responding to regulatory requests, investigations, and litigation. As usage of Advanced eDiscovery increases, a common customer requirement is to expand the total amount of content that can be managed in a single Advanced eDiscovery case. To help accommodate significant increases in case size, both for total data volume and the total number of items, you can now choose a large case format when you create an Advanced eDiscovery case.
+
+## Create a large case
+
+To create a large case:
+
+1. Go to <https://compliance.microsoft.com> and sign in.
+
+2. In the left navigation pane of the Microsoft 365 compliance center, click **eDiscovery > Advanced**.
+
+3. On the **Advanced eDiscovery** page, click the **Cases** tab, and then click **Create a case**.
+
+ The **New eDiscovery case** flyout page is displayed. The **Case format** section provides the option to create a large case. Choose this case type if you need to collect a large amount of content in a short period of time.
+
+ ![Large case option on the New eDiscovery case page](..\media\AeDLargeCases1.png)
+
+4. After naming the case, select the **Large case** option, and then click **Save** to create the large case.
+
+## Benefits of large cases
+
+The new large case format allows you to manage cases that contain over 40 million items. This capability helps you effectively manage large volumes of case data through the entire eDiscovery workflow.
+
+Here's a list of other benefits of large cases in Advanced eDiscovery workflow.
+
+- **Collection**: In the large case format, you can collect up to 1 TB of data for a single collection.
+
+ For each large case, the collection settings will default to collect Cloud Attachments and contextual Teams and Yammer content. These settings help to collect the full picture of digital communications within an investigation. For Teams and Yammer contextual conversations, the large case format will convert time-based snapshots of 1:1, 1: N and Channel conversations into html transcripts to help provide context of conversations and reduce total number of items produced by chat-based content.
+
+- **Review**: Each review set will support up to 1 TB of pre-expansion content. Additional metadata will be available for filters and queries including Team name, channel name and conversation name for Teams content. Each transcript will include time-based content for before and after the responsive item. For Channel conversations, the root post and all replies will be collected for responsive content.
+
+- **Export**: You can export large sets of content in a single export job. The large case format lets you can export 5 million documents or 500 GB, whichever is smaller in an export job.
+
+Additionally, the new large case format includes an updated user interface that displays the total size of each review set in the case. Review set sizes are displayed in a column on the **Review sets** tab and in a flyout pane that persists of every tab in the case.
+
+![Large case statistics in Advanced eDiscovery user interface](..\media\LargeCaseUI.png)
+
+## Frequently asked questions
+
+**If I attempt to collect over 1 TB in a single collection, will it work?**
+
+The performance will be negatively impacted and may cause instability in some instances.
+
+**If cloud attachments are included by default in the large case format; how can I remove that content from my review experience?**
+
+Use review set filters to filter by message kind or to exclude cloud attachments by using the HasAttachment filter. For more information, see [Query and filter content in a review set](review-set-search.md).
+
+**When exporting chat conversation transcripts, will the load file contain all of the expanded metadata and a single item for each transcript?**
+
+All metadata for a conversation is embedded in the HTML transcript file. Many of the common fields are available in the load file. For more information about exported metadata, see [Document metadata fields in Advanced eDiscovery](document-metadata-fields-in-Advanced-eDiscovery.md).
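Review bot: The first FAQ answer ("The performance will be negatively impacted and may cause instability in some instances.") does not answer the question asked: it should state whether a collection over 1 TB is blocked, truncated or allowed to proceed, since the Collection bullet gives 1 TB as the limit for a single collection. Smaller points in the same file: "lets you can export" in the Export bullet, "persists of every tab" in the review set paragraph, and "1: N" with a stray space in the Collection text. Both image links use backslashes (`..\media\AeDLargeCases1.png`, `..\media\LargeCaseUI.png`), while the litigation hold article in this same update uses `../media/...`; suggest forward slashes here too.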
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
You can learn more about these configuration options from the DLP documentation:
Also similarly to DLP policy configuration, you can choose whether a condition must detect all sensitive information types, or just one of them. And to make your conditions more flexible or complex, you can add [groups and use logical operators between the groups](data-loss-prevention-policies.md#grouping-and-logical-operators). > [!NOTE]
-> Auto-labeling policies that are based on custom sensitive information types apply only to newly created or modified content in OneDrive and SharePoint; not to existing content.
+> Auto-labeling based on custom sensitive information types applies only to newly created or modified content in OneDrive and SharePoint; not to existing content. This limitation also applies to auto-labeling polices.
### Configuring trainable classifiers for a label
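Review bot: The added note ends with "auto-labeling polices", which should read "auto-labeling policies". The two sentences could also be merged so the scope is stated once, for example "Auto-labeling (including auto-labeling policies) based on custom sensitive information types applies only to newly created or modified content in OneDrive and SharePoint; not to existing content."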
Make sure you're aware of the prerequisites before you configure auto-labeling p
- At the time the auto-labeling policy runs, the file mustn't be open by another process or user. A file that's checked out for editing falls into this category. - If you plan to use [custom sensitive information types](sensitive-information-type-learn-about.md) rather than the built-in sensitivity types:
- - Custom sensitivity information types apply only to content that is added or modified in SharePoint or OneDrive after the custom sensitivity information types are enforced.
+ - Custom sensitivity information types apply only to content that is added or modified in SharePoint or OneDrive after the custom sensitivity information types are created.
- To test new custom sensitive information types, create them before you create your auto-labeling policy, and then create new documents with sample data for testing. - One or more sensitivity labels [created and published](create-sensitivity-labels.md) (to at least one user) that you can select for your auto-labeling policies. For these labels:
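Review bot: The changed sub-bullet says "Custom sensitivity information types" twice, while the parent bullet and the following bullet say "custom sensitive information types"; the term should be consistent. With "enforced" replaced by "created", the sentence now depends on the creation time of the type, so it would help to say that explicitly: content added or modified before the custom type was created is not evaluated.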
compliance Communication Compliance Feature Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-feature-reference.md
search.appverid:
You create communication compliance policies for Microsoft 365 organizations in the Microsoft 365 compliance center. Communication compliance policies define which communications and users are subject to review in your organization, define which custom conditions the communications must meet, and specify who should do reviews. Users assigned the *Communication Compliance Admin* role can set up policies, and anyone who has this role assigned can access the **Communication compliance** page and global settings in the Microsoft 365 compliance center. If needed, you can export the history of modifications to a policy to a .csv (comma-separated values) file that also includes the status of alerts pending review, escalated items, and resolved items. Policies can't be renamed and can be deleted when no longer needed.
-> [!NOTE]
-> Supervision policies created in the Security & Compliance Center for Office 365 subscriptions cannot migrate to Microsoft 365. If you're migrating from an Office 365 subscription to a Microsoft 365 subscription, you'll need to create new communication compliance polices to replace existing Supervision policies.
- ## Policy templates Policy templates are pre-defined policy settings that you can use to quickly create policies to address common compliance scenarios. Each of these templates has differences in conditions and scope, and all templates use the same types of scanning signals. You can choose from the following policy templates:
Policy templates are pre-defined policy settings that you can use to quickly cre
Communications are scanned every 24 hours from the time policies are created. For example, if you create an offensive language policy at 11:00 AM, the policy will gather communication compliance signals every 24 hours at 11:00 AM daily. Editing a policy doesn't change this time. To view the last scan date and time for a policy, navigate to the *Last policy scan* column on the **Policy** page. After creating a new policy, it may take up to 24 hours to view the first policy scan date and time. The date and time of the last scan are converted to the time zone of your local system.
-## Pausing a policy (preview)
+## Pause a policy (preview)
After you've created a communication compliance policy, the policy may be temporarily paused if needed. Pausing a policy may be used for testing or troubleshooting policy matches, or for optimizing policy conditions. Instead of deleting a policy in these circumstances, pausing a policy also preserves existing policy alerts and messages for ongoing investigations and reviews. Pausing a policy prevents inspection and alert generation for all user message conditions defined in the policy for the time the policy is paused. To pause or restart a policy, users must be a member of the *Communication Compliance Admin* role group.
The policy status for paused policies may indicate several states:
To resume a policy, navigate to the **Policy** page, select a policy, and then select **Resume policy** from the actions toolbar. On the **Resume policy** pane, confirm you'd like to resume the policy by selecting **Resume**. In some cases, it may take up to 24 hours for a policy to be resumed. Once the policy is resumed, alerts for messages matching the policy will be created and will be available for investigation, review, and remediation.
+## Copy a policy (preview)
+
+For organizations with existing communication compliance policies, there may be scenarios when creating a new policy from an existing policy may be helpful. Copying a policy creates an exact duplicate of an existing policy, including all in-scope users, all assigned reviewers, and all policy conditions. Some scenarios may include:
+
+- **Policy storage limit reached**: Active communication compliance policies have message storage limits. When the storage limit for a policy is reached, the policy is automatically deactivated. Organizations that need to continue to detect, capture, and act on inappropriate messages covered by the deactivated policy can quickly create a new policy with an identical configuration.
+- **Detect and review inappropriate messages for different groups of users**: Some organizations may prefer to create multiple policies with the same configuration but include different in-scope users and different reviewers for each policy.
+- **Similar policies with small changes**: For policies with complex configurations or conditions, it may save time to create a new policy from a similar policy.
+
+To copy a policy, users must be a member of the *Communication Compliance* or *Communication Compliance Admin* role groups. After a new policy is created from an existing policy, it may take up to 24 hours to view messages that match the new policy configuration.
+
+To copy a policy and create a new policy, complete the following steps:
+
+1. Select the policy you want to copy.
+2. Select **Copy policy** command bar button on the command bar, or select **Copy policy** from the action menu for the policy.
+3. In the **Copy policy** pane, you can accept the default name for the policy in the **Policy name** field or rename the policy. The policy name for the new policy cannot be the same as an existing active or deactivated policy. Complete the **Description** field as needed.
+4. If you don't need further customization of the policy, select **Copy policy** to complete the process. If you need to update the configuration of the new policy, select **Customize policy**. This starts the policy wizard to help you update and customize the new policy.
+
+## Storage limit notification (preview)
+
+Each communication compliance policy has a storage limit size of 100-GB or 1 million messages, whichever is reached first. As the policy approaches these limits, notification emails are automatically sent to users assigned to the *Communication Compliance* or *Communication Compliance Admin* role groups. Notifications messages are sent when the storage size or message count reach 80, 90, and 95 percent of the limit. When the policy limit is reached, the policy is automatically deactivated, and the policy stops processing messages for alerts.
+
+>[!IMPORTANT]
+>If a policy is deactivated due to reaching the storage and message limits, be sure to evaluate how to manage the deactivated policy. If you delete the policy, all messages, associated attachments, and message alerts will be permanently deleted. If you need to maintain these items for future use, do not delete the deactivated policy.
+
+To manage policies approaching the storage and message limits, consider making a copy of the policy to maintain coverage continuity or take the following actions to help minimize current policy storage size and message counts:
+
+- Consider reducing the number of users assigned to the policy. Removing users from the policy or creating different policies for different groups of users can help slow the growth of policy size and total messages.
+- Examine the policy for excessive false positive alerts. Consider adding exceptions or changes to the policy conditions to ignore common false positive alerts.
+- If a policy has reached the storage or message limits and has been deactivated, make a copy of the policy to continue to detect and take action for the same conditions and users.
+ ## Permissions > [!IMPORTANT]
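Review bot: The new "Copy a policy" section lets members of either *Communication Compliance* or *Communication Compliance Admin* copy a policy, while the "Pause a policy" text above restricts pause and resume to *Communication Compliance Admin*. Because a copy duplicates "all in-scope users, all assigned reviewers, and all policy conditions", please confirm that the broader role is intended and say so in the Permissions section, or align the two requirements. Wording nits: step 2 reads "Select **Copy policy** command bar button on the command bar", and the storage section has "100-GB" used as a noun and "Notifications messages".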
This example returns activities that match your current communication compliance
Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -Operations SupervisionRuleMatch ```
-Communication compliance policy matches are stored in a supervision mailbox for each policy. In some cases, you may need to check the size of your supervision mailbox for a policy to make sure you aren't approaching the current 50-GB limit. If the mailbox limit is reached, policy matches aren't captured and you'll need to create a new policy (with the same settings) to continue to capture matches for the same activities.
+Communication compliance policy matches are stored in a supervision mailbox for each policy. In some cases, you may need to check the size of your supervision mailbox for a policy to make sure you aren't approaching the current 100-GB storage size or 1 million message limit. If the mailbox limit is reached, policy matches aren't captured and you'll need to create a new policy (with the same settings) to continue to capture matches for the same activities.
To check the size of a supervision mailbox for a policy, complete the following steps:
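Review bot: The updated paragraph still says that when "the mailbox limit is reached, policy matches aren't captured and you'll need to create a new policy (with the same settings)", which no longer matches the new "Storage limit notification" section, where the policy is automatically deactivated and copying the policy is the recommended path. Suggest describing the deactivation here as well and pointing to "Copy a policy" instead of telling the reader to rebuild the policy by hand. "Mailbox limit" should also be reworded now that two limits apply (100 GB or 1 million messages).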
compliance Create A Litigation Hold https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-litigation-hold.md
Title: "Create a Litigation Hold"
+ Title: "Create a Litigation hold"
f1.keywords: - NOCSH
localization_priority: Normal search.appverid: MET150 ms.assetid: 39db1659-0b12-4243-a21c-2614512dcb44
-description: "Learn how to place a mailbox on Litigation Hold, retaining all the mailbox content during an investigation."
+description: "Learn how to place a mailbox on Litigation hold, retaining all the mailbox content during an investigation."
- seo-marvel-mar2020 - seo-marvel-apr2020
-# Create a Litigation Hold
+# Create a Litigation hold
-You can place a mailbox on Litigation Hold to retain all mailbox content, including deleted items and the original versions of modified items. When you place a user mailbox on Litigation Hold, content in the user's archive mailbox (if it's enabled) is also retained. When you create a hold, you can specify a hold duration (also called a *time-based hold*) so that deleted and modified items are retained for a specified period and then permanently deleted from the mailbox. Or you can just retain content indefinitely (called an *infinite hold*) or until the Litigation Hold is removed. If you do specify a hold duration period, it's calculated from the date a message is received or a mailbox item is created.
+You can place a mailbox on Litigation hold to retain all mailbox content, including deleted items and the original versions of modified items. When you place a user mailbox on Litigation hold, content in the user's archive mailbox (if it's enabled) is also retained. When you create a hold, you can specify a hold duration (also called a *time-based hold*) so that deleted and modified items are retained for a specified period and then permanently deleted from the mailbox. Or you can just retain content indefinitely (called an *infinite hold*) or until the Litigation hold is removed. If you do specify a hold duration period, it's calculated from the date a message is received or a mailbox item is created.
-Here's what happens when you create a Litigation Hold.
+Here's what happens when you create a Litigation hold.
- Items that are permanently deleted by the user are retained in the Recoverable Items folder in the user's mailbox for the duration of the hold.
Here's what happens when you create a Litigation Hold.
## Assign an Exchange Online Plan 2 license
-To place an Exchange Online mailbox on Litigation Hold, it must be assigned an Exchange Online Plan 2 license. If a mailbox is assigned an Exchange Online Plan 1 license, you would have to assign it a separate Exchange Online Archiving license to place it on hold.
+To place an Exchange Online mailbox on Litigation hold, it must be assigned an Exchange Online Plan 2 license. If a mailbox is assigned an Exchange Online Plan 1 license, you would have to assign it a separate Exchange Online Archiving license to place it on hold.
> [!NOTE]
-> For Office 365 Education organizations, Litigation Hold is supported in Office 365 A1 subscriptions, which include an Exchange Online Plan 1 license with supplemental features. For more information, see the "Exchange Online features" section in the [Office 365 Education service description](/office365/servicedescriptions/office-365-platform-service-description/office-365-education#exchange-online-features).
+> For Office 365 Education organizations, Litigation hold is supported in Office 365 A1 subscriptions, which include an Exchange Online Plan 1 license with supplemental features. For more information, see the "Exchange Online features" section in the [Office 365 Education service description](/office365/servicedescriptions/office-365-platform-service-description/office-365-education#exchange-online-features).
-## Place a mailbox on Litigation Hold
+## Place a mailbox on Litigation hold
-Here are the steps to place a mailbox on Litigation Hold using the Exchange admin center.
+Here are the steps to place a mailbox on Litigation hold using the Microsoft 365 admin center.
-1. Go to [https://outlook.office.com/ecp](https://outlook.office.com/ecp) and sign in using your global administrator account.
+1. Go to <https://admin.microsoft.com> and sign in.
-2. Click **Recipients > Mailboxes** in the left navigation pane.
+2. In the navigation pane of the admin center, click **Users > Active users**.
-3. Select the mailbox that you want to place on Litigation Hold, and then click **Edit**.
+3. Select the user that you want to place on Litigation hold.
-4. On the mailbox properties page, click **Mailbox features**.
-
-5. Under **Litigation hold: Disabled**, click **Enable** to place the mailbox on Litigation Hold.
-
-6. On the **Litigation hold** page, enter the following optional information:
-
- - **Litigation hold duration (days)** - Use this box to create a time-based hold and specify how long mailbox items are held when the mailbox is placed on Litigation Hold. The duration is calculated from the date a mailbox item is received or created. When the hold duration expires for a specific item, that item will no longer be preserved. If you leave this box blank, items are preserved indefinitely or until the hold is removed. Use days to specify the duration.
-
- - **Note** - Use this box to inform the user their mailbox is on Litigation Hold. The note will appear on the Account Information page in the user's mailbox if they're using Outlook 2010 or later. To access this page, users can click **File** in Outlook.
-
- - **URL** - Use this box to direct the user to a website for more information about Litigation Hold. This URL appears on the Account Information page in the user's mailbox if they are using Outlook 2010 or later. To access this page, users can click **File** in Outlook..
+4. On the properties flyout page, click the **Mail** tab, and then under **More actions**, click **Manage litigation hold**.
-7. Click **Save** on the **Litigation hold** page, and then click **Save** on the mailbox properties page.
+ ![Click Manage litigation hold on the Mail tab of user properties flyout page](../media/M365AdminCenterLitHold1.png)
-### Create a Litigation Hold using PowerShell
+5. On the **Manage litigation hold** flyout page, select the **Turn on litigation hold** checkbox and then enter the following optional information:
-You can also create a Litigation Hold by running the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):
+ 1. **Hold duration (days)**: Use this box to create a time-based hold and specify how long mailbox items are held when the mailbox is placed on Litigation hold. The duration is calculated from the date a mailbox item is received or created. When the hold duration expires for a specific item, that item will no longer be preserved. If you leave this box blank, items are preserved indefinitely or until the hold is removed. Use days to specify the duration.
+
+ 2. **Note visible to the user**: Use this box to inform the user their mailbox is on Litigation hold. The note will appear on the Account Information page in the user's mailbox if they're using Outlook 2010 or later. To access this page, users can click **File** in Outlook.
+
+ 3. **Web page with more information for the user**: Use this box to direct the user to a website for more information about Litigation hold. This URL appears on the Account Information page in the user's mailbox if they are using Outlook 2010 or later. To access this page, users can click **File** in Outlook.
+
+6. Click **Save changes** on the **Litigation hold** flyout page to create the hold.
+
+ The system displays a banner saying it might take up to 60 minutes for the change to take effect.
+
+### Create a Litigation hold using PowerShell
+
+You can also create a Litigation hold by running the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell):
```powershell Set-Mailbox <username> -LitigationHoldEnabled $true
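Review bot: Step 1 drops "sign in using your global administrator account" and the new text never says which role is needed to manage a Litigation hold in the Microsoft 365 admin center; the required role should be stated so the task is not assumed to need a global administrator. Step 6 also refers to the "**Litigation hold** flyout page", while steps 4 and 5 call it "**Manage litigation hold**"; use one name throughout.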
The previous command preserves items indefinitely because the hold duration isn'
Set-Mailbox <username> -LitigationHoldEnabled $true -LitigationHoldDuration <number of days> ```
+You can also run the following command to verify if the mailbox is placed on Litigation hold:
+
+```powershell
+Get-Mailbox <username> | FL LitigationHoldEnabled
+```
+
+A value of *True* indicates that the mailbox is on litigation hold/
+ For more information, see [Set-Mailbox](/powershell/module/exchange/set-mailbox).
-## How does Litigation Hold work?
+## How does Litigation hold work?
In the normal deleted item workflow, a mailbox item is moved to the Deletions subfolder in the Recoverable Items folder when a user permanently deletes it (Shift + Delete) or deletes it from the Deleted Items folder. A deletion policy (which is a retention tag configured with a Delete retention action) also moves items to the Deletions subfolder when the retention period expires. When a user purges an item in the Recoverable Items folder or when the deleted item retention period expires for an item, it's moved to the Purges subfolder in the Recoverable Items folder and marked for permanent deletion. It will be purged from Exchange the next time the mailbox is processed by the Managed Folder Assistant (MFA).
-When a mailbox is placed on Litigation Hold, items in the Purges subfolder are preserved for the hold duration specified by the Litigation Hold. The hold duration is calculated from the original date an item was received or created, and defines how long items in the Purges subfolder are held. When the hold duration expires for an item in the Purges subfolder, the item is marked for permanent deletion and will be purged from Exchange the next time the mailbox is processed by the MFA. If an indefinite hold is placed on a mailbox, items will never be purged from the Purges subfolder.
+When a mailbox is placed on Litigation hold, items in the Purges subfolder are preserved for the hold duration specified by the Litigation hold. The hold duration is calculated from the original date an item was received or created, and defines how long items in the Purges subfolder are held. When the hold duration expires for an item in the Purges subfolder, the item is marked for permanent deletion and will be purged from Exchange the next time the mailbox is processed by the MFA. If an indefinite hold is placed on a mailbox, items will never be purged from the Purges subfolder.
The following illustration shows the subfolders in the Recoverable Items folders and the hold workflow process.
-![Litigation Hold life cycle](../media/LitigationHoldLifeCycle.png)
+![Litigation hold life cycle](../media/LitigationHoldLifeCycle.png)
> [!NOTE] > If a hold associated with an eDiscovery case is placed on a mailbox, purged items are moved from the Deletions subfolder to the DiscoveryHolds subfolder and are preserved until the mailbox is released from the eDiscovery hold.
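Review bot: The added verification sentence ends with a stray slash ("the mailbox is on litigation hold/") and uses lowercase "litigation hold" where the rest of this change standardizes on "Litigation hold". Since the preceding command can set `-LitigationHoldDuration`, consider showing that property in the check as well (for example `FL LitigationHoldEnabled,LitigationHoldDuration`) so a time-based hold can be confirmed, and mention that the admin center warns the change can take up to 60 minutes to take effect.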
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
Although a retention policy can support multiple services that are identified as
- Exchange public folders - Teams channel messages - Teams chats
+- Teams private channel messages
- Yammer community messages - Yammer user messages
compliance Document Metadata Fields In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-metadata-fields-in-Advanced-eDiscovery.md
The following table lists the metadata fields for documents in a review set in a
|Compound Path|CompoundPath|Compound_path|Human readable path that describes the source of the item.| |Content*|Content||Extracted text of the item.| |Conversation Body|Conversation Body||Conversation body of the item.|
-|Conversation Topic|Conversation Topic||Conversation topic of the item.|
-|Conversation ID|ConversationId|Conversation_ID|Conversation Id from the message.|
+|Conversation ID|ConversationId|Conversation_ID|Conversation Id from the message. For Teams 1:1 and group chats, all transcript files and their family items within the same conversation share the same Conversation ID. For more information, see [Advanced eDiscovery workflow for content in Microsoft Teams](teams-workflow-in-advanced-ediscovery.md). |
|Conversation Index||Conversation_index|Conversation index from the message.|
+|Conversation Name | |ConversationName|Name of the channel in Teams. The format of the name depends on the type of channel: <br/>Teams channel chats and private channel chats: <Name of team, name of channel> <br/>Teams 1:1 and group chats: Display name and email address of all chat participants<br/>Yammer community: Community name + first 120 chars of a post<br/>Yammer private: Sender name and email address + first 120 chars of a message|
|Conversation Pdf Time|ConversationPdfTime||Date when the PDF version of the conversation was created.| |Conversation Redaction Burn Time|ConversationRedactionBurnTime||Date when the PDF version of the conversation was created for Chat.|
+|Conversation Topic|Conversation Topic||Conversation topic of the item.|
+|Conversation Type| ConversationType|ConversationType| The type of chat conversation. Values are: <br/> Teams 1:1 and group chats and all Yammer conversations: **Group** for<br/>Teams channels and private channels: **Channel**|
+|Contains Edited Message |ContainsEditedMessage|ContainsEditedMessage|Indicates if the Teams chat transcript includes an edited message
|||Converted_file_path|The path of the converted export file. For internal Microsoft use only.|
-|Document date created|CreatedTime|Doc_date_created|Create date from document metadata.|
|Custodian|Custodian|Custodian|Name of the custodian the item was associated with.|
-|Date|Date|Date|Date is a computed field that depends on the file type.<br /><br />Email: Sent date<br />Email attachments: Last modified date of the document;if not available, the parent's Sent date<br />Embedded documents: Last modified date of the document; if not available, the parent's last modified date<br />SPO documents (includes modern attachments): SharePoint Last modified date; if not available, the documents last modified date<br />Non-Office 365 documents: Last modified date<br />Meetings: Meeting start date<br />VoiceMail: Sent date<br />IM: Sent date|
-|Other paths|Dedupedcompoundpath|Deduped_compound_path|List of compound paths of documents that are exact duplicates (email: based on content, documents: based on hash).|
-|Other custodians|DedupedCustodians|Deduped_custodians|List of custodians of documents that are exact duplicates (for email, based on content; for documents, based on hash).|
-|Other file IDs|DedupedFileIds|Deduped_file_IDs|List of file IDs of documents that are exact duplicates (for email, based on content; for documents, based on hash).|
+|Date|Date|Date|Date is a computed field that depends on the file type.<br /><br />Email: Sent date<br />Email attachments: Last modified date of the document;if not available, the parent's Sent date<br />Embedded documents: Last modified date of the document; if not available, the parent's last modified date<br />SPO documents (includes modern attachments): SharePoint Last modified date; if not available, the documents last modified date<br />Non-Office 365 documents: Last modified date<br />Meetings: Meeting start date<br />VoiceMail: Sent date<br />IM: Sent date<br />Teams: Sent date|
|Document comments|DocComments|Doc_comments|Comments from the document metadata.| |Document company||Doc_company|Company from the document metadata.|
+|Document date created|CreatedTime|Doc_date_created|Create date from document metadata.|
|DocIndex*|||The index in the family. **-1** or **0** means it is the root.| |Document keywords||Doc_keywords|Keywords from the document metadata.| |Document modified by||Doc_modified_by|Last modified date by from document metadata.|
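Review bot: The added `Contains Edited Message` row is never closed: its description stops at "includes an edited message" with no final period and no trailing `|`, unlike every other row in the table, so close the cell before the `Converted_file_path` row. Two smaller points on the other added rows: `Conversation Topic` puts `Conversation Topic` (with a space) in the second column where neighbouring rows use a single token such as `ConversationType` or `ConversationPdfTime`, and the `Conversation Type` description reads "**Group** for<br/>Teams channels", where the "for" looks left over from an earlier wording.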
The following table lists the metadata fields for documents in a review set in a
|||Extracted_text_path|The path to the extracted text file in the export.| |ExtractedTextLength*||Extracted_text_length|Number of characters in the extracted text.| |FamilyDuplicateSet*||Family_duplicate_set|Numeric identifier for families that are exact duplicates of each other (same content and all the same attachments).|
-|Family ID|FamilyId|Family_ID|Groups together all items for email. This includes the message and all attachments and extracted items.|
+|Family ID|FamilyId|Family_ID|Groups together attachments and extracted items from email and chats with its parent item. This includes the chat or email and all attachments and extracted items.|
|Family Size||Family_size|Number of documents in the family.|
-|File class|FileClass|File_class|For content from SharePoint and OneDrive: **Document**; for content from Exchange: **Email** or **Attachment**.|
+|File class|FileClass|File_class|For content from SharePoint and OneDrive: **Document**. <br/>For content from Exchange: **Email** or **Attachment**. <br/>For content from Teams or Yammer: **Conversations**. |
|File ID|FileId|File_ID|Document identifier unique within the case.| |File system date created||File_system_date_created|Created date from file system (only applies to non-Office 365 data).| |File system date modified||File_system_date_modified|Modified date from file system (only applies to non-Office 365 data).| |File Type|FileType||File type of the item based on file extension.| |Group Id|Group Id|Group_ID|Groups together all items for email and documents. For email, this includes the message and all attachments and extracted items. For documents, this includes the document and any embedded items.|
-|Has attachment|HasAttachment|Email_has_attachment|Indicates whether or not the message has attachments.|
+|Has attachment|EmailHasAttachment|Email_has_attachment|Indicates whether or not the message has attachments.|
|Has attorney|HasAttorney||**True** when at least one of the participants is found in the attorney list; otherwise, the value is **False**.| |HasText*||Has_text|Indicates whether or not the item has text; possible values are **True** and **False**.| |Immutable ID||Immutable_ID|This Id is used to uniquely identify a document within a review set. This field can't be used in a review set search and the Id can't be used to access a document in its native location.|
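Review bot: The `Family ID` row is widened to cover chats, but the `Group Id` row kept as context in this hunk still says it groups items "for email and documents" only, so the two grouping fields now describe different scopes; update `Group Id` in the same change or say that it does not apply to chats. In the new `Family ID` text, "with its parent item" should be "with their parent item", and the second sentence largely repeats the first. The `Has attachment` row also changes its second column from `HasAttachment` to `EmailHasAttachment`; confirm that this is a real rename and not a copy of the third column's `Email_has_attachment`.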
The following table lists the metadata fields for documents in a review set in a
|O365 date created||O365_date_created|Created date from SharePoint.| |O365 date modified||O365_date_modified|Last modified date from SharePoint.| |O365 modified by||O365_modified_by|Modified by from SharePoint.|
+|Other custodians|DedupedCustodians|Deduped_custodians|List of custodians of documents that are exact duplicates (for email, based on content; for documents, based on hash).|
+|Other file IDs|DedupedFileIds|Deduped_file_IDs|List of file IDs of documents that are exact duplicates (for email, based on content; for documents, based on hash).|
+|Other paths|Dedupedcompoundpath|Deduped_compound_path|List of compound paths of documents that are exact duplicates (email: based on content, documents: based on hash).|
|Parent ID|ParentId|Parent_ID|Id of the item's parent.| |ParentNode||Parent_node|The closest preceding email message in the email thread.| |Participant domains|ParticipantDomains|Email_participant_domains|List of all domains of participants of a message.|
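Review bot: The three `Other ...` rows moved here for alphabetical order are not worded alike: `Other paths` has "(email: based on content, documents: based on hash)" while the other two have "(for email, based on content; for documents, based on hash)", and `Dedupedcompoundpath` is the only second-column value of the three that is not in the camel case of `DedupedCustodians` and `DedupedFileIds`. Since the rows are being touched anyway, align the wording and confirm the casing.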
The following table lists the metadata fields for documents in a review set in a
|Sender|Sender|Email_sender|Sender (From) field for message types. Format is **DisplayName \<SmtpAddress>**.| |Sender/Author|SenderAuthor||Calculated field comprised of the sender or author of the item.| |Sender domain|SenderDomain|Email_sender_domain|Domain of the sender.|
-|Sent|Sent|Email_date_sent|Sent date of the message.|
+|Sent|Sent|Email_date_sent|Sent date of the message.<br/>Chats: Beginning date from the transcript|
|Set Order: Inclusive First|SetOrderInclusivesFirst|Set_order_inclusives_first|Sorting field - email and attachments: counter-chronological; documents: pivot first then by descending similarity score.| |Set ID||Set_ID|Documents of similar content (ND_set) or email within the same email thread (Email_set) share the same Set_ID.| |SimilarityPercent||Similarity_percent|Indicates how similar a document is to the pivot of the near duplicate set.|
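Review bot: The text added to the `Sent` row, "Chats: Beginning date from the transcript", uses "Chats" where the updated `Date` row uses "IM" and "Teams" for what appear to be the same item types, and it lacks the final period the first sentence has. Pick one term for both rows, and say whether "Teams: Sent date" in `Date` and "Beginning date from the transcript" here refer to the same value for a chat transcript.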
The following table lists the metadata fields for documents in a review set in a
|Subject|Subject|Email_subject|Subject of the message.| |Subject/Title|SubjectTitle||Calculated field comprised of the subject or title of the item.| |Tags|Tags|Tags|Tags applied in a review set.|
+|Teams Channel Name|TeamsChannel|Channel_Name|Name of the channel in Microsoft Teams.|
|Themes list|ThemesList|Themes_list|Themes list as calculated for analytics.|
-|Title|Title|Doc_title|Title from the document metadata.|
+|Title|Title|Doc_title|Title from the document metadata. Title from the document metadata. For Teams and Yammer content, this is the value from the ConversationName property.|
|To|To|Email_to|To field for message types. Format is **DisplayName\<SmtpAddress>**| |Unique in email set|UniqueInEmailSet||**False** if there's a duplicate of the attachment in its email set.| |Version Group ID||Version_Group_Id|Groups together the different versions of the same document.|
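Review bot: The new `Title` description repeats its first sentence ("Title from the document metadata. Title from the document metadata."); drop the duplicate so the row reads "Title from the document metadata. For Teams and Yammer content, this is the value from the ConversationName property."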
compliance Importing Pst Files To Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/importing-pst-files-to-office-365.md
Here are some frequently asked questions about using the Office 365 Import servi
### Using network upload to import PST files
- **What permissions are required to create import jobs in the Office 365 Import Service?**
+#### What permissions are required to create import jobs in the Office 365 Import Service using network upload?
You have to be assigned the Mailbox Import Export role in Exchange Online to import PST files to Microsoft 365 mailboxes. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group. Or you can create a new role group, assign the Mailbox Import Export role, and then add yourself or other users as a member. For more information, see the "Add a role to a role group" or the "Create a role group" sections in [Manage role groups in Exchange Online](/Exchange/permissions-exo/role-groups).
Additionally, to create import jobs in the Security & Compliance Center, one of
> [!TIP] > Consider creating a new role group in Exchange Online that's specifically intended for importing PST files to Office 365. For the minimum level of privileges required to import PST files, assign the Mailbox Import Export and Mail Recipients roles to the new role group, and then add members.
- **Where is network upload available?**
+#### Where is network upload available?
Network upload is currently available in these regions: United States, Canada, Brazil, the United Kingdom, France, Germany, Switzerland, Norway, Europe, India, East Asia, Southeast Asia, Japan, Republic of Korea, Australia, and United Arab Emirates (UAE). Network upload will be available in more regions soon.
- **What is the pricing for importing PST files by using network upload?**
+#### What is the pricing for importing PST files by using network upload?
Using network upload to import PST files is free. This also means that after PST files are deleted from the Azure Storage area, they're no longer displayed in the list of files for a completed import job in the Microsoft 365 admin center. Although an import job might still be listed on the **Import data to Office 365** page, the list of PST files might be empty when you view the details of older import jobs.
- **What version of the PST file format is supported for importing to Office 365?**
+#### What version of the PST file format is supported for importing to Office 365?
There are two versions of the PST file format: ANSI and Unicode. We recommend importing files that use the Unicode PST file format. However, files that use the ANSI PST file format, such as those for languages that use a double-byte character set (DBCS), can also be imported to Office 365. For more information about importing ANSI PST files, see Step 4 in [Use network upload to import PST files to Office 365](./use-network-upload-to-import-pst-files.md). Additionally, PST files from Outlook 2007 and later versions can be imported to Office 365.
- **After I upload my PST files to the Azure Storage area, how long are they kept in Azure before they're deleted?**
+#### After I upload my PST files to the Azure Storage area, how long are they kept in Azure before they're deleted?
When you use the network upload method to import PST files, you upload them to an Azure blob container named `ingestiondata`. If there are no import jobs in progress on the **Import PST files** page in the Security & Compliance Center), then all PST files in the `ingestiondata` container in Azure are deleted 30 days after the most recent import job was created in the Security & Compliance Center. That also means you have to create a new import job in the Security & Compliance Center (described in Step 5 in the network upload instructions) within 30 days of uploading PST files to Azure. This also means that after PST files are deleted from the Azure Storage area, they're no longer displayed in the list of files for a completed import job in the Security & Compliance Center. Although an import job might still be listed on the **Import PST files** page in the Security & Compliance Center, the list of PST files might be empty when you view the details of older import jobs.
- **How long does it take to import a PST file to a mailbox?**
+#### How long does it take to import a PST file to a mailbox using network upload?
It depends on the capacity of your network, but it typically takes several hours for each terabyte (TB) of data to be uploaded to the Azure Storage area for your organization. After the PST files are copied to the Azure Storage area, a PST file is imported to a Microsoft 365 mailbox at a rate of approximately 24 GB per day<sup>\*</sup>. If this rate doesn't meet your needs, you might consider other methods to get email data into Office 365. For more information, see [Ways to migrate multiple email accounts to Office 365](/Exchange/mailbox-migration/mailbox-migration). <sup>\*</sup> This rate is not guaranteed. Server workload and transient performance issues might decrease this rate.
-If different PST files are imported to different target mailboxes, the import process occurs sequentially (one at a time) and throttling occurs.
+If different PST files are imported to different target mailboxes, the import process occurs in parallel; in other words, each PST/mailbox pair is imported simultaneously. If multiple PST files are imported to the same mailbox, they will be imported sequentially (one at a time), not simultaneously.
- **How does the PST import process handle duplicate email items?**
+#### How does the PST import process handle duplicate email items?
The PST import process checks for duplicate items and doesn't copy the items from a PST file to the mailbox or archive if a matching item exists in the target folder in the target mailbox or target archive. If you reimport the same PST file and specify a different target folder (using the TargetRootFolder property in the PST import mapping file) than the one you specified in a previous import job, all items in the PST file will be reimported.
- **Is there a message size limit when importing PST files?**
+#### Is there a message size limit when importing PST files using network upload?
Yes. If a PST file contains a mailbox item that is larger than 150 MB, the item will be skipped and not imported during the import process. Items larger than 150 MB aren't imported because 150 MB is the message size limit in Exchange Online. For more information, see [Message limits in Exchange Online](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#message-limits).
- **Are message properties, such as when the message was sent or received, the list of recipients and other properties, preserved when PST files are imported to a Microsoft 365 mailbox?**
+#### Are message properties, such as when the message was sent or received, the list of recipients and other properties, preserved when PST files are imported to a Microsoft 365 mailbox using network upload?
Yes. The original message metadata isn't changed during the import process.
- **Is there a limit to the number of levels in a folder hierarchy for a PST file that I want to import to a mailbox?**
+#### Is there a limit to the number of levels in a folder hierarchy for a PST file that I want to import to a mailbox using network upload?
Yes. You can't import a PST file that has 300 or more levels of nested folders.
- **Can I use network upload to import PST files to an inactive mailbox in Office 365?**
+#### Can I use network upload to import PST files to an inactive mailbox in Office 365?
Yes, this capability is now available.
- **Can I use network upload to import PST files to an online archive mailbox in an Exchange hybrid deployment?**
+#### Can I use network upload to import PST files to an online archive mailbox in an Exchange hybrid deployment?
Yes, this capability is now available.
- **Can I use network upload to import PST files to public folders in Exchange Online?**
+#### Can I use network upload to import PST files to public folders in Exchange Online?
No, you can't import PST files to public folders. ### Using drive shipping to import PST files
- **What permissions are required to create import jobs in the Office 365 Import Service?**
+#### What permissions are required to create import jobs in the Office 365 Import Service using drive shipping?
You have to be assigned the Mailbox Import Export role to import PST files to Microsoft 365 mailboxes. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group. Or you can create a new role group, assign the Mailbox Import Export role, and then add yourself or other users as a member. For more information, see the "Add a role to a role group" or the "Create a role group" sections in [Manage role groups in Exchange Online](/Exchange/permissions-exo/role-groups).
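Review bot: The heading "#### How does the PST import process handle duplicate email items?" did not get the "using network upload" qualifier that the other converted questions in this section received, and the drive shipping section asks the same question in the same words, so the page ends up with two identical headings; qualify both the way the rest were. Separately, the replaced concurrency sentence reverses the earlier statement (sequential becomes parallel for different target mailboxes) and drops "and throttling occurs"; if throttling still applies, keep that clause.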
Additionally, to create import jobs in the Security & Compliance Center, one of
> [!TIP] > Consider creating a new role group in Exchange Online that's specifically intended for importing PST files to Office 365. For the minimum level of privileges required to import PST files, assign the Mailbox Import Export and Mail Recipients roles to the new role group, and then add members.
- **Where is drive shipping available?**
+#### Where is drive shipping available?
Drive shipping is currently available in the United States, Canada, Brazil, the United Kingdom, Europe, India, East Asia, Southeast Asia, Japan, Republic of Korea, and Australia. Drive shipping will be available in more regions soon. > [!NOTE] > At this time, drive shipping to import PST files is not available in Germany and Switzerland. This FAQ will be updated when drive shipping is available in these countries.
- **What commercial licensing agreements support drive shipping?**
+#### What commercial licensing agreements support drive shipping?
Drive shipping to import PST files to Microsoft 365 is available through a Microsoft Enterprise Agreement (EA). Drive shipping isn't available through a Microsoft Products and Services Agreement (MPSA).
- **What is the pricing for using drive shipping to import PST files to Microsoft 365?**
+#### What is the pricing for using drive shipping to import PST files to Microsoft 365?
The cost to use drive shipping to import PST files to Microsoft 365 mailboxes is $2 USD per GB of data. For example, if you ship a hard drive that contains 1,000 GB (1 TB) of PST files, the cost is $2,000 USD. You can work with a partner to pay the import fee. For information about finding a partner, see [Find your Microsoft partner or reseller](../admin/manage/find-your-partner-or-reseller.md).
- **What kind of hard drives are supported for drive shipping?**
+#### What kind of hard drives are supported for drive shipping?
Only 2.5-inch solid-state drives (SSDs) or 2.5 inch or 3.5 inch SATA II/III internal hard drives are supported for use with the Office 365 Import service. You can use hard drives up to 10 TB. For import jobs, only the first data volume on the hard drive will be processed. The data volume must be formatted with NTFS. When copying data to a hard drive, you can attach it directly using a 2.5 inch SSD or 2.5 inch or 3.5 inch SATA II/III connector or you can attach it externally using an external 2.5 inch SSD or 2.5 inch or 3.5 inch SATA II/III USB adaptor. > [!IMPORTANT] > External hard drives that come with an built-in USB adaptor aren't supported by the Office 365 Import service. Additionally, the disk inside the casing of an external hard drive can't be used. Please don't ship external hard drives.
- **How many hard drives can I ship for a single import job?**
+#### How many hard drives can I ship for a single import job?
You can ship a maximum of 10 hard drives for a single import job.
- **After I ship my hard drive, how long does it take to get to the Microsoft datacenter?**
+#### After I ship my hard drive, how long does it take to get to the Microsoft datacenter?
That depends on a few things, such as your proximity to the Microsoft data center and what kind of shipping option you used to ship your hard drive (such as, next-day delivery, two-day delivery, or ground-delivery). With most shippers, you can use the tracking number to track the status of your delivery.
- **After my hard drive arrives at the Microsoft datacenter, how long does it take to upload my PST files to Azure?**
+#### After my hard drive arrives at the Microsoft datacenter, how long does it take to upload my PST files to Azure?
After your hard drive is received at the Microsoft data center, it will take between 7 to 10 business days to upload the PST files to the Azure Storage location for your organization. The PST files will be uploaded to an Azure blob container named `ingestiondata`.
- **How long does it take to import a PST file to a mailbox?**
+#### How long does it take to import a PST file to a mailbox using drive shipping?
After the PST files are uploaded to the Azure Storage area, Microsoft 365 analyzes the data in the PST files (in a safe and secure manner) to identify the age of the items and the different message types included in the PST files. When this analysis is complete, you'll have the option to import all the data in the PST files or set filters to that control what data gets imported. After you start the import job, a PST file is imported to a Microsoft 365 mailbox at a rate of at least 24 GB per day. If this rate doesn't meet your needs, you might consider other methods to get email data into Microsoft 365. For more information, see [Ways to migrate multiple email accounts to Microsoft 365](/Exchange/mailbox-migration/mailbox-migration).
-If different PST files are imported to different target mailboxes, the import process occurs in parallel; in other words, each PST/mailbox pair is imported simultaneously. Likewise, if multiple PST files are imported to the same mailbox, they will be simultaneously imported.
+If different PST files are imported to different target mailboxes, the import process occurs in parallel; in other words, each PST/mailbox pair is imported simultaneously. If multiple PST files are imported to the same mailbox, they will be imported sequentially (one at a time), not simultaneously.
- **After Microsoft uploads my PST files to Azure, how long are they kept in Azure before they're deleted?**
+#### After Microsoft uploads my PST files to Azure, how long are they kept in Azure before they're deleted?
All PST files in the Azure Storage location for your organization (in blob container named `ingestiondata`), are deleted 30 days after the most recent import job was created on the **Import PST files** page in the Security & Compliance Center. This also means that after PST files are deleted from the Azure Storage area, they're no longer displayed in the list of files for a completed import job in the Security & Compliance Center. Although an import job might still be listed on the **Import PST files** page in the Security & Compliance Center, the list of PST files might be empty when you view the details of older import jobs.
- **What version of the PST file format is supported for importing to Microsoft 365?**
+#### What version of the PST file format is supported for importing to Microsoft 365?
There are two versions of the PST file format: ANSI and Unicode. We recommend importing files that use the Unicode PST file format. However, files that use the ANSI PST file format, such as those for languages that use a double-byte character set (DBCS), can also be imported to Microsoft 365. For more information about importing ANSI PST files, see Step 3 in [Use drive shipping to import your organization PST files to Microsoft 365](use-drive-shipping-to-import-pst-files-to-office-365.md#step-3-create-the-pst-import-mapping-file). Additionally, PST files from Outlook 2007 and later versions can be imported to Microsoft 365.
- **Is there a message size limit when importing PST files?**
+#### Is there a message size limit when importing PST files using drive shipping?
Yes. If a PST file contains a mailbox item that is larger than 150 MB, the item will be skipped and not imported during the import process. Items larger than 150 MB aren't imported because 150 MB is the message size limit in Exchange Online. For more information, see [Message limits in Exchange Online](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#message-limits).
- **How does the PST import process handle duplicate email items?**
+ **How does the PST import process handle duplicate email items?
The PST import process checks for duplicate items and doesn't copy the items from a PST file to the mailbox or archive if a matching item exists in the target folder in the target mailbox or target archive. If you reimport the same PST file and specify a different target folder (using the TargetRootFolder property in the PST import mapping file) than the one you specified in a previous import job, all items in the PST file will be reimported.
- **Are message properties, such as when the message was sent or received, the list of recipients and other properties, preserved when PST files are imported to a Microsoft 365 mailbox?**
+#### Are message properties, such as when the message was sent or received, the list of recipients and other properties, preserved when PST files are imported to a Microsoft 365 mailbox using drive shipping?
Yes. The original message metadata isn't changed during the import process
- **Is there a limit to the number of levels in a folder hierarchy for a PST file that I want to import to a mailbox?**
+#### Is there a limit to the number of levels in a folder hierarchy for a PST file that I want to import to a mailbox using drive shipping?
Yes. You can't import a PST file that has 300 or more levels of nested folders.
- **Can I use drive shipping to import PST files to an inactive mailbox in Microsoft 365?**
+#### Can I use drive shipping to import PST files to an inactive mailbox in Microsoft 365?
Yes, this capability is now available.
- **Can I use drive shipping to import PST files to an online archive mailbox in an Exchange hybrid deployment?**
+#### Can I use drive shipping to import PST files to an online archive mailbox in an Exchange hybrid deployment?
Yes, this capability is now available.
- **Can I use drive shipping to import PST files to public folders in Exchange Online?**
+#### Can I use drive shipping to import PST files to public folders in Exchange Online?
No, you can't import PST files to public folders.
- **Can Microsoft wipe my hard drive before they ship it back to me?**
+#### Can Microsoft wipe my hard drive before they ship it back to me?
No, Microsoft can't wipe hard drives before shipping them back to customers. Hard drives are returned to you in the same state they were in when they were received by Microsoft.
- **Can Microsoft shred my hard drive instead of shipping it back to me?**
+#### Can Microsoft shred my hard drive instead of shipping it back to me?
No, Microsoft can't destroy your hard drive. Hard drives are returned to you in the same state they were in when they were received by Microsoft.
- **What courier services are supported for return shipping?**
+#### What courier services are supported for return shipping?
If you're a customer in the United States or Europe, Microsoft uses FedEx to return your hard drive. For all other regions, Microsoft uses DHL.
- **What are the return shipping costs?**
+#### What are the return shipping costs?
Return shipping costs vary, depending on your proximity to the Microsoft data center that you shipped your hard drive to. Microsoft will bill your FedEx or DHL account to return your hard drive. The cost of return shipping is your responsibility.
- **Can I use a custom courier shipping service, such as FedEx Custom Shipping, to ship my hard drive to Microsoft?**
+#### Can I use a custom courier shipping service, such as FedEx Custom Shipping, to ship my hard drive to Microsoft?
Yes.
- **If I have to ship my hard drive to another country, is there anything I need to do?**
+#### If I have to ship my hard drive to another country, is there anything I need to do?
The hard drive that you ship to Microsoft might have to cross international borders. If so, you're responsible for ensuring that the hard drive and the data it contains are imported and/or exported in accordance with the applicable laws. Before shipping a hard drive, check with your advisors to verify that your drive and data can legally be shipped to the specified Microsoft data center. This will help to ensure that it reaches Microsoft in a timely manner.
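Review bot: The converted duplicate-items question in the drive shipping section was added as " **How does the PST import process handle duplicate email items?", with an opening `**` that is never closed and no `####`, so it is the one question in this hunk that does not become a heading; make it "#### How does the PST import process handle duplicate email items using drive shipping?" to match the others. With the concurrency paragraph now identical in both sections, the throughput wording around it still differs: network upload says "approximately 24 GB per day" with a note that the rate is not guaranteed, while this section says "at least 24 GB per day"; align the two or explain the difference.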
compliance Privacy Management Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-setup.md
In this article: learn how to set up **access to privacy management** for your o
## Sign up
-Privacy management will be available within the Microsoft 365 compliance center. The public preview of privacy management is available to organizations with E1, E3, and E5 Office 365 and Microsoft 365 enterprise licenses. Upon general availability of privacy management, organizations will need to obtain a new license.
+Privacy management is available within the Microsoft 365 compliance center. The public preview of privacy management is available to organizations with E1, E3, and E5 Office 365 and Microsoft 365 enterprise licenses. Upon general availability of privacy management, organizations will need to obtain a new license.
Note that the public preview of privacy management will not be available to US Government Community (GCC) Moderate, GCC High, or Department of Defense (DoD) customers.
-To get started with the public preview, obtain the preview subscription from the admin center. If you do not yet have the license when you first select privacy management in the compliance center, you will be directed to the admin center to get started. We recommend that the global admin sign in and set user permissions as outlined below when visiting privacy management for the first time. If you donΓÇÖt hold the required role to obtain the subscription or consent to the terms of using privacy management, youΓÇÖll be prompted to contact your global admin for assistance.
+To get started with the public preview, obtain the preview subscription from the admin center. If you do not yet have a subscription when you first select privacy management in the compliance center, you will be directed to the admin center to get started. We recommend that the global admin sign in and set user permissions as outlined below when visiting privacy management for the first time. If you donΓÇÖt hold the required role to obtain the subscription or consent to the terms of using privacy management, youΓÇÖll be prompted to contact your global admin for assistance.
Confirming that you would like to start using privacy management signals that you agree to the terms and the personal data evaluation process. You can review the provided links in full before proceeding.
Role groups can be customized if needed. To avoid accidental loss of access, we
To see the specific roles included in each role group, see the following table.
-| **Role group** | **Roles included** |
+| Role group | Roles included |
|:-- |:--| | Privacy Management | Case Management | | | Data Classification Content Viewer |
compliance Retention Policies Exchange https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-exchange.md
When the retention settings are retain-only, or delete-only, the contents paths
## When a user leaves the organization
-If a user leaves your organization and the user's mailbox is included in a retention policy, the mailbox becomes an inactive mailbox when the user's Microsoft 365 account is deleted. The contents of an inactive mailbox are still subject to any retention policy that was placed on the mailbox before it was made inactive, and the contents are available to an eDiscovery search. For more information, see [Inactive mailboxes in Exchange Online](inactive-mailboxes-in-office-365.md).
+If a user leaves your organization and the user's mailbox is included in a policy for retention, the mailbox becomes an inactive mailbox when the user's Microsoft 365 account is deleted. The contents of an inactive mailbox are still subject to any retention policy that was placed on the mailbox before it was made inactive, and the contents are available to an eDiscovery search. For more information, see [Inactive mailboxes in Exchange Online](inactive-mailboxes-in-office-365.md).
+
+When the retention settings no longer apply because the data is permanently deleted or the retention period has expired, the Exchange admin can now [delete the mailbox](delete-an-inactive-mailbox.md). In this scenario, the inactive mailbox isn't automatically deleted.
## Configuration guidance
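Review bot: The reworded first sentence under "When a user leaves the organization" now says "a policy for retention", but the next sentence of the same paragraph still says "any retention policy that was placed on the mailbox", so it is unclear whether the two phrases cover the same scope. Use one term throughout, or state in the first sentence what "policy for retention" includes. In the added paragraph, "the Exchange admin can now delete the mailbox" reads like a product announcement rather than a condition. Consider leading with the fact that the inactive mailbox isn't automatically deleted, then saying an Exchange admin can delete it once the retention settings no longer apply.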
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
Retention policies can be applied to the following locations:
- Exchange public folders - Teams channel messages - Teams chats
+- Teams private channel messages
- Yammer community messages - Yammer user messages
compliance Teams Workflow In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/teams-workflow-in-advanced-ediscovery.md
+
+ Title: "Teams workflow in Advanced eDiscovery"
+f1.keywords:
+- NOCSH
++++
+audience: Admin
++
+localization_priority: Normal
+search.appverid:
+- MET150
+
+description: "Learn how to preserve, collect, review, and export content from Microsoft Teams in Advanced eDiscovery."
++
+# Advanced eDiscovery workflow for content in Microsoft Teams using large cases
+
+This article provides a comprehensive set of procedures, guidelines, and best practices for using Advanced eDiscovery to preserve, collect, review, and export content from Microsoft Teams. The goal of this article is to help you optimize your eDiscovery workflow for Teams content.
+
+There are four categories of Teams content that you can collect and process using Advanced eDiscovery:
+
+- **Teams 1:1 chats**. Chat messages, posts, and attachments shared in a Teams conversation between two people. Teams 1:1 chats are also called *conversations*.
+
+- **Teams group chats**. Chat messages, posts, and attachments shared in a Teams conversation between three or more people. Also called *1:N* chats or *group conversations*.
+
+- **Teams channels**. Chat messages, posts, replies, and attachments shared in a Teams channel.
+
+- **Private Teams channels**. Message posts, replies, and attachments shared in a private Teams channel.
+
+## Where Teams content is stored
+
+A prerequisite to managing Teams content in Advanced eDiscovery is to understand the type of Teams content that you can collect, process, and review in Advanced eDiscovery and where that content is stored in Microsoft 365. The following table lists Teams content type and where each is stored.
+
+||Location of chat messages and posts |Location of files and attachments |
+|:|:|:|
+|Teams 1:1 chats |Messages in 1:1 chats are stored in the Exchange Online mailbox of all chat participants. |Files shared in a 1:1 chat are stored in the OneDrive for Business account of the person who shared the file. |
+|Teams group chats |Messages in group chats are stored in the Exchange Online mailbox of all chat participants. |Files shared in group chats chat are stored in the OneDrive for Business account of the person who shared the file. |
+|Teams channels |All channel messages and posts are stored in the Exchange Online mailbox associated with the team.|Files shared in a channel are stored in the SharePoint Online site associated with the team. |
+|Private Teams channels |Messages sent in a private channel are stored in the Exchange Online mailboxes of all members of the private channel.|Files shared in a private Channel are stored in a dedicated SharePoint Online site associated with the private channel.|
+||||
+
+## Create a case for Teams content
+
+The first step to managing Teams content in Advanced eDiscovery is to create a case using the large case format that's optimized for managing Teams content. Here's the benefits of using the large case format for Teams content:
+
+- Support for conversation threading, in which additional messages in the same conversation that include responsive items are automatically collected and added to review sets.
+
+- Teams chat conversations are automatically added to review sets as an HTML transcript file. Cloud attachments that are shared in conversations are also added to the review set. This helps provides context to the conversations with responsive items and reduce total number of items produced by chat-based content.
+
+- Collections up to 1 TB can be added to review sets, which let you collect and amounts large amounts of Teams content in a case.
+
+For more information about the increased case limits for large cases, see [Use large cases in Advanced eDiscovery](advanced-ediscovery-large-cases.md).
+
+To create a large case:
+
+1. Go to <https://compliance.microsoft.com> and sign in.
+
+2. In the left navigation pane of the Microsoft 365 compliance center, click **eDiscovery > Advanced**.
+
+3. On the **Advanced eDiscovery** page, click the **Cases** tab, and then click **Create a case**.
+
+ The **New eDiscovery case** flyout page is displayed. The **Case format** section provides the option to create a large case.
+
+ ![Large case option on the New eDiscovery case page](..\media\AeDLargeCases1.png)
+
+4. After naming the case, select the **Large case** option, and then click **Save** to create the large case.
+
+## Add Teams custodial data sources and preserve Teams content
+
+The next step is to identify the users who are the data custodians in your investigation and add them and their content locations as custodians to the case you created in the previous section. When you add custodians, you can specify their mailbox and OneDrive account as custodial data sources. You can also specify Teams content locations as custodian data sources to quickly place these locations on legal hold to preserve content during your investigation. It also makes it easy to collect content and add it to a review set.
+
+To add custodians to a case and preserve custodial data sources:
+
+1. Go to the Advanced eDiscovery case that you created in the previous section, and then click **Data sources**.
+
+2. On the **Data sources** page, click **Add data source** > **Add new custodians**.
+
+3. In the **New custodian** wizard, add one or more users as custodians to the case by typing the first part of the user's name or alias. After you find the correct person, select their name to add them to the list.
+
+4. Expand each custodian to view the primary data sources that have been automatically associated to the custodian, and to select other locations to associate to the custodian.
+
+ ![Custodian data sources](..\media\TeamsCustodialDataLocations1.png)
+
+5. Follow these guidelines to add custodial data sources for Teams content. Click **Edit** to add a data location.
+
+ - **Mailboxes**. The custodian's mailbox is selected by default. Keep this selected to add (and preserve) 1:1 chats, group chats, and private channel chats as custodial data.
+
+ - **OneDrives**. The custodian's OneDrive account is selected by default. Keep this selected to add (and preserve) files shared in 1:1 chats and group chats as custodial data.
+
+ - **SharePoint**. Add the SharePoint site associated with any private channel the custodian is a member of to add (and preserve) as custodial data the files shared in the private channel. Click **Edit** and then add the URL for the SharePoint site associated with a private channel. To learn how to locate the private channels a user is a member of, see [eDiscovery of private channels](/microsoftteams/ediscovery-investigation#ediscovery-of-private-channels).
+
+ - **Teams**. Add the teams that the custodian is a member of to add (and preserve) as custodial data all channel messages and all files shared to a Teams channel. When you click **Edit**, the mailbox and site associated with each team the custodian is a member of are displayed in a list. Select the teams that you want to associate to the custodian. You have to select both the corresponding mailbox and site for each team.
+
+ > [!NOTE]
+ > You can also add the mailbox and site of Teams that custodians aren't members of as a custodian data location. You do this by clicking **Edit** next to **Exchange** and **SharePoint** and then adding the mailbox and site associate with the team.
+
+6. After you add custodians and configure the custodial data sources, click **Next** to display the **Hold settings** page.
+
+ A list of the custodians is displayed and the checkbox in the **Hold** column is selected by default. This indicated that a hold will be placed on the data sources that you associated with each custodian. Leave these checkboxes selected to preserve this data.
+
+7. On the **Hold settings** page, click **Next** to review the custodians settings. Click **Submit** to add the custodians to the case.
+
+For more information about adding and preserving data sources in an Advanced eDiscovery case, see:
+
+- [Add custodians to an Advanced eDiscovery case](add-custodians-to-case.md)
+
+- [Add non-custodial data sources to an Advanced eDiscovery case](non-custodial-data-sources.md)
+
+## Collect Teams content and add to review set
+
+After adding custodians to the case and preserving content in custodian data sources, the next step in the workflow is to search for Teams content that's relevant to your investigation and add it to a review set for further review and analysis. Though it's typical to collect Teams content together with content from other Microsoft 365 services such as email in Exchange and documents in SharePoint, this section will specifically focus on collecting Teams content in a collection. You can create additional collections that collect non-Teams content to add to a review set.
+
+When you collect Teams content for a case, there are two steps in the workflow:
+
+1. **Create a draft collection**. The first step is to create a *draft collection*, which is an estimate of the items that match your search criteria. You can view information about the results that matched the search query, such as the total number and size of items found, the different data sources where they were found, and statistics about the search query. You can also preview a sample of items that were returned by the collection. Using these statistics, you can change the search query and rerun the draft collection as many times as is necessary to narrow the results until you're satisfied you're collecting the content relevant to your case.
+
+2. **Commit a draft collection to a review set**. Once you're satisfied with the results of a draft collection, you can commit the collection to a review set. When you commit a draft collection, the items returned by the collection are added to a review set for review, analysis, and export.
+
+You also have the option of not running a draft collection and adding the collection results directly to a review set when you create and run the collection.
+
+To create a collection of Teams content:
+
+1. Go to the Advanced eDiscovery case that you added the custodians to in the previous section, and then click **Collections**.
+
+2. On the **Collections** page, select **New collection** > **Standard collection**.
+
+3. Type a name (required) and description (optional) for the collection.
+
+4. On the **Custodial data sources** page, click **Select custodians** to select the custodians that you added to the case.
+
+ The list of the case custodians is displayed on the **Select custodians** flyout page.
+
+5. Select one or more custodians and then click **Add**.
+
+ After you add specific custodians to the collection, a list of specific data sources for each custodian is displayed. These are the data sources that you configured when you added the custodian to the case. All custodian data sources are selected by default. This includes any Teams and private channels that you associated with a custodian.
+
+ We recommend doing the following things when collecting Teams content:
+
+ - Remove custodians' OneDrive accounts from the collection scope (by unselecting the checkbox in the **Custodian's OneDrive** column for each custodian). This prevents the collection of duplicate files that were attached to 1:1 chats and group chats. Cloud attachments are automatically collected from each conversation found in the collection when you commit the draft collection to the review set. By using this method (instead of searching OneDrive accounts as part of the collection), files attached to 1:1 and group chats are grouped in the conversation they were shared in.
+
+ - Unselect the checkbox in the **Additional site** column to remove the SharePoint sites containing files shared in private channels. Doing this eliminates collecting duplicate files that were attached to private channel conversations because cloud attachments attached to private channel conversations are automatically added to the review set when you commit the draft collection and grouped in the conversations that were shared in.
+
+6. If you previously followed the steps to add Teams content as custodian data sources, you can skip this step and select **Next**. Otherwise, on the **Non-custodial data sources** wizard page, you can choose non-custodial data sources that contain Teams content that you may have added to the case to search in the collection.
+
+7. If you previously followed the steps to add Teams content as custodian data sources, you can skip this step and select **Next**. Otherwise, on the **Additional locations** wizard page, you can add other data sources to search in the collection. For example, you could add the mailbox and site for a team that wasn't added as a custodial or non-custodial data source. Otherwise, select **Next** and skip this step.
+
+8. On the **Conditions** wizard page, configure the search query to collect Teams content from the data sources that you specified on the previous wizard pages. You can use various keywords and search conditions to narrow the scope of the collection. For more information, see [Build search queries for collections](building-search-queries.md).
+
+ To help ensure the most comprehensive collection of Teams chat conversations (including 1:1, group, channel, and private chats) use the **Type** condition and select the **Instant messages** option. We also recommend including a date range or several keywords to narrow the scope of the collection to items relevant to your investigation. Here's a screenshot of a sample query using the **Type** and **Date** options:
+
+ ![Query to collect Teams content](..\media\TeamsConditionsQueryType.png)
+
+9. On the **Save draft or collect** wizard page, do one of the following depending on whether you want to create a draft collection or commit the collection to a review set.
+
+ ![Save draft collection or commit collection](..\media\TeamsDraftCommitCollection.png)
+
+ 1. **Save collection as draft**. Choose this option to create a draft collection. As previously explained, a draft collection doesn't add the collection results to a review set. It returns an estimate of the search results that match the search query for the data sources in the collection scope. This gives you the opportunity to view [collection statistics and reports[(collection-statistics-reports.md)] and edit and rerun the draft collection. When you satisfied with the result of a draft collection, you can commit it to a review set. For more information, see [Create a draft collection](create-draft-collection.md).
+
+ 2. **Collect items and add to a review set**. Choose this option to run the collection and then add the results to a review set. You can add the collection to a new or existing review set. The options to collect contextual Teams conversation messages (also called *conversation threading*) and collect cloud attachments are selected by default and can't be unselected. These options are automatically applied because of the large case format that you used when you initially created the new case for Teams content. For more information about committing collections to a review set, see [Commit a draft collection to a review set](commit-draft-collection.md).
+
+10. After you're finished configuring the collection, submit the collection to create a draft collection or collect items and add them to a review set.
+
+ When the process of adding the collection to the review set is completed, the status value for the collection on the **Collections** tab is set to **Committed**.
+
+## Review Teams content in a review set
+
+After you add collections of Teams content to a review set, the next step is to review the content for its relevance to your investigation and cull it if necessary. An important prerequisite to reviewing Teams content is understanding how Advanced eDiscovery processes Teams chat conversations and attachments when adding them to a review set. This processing of Teams content results in the following three things:
+
+- **[Grouping](#grouping)**. How messages, posts, and replies Teams conversations are grouped together and presented in the review set. This also includes attachments in chat conversations are extracted and group within the conversation.
+
+- **[Transcript conversation threading](#transcript-conversation-threading)**. How Advanced eDiscovery determines what additional content from a conversation to collect to provide context around items that matched the collection criteria.
+
+- **[Deduplication](#deduplication-of-teams-content)**. How Advanced eDiscovery handles duplicate Teams content.
+
+- **[Metadata](#metadata-for-teams-content)**. Metadata properties that Advanced eDiscovery adds to Teams content after it's collected and added to a review set.
+
+Understand grouping, conversation threading, deduplication, and Teams metadata will help you optimize the review and analysis of Teams content. This section also has [tips for viewing Teams content in a review set](#tips-for-viewing-teams-content-in-a-review-set).
+
+### Grouping
+
+When content from Teams chat conversations is added to a review set, messages, posts, and replies from conversations are aggregated in HTML transcript files. A single chat conversation can have multiple transcript files. An important function of these transcript files is to present Teams content as continuous conversations and not as individual (or separate) messages. This helps provides context for items that matched the search criteria of your collections in the previous step and reduce the number of items collected into the review set. Transcripts and associated items can be grouped by either *family* or *conversation*. Items in the same family will have the same value for the **FamilyId** metadata property. Items in the same conversation will have the same value for the **ConversationId** metadata property.
+
+The following table describes how the different types of Teams chat content are grouped by family and conversation.
+
+| Teams content type|Group by family |Group by conversation |
+|:|:|:|
+|Teams 1:1 and group chats | A transcript and all of its attachments and extracted items share the same **FamilyId**. Each transcript has a unique **FamilyId**. |All transcript files and their family items within the same conversation share the same **ConversationId**. This includes the following items:<br/><br/> - All extracted items and attachments of all transcripts that share the same **ConversationId**. <br/> - All transcripts for the same chat conversation<br/> - All custodian copies of each transcript<br/> - Transcripts from subsequent collections from the same chat conversation <br/><br/> For Teams 1:1 and group chat conversations, you might have multiple transcript files, each one corresponding to a different time frame within the conversation. Because these transcript files are from the same conversation with the same participants, they share the same **ConversationId**.|
+|Teams channel and private channel chats | Each post and all replies and attachments are saved to its own transcript. This transcript and all of its attachments and extracted items share the same **FamilyId**. |Each post and its attachments and extracted items have a unique **ConversationId**. If there are subsequent collections or new replies from the same post, the delta transcripts resulting from those collections will also have the same **ConversationId**.|
+||||
+
+Use the **Group** control in the command bar of a review set to view Teams content grouped by family or conversation.
+
+![Group control in command bar](..\media\TeamsGroupControl.png)
+
+- Select **Group family attachments** to view Teams content grouped by family. Each transcript file is displayed on a line in the list of review set items. Attachments are nested under the item.
+
+- Select **Group Teams or Yammer conversations** to view Teams content grouped by conversation. Each conversation is displayed on a line in the list of review set items. Transcript files and attachments are nested under the top-level conversation.
+
+> [!NOTE]
+> Cloud attachments are grouped with the conversations they appear in. This grouping is accomplished by assigning the same **FamilyId** as the transcript file of the message the file was attached to and the same **ConversationId** as the conversation the message appeared in. This means multiple copies of cloud attachments may be added to the review set if they were attached to different conversations.
+
+#### Viewing transcript files for conversations
+
+When viewing transcript files in a review set, some of the messages are highlighted in purple. The messages that are highlighted depend on which custodian copy of the transcript you're viewing. For example, in a 1:1 chat between User4 and User2, the messages posted by User4 are highlighted in purple when you view the transcript collected from User4's mailbox. When you view User2's transcript of the same conversation, messages posted by User2 are highlighted in purple. This highlighting behavior is based on the same Teams client experience, where a user's posts are highlighted in purple in the Teams client.
+
+The following screenshots show an example of conversation in the Teams client and the transcript file of the same conversation in the review set. The purple highlighting in the transcript file indicates that the transcript was collected from User2's mailbox.
+
+##### Conversation in Teams client
+
+![Conversation shown in the transcript file in the review set](..\media\TeamsClient1.png)
+
+##### Conversation in transcript file
+
+![Same conversation shown in Teams client](..\media\TeamsTranscript1.png)
+
+### Transcript conversation threading
+
+Conversation threading functionality in the large case format in Advanced eDiscovery helps you identify contextual content related to items that may be relevant to your investigation. This feature produces distinct conversation views that include chat messages that precede and follow the items match the search query during collection. This capability allows you to efficiently and rapidly review complete chat conversations (called *threaded conversations*) in Microsoft Teams. As previous explained, chat conversations are reconstructed in HTML transcript files when Advanced eDiscovery adds Teams content to a review set.
+
+Here's the logic used by Advanced eDiscovery to include additional messages and replies transcript files that provide context around the items match the collection query (called *responsive items*) you used when collecting Teams content. Different threading behaviors are based on the types of chats and the search query used to collect the responsive items. There are two common collection scenarios:
+
+- Queries that use search parameters, such as keywords and property:value pairs
+
+- Queries that only use date ranges
+
+| Teams content type|Queries with search parameters |Queries with date ranges |
+|:|:|:|
+|Teams 1:1 and group chats |Messages that were posted 12 hours before and 12 hours after responsive items are grouped with the responsive item in a single transcript file. |Messages in a 24-hour window are grouped in a single transcript file.|
+|Teams channel and private channel chats |Each post that contains responsive items and all corresponding replies are grouped in a single transcript file. |Each post that contains responsive items and all corresponding replies are grouped in a single transcript file.|
+||||
+
+### Deduplication of Teams content
+
+The following list describes the deduplication (and duplication) behavior when collecting Teams content into a review set.
+
+- Each transcript file added to a review set should be a one-to-one mapping to content stored in data locations. That means Advanced eDiscovery doesn't collect any Teams content that has already been added to the review set. If a chat message is already collected in a review set, Advanced eDiscovery doesn't add the same message from the same data location to the review set in subsequent collections.
+
+- For 1:1 and group chats, copies of messages are stored in the mailbox of each conversation participant. Copies of the same conversation that exist in different participants' mailboxes are collected with different metadata. As a result, each instance of the conversation is treated as unique and brought into the review set in separate transcript files. So if all participants of a 1:1 or group chat are added as custodians in a case and included in the scope of a collection, then copies of each transcript (for the same conservation) are added to the review set and will be grouped together with the same **ConversationId**. Each of these copies is associated with a corresponding custodian. **Tip**: The **Custodian** column in the review set list identifies the custodian for the corresponding transcript file.
+
+- In subsequent collections of items from the same conversation, only the delta content that wasn't previously collected previously is added to the review set and grouped (by sharing the same **ConversationId**) with the previously collected transcripts from the same conversation. Here's an example of this behavior:
+
+ 1. Collection A collects messages in a conversation between User1 and User2 and adds to review set.
+
+ 2. Collection B collects messages from the same conversation, but there are new messages between User1 and User2 since Collection A was run.
+
+ 3. Only the new messages in Collection B are added to the review set. These messages are added to a separate transcript file, but the new transcript is grouped with the transcripts from Collection A by the same **ConversationId**.
+
+ This behavior applies to all the types of Teams chats.
+
+### Metadata for Teams content
+
+In large review sets with thousands or millions of items, it can be difficult to narrow the scope of your review to Teams content. To help you focus your review on Teams content, there are metadata properties that are specific to Teams content. You can use these properties to organize the columns in the review list and [configure filters and queries](review-set-search.md) to optimize the review of Teams content. These metadata properties are also included when you export Teams content from Advanced eDiscovery, to help you organize and view content post-export or in third-party eDiscovery tools.
+
+The following table describes metadata properties for Teams content.
+
+|Metadata property |Description |
+|:|:|
+|ContainsEditedMessage | Indicates whether a transcript file contains an edited message. Edited messages are identified when viewing the transcript file.|
+|ConversationId|A GUID that identifies the conversation that the item is associated with. Transcript files and attachments from the same conversation have the same value for this property.|
+|Conversation name | The name of the conversation the transcript file or attachment is associated with. For Teams 1:1 and group chats, the value of this property is the UPN of all participants of the conversation are concatenated. For example, `User3 <User3@contoso.onmicrosoft.com>,User4 <User4@contoso.onmicrosoft.com>,User2 <User2@contoso.onmicrosoft.com>`. Teams channel and private channel chats use the following format for conversation name: `<Team name>,<Channel name>`.ΓÇ» For example, `eDiscovery vNext, General`. |
+|ConversationType | Indicates the type of Team chat. For Teams 1:1 and group chats, the value for this property is `Group`. For Teams channel and private channel chats, the value is `Channel`.|
+|Date | The time stamp of the first message in the transcript file.|
+|FamilyId|A GUID that identifies the transcript file for a chat conversation. Attachments will have the same value for this property as the transcript file that contains the message the file was attached to.|
+|FileClass |Indicates that type of content. Items from Teams chats have the value `Conversation`. In contrast, Exchange email messages have the value `Email`.| |
+|MessageKind | The message kind property. Teams content has the value `microsoftteams , im`. |
+|Recipients | A list of all users who received a message within the transcript conversation.|
+|TeamsChannelName | The Teams channel name or private channel name of the transcript.|
+|||
+
+For descriptions of other Advanced eDiscovery metadata properties, see [Document metadata fields in Advanced eDiscovery](document-metadata-fields-in-Advanced-eDiscovery.md).
+
+## Export Teams content
+
+After you have reviewed and culled Teams content in a review set, you can export the transcript files that contain content that's responsive to your investigation. There aren't any specific export settings for Teams content. Each transcript file is exported as an HTML message file. This file also contains hidden CDATA tags with all metadata for the individual chat messages. The metadata properties discussed in the previous section are included when Teams content is exported.
+
+Each transcript file is referenced in the load file and can be located using the relative path in the Export_native_path field in the load file. Transcript files are located in the Conversations folder in the root export folder.
+
+## Tips for viewing Teams content in a review set
+
+Here are some tips and best practices for viewing Teams content in a review set.
+
+- Use the **Customize columns** control in the command bar to add and organize columns to optimize the review of Teams content.
+
+ ![Use the Edit column flyout page to add, remove, and organize columns](..\media\EditReviewSetColumns.png)
+
+ You can add and remove columns that are useful for Teams content. You can also sequence the order of columns by dragging and dropping them in the **Edit column** flyout page. You can also sort on columns to group Teams content with similar values for the column you sort on.
+
+- Useful columns that to help you review Teams content include **Custodian**, **Recipients**, and **File type** or **Message kind**.
+
+- Use [filters](review-set-search.md) for Teams-related properties to quickly display Teams content. There are filters for most of the metadata properties described in the previous section.
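Review bot: In step 9.1 of "To create a collection of Teams content", the link is written as `[collection statistics and reports[(collection-statistics-reports.md)]`, with a second opening bracket where the closing one belongs, so it will render as literal text; it should be `[collection statistics and reports](collection-statistics-reports.md)`. Under "Review Teams content in a review set", the intro says processing "results in the following three things", but four bullets follow (grouping, transcript conversation threading, deduplication, metadata). Under "Viewing transcript files for conversations", the image alt text is swapped: TeamsClient1.png carries "Conversation shown in the transcript file in the review set" and TeamsTranscript1.png carries "Same conversation shown in Teams client". In step 5 of the collection procedure, the recommendation to clear the **Custodian's OneDrive** and **Additional site** checkboxes should say whether this changes only the collection scope or also affects the hold placed on those locations on the **Hold settings** page. Smaller wording fixes before merge: "collect and amounts large amounts" in the large case benefits list, "for the same conservation" in the deduplication list, and the stray trailing cell on the FileClass row of the metadata table.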
security Onboard Windows 10 Multi Session Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/Onboard-Windows-10-multi-session-device.md
Title: "Onboard Windows 10 multi-session devices in Windows Virtual Desktop"
-description: "Read more in this article about Onboarding Windows 10 multi-session devices in Windows Virtual Desktop"
-keywords: Windows Virtual Desktop, WVD, microsoft defender, endpoint, onboard
+ Title: "Onboard Windows 10 multi-session devices in Azure Virtual Desktop"
+description: "Read more in this article about Onboarding Windows 10 multi-session devices in Azure Virtual Desktop"
+keywords: Azure Virtual Desktop, WVD, microsoft defender, endpoint, onboard
search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: manage
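Review bot: The updated `keywords` line still carries only "WVD" as the abbreviation, while the "Applies to" bullet further down now reads "Azure Virtual Desktop (AVD)". Add AVD to the keywords, keeping WVD alongside it if the old name should stay searchable, so the metadata matches the renamed product.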
-# Onboard Windows 10 multi-session devices in Windows Virtual Desktop
+# Onboard Windows 10 multi-session devices in Azure Virtual Desktop
6 minutes to read Applies to: -- Windows 10 multi-session running on Windows Virtual Desktop (WVD)
+- Windows 10 multi-session running on Azure Virtual Desktop (AVD)
-Microsoft Defender for Endpoint supports monitoring both VDI and Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
+Microsoft Defender for Endpoint supports monitoring both VDI and Azure Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Azure Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity.
## Before you begin
-Familiarize yourself with the [considerations for non-persistent VDI](/microsoft-365/security/defender-endpoint/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). While [Windows Virtual Desktop](/azure/virtual-desktop/overview) doesn't provide non-persistence options, it does provide ways to use a golden Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment and thus impacts what entries are created and maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility for your security analysts.
+Familiarize yourself with the [considerations for non-persistent VDI](/microsoft-365/security/defender-endpoint/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). While [Azure Virtual Desktop](/azure/virtual-desktop/overview) doesn't provide non-persistence options, it does provide ways to use a golden Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment and thus impacts what entries are created and maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility for your security analysts.
> [!NOTE] > Depending on your choice of onboarding method, devices can appear in Microsoft Defender for Endpoint portal as either: > - Single entry for each virtual desktop > - Multiple entries for each virtual desktop
-Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and redeploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.
+Microsoft recommends onboarding Azure Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and redeploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently.
Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It's executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you're using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy.
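Review bot: the rewritten recommendation paragraph still says "delete and redeploy WVD hosts", and the unchanged paragraph that follows uses "WVD" three more times ("WVD golden image", "WVD machines"), so the article now mixes both product names. Replace the remaining "WVD" with "AVD" or "Azure Virtual Desktop" in the same change. The rewritten paragraph also carries over "Microsoft Defender Endpoint portal", which is missing "for".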
If you plan to manage your machines using a management tool, you can onboard dev
For more information, see [Onboard Windows 10 devices using Configuration Manager](configure-endpoints-sccm.md). > [!WARNING]
-> If you plan to use [Attack Surface reduction Rules](attack-surface-reduction.md), note that the rule ΓÇ£[Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used, because that rule is incompatible with management through Microsoft Endpoint Configuration Manager. The rule blocks WMI commands that the Configuration Manager client uses to function correctly.
+> If you plan to use [Attack Surface reduction Rules](attack-surface-reduction-rules.md), note that the rule ΓÇ£[Block process creations originating from PSExec and WMI commands](attack-surface-reduction-rules.md#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used, because that rule is incompatible with management through Microsoft Endpoint Configuration Manager. The rule blocks WMI commands that the Configuration Manager client uses to function correctly.
> [!TIP] > After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md).
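Review bot: the rule name in the updated warning is still wrapped in mismatched quotation marks, a typographic opening quote (showing up here as `ΓÇ£`) and a straight closing `"`; use straight quotes on both sides so the text survives encoding changes. The link text "Attack Surface reduction Rules" is also capitalized differently from the new article title "Attack surface reduction rules". The retargeted anchor `#block-process-creations-originating-from-psexec-and-wmi-commands` does match a heading in the new attack-surface-reduction-rules.md.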
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
##### [Deploy]() ###### [Deploy Microsoft Defender for Endpoint on iOS via Intune](ios-install.md)
+###### [Deploy Microsoft Defender for Endpoint on iOS for unenrolled devices](ios-install-unmanaged.md)
##### [Configure]() ###### [Configure iOS features](ios-configure-features.md)
-##### [Troubleshoot]()
-###### [FAQs and Troubleshoot issues](ios-troubleshoot.md)
+##### [FAQs and Troubleshooting](ios-troubleshoot.md)
##### [Privacy](ios-privacy.md)
#### [Overview of attack surface reduction](overview-attack-surface-reduction.md) #### [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) #### [Learn about attack surface reduction rules](attack-surface-reduction.md)
+#### [Attack surface reduction rules](attack-surface-reduction-rules.md)
#### [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) #### [Enable attack surface reduction rules](enable-attack-surface-reduction.md) #### [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
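Review bot: the added TOC entry "Attack surface reduction rules" sits directly after the existing "Learn about attack surface reduction rules" entry, and the two titles are hard to tell apart in the navigation. Since the new article is the per-rule list (descriptions, GUIDs, management system names), a title such as "Attack surface reduction rules reference" would make the split clear.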
security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts.md
GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_136
], "relatedUser": { "userName": "temp123",
- "domainName": "MIDDLEEAST"
+ "domainName": "DOMAIN"
}, "comments": [ {
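Review bot: the placeholder values in this file are not consistent after the clean-up: `relatedUser` keeps `userName` "temp123" with the domain changed to "DOMAIN", while the evidence entry in the second sample now has `accountName` "name" next to an unchanged `userPrincipalName` of "temp123@microsoft.com". Use one placeholder account across both samples (for example "temp123" for `accountName` as well) and consider an example domain such as contoso.com in the UPN instead of microsoft.com.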
GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_136
"registryHive": null, "registryValueType": null, "registryValue": null,
- "accountName": "eranb",
- "domainName": "MIDDLEEAST",
+ "accountName": "name",
+ "domainName": "DOMAIN",
"userSid": "S-1-5-21-11111607-1111760036-109187956-75141", "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", "userPrincipalName": "temp123@microsoft.com",
security Attack Surface Reduction Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules.md
+
+ Title: Attack surface reduction rules
+description: Lists details about attack surface reduction rules on a per-rule basis.
+keywords: Attack surface reduction rules, ASR, asr rules, hips, host intrusion prevention system, protection rules, anti-exploit rules, antiexploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules, ASR rule description
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localization_priority: Normal
+audience: ITPro
+++++
+ms.technology: mde
+++
+# Attack surface reduction rules
+
+This article provides information about attack reduction rules:
+
+- [Supported operating system versions](#supported-operating-systems)
+- [Supported configuration management systems](#supported-configuration-management-systems)
+- [Per-rule-descriptions](#per-rule-descriptions)
+ - Rule descriptions
+ - GUIDs
+ - Configuration management system rule names
+
+## Supported operating systems
+
+Links to information about operating system versions referenced in this table are listed below this table.
+
+> [!Note]
+>
+> - Unless otherwise indicated, the minimum Windows&nbsp;10 build is version 1709 (RS3, build 16299) or later; the minimum Windows&nbsp;Server build is version is 1809 or later.
+>
+> - \* All rules support file and folder exclusions, unless stated otherwise.
+
+| Rule name | Windows&nbsp;10 | Windows&nbsp;Server 2019 | Windows&nbsp;Server | Windows&nbsp;Server 2016 | Windows&nbsp;Server 2012 R2 |
+||::|::|::|::|::|
+|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> version 1803 (Semi-Annual Channel) or later | | |
+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | ![supported](images/checkmark.png) <br><br> version 1809 or later | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) <br><br> | | |
+|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) <br><br> | | |
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | ![supported](images/checkmark.png) <br><br> version 1803 or later | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | ![supported](images/checkmark.png) <br><br> version 1803 or later | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) <br><br> \* _File and folder exclusions not supported._ | ![supported](images/checkmark.png) <br><br> version 1903 (build 18362) or later| ![supported](images/checkmark.png) | ![supported](images/checkmark.png) <br><br> version 1903 (build 18362) or later | | |
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | ![supported](images/checkmark.png) <br><br> version 1803 or later | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | ![supported](images/checkmark.png) <br><br> version 1803 or later | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
+| **Rule name** | **Windows&nbsp;10** | **Windows&nbsp;Server 2019** | **Windows&nbsp;Server** | **Windows&nbsp;Server 2016** | **Windows&nbsp;Server 2012 R2** |
+
+### Operating system version
+
+- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows 10 Pro, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows 10 Enterprise, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)
+- [Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809)
+
+- [Windows Server, version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+
+## Supported configuration management systems
+
+Links to information about configuration management system versions referenced in this table are listed below this table.
+
+|Rule name | Intune | Microsoft Endpoint Manager | Microsoft Endpoint Configuration Manager | Group Policy | PowerShell |
+||::|::|::|::|::|
+|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> MEM OMA-URI | | | ![supported](images/checkmark.png) <br><br> |
+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) | | |
+|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | | |
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 | | |
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | ![supported](images/checkmark.png) | |
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 | | |
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | | |
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | | |
+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | ![supported](images/checkmark.png) <br><br> | | ![supported](images/checkmark.png) <br><br> CB 1710 <br><br> | | |
+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | | |
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | | |
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | | | | | |
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | ![supported](images/checkmark.png) | | | | |
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 <br><br> | | |
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 <br><br> | | |
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 | | |
+| **Rule name** | **Intune** | **Microsoft Endpoint Manager** | **Microsoft Endpoint Configuration Manager** | **Group Policy** | **PowerShell** |
+
+- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)
+- [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)
+- [Microsoft Endpoint Manager CB 1710](/configmgr/core/servers/manage/updates)
+- [System Center Configuration Manager (SCCM) CB 1710](/configmgr/core/servers/manage/updates) <br>_SCCM is now Microsoft Endpoint Configuration Manager._
+
+## Per rule descriptions
+
+### Block abuse of exploited vulnerable signed drivers
+
+This rule prevents an application from writing a vulnerable signed driver to disk. In-the-wild, vulnerable signed drivers can be exploited by local applications \- _that have sufficient privileges_ \- to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise.
+
+The **Block abuse of exploited vulnerable signed drivers** rule does not block a driver already existing on the system from being loaded.
+
+>[!NOTE]
+>
+> You can configure this rule using MEM OMA-URI. See [MEM OMA-URI](enable-attack-surface-reduction.md#mem) for configuring custom rules.
+>
+> You can also configure this rule using [PowerShell](enable-attack-surface-reduction.md#powershell).
+>
+> To have a driver examined, use this Web site to [Submit a driver for analysis](https://www.microsoft.com/en-us/wdsi/driversubmission).
+
+Intune Name: `Block abuse of exploited vulnerable signed drivers`
+
+GUID: `56a863a9-875e-4185-98a7-b882c64b5ce5`
+
+### Block Adobe Reader from creating child processes
+
+This rule prevents attacks by blocking Adobe Reader from creating processes.
+
+Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
+
+Intune name: `Process creation from Adobe Reader (beta)`
+
+Configuration Manager name: Not yet available
+
+GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
+
+### Block all Office applications from creating child processes
+
+This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
+
+Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes; such as spawning a command prompt or using PowerShell to configure registry settings.
+
+Intune name: `Office apps launching child processes`
+
+Configuration Manager name: `Block Office application from creating child processes`
+
+GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
+
+### Block credential stealing from the Windows local security authority subsystem
+
+This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).
+
+LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
+
+> [!NOTE]
+> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
+
+Intune name: `Flag credential stealing from the Windows local security authority subsystem`
+
+Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem`
+
+GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
+
+### Block executable content from email client and webmail
+
+This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
+
+- Executable files (such as .exe, .dll, or .scr)
+- Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)
+
+Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)`
+
+Microsoft Endpoint Manager name: `Block executable content from email client and webmail`
+
+GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
+
+> [!NOTE]
+> The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use:
+>
+> - Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions).
+> - Endpoint
+> - Group Policy: Block executable content from email client and webmail.
+
+### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
+
+This rule blocks executable files, such as .exe, .dll, or .scr, from launching unless any of the following conditions are met:
+
+- Prevalence: The executable files are found on more than 1,000 endpoints
+- Age: The executable files were released more than 24 hours ago
+- Location: The executable files are included in a trusted list or an exclusion list
+
+Launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.
+
+> [!IMPORTANT]
+> You must [enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to use this rule.
+>
+> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
+>
+> You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
+
+Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria`
+
+Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria`
+
+GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
+
+### Block execution of potentially obfuscated scripts
+
+This rule detects suspicious properties within an obfuscated script.
+
+Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
+
+Intune name: `Obfuscated js/vbs/ps/macro code`
+
+Configuration Manager name: `Block execution of potentially obfuscated scripts`
+
+GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
+
+### Block JavaScript or VBScript from launching downloaded executable content
+
+This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
+
+Although not common, line-of-business applications sometimes use scripts to download and launch installers.
+
+Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)`
+
+Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content`
+
+GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
+
+### Block Office applications from creating executable content
+
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
+
+Malware that abuses Office as a vector might attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
+
+Intune name: `Office apps/macros creating executable content`
+
+SCCM name: `Block Office applications from creating executable content`
+
+GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
+
+### Block Office applications from injecting code into other processes
+
+This rule blocks code injection attempts from Office apps into other processes.
+
+Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
+
+There are no known legitimate business purposes for using code injection.
+
+This rule applies to Word, Excel, and PowerPoint.
+
+Intune name: `Office apps injecting code into other processes (no exceptions)`
+
+Configuration Manager name: `Block Office applications from injecting code into other processes`
+
+GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
+
+### Block Office communication application from creating child processes
+
+This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
+
+This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
+
+> [!NOTE]
+> This rule blocks DLP policy tips and ToolTips in Outlook. This rule applies to Outlook and Outlook.com only.
+
+Intune name: `Process creation from Office communication products (beta)`
+
+Configuration Manager name: Not available
+
+GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
+
+### Block persistence through WMI event subscription
+
+This rule prevents malware from abusing WMI to attain persistence on a device.
+
+> [!IMPORTANT]
+> File and folder exclusions don't apply to this attack surface reduction rule.
+
+Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
+
+Intune name: Not available
+
+Configuration Manager name: Not available
+
+GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
+
+### Block process creations originating from PSExec and WMI commands
+
+This rule blocks processes created through [PsExec](/sysinternals/downloads/psexec) and [WMI](/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
+
+> [!WARNING]
+> Only use this rule if you're managing your devices with [Intune](/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
+
+Intune name: `Process creation from PSExec and WMI commands`
+
+Configuration Manager name: Not applicable
+
+GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
+
+### Block untrusted and unsigned processes that run from USB
+
+With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
+
+Intune name: `Untrusted and unsigned processes that run from USB`
+
+Configuration Manager name: `Block untrusted and unsigned processes that run from USB`
+
+GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
+
+### Block Win32 API calls from Office macros
+
+This rule prevents VBA macros from calling Win32 APIs.
+
+Office VBA enables Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
+
+Supported operating systems:
+
+- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)
+- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)
+- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)
+
+Intune name: `Win32 imports from Office macro code`
+
+Configuration Manager name: `Block Win32 API calls from Office macros`
+
+GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
+
+### Use advanced protection against ransomware
+
+This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. This rule does not block files that have one or more of the following characteristics:
+
+- The file has already been found to be unharmful in the Microsoft cloud.
+- The file is a valid signed file.
+- The file is prevalent enough to not be considered as ransomware.
+
+The rule tends to err on the side of caution to prevent ransomware.
+
+> [!NOTE]
+> You must [enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
+
+Intune name: `Advanced ransomware protection`
+
+Configuration Manager name: `Use advanced protection against ransomware`
+
+GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
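Review bot: The added rule sections are inconsistent about platform requirements. "Block Win32 API calls from Office macros" keeps its "Supported operating systems" list, but "Block untrusted and unsigned processes that run from USB" and "Use advanced protection against ransomware" are added without one, although the removed versions of both sections listed Windows 10, version 1803. Either restore the lists in those two sections or say where the minimum OS is now documented, so an admin does not enable a rule on a build where it has no effect. Two smaller points in the same lines: the USB description ends without a period after "(such as .exe, .dll, or .scr)", and the Win32 GUID is uppercase while the other GUIDs here are lowercase, which makes copy-and-compare against policy output harder than it needs to be.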
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
For more information and to get your updates, see [Update for Microsoft Defender
Warn mode is not supported for three attack surface reduction rules when you configure them in Microsoft Endpoint Manager. (If you use Group Policy to configure your attack surface reduction rules, warn mode is supported.) The three rules that do not support warn mode when you configure them in Microsoft Endpoint Manager are as follows: -- [Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`)-- [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`)-- [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`)
+- [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction-rules.md#block-javascript-or-vbscript-from-launching-downloaded-executable-content) (GUID `d3e037e1-3eb8-44c8-a917-57927947596d`)
+- [Block persistence through WMI event subscription](attack-surface-reduction-rules.md#block-persistence-through-wmi-event-subscription) (GUID `e6db77e5-3df2-4cf1-b95a-636979351e5b`)
+- [Use advanced protection against ransomware](attack-surface-reduction-rules.md#use-advanced-protection-against-ransomware) (GUID `c1db55ab-c21a-4637-bb3f-a12568109d35`)
In addition, warn mode is not supported on devices running older versions of Windows. In those cases, attack surface reduction rules that are configured to run in warn mode will run in block mode.
You can create a custom view that filters events to only show the following even
|1122|Event when rule fires in Audit-mode| The "engine version" listed for attack surface reduction events in the event log, is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.-
-## Attack surface reduction rules
-
-The following table and subsections describe each of the 16 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name.
-
-If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs.
-
-|Rule name|GUID|File & folder exclusions|Minimum OS supported|
-||::|||
-|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers)|`56a863a9-875e-4185-98a7-b882c64b5ce5`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater) |
-|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes)|`7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes)|`D4F940AB-401B-4EFC-AADC-AD5F3C50688A`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem)|`9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail)|`BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)|`01443614-cd74-433a-b99e-2ecdc07bfc25`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts)|`5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content)|`D3E037E1-3EB8-44C8-A917-57927947596D`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content)|`3B576869-A4EC-4529-8536-B80A7769E899`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes)|`75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes)|`26190899-1602-49e8-8b27-eb1d0a1ce869`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription)|`e6db77e5-3df2-4cf1-b95a-636979351e5b`|Not supported|[Windows 10, version 1903](/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater|
-|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands)|`d1e49aac-8f56-4280-b9ba-993a6d77406c`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb)|`b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros)|`92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware)|`c1db55ab-c21a-4637-bb3f-a12568109d35`|Supported|[Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater|
-
-### Block abuse of exploited vulnerable signed drivers
-
-This rule prevents an application from writing a vulnerable signed driver to disk. In-the-wild, vulnerable signed drivers can be exploited by local applications \- _that have sufficient privileges_ \- to gain access to the kernel. Vulnerable signed drivers enable attackers to disable or circumvent security solutions, eventually leading to system compromise.
-
-The **Block abuse of exploited vulnerable signed drivers** rule does not block a driver already existing on the system from being loaded.
-
->[!NOTE]
->
-> You can configure this rule using [MEM OMA-URI](enable-attack-surface-reduction.md#mem) for MEM OMA-URI custom rules procedural information.
->
-> You can also configure this rule using [PowerShell](enable-attack-surface-reduction.md#powershell).
->
-> To have a driver examined, use this Web site to [Submit a driver for analysis](https://www.microsoft.com/en-us/wdsi/driversubmission).
-
-Supported operating systems:
--- [Windows 10 Pro, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later-- [Windows 10 Enterprise, version 1709](/windows/whats-new/whats-new-windows-10-version-1709) or later-- [Windows Server, version 1803 (Semi-Annual Channel)](/windows-server/get-started/whats-new-in-windows-server-1803) or later-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-
-Intune Name: `Block abuse of exploited vulnerable signed drivers`
-
-GUID: `56a863a9-875e-4185-98a7-b882c64b5ce5`
-
-### Block Adobe Reader from creating child processes
-
-This rule prevents attacks by blocking Adobe Reader from creating processes.
-
-Through social engineering or exploits, malware can download and launch payloads, and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
-
-Supported operating systems:
--- [Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-
-Intune name: `Process creation from Adobe Reader (beta)`
-
-Configuration Manager name: Not yet available
-
-GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
-
-### Block all Office applications from creating child processes
-
-This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
-
-Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run more payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes; such as spawning a command prompt or using PowerShell to configure registry settings.
-
-Supported operating systems:
--- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)-
-Intune name: `Office apps launching child processes`
-
-Configuration Manager name: `Block Office application from creating child processes`
-
-GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
-
-### Block credential stealing from the Windows local security authority subsystem
-
-This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).
-
-LSASS authenticates users who sign in on a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
-
-> [!NOTE]
-> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
-
-Supported operating systems:
--- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)-
-Intune name: `Flag credential stealing from the Windows local security authority subsystem`
-
-Configuration Manager name: `Block credential stealing from the Windows local security authority subsystem`
-
-GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
-
-### Block executable content from email client and webmail
-
-This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
--- Executable files (such as .exe, .dll, or .scr)-- Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)-
-Supported operating systems:
--- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [Microsoft Endpoint Manager CB 1710](/configmgr/core/servers/manage/updates)-
-Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)`
-
-Microsoft Endpoint Manager name: `Block executable content from email client and webmail`
-
-GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
-
-> [!NOTE]
-> The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use:
->
-> - Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions).
-> - Endpoint
-> - Group Policy: Block executable content from email client and webmail.
-
-### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-
-This rule blocks executable files, such as .exe, .dll, or .scr, from launching unless any of the following conditions are met:
--- Prevalence: The executable files are found on more than 1,000 endpoints-- Age: The executable files were released more than 24 hours ago-- Location: The executable files are included in a trusted list or an exclusion list-
-Launching untrusted or unknown executable files can be risky, as it might not be initially clear if the files are malicious.
-
-> [!IMPORTANT]
-> You must [enable cloud-delivered protection](/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) to use this rule.
->
-> The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID `01443614-cd74-433a-b99e-2ecdc07bfc25` is owned by Microsoft and is not specified by admins. This rule uses cloud-delivered protection to update its trusted list regularly.
->
-> You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
-
-Supported operating systems:
--- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)-
-Intune name: `Executables that don't meet a prevalence, age, or trusted list criteria`
-
-Configuration Manager name: `Block executable files from running unless they meet a prevalence, age, or trusted list criteria`
-
-GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
-
-### Block execution of potentially obfuscated scripts
-
-This rule detects suspicious properties within an obfuscated script.
-
-Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
-
-Supported operating systems:
--- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)-
-Intune name: `Obfuscated js/vbs/ps/macro code`
-
-Configuration Manager name: `Block execution of potentially obfuscated scripts`
-
-GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
-
-### Block JavaScript or VBScript from launching downloaded executable content
-
-This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
-
-Although not common, line-of-business applications sometimes use scripts to download and launch installers.
-
-Supported operating systems:
--- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)-
-Intune name: `js/vbs executing payload downloaded from Internet (no exceptions)`
-
-Configuration Manager name: `Block JavaScript or VBScript from launching downloaded executable content`
-
-GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
-
-### Block Office applications from creating executable content
-
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
-
-Malware that abuses Office as a vector might attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
-
-Supported operating systems:
--- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [System Center Configuration Manager](/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)-
-Intune name: `Office apps/macros creating executable content`
-
-SCCM name: `Block Office applications from creating executable content`
-
-GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
-
-### Block Office applications from injecting code into other processes
-
-This rule blocks code injection attempts from Office apps into other processes.
-
-Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
-
-There are no known legitimate business purposes for using code injection.
-
-This rule applies to Word, Excel, and PowerPoint.
-
-Supported operating systems:
--- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)-
-Intune name: `Office apps injecting code into other processes (no exceptions)`
-
-Configuration Manager name: `Block Office applications from injecting code into other processes`
-
-GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
-
-### Block Office communication application from creating child processes
-
-This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
-
-This rule protects against social engineering attacks and prevents exploiting code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
-
-> [!NOTE]
-> This rule blocks DLP policy tips and ToolTips in Outlook. This rule applies to Outlook and Outlook.com only.
-
-Supported operating systems:
--- [Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-
-Intune name: `Process creation from Office communication products (beta)`
-
-Configuration Manager name: Not available
-
-GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
-
-### Block persistence through WMI event subscription
-
-This rule prevents malware from abusing WMI to attain persistence on a device.
-
-> [!IMPORTANT]
-> File and folder exclusions don't apply to this attack surface reduction rule.
-
-Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
-
-Supported operating systems:
--- [Windows 10, version 1903](/windows/whats-new/whats-new-windows-10-version-1903)-- [Windows Server 1903](/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)-
-Intune name: Not available
-
-Configuration Manager name: Not available
-
-GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
-
-### Block process creations originating from PSExec and WMI commands
-
-This rule blocks processes created through [PsExec](/sysinternals/downloads/psexec) and [WMI](/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
-
-> [!WARNING]
-> Only use this rule if you're managing your devices with [Intune](/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
-
-Supported operating systems:
--- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-
-Intune name: `Process creation from PSExec and WMI commands`
-
-Configuration Manager name: Not applicable
-
-GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
-
-### Block untrusted and unsigned processes that run from USB
-
-With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
-
-Supported operating systems:
--- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)-
-Intune name: `Untrusted and unsigned processes that run from USB`
-
-Configuration Manager name: `Block untrusted and unsigned processes that run from USB`
-
-GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
-
-### Block Win32 API calls from Office macros
-
-This rule prevents VBA macros from calling Win32 APIs.
-
-Office VBA enables Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
-
-Supported operating systems:
--- [Windows 10, version 1709](/windows/whats-new/whats-new-windows-10-version-1709)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates)-
-Intune name: `Win32 imports from Office macro code`
-
-Configuration Manager name: `Block Win32 API calls from Office macros`
-
-GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
-
-### Use advanced protection against ransomware
-
-This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. This rule does not block files that have one or more of the following characteristics:
--- The file has already been found to be unharmful in the Microsoft cloud.-- The file is a valid signed file.-- The file is prevalent enough to not be considered as ransomware.-
-The rule tends to err on the side of caution to prevent ransomware.
-
-> [!NOTE]
-> You must [enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
-
-Supported operating systems:
--- [Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803)-- [Windows Server, version 1809](/windows-server/get-started/whats-new-in-windows-server-1809)-- [Windows Server 2019](/windows-server/get-started-19/whats-new-19)-- [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)-
-Intune name: `Advanced ransomware protection`
-
-Configuration Manager name: `Use advanced protection against ransomware`
-
-GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
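Review bot: Removing the `## Attack surface reduction rules` heading and every `###` rule heading from attack-surface-reduction.md deletes the anchors that other articles deep-link to (for example `#attack-surface-reduction-rules` and `#block-abuse-of-exploited-vulnerable-signed-drivers`). This digest shows the warn-mode bullets and the enable and evaluate articles being repointed to attack-surface-reduction-rules.md, but any reference that was missed will now land at the top of this article without an error. Search the repo for remaining `attack-surface-reduction.md#` links before merging, and consider leaving a short "Attack surface reduction rules" section here that points to the new article. The removed table was also the one place that showed GUID, exclusion support ("Not supported" for the WMI persistence rule) and minimum OS side by side, so confirm the new article carries an equivalent summary.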
security Deployment Rings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-rings.md
The following table shows the supported endpoints and the corresponding tool you
| Endpoint | Deployment tool | |--||
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.<br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) |
+| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.<br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender) |
| **macOS** | [Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) | | **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)| | **iOS** | [App-based](ios-install.md) |
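Review bot: The new "Integration with Azure Defender" entry in the **Windows** row links to `configure-server-endpoints.md`, so it reads as an option for any Windows endpoint when the target is the server onboarding article. Label it for Windows Server in the cell, or give it its own row, so the table does not suggest that client devices can be onboarded this way.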
security Deployment Strategy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md
The following table lists the supported endpoints and the corresponding deployme
| Endpoint | Deployment tool | |--||
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) |
+| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender) |
| **macOS** | [Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) | | **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)| | **iOS** | [App-based](ios-install.md) |
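Review bot: This is the same Windows row that was just edited in deployment-rings.md, and the two copies already differ: the rings version carries the "NOTE: If you want to deploy more than 10 devices in a production environment..." sentence and this one does not. Since every tooling change has to be made twice, move the table into a shared include, or at least bring the two rows into line in this change.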
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
The following procedures for enabling ASR rules include instructions for how to
## MEM
-You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rules. The following procedure uses the rule [Block abuse of exploited vulnerable signed drivers](attack-surface-reduction.md#block-abuse-of-exploited-vulnerable-signed-drivers) for the example.
+You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rules. The following procedure uses the rule [Block abuse of exploited vulnerable signed drivers](attack-surface-reduction-rules.md#block-abuse-of-exploited-vulnerable-signed-drivers) for the example.
1. Open the Microsoft Endpoint Manager (MEM) admin center. In the **Home** menu, click **Devices**, select **Configuration profile**, and then click **Create profile**.
You can use Microsoft Endpoint Manager (MEM) OMA-URI to configure custom ASR rul
Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
-The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
+The following is a sample for reference, using GUID values for [attack surface reduction rules](attack-surface-reduction-rules.md).
`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules`
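Review bot: The replacement link in "The following is a sample for reference, using GUID values for ..." drops the section anchor. The old target was `attack-surface-reduction.md#attack-surface-reduction-rules`, which landed on the GUID table. The new target is the top of `attack-surface-reduction-rules.md`, whereas the other link fixed in this file keeps its per-rule anchor. If the new article has a GUID summary section, link to that anchor so a reader building the OMA-URI value can find the rule IDs directly.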
security Evaluate Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction.md
To enable an attack surface reduction rule in audit mode, use the following Powe
Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions AuditMode ```
-Where `<rule ID>` is a [GUID value of the attack surface reduction rule](attack-surface-reduction.md#attack-surface-reduction-rules).
+Where `<rule ID>` is a [GUID value of the attack surface reduction rule](attack-surface-reduction-rules.md).
To enable all the added attack surface reduction rules in audit mode, use the following PowerShell cmdlet:
security Exposed Apis Odata Samples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-odata-samples.md
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
], "relatedUser": { "userName": "temp123",
- "domainName": "MIDDLEEAST"
+ "domainName": "DOMAIN"
}, "comments": [ {
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev
"registryHive": null, "registryValueType": null, "registryValue": null,
- "accountName": "eranb",
- "domainName": "MIDDLEEAST",
+ "accountName": "name",
+ "domainName": "DOMAIN",
"userSid": "S-1-5-21-11111607-1111760036-109187956-75141", "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", "userPrincipalName": "temp123@microsoft.com",
HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate
], "relatedUser": { "userName": "temp123",
- "domainName": "MIDDLEEAST"
+ "domainName": "DOMAIN"
}, "comments": [ {
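Review bot: in the `relatedUser` object the change neutralises `domainName` but leaves `"userName": "temp123"` beside it, while the evidence hunk in this same file renames the account to `name`. Pick one placeholder convention for account names across the sample responses so readers can tell at a glance that these fields hold sample data, and apply the same choice to the copies of these responses in get-alerts.md.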
security Get Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alerts.md
Here is an example of the response.
], "relatedUser": { "userName": "temp123",
- "domainName": "MIDDLEEAST"
+ "domainName": "DOMAIN"
}, "comments": [ {
Here is an example of the response.
], "relatedUser": { "userName": "temp123",
- "domainName": "MIDDLEEAST"
+ "domainName": "DOMAIN"
}, "comments": [ {
Here is an example of the response.
"registryHive": null, "registryValueType": null, "registryValue": null,
- "accountName": "eranb",
- "domainName": "MIDDLEEAST",
+ "accountName": "name",
+ "domainName": "DOMAIN",
"userSid": "S-1-5-21-11111607-1111760036-109187956-75141", "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", "userPrincipalName": "temp123@microsoft.com",
security Ios Install Unmanaged https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install-unmanaged.md
+
+ Title: Deploy Microsoft Defender for Endpoint on iOS features
+description: Describes how to deploy Microsoft Defender for Endpoint on iOS features
+keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, configure, features, ios
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+localization_priority: Normal
+
+audience: ITPro
+
+ - m365-security-compliance
+
+ms.technology: mde
++
+# Deploy Microsoft Defender for Endpoint on unenrolled iOS devices
++
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
+
+> [!NOTE]
+> Defender for Endpoint on iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+
+## Configure Microsoft Defender for Endpoint risk signals in app protection policy (MAM)
+
+Microsoft Defender for Endpoint can be configured to send threat signals to be used in app protection policies (APP, also known as MAM) on iOS/iPadOS. With this capability, you can use Microsoft Defender for Endpoint to protect access to corporate data from unenrolled devices as well.
+
+Steps to setup app protection policies with Microsoft Defender for Endpoint are as follows:
+
+1. Set up the connection from your Microsoft Endpoint Manager tenant to Microsoft Defender for Endpoint. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant Administration** > **Connectors and tokens** > **Microsoft Defender for Endpoint** (under Cross platform) or **Endpoint Security** > **Microsoft Defender for Endpoint** (under Setup) and turn on the toggles under **App Protection Policy Settings for iOS**.
+1. Select **Save**. You should see **Connection status** is now set to **Enabled**.
+1. Create the app protection policy: After your Microsoft Defender for Endpoint connector setup is complete, navigate to **Apps** > **App protection policies** (under Policy) to create a new policy or update an existing one.
+1. Select the platform, **Apps, Data protection, Access requirements** settings that your organization requires for your policy.
+1. Under **Conditional launch** > **Device conditions**, you will find the setting **Max allowed device threat level**. This needs to be configured to either Low, Medium, High, or Secured. The actions available to you will be **Block access** or **Wipe data**. You may see an informational dialog to make sure you have your connector set up prior to this setting taking effect. If your connector is already set up, you may ignore this dialog.
+1. Finish with Assignments and save your policy.
+
+For more details on MAM or app protection policy, see [iOS app protection policy settings](/mem/intune/apps/app-protection-policy-settings-ios).
+
+## Deploy Microsoft Defender for Endpoint for MAM or on unenrolled devices
+
+Microsoft Defender for Endpoint on iOS enables the app protection policy scenario and is available in the Apple app store.
+
+When app protection policies are configured for apps to include device risk signals from Microsoft Defender for Endpoint, users will be redirected to install Microsoft Defender for Endpoint when using such apps. Alternately, users can also install the latest version of the app directly from the Apple app store.
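Review bot: the front matter does not match the article: `Title` and `description` both read "Deploy Microsoft Defender for Endpoint on iOS features", while the H1 is "Deploy Microsoft Defender for Endpoint on unenrolled iOS devices", the `keywords` list repeats `ios`, and the free-trial link carries `ocid=docs-wdatp-exposedapis-abovefoldlink`, which looks copied from the exposed-APIs articles. Align these with the H1. In the procedure, step 5 lists Low, Medium, High, or Secured for **Max allowed device threat level** without saying which value is the most restrictive or how to choose between **Block access** and **Wipe data**; a sentence or a link to where that is explained would help admins avoid selecting a wipe action by accident. Also "Steps to setup" should be "Steps to set up", and "Microsoft Endpoint manager admin center" needs a capital M in "Manager".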
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Intune allows you to configure the Defender for iOS app through an App Configura
## Next Steps
-[Configure Defender for Endpoint on iOS features](ios-configure-features.md)
+- [Configure app protection policy to include Defender for Endpoint risk signals (MAM)](ios-install-unmanaged.md)
+- [Configure Defender for Endpoint on iOS features](ios-configure-features.md)
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
The following configuration profile contains entries for all settings described
} ], "allowedThreats":[
- "EICAR-Test-File (not a virus)"
+ "<EXAMPLE DO NOT USE>EICAR-Test-File (not a virus)"
], "disallowedThreatActions":[ "allow",
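Review bot: the `<EXAMPLE DO NOT USE>` marker is now part of the string value in `allowedThreats`, so anyone who copies the profile gets an allow entry for a threat name that presumably matches no detection, with no hint in the profile of why it is there. If the aim is to stop readers from allow-listing a real threat name by copy and paste, say so in the prose above the sample and state that the value must be replaced or the entry removed, since JSON has no comment syntax to carry that warning.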
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
You'll need to enable, at least, the minimum Remediation Level for a given Devic
Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md). > [!IMPORTANT]
- > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions.
+ > The option to upload a file to the library is only available to users with with "Manage Security Settings" permission.
+ > The button is greyed out for users with only delegated permissions.
+
Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role.
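Review bot: the first added line reads "users with with "Manage Security Settings" permission"; drop the duplicated "with" and add the article ("users with the "Manage Security Settings" permission"). The second line still says the button is greyed out for "users with only delegated permissions", a phrase the old sentence set against "RBAC permissions"; now that the requirement is a named permission, say plainly who sees the button disabled, for example any user without that permission.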
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
For more information, see [Deploy Microsoft Defender for Endpoint on iOS](ios-in
- [Deploy Microsoft Defender for Endpoint on iOS](ios-install.md) - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+- [Configure app protection policy to include Defender for Endpoint risk signals (MAM)](ios-install-unmanaged.md)
+- [Configure Conditional Access policy based on device risk score from Microsoft Defender for Endpoint](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios)
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
Linux
## Microsoft Defender for Endpoint on Android Microsoft Defender for Endpoint on Android is our mobile threat defense solution for
-devices running Android 6.0 and higher. Both Android Enterprise (Work Profile)
-and Device Administrator modes are supported. On Android, we offer web
+devices running Android 6.0 and higher. Devices that are registered within a customer's tenant (enrolled or unenrolled) are supported. Both Android Enterprise (Work Profile)
+and Device Administrator modes are supported for enrolled devices. On Android, we offer web
protection, which includes anti-phishing, blocking of unsafe connections, and setting of custom indicators. The solution scans for malware and potentially unwanted applications (PUA) and offers additional breach prevention capabilities
Android
## Microsoft Defender for Endpoint on iOS Microsoft Defender for Endpoint on iOS is our mobile threat defense solution for devices
-running iOS 11.0 and higher. Both Supervised and Unsupervised devices are supported.
-On iOS, we offer web protection which includes anti-phishing, blocking unsafe connections, and
-setting custom indicators. For more information about the key features and benefits,
+running iOS 11.0 and higher. Devices that are registered within a customer's tenant (enrolled or unenrolled) are supported.
+On iOS, we offer web protection, which includes anti-phishing, blocking unsafe connections and
+setting custom indicators, and jailbreak detection. For more information about the key features and benefits,
read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/iOS). For more details on how to get started, visit the Microsoft Defender for Endpoint
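Review bot: the iOS hunk deletes "Both Supervised and Unsupervised devices are supported." and puts nothing in its place, whereas the Android hunk keeps its mode statement and scopes it with "for enrolled devices". If supervised and unsupervised iOS devices are both still supported, keep that sentence, scoped the same way. The new list is also ambiguous: in "web protection, which includes anti-phishing, blocking unsafe connections and setting custom indicators, and jailbreak detection" it is unclear whether jailbreak detection is part of web protection or a separate capability; give it its own sentence.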
security Onboard Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md
The following table lists the available tools based on the endpoint that you nee
| Endpoint | Tool options | |--||
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) |
+| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Azure Defender](configure-server-endpoints.md#integration-with-azure-defender) |
| **macOS** | [Local scripts](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) | | **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)| | **iOS** | [App-based](ios-install.md) |
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
- m365solution-symantecmigrate Previously updated : 07/02/2021 Last updated : 07/19/2021
3. [Add Defender for Endpoint to the exclusion list for your existing solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution). 4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus). 5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
## Reinstall/enable Microsoft Defender Antivirus on your endpoints
Now that you're planning to switch to Defender for Endpoint, you might need to t
| Endpoint type | What to do | ||| | Windows clients (such as endpoints running Windows 10) | In general, you do not need to take any action for Windows clients (unless Microsoft Defender Antivirus has been uninstalled). Here's why: <p>Microsoft Defender Antivirus should still be installed, but is most likely disabled at this point of the migration process.<p> When a non-Microsoft antivirus/antimalware solution is installed and the clients are not yet onboarded to Defender for Endpoint, Microsoft Defender Antivirus is disabled automatically. <p>Later, when the client endpoints are onboarded to Defender for Endpoint, if those endpoints are running a non-Microsoft antivirus solution, Microsoft Defender Antivirus goes into passive mode. <p>If the non-Microsoft antivirus solution is uninstalled, Microsoft Defender Antivirus goes into active mode automatically. |
-|Windows servers | On Windows Server, you'll need to reinstall Microsoft Defender Antivirus, and set it to passive mode manually. Here's why: <p>On Windows servers, when a non-Microsoft antivirus/antimalware is installed, Microsoft Defender Antivirus cannot run alongside the non-Microsoft antivirus solution. In those cases, Microsoft Defender Antivirus is disabled or uninstalled manually. <p>To reinstall or enable Microsoft Defender Antivirus on Windows Server, perform the following taks: <p>- [Set DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) (only if necessary)<br/>- [Reinstall Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server)<br/>- [Set Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) |
+| Windows servers | On Windows Server, you'll need to reinstall Microsoft Defender Antivirus, and set it to passive mode manually. Here's why: <p>On Windows servers, when a non-Microsoft antivirus/antimalware is installed, Microsoft Defender Antivirus cannot run alongside the non-Microsoft antivirus solution. In those cases, Microsoft Defender Antivirus is disabled or uninstalled manually. <p>To reinstall or enable Microsoft Defender Antivirus on Windows Server, perform the following tasks: <p>- [Set DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) (only if necessary)<br/>- [Reinstall Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server)<br/>- [Set Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) |
> [!TIP]
This step of the migration process involves configuring Microsoft Defender Antiv
|Method |What to do | |||
-|[Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p> 2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p> 3. Select **Properties**, and then select **Configuration settings: Edit**.<p> 4. Expand **Microsoft Defender Antivirus**. <p> 5. Enable **Cloud-delivered protection**.<p> 6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p> 7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p> 8. Select **Review + save**, and then choose **Save**.<p>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) | 1. Go to **Computer configuration** > **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus**. <p> 2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p> 3. Choose **Edit policy setting**, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+| [Intune](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/>**NOTE**: Intune is now part of Microsoft Endpoint Manager. | 1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<p> 2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure).<p> 3. Select **Properties**, and then select **Configuration settings: Edit**.<p> 4. Expand **Microsoft Defender Antivirus**. <p> 5. Enable **Cloud-delivered protection**.<p> 6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<p> 7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<p> 8. Select **Review + save**, and then choose **Save**.<p>**TIP**: For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](/intune/device-profiles).|
+| Microsoft Endpoint Configuration Manager | See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). While you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).
+| Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](/mem/intune/user-help/turn-on-defender-windows). <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+| [Advanced Group Policy Management](/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) | 1. Go to **Computer configuration** > **Administrative templates** > **Windows components** > **Microsoft Defender Antivirus**. <p> 2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<p> 3. Choose **Edit policy setting**, and make sure that policy is disabled. This action enables Microsoft Defender Antivirus. <p>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
+> [!TIP]
+> You can deploy the policies before your organization's devices are onboarded.
+
## Add Microsoft Defender for Endpoint to the exclusion list for your existing solution This step of the setup process involves adding Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using.
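Review bot: the added `| Microsoft Endpoint Configuration Manager |` row ends at "...microsoft-defender-antivirus.md)." without the closing `|` that every other row in this table has, and the `> [!TIP]` block follows the last table row with no blank line before it, so the tip may render as part of the table. Close the row and add a blank line before the tip.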
Device groups, device collections, and organizational units enable your security
| [Device collections](/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.<p>Device collections are created by using [Configuration Manager](/mem/configmgr/). | Follow the steps in [Create a collection](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | | [Organizational units](/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<p> Organizational units are defined in [Azure Active Directory Domain Services](/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](/azure/active-directory-domain-services/create-ou). |
-## Configure antimalware policies and real-time protection
-
-Using Configuration Manager and your device collection(s), configure your antimalware policies.
--- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).-- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md).-
-> [!TIP]
-> You can deploy the policies before your organization's devices on onboarded.
## Next step
security Learn About Spoof Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md
The rest of this article explains how to use the spoof intelligence insight in t
## What do you need to know before you begin? -- You open the Microsoft 365 Defender portal at <https://security.microsoft.com/>. To go directly to the **Anti-phishing** page, use <https://security.microsoft.com/antiphishing>. To go directly to the **Spoof intelligence insight** page, use <https://security.microsoft.com/spoofintelligence>.
+- You open the Microsoft 365 Defender portal at <https://security.microsoft.com/>. To go directly to the **Spoofing** tab on the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList?viewid=SpoofItem>. To go directly to the **Spoof intelligence insight** page, use <https://security.microsoft.com/spoofintelligence>.
- To connect to Exchange Online PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell). To connect to standalone EOP PowerShell, see [Connect to Exchange Online Protection PowerShell](/powershell/exchange/connect-to-exchange-online-protection-powershell).
The rest of this article explains how to use the spoof intelligence insight in t
For more information, see [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo). > [!NOTE]
+ >
> - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions _and_ permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md). > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
Only email from that domain/sending infrastructure pair will be allowed to spoof
## Use the spoof intelligence insight in Exchange Online PowerShell or standalone EOP PowerShell
-In PowerShell, you use the **Get-SpoofIntelligenceInsight** cmdlet to **view** allowed and blocked spoofed senders that were detected by spoof intelligence. To manually allow or block the spoofed senders, you need to use the **New-TenantAllowBlockListSpoofItems** cmdlet. For more information, see [Use PowerShell to configure the Tenant Allow/Block List](tenant-allow-block-list.md#use-exchange-online-powershell-or-standalone-eop-powershell-to-configure-the-tenant-allowblock-list).
+In PowerShell, you use the **Get-SpoofIntelligenceInsight** cmdlet to **view** allowed and blocked spoofed senders that were detected by spoof intelligence. To manually allow or block the spoofed senders, you need to use the **New-TenantAllowBlockListSpoofItems** cmdlet. For more information, see [Use PowerShell to manage spoofed sender entries to the Tenant Allow/Block List](tenant-allow-block-list.md).
To view the information in the spoof intelligence insight, run the following command:
security Manage Tenant Allows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-allows.md
+
+ Title: Manage your allows in the Tenant Allow/Block List
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+
+ - M365-security-compliance
+description: Admins can learn how to configure allows in the Tenant Allow/Block List in the Security portal.
+ms.technology: mdo
++
+# Add allows in the Tenant Allow/Block List
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+Allows cannot be added directly to the Tenant Allow/Block List. Use the admin submission process to add URL, file, and/or sender allows to the Tenant Allow/Block List. Microsoft doesn't let admins add allows directly, but determines what was blocked and provides an allow for you. In most cases, the allows are added to give the system some time and allow it naturally if warranted. In some cases, Microsoft manages the allow for you.
+
+## Add allows using the Submissions portal
+
+Allow files, URLs, and senders in the Submissions section of Microsoft 365 Defender.
+
+1. In the Microsoft 365 Defender portal, go to **Email & collaboration** \> **Submissions**.
+
+2. On the **Submissions** page, verify that the **Submitted for analysis** tab is selected, and then click ![Ad icon](../../media/m365-cc-sc-create-icon.png) **Submit to Microsoft for analysis**.
+
+3. Use the **Submit to Microsoft for review** flyout to mark the sender, file, or URL as false positive.
+
+4. In the **Select a reason for submitting to Microsoft** section, select **Should not have been blocked (false positive)**.
+
+5. Turn on **Allow messages like this** option.
+
+6. From the **Remove after** drop-down list, specify how long you want the allow option to work.
+
+7. When you're finished, click the **Submit** button.
+
+> [!div class="mx-imgBorder"]
+> ![False positive submission example](../../media/admin-submission-allow-messages.png)
+
+## Create spoofed sender allow entries using Microsoft 365 Defender
+
+**Notes**:
+
+- Only the _combination_ of the spoofed user _and_ the sending infrastructure as defined in the domain pair is specifically allowed or blocked from spoofing.
+- When you configure an allow or block entry for a domain pair, messages from that domain pair no longer appear in the spoof intelligence insight.
+- Entries for spoofed senders never expire.
+- Spoof supports both allow and block. URL supports only allow.
+
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
+
+2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click ![Block icon](../../media/m365-cc-sc-create-icon.png) **Add**.
+
+3. In the **Add new domain pairs** flyout that appears, configure the following settings:
+ - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+ - **Spoof type**: Select one of the following values:
+ - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
+ - **External**: The spoofed sender is in an external domain.
+ - **Action**: Select **Allow** or **Block**.
+
+4. When you're finished, click **Add**.
+
+## Add spoofed sender allow entries using PowerShell
+
+To add spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+New-TenantAllowBlockListSpoofItems -SpoofedUser <Domain | EmailAddress | *> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal> -Action <Allow | Block>
+```
+
+For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).
+
+## Related articles
+
+- [Admin submissions](admin-submission.md)
+- [Report false positives and false negatives](report-false-positives-and-false-negatives.md)
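Review bot: the opening paragraph says "Allows cannot be added directly to the Tenant Allow/Block List", yet the two spoofed-sender sections below it add allow entries directly, through the **Spoofing** tab and through `New-TenantAllowBlockListSpoofItems` with `-Action Allow`. Scope the opening statement to URL, file and sender allows, or say that spoofed senders are the exception. Since the notes state that entries for spoofed senders never expire and the PowerShell syntax accepts `*` for `-SpoofedUser`, a sentence advising admins to keep allow pairs as narrow as possible would be worth adding. Smaller points: `Last updated :` is empty in the front matter, the alt text for the create icon is "Ad icon" in one place and "Block icon" beside an **Add** button in another, step 5 should read "Turn on the **Allow messages like this** option", and the heading "Create spoofed sender allow entries" covers a flyout whose **Action** setting also offers **Block**.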
security Manage Tenant Blocks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-blocks.md
+
+ Title: Manage your blocks in the Tenant Allow/Block List
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+
+ - M365-security-compliance
+description: Admins can learn how to configure blocks in the Tenant Allow/Block List in the Security portal.
+ms.technology: mdo
++
+# Add blocks in the Tenant Allow/Block List
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+## Use the Microsoft 365 Defender portal
+
+### Create block URL entries in the Tenant Allow/Block List
+
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
+
+2. On the **Tenant Allow/Block List** page, verify that the **URLs** tab is selected, and then click ![Block icon](../../media/m365-cc-sc-create-icon.png) **Block**.
+
+3. In the **Block URLs** flyout that appears, configure the following settings:
+ - **Add URLs with wildcards**: Enter one URL per line, up to a maximum of 20. For details about the syntax for URL entries, see the URL syntax section in [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+ - **Never expire**: Do one of the following steps:
+ - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
+
+ or
+
+ - Move the toggle to the right to configure the entries to never expire: ![Toggle on](../../media/scc-toggle-on.png).
+ - **Optional note**: Enter descriptive text for the entries.
+
+4. When you're finished, click **Add**.
+
+### Create block file entries in the Tenant Allow/Block List
+
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
+
+2. On the **Tenant Allow/Block List** page, select the **Files** tab, and then click ![Block icon](../../media/m365-cc-sc-create-icon.png) **Block**.
+
+3. In the **Block files** flyout that appears, configure the following settings:
+ - **Add file hashes**: Enter one SHA256 hash value per line, up to a maximum of 20.
+ - **Never expire**: Do one of the following steps:
+ - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
+
+ or
+
+ - Move the toggle to the right to configure the entries to never expire: ![Toggle on](../../media/scc-toggle-on.png).
+ - **Optional note**: Enter descriptive text for the entries.
+
+4. When you're finished, click **Add**.
+
+### Create spoofed sender block entries
+
+**Notes**:
+
+- Only the _combination_ of the spoofed user _and_ the sending infrastructure as defined in the domain pair is specifically allowed or blocked from spoofing.
+- When you configure an allow or block entry for a domain pair, messages from that domain pair no longer appear in the spoof intelligence insight.
+- Entries for spoofed senders never expire.
+- Spoof supports both allow and block. URL supports only allow.
+
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
+
+2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click ![Block icon](../../media/m365-cc-sc-create-icon.png) **Add**.
+
+3. In the **Add new domain pairs** flyout that appears, configure the following settings:
+ - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see [Manage the Tenant Allow/Block List](tenant-allow-block-list.md).
+ - **Spoof type**: Select one of the following values:
+ - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
+ - **External**: The spoofed sender is in an external domain.
+ - **Action**: Select **Allow** or **Block**.
+
+4. When you're finished, click **Add**.
+
+## Use PowerShell
+
+### Add block file or URL entries to the Tenant Allow/Block List
+
+To add block file or URL entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+New-TenantAllowBlockListItems -ListType <FileHash | Url> -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
+```
+
+This example adds a block file entry for the specified files that never expires.
+
+```powershell
+New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration
+```
+
+This example adds a block URL entry for contoso.com and all subdomains (for example, contoso.com, www.contoso.com, and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days.
+
+```powershell
+New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com
+```
+
+For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
+
+### Add spoofed sender block entries
+
+To add spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+New-TenantAllowBlockListSpoofItems -SpoofedUser <Domain | EmailAddress | *> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal> -Action <Allow | Block>
+```
+
+For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).
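Review bot: In the Notes under "Create spoofed sender block entries", the bullet "Spoof supports both allow and block. URL supports only allow." contradicts the rest of this article, which documents block URL entries both in the portal ("Create block URL entries") and in PowerShell (New-TenantAllowBlockListItems -ListType Url -Block); reword the bullet to say what is actually supported, or drop it. In the FileHash example, the first value is 63 hexadecimal characters while the second is 64, and the portal step asks for SHA256 values, so the first hash should be replaced with a full-length value that an admin can copy without getting a validation error. The section "Add spoofed sender block entries" shows syntax with -Action <Allow | Block> but no example; add one that uses -Action Block so it matches the heading. The two links for URL syntax and domain pair syntax point at tenant-allow-block-list.md without a section anchor, where the removed text in that article linked straight to the syntax sections.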
security Modify Remove Entries Tenant Allow Block https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/modify-remove-entries-tenant-allow-block.md
+
+ Title: Modify and remove entries in the Tenant Allow/Block List
+f1.keywords:
+ - NOCSH
+++ Last updated :
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+ - MET150
+
+ - M365-security-compliance
+description: Admins can learn how to modify and remove entries in the Tenant Allow/Block List in the Security portal.
+ms.technology: mdo
++
+# Modify and remove entries in the Tenant Allow/Block List
++
+**Applies to**
+- [Exchange Online Protection](exchange-online-protection-overview.md)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md)
+- [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
+
+You can use the Microsoft 365 Defender portal or PowerShell to modify and remove entries in the Tenant Allow/Block List.
+
+## Use the Microsoft 365 Defender portal
+
+### Modify entries in the Tenant Allow/Block List
+
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
+
+2. Select the tab that contains the type of entry that you want to modify:
+ - **URLs**
+ - **Files**
+ - **Spoofing**
+
+3. Select the entry that you want to modify, and then click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**. The values that you are able to modify in the flyout that appears depend on the tab you selected in the previous step:
+ - **URLs**
+ - **Never expire** and/or expiration date.
+ - **Optional note**
+ - **Files**
+ - **Never expire** and/or expiration date.
+ - **Optional note**
+ - **Spoofing**
+ - **Action**: You can change the value to **Allow** or **Block**.
+4. When you're finished, click **Save**.
+
+### Remove entries from the Tenant Allow/Block List
+
+1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
+
+2. Select the tab that contains the type of entry that you want to remove:
+ - **URLs**
+ - **Files**
+ - **Spoofing**
+
+3. Select the entry that you want to remove, and then click ![Delete icon](../../media/m365-cc-sc-delete-icon.png) **Delete**.
+
+4. In the warning dialog that appears, click **Delete**.
+
+## Use PowerShell
+
+### Modify block file and URL entries in the Tenant Allow/Block List
+
+To modify block file and URL entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Set-TenantAllowBlockListItems -ListType <FileHash | Url> -Ids <"Id1","Id2",..."IdN"> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
+```
+
+This example changes the expiration date of the specified block URL entry.
+
+```powershell
+Set-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -ExpirationDate "5/30/2020"
+```
+
+For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
+
+### Remove URL or file entries from the Tenant Allow/Block List
+
+To remove file and URL entries from the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Remove-TenantAllowBlockListItems -ListType <FileHash | Url> -Ids <"Id1","Id2",..."IdN">
+```
+
+This example removes the specified block URL entry from the Tenant Allow/Block List.
+
+```powershell
+Remove-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSPAAAA0"
+```
+
+For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems).
+
+### Modify allow or block spoofed sender entries
+
+To modify allow or block spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Set-TenantAllowBlockListSpoofItems -Ids <"Id1","Id2",..."IdN"> -Action <Allow | Block>
+```
+
+This example changes spoofed sender entry from allow to block.
+
+```powershell
+Set-TenantAllowBlockListItems -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -Action Block
+```
+
+For detailed syntax and parameter information, see [Set-TenantAllowBlockListSpoofItems](/powershell/module/exchange/set-tenantallowblocklistspoofitems).
+
+### Remove allow or block spoofed sender entries
+
+To remove allow or block spoof sender entries from the Tenant Allow/Block List, use the following syntax:
+
+```powershell
+Remove-TenantAllowBlockListSpoofItems -Ids <"Id1","Id2",..."IdN">
+```
+
+For detailed syntax and parameter information, see [Remove-TenantAllowBlockListSpoofItems](/powershell/module/exchange/remove-tenantallowblocklistspoofitems).
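Review bot: The example under "Modify allow or block spoofed sender entries" calls Set-TenantAllowBlockListItems with -Action Block, but the syntax line directly above it is for Set-TenantAllowBlockListSpoofItems, and the Set-TenantAllowBlockListItems syntax shown earlier in this article takes -ListType and has no -Action parameter. The example should read Set-TenantAllowBlockListSpoofItems -Ids "<Id>" -Action Block. It also reuses the same Id string as the URL entry example, which suggests that URL and spoof entry Ids are interchangeable; use a distinct placeholder for each. None of the PowerShell sections says where the -Ids values come from, so add a pointer to the Get-TenantAllowBlockListItems and Get-TenantAllowBlockListSpoofItems sections in tenant-allow-block-list.md. The -ExpirationDate "5/30/2020" example is a past date in a locale-dependent format; a future date with a note on the expected format would be safer. "Remove allow or block spoofed sender entries" has syntax only and would benefit from an example.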
security Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
search.appverid:
- MET150 - M365-security-compliance
-description: Admins can learn how to configure allows and blocks in the Tenant Allow/Block List in the Security portal.
+description: Admins can learn how to manage allows and blocks in the Tenant Allow/Block List in the Security portal.
ms.technology: mdo ms.prod: m365-security
ms.prod: m365-security
> [!NOTE] > > The features described in this article are in Preview, are subject to change, and are not available in all organizations. If your organization does not have the spoof features as described in this article, see the older spoof management experience at [Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight in EOP](walkthrough-spoof-intelligence-insight.md).
->
-> You can't **configure** allowed URL or file items in the Tenant Allow/Block List at this time.
+ In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, you might disagree with the EOP filtering verdict. For example, a good message might be marked as bad (a false positive), or a bad message might be allowed through (a false negative).
The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way
- URLs to block. - Files to block. - Spoofed senders to allow or block. If you override the allow or block verdict in the [spoof intelligence insight](learn-about-spoof-intelligence.md), the spoofed sender becomes a manual allow or block entry that only appears on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders here before they're detected by spoof intelligence.
+- URLs to allow.
+- Files to allow.
This article describes how to configure entries in the Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
This article describes how to configure entries in the Tenant Allow/Block List i
> > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.
-## Use the Microsoft 365 Defender portal to create block URL entries in the Tenant Allow/Block List
+## Configure the Tenant Allow/Block List
-1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
+### Use the Microsoft 365 Defender portal
-2. On the **Tenant Allow/Block List** page, verify that the **URLs** tab is selected, and then click ![Block icon](../../media/m365-cc-sc-create-icon.png) **Block**.
+In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
-3. In the **Block URLs** flyout that appears, configure the following settings:
- - **Add URLs with wildcards**: Enter one URL per line, up to a maximum of 20. For details about the syntax for URL entries, see the [URL syntax for the Tenant Allow/Block List](#url-syntax-for-the-tenant-allowblock-list) section later in this article.
- - **Never expire**: Do one of the following steps:
- - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
+To add all blocks, see [Add blocks in the Tenant Allow/Block List](manage-tenant-blocks.md).
- or
+To add all allows, see [Add allows in the Tenant Allow/Block List](manage-tenant-allows.md).
- - Move the toggle to the right to configure the entries to never expire: ![Toggle on](../../media/scc-toggle-on.png).
- - **Optional note**: Enter descriptive text for the entries.
+To modify and remove all blocks and allows, see [Modify and remove entries in the Tenant Allow/Block List](modify-remove-entries-tenant-allow-block.md).
-4. When you're finished, click **Add**.
-
-## Use the Microsoft 365 Defender portal to create block file entries in the Tenant Allow/Block List
-
-1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
-
-2. On the **Tenant Allow/Block List** page, select the **Files** tab, and then click ![Block icon](../../media/m365-cc-sc-create-icon.png) **Block**.
-
-3. In the **Block files** flyout that appears, configure the following settings:
- - **Add file hashes**: Enter one SHA256 hash value per line, up to a maximum of 20.
- - **Never expire**: Do one of the following steps:
- - Verify the setting is turned off (![Toggle off](../../media/scc-toggle-off.png)) and use the **Remove on** box to specify the expiration date for the entries.
-
- or
-
- - Move the toggle to the right to configure the entries to never expire: ![Toggle on](../../media/scc-toggle-on.png).
- - **Optional note**: Enter descriptive text for the entries.
-
-4. When you're finished, click **Add**.
+### Use Exchange Online PowerShell or standalone EOP PowerShell
-## Use the Microsoft 365 Defender portal to create allow or block spoofed sender entries in the Tenant Allow/Block List
+To manage all allows and blocks, see [Add blocks in the Tenant Allow/Block List](manage-tenant-blocks.md), [Add allows in the Tenant Allow/Block List](manage-tenant-allows.md), and [Modify and remove entries in the Tenant Allow/Block List](modify-remove-entries-tenant-allow-block.md).
-**Notes**:
--- Only the _combination_ of the spoofed user _and_ the sending infrastructure as defined in the domain pair is specifically allowed or blocked from spoofing.-- When you configure an allow or block entry for a domain pair, messages from that domain pair no longer appear in the spoof intelligence insight.-- Entries for spoofed senders never expire.-
-1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
-
-2. On the **Tenant Allow/Block List** page, select the **Spoofing** tab, and then click ![Block icon](../../media/m365-cc-sc-create-icon.png) **Add**.
-
-3. In the **Add new domain pairs** flyout that appears, configure the following settings:
- - **Add new domain pairs with wildcards**: Enter one domain pair per line, up to a maximum of 20. For details about the syntax for spoofed sender entries, see the [Domain pair syntax for spoofed sender entries in the Tenant Allow/Block List](#domain-pair-syntax-for-spoofed-sender-entries-in-the-tenant-allowblock-list) section later in this article.
- - **Spoof type**: Select one of the following values:
- - **Internal**: The spoofed sender is in a domain that belongs to your organization (an [accepted domain](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)).
- - **External**: The spoofed sender is in an external domain.
- - **Action**: Select **Allow** or **Block**.
-
-4. When you're finished, click **Add**.
-
-## Use the Microsoft 365 Defender portal to view entries in the Tenant Allow/Block List
+## View entries in the Tenant Allow/Block List
1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
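Review bot: The new cross-reference sentences ("To add all blocks, see ...", "To add all allows, see ...", "To modify and remove all blocks and allows, see ...") read as if they describe bulk operations on every entry, which is not what the linked articles do; wording such as "To add block entries, see ..." says what is meant. The "### Use Exchange Online PowerShell or standalone EOP PowerShell" subsection then repeats the same three links as the portal subsection, so the two subsections could be merged into one list of links that notes each article covers both the portal and PowerShell. The portal subsection now contains only the navigation sentence and nothing to do once the reader arrives; consider moving that sentence into the linked procedures only.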
This article describes how to configure entries in the Tenant Allow/Block List i
When you're finished, click **Apply**. To clear existing filters, click **Filter**, and in the **Filter** flyout that appears, click **Clear filters**.
-## Use the Microsoft 365 Defender portal to modify entries in the Tenant Allow/Block List
-
-1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
-
-2. Select the tab that contains the type of entry that you want to modify:
- - **URLs**
- - **Files**
- - **Spoofing**
-
-3. Select the entry that you want to modify, and then click ![Edit icon](../../media/m365-cc-sc-edit-icon.png) **Edit**. The values that you are able to modify in the flyout that appears depend on the tab you selected in the previous step:
- - **URLs**
- - **Never expire** and/or expiration date.
- - **Optional note**
- - **Files**
- - **Never expire** and/or expiration date.
- - **Optional note**
- - **Spoofing**
- - **Action**: You can change the value to **Allow** or **Block**.
-4. When you're finished, click **Save**.
-
-## Use the Microsoft 365 Defender portal to remove entries from the Tenant Allow/Block List
-
-1. In the Microsoft 365 Defender portal, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**.
-
-2. Select the tab that contains the type of entry that you want to remove:
- - **URLs**
- - **Files**
- - **Spoofing**
-
-3. Select the entry that you want to remove, and then click ![Delete icon](../../media/m365-cc-sc-delete-icon.png) **Delete**.
-
-4. In the warning dialog that appears, click **Delete**.
-
-## Use Exchange Online PowerShell or standalone EOP PowerShell to configure the Tenant Allow/Block List
-
-### Use PowerShell to add block file or URL entries to the Tenant Allow/Block List
-
-To add block file or URL entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-New-TenantAllowBlockListItems -ListType <FileHash | Url> -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>]
-```
-
-This example adds a block file entry for the specified files that never expires.
-
-```powershell
-New-TenantAllowBlockListItems -ListType FileHash -Block -Entries "768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3","2c0a35409ff0873cfa28b70b8224e9aca2362241c1f0ed6f622fef8d4722fd9a" -NoExpiration
-```
-
-This example adds a block URL entry for contoso.com and all subdomains (for example, contoso.com, www.contoso.com, and xyz.abc.contoso.com). Because we didn't use the ExpirationDate or NoExpiration parameters, the entry expires after 30 days.
-
-```powershell
-New-TenantAllowBlockListItems -ListType Url -Block -Entries ~contoso.com
-```
-
-For detailed syntax and parameter information, see [New-TenantAllowBlockListItems](/powershell/module/exchange/new-tenantallowblocklistitems).
-
-### Use PowerShell to add allow or block spoofed sender entries to the Tenant Allow/Block List
-
-To add spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-New-TenantAllowBlockListSpoofItems -SpoofedUser <Domain | EmailAddress | *> -SendingInfrastructure <Domain | IPAddress/24> -SpoofType <External | Internal> -Action <Allow | Block>
-```
-
-For detailed syntax and parameter information, see [New-TenantAllowBlockListSpoofItems](/powershell/module/exchange/new-tenantallowblocklistspoofitems).
+4. When you're finished, click **Add**.
-### Use PowerShell to view block file or URL entries in the Tenant Allow/Block List
+## View block file or URL entries in the Tenant Allow/Block List
To view block file or URL entries in the Tenant Allow/Block List, use the following syntax:
Get-TenantAllowBlockListItems -ListType Url -Block
For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
-### Use PowerShell to view allow or block spoofed sender entries in the Tenant Allow/Block List
+## View spoofed sender entries
To view spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
Get-TenantAllowBlockListSpoofItems -Action Block -SpoofType External
For detailed syntax and parameter information, see [Get-TenantAllowBlockListSpoofItems](/powershell/module/exchange/get-tenantallowblocklistspoofitems).
-### Use PowerShell to modify block file and URL entries in the Tenant Allow/Block List
-
-To modify block file and URL entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-Set-TenantAllowBlockListItems -ListType <FileHash | Url> -Ids <"Id1","Id2",..."IdN"> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
-```
-
-This example changes the expiration date of the specified block URL entry.
-
-```powershell
-Set-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -ExpirationDate "5/30/2020"
-```
-
-For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
-
-### Use PowerShell to modify allow or block spoofed sender entries in the Tenant Allow/Block List
-
-To modify allow or block spoofed sender entries in the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-Set-TenantAllowBlockListSpoofItems -Ids <"Id1","Id2",..."IdN"> -Action <Allow | Block>
-```
-
-This example changes spoofed sender entry from allow to block.
-
-```powershell
-Set-TenantAllowBlockListItems -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSRAAAA" -Action Block
-```
-
-For detailed syntax and parameter information, see [Set-TenantAllowBlockListSpoofItems](/powershell/module/exchange/set-tenantallowblocklistspoofitems).
-
-### Use PowerShell to remove URL or file entries from the Tenant Allow/Block List
-
-To remove file and URL entries from the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-Remove-TenantAllowBlockListItems -ListType <FileHash | Url> -Ids <"Id1","Id2",..."IdN">
-```
-
-This example removes the specified block URL entry from the Tenant Allow/Block List.
-
-```powershell
-Remove-TenantAllowBlockListItems -ListType Url -Ids "RgAAAAAI8gSyI_NmQqzeh-HXJBywBwCqfQNJY8hBTbdlKFkv6BcUAAAl_QCZAACqfQNJY8hBTbdlKFkv6BcUAAAl_oSPAAAA0"
-```
-
-For detailed syntax and parameter information, see [Remove-TenantAllowBlockListItems](/powershell/module/exchange/remove-tenantallowblocklistitems).
-
-### Use PowerShell to remove allow or block spoofed sender entries from the Tenant Allow/Block List
-
-To remove allow or block spoof sender entries from the Tenant Allow/Block List, use the following syntax:
-
-```powershell
-Remove-TenantAllowBlockListSpoofItems -Ids <"Id1","Id2",..."IdN">
-```
-
-For detailed syntax and parameter information, see [Remove-TenantAllowBlockListSpoofItems](/powershell/module/exchange/remove-tenantallowblocklistspoofitems).
- ## URL syntax for the Tenant Allow/Block List - IP4v and IPv6 addresses are allowed, but TCP/UDP ports are not.
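Review bot: The added line "4. When you're finished, click **Add**." sits directly above the new "## View block file or URL entries in the Tenant Allow/Block List" heading, while steps 1 to 3 of every portal procedure it could belong to are removed in this change, so it is left as an orphaned step and should be dropped. The two PowerShell view sections are promoted from H3 to H2 and lose the "Use PowerShell to" prefix, which makes them siblings of the portal "## View entries in the Tenant Allow/Block List" heading with nothing to tell the reader which is which; keep them as H3 under a "Use PowerShell" parent or restore the prefix. With the modify and remove sections moved out, the view sections are the only place Ids are surfaced, so a sentence linking forward to modify-remove-entries-tenant-allow-block.md would help.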
solutions Collaborate As Team https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-as-team.md
To set external collaboration settings
2. In the left navigation pane, click **Azure Active Directory**. 3. Click **External identities**. 4. On the **Get started** screen, in the left navigation pane, click **External collaboration settings**.
-5. Ensure that **Admins and users in the guest inviter role can invite** and **Members can invite** are both set to **Yes**.
+5. Ensure that **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions** is selected.
6. If you made changes, click **Save**. Note the settings in the **Collaboration restrictions** section. Make sure that the domains of the guests that you want to collaborate with aren't blocked.
To invite guests to a team
[SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration-preview)
-[Sharing options are greyed out when sharing from SharePoint or OneDrive](/sharepoint/troubleshoot/administration/sharing-options-grayed-out-when-sharing-from-sharepoint-online-or-onedrive)
+[Sharing options are greyed out when sharing from SharePoint or OneDrive](/sharepoint/troubleshoot/administration/sharing-options-grayed-out-when-sharing-from-sharepoint-online-or-onedrive)
test-base Review https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/review.md
f1.keywords: NOCSH
1. On this tab, the service displays your test details and runs a quick completeness check.
- A ```Validation passed``` or ```Validation failed``` message shows whether you can proceed to next steps or not.
+ A **Validation passed** or **Validation failed** message shows whether you can proceed to next steps or not.
-2. Review your test details and if satisfied, click on the ```Create``` button.
+2. Review your test details and if satisfied, click on the **Create** button.
-![View validation](Media/validation.png)
+ :::image type="content" alt-text="View validation." source="Media/validation.png" lightbox="Media/validation.png":::
3. This will onboard your package to the Test Base environment. If your package is successfully created, an automated test which verifys whether your package can be successfully executed on Azure will be triggered.
-![Successful result](Media/successful.png)
+ ![Successful result](Media/successful.png)
+
+ > [!Note]
+ > You will get a notification from the Azure portal to notify you on the success or failure of the package verification.
+ >
+ > Please note that the process can take up to 24 hours, so it is likely your webpage will timeout if you are not active on it and hence, the notification will not inform you of the completion of this on-demand run.
-> [!Note]
-> You will get a notification from the Azure portal to notify you on the success or failure of the package verification.
->
-> Please note that the process can take up to 24 hours, so it is likely your webpage will timeout if you are not active on it and hence, the notification will not inform you of the completion of this on-demand run.
+ - Peradventure this happens, you can view the status of your package on the **Manage packages** tab.
- - Peradventure this happens, you can view the status of your package on the ```Manage packages``` tab.
+ :::image type="content" alt-text="Image for managing packages." source="Media/managepackages.png" lightbox="Media/managepackages.png":::
-![Image for managing packages](Media/managepackages.png)
-
- - For succesful tests, their results can be seen via the ```Test Summary```, ```Security Updates Results``` and ```Feature Updates Results``` pages at scheduled intervals, often starting a few days after your upload.
+ - For succesful tests, their results can be seen via the **Test Summary**, **Security Updates Results** and **Feature Updates Results** pages at scheduled intervals, often starting a few days after your upload.
- - While failed tests, require you to upload a new package.
+ - While failed tests, require you to upload a new package.
- You can download the ```test logs``` for further analysis from the ```Security update results``` and ```Feature updates results``` pages.
+ You can download the **test logs** for further analysis from the **Security update results** and **Feature updates results** pages.
- - If you experience repeated test failures, please reach out to testbasepreview@microsoft.com with details of your error.
+ - If you experience repeated test failures, please reach out to testbasepreview@microsoft.com with details of your error.
## Next steps Discover our Content Guidelines via the link below.+ > [!div class="nextstepaction"] > [Next step](contentguideline.md)
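Review bot: Several lines are re-added here only to change indentation or swap backticks for bold, and they carry their wording problems over unchanged: "succesful" in the "For succesful tests" bullet, "Peradventure this happens", and "While failed tests, require you to upload a new package." Since these lines are being touched anyway, fix them in the same commit, for example "If this happens, you can view ..." and "Failed tests require you to upload a new package." The image conversion is also partial: validation.png and managepackages.png move to the :::image syntax with alt-text and lightbox, but successful.png stays as plain Markdown image syntax. The unchanged step 3 text still has "verifys".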
test-base Uploadapplication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/uploadApplication.md
Title: 'Upload your package'
-description: How to upload your appplication, binaries and dependencies onto Test Base
+description: How to upload your application, binaries and dependencies onto Test Base
search.appverid: MET150
f1.keywords: NOCSH
# Step 2: Uploading a Package On the Test Base portal page, navigate to the **Upload new package** option on the left navigation bar as shown below:
-![Upload a new package](Media/Upload-New-Package.png)
+ Once there, follow the steps below to upload a new package. ## Enter details for your package
-On the Test details tab, type in your package's name, version and other details as requested.
+On the Test details tab, type in your package's name, version, and other details as requested.
**Out-of-Box** and **Functional testing** can be done via this dashboard. The steps below provides a guide on how to fill out your package details:
-1. **Enter the name to be given your package in the ```Package name``` field.**
+1. Enter the name to be given your package in the `Package name` field.
-> [!Note]
-> The package name and version combination entered must be unique within your organization. This is validated by the checkmark as shown below.
+ > [!Note]
+ > The package name and version combination entered must be unique within your organization. This is validated by the checkmark as shown below.
- - If you choose to re-use an package's name, then the version number must be unique (i.e. never been used with an package bearing that particular name).
- - If the combination of the package name + version does not pass the uniqueness check, you will see an error message which reads, *ΓÇ£Package with this package version already existsΓÇ¥*.
+ - If you choose to reuse a package's name, then the version number must be unique (that is, never been used with a package bearing that particular name).
+
+ - If the combination of the package name + version doesn't pass the uniqueness check, you'll see an error message that reads, *ΓÇ£Package with this package version already existsΓÇ¥*.
-![Image for uploading package instructions](Media/Instructions.png)
+ :::image type="content" alt-text="Image for uploading package instructions." source="Media/Instructions.png":::
-2. **Enter a version in the ΓÇ£Package versionΓÇ¥ field.**
+2. Enter a version in the ΓÇ£Package versionΓÇ¥ field.
-![Package version](Media/ApplicationVersion.png)
+ :::image type="content" alt-text="Package version." source="Media/ApplicationVersion.png":::
-3. **Select the type of test you want to run on this package**
+3. Select the type of test you want to run on this package.
- An **Out-of-Box (OOB)** test performs an *install*, *launch*, *close* and *uninstall* of your package. After the install, the launch-close routine is repeated 30 times before a single uninstall is run.
+ An **Out-of-Box (OOB)** test performs an *install*, *launch*, *close*, and *uninstall* of your package. After the install, the launch-close routine is repeated 30 times before a single uninstall is run.
This OOB test provides you with standardized telemetry on your package to compare across Windows builds. A **Functional test** would execute your uploaded test script(s) on your package. The scripts are run in upload sequence and a failure in a particular script will stop subsequent scripts from executing.
-> [!Note]
-> **All** scripts run for 80 minutes at the most.
+ > [!Note]
+ > **All** scripts run for 80 minutes at the most.
-4. **Select the OS update type**
+4. Select the OS update type.
- - The ΓÇÿSecurity updatesΓÇÖ enables your package to be tested against incremental churns of Windows pre-release monthly security updates.
- - The ΓÇÿFeature updatesΓÇÖ enables your package to be tested against Windows pre-release bi-annual feature updates builds from the Windows Insider Program.
-<!
-Change to the correct picture
>
-![OS update type](Media/OSUpdateType.png)
+ - The ΓÇÿSecurity updatesΓÇÖ enables your package to be tested against incremental churns of Windows pre-release monthly security updates.
+ - The ΓÇÿFeature updatesΓÇÖ enables your package to be tested against Windows pre-release bi-annual feature updates builds from the Windows Insider Program.
+ <!
+ Change to the correct picture
+ -->
+ :::image type="content" alt-text="OS update type." source="Media/OSUpdateType.png":::
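Review bot: The re-indented step 4 carries the "Change to the correct picture" comment forward unchanged, so the TODO is still open and the image source is still Media/OSUpdateType.png; either swap in the correct screenshot as part of this change or remove the comment and track it outside the article. Both bullets also keep the agreement error "The ... updates enables" and the phrase "feature updates builds"; wording such as "The Security updates option enables ..." and "feature update builds" would fix that while the lines are being touched anyway.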
-5. **Select the OS version(s) for Security update tests.**
+5. Select the OS version(s) for Security update tests.
-In the multi-select dropdown, select the OS version(s) of Windows your package will be installed on.
+ In the multi-select dropdown, select the OS version(s) of Windows your package will be installed on.
- - To test your package against Windows Client OSes only, select the applicable Windows 11 OS versions from the menu list.
- - To test your package against Windows Server OSes only, select the applicable Windows Server OS versions from the menu list.
- - To test your package against Windows Client and Server OSes, select all applicable OSes from the menu list.
+ - To test your package only against Windows client operating systems, select the applicable Windows 11 OS versions from the menu list.
+ - To test your package only against Windows Server operating systems, select the applicable Windows Server OS versions from the menu list.
+ - To test your package only against Windows client and Windows Server operating systems, select all applicable operating systems from the menu list.
-> [!Note]
-> If you select to test your package against both Server and Client OSes, please make sure that the package is compatible and can run on both OSes
+ > [!Note]
+ > If you select to test your package against both Server and Client OSes, please make sure that the package is compatible and can run on both OSes
+ :::image type="content" alt-text="Selecting an OS version." source="Media/OSVersion.png":::
+ <!
+ Change to the correct picture
+ -->
-![Selecting an OS version](Media/OSVersion.png)
-<!
-Change to the correct picture
>
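Review bot: The third bullet of step 5 now reads "only against Windows client and Windows Server operating systems", but the removed line had no "only" in the both-OS case, so the edit changes the meaning and makes the bullet contradict the first two. Drop "only" there, for example "To test your package against both Windows client and Windows Server operating systems, select all applicable operating systems from the menu list." The note under the list still says "OSes" and lacks a closing period, although the bullets were changed to "operating systems".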
-6. **Select options for Feature update tests:**
+6. Select options for Feature update tests:
- - On the option to ΓÇ£Select Insider ChannelΓÇ¥, select the ```Windows Insider Program Channel``` as the build which your packages should be tested against.
+ - On the option to ΓÇ£Select Insider ChannelΓÇ¥, select the `Windows Insider Program Channel` as the build that your packages should be tested against.
- We currently use builds flighted in the Insider Beta Channel.
+ We currently use builds flighted in the Insider Beta Channel.
- - On the option to ΓÇ£Select OS baseline for InsightΓÇ¥, select the Windows OS version to be used as a baseline in comparing your test results.
+ - On the option to ΓÇ£Select OS baseline for InsightΓÇ¥, select the Windows OS version to be used as a baseline in comparing your test results.
-> [!Note]
-> We DO NOT support Feature update testing for Server OSes at this time
-<!
-Note to actual note format for markdown
>
-<!
-Change to the correct picture
>
-![Feature update testing](Media/FeatureUpdate.png)
+ > [!Note]
+ > We DO NOT support Feature update testing for Server OSes at this time
+ <!
+ Note to actual note format for markdown
+ -->
+ <!
+ Change to the correct picture
+ -->
+ :::image type="content" alt-text="Feature update testing." source="Media/FeatureUpdate.png":::
7. A completed Test details page should look like this:
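Review bot: In step 6 the comment "Note to actual note format for markdown" is kept even though the note directly above it already uses the `> [!Note]` syntax, so the comment is stale and can be deleted; the "Change to the correct picture" comment after it is another open TODO that should be resolved or removed before publishing. The note text "We DO NOT support Feature update testing for Server OSes at this time" is also still missing its closing period.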
-![Viewing test details](Media/TestDetails.png)
+ :::image type="content" alt-text="Viewing test details." source="Media/TestDetails.png":::
+ ## Next steps
-Our next article covers Uploading your Binaries to our serivce.
+Our next article covers Uploading your Binaries to our service.
+ > [!div class="nextstepaction"] > [Next step](binaries.md)