Updates from: 08/10/2021 03:17:07
Category Microsoft Docs article Related commit history on GitHub Change details
admin Choose Between Basic Mobility And Security And Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md
Microsoft Intune and built-in Basic Mobility and Security both give you the abil
|Device compliance|Set and manage security policies, like device level PIN lock and jailbreak detection. |Limitations on Android 9 and later devices. See [details](capabilities.md). |Yes| |Conditional access based on device compliance |Prevent noncompliant devices from accessing corporate email and data from the cloud. |Not supported on Windows 10.<br/>Limited to controlling access to Exchange Online, SharePoint Online, and Outlook. |Yes | |Device configuration |Configure device settings (for example, disabling the camera)|Limited set of settings.|Yes|
-|Device compliance |Set and manage security policies, like device level PIN lock and jailbreak detection. |Limitations on Android 9 and later devices. See [details](capabilities.md). |Yes|
|Email profiles |Provision a native email profile on the device. |Yes|Yes| |WiFi profiles |Provision a native WiFi profile on the device. |No|Yes| |VPN profiles |Provision a native VPN profile on the device. |No|Yes|
With Intune you have the following set of actions:
- [Send custom notifications](/mem/intune/remote-actions/custom-notifications#send-a-custom-notification-to-a-single-device)ΓÇ»(Android, iOS, iPad OS) - [Synchronize device](/mem/intune/remote-actions/device-sync)
-For more information on Intune actions, see [Microsoft Intune documentation](/mem/intune/).
+For more information on Intune actions, see [Microsoft Intune documentation](/mem/intune/).
admin Set Password Expiration Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/set-password-expiration-policy.md
Follow the steps below if you want to set user passwords to expire after a speci
5. Type how often passwords should expire. Choose a number of days from 14 to 730. 6. In the second box type when users are notified that their password will expire, and then select **Save**. Choose a number of days from 1 to 30.+
+> [!NOTE]
+> Password expiration notifications are no longer supported in the Office 365 portal or any Office apps except Outlook.
## Important things you need to know about the password expiration feature
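Review bot: The added note sits directly after step 6, which still tells the admin to choose when users are notified that their password will expire, so the two now read as contradictory. Say in step 6 (or in the note) that the notification period only takes effect in Outlook, so admins don't assume users on other Office apps or the portal will be warned before expiry.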
compliance Retention Policies Yammer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-yammer.md
For other workloads, see:
Yammer user messages and community messages can be deleted by using retention policies for Yammer, and in addition to the text in the messages, the following items can be retained for compliance reasons: Hypertext links and links to other Yammer messages.
-User messages include all the names of the people in the chat, and community messages include the community name and the message title (if supplied).
+User messages include all the names of the people in the conversation, and community messages include the community name and the message title (if supplied).
Reactions from others in the form of emoticons are not retained when you use retention policies for Yammer.
compliance Search For And Delete Messages In Your Organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization.md
description: "Use the search and purge feature in the Microsoft 365 compliance c
**This article is for administrators. Are you trying to find items in your mailbox that you want to delete? See [Find a message or item with Instant Search](https://support.office.com/article/69748862-5976-47b9-98e8-ed179f1b9e4d)**.
-You can use the Content Search feature to search for and delete an email message from all mailboxes in your organization. This can help you find and remove potentially harmful or high-risk email, such as:
+You can use the Content search feature to search for and delete email messages from all mailboxes in your organization. This can help you find and remove potentially harmful or high-risk email, such as:
- Messages that contain dangerous attachments or viruses
You can use the Content Search feature to search for and delete an email message
## Before you begin -- To create and run a Content search, you have to be a member of the **eDiscovery Manager** role group or be assigned the **Compliance Search** role in Security & Compliance Center. To delete messages, you have to be a member of the **Organization Management** role group or be assigned the **Search And Purge** role in Security & Compliance Center. For information about adding users to a role group, see [Assign eDiscovery permissions in the Security & Compliance Center](assign-ediscovery-permissions.md).
+- The search and purge workflow described in this article doesn't delete chat messages or other content from Microsoft Teams. If the Content search that you create in Step 2 returns items from Microsoft Teams, those items won't be deleted when you purge items in Step 3.
+
+- To create and run a Content search, you have to be a member of the **eDiscovery Manager** role group or be assigned the **Compliance Search** role in the Microsoft 365 compliance center. To delete messages, you have to be a member of the **Organization Management** role group or be assigned the **Search And Purge** role in the compliance center For information about adding users to a role group, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
> [!NOTE]
- > The **Organization Management** role group exists in both Exchange Online and Security & Compliance Center. These are separate role groups that give different permissions. Being a member of **Organization Management** in Exchange Online does not grant the required permissions to delete email messages. If you aren't assigned the **Search And Purge** role in Security & Compliance Center (either directly or through a role group such as **Organization Management**), you'll receive an error in Step 3 when you run the **New-ComplianceSearchAction** cmdlet with the message "A parameter cannot be found that matches parameter name 'Purge'".
+ > The **Organization Management** role group exists in both Exchange Online and in the Microsoft 365 compliance center. These are separate role groups that give different permissions. Being a member of **Organization Management** in Exchange Online does not grant the required permissions to delete email messages. If you aren't assigned the **Search And Purge** role in the compliance center (either directly or through a role group such as **Organization Management**), you'll receive an error in Step 3 when you run the **New-ComplianceSearchAction** cmdlet with the message "A parameter cannot be found that matches parameter name 'Purge'".
- You have to use Security & Compliance Center PowerShell to delete messages. See [Step 1](#step-1-connect-to-security--compliance-center-powershell) for instructions about how to connect.
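Review bot: The rewritten permissions bullet is missing a period between "role in the compliance center" and "For information about adding users", so two sentences run together. In the reworded note, "exists in both Exchange Online and in the Microsoft 365 compliance center" should drop the second "in" to keep the "both ... and" construction parallel.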
Start-ComplianceSearch -Identity $Search.Identity
## Step 3: Delete the message
-After you've created and refined a Content search to return the message that you want to remove and are connected to Security & Compliance Center PowerShell, the final step is to run the **New-ComplianceSearchAction** cmdlet to delete the message. You can soft- or hard-delete the message. A soft-deleted message is moved to a user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. If single item recovery is enabled for the mailbox, hard-deleted items will be permanently removed after the deleted item retention period expires. If a mailbox is placed on hold, deleted messages are preserved until the hold duration for the item expires or until the hold is removed from the mailbox.
+After you've created and refined a Content search to return the messages that you want to remove, the final step is to run the **New-ComplianceSearchAction -Purge** command in Security & Compliance PowerShell to delete the message. You can soft- or hard-delete the message. A soft-deleted message is moved to a user's Recoverable Items folder and retained until the deleted item retention period expires. Hard-deleted messages are marked for permanent removal from the mailbox and will be permanently removed the next time the mailbox is processed by the Managed Folder Assistant. If single item recovery is enabled for the mailbox, hard-deleted items will be permanently removed after the deleted item retention period expires. If a mailbox is placed on hold, deleted messages are preserved until the hold duration for the item expires or until the hold is removed from the mailbox.
+
+> [!NOTE]
+> As previously stated, items from Microsoft Teams that are returned by Content search are not deleted when you run the the **New-ComplianceSearchAction -Purge** command.
+
+To run the following commands to delete messages, be sure that you're [connected to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+
+### Soft-delete messages
In the following example, the command soft-deletes the search results returned by a Content search named "Remove Phishing Message".
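Review bot: The new text names the same shell two ways, "Security & Compliance PowerShell" in the rewritten Step 3 paragraph and "Security & Compliance Center PowerShell" in the added connection sentence; pick one. The added note also has a doubled word ("run the the"), and the first sentence switches from "the messages that you want to remove" to "delete the message", which matters here because a purge acts on every item the search returns, not a single message.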
In the following example, the command soft-deletes the search results returned b
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete ```
+### Hard-delete messages
+ To hard-delete the items returned by the "Remove Phishing Message" content search, you would run this command: ```powershell New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType HardDelete ```
-When you run the previous command to soft- or hard-delete messages, the search specified by the *SearchName* parameter is the Content Search that you created in Step 1.
+When you run the previous commands to soft- or hard-delete messages, the search specified by the *SearchName* parameter is the Content search that you created in Step 1.
For more information, see [New-ComplianceSearchAction](/powershell/module/exchange/New-ComplianceSearchAction).
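Review bot: The closing sentence still says the search named by *SearchName* is the Content search "created in Step 1", but the Before you begin section links Step 1 to connecting to PowerShell and says the search is created in Step 2. Change the reference to Step 2 so readers purge against the search they actually refined.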
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
For each capability, the following tables list the minimum Office version that y
New versions of Office apps are made available at different times for different update channels. For more information, including how to configure your update channel so that you can test a new labeling capability that you're interested in, see [Overview of update channels for Microsoft 365 Apps](/DeployOffice/overview-update-channels). New capabilities that are in private preview are not included in the table but you might be able to join these previews by nominating your organization for the [Microsoft Information Protection private preview program](https://aka.ms/mip-preview). > [!NOTE]
-> The names of the update channels for Office apps have recently changed. For example, Monthly Channel is now Current Channel, and Office Insider is now Beta Channel. For more information, see [Changes to update channels for Microsoft 365 Apps](/deployoffice/update-channels-changes).
+> The names of the update channels for Office apps changed in May 2020. For example, Monthly Channel is now Current Channel, and Office Insider is now Beta Channel. For more information, see [Changes to update channels for Microsoft 365 Apps](/deployoffice/update-channels-changes).
Office for iOS and Office for Android: Sensitivity labels are built into the [Office app](https://www.microsoft.com/en-us/microsoft-365/blog/2020/02/19/new-office-app-android-ios-available/). Additional capabilities are available when you install the Azure Information Protection unified labeling client, which runs on Windows computers only. For these details, see [Compare the labeling clients for Windows computers](/azure/information-protection/rms-client/use-client#compare-the-labeling-clients-for-windows-computers).
+> [!TIP]
+> When you compare the minimum versions in the tables with the versions you have, remember the common practice of release versions to omit leading zeros.
+>
+> For example, you have version 4.2128.0 and read that 4.7.1+ is the minimum version. For easier comparison, read 4.7.1 (no leading zeros) as 4.**0007**.1 (and not 4.**7000**.1). Your version of 4.2128.0 is higher than 4.0007.1, so your version is supported.
+ ### Sensitivity label capabilities in Word, Excel, and PowerPoint The numbers listed are the minimum Office application version required for each capability.
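Review bot: The first sentence of the new tip, "remember the common practice of release versions to omit leading zeros", is hard to parse. Something like "remember that release version numbers commonly omit leading zeros" says the same thing more directly, and the example that follows then reads cleanly.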
compliance Tagging Documents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tagging-documents.md
You can further organize tags by nesting them within a section. For example, if
![Nested tags within a tag section](../media/NestingTags.png)
-## Create tags
+## Creating and applying tags
-Before applying tags to documents in the review set, you need to create a tag structure.
+Tagging items in review sets is a two-step process. The first step is to create the tags that are then applied to review set items. After you create tags, you and other reviewers can apply them to items in a review set. As previously explained, an Advanced eDiscovery case can only have one set of tags that reviewers can use to tag review set items.
-1. Open a review set and navigate to the command bar and select **Tag by query**.
+### Create tags
-2. In the tagging panel, select **Manage tag options**
+Before applying tags to items in a review set, you need to create a tag structure.
-3. Select **Add tag section**.
+1. Open a review set, go to the command bar, and select **Tag files**.
+
+2. On the **Tag files** flyout page, click **Create/edit tags**.
+
+ ![Click Create/edit tags on the flyout page](../media/CreateAeDTags1.png)
+
+3. On the **Tags** page, select **Add section**.
4. Type a tag group title and an optional description, and then click**Save**.
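Review bot: New step 3 now says **Add section**, but step 4 right after it asks for a "tag group title", and later text uses both "tag sections" and "tag group". Settle on one term across the procedure. Steps 1 and 2 also mix "select" and "click" for the same kind of action, and the unchanged step 4 is missing a space in "click**Save**", which is worth fixing while this list is being edited.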
Before applying tags to documents in the review set, you need to create a tag st
6. Type a name and description for the checkbox or option button.
-7. Repeat this process to create new tag sections, tag options, and checkboxes.
+7. Repeat this process to create new tag sections, tag options, and checkboxes. For example, the following screenshot shows a tag group named **Review**, which consists of **Responsive** and **Not-responsive** checkboxes.
![Configure tag structure](../media/ManageTagOptions3.png)
-## Applying tags
-
-With the tag structure in place, reviewers can apply tags to documents in a review set. There are two different ways to apply tags:
+### Apply tags
-- Tag files
+With the tag structure in place, reviewers can apply tags to items in a review set by configuring tagging settings.
-- Tag by query
+1. In the review set command bar, select **Tag files** to display the **Tag files** flyout page (also called the *tagging panel*).
-### Tag files
+ ![Click Tag files in the command bar to open the tagging panel](../media/TagFilesFlyoutPage.png)
-Whether you select a single item or several items in a review set, you can apply tags to their selection by clicking **Tag files** in the command bar. In the tagging panel, you can select a tag and it is automatically applied to the selected documents.
+2. On the **Tag files** flyout page, you can set the following options to configure how to tag items displayed in the review set. The filters or filter queries currently applied to the review set determine which items are displayed and therefore the items that you can apply tags to. For more information, see [Query and filter content in a review set](review-set-search.md).
-![Tag selected files](../media/TagFile2.png)
+ - **Choose selection**. Choose one the following options to determine the scope of items to apply tags to.
-> [!NOTE]
-> Tags will be applied only to selected items in the list of items.
-
-### Tag by query
+ - **Tag selected items**: This option applies tags to the items that you select. You can select items before or after launching the tagging panel. This option displays (in real time) the number of selected items that will be tagged.
-Tagging by query lets you apply tags to all items displayed by a filter query that's currently applied in the review set.
+ - **Tag all items in list**: This option applies tags to all items displayed in the review set. This option displays the total number of items that will be tagged.
-1. Unselect all items in the review set and go to the command bar and select **Tag by query**.
+ - **Expand selection**: Use the following options to tag additional items that are related to tagged items in the review set.
-2. In the tagging panel, select the tag that you want to apply.
+ - **Include associated family items**: This option applies the same tag to the associated family items of items that are tagged. *Family items* are items that share the same **FamilyId** metadata property value. For example, a document that's attached to an email message shares the same **FamilyId** as the email message. So if this option is selected for this example, the email message and the document are tagged, even though the document might not be included in the list of review set items.
-3. Under the **Tag selection** dropdown, there are three options that dictate which items to apply the tag to.
+ - **Include associated conversation items**: This option applies the same tag to all items that are in the same Teams or Yammer conversation as the items that are tagged. *Conversation items* are items that share the same **ConversationId** metadata property value. All messages, posts, and corresponding transcript file of a conversation share the same **ConversationId**. If this option is selected, then all items in the same conversation (and transcript file) are tagged, even though some of those conversation items might not be included in the list of review set items. For more information about conversation items, see the "Grouping" section in [Advanced eDiscovery workflow for content in Microsoft Teams](teams-workflow-in-advanced-ediscovery.md#grouping).
- - **Items that match applied query**: Applies tags to specific items that match the filter query conditions.
+ - **None**: This option doesn't apply tags to family items or conversation items. It only applies tags to the items that are selected or to all items in the review set list.
- - **Include associated family items**: Applies tags to specific items that match the filter query conditions and their associated family items. *Family items* are items that share the same FamilyId metadata value.
+ > [!NOTE]
+ > Including associated family or conversation items will not change the count of items shown in the **Tag selected items** or **Tag all items in list** options. In other words, the number of associated items that will be tagged is not displayed.
- - **Include associated conversation items**: Applies tags to items that match the filter query conditions and their associated conversation items. *Conversation items* are items that share the same ConversationId metadata values.
+ - **Assign tags**: This section displays the tags (organized by tag groups) that you can apply to documents. You can only apply one single-choice tag (identified by a radio button) per tag group. However, you can apply multiple multi-choice tags (which are identified by a checkbox).
- ![Tag selection](../media/TagByQuery2.png)
+3. Click **Apply tags** to apply the tags based on your settings.
-4. Click **Start tagging job** to trigger the tagging job.
+ The **Applying tags** status message is displayed for each tag group on the tagging panel to indicate a tagging job has been started. Tags for each tag group in the **Assign tags** section are greyed out until the job is completed.
-## Tag filter
+> [!TIP]
+> If you're in the process of configuring the settings on the tagging panel, but want to start over, click **Reset tag assignment** to clear the current setting. This control doesn't apply to items that are already tagged, and it doesn't change or remove tags from previously tagged items.
-Use the tag filter in review set to quickly find or exclude items from the query results based on how an item is tagged.
+#### Monitor tagging jobs
-1. Select **Filters** to expand the filter panel.
+When you tag a large number of items (or select the **Tag all items in list**) option, a **Tagging documents** job is created. You view the status of this job on the **Jobs** tab in the case. This helps you track large tagging jobs that may take a long time to complete. In some cases, a tagging job might be complete, but the **Applying tags** status message in the tagging panel is still displayed. To update the status of tagging jobs, click **Refresh** in the review set command bar.
-2. Select and expand **Item properties**.
+## Removing tags
-3. Scroll down to find the filter named **Tag**, select the checkbox, and then click **Done**.
+You can remove tags from items in a review set. However, you can't remove a single-choice tag that's been applied to a review set item. You can only change a single-choice tag to another single-choice tag within the same tag group.
-4. To include or exclude items with a specific tag from a query, do one of the following:
+To remove a tag:
- - **Include items**: Select the tag value and select **Equal any of** in the dropdown menu.
+1. Select the items the you want to remove the tag from.
- Or
+2. Click **Tag files** to display the tagging panel.
- - **Exclude items**: Select the tag value and select **Equals none of** in dropdown menu.
+3. Under **Assign tags**, unselect the tag, and then click **Apply tags**.
- ![Tag filter exclude items](../media/TagFilterExclude.png)
-
-> [!NOTE]
-> Be sure to refresh the page to ensure that the tag filter displays the latest changes to the tag structure.
+You can also use the previous procedure to change the tag applied to selected items. After unselecting the current tag, you can select a different one.
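Review bot: This change deletes the whole "Tag filter" section (the include and exclude steps and the refresh note) without adding a replacement or a pointer; if that content now lives in review-set-search.md, link to it from here for filtering by tag. Typos in the added lines: "Choose one the following options" is missing "of", "(or select the **Tag all items in list**) option" has the closing parenthesis before "option", and "Select the items the you want" should read "that you want".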
lti Teams Meetings With Canvas https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/teams-meetings-with-canvas.md
description: "Integrate Microsoft Teams meetings with Canvas"
Microsoft Teams meetings is a Learning Tools Interoperability (LTI) app that helps educators and students easily navigate between their Learning Management System (LMS) and Teams. Users can access their class teams associated with their course directly from within their LMS.
+## Prerequisites Before Deployment
+
+> [!NOTE]
+> The current Teams Meetings LTI only supports syncing Canvas users with Microsoft Azure Active Directory (AAD) in a limited scope.
+> - Your tenant must have an Microsoft Education license.
+> - Only a single Microsoft tenant can be used for mapping users between Canvas and Microsoft.
+> - You will have to turn off SDS before using the Class Teams LTI in order to avoid duplication of groups.
+ ## Microsoft Office 365 Admin Before managing the Microsoft Teams integration within Instructure Canvas, it is important to have CanvasΓÇÖs **Microsoft-Teams-Sync-for-Canvas** Azure app approved by your institutionΓÇÖs Microsoft Office 365 admin in your Microsoft Azure tenant before completing the Canvas admin setup.
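Review bot: The new prerequisites note calls the app "Teams Meetings LTI" in its first line and "Class Teams LTI" in the last bullet; use one name so admins know which integration the restrictions apply to. "SDS" is used without being expanded, and "an Microsoft Education license" should be "a Microsoft Education license".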
Before managing the Microsoft Teams integration within Instructure Canvas, it is
3. In the admin navigation, select the **Settings** link, and then the **Integrations** tab.
-4. Enter your Microsoft tenant name and login attribute.
+![Canvas Teams Sync Updated png](https://user-images.githubusercontent.com/87142492/128552407-78cb28e9-47cf-4026-954d-12dc3553af6f.png)
- The login attribute will be used for associating the Canvas user with an Azure Active Directory user.
+4. Enter your Microsoft tenant name, login attribute, domain suffix, and AAD lookup attribute. These fields will be used for matching users in Canvas with users in Microsoft Azure Active Directory.
+ * The Login Attribute is the Canvas user attribute utilized for matching.
+ * The Suffix field is optional and lets you specify a domain when there isn't an exact mapping between Canvas attributes and Microsoft AAD fields. For example, if your Canvas email is 'name@example.edu' while the UPN in Microsoft AAD is 'name', you can match users by entering 'example.edu' in the suffix field.
+ * The Active Directory Lookup Attribute is the field on the Microsoft side which Canvas attributes are matched to. Select in between UPN, primary email address, or the email alias.
5. Select **Update Settings** once done.
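Review bot: The Suffix bullet in step 4 does not say whether the suffix is appended to or removed from the Canvas login attribute before matching, and the example (Canvas 'name@example.edu', AAD UPN 'name', suffix 'example.edu') can be read either way. State the transformation explicitly, since a wrong mapping here links Canvas users to the wrong directory account or to none. The added screenshot is also hosted on user-images.githubusercontent.com while other images in the article use the media/ folder, its alt text "Canvas Teams Sync Updated png" is not descriptive, and "Select in between UPN" should be "Choose between".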
Before managing the Microsoft Teams integration within Instructure Canvas, it is
![permissions](media/permissions.png)
-7. Select **Accept**.
+7. Select **Accept**.
+
+> [!NOTE]
+> Sync is a functionality that is managed by LMS partner and is used to sync membership at a course level to the Teams team using Microsoft graph APIs. This is primarily a functionality that an educator switches on as true at a course level. Subsequently any membership change done on LMS side for the addition or deletion of the members gets reflected using the Sync implemented by the LMS partner. Even before this process is enabled for an Educator the M365 education institute admin allows their educators to access sync using the Sync permission modal found below. These permissions are granted to the LMS partner to enable educators to sync membership between the LMS course and Teams Class teams.
8. Enable the Microsoft Teams sync by turning the toggle on.
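Review bot: The added note refers to "the Sync permission modal found below", but the permissions screenshot appears above it, before step 7. Fix the direction, and consider splitting the note into two or three short sentences that state who grants the permissions (the institution's admin), to whom (the LMS partner), and what the sync then does with course membership.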
As a Canvas Admin, you'll need to add the Microsoft Teams meetings LTI app withi
5. Select **Install**. The Microsoft Teams meetings LTI app will be added to the list of external apps.+
+6. Enable the app by navigating to the developer keys in the Canvas admin account, selecting inherited, and turning the toggle "on" for Microsoft Teams Meetings.
## Enable for Canvas Courses
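Review bot: New step 6 writes its UI labels as plain text ("developer keys", "inherited", "on"), while step 5 bolds **Install**. Bold the labels and match the capitalization shown in Canvas so the path is easy to follow.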
managed-desktop Change History Managed Desktop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/change-history-managed-desktop.md
ms.localizationpriority: normal
This article lists new and updated articles in the [Microsoft Managed Desktop documentation](index.yml). "Updated" articles have had material additions or corrections--minor fixes such as correction of typos, style, or formatting issues are not listed. You can always view the history of specific commits (including details of any changes) by visiting the [repo on GitHub](https://github.com/MicrosoftDocs/microsoft-365-docs/tree/public/microsoft-365/managed-desktop). +
+## July 2021
+New or changed article | Description
+ |
+[Device images](service-description/device-images.md)| Updated article
+[Fix issues found by the readiness assessment tool](get-ready/readiness-assessment-fix.md) | Updated article
+[Microsoft Managed Desktop roles and responsibilities](intro/roles-and-responsibilities.md) | Updated article
+[Enable user support features](get-started/enable-support.md) | New article
+[Enable Enterprise State Roaming](get-started/enterprise-state-roaming.md) | Updated article
+[Microsoft Managed Desktop and Windows 11](intro/win11-overview.md) | New article
+[Preview and test Windows 11 with Microsoft Managed Desktop](working-with-managed-desktop/test-win11-mmd.md) | New article
+[Steps for Partners to register devices](get-started/register-devices-partner.md) | Updated article
+[Register new devices yourself](get-started/register-devices-self.md) |Updated article
+[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated article
+[First-run experience with Autopilot and the Enrollment Status Page](get-started/esp-first-run.md) | Updated article
+[Microsoft Managed Desktop operations and monitoring](service-description/operations-and-monitoring.md) | Updated article
+[Getting help for users](working-with-managed-desktop/end-user-support.md) | Updated article
+
+## June 2021
+New or changed article | Description
+ |
+[Work with reports](working-with-managed-desktop/reports.md) | Updated article
+[Overview](service-description/privacy-personal-data.md) | Updated article
+[Admin support for Microsoft Managed Desktop](working-with-managed-desktop/admin-support.md) | Updated article
+[Fix issues found by the readiness assessment tool](get-ready/readiness-assessment-fix.md) | Updated article
+[Prerequisites for Microsoft Managed Desktop](get-ready/prerequisites.md) | Updated article
+[Enable Enterprise State Roaming](get-started/enterprise-state-roaming.md) | Updated article
+ ## May 2021 New or changed article | Description |
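Review bot: In the June 2021 table, the link text "Overview" for service-description/privacy-personal-data.md does not tell readers which article changed; use the article's full title as the other rows do. In the July table, "|Updated article" on the "Register new devices yourself" row is missing the space after the pipe that the other rows have.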
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
background."
Enable the required permission on Xiaomi devices. - Display pop-up windows while running in the background.++
+## Unable to allow permission for 'Permanent protection' during onboarding on some OEM devices
+
+**Applies to:** Specific OEM devices only.
+
+- **Xiaomi with Android 11**
+
+Defender App asks for Battery Optimization/Permanent Protection permission on devices as part of app onboarding, and selecting **Allow** returns an error that the permission couldn't be set. It only affects the last permission called "Permanent Protection."
+
+**Cause:**
+Xiomi changed the battery optimization permissions in Android 11. Defender is not allowed to configure this setting to ignore battery optimizations.
+
+**Solution:**
+We are working with OEM to find a solution to enable this permission from the app onboarding screen. We will update the documentation when this is resolved.
+Users can follow these steps to enable the same permissions from the device settings:
+
+1. Go to **Settings** on your device.
+2. Search for and select **Battery Optimization**.
+3. In **Special app access**, select **Battery Optimization**.
+4. Change the Dropdown to show **All Apps**.
+5. Locate ΓÇ£Microsoft Defender EndpointΓÇ¥ and select **DonΓÇÖt Optimize**.
+
+Return to the Microsoft Defender Endpoint onboarding screen, select **Allow**, and you will be redirected to the dashboard screen.
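Review bot: The Cause paragraph spells the vendor "Xiomi" where the bullet above it has "Xiaomi". The section also refers to the product as "Defender App", "Defender" and "Microsoft Defender Endpoint"; use the name exactly as it appears in the device's app list so users can find it in step 5. Steps 2 and 3 both say to select **Battery Optimization**, so clarify whether step 3 is a separate screen under **Special app access** or merge the two.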
security Cloud Protection Microsoft Antivirus Sample Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
Configuring Sample Submission raises questions about how it works; for example,
- ΓÇ£Send all samples automatically,ΓÇ¥ - ΓÇ£Do not send samples.ΓÇ¥
-For information about configuration options using Intune, Configuration Manager, GPO, or PowerShell, see [Turn on cloud-delivered protection in Microsoft Defender Antivirus](/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus).
+For information about configuration options using Intune, Configuration Manager, GPO, or PowerShell, see [Turn on cloud-delivered protection in Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md).
## Customer data, cloud protection, and sample submission
-When onboarding to Defender for Endpoint, Defender for Endpoint treats all file samples as customer data, honoring both the geo and data retention choices the customer selected. Geo and data retention choices are described here: [Microsoft Defender for Endpoint data storage and privacy](/security/defender-endpoint/data-storage-privacy#data-storage-location).
+When onboarding to Defender for Endpoint, Defender for Endpoint treats all file samples as customer data, honoring both the geo and data retention choices the customer selected. Geo and data retention choices are described here: [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md#data-storage-location).
The product has received multiple compliance certifications, demonstrating continued adherence to a sophisticated set of compliance controls: - ISO 27001
The product has received multiple compliance certifications, demonstrating conti
- SOC I, II, III - and PCI
-[Azure Compliance Offerings](/azure/compliance/#compliance-offerings) provides more information on these certifications. All certification artifacts for Microsoft Defender for Endpoint can be found on MicrosoftΓÇÖs [Service Trust Portal](https://servicetrust.microsoft.com/) within each of the associated Azure Certification Reports.
+[Azure Compliance Offerings](/azure/storage/common/storage-compliance-offerings) provides more information on these certifications. All certification artifacts for Microsoft Defender for Endpoint can be found on MicrosoftΓÇÖs [Service Trust Portal](https://servicetrust.microsoft.com/) within each of the associated Azure Certification Reports.
## Cloud Protection Mechanisms
_Figure 3. Cloud-delivered protection and layered machine learning_
## Cloud Delivered Protection Levels
-Malware detection requires striking a balance between providing the strongest possible protection, while minimizing the number of false positives. Different environments may have tolerance for protection versus risk of false positive. Cloud-delivered protection levels allow the customer to define the tolerance level appropriate for the specific environment. When you enable Cloud Delivered Protection, the protection level is automatically configured to provide strong detection without increasing the risk of detecting legitimate files. If you want to configure a different protection level, see [Specify the cloud-delivered protection level for Microsoft Defender Antivirus](/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus).
+Malware detection requires striking a balance between providing the strongest possible protection, while minimizing the number of false positives. Different environments may have tolerance for protection versus risk of false positive. Cloud-delivered protection levels allow the customer to define the tolerance level appropriate for the specific environment. When you enable Cloud Delivered Protection, the protection level is automatically configured to provide strong detection without increasing the risk of detecting legitimate files. If you want to configure a different protection level, see [Specify the cloud-delivered protection level for Microsoft Defender Antivirus](specify-cloud-protection-level-microsoft-defender-antivirus.md).
> [!Note] > > Changing the protection level can result in a higher level of false positives and should be carefully evaluated before changing.
+>
## Other File Sample Submission Scenarios
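Review bot: In the certifications paragraph the link text is still "Azure Compliance Offerings", but the new target is /azure/storage/common/storage-compliance-offerings, a path under Azure Storage. Either link to a general compliance offerings page or change the link text so readers know they are landing on a storage-specific article. The added `+>` line after the [!Note] block leaves an empty quote line at the end of the note and can be dropped unless the renderer needs it.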
There are two more scenarios where Defender for Endpoint may request a file samp
When onboarding devices to Microsoft Defender for Endpoint EDR there is a setting to enable sample collections from the device, which can be confused with the settings discussed above. This setting controls file sample collection from devices when requested through the Defender for Endpoint administrative portal; it is subject to the roles and permissions already established. This setting can allow or block file collection from the endpoint for features such as deep analysis in the Defender for Endpoint portal. If this setting is not configured, the default is to enable sample collection.
-[Additional Defender for Endpoint Configuration Settings](/configure-endpoints#additional-defender-for-endpoint-configuration-settings)
+Learn about Defender for Endpoint configuration settings, see: [Onboarding tools and methods for Windows 10 devices in Defender for Endpoint](configure-endpoints.md)
### Automated Investigation and Response Content Analysis When Automated Investigations are running on devices (when configured to run automatically in response to an alert or manually run), files that are identified as suspicious can be collected from the endpoints for further inspection. The file content analysis feature for Automated Investigations can be disabled in the Defender for Endpoint portal. The file extension names can also be modified to add or remove extensions for other file types that will be automatically submitted during an automated investigation.
-[Manage automation file uploads](/manage-automation-file-uploads)
+[Manage automation file uploads](manage-automation-file-uploads.md)
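Review bot: The replacement sentence "Learn about Defender for Endpoint configuration settings, see: ..." is not grammatical; "To learn about Defender for Endpoint configuration settings, see ..." reads correctly. The old link went to the #additional-defender-for-endpoint-configuration-settings anchor and the new one goes to the top of configure-endpoints.md, so a reader looking for the sample collection setting described in the preceding paragraph now has to find it in the onboarding article. Keep the anchor on the relative link if that section still exists.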
security Ios Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-troubleshoot.md
In addition, a notification is shown on the iOS device. Tapping on the notificat
After onboarding, it takes few hours for device to show up in the Device inventory in the Defender for Endpoint security console. Also, ensure that device is registered correctly with Azure Active Directory and device has internet connectivity. For successful onboarding, the device has to be registered via Microsoft Authenticator or Intune Company Portal and the user needs to sign-in using the same account with which device is registered with Azure AD.
+> [!NOTE]
+> Sometimes, the device name is not consistent with that in Microsoft Endpoint Manager (Intune) console. The device name in Defender for Endpoint console is of the format <username_iPhone/iPad model>. You can also use Azure AD device ID to identify the device in the Defender for Endpoint console.
+ ## Data and Privacy For details about data collected and privacy, see [Privacy Information - Microsoft Defender for Endpoint on iOS](ios-privacy.md).
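Review bot: In the added note, the device name format is written as a bare `<username_iPhone/iPad model>`, and Markdown renderers can treat unescaped angle brackets as an HTML tag and drop the text. Put the placeholder in backticks or escape the brackets so the format survives rendering. "Sometimes" also leaves the reader guessing; if the condition under which the names differ is known, state it.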
security Tvm Hunt Exposed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tvm-hunt-exposed-devices.md
Advanced hunting is a query-based threat-hunting tool that lets you explore up t
```kusto // Search for devices with High active alerts or Critical CVE public exploit
-DeviceTvmSoftwareVulnerabilities
+let DeviceWithHighAlerts = AlertInfo
+| where Severity == "High"
+| project Timestamp, AlertId, Title, ServiceSource, Severity
+| join kind=inner (AlertEvidence | where EntityType == "Machine" | project AlertId, DeviceId, DeviceName) on AlertId
+| summarize HighSevAlerts = dcount(AlertId) by DeviceId;
+let DeviceWithCriticalCve = DeviceTvmSoftwareVulnerabilities
| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId | where IsExploitAvailable == 1 and CvssScore >= 7 | summarize NumOfVulnerabilities=dcount(CveId),
-DeviceName=any(DeviceName) by DeviceId
-| join kind =inner(DeviceAlertEvents) on DeviceId
-| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
-DeviceName=any(DeviceName) by DeviceId, AlertId
-| project DeviceName, NumOfVulnerabilities, AlertId
-| order by NumOfVulnerabilities desc
+DeviceName=any(DeviceName) by DeviceId;
+DeviceWithCriticalCve
+| join kind=inner DeviceWithHighAlerts on DeviceId
+| project DeviceId, DeviceName, NumOfVulnerabilities, HighSevAlerts
``` ## Related topics
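Review bot: The leading comment says the query finds devices with High active alerts "or" a Critical CVE with a public exploit, but the final `join kind=inner DeviceWithHighAlerts on DeviceId` returns only devices that appear in both sets, so a device with exploitable vulnerabilities and no high-severity alert is dropped. Change the comment to "and", or change the join if the union is what is intended. The comment also says "Critical" while the filter is `CvssScore >= 7`, and says "active" while nothing in `DeviceWithHighAlerts` restricts alerts by status or time. The `project Timestamp, AlertId, Title, ServiceSource, Severity` step keeps columns that are never used after the `summarize`, and the removed `order by NumOfVulnerabilities desc` has no replacement, so results come back unordered.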
security Web Content Filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md
Before trying out this feature, make sure you meet the following requirements:
## User experience
-The blocking experience for third-party supported browsers is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. For a more user-friendly, in-browser experience, consider using Microsoft Edge.
+The blocking experience for third-party supported browsers is provided by Network Protection, which provides a system-level message notifying the user of a blocked connection. For a more user-friendly, in-browser experience, consider using Microsoft Edge.
## Data handling
A panel will open where you can select the priority and add additional details s
### URL category lookup
-To determine the category of a website, you can use the URL search function available on the Microsoft 365 Defender portal (https://security.microsoft.com). In the URL search results, the web content filtering category appears under **URL/Domain details**. Administrators can also dispute the category of the domain directly from this page, as shown in the image below. If the category result is not shown, the URL is not currently assigned to an existing web content filtering category.
+To determine the category of a website, you can use the URL search function available on the Microsoft 365 Defender portal (https://security.microsoft.com) under **Endpoints** > **Search**. In the URL search results, the web content filtering category appears under **URL/Domain details**. Administrators can also dispute the category of the domain directly from this page, as shown in the following image. If the category result is not shown, the URL is not currently assigned to an existing web content filtering category.
![Image of web content filtering category lookup results](../../media/web-content-filtering-category-lookup.png)
Use the time range filter at the top left of the page to select a time period. Y
- [Monitor web security](web-protection-monitoring.md) - [Respond to web threats](web-protection-response.md) - [Requirements for Network Protection](web-content-filtering.md)-
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
An alert page is composed of these sections:
- Alert story, which is the chain of events and alerts related to this alert in chronological order - Summary details - Throughout an alert page, you can select the ellipses (**...**) beside any entity to see available actions, such as opening the alert page or linking the alert to another incident. ### Alert sources
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
You can also open the main page for an incident by selecting the incident name f
The **Summary** page gives you a snapshot glance at the top things to notice about the incident.
-The attack categories give you a visual and numeric view of how advanced the attack has progressed against the kill chain. As with other Microsoft security products, Microsoft 365 Defender is aligned to the [MITRE ATT&CK&trade;](https://attack.mitre.org/) framework.
+Information is organized in these sections.
-The scope section gives you a list of top impacted assets that are part of this incident. If there is specific information regarding this asset, such as risk level, investigation priority as well as any tagging on the assets this will also surface in this section.
+| Section | Description |
+|:-|:--|
+| Alerts and categories | A visual and numeric view of how advanced the attack has progressed against the kill chain. As with other Microsoft security products, Microsoft 365 Defender is aligned to the [MITRE ATT&CK&trade;](https://attack.mitre.org/) framework. The alerts timeline shows the chronological order in which the alerts occurred and for each, their status and name. |
+| Scope | Displays the number of impacted devices, users, and mailboxes and lists the entities in order of risk level and investigation priority. |
+| Evidence | Displays the number of entities affected by the incident. |
+| Incident information | Displays the properties of the incident, such as tags, status, and severity. |
+|||
-The alerts timeline provides a sneak peek into the chronological order in which the alerts occurred, as well as the reasons that these alerts are linked to this incident.
-
-And last - the evidence section provides a summary of how many different artifacts were included in the incident and their remediation status, so you can immediately identify if any action is needed by you.
-
-This overview can assist in the initial triage of the incident by providing insight into the top characteristics of the incident that you should be aware of.
+Use the **Summary** page to assess the relative importance of the incident and quickly access the associated alerts and impacted entities.
## Alerts
-On the **Alert** tab, you can view the alert queue for alerts related to the incident and other information about them such as:
+On the **Alerts** tab, you can view the alert queue for alerts related to the incident and other information about them such as:
- Severity. - The entities that were involved in the alert.
Here's an example.
:::image type="content" source="../../media/investigate-incidents/incident-alerts.png" alt-text="Example of an Alerts page for an incident":::
-By default, the alerts are ordered chronologically to allow you to see how the incident played out over time.
-When you select an alert within an incident, Microsoft 365 Defender displays the alert information specific to the context of the overall incident.
+By default, the alerts are ordered chronologically to allow you to see how the attack played out over time. When you select an alert within an incident, Microsoft 365 Defender displays the alert information specific to the context of the overall incident.
-You can see the events of the alert, which other triggered alerts caused the current alert, and all the affected entities and activities involved in the attack, including files, users, and mailboxes.
+You can see the events of the alert, which other triggered alerts caused the current alert, and all the affected entities and activities involved in the attack, including devices, files, users, and mailboxes.
Here's an example. :::image type="content" source="../../media/investigate-incidents/incident-alert-example.png" alt-text="Example of an alert details page within an incident":::
-This incident alert page is composed of these sections:
+The incident alert page has these sections:
+
+- Alert story, which includes:
+
+ - What happened
+
+ - Actions taken
+
+ - Related events
+
+- Alert properties in the right pane (state, details, description, and others)
-- Alert story, which includes a summary of what happened-- Related events and alerts-- Summary details
+Not every alert will have all of the listed subsections in the **Alert story** section.
Learn how to use the alert queue and alert pages in [investigate alerts](investigate-alerts.md).
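Review bot: The new Evidence row says only "Displays the number of entities affected by the incident", while the paragraph it replaces said the section also shows remediation status so an analyst can tell whether action is needed. If the Summary page still shows that status, keep it in the row, because it is the triage-relevant part. The same applies to the alerts timeline, where the removed text mentioned the reasons alerts are linked to the incident. The trailing `|||` row adds an empty table row and can be removed, and "how advanced the attack has progressed" in the first row should read "how far the attack has progressed".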
The **Devices** tab lists all the devices related to the incident. Here's an exa
:::image type="content" source="../../media/investigate-incidents/incident-devices.png" alt-text="Example of a Devices page for an incident":::
-You can select the check mark for a device to see details of the device, directory data, active alerts, and logged on users. Select the name of the device to see device details in the Microsoft Defender for Endpoints device inventory.
+You can select the check mark for a device to see details of the device, directory data, active alerts, and logged on users. Select the name of the device to see device details in the Microsoft Defender for Endpoints device inventory. Here's an example.
:::image type="content" source="../../media/investigate-incidents/incident-devices-details.png" alt-text="Example of a devices page for Microsoft Defender for Endpoints"::: From the device page, you can gather additional information about the device, such as all of its alerts, a timeline, and security recommendations. For example, from the **Timeline** tab, you can scroll through the machine timeline and view all events and behaviors observed on the machine in chronological order, interspersed with the alerts raised. > [!TIP]
-> You can do on-demand scans on a device page. In the Microsoft 365 security center, choose **Endpoints > Device inventory**. Select a device that has alerts, and then run an antivirus scan. Actions, such as antivirus scans, are tracked and are visible on the **Device inventory** page. To learn more, see [Run Microsoft Defender Antivirus scan on devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#run-microsoft-defender-antivirus-scan-on-devices).
+> You can do on-demand scans on a device page. In the Microsoft 365 Defender portal, choose **Endpoints > Device inventory**. Select a device that has alerts, and then run an antivirus scan. Actions, such as antivirus scans, are tracked and are visible on the **Device inventory** page. To learn more, see [Run Microsoft Defender Antivirus scan on devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#run-microsoft-defender-antivirus-scan-on-devices).
## Users
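Review bot: The changed sentence still says "Microsoft Defender for Endpoints device inventory"; the product name used in the tip just below and in the rest of this article is "Microsoft Defender for Endpoint", so fix the plural while this line is being touched. The same misspelling is in the alt-text of the image that the new "Here's an example." sentence introduces.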
You can select the check mark for a mailbox to see a list of active alerts. Sele
## Investigations
-The **Investigations** tab lists all the [automated investigations](m365d-autoir.md) triggered by alerts in this incident. The investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Microsoft Defender for Endpoint and Defender for Office 365.
+The **Investigations** tab lists all the [automated investigations](m365d-autoir.md) triggered by alerts in this incident. Automated investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Microsoft Defender for Endpoint and Defender for Office 365.
:::image type="content" source="../../media/investigate-incidents/incident-investigations.png" alt-text="Example of an Investigations page for an incident":::
security User Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags.md
After you apply system tags or custom tags to users, you can use those tags as f
- [Email entity page](mdo-email-entity-page.md#other-innovations) - [Threat protection status report](view-email-security-reports.md#threat-protection-status-report) - [Campaign Views](campaigns.md)
+- [Admin and user submissions](admin-submission.md)
- For priority accounts, you can use the [Email issues for priority accounts report](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report) in the Exchange admin center (EAC). This article explains how to configure user tags in the Microsoft 365 Defender portal. There are no cmdlets in Microsoft 365 Defender portal to manage user tags.