Updates from: 08/12/2022 01:26:06
Category Microsoft Docs article Related commit history on GitHub Change details
threat-intelligence Index Backup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/index-backup.md
+
+ Title: 'What is Microsoft Defender Threat Intelligence (Defender TI)?'
+description: 'In this overview article, learn about the main features that come with Microsoft Defender Threat Intelligence (Defender TI).'
++++ Last updated : 08/02/2022+++
+# What is Microsoft Defender Threat Intelligence (Defender TI)?
+
+Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. Analysts spend a significant amount of time on data discovery, collection, and parsing, instead of focusing on what actually helps their organization defend themselves--deriving insights about the actors through analysis and correlation.?
+
+Often, analysts must go to multiple repositories to obtain the critical data sets they need to assess a suspicious domain, host, or IP address. DNS data, WHOIS information, malware, and SSL certificates provide important context to indicators of compromise (IOCs), but these repositories are widely distributed and donΓÇÖt always share a common data structure, making it difficult to ensure analysts have all relevant data needed to make a proper and timely assessment of suspicious infrastructure.
+
+Interacting with these data sets can be cumbersome and pivoting between these repositories is time-consuming, draining the resources of security operations groups that constantly need to re-prioritize their response efforts.
+
+Cyber Threat Intelligence Analysts struggle with balancing a breadth of threat intelligence ingestion with the analysis of which threat intelligence poses the biggest threats to their organization and/or industry.
+
+In the same breadth, Vulnerability Intelligence Analysts battle correlating their asset inventory with CVE information to prioritize the investigation and remediation of the most critical vulnerabilities associated with their organization.
+
+MicrosoftΓÇÖs goal is to re-imagine the analyst workflow by developing a platform, Defender TI, that aggregates and enriches critical data sources and displays data in an innovative, easy to use interface to correlate when indicators are linked to articles and vulnerabilities, infrastructure chain together indicators of compromise (IOCs), and collaborate on investigations with fellow Defender TI licensed users within their tenant. With security organizations actioning an ever-increasing amount of intelligence and alerts within their environment, having a Threat Analysis & Intelligence Platform that allows for accurate and timely assessments of alerting is important.
+
+Below is a screenshot of Defender TIΓÇÖs Threat Intelligence Home Page. Analysts can quickly scan new featured articles as well as begin their intelligence gathering, triage, incident response, and hunting efforts by performing a keyword, artifact or CVE-ID search.
+
+![TI Overview Edge Screenshot](media/tiOverviewEdgeScreenshot.png)
+
+## Defender TI articles
+Articles are narratives by Microsoft that provide insight into threat actors, tooling, attacks, and vulnerabilities. Defender TI featured and articles are not blog posts about threat intelligence; while they summarize different threats, they also link to actionable content and key indicators of compromise to help users take action. By including this technical information in the threat summaries, we enable users to continually track threat actors, tooling, attacks, and vulnerabilities as they change.
+
+## Featured articles
+
+The featured article section of the Defender TI Threat Intelligence Home Page (right below the search bar) shows you the featured Microsoft content:
+
+![TI Overview Featured Articles](media/tiOverviewFeaturedArticles.png)
+
+Clicking the article takes you to the underlying article content. The article synopsis gives the user a quick understanding of the article. The Indicators call-out shows how many Public and Defender TI indicators are associated with the article.
+
+![TI Overview Featured Article](media/tiOverviewFeaturedArticle.png)
+
+## Articles
+
+All articles (including featured articles) are listed under the Microsoft Defender TI Threat Intelligence Home Page articles section, ordered by their creation date (descending):
+
+![TI Overview Articles](media/tiOverviewArticles.png)
+
+## Article descriptions
+
+The description section of the article detail screen contains information about the attack or attacker profiled. The content can range from very short (in the case of OSINT bulletins) or quite long (for long-form reporting ΓÇô especially when Microsoft has augmented the report with content). The longer descriptions may contain images, links to the underlying content, links to searches within Defender TI, attacker code snippets, and firewall rules to block the attack:
+
+![TI Overview Article Description](media/tiOverviewArticleDescription.png)
+
+## Public indicators
+
+The public indicators section of the screen shows the previously published indicators related to the article. The links in the public indicators take one to the underlying Defender TI data or relevant external sources (e.g., VirusTotal for hashes).
+
+![TI Overview Article Public Indicators](media/tiOverviewArticlePublicIndicators.png)
+
+## Defender TI indicators
+
+The Defender TI indicators section covers the indicators that Defender TIΓÇÖs research team has found and added to the articles.
+
+These links also pivot into the relevant Defender TI data or the corresponding external source.
+
+![TI Overview Article Defender TI Indicators](media/tiOverviewArticleDefenderTiIndicators.png)
+
+## Vulnerability articles
+
+Defender TI offers CVE-ID searches to help users identify critical information about the CVE. CVE-ID searches result in Vulnerability Articles.
+
+Vulnerability Articles provide key context behind CVEs of interest. Each article contains a description of the CVE, a list of affected components, tailored mitigation procedures and strategies, related intelligence articles, references in Deep & Dark Web chatter, and other key observations. These articles provide deeper context and actionable insights behind each CVE, enabling users to more quickly understand these vulnerabilities and quickly mitigate them.
+
+Vulnerability Articles also include a Defender TI Priority Score and severity indicator. The Defender TI Priority Score is a unique algorithm which reflects the priority of a CVE based on the CVSS score, exploits, chatter, and linkage to malware. Furthermore, the Defender TI Priority Score evaluates the recency of these components so users can understand which CVEs should be remediated first.
+
+## Reputation scoring
+
+Defender TI provides proprietary reputation scores for any Host, Domain, or IP Address. Whether validating the reputation of a known or unknown entity, this score helps users quickly understand any detected ties to malicious or suspicious infrastructure. The platform provides quick information about the activity of these entities, such as First and Last Seen timestamps, ASN, country, associated infrastructure, and a list of rules that impact the reputation score when applicable.
+
+![Reputation Summary Card](media/reputationSummaryCard.png)
+
+IP reputation data is important to understanding the trustworthiness of your own attack surface and is also useful when assessing unknown hosts, domains or IP addresses that appear in investigations. These scores will uncover any prior malicious or suspicious activity that impacted the entity, or other known indicators of compromise that should be considered.
+
+For more information, see [Reputation scoring](reputation-scoring.md).
+
+## Analyst insights
+
+Analyst insights distill MicrosoftΓÇÖs vast data set into a handful of observations that simplify the investigation and make it more approachable to analysts of all levels.
+
+Insights are meant to be small facts or observations about a domain or IP address and provide Defender TI users with the ability to make an assessment about the artifact queried and improve a user's ability to determine if an indicator being investigated is malicious, suspicious, or benign.
+
+For more information, see [Analyst insights](analyst-insights.md).
+
+![Summary Tab Analyst Insights](media/summaryTabAnalystInsights.png)
+
+## Data sets
+Microsoft centralizes numerous data sets into a single platform, Defender TI, making it easier for MicrosoftΓÇÖs community and customers to conduct infrastructure analysis. MicrosoftΓÇÖs primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases.
+
+Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversariesΓÇÖ infrastructure associated with actor groups targeting their organization. Microsoft collects internet data via itsΓÇÖ PDNS sensor network, global proxy network of virtual users, port scans, and leverages third-party sources for malware and added Domain Name System (DNS) data.
+
+This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, WHOIS, SSL Certificates, Subdomains, Hashes, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific artifact type or time in history.
+
+For more information, see:
+
+- [Sorting, filtering, and downloading data](sorting-filtering-and-downloading-data.md)
+- [Data sets](data-sets.md)
+
+![ti Overview Data Sets](media/tiOverviewDataSets.png)
+
+## Tags
+
+Defender TI tags are used to provide quick insight about an artifact, whether derived by the system or generated by other users. Tags aid analysts in connecting the dots between current incidents and investigations and their historical context for improved analysis.
+
+The Defender TI platform offers two types of tags: system tags and custom tags.
+
+For more information, see [Using tags](using-tags.md).
+
+![Tags Custom](media/tagsCustom.png)
+
+## Projects
+
+MicrosoftΓÇÖs Defender TI platform allows users to develop multiple project types for organizing indicators of interest and indicators of compromise from an investigation. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, and collaborators.
+
+When a user searches an IP address, domain, or host in Defender TI, if that indicator is listed within a project the user has access to, the user can see a link to the project from the Projects sections in the Summary tab as well as Data tab. From here, the user can navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information. This helps analysts to avoid reinventing the wheel of an investigation one of their Defender TI tenant users may have already started or add onto that investigation by adding new artifacts (indicators of compromise) related to that project (if they have been added as a collaborator to the project).
+
+For more information, see [Using projects](using-projects.md).
+
+![Defender TI Overview Projects](media/defenderTIOverviewProjects.png)
+
+## Data residency, availability, and privacy
+
+Microsoft Defender Threat Intelligence contains both global data and customer-specific data. The underlying internet data is global Microsoft data; labels applied by customers are considered customer data. All customer data is stored in the region of the customerΓÇÖs choosing.
+
+For security purposes, Microsoft collects users' IP addresses when they log in. This data is stored for up to 30 days but may be stored longer if needed to investigate potential fraudulent or malicious use of the product.
+
+In the case of a region down scenario, customers should see no downtime as Defender TI uses technologies that replicate data to a backup regions.
+
+Defender TI processes customer data. By default, customer data is replicated to the paired region.
+
+## Next steps
+
+For more information, see:
+
+- [Quickstart: Learn how to access Microsoft Defender Threat Intelligence and make customizations in your portal](learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal.md)
+- [Data sets](data-sets.md)
+- [Searching and pivoting](searching-and-pivoting.md)
+- [Sorting, filtering, and downloading data](sorting-filtering-and-downloading-data.md)
+- [Infrastructure chaining](infrastructure-chaining.md)
+- [Reputation scoring](reputation-scoring.md)
+- [Analyst insights](analyst-insights.md)
+- [Using projects](using-projects.md)
+- [Using tags](using-tags.md)
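Review bot: The file added here is "index-backup.md", and its title, description and body are the same text that this update also adds as "what-is-microsoft-defender-threat-intelligence-defender-ti.md", so the public branch would carry two copies of one article under the same H1. If the backup is not meant to be published, drop it from the commit; if it has to stay, give it a distinct title or redirect it so the two pages cannot drift apart. While the copy exists, any wording fix made to the article has to be made here as well.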
threat-intelligence What Is Microsoft Defender Threat Intelligence Defender Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti.md
+
+ Title: 'What is Microsoft Defender Threat Intelligence (Defender TI)?'
+description: 'In this overview article, learn about the main features that come with Microsoft Defender Threat Intelligence (Defender TI).'
++++ Last updated : 08/02/2022+++
+# What is Microsoft Defender Threat Intelligence (Defender TI)?
+
+Microsoft Defender Threat Intelligence (Defender TI) is a platform that streamlines triage, incident response, threat hunting, vulnerability management, and cyber threat intelligence analyst workflows when conducting threat infrastructure analysis and gathering threat intelligence. Analysts spend a significant amount of time on data discovery, collection, and parsing, instead of focusing on what actually helps their organization defend themselves--deriving insights about the actors through analysis and correlation.?
+
+Often, analysts must go to multiple repositories to obtain the critical data sets they need to assess a suspicious domain, host, or IP address. DNS data, WHOIS information, malware, and SSL certificates provide important context to indicators of compromise (IOCs), but these repositories are widely distributed and donΓÇÖt always share a common data structure, making it difficult to ensure analysts have all relevant data needed to make a proper and timely assessment of suspicious infrastructure.
+
+Interacting with these data sets can be cumbersome and pivoting between these repositories is time-consuming, draining the resources of security operations groups that constantly need to re-prioritize their response efforts.
+
+Cyber Threat Intelligence Analysts struggle with balancing a breadth of threat intelligence ingestion with the analysis of which threat intelligence poses the biggest threats to their organization and/or industry.
+
+In the same breadth, Vulnerability Intelligence Analysts battle correlating their asset inventory with CVE information to prioritize the investigation and remediation of the most critical vulnerabilities associated with their organization.
+
+MicrosoftΓÇÖs goal is to re-imagine the analyst workflow by developing a platform, Defender TI, that aggregates and enriches critical data sources and displays data in an innovative, easy to use interface to correlate when indicators are linked to articles and vulnerabilities, infrastructure chain together indicators of compromise (IOCs), and collaborate on investigations with fellow Defender TI licensed users within their tenant. With security organizations actioning an ever-increasing amount of intelligence and alerts within their environment, having a Threat Analysis & Intelligence Platform that allows for accurate and timely assessments of alerting is important.
+
+Below is a screenshot of Defender TIΓÇÖs Threat Intelligence Home Page. Analysts can quickly scan new featured articles as well as begin their intelligence gathering, triage, incident response, and hunting efforts by performing a keyword, artifact or CVE-ID search.
+
+![TI Overview Edge Screenshot](media/tiOverviewEdgeScreenshot.png)
+
+## Defender TI articles
+Articles are narratives by Microsoft that provide insight into threat actors, tooling, attacks, and vulnerabilities. Defender TI featured and articles are not blog posts about threat intelligence; while they summarize different threats, they also link to actionable content and key indicators of compromise to help users take action. By including this technical information in the threat summaries, we enable users to continually track threat actors, tooling, attacks, and vulnerabilities as they change.
+
+## Featured articles
+
+The featured article section of the Defender TI Threat Intelligence Home Page (right below the search bar) shows you the featured Microsoft content:
+
+![TI Overview Featured Articles](media/tiOverviewFeaturedArticles.png)
+
+Clicking the article takes you to the underlying article content. The article synopsis gives the user a quick understanding of the article. The Indicators call-out shows how many Public and Defender TI indicators are associated with the article.
+
+![TI Overview Featured Article](media/tiOverviewFeaturedArticle.png)
+
+## Articles
+
+All articles (including featured articles) are listed under the Microsoft Defender TI Threat Intelligence Home Page articles section, ordered by their creation date (descending):
+
+![TI Overview Articles](media/tiOverviewArticles.png)
+
+## Article descriptions
+
+The description section of the article detail screen contains information about the attack or attacker profiled. The content can range from very short (in the case of OSINT bulletins) or quite long (for long-form reporting ΓÇô especially when Microsoft has augmented the report with content). The longer descriptions may contain images, links to the underlying content, links to searches within Defender TI, attacker code snippets, and firewall rules to block the attack:
+
+![TI Overview Article Description](media/tiOverviewArticleDescription.png)
+
+## Public indicators
+
+The public indicators section of the screen shows the previously published indicators related to the article. The links in the public indicators take one to the underlying Defender TI data or relevant external sources (e.g., VirusTotal for hashes).
+
+![TI Overview Article Public Indicators](media/tiOverviewArticlePublicIndicators.png)
+
+## Defender TI indicators
+
+The Defender TI indicators section covers the indicators that Defender TIΓÇÖs research team has found and added to the articles.
+
+These links also pivot into the relevant Defender TI data or the corresponding external source.
+
+![TI Overview Article Defender TI Indicators](media/tiOverviewArticleDefenderTiIndicators.png)
+
+## Vulnerability articles
+
+Defender TI offers CVE-ID searches to help users identify critical information about the CVE. CVE-ID searches result in Vulnerability Articles.
+
+Vulnerability Articles provide key context behind CVEs of interest. Each article contains a description of the CVE, a list of affected components, tailored mitigation procedures and strategies, related intelligence articles, references in Deep & Dark Web chatter, and other key observations. These articles provide deeper context and actionable insights behind each CVE, enabling users to more quickly understand these vulnerabilities and quickly mitigate them.
+
+Vulnerability Articles also include a Defender TI Priority Score and severity indicator. The Defender TI Priority Score is a unique algorithm which reflects the priority of a CVE based on the CVSS score, exploits, chatter, and linkage to malware. Furthermore, the Defender TI Priority Score evaluates the recency of these components so users can understand which CVEs should be remediated first.
+
+## Reputation scoring
+
+Defender TI provides proprietary reputation scores for any Host, Domain, or IP Address. Whether validating the reputation of a known or unknown entity, this score helps users quickly understand any detected ties to malicious or suspicious infrastructure. The platform provides quick information about the activity of these entities, such as First and Last Seen timestamps, ASN, country, associated infrastructure, and a list of rules that impact the reputation score when applicable.
+
+![Reputation Summary Card](media/reputationSummaryCard.png)
+
+IP reputation data is important to understanding the trustworthiness of your own attack surface and is also useful when assessing unknown hosts, domains or IP addresses that appear in investigations. These scores will uncover any prior malicious or suspicious activity that impacted the entity, or other known indicators of compromise that should be considered.
+
+For more information, see [Reputation scoring](reputation-scoring.md).
+
+## Analyst insights
+
+Analyst insights distill MicrosoftΓÇÖs vast data set into a handful of observations that simplify the investigation and make it more approachable to analysts of all levels.
+
+Insights are meant to be small facts or observations about a domain or IP address and provide Defender TI users with the ability to make an assessment about the artifact queried and improve a user's ability to determine if an indicator being investigated is malicious, suspicious, or benign.
+
+For more information, see [Analyst insights](analyst-insights.md).
+
+![Summary Tab Analyst Insights](media/summaryTabAnalystInsights.png)
+
+## Data sets
+Microsoft centralizes numerous data sets into a single platform, Defender TI, making it easier for MicrosoftΓÇÖs community and customers to conduct infrastructure analysis. MicrosoftΓÇÖs primary focus is to provide as much data as possible about Internet infrastructure to support a variety of security use cases.
+
+Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversariesΓÇÖ infrastructure associated with actor groups targeting their organization. Microsoft collects internet data via itsΓÇÖ PDNS sensor network, global proxy network of virtual users, port scans, and leverages third-party sources for malware and added Domain Name System (DNS) data.
+
+This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, WHOIS, SSL Certificates, Subdomains, Hashes, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific artifact type or time in history.
+
+For more information, see:
+
+- [Sorting, filtering, and downloading data](sorting-filtering-and-downloading-data.md)
+- [Data sets](data-sets.md)
+
+![ti Overview Data Sets](media/tiOverviewDataSets.png)
+
+## Tags
+
+Defender TI tags are used to provide quick insight about an artifact, whether derived by the system or generated by other users. Tags aid analysts in connecting the dots between current incidents and investigations and their historical context for improved analysis.
+
+The Defender TI platform offers two types of tags: system tags and custom tags.
+
+For more information, see [Using tags](using-tags.md).
+
+![Tags Custom](media/tagsCustom.png)
+
+## Projects
+
+MicrosoftΓÇÖs Defender TI platform allows users to develop multiple project types for organizing indicators of interest and indicators of compromise from an investigation. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, and collaborators.
+
+When a user searches an IP address, domain, or host in Defender TI, if that indicator is listed within a project the user has access to, the user can see a link to the project from the Projects sections in the Summary tab as well as Data tab. From here, the user can navigate to the details of the project for more context about the indicator before reviewing the other data sets for more information. This helps analysts to avoid reinventing the wheel of an investigation one of their Defender TI tenant users may have already started or add onto that investigation by adding new artifacts (indicators of compromise) related to that project (if they have been added as a collaborator to the project).
+
+For more information, see [Using projects](using-projects.md).
+
+![Defender TI Overview Projects](media/defenderTIOverviewProjects.png)
+
+## Data residency, availability, and privacy
+
+Microsoft Defender Threat Intelligence contains both global data and customer-specific data. The underlying internet data is global Microsoft data; labels applied by customers are considered customer data. All customer data is stored in the region of the customerΓÇÖs choosing.
+
+For security purposes, Microsoft collects users' IP addresses when they log in. This data is stored for up to 30 days but may be stored longer if needed to investigate potential fraudulent or malicious use of the product.
+
+In the case of a region down scenario, customers should see no downtime as Defender TI uses technologies that replicate data to a backup regions.
+
+Defender TI processes customer data. By default, customer data is replicated to the paired region.
+
+## Next steps
+
+For more information, see:
+
+- [Quickstart: Learn how to access Microsoft Defender Threat Intelligence and make customizations in your portal](learn-how-to-access-microsoft-defender-threat-intelligence-and-make-customizations-in-your-portal.md)
+- [Data sets](data-sets.md)
+- [Searching and pivoting](searching-and-pivoting.md)
+- [Sorting, filtering, and downloading data](sorting-filtering-and-downloading-data.md)
+- [Infrastructure chaining](infrastructure-chaining.md)
+- [Reputation scoring](reputation-scoring.md)
+- [Analyst insights](analyst-insights.md)
+- [Using projects](using-projects.md)
+- [Using tags](using-tags.md)
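Review bot: In the "Data residency, availability, and privacy" section, "All customer data is stored in the region of the customer's choosing" sits a few lines above "By default, customer data is replicated to the paired region", and the text never says whether the paired region stays inside the chosen geography or whether that default can be changed. State this explicitly, since readers with residency requirements will rely on this paragraph. The same section says sign-in IP addresses are kept "up to 30 days but may be stored longer if needed" without an upper bound; name the limit or link to the retention policy. Wording to fix in the same pass: the first paragraph ends with ".?", "In the same breadth" should be "In the same breath", "Defender TI featured and articles" has its words out of order, "can range from very short ... or quite long" needs "to" instead of "or", "its" is written with a trailing apostrophe before "PDNS sensor network", and "a backup regions" mixes singular and plural. The curly apostrophes show up as "ΓÇÖ" on this page; straight apostrophes would avoid that.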
admin About Guest Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/add-users/about-guest-users.md
You must be a global administrator to perform this task.
## Understanding guest accounts in Microsoft 365 Being able to easily share files and documents with the right people while preventing oversharing requires planning. The following resources provide more background to help you create a secure guest sharing environment in Microsoft 365.-- Plan external collaboration-- Create a secure guest sharing environment-- Set up secure file and document sharing and collaboration with Teams in Microsoft 365-- Guest access in Microsoft Teams
+- [Plan external collaboration](../../solutions/plan-external-collaboration.md)
+- [Create a secure guest sharing environment](../../solutions/create-secure-guest-sharing-environment.md)
+- [Set up secure file and document sharing and collaboration with Teams in Microsoft 365](../../solutions/setup-secure-collaboration-with-teams.md)
+- [Guest access in Microsoft Teams](/microsoftteams/guest-access)
In addition to Microsoft Teams and SharePoint, Microsoft 365 also supports guest access in other applications. The following Microsoft 365 products support guest access. -- Power Apps (Canvas apps) - Share a canvas app with guest users.-- Lists - External or guest sharing in OneDrive, SharePoint, and Lists.-- OneDrive - External or guest sharing in OneDrive, SharePoint, and Lists.-- Planner ΓÇô Applies to Web and mobile platforms. Guest access in Microsoft Planner.-- Microsoft 365 groups - Manage guest access in Microsoft 365 groups.-- Yammer - Work with external groups in Yammer networks not aligned to native mode.
+- Power Apps (Canvas apps) - [Share a canvas app with guest users](/power-apps/maker/canvas-apps/share-app-guests).
+- Lists - [External or guest sharing in OneDrive, SharePoint, and Lists](https://support.microsoft.com/office/external-or-guest-sharing-in-onedrive-sharepoint-and-lists-7aa070b8-d094-4921-9dd9-86392f2a79e7).
+- OneDrive - [External or guest sharing in OneDrive, SharePoint, and Lists](https://support.microsoft.com/office/external-or-guest-sharing-in-onedrive-sharepoint-and-lists-7aa070b8-d094-4921-9dd9-86392f2a79e7).
+- Planner ΓÇô Applies to Web and mobile platforms. [Guest access in Microsoft Planner](https://support.microsoft.com/office/guest-access-in-microsoft-planner-cc5d7f96-dced-4da4-ab62-08c72d9759c6).
+- Microsoft 365 groups - [Manage guest access in Microsoft 365 groups](../create-groups/manage-guest-access-in-groups.md).
+- Yammer - [Work with external groups in Yammer networks not aligned to native mode](/yammer/work-with-external-users/create-and-manage-external-groups).
For Microsoft Office applications like Microsoft Word and Excel, guest access is controlled by the location of the output file, for example, Microsoft SharePoint, Teams, and OneDrive.
See [add guests in bulk](/azure/active-directory/b2b/tutorial-bulk-invite) to in
## Related content
-[Manage guest access in Microsoft 365 groups](../create-groups/manage-guest-access-in-groups.md)\
-[Prevent guests from being added to a specific Microsoft 365 group or Microsoft Teams](../../solutions/per-group-guest-access.md)\
+[Manage guest access in Microsoft 365 groups](../create-groups/manage-guest-access-in-groups.md) (article)\
+[Prevent guests from being added to a specific Microsoft 365 group or Microsoft Teams](../../solutions/per-group-guest-access.md) (article)\
[Organization switcher in the Microsoft 365 admin center](https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-organization-switcher-in-the-microsoft-365-admin-center/ba-p/1165543) (article)
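Review bot: In the list of products that support guest access, the Lists and OneDrive bullets now carry the same link text and the same support.microsoft.com target, so the reader sees one link twice; fold them into a single "Lists and OneDrive" bullet. The Planner bullet is also the only one that uses a different dash as its separator and puts a sentence ("Applies to Web and mobile platforms.") before the link; match the "Product - [link]." shape of the other bullets and move the platform remark after the link.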
business-premium M365bp Collaborate Share Securely https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-collaborate-share-securely.md
audience: Admin
ms.localizationpriority: high Previously updated : 08/05/2022 Last updated : 08/11/2022 - M365-Campaigns - m365solution-smb
description: "An overview on how to collaborate and share files and communicate
:::image type="content" source="media/mission5.png" alt-text="Collaborate and share securely using Microsoft Teams SharePoint and OneDrive.":::
-Now that you're protected by the Microsoft 365 Business Premium Office apps, your next mission is to set up secure file sharing and communication. The best way to do collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it. Your organization depends on protecting your data and information, which means that you want to protect your files by all means possible.
+Now that you're protected by the Microsoft 365 Business Premium Office apps, your next mission is to set up secure file sharing and communication. The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it. Your organization depends on protecting your data and information, which means that you want to protect your files by all means possible.
Your objectives are to:
commerce Allowselfservicepurchase Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell.md
search.appverid:
- MET150 description: "Learn how to use the AllowSelfServicePurchase PowerShell cmdlet to turn self-service purchase on or off." Previously updated : 08/09/2022 Last updated : 4/7/2022 # Use AllowSelfServicePurchase for the MSCommerce PowerShell module
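Review bot: The metadata line now reads "Last updated : 4/7/2022" next to "Previously updated : 08/09/2022", so the date moves backward and loses the zero padding used on the other articles in this batch (for example "08/11/2022"). If this commit reverts the trials-without-payment-method change, say so in the commit message; otherwise set the date to the day of the edit.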
The **MSCommerce** PowerShell module is now available on [PowerShell Gallery](ht
You can use the **MSCommerce** PowerShell module to: -- View the default state of the **AllowSelfServicePurchase** parameter valueΓÇöwhether it's enabled, disabled, or allows trials without a payment method-- View a list of applicable products and whether self-service purchase is enabled, disabled, or allows trials without a payment method
+- View the default state of the **AllowSelfServicePurchase** parameter value ΓÇö whether it's enabled or disabled
+- View a list of applicable products and whether self-service purchase is enabled or disabled
- View or modify the current setting for a specific product to either enable or disable it-- View or modify the setting for trials without payment methods ## Requirements
The following table lists the available products and their **ProductId**.
## View or set the status for AllowSelfServicePurchase
-You can set the **Value** parameter for **AllowSelfServicePurchase** to allow or prevent users from making a self-service purchase. You can also use the **OnlyTrialsWithoutPaymentMethod** value to allow users to try products from the approved list of products. Users can only buy the product after the trial is over if **AllowSelfServicePurchase** is enabled.
-
-The **OnlyTrialsWithoutPaymentMethod** value allows temporary trials while still blocking purchases.
-
-The following table describes the settings for the **Value** parameter.
-
-| **Setting** | **Impact** |
-|||
-| Enabled | Users can make self-service purchases and acquire trials for the product. |
-| OnlyTrialsWithoutPaymentMethod | Users cannot make self-service purchases but can acquire trials for the product. They can't purchase the full version after the trial expires. |
-| Disabled | Users can't make self-service purchases or acquire trials for the product. |
+After you view the list of products available for self-service purchase, you can view or modify the setting for a specific product.
To get the policy setting for a specific product, run the following command:
Get-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TT
To enable the policy setting for a specific product, run the following command: ```powershell
-Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Value "Enabled"
+Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Enabled $True
``` To disable the policy setting for a specific product, run the following command: ```powershell
-Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Value "Disabled"
-```
-
-To allow users to try a specific product without a payment method, run the following command:
-
-```powershell
-Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Value "OnlyTrialsWithoutPaymentMethod"
+Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId CFQ7TTC0KP0N -Enabled $False
``` ## Example script to disable AllowSelfServicePurchase
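Review bot: The switch from `-Value "Enabled"` / `-Value "Disabled"` to `-Enabled $True` / `-Enabled $False` comes with no note for admins whose existing scripts pass `-Value`, and the removed table was the only place that explained `OnlyTrialsWithoutPaymentMethod`. Add a sentence saying which parameter form the current module accepts and what an admin who previously set `OnlyTrialsWithoutPaymentMethod` should do. Without it, a tenant that relied on the old setting to block purchases has no way to confirm from this page that the control is still in force.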
The following example walks you through how to import the **MSCommerce** module,
Import-Module -Name MSCommerce Connect-MSCommerce #sign-in with your global or billing administrator account when prompted $product = Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | where {$_.ProductName -match 'Power Automate per user'}
-Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $product.ProductID -Value "Disabled"
+Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $product.ProductID -Enabled $false
``` If there are multiple values for the product, you can run the command individually for each value as shown in the following example: ```powershell
-Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $product[0].ProductID -Value "Disabled"
-Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $product[1].ProductID -Value "Disabled"
+Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $product[0].ProductID -Enabled $false
+Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $product[1].ProductID -Enabled $false
``` + ## Troubleshooting ### Problem
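Review bot: Boolean casing is inconsistent across the article after this change: the example script lines use `-Enabled $false` while the single-command examples earlier use `$True` and `$False`. PowerShell accepts either, but pick one form so readers copying lines do not wonder whether the difference matters.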
Uninstall-Module -Name MSCommerce
## Related content
-[Manage self-service purchases (Admin)](manage-self-service-purchases-admins.md) (article)\
+[Manage self-service purchases (Admin)](manage-self-service-purchases-admins.md) (article)
+ [Self-service purchase FAQ](self-service-purchase-faq.yml) (article)
compliance Sit Defn Eu Debit Card Number https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-defn-eu-debit-card-number.md
description: "EU debit card number sensitive information type entity definition.
## Format
-16 digits
+16 to 19 digits
## Pattern
-Complex and robust pattern
+16 to 19 formatted or unformatted digits
## Checksum
A DLP policy has high confidence that it's detected this type of sensitive infor
- The function `Func_expiration_date` finds a date in the right date format. - The checksum passes.
+A DLP policy has low confidence that it's detected this type of sensitive information if, within a proximity of 300 characters:
+
+- The function Func_eu_debit_card finds content that matches the pattern.
+- The checksum passes.
+ ```xml <!-- EU Debit Card Number -->
- <Entity id="0e9b3178-9678-47dd-a509-37222ca96b42" patternsProximity="300" recommendedConfidence="85">
+ <Entity id="0e9b3178-9678-47dd-a509-37222ca96b42" patternsProximity="300" recommendedConfidence="85" relaxProximity="true">
<Pattern confidenceLevel="85"> <IdMatch idRef="Func_eu_debit_card" /> <Any minMatches="1">
A DLP policy has high confidence that it's detected this type of sensitive infor
<Match idRef="Func_expiration_date" /> </Any> </Pattern>
+
+ <Pattern confidenceLevel="65">
+ <IdMatch idRef="Func_eu_debit_card" />
+ </Pattern>
</Entity> ```
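Review bot: The new `<Pattern confidenceLevel="65">` contains only `<IdMatch idRef="Func_eu_debit_card" />`, so the added prose "if, within a proximity of 300 characters" has nothing to be in proximity to; it was copied from the high-confidence paragraph, where keyword and expiration-date evidence must be nearby. Reword the low-confidence paragraph to say the pattern match and checksum alone are sufficient, and put `Func_eu_debit_card` in backticks to match `Func_expiration_date` above. It is also worth one sentence on what `relaxProximity="true"` changes, since the attribute is introduced here with no explanation and policy authors tuning false positives will need it.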
A DLP policy has high confidence that it's detected this type of sensitive infor
- vervaldag - vervaldatum - vto-- válido hasta
+- válido hasta
compliance Sit Defn International Banking Account Number https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-defn-international-banking-account-number.md
Pattern must include all of the following:
- 1-7 groups of four letters or digits (can be separated by spaces) - 1-3 letters or digits
-The format for each country is slightly different. The IBAN sensitive information type covers these 60 countries:
+The format for each country is slightly different. The IBAN sensitive information type covers these 68 countries:
- ad - ae
The format for each country is slightly different. The IBAN sensitive informatio
- be - bg - bh
+- br
- ch - cr - cy
The format for each country is slightly different. The IBAN sensitive informatio
- gi - gl - gr
+- gt
- hr - hu - ie - il - is - it
+- jo
- kw - kz - lb
The format for each country is slightly different. The IBAN sensitive informatio
- mu - nl - no
+- pk
- pl
+- ps
- pt
+- qa
- ro - rs - sa
The format for each country is slightly different. The IBAN sensitive informatio
- si - sk - sm
+- tl
- tn - tr - vg
+- xk
+ ## Checksum
A DLP policy has high confidence that it's detected this type of sensitive infor
## Keywords
-None
+None
compliance Sit Defn Poland Drivers License Number https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-defn-poland-drivers-license-number.md
description: "Poland driver's license number sensitive information type entity d
## Format
-14 digits containing two forward slashes
+11 or 14 digits containing two forward slashes
## Pattern
-14 digits and two forward slashes:
+11 or 14 digits containing two forward slashes
- five digits - a forward slash - two digits - a forward slash-- seven digits
+- four or seven digits
## Checksum
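Review bot: Under "## Pattern" the replacement line "11 or 14 digits containing two forward slashes" drops the colon that introduced the bullet list and now duplicates the Format line word for word. The arithmetic is consistent (5 + 2 + 4 = 11 and 5 + 2 + 7 = 14), so only the wording needs attention; suggest "11 or 14 digits and two forward slashes:" so the list that follows still reads as the breakdown.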
A DLP policy has medium confidence that it's detected this type of sensitive inf
### Keywords_poland_eu_driver's_license_number - prawo jazdy-- prawa jazdy
+- prawa jazdy
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
There are two versions of the lab available for free download:
|Windows 10 Lab|Windows 11 Lab| |||
-|[Win 10 lab environment](https://download.microsoft.com/download/8/5/e/85e007b0-1f3e-460c-bd0a-5a8c6ec490b5/Win10_21H2_lab.zip)|[Win 11 lab environment](https://download.microsoft.com/download/9/d/9/9d9e278e-a1ea-4704-85e1-cb24f3806f45/Win11_Lab_05.09.zip)|
-|[Win 10 lab guides](https://download.microsoft.com/download/8/5/e/85e007b0-1f3e-460c-bd0a-5a8c6ec490b5/Win10_21H2_guides.zip)|[Win 11 lab guides](https://download.microsoft.com/download/9/d/9/9d9e278e-a1ea-4704-85e1-cb24f3806f45/Win11_Lab_Guides_05.09.zip)|
+|[Win 10 lab environment](https://download.microsoft.com/download/8/5/e/85e007b0-1f3e-460c-bd0a-5a8c6ec490b5/Win10_21H2_lab.zip)|[Win 11 lab environment](https://download.microsoft.com/download/5/0/b/50bbe36a-9291-4339-9dcc-2a444fcd1659/Microsoft365DeviceLabKit.zip)|
+|[Win 10 lab guides](https://download.microsoft.com/download/8/5/e/85e007b0-1f3e-460c-bd0a-5a8c6ec490b5/Win10_21H2_guides.zip)|[Win 11 lab guides](https://download.microsoft.com/download/5/0/b/50bbe36a-9291-4339-9dcc-2a444fcd1659/Win11_SetUp_Guide_08.05.zip)|
## A complete lab environment
The lab provides you with an automatically provisioned virtual lab environment,
|Windows 10 Lab|Windows 11 Lab| ||| |Windows 10 Enterprise, Version 21H2|Windows 11 Enterprise|
-|Microsoft Endpoint Configuration Manager, Version 2203|Microsoft Endpoint Configuration Manager, Version 2203|
+|Microsoft Endpoint Configuration Manager, Version 2103|Microsoft Endpoint Configuration Manager, Version 2203|
|Windows Assessment and Deployment Kit for Windows 10|Windows Assessment and Deployment Kit for Windows 11| |Windows Server 2019|Windows Server 2022|
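Review bot: In the Windows 10 Lab column the Configuration Manager version goes from 2203 down to 2103 while the Windows 11 Lab column stays at 2203. Confirm the Windows 10 kit really ships the lower version and that this is not a transposition; if it is intended, the download links in the table above still point at the same Win10_21H2 archive, so state that the contents description was wrong before rather than that the kit changed.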
Detailed lab guides take you through multiple deployment and management scenario
> [!NOTE]
-> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The virtual clients expire 90 days after activation of the lab. The virtual servers expire on September 11, 2022. New versions of the labs will be published prior to expiration.
+> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows client virtual machines expire 90 days after activation of the lab. New versions of the labs will be published prior to expiration.
## Additional guidance
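Review bot: The rewritten note removes "The virtual servers expire on September 11, 2022" and now covers only "The Windows client virtual machines", leaving readers with no statement about the server VMs. Either give the server expiry for the new kit or say explicitly that the servers do not have a fixed expiry date, so nobody builds a lab that stops working partway through an evaluation.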
lighthouse M365 Lighthouse Review Audit Logs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-review-audit-logs.md
The following table lists activities captured within Lighthouse audit logs. The
| **apply** or **deploy** | Tenants | Apply a deployment plan | Azure AD, Microsoft Endpoint Manager (MEM) | | **assignTag** | Tenants | Apply a tag from a customer | Lighthouse | | **changeDeploymentStatus** or **assign** | Tenants | Update action plan status for deployment plan | Lighthouse |
-| **managedTenantOperations** | Tenants | View information on a deployment plan | Azure AD |
| **offboardTenant** | Tenants | Inactivate a customer | Lighthouse | | **resetTenantOnboardingStatus** | Tenants | Reactive a customer | Lighthouse | | **tenantTags** | Tenants | Create or delete a tag | Lighthouse |
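Review bot: While this table is being edited, the adjacent row for **resetTenantOnboardingStatus** still reads "Reactive a customer"; that should be "Reactivate a customer". It is a context line here, but it sits next to the removed **managedTenantOperations** row and is worth fixing in the same commit.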
The following table lists activities captured within Lighthouse audit logs. The
| **confirmUsersCompromised** | Users | Confirm a user is compromised | Azure AD | | **dismissUsersRisk** | Users | Dismiss user risk | Azure AD | | **resetUserPassword** | Users | Reset password | Azure AD |
-| **getConditionalAccessPolicies** | Users | View CA policies requiring MFA | Azure AD |
-| **getTenantIDToTenantNameMap** | Users | Search for IDs | Azure AD |
-| **getUsers** | Users | Search for users | Azure AD |
-| **getUsersWithoutMfa** | Users | View users not registered for MFA | Azure AD |
-| **getSsprEnabledButNotRegisteredUsers** | Users | View users not registered for SSPR | Azure AD |
| **setCustomerSecurityDefaultsEnabledStatus** | Users | Enable multifactor authentication (MFA) with security defaults | Azure AD |
-|**getCompliancePolicyInfo** | Devices | View a policy | MEM
-|**getDeviceCompliancePolicyStates** | Devices | View policy states | MEM
-|**getDeviceCompliancePolicySettingStates** | Devices | View non-compliant settings | MEM
-|**getDeviceCompliancePolicySettingStateSummaries** | Devices | View non-compliant devices | MEM
-|**getTenantsDeviceCompliancePolicies** | Devices | Compare policies | MEM
| **restartDevice** | Devices | Restart | MEM | | **syncDevice** | Devices | Sync | MEM | | **rebootNow** | Threat management | Reboot | MEM | | **reprovision** | Windows 365 | Retry provisioning | Windows 365 |
-| **getDeviceUserInfo** | Threat management | View managed device user information | MEM |
-| **getManagedDevice**, **remoteActionAudits**, or **deviceActionResults** | Threat management | View managed device information | MEM |
| **windowsDefenderScanFull** | Threat management | Full scan | MEM | | **windowsDefenderScan** | Threat management | Quick scan | MEM | | **windowsDefenderUpdateSignatures** | Threat management | Update antivirus | MEM |
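Review bot: Every row removed in this hunk is a read-only activity (the `get*` entries plus **remoteActionAudits** and **deviceActionResults**, described as "View", "Search" or "Compare"), yet the table introduction still says it "lists activities captured within Lighthouse audit logs" without qualification. Add a sentence stating whether view and search operations are no longer recorded or are simply no longer documented. Anyone using these logs to reconstruct who looked at MFA registration or device compliance data needs to know which of the two it is.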
security Get Defender Business Servers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/get-defender-business-servers.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: none Previously updated : 08/09/2022 Last updated : 08/11/2022 f1.keywords: NOCSH
# How to get Microsoft Defender for Business servers (preview)
+Microsoft Defender for Business servers (preview) enables you to onboard a device running Windows Server or Linux Server to Defender for Business or Microsoft 365 Business Premium. When the Microsoft Defender for Business servers license becomes generally available, you'll need one license for each server instance.
+
+Here's how to get Microsoft Defender for Business servers (preview):
+ 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in. 2. Turn on preview settings.
security Get Defender Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/get-defender-business.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Previously updated : 08/10/2022 Last updated : 08/11/2022 f1.keywords: NOCSH
When you're ready to get started, you'll work with two main portals: the Microso
|Portal |Description | |||
-| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center to activate your trial and sign in for the first time.<p> You'll also use the Microsoft 365 admin center to: <ul><li>Add or remove users.</li><li>Assign user licenses.</li><li>View your products and services.</li><li>Complete setup tasks for your Microsoft 365 subscription.</li></ul><p>To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |
-| The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft 365 Defender portal to set up and configure Defender for Business.<p>You'll use the Microsoft 365 Defender portal to: <ul><li>View your devices and device protection policies.</li><li>View detected threats and take action.</li><li>View security recommendations and manage your security settings.</li></ul><p>To learn more, see [Get started using the Microsoft 365 Defender portal](mdb-get-started.md). |
+| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center to activate your trial and sign in for the first time.<p> You'll also use the Microsoft 365 admin center to: <ul><li>Add or remove users.</li><li>Assign user licenses.</li><li>View your products and services.</li><li>Complete setup tasks for your Microsoft 365 subscription.</li></ul>To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |
+| The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft 365 Defender portal to set up and configure Defender for Business.<p>You'll use the Microsoft 365 Defender portal to: <ul><li>View your devices and device protection policies.</li><li>View detected threats and take action.</li><li>View security recommendations and manage your security settings.</li></ul>To learn more, see [Get started using the Microsoft 365 Defender portal](mdb-get-started.md). |
> [!TIP] > You can use the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)) to onboard devices, and to configure security settings. To learn more about Intune, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune).
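Review bot: Both rewritten rows drop the `<p>` before "To learn more" but keep the earlier `<p>` (after "sign in for the first time." and after "configure Defender for Business.") with no closing tag, so the cell now mixes an unclosed paragraph, a list, and bare text after `</ul>`. Either close the remaining `<p>` or replace it with `<br/><br/>`, which is the convention the Defender for Business settings tables in this same batch use.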
security Mdb Configure Security Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md
The following table can help you choose where to manage your security policies a
| **Use the Microsoft Endpoint Manager admin center** | If your company is already using Intune to manage security policies, you can continue using the Endpoint Manager admin center to manage your devices and security policies. To learn more, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). <br/><br/>If you decide to switch to the [simplified configuration process in Defender for Business](mdb-simplified-configuration.md), you'll be prompted to delete any existing security policies in Intune to avoid [policy conflicts](mdb-troubleshooting.yml) later. | > [!IMPORTANT]
-> If you're managing security policies in the Microsoft 365 Defender portal, you can *view* those policies in the Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), where they're listed as **Antivirus** or **Firewall** policies. When you view your firewall policies in the admin center, you'll see two policies listed: one policy for firewall protection and another for custom rules.
+> If you're managing security policies in the Microsoft 365 Defender portal, you can *view* those policies in the Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), where they're listed as **Antivirus** or **Firewall** policies. When you view your firewall policies in the Endpoint Manager admin center, you'll see two policies listed: one policy for firewall protection and another for custom rules.
## View or edit your next-generation protection policies
The following table describes advanced feature settings.
| Setting | Description | |:|:| | **Automated Investigation** <br/>(turned on by default) | As alerts are generated, automated investigations can occur. Each automated investigation determines whether a detected threat requires action and then takes or recommends remediation actions, such as sending a file to quarantine, stopping a process, isolating a device, or blocking a URL. While an investigation is running, any related alerts that arise are added to the investigation until it's completed. If an affected entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.<br/><br/>You can view investigations on the **Incidents** page. Select an incident, and then select the **Investigations** tab.<br/><br/>By default, automated investigation and response capabilities are turned on, tenant wide. **We recommend keeping automated investigation turned on**. If you turn it off, real-time protection in Microsoft Defender Antivirus will be affected, and your overall level of protection will be reduced. <br/><br/>[Learn more about automated investigations](../defender-endpoint/automated-investigations.md). |
-| **Live Response** | Defender for Business includes the following types of manual response actions: <ul><li>Run antivirus scan</li><li>Isolate device</li><li>Stop and quarantine a file</li><li>Add an indicator to block or allow a file</li></ul> <br/><br/>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |
+| **Live Response** | Defender for Business includes the following types of manual response actions: <ul><li>Run antivirus scan</li><li>Isolate device</li><li>Stop and quarantine a file</li><li>Add an indicator to block or allow a file</li></ul><br/>[Learn more about response actions](../defender-endpoint/respond-machine-alerts.md). |
| **Live Response for Servers** | (This setting is currently not available in Defender for Business.) | | **Live Response unsigned script execution** | (This setting is currently not available in Defender for Business.) |
-| **Enable EDR in block mode**<br/>(turned on by default) | Provides added protection from malicious artifacts when Microsoft Defender Antivirus isn't the primary antivirus product and is running in passive mode on a device. Endpoint detection and response (EDR) in block mode works behind the scenes to remediate malicious artifacts detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product.<br/><br/>[Learn more about EDR in block mode](../defender-endpoint/edr-in-block-mode.md). |
+| **Enable EDR in block mode**<br/>(turned on by default) | Provides added protection from malicious artifacts when Microsoft Defender Antivirus isn't the primary antivirus product and is running in passive mode on a device. Endpoint detection and response (EDR) in block mode works behind the scenes to remediate malicious artifacts detected by EDR capabilities. Such artifacts might have been missed by the primary, non-Microsoft antivirus product. [Learn more about EDR in block mode](../defender-endpoint/edr-in-block-mode.md). |
| **Allow or block a file** <br/>(turned on by default) | Enables you to allow or block a file by using [indicators](../defender-endpoint/indicator-file.md). This capability requires Microsoft Defender Antivirus to be in active mode and [cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md) turned on.<br/><br/>Blocking a file prevents it from being read, written, or executed on devices in your organization. <br/><br/>[Learn more about indicators for files](../defender-endpoint/indicator-file.md). | | **Custom network indicators**<br/>(turned on by default) | Enables you to allow or block an IP address, URL, or domain by using [network indicators](../defender-endpoint/indicator-ip-domain.md). This capability requires Microsoft Defender Antivirus to be in active mode and [network protection](../defender-endpoint/enable-network-protection.md) turned on.<br/><br/>You can allow or block IPs, URLs, or domains based on your threat intelligence. You can also prompt users if they open a risky app, but the prompt won't stop them from using the app.<br/><br/>[Learn more about network protection](../defender-endpoint/network-protection.md). |
-| **Tamper protection**<br/>(we recommend you turn on this setting) | Tamper protection prevents malicious apps from doing actions such as:<ul><li>Disable virus and threat protection</li><li>Disable real-time protection</li><li>Turn off behavior monitoring</li><li>Disable cloud protection</li><li>Remove security intelligence updates</li><li>Disable automatic actions on detected threats</li></ul><br/><br/>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values and prevents your security settings from being changed by apps and unauthorized methods. <br/><br/>[Learn more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |
-| **Show user details**<br/>(turned on by default) | Enables people in your organization to see details, such as employees' pictures, names, titles, and departments. These details are stored in Azure Active Directory (Azure AD).<br/><br/>[Learn more about user profiles in Azure AD](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). |
-| **Skype for Business integration**<br/>(turned on by default) | Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see [Set up Microsoft Teams in your small business](/microsoftteams/deploy-small-business). <br/><br/>Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business. |
+| **Tamper protection**<br/>(we recommend you turn on this setting) | Tamper protection prevents malicious apps from doing actions such as:<ul><li>Disable virus and threat protection</li><li>Disable real-time protection</li><li>Turn off behavior monitoring</li><li>Disable cloud protection</li><li>Remove security intelligence updates</li><li>Disable automatic actions on detected threats</li></ul><br/>Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values and prevents your security settings from being changed by apps and unauthorized methods. [Learn more about tamper protection](../defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md). |
+| **Show user details**<br/>(turned on by default) | Enables people in your organization to see details, such as employees' pictures, names, titles, and departments. These details are stored in Azure Active Directory (Azure AD). [Learn more about user profiles in Azure AD](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal). |
+| **Skype for Business integration**<br/>(turned on by default) | Skype for Business was retired in July 2021. If you haven't already moved to Microsoft Teams, see [Set up Microsoft Teams in your small business](/microsoftteams/deploy-small-business). Integration with Microsoft Teams (or the former Skype for Business) enables one-click communication between people in your business. |
| **Web content filtering**<br/>(turned on by default) | Blocks access to websites that contain unwanted content and tracks web activity across all domains. See [Set up web content filtering](#set-up-web-content-filtering). | | **Microsoft Intune connection**<br/>(we recommend you turn on this setting if you have Intune) | If your organization's subscription includes Microsoft Intune, this setting enables Defender for Business to share information about devices with Intune. |
-| **Device discovery**<br/>(turned on by default) | Enables your security team to find unmanaged devices that are connected to your company network. Unknown and unmanaged devices introduce significant risks to your network, whether it's an unpatched printer, a network device with a weak security configuration, or a server with no security controls.<br/><br/>Device discovery uses onboarded devices to discover unmanaged devices, so your security team can onboard the unmanaged devices and reduce your vulnerability. <br/><br/>[Learn more about device discovery](../defender-endpoint/device-discovery.md). |
-| **Preview features** | Microsoft is continually updating services such as Defender for Business to include new feature enhancements and capabilities. If you opt in to receive preview features, you'll be among the first to try upcoming features in the preview experience. <br/><br/>[Learn more about preview features](../defender-endpoint/preview.md). |
+| **Device discovery**<br/>(turned on by default) | Enables your security team to find unmanaged devices that are connected to your company network. Unknown and unmanaged devices introduce significant risks to your network, whether it's an unpatched printer, a network device with a weak security configuration, or a server with no security controls.<br/><br/>Device discovery uses onboarded devices to discover unmanaged devices, so your security team can onboard the unmanaged devices and reduce your vulnerability. [Learn more about device discovery](../defender-endpoint/device-discovery.md). |
+| **Preview features** | Microsoft is continually updating services such as Defender for Business to include new feature enhancements and capabilities. If you opt in to receive preview features, you'll be among the first to try upcoming features in the preview experience. [Learn more about preview features](../defender-endpoint/preview.md). |
## View and edit other settings in the Microsoft 365 Defender portal
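Review bot: The "Learn more" links are now separated three different ways within one table: the changed rows (EDR in block mode, Tamper protection, Show user details, Preview features) run the link inline after the last sentence, **Live Response** keeps `</ul><br/>` before it, and the unchanged rows (Automated Investigation, Allow or block a file, Custom network indicators) still use `<br/><br/>`. Apply one style to every row in the table. Separately, the **Skype for Business integration** row is still labelled "(turned on by default)" while its description says the product was retired in July 2021; consider renaming the row or explaining what the toggle controls today.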
security Mdb Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-email-notifications.md
You can set up email notifications for your security team. Then, as alerts are g
2. [View and edit email notification settings](#view-and-edit-email-notifications). 3. [Proceed to your next steps](#next-steps). -- ## Types of email notifications When you set up email notifications, you can choose from two types, as described in the following table:
security Mdb Firewall https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-firewall.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
security Mdb Get Help https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-help.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 - SMB - M365-security-compliance
description: Get help or contact support if you have any issues with Defender fo
## Get help and support
-If you need help with Defender for Business, select the Help icon (?) in the upper right corner of the screen. Type your question or issue. Several options, such as quick answers or help articles, will be listed.
+1. If you need help with Defender for Business, select the Help icon (?) in the upper right corner of the screen.
-If you don't see the answer to your question, you can open a support ticket. See [Get support](../../admin/get-help-support.md)
+2. Type your question or issue, and then select the blue arrow, as shown in the following screenshot:
+
+ :::image type="content" source="media/help-pane.png" alt-text="Screenshot of help pane with a question about how to add devices.":::
+
+ Several options, such as quick answers or help articles, will be listed.
+
+3. Select an item in the list of results. If you don't see the answer to your question, select **Contact Support** at the bottom of the flyout pane. For more information, see [Get support](../../admin/get-help-support.md)
## See also
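Review bot: In step 3 the closing sentence "For more information, see [Get support](../../admin/get-help-support.md)" still has no terminating period; add one while the line is being rewritten. In step 2, "Several options, such as quick answers or help articles, will be listed." describes the result of selecting the blue arrow, so it reads more naturally as the opening of step 3 than as a trailing paragraph under the screenshot.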
security Mdb Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-started.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
Use the navigation bar on the left side of the screen to access your incidents,
| Item | Description | |:|:|
-| **Home** | Takes you to your home page in the Microsoft 365 Defender portal. The home page highlights any active threats that are detected, along with recommendations to help secure your company's data and devices. <br/><br/>Recommendations are included in Defender for Business to save your security team time and effort. The recommendations are based on industry best practices. To learn more, see [Security recommendations - threat and vulnerability management](../defender-endpoint/tvm-security-recommendation.md). |
-| **Incidents** | Takes you to your list of recent incidents. As alerts are triggered, incidents are created. An incident can include multiple alerts. Make sure to review your incidents regularly. <br/><br/>To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md).|
-| **Actions & submissions** > **Action center** | Takes you to your list of response actions, including completed and pending actions.<ul><li>Select the **History** tab to see the actions that were taken. Some actions are taken automatically; others are taken manually or complete after they're approved.</li><li>Select the **Pending** tab to view actions that require approval to proceed.</li></ul><br/><br/>To learn more, see [Review remediation actions in the Action center](mdb-review-remediation-actions.md). |
+| **Home** | Takes you to your home page in the Microsoft 365 Defender portal. The home page highlights any active threats that are detected, along with recommendations to help secure your company's data and devices. Recommendations are included in Defender for Business to save your security team time and effort. The recommendations are based on industry best practices. To learn more, see [Security recommendations - threat and vulnerability management](../defender-endpoint/tvm-security-recommendation.md). |
+| **Incidents** | Takes you to your list of recent incidents. As alerts are triggered, incidents are created. An incident can include multiple alerts. Make sure to review your incidents regularly. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md).|
+| **Actions & submissions** > **Action center** | Takes you to your list of response actions, including completed and pending actions.<ul><li>Select the **History** tab to see the actions that were taken. Some actions are taken automatically; others are taken manually or complete after they're approved.</li><li>Select the **Pending** tab to view actions that require approval to proceed.</li></ul><br/>To learn more, see [Review remediation actions in the Action center](mdb-review-remediation-actions.md). |
| **Actions & submissions** > **Submissions** | Takes you to the unified submissions portal, where you can submit files to Microsoft for analysis. To learn more, see [Submit files in Microsoft Defender for Endpoint](../defender-endpoint/admin-submissions-mde.md) (the process is similar for Defender for Business). |
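Review bot: The **Action center** row keeps a single `<br/>` in `</ul><br/>To learn more`, while the **Home** and **Incidents** rows in the same change drop the break entirely. The closing `</ul>` already ends the block, so either remove the `<br/>` here or apply one break style to every row so the "To learn more" links render the same way throughout the table.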
-| **Threat analytics** | Takes you to a view of current threats, and provides an at-a-glance view of your threat landscape. Threat analytics also includes reports and information from Microsoft security researchers. <br/><br/>To learn more, see [Track and respond to emerging threats through threat analytics](../defender-endpoint/threat-analytics.md). |
-| **Secure score** | Provides a representation of your company's security position and offers suggestions to improve it.<br/><br/>To learn more, see [Microsoft Secure Score for Devices](../defender-endpoint/tvm-microsoft-secure-score-devices.md). |
+| **Threat analytics** | Takes you to a view of current threats, and provides an at-a-glance view of your threat landscape. Threat analytics also includes reports and information from Microsoft security researchers. To learn more, see [Track and respond to emerging threats through threat analytics](../defender-endpoint/threat-analytics.md). |
+| **Secure score** | Provides a representation of your company's security position and offers suggestions to improve it. To learn more, see [Microsoft Secure Score for Devices](../defender-endpoint/tvm-microsoft-secure-score-devices.md). |
| **Learning hub** | Provides access to security training and other resources through learning paths that are included with your subscription. You can filter by product, skill level, role, and more. The Learning hub can help your security team ramp up on security features and capabilities in Defender for Business and more Microsoft offerings, such as [Microsoft Defender for Endpoint](../defender-endpoint/microsoft-defender-endpoint.md) and [Microsoft Defender for Office 365](../office-365-security/defender-for-office-365.md). | | **Trials** | Try additional security and compliance capabilities by adding on a trial subscription. | | **Endpoints** > **Device inventory** | Enables you to search for one or more devices that were onboarded to Defender for Business. | | **Endpoints** > **Vulnerability management** | Provides a dashboard, recommendations, remediation activities, a software inventory, and a list of potential weaknesses within your company. |
-| **Endpoints** > **Tutorials** | Provides access to walkthroughs and simulations to help you learn more about how your threat protection features work. <br/><br/>Select the **Read the walkthrough** link before attempting to get the simulation file for each tutorial. Some simulations require Office apps, such as Microsoft Word, to read the walkthrough. |
-| **Endpoints** > **Configuration management** > **Device configuration** | Lists your security policies by operating system and by type. <br/><br/>To learn more about your security policies, see [View or edit policies in Defender for Business](mdb-view-edit-policies.md). |
+| **Endpoints** > **Tutorials** | Provides access to walkthroughs and simulations to help you learn more about how your threat protection features work. Select the **Read the walkthrough** link before attempting to get the simulation file for each tutorial. Some simulations require Office apps, such as Microsoft Word, to read the walkthrough. |
+| **Endpoints** > **Configuration management** > **Device configuration** | Lists your security policies by operating system and by type. To learn more about your security policies, see [View or edit policies in Defender for Business](mdb-view-edit-policies.md). |
| **Endpoints** > **Configuration management** > **Device management reporting** | Lists devices that are onboarded to Defender for Business, along with their operating system version, sensor health state, and when they were last updated. | | **Reports** | Lists available security reports. These reports enable you to see your security trends, view details about threat detections and alerts, and learn more about your company's vulnerable devices. | | **Health** | Enables you to view your service health status and plan for upcoming changes. <ul><li>Select **Service health** to view the health status of the Microsoft 365 services that are included in your company's subscription.</li><li>Select **Message center** to learn about planned changes and what to expect.</li></ul> |
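Review bot: In the **Tutorials** row, "Select the **Read the walkthrough** link before attempting to get the simulation file for each tutorial." is a prerequisite step that previously stood in its own paragraph and is now buried mid-cell after the description. Keep it visually separate, or move it to the front of the cell. The next sentence, "Some simulations require Office apps, such as Microsoft Word, to read the walkthrough.", is also ambiguous about whether Office is needed for the simulation or only for the walkthrough document, and could be tightened in the same pass.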
security Mdb Lighthouse Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-lighthouse-integration.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
security Mdb Manage Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
security Mdb Next Gen Configuration Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-next-gen-configuration-settings.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
The following table lists settings and options.
| Setting | Description | |:|:| | **Real-time protection** | |
-| **Turn on real-time protection** | Enabled by default, real-time protection locates and stops malware from running on devices. *We recommend keeping real-time protection turned on.*<p>When real-time protection is turned on, it configures the following settings:<ul><li>Behavior monitoring is turned on ([AllowBehaviorMonitoring](/windows/client-management/mdm/policy-csp-defender#defender-allowbehaviormonitoring)).</li><li>All downloaded files and attachments are scanned ([AllowIOAVProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowioavprotection)).</li><li>Scripts that are used in Microsoft browsers are scanned ([AllowScriptScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowscriptscanning)).</li></ul> |
-| **Block at first sight** | Enabled by default, block at first sight blocks malware within seconds of detection, increases the time (in seconds) allowed to submit sample files for analysis, and sets your detection level to High. *We recommend keeping block at first sight turned on.*<p>When block at first sight is turned on, it configures the following settings for Microsoft Defender Antivirus:<ul><li>Blocking and scanning of suspicious files is set to the High blocking level ([CloudBlockLevel](/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel)).</li><li>The number of seconds for a file to be blocked and checked is set to 50 seconds ([CloudExtendedTimeout](/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout)).</li></ul> <p>**Important** If block at first sight is turned off, it affects `CloudBlockLevel` and `CloudExtendedTimeout` for Microsoft Defender Antivirus. |
-| **Turn on network protection** | When turned on, network protection helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet. It also prevents users from turning network protection off.<p>Network protection can be set to the following modes:<ul><li>**Block mode** is the default setting. It prevents users from visiting sites that are considered unsafe. *We recommend keeping network protection set to Block mode.*</li><li>**Audit mode** allows users to visit sites that might be unsafe and tracks network activity to/from such sites.</li><li>**Disabled mode** neither blocks users from visiting sites that might be unsafe nor tracks network activity to/from such sites.</li></ul> |
+| **Turn on real-time protection** | Enabled by default, real-time protection locates and stops malware from running on devices. *We recommend keeping real-time protection turned on.* When real-time protection is turned on, it configures the following settings:<ul><li>Behavior monitoring is turned on ([AllowBehaviorMonitoring](/windows/client-management/mdm/policy-csp-defender#defender-allowbehaviormonitoring)).</li><li>All downloaded files and attachments are scanned ([AllowIOAVProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowioavprotection)).</li><li>Scripts that are used in Microsoft browsers are scanned ([AllowScriptScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowscriptscanning)).</li></ul> |
+| **Block at first sight** | Enabled by default, block at first sight blocks malware within seconds of detection, increases the time (in seconds) allowed to submit sample files for analysis, and sets your detection level to High. *We recommend keeping block at first sight turned on.*<br/><br/>When block at first sight is turned on, it configures the following settings for Microsoft Defender Antivirus:<ul><li>Blocking and scanning of suspicious files is set to the High blocking level ([CloudBlockLevel](/windows/client-management/mdm/policy-csp-defender#defender-cloudblocklevel)).</li><li>The number of seconds for a file to be blocked and checked is set to 50 seconds ([CloudExtendedTimeout](/windows/client-management/mdm/policy-csp-defender#defender-cloudextendedtimeout)).</li></ul> <br/>**Important** If block at first sight is turned off, it affects `CloudBlockLevel` and `CloudExtendedTimeout` for Microsoft Defender Antivirus. |
+| **Turn on network protection** | When turned on, network protection helps protect against phishing scams, exploit-hosting sites, and malicious content on the internet. It also prevents users from turning network protection off.<br/><br/>Network protection can be set to the following modes:<ul><li>**Block mode** is the default setting. It prevents users from visiting sites that are considered unsafe. *We recommend keeping network protection set to Block mode.*</li><li>**Audit mode** allows users to visit sites that might be unsafe and tracks network activity to/from such sites.</li><li>**Disabled mode** neither blocks users from visiting sites that might be unsafe nor tracks network activity to/from such sites.</li></ul> |
| **Remediation** | |
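Review bot: The `<p>` replacement is inconsistent across these three rows. **Turn on real-time protection** collapses it to a space, while **Block at first sight** and **Turn on network protection** use `<br/><br/>`. Pick one so the "it configures the following settings" lead-ins render alike. In **Block at first sight**, the `**Important**` note now follows a single `<br/>` and has no colon, so it runs straight into "If block at first sight is turned off"; since it warns about a change to `CloudBlockLevel` and `CloudExtendedTimeout`, give it the same `<br/><br/>` separation and a colon.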
-| **Action to take on potentially unwanted apps (PUA)** | PUA can include advertising software; bundling software that offers to install other, unsigned software; and evasion software that attempts to evade security features. Although PUA isn't necessarily a virus, malware, or other type of threat, it can affect device performance.<p>PUA protection blocks items that are detected as PUA. You can set PUA protection to the following:<ul><li>**Enabled** is the default setting. It blocks items detected as PUA on devices. *We recommend keeping PUA protection enabled.*</li><li>**Audit mode** takes no action on items detected as PUA.</li><li>**Disabled** doesn't detect or take action on items that might be PUA.</li></ul> |
+| **Action to take on potentially unwanted apps (PUA)** | PUA can include advertising software; bundling software that offers to install other, unsigned software; and evasion software that attempts to evade security features. Although PUA isn't necessarily a virus, malware, or other type of threat, it can affect device performance. PUA protection blocks items that are detected as PUA. You can set PUA protection to the following:<ul><li>**Enabled** is the default setting. It blocks items detected as PUA on devices. *We recommend keeping PUA protection enabled.*</li><li>**Audit mode** takes no action on items detected as PUA.</li><li>**Disabled** doesn't detect or take action on items that might be PUA.</li></ul> |
| **Scan** | |
-| **Scheduled scan type** | Consider running a weekly antivirus scan on your devices. You can choose from the following scan type options:<ul><li>**Quickscan** checks locations, such as registry keys and startup folders, where malware could be registered to start along with a device. *We recommend using the quickscan option.*</li><li>**Fullscan** checks all files and folders on a device.</li><li>**Disabled** means no scheduled scans will take place. Users can still run scans on their own devices. (In general, we don't recommend disabling scheduled scans.)</li></ul><p> [Learn more about scan types](../defender-endpoint/schedule-antivirus-scans.md). |
+| **Scheduled scan type** | Consider running a weekly antivirus scan on your devices. You can choose from the following scan type options:<ul><li>**Quickscan** checks locations, such as registry keys and startup folders, where malware could be registered to start along with a device. *We recommend using the quickscan option.*</li><li>**Fullscan** checks all files and folders on a device.</li><li>**Disabled** means no scheduled scans will take place. Users can still run scans on their own devices. (In general, we don't recommend disabling scheduled scans.)</li></ul><br/> [Learn more about scan types](../defender-endpoint/schedule-antivirus-scans.md). |
| **Day of week to run a scheduled scan** | Select a day for your regular, weekly antivirus scans to run. | | **Time of day to run a scheduled scan** | Select a time to run your regularly scheduled antivirus scans to run. |
-| **Use low performance** | This setting is turned off by default. *We recommend keeping this setting turned off.* However, you can turn on this setting to limit the device memory and resources that are used during scheduled scans. <p>**Important** If you turn on **Use low performance**, it configures the following settings for Microsoft Defender Antivirus:<ul><li>Archive files aren't scanned ([AllowArchiveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowarchivescanning)).</li><li>Scans are assigned a low CPU priority ([EnableLowCPUPriority](/windows/client-management/mdm/policy-csp-defender#defender-enablelowcpupriority)).</li><li>If a full antivirus scan is missed, no catch-up scan will run ([DisableCatchupFullScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan)).</li><li>If a quick antivirus scan is missed, no catch-up scan will run ([DisableCatchupQuickScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan)).</li><li>Reduces the average CPU load factor during an antivirus scan from 50 percent to 20 percent ([AvgCPULoadFactor](/windows/client-management/mdm/policy-csp-defender#defender-avgcpuloadfactor)).</li></ul> |
+| **Use low performance** | This setting is turned off by default. *We recommend keeping this setting turned off.* However, you can turn on this setting to limit the device memory and resources that are used during scheduled scans. **Important** If you turn on **Use low performance**, it configures the following settings for Microsoft Defender Antivirus:<ul><li>Archive files aren't scanned ([AllowArchiveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowarchivescanning)).</li><li>Scans are assigned a low CPU priority ([EnableLowCPUPriority](/windows/client-management/mdm/policy-csp-defender#defender-enablelowcpupriority)).</li><li>If a full antivirus scan is missed, no catch-up scan will run ([DisableCatchupFullScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan)).</li><li>If a quick antivirus scan is missed, no catch-up scan will run ([DisableCatchupQuickScan](/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan)).</li><li>Reduces the average CPU load factor during an antivirus scan from 50 percent to 20 percent ([AvgCPULoadFactor](/windows/client-management/mdm/policy-csp-defender#defender-avgcpuloadfactor)).</li></ul> |
| **User experience** | | | **Allow users to access the Windows Security app** | Turn on this setting to enable users to open the Windows Security app on their devices. Users won't be able to override settings that you configure in Defender for Business, but they'll be able to run a quick scan or view any detected threats. |
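Review bot: In the **Use low performance** row, replacing `<p>**Important**` with a space puts the warning inline, directly after "during scheduled scans." This callout lists the protections that are reduced (archive files aren't scanned, no catch-up scans run, lower CPU load factor), so it should stay visually distinct. Use `<br/><br/>**Important**:` here, matching the break style used in the **Block at first sight** row.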
-| **Antivirus exclusions** | Exclusions are processes, files, or folders that are skipped by Microsoft Defender Antivirus scans. *In general, you shouldn't need to define exclusions.* Microsoft Defender Antivirus includes many automatic exclusions that are based on known operating system behavior and typical management files.<p>[Learn more about exclusions](../defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md). |
-| **Process exclusions** | Process exclusions prevent files that are opened by specific processes from being scanned by Microsoft Defender Antivirus. <p>[Learn more about process exclusions](../defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). |
-| **File extension exclusions** | File extension exclusions prevent files with specific extensions from being scanned by Microsoft Defender Antivirus.<p>[Learn more about file extension exclusions](../defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md). |
-| **File and folder exclusions** | File and folder exclusions prevent files that are in specific folders from being scanned by Microsoft Defender Antivirus. <p>[Learn more about file and folder exclusions](../defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md). |
+| **Antivirus exclusions** | Exclusions are processes, files, or folders that are skipped by Microsoft Defender Antivirus scans. *In general, you shouldn't need to define exclusions.* Microsoft Defender Antivirus includes many automatic exclusions that are based on known operating system behavior and typical management files. [Learn more about exclusions](../defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md). |
+| **Process exclusions** | Process exclusions prevent files that are opened by specific processes from being scanned by Microsoft Defender Antivirus. [Learn more about process exclusions](../defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). |
+| **File extension exclusions** | File extension exclusions prevent files with specific extensions from being scanned by Microsoft Defender Antivirus. [Learn more about file extension exclusions](../defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md). |
+| **File and folder exclusions** | File and folder exclusions prevent files that are in specific folders from being scanned by Microsoft Defender Antivirus. [Learn more about file and folder exclusions](../defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md). |
## Other preconfigured settings in Defender for Business
The following table describes settings that are preconfigured for Defender for B
| Setting | Description | |||
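Review bot: The **File and folder exclusions** row links "Learn more about file and folder exclusions" to `configure-extension-file-exclusions-microsoft-defender-antivirus.md`, the same target as the **File extension exclusions** row above it. Confirm that is intended. If that one article covers both, consider a link text that says so, so readers don't assume the link is a copy-paste error. The **Antivirus exclusions** row could also state plainly that each exclusion reduces scan coverage, since the rows that follow only describe what is skipped.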
-| [Cloud protection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Sometimes referred to as cloud-delivered protection or Microsoft Advanced Protection Service (MAPS), cloud protection works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected. By default, [AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) is turned on. <p>[Learn more about cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md). |
+| [Cloud protection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) | Sometimes referred to as cloud-delivered protection or Microsoft Advanced Protection Service (MAPS), cloud protection works with Microsoft Defender Antivirus and the Microsoft cloud to identify new threats, sometimes even before a single device is affected. By default, [AllowCloudProtection](/windows/client-management/mdm/policy-csp-defender#defender-allowcloudprotection) is turned on. [Learn more about cloud protection](../defender-endpoint/cloud-protection-microsoft-defender-antivirus.md). |
| [Monitoring for incoming and outgoing files](/windows/client-management/mdm/policy-csp-defender#defender-realtimescandirection) | To monitor incoming and outgoing files, [RealTimeScanDirection](/windows/client-management/mdm/policy-csp-defender#defender-realtimescandirection) is set to monitor all files. | | [Scan network files](/windows/client-management/mdm/policy-csp-defender#defender-allowscanningnetworkfiles) | By default, [AllowScanningNetworkFiles](/windows/client-management/mdm/policy-csp-defender#defender-allowscanningnetworkfiles) isn't enabled, and network files aren't scanned. | | [Scan email messages](/windows/client-management/mdm/policy-csp-defender#defender-allowemailscanning) | By default, [AllowEmailScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowemailscanning) isn't enabled, and email messages aren't scanned. | | [Number of days (0-90) to keep quarantined malware](/windows/client-management/mdm/policy-csp-defender#defender-daystoretaincleanedmalware) | By default, the [DaysToRetainCleanedMalware](/windows/client-management/mdm/policy-csp-defender#defender-daystoretaincleanedmalware) setting is set to zero (0) days. Artifacts that are in quarantine aren't removed automatically. |
-| [Submit samples consent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | By default, [SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) is set to send safe samples automatically. Examples of safe samples include `.bat`, `.scr`, `.dll`, and `.exe` files that don't contain personally identifiable information (PII). If a file does contain PII, the user receives a request to allow the sample submission to proceed.<p>[Learn more about cloud protection and sample submission](../defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md). |
-| [Scan removable drives](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) | By default, [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) is configured to scan removable drives, such as USB thumb drives on devices.<p>[Learn more about antimalware policy settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#list-of-antimalware-policy-settings). |
-| [Run daily quick scan time](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime) | By default, [ScheduleQuickScanTime](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime) is set to 2:00 AM.<p>[Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings). |
-| [Check for signature updates before running scan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan) | By default, [CheckForSignaturesBeforeRunningScan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan) is configured to check for security intelligence updates prior to running antivirus/antimalware scans.<p>[Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) and [Security intelligence updates](../defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md#security-intelligence-updates). |
-| [How often (0-24 hours) to check for security intelligence updates](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval) | By default, [SignatureUpdateInterval](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval) is configured to check for security intelligence updates every four hours.<p>[Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) and [Security intelligence updates](../defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md#security-intelligence-updates). |
+| [Submit samples consent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | By default, [SubmitSamplesConsent](/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) is set to send safe samples automatically. Examples of safe samples include `.bat`, `.scr`, `.dll`, and `.exe` files that don't contain personally identifiable information (PII). If a file does contain PII, the user receives a request to allow the sample submission to proceed. [Learn more about cloud protection and sample submission](../defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md). |
+| [Scan removable drives](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) | By default, [AllowFullScanRemovableDriveScanning](/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) is configured to scan removable drives, such as USB thumb drives on devices. [Learn more about antimalware policy settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#list-of-antimalware-policy-settings). |
+| [Run daily quick scan time](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime) | By default, [ScheduleQuickScanTime](/windows/client-management/mdm/policy-csp-defender#defender-schedulequickscantime) is set to 2:00 AM. [Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings). |
+| [Check for signature updates before running scan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan) | By default, [CheckForSignaturesBeforeRunningScan](/windows/client-management/mdm/policy-csp-defender#defender-checkforsignaturesbeforerunningscan) is configured to check for security intelligence updates prior to running antivirus/antimalware scans. [Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) and [Security intelligence updates](../defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md#security-intelligence-updates). |
+| [How often (0-24 hours) to check for security intelligence updates](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval) | By default, [SignatureUpdateInterval](/windows/client-management/mdm/policy-csp-defender#defender-signatureupdateinterval) is configured to check for security intelligence updates every four hours. [Learn more about scan settings](/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) and [Security intelligence updates](../defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md#security-intelligence-updates). |
## Next steps
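Review bot: The row label "Check for signature updates before running scan" says "signature updates", but its description and the next row both say "security intelligence updates". Align the label with the term used in the descriptions. In the **Scan removable drives** row, "such as USB thumb drives on devices" needs a comma after "thumb drives" (or drop "on devices"), and "Run daily quick scan time" would read better as a label such as "Daily quick scan time".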
security Mdb Offboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-offboard-devices.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
security Mdb Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-overview.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
security Mdb Policy Order https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-policy-order.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
As policies are added, you'll notice that an order of priority is assigned. You
**The important thing to remember about multiple policies is that devices will receive the first applied policy only.** Referring to our earlier example of three next-generation policies, suppose that you have devices that are targeted by all three policies. In this case, those devices will receive policy number 1, but won't receive policies numbered 2 and 3. - ## Key points to remember about policy order - Policies are assigned an order of priority.
security Mdb Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-reports.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
Several reports are available in the Microsoft 365 Defender portal ([https://sec
|Report |Description | |||
-| **Security report** | The security report provides information about your company's identities, devices, and apps. To access this report, in the navigation pane, choose **Reports** > **General** > **Security report**. <br/><br/>**TIP** You can view similar information on the home page of your Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). |
-| **Threat protection** | The threat protection report provides information about alerts and alert trends. Use the **Alert trends** column to view information about alerts that were triggered over the last 30 days. Use the **Alert status** column to view current snapshot information about alerts, such as categories of unresolved alerts and their classification. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Threat protection**. <br/><br/>**TIP**: You can also use the **Incidents** list to view information about alerts. In the navigation pane, choose **Incidents** to view and manage current incidents. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md). |
-| **Device health and compliance** | The device health and compliance report provides information about device health and trends. You can use this report to determine whether Defender for Business sensors are working correctly on devices and the current status of Microsoft Defender Antivirus. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Device health and compliance**. <br/><br/>**TIP**: You can use the **Device inventory** list to view information about your company's devices. In the navigation pane, choose **Device inventory**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). |
+| **Security report** | The security report provides information about your company's identities, devices, and apps. To access this report, in the navigation pane, choose **Reports** > **General** > **Security report**. <br/><br/>You can view similar information on the home page of your Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). |
+| **Threat protection** | The threat protection report provides information about alerts and alert trends. Use the **Alert trends** column to view information about alerts that were triggered over the last 30 days. Use the **Alert status** column to view current snapshot information about alerts, such as categories of unresolved alerts and their classification. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Threat protection**. <br/><br/>You can also use the **Incidents** list to view information about alerts. In the navigation pane, choose **Incidents** to view and manage current incidents. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md). |
+| **Device health and compliance** | The device health and compliance report provides information about device health and trends. You can use this report to determine whether Defender for Business sensors are working correctly on devices and the current status of Microsoft Defender Antivirus. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Device health and compliance**. <br/><br/>You can use the **Device inventory** list to view information about your company's devices. In the navigation pane, choose **Device inventory**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). |
| **Vulnerable devices** | The vulnerable devices report provides information about devices and trends. Use the **Trends** column to view information about devices that had alerts over the last 30 days. Use the **Status** column to view current snapshot information about devices that have alerts. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Vulnerable devices**.<br/><br/>**TIP**: You can use the **Device inventory** list to view information about your company's devices. In the navigation pane, choose **Device inventory**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). | | **Web protection** | The web protection report shows attempts to access phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that are explicitly blocked. Categories of blocked sites include adult content, leisure sites, legal liability sites, and more. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Web protection**.<br/><br/>If you haven't yet configured web protection for your company, choose the **Settings** button in a report view. Then, under **Rules**, choose **Web content filtering**. To learn more about web content filtering, see [Web content filtering](../defender-endpoint/web-content-filtering.md). | | **Firewall** | The firewall report shows blocked inbound, outbound, and app connections. This report also shows remote IPs connected by multiple devices, and remote IPs with the most connection attempts. <br/><br/>If you haven't yet configured your firewall protection, in the navigation pane, choose **Endpoints** > **Configuration management** > **Device configuration**. To learn more, see [Firewall in Defender for Business](mdb-firewall.md). |
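Review bot: The **Vulnerable devices** row still carries the `**TIP**:` label that this change strips from the Security report, Threat protection, and Device health and compliance rows, so the table ends up with mixed styling. Drop the label in that row as well, or keep it in all four.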
security Mdb Respond Mitigate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-respond-mitigate-threats.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
security Mdb Review Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-review-remediation-actions.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
security Mdb Simplified Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-simplified-configuration.md
To onboard devices and configure security settings for your company's devices, y
1. [Review your setup and configuration options](#review-your-setup-and-configuration-options). 2. [Proceed to your next steps](#next-steps). - ## Review your setup and configuration options The following table describes each experience.
security Mdb Tutorials https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-tutorials.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
This article describes some scenarios to try and several tutorials and simulations that are available for Defender for Business. These resources show how Defender for Business can work for your company. - ## Try these scenarios The following table summarizes several scenarios to try with Defender for Business.
The following table summarizes several scenarios to try with Defender for Busine
| Run a simulated attack | Several tutorials and simulations are available in Defender for Business. These tutorials and simulations show how the threat-protection features of Defender for Business can work for your company. You can also use a simulated attack as a training exercise for your team. To try the tutorials, see [Recommended tutorials for Defender for Business](#recommended-tutorials-for-defender-for-business). | | View incidents in Microsoft 365 Lighthouse | If you're a [Microsoft Cloud Solution Provider](/partner-center/enrolling-in-the-csp-program) using Microsoft 365 Lighthouse, you can view incidents across your customers' tenants in your Microsoft 365 Lighthouse portal. To learn more, see [Microsoft 365 Lighthouse and Defender for Business](mdb-lighthouse-integration.md). | - ## Recommended tutorials for Defender for Business The following table describes the recommended tutorials for Defender for Business customers. | Tutorial | Description | |||
-| **Document Drops Backdoor** | Simulate an attack that introduces file-based malware on a test device. The tutorial describes how to use the simulation file and what to watch for in the Microsoft 365 Defender portal. <p>This tutorial requires that Microsoft Word is installed on your test device. |
+| **Document Drops Backdoor** | Simulate an attack that introduces file-based malware on a test device. The tutorial describes how to use the simulation file and what to watch for in the Microsoft 365 Defender portal. This tutorial requires that Microsoft Word is installed on your test device. |
| **Live Response** | Learn how to use basic and advanced commands with Live Response. Learn how to locate a suspicious file, remediate the file, and gather information on a device. |
-| **Threat & Vulnerability Management (core scenarios)** | Learn about threat and vulnerability management through three scenarios:<ol><li>Reduce your company's threat and vulnerability exposure.</li><li>Request a remediation.</li><li>Create an exception for security recommendations.</li></ol> <p> Threat & Vulnerability Management uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. |
+| **Threat & Vulnerability Management (core scenarios)** | Learn about threat and vulnerability management through three scenarios:<ol><li>Reduce your company's threat and vulnerability exposure.</li><li>Request a remediation.</li><li>Create an exception for security recommendations.</li></ol> <br/> Threat & Vulnerability Management uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. |
Each tutorial includes a walkthrough document that explains the scenario, how it works, and what to do.
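Review bot: The **Document Drops Backdoor** row drops the `<p>` with no replacement, so the Microsoft Word prerequisite now runs straight on from the description, while the **Threat & Vulnerability Management** row swaps the same tag for `<br/>`. Use `<br/>` in both rows so the prerequisite stays visually separate.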
security Mdb Use Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-use-wizard.md
Defender for Business was designed to save small and medium-sized businesses time and effort. For example, you can do initial setup and configuration with a setup wizard. The setup wizard guides you through granting access to your security team, setting up email notifications for your security team, and onboarding your company's Windows devices. - > [!TIP] > Using the setup wizard is optional. You can choose to work through the setup and configuration process manually. To learn more, see: > - [What happens if I don't use the wizard?](#what-happens-if-i-dont-use-the-wizard)
The setup wizard is designed to help you set up and configure Defender for Busin
2. **Set up email notifications**. In this step, you can set up email notifications for your security team. Then, when an alert is generated or a new vulnerability is discovered, your security team won't miss it even if they're away from their desk. [Learn more about email notifications](mdb-email-notifications.md).
-3. **Onboard and configure Windows devices**. In this step, you can onboard your company's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one.
+3. **Onboard and configure Windows devices**. In this step, you can onboard your company's Windows devices to Defender for Business quickly. Onboarding devices right away helps to protect those devices from day one. [Learn more about onboarding devices to Defender for Business](mdb-onboard-devices.md).
- - **If you're already using Microsoft Intune**, and your company has devices enrolled in Intune, you can continue using Intune.
- **If you're not using Intune**, you can onboard devices in the Microsoft 365 Defender portal.
+ - **If you're already using Microsoft Intune**, and your company has devices enrolled in Intune, you can continue using Intune. See [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).
- [Learn more about onboarding devices to Defender for Business](mdb-onboard-devices.md).
-
-4. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can also create your own security policies.
+4. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your company's devices. These default policies use recommended settings and are designed to provide strong protection for your devices. You can also create your own security policies. See [View and edit your security policies and settings](mdb-configure-security-settings.md).
- If you're already using Intune to manage your devices and security policies, you can continue using the Microsoft Endpoint Manager admin center.
+ > [!NOTE]
+ > If you're already using Intune to manage your devices and security policies, you can continue using the Microsoft Endpoint Manager admin center. See [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).
- [View and edit your security policies and settings](mdb-configure-security-settings.md).
## What is automatic onboarding?
security Mdb View Edit Create Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-edit-create-policies.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
In Defender for Business, security settings are configured through policies that
- [Edit an existing policy](#edit-an-existing-policy) - [Create a new policy](#create-a-new-policy)
+> [!NOTE]
+> The procedures in this article describe how to view, edit, and create security policies in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). If you're using Microsoft Intune, see [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security).
## Default policies in Defender for Business
In Defender for Business, there are two main types of policies to protect your c
- **Next-generation protection policies**, which determine how Microsoft Defender Antivirus and other threat protection features are configured - **Firewall policies**, which determine what network traffic is permitted to flow to and from your company's devices - ## View your existing policies 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
security Mdb View Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-manage-incidents.md
ms.prod: m365-security ms.technology: mdb ms.localizationpriority: medium Last updated : 08/11/2022 f1.keywords: NOCSH
When Microsoft Defender Antivirus assigns an alert severity based on the absolut
| Scenario | Alert severity and reason | |:|:|
-| Microsoft Defender Antivirus detects and stops a threat before it does any damage. | Informational <br/><br/>The threat was stopped before any damage was done. |
-| Microsoft Defender Antivirus detects malware that was executing within your company. The malware is stopped and remediated. | Low <br/><br/>Although some damage might have been done to an individual endpoint, the malware now poses no threat to your company. |
-| Malware that is executing is detected by Defender for Business. The malware is blocked almost immediately. | Medium or High <br/><br/>The malware poses a threat to individual endpoints and to your company. |
-| Suspicious behavior is detected but no remediation actions are taken yet. | Low, Medium, or High <br/><br/>The severity depends on the degree to which the behavior poses a threat to your company. |
+| Microsoft Defender Antivirus detects and stops a threat before it does any damage. | **Informational**. The threat was stopped before any damage was done. |
+| Microsoft Defender Antivirus detects malware that was executing within your company. The malware is stopped and remediated. | **Low**. Although some damage might have been done to an individual endpoint, the malware now poses no threat to your company. |
+| Malware that is executing is detected by Defender for Business. The malware is blocked almost immediately. | **Medium** or **High**. The malware poses a threat to individual endpoints and to your company. |
+| Suspicious behavior is detected but no remediation actions are taken yet. | **Low**, **Medium**, or **High**. The severity depends on the degree to which the behavior poses a threat to your company. |
## Next steps
security Trial Playbook Defender Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/trial-playbook-defender-business.md
If you used the setup wizard but you need to onboard more devices, such as non-W
| Device type | Onboarding methods | |:|:| | [Windows clients](mdb-onboard-devices.md) | Choose one of the following options to onboard Windows client devices to Defender for Business:<ul><li>Local script (for onboarding devices manually in the Microsoft 365 Defender portal)</li><li>Group Policy (if you're already using Group Policy and prefer this method)</li><li>Microsoft Intune (if you're already using Intune and prefer to continue using it)</li></ul> |
- | [Mac](mdb-onboard-devices.md) | Choose one of the following options to onboard Mac:<ul><li>Local script for Mac (*recommended*)</li><li>Microsoft Intune for Mac </li></ul><p>We recommend you use a local script to onboard Mac. Although you can [set up enrollment for Mac devices in Intune](/mem/intune/enrollment/macos-enroll), the local script is the simplest method for onboarding Mac to Defender for Business. |
+ | [Mac](mdb-onboard-devices.md) | Choose one of the following options to onboard Mac:<ul><li>Local script for Mac (*recommended*)</li><li>Microsoft Intune for Mac </li></ul><br/>We recommend you use a local script to onboard Mac. Although you can [set up enrollment for Mac devices in Intune](/mem/intune/enrollment/macos-enroll), the local script is the simplest method for onboarding Mac to Defender for Business. |
| Windows Server and Linux servers | *The ability to onboard an instance of Windows Server or Linux Server is currently in preview and requires an additional license*. See the following articles to learn more: <ul><li>[Defender for Business requirements](mdb-requirements.md)</li><li>[Onboard devices to Defender for Business](mdb-onboard-devices.md)</li></ul> | | [Mobile devices](mdb-onboard-devices.md) | Use Microsoft Intune to onboard mobile devices, such as Android and iOS/iPadOS devices. See the following resources to get help enrolling these devices into Intune:<ul><li>[Enroll Android devices](/mem/intune/enrollment/android-enroll)</li><li>[Enroll iOS or iPadOS devices](/mem/intune/enrollment/ios-enroll)</li></ul> |
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
ms.pagetype: security
ms.localizationpriority: medium Last updated : 08/10/2022 audience: ITPro
The following configuration profile contains entries for all settings described
{ "$type":"excludedPath", "isDirectory":false,
- "path":"/var/log/system.log"
+ "path":"/var/log/system.log<EXAMPLE DO NOT USE>"
}, { "$type":"excludedPath", "isDirectory":true,
- "path":"/run"
+ "path":"/run<EXAMPLE DO NOT USE>"
}, { "$type":"excludedPath", "isDirectory":true,
- "path":"/home/*/git"
+ "path":"/home/*/git<EXAMPLE DO NOT USE>"
}, { "$type":"excludedFileExtension",
- "extension":".pdf"
+ "extension":".pdf<EXAMPLE DO NOT USE>"
}, { "$type":"excludedFileName",
- "name":"cat"
+ "name":"cat<EXAMPLE DO NOT USE>"
} ], "allowedThreats":[
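Review bot: The `<EXAMPLE DO NOT USE>` marker is appended inside the string values of `path`, `extension`, and `name`, but nothing in the visible text tells the reader what it means or that it has to be replaced. Add a sentence next to "The following configuration profile contains entries for all settings described" stating that the exclusion values are placeholders, and that each one must be replaced with a path, extension, or file name the organization has actually decided to exclude from scanning. Because the JSON stays syntactically valid with the marker in place, it is also worth confirming and documenting what happens when a profile is deployed with the placeholders left in.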
security Mde Device Control Device Installation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-device-control-device-installation.md
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 08/09/2022 Last updated : 08/11/2022 audience: ITPro
ms.technology: mde
> [!NOTE]
-> If you are manage removable storage, See [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control).
+> If you want to manage removable storage, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control).
Microsoft Defender for Endpoint Device Control Device Installation enables you to do the following task:
security Migrating Mde Server To Cloud https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud.md
To enable Defender for Servers for Azure VMs and non-Azure machines connected th
:::image type="content" source="images/mde-integration.png" alt-text="Screenshot that shows how to enable MDE integration." lightbox="images/mde-integration.png":::
- If you have any of these buttons in your environment, make sure to enable integration for both. On new subscriptions, both options will be enabled by default.
+ If you have any of these buttons in your environment, make sure to enable integration for both. On new subscriptions, both options will be enabled by default. In this case, you will not see these buttons in your environment.
5. Make sure the connectivity requirements for Azure Arc are met. Microsoft Defender for Cloud requires all on-premises and non-Azure machines to be connected via the Azure Arc agent. In addition, Azure Arc doesn't support all MDE supported operating systems. So, learn how to plan for [Azure Arc deployments here](/azure/azure-arc/servers/plan-at-scale-deployment).
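Review bot: In the added sentence "In this case, you will not see these buttons in your environment", "this case" has no clear antecedent, because the paragraph opens with "If you have any of these buttons in your environment". Tie it to the sentence about new subscriptions, for example: "On new subscriptions, both options are enabled by default and the buttons aren't shown."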
For Azure VMs, no extra steps are required, these are automatically onboarded to
## How do I migrate on-premises machines to Microsoft Defender for Servers?
-[Connect](/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc) your on-premises machines via Azure Arc-connected servers.
+Once all prerequisites are met, [connect](/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc) your on-premises machines via Azure Arc-connected servers.
## How do I migrate VMs from AWS or GCP environments?
security Whats New In Microsoft Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management.md
+
+ Title: What's new in Microsoft Defender Vulnerability Management Public Preview
+description: See what features are available in the latest release of Microsoft Defender for Vulnerability Management public preview.
+keywords: what's new in Microsoft Defender for Endpoint, ga, generally available, capabilities, available, new
+search.appverid: met150
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - m365-security-compliance
+
+ms.technology: mdvm
++
+# What's new in Microsoft Defender Vulnerability Management Public Preview
++
+**Applies to:**
+
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender Vulnerability Management](index.yml)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
++
+>[!Note]
+> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).
+
+This article provides information about new features and important product updates for the latest release of Microsoft Defender Vulnerability Management public preview.
+
+## May 2022
+
+- **[Security baselines assessment](tvm-security-baselines.md)**: Create and manage baseline profiles to monitor the posture of your devices against their desired security state.
+- **[Blocking vulnerable applicationsΓÇ»(beta)](tvm-block-vuln-apps.md)**: Give security admins the ability to block all currently known vulnerable versions of an application.
+- **[Browser extensions assessment](tvm-browser-extensions.md)**: View all browser extensions installed on devices in your organization, including installed versions, permissions requested, and associated risk.
+- **[Digital certificates assessment](tvm-certificate-inventory.md)**: View certificate details on devices in your organization, including expiration date, algorithm used, and key size.
+- **[Network shares analysis](tvm-network-share-assessment.md)**: View information about exposed network shares and the recommendations that can help protect against vulnerabilities that could be exploited by attackers.
+
+For more information on what's new with other Microsoft Defender security products, see:
+
+- [What's new in Microsoft Defender for Endpoint](../defender-endpoint/whats-new-in-microsoft-defender-endpoint.md)
+- [What's new in Microsoft 365 Defender](../defender/whats-new.md)
+- [What's new in Microsoft Defender for Office 365](../office-365-security/whats-new-in-defender-for-office-365.md)
+- [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new)
+- [What's new in Microsoft Cloud App Security](/cloud-app-security/release-notes)
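Review bot: The front matter looks copied from another article: `keywords` reads "what's new in Microsoft Defender for Endpoint, ga, generally available", and `description` says "Microsoft Defender for Vulnerability Management" while the title and H1 say "Microsoft Defender Vulnerability Management". Align both with the product name used in the title. In the May 2022 list, the link text for the "Blocking vulnerable applications" item has a stray non-ASCII character between "applications" and "(beta)"; replace it with a plain space.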
security Configure Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-event-hub.md
You can verify that events are being sent to the Event Hubs by running a basic A
```console EmailEvents
-|joinkind=fullouterEmailAttachmentInfoonNetworkMessageId
-|joinkind=fullouterEmailUrlInfoonNetworkMessageId
-|joinkind=fullouterEmailPostDeliveryEventsonNetworkMessageId
-|whereTimestamp\>ago(1h)
+|join kind=fullouter EmailAttachmentInfo on NetworkMessageId
+|join kind=fullouter EmailUrlInfo on NetworkMessageId
+|join kind=fullouter EmailPostDeliveryEvents on NetworkMessageId
+|where Timestamp > ago(1h)
|count ```
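Review bot: The `where Timestamp > ago(1h)` filter still runs after the three `fullouter` joins, so each join works on the full tables before the one-hour window is applied, and rows that exist only on the right-hand side of a join have a null `EmailEvents` timestamp and are dropped by the filter anyway. For a query whose only purpose is to confirm that events are arriving, move the filter directly under `EmailEvents`. The fence is also tagged `console` although the body is a Kusto query.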
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
The **Manage alert** pane allows you to view or specify:
- **Not Set** (default). - **True positive** with a type of threat. Use this classification for alerts that accurately indicate a real threat. Specifying this threat type alerts your security team see threat patterns and act to defend your organization from them. - **Informational, expected activity** with a type of activity. Use this option for alerts that are technically accurate, but represent normal behavior or simulated threat activity. You generally want to ignore these alerts but expect them for similar activities in the future where the activities are triggered by actual attackers or malware. Use the options in this category to classify alerts for security tests, red team activity, and expected unusual behavior from trusted apps and users.
- - **False positive** for types of alerts that were created even when there is no malicious activity or for a false alarm. Use the options in this category to classify alerts that are mistakenly identified as normal events or activities as malicious or suspicious. Unlike alerts for 'Informational, expected activity', which can also be useful for catching real threats, you generally don't want to see these alerts again. Classifying alerts as false positive helps Microsoft 365 Defender improve its detection quality.
+ - **False positive** for types of alerts that were created even when there's no malicious activity or for a false alarm. Use the options in this category to classify alerts that are mistakenly identified as normal events or activities as malicious or suspicious. Unlike alerts for 'Informational, expected activity', which can also be useful for catching real threats, you generally don't want to see these alerts again. Classifying alerts as false positive helps Microsoft 365 Defender improve its detection quality.
- A comment on the alert. >[!NOTE]
To create a suppression rule for alerts:
However, to apply the rule on any alert type that meets rule conditions select **Any alert type based on IOC conditions**. IOCs are indicators such as files, processes, scheduled tasks, and other evidence types that trigger the alert.
+
+ > [!NOTE]
+ > You can no longer suppress an alert triggered by 'custom detection' source. You can't create a suppression rule for this alert.
3. In the **IOCs** section, select **Any IOC** to suppress the alert no matter what 'evidence' has caused the alert.
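Review bot: The two sentences of the added note say the same thing twice, and "no longer" dates the text without saying since when. One sentence is enough, for example: "Alerts triggered by the 'custom detection' source can't be suppressed, so you can't create a suppression rule for them."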
To create a suppression rule for alerts:
4. Other than files and processes, AMSI script, WMI event, and scheduled tasks are some of the newly added evidence types that you can select from the evidence types drop-down list. :::image type="content" source="../../media/investigate-alerts/other-evidence-types.png" alt-text="Screenshot of other types of evidence." lightbox="../../media/investigate-alerts/other-evidence-types.png":::-
+
5. To add another IOC, click **Add filter**. > [!NOTE] > Adding at least one IOC to the rule condition is required to suppress any alert type.
IOCs that were selected in the suppression conditions will be selected by defaul
:::image type="content" source="../../media/investigate-alerts/suppression-2-choose-iocs.png" lightbox="../../media/investigate-alerts/suppression-2-choose-iocs.png" alt-text="Screenshot of successful suppression rule creation. "::: 8. The new suppression alert functionality is available by default. <br> However, you can switch back to the previous experience in Microsoft 365 Defender portal by navigating to **Settings > Endpoints > Alert suppression**, then switch off the **New suppression rules creation enabled** toggle. + :::image type="content" source="../../media/investigate-alerts/suppression-toggle.png" lightbox="../../media/investigate-alerts/suppression-toggle.png" alt-text="Screenshot of toggle for turning on/off the suppression rule creation feature.":::
+ > [!NOTE]
+ > Soon, only the new alert suppression experience will be available. You will not be able to go back to the previous experience.
9. **Edit existing rules:** <br> You can always add or change rule conditions and scope of new or existing rules in Microsoft Defender portal, by selecting the relevant rule and clicking **Edit rule**. To edit existing rules, ensure that the **New suppression rules creation enabled** toggle is enabled.
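Review bot: "Soon" in the added note gives admins nothing to plan against, and the note sits apart from step 8, which still explains how to switch back with the **New suppression rules creation enabled** toggle. Give a date or release marker if one exists, or fold the warning into step 8 so the toggle is described as temporary at the point where it is introduced.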
security Allow Block Email Spoof https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/allow-block-email-spoof.md
Last updated audience: ITPro - Last updated : 08/11/2022 ms.localizationpriority: medium search.appverid: - MET150
ms.prod: m365-security
You can use the Microsoft 365 Defender portal or PowerShell to allow or block emails (including spoofing emails) using the Tenant Allow/Block List.
-## Create block sender entries
+## Create block for domains or email addresses entries
### Use the Microsoft 365 Defender portal
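Review bot: The new heading "Create block for domains or email addresses entries" has its words out of order. "Create block entries for domains and email addresses" says the same thing and reads cleanly.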
You can use the Microsoft 365 Defender portal or PowerShell to allow or block em
4. When you're finished, click **Add**. > [!NOTE]
-> The emails from these senders will be blocked as _high confidence spam_ (SCL = 9).
+> The emails from these addresses or domains will be blocked as _high confidence spam_ (SCL = 9).
> Users in the organization won't be able to send emails to these blocked domains and addresses. They will receive a non-delivery report which will state the following: "5.7.1 Your message can't be delivered because one or more recipients are blocked by your organizationΓÇÖs tenant allow/block list policy." ### Use PowerShell
-To add block sender entries in the Tenant Allow/Block List, use the following syntax:
+To add domains or email addresses block entries in the Tenant Allow/Block List, use the following syntax:
```powershell New-TenantAllowBlockListItems -ListType <Sender> -Block -Entries "Value1","Value2",..."ValueN" <-ExpirationDate Date | -NoExpiration> [-Notes <String>] ```
-This example adds a block sender entry for the specified sender that expires on a specific date.
+This example adds a block for the specified email address or domain that expires on a specific date.
```powershell New-TenantAllowBlockListItems -ListType Sender -Block -Entries "test@badattackerdomain.com", "test2@anotherattackerdomain.com" -ExpirationDate 8/20/2021
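Review bot: The prose now says "domains or email addresses", but the syntax and the example still pass `-ListType Sender`, and nothing tells the reader that the two are the same thing. Add one sentence stating that domain and email address entries use the `Sender` list type. Two smaller points in the same hunk: "To add domains or email addresses block entries" would read better as "To add block entries for domains and email addresses", and the example's `-ExpirationDate 8/20/2021` is already in the past for an article last updated 08/11/2022.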
For detailed syntax and parameter information, see [New-TenantAllowBlockListItem
### Use Microsoft 365 Defender
-Allow senders (or domains) on the **Submissions** page in Microsoft 365 Defender.
+Allow senders email addresses (or domains) on the **Submissions** page in Microsoft 365 Defender.
-You can't directly modify the Tenant Allow/Block List to add allow entries. Instead, use [admin submissions](admin-submission.md) to submit the blocked message. This action will add the corresponding URL, file, spoofed sender domain pair, impersonated domain (or user) and/or sender to the Tenant Allow/Block List. If the item has not been blocked, then the allow won't be created. In most cases where the message was determined to be a false positive that was incorrectly blocked, the allow entry will be removed on the specified expiration date.
+You can't directly modify the Tenant Allow/Block List to add allow entries. Instead, use [admin submissions](admin-submission.md) to submit the blocked message. This action will add the corresponding URL, file, spoofed sender domain pair, impersonated domain (or user) and/or domains or email addresses to the Tenant Allow/Block List. If the item has not been blocked, then the allow won't be created. In most cases where the message was determined to be a false positive that was incorrectly blocked, the allow entry will be removed on the specified expiration date.
> [!IMPORTANT]
-> - Because Microsoft manages the allow entries for you, unneeded sender, URL, or file allow entries that aren't needed will be removed. This behavior protects your organization and helps prevent misconfigured allow entries. If you disagree with the verdict, you might need to open a support case to help determine why a message is still considered bad.
+> - Because Microsoft manages the allow entries for you, unneeded domains or email addresses, URL, or file allow entries that aren't needed will be removed. This behavior protects your organization and helps prevent misconfigured allow entries. If you disagree with the verdict, you might need to open a support case to help determine why a message is still considered bad.
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Actions & submissions** \> **Submissions**. Or, to go directly to the **Submissions** page, use <https://security.microsoft.com/reportsubmission>.
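Review bot: Two of the reworded sentences do not parse. "Allow senders email addresses (or domains)" should be "Allow email addresses (or domains)", and in the IMPORTANT note "unneeded domains or email addresses, URL, or file allow entries that aren't needed" says "unneeded" twice and mixes singular and plural; suggest "allow entries for domains, email addresses, URLs, or files that are no longer needed will be removed".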
You can't directly modify the Tenant Allow/Block List to add allow entries. Inst
> [!NOTE] > > - During mail flow, Based on which filters determined the mail to be malicious, the allows are added. For example, the sender and URL are determined to be bad, an allow will be added for each.
-> - When that entity (sender, domain, URL, file) is encountered again, all filters associated with that entity are skipped.
+> - When that entity (domain or email address, URL, file) is encountered again, all filters associated with that entity are skipped.
> - During mail flow, if the rest of the filters find the email containing this entity to be clean, the email will be delivered. For example, a sender allow (when authentication passes) will bypass all verdicts except malware and high confidence phishing associated with an attachment or URL.
-## View sender entries
+## View domain or email addresses entries
-To view block sender entries in the Tenant Allow/Block List, use the following syntax:
+To view blocked domains or email addresses entries in the Tenant Allow/Block List, use the following syntax:
```powershell Get-TenantAllowBlockListItems -ListType <Sender> [-Entry <SenderValue | FileHashValue | URLValue>] [<-ExpirationDate Date | -NoExpiration>] ``` For detailed syntax and parameter information, see [Get-TenantAllowBlockListItems](/powershell/module/exchange/get-tenantallowblocklistitems).
-## Modify sender entries
+## Modify domain or email addresses entries
-To modify allow or block sender entries in the Tenant Allow/Block List, use the following syntax:
+To modify allowed or blocked domains or email addresses entries in the Tenant Allow/Block List, use the following syntax:
```powershell Set-TenantAllowBlockListItems -ListType <Sender> -Ids <"Id1","Id2",..."IdN"> [<-ExpirationDate Date | -NoExpiration>] [-Notes <String>]
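Review bot: The rename is applied to the second NOTE bullet, but the unchanged bullet right after it still says "a sender allow (when authentication passes)", so the note now uses two terms for one entry type. Align it, and keep the "when authentication passes" condition attached to the renamed term, since that bullet is what tells admins which verdicts an allow entry bypasses. The headings "View domain or email addresses entries" and "Modify domain or email addresses entries" mix singular and plural; "View entries for domains and email addresses" reads cleanly.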
Set-TenantAllowBlockListItems -ListType <Sender> -Ids <"Id1","Id2",..."IdN"> [<-
For detailed syntax and parameter information, see [Set-TenantAllowBlockListItems](/powershell/module/exchange/set-tenantallowblocklistitems).
-## Remove sender entries
+## Remove domain or email addresses entries
-To remove allow or block sender entries from the Tenant Allow/Block List, use the following syntax:
+To remove allowed or blocked domains or email addresses entries from the Tenant Allow/Block List, use the following syntax:
```powershell Remove-TenantAllowBlockListItems -ListType <Sender> -Ids <"Id1","Id2",..."IdN">
security Manage Tenant Allow Block List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-tenant-allow-block-list.md
f1.keywords:
Previously updated : audience: ITPro ms.localizationpriority: medium Last updated : 08/11/2022 search.appverid:
- - MET150
+- MET150
- - M365-security-compliance
+- M365-security-compliance
description: Learn how to manage allows and blocks in the Tenant Allow/Block List in the Security portal. ms.technology: mdo
The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way
- URLs to block. - Files to block.-- Sender emails or domains to block.
+- Domains or email addresses to block - both sending and receiving.
- Spoofed senders to allow or block. If you override the allow or block verdict in the [spoof intelligence insight](learn-about-spoof-intelligence.md), the spoofed sender becomes a manual allow or block entry that only appears on the **Spoof** tab in the Tenant Allow/Block List. You can also manually create allow or block entries for spoofed senders here before they're detected by spoof intelligence. - URLs to allow. - Files to allow.-- Sender emails or domains to allow.
+- Domains or email addresses to allow - both sending and receiving.
This article describes how to configure entries in the Tenant Allow/Block List in the Microsoft 365 Defender portal or in PowerShell (Exchange Online PowerShell for Microsoft 365 organizations with mailboxes in Exchange Online; standalone EOP PowerShell for organizations without Exchange Online mailboxes).
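Review bot: The qualifier "both sending and receiving" is added to the block bullet and to the allow bullet, but nothing in the surrounding text says what an allow entry does for mail that users send. Either explain the outbound effect of an allow entry or keep the qualifier on the block bullet only.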
This article describes how to configure entries in the Tenant Allow/Block List i
An example value is `768a813668695ef2483b2bde7cf5d1b2db0423a0d3e63e498f3ab6f2eb13ea3a`. Perceptual hash (pHash) values are not supported. -- For senders, URLs, and file hashes, the Tenant Allow/Block List allows 500 entries each for both allows and blocks, making it a total of 1000 entries. For spoofing (spoofed senders), the total number of entries allowed is 1024.
+- For domains or email addresses, URLs, and file hashes, the Tenant Allow/Block List allows 500 entries each for both allows and blocks, making it a total of 1000 entries. For spoofed senders(spoofing), the total number of entries allowed is 1024.
- The maximum number of characters for each entry is: - File hashes = 64
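Review bot: "For spoofed senders(spoofing)" in the added line is missing a space before the parenthesis. Since the tab is renamed to **Spoofed senders** elsewhere in this commit, the "(spoofing)" gloss can probably go altogether.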
We recommend letting entries automatically expire after 30 days to see if the sy
2. Select the tab you want. The columns that are available depend on the tab you selected:
- - **Senders**:
- - **Value**: The sender domain or email address.
+ - **Domains & addresses**:
+ - **Value**: The domain or email address.
- **Action**: The value **Allow** or **Block**. - **Modified by** - **Last updated** - **Remove on** - **Notes**
- - **Spoofing**
+ - **Spoofed senders**
- **Spoofed user** - **Sending infrastructure** - **Spoof type**: The value **Internal** or **External**.
We recommend letting entries automatically expire after 30 days to see if the sy
You can click **Group** to group the results. The values that are available depend on the tab you selected:
- - **Senders**: You can group the results by **Action**.
- - **Spoofing**: You can group the results by **Action** or **Spoof type**.
+ - **Domains & addresses**: You can group the results by **Action**.
+ - **Spoofed sender**: You can group the results by **Action** or **Spoof type**.
- **URLs**: You can group the results by **Action**. - **Files**: You can group the results by **Action**.
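Review bot: The added Group entry names the tab "**Spoofed sender**" (singular), while the tab list above and the Filter list below use "**Spoofed senders**". Use the plural here so the label matches what the portal shows.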
We recommend letting entries automatically expire after 30 days to see if the sy
Click **Filter** to filter the results. The values that are available in **Filter** flyout that appears depend on the tab you selected:
- - **Senders**
+ - **Domains & addresses**
- **Action** - **Never expire** - **Last updated date** - **Remove on**
- - **Spoofing**
+ - **Spoofed senders**
- **Action** - **Spoof type** - **URLs**
We recommend letting entries automatically expire after 30 days to see if the sy
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. 2. Select the tab that contains the type of entry that you want to modify:
- - **Senders**
- - **Spoofing**
+ - **Domains or email addresses**
+ - **Spoofed senders**
- **URLs** - **Files** 3. Select the entry that you want to modify, and then click ![Edit icon.](../../media/m365-cc-sc-edit-icon.png) **Edit**. The values that you are able to modify in the flyout that appears depend on the tab you selected in the previous step:
- - **Senders**
+ - **Domains & addresses**
- **Never expire** and/or expiration date. - **Optional note**
- - **Spoofing**
+ - **Spoofed senders**
- **Action**: You can change the value to **Allow** or **Block**. - **URLs** - **Never expire** and/or expiration date.
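Review bot: Step 2 of this procedure names the tab "**Domains or email addresses**" while step 3 of the same procedure, and every other list in this commit, calls it "**Domains & addresses**". Pick the label the portal shows and use it in both steps.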
We recommend letting entries automatically expire after 30 days to see if the sy
- **Never expire** and/or expiration date. - **Optional note**
- Note that the values for senders, URLs, and files never expire for blocked entries only.
+ Note that the values for domains or email addresses, URLs, and files never expire for blocked entries only.
4. When you're finished, click **Save**.
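Review bot: The reworded sentence "the values for domains or email addresses, URLs, and files never expire for blocked entries only" keeps the ambiguity of the original: it can mean that block entries never expire, or that the **Never expire** option is offered only for block entries. State which one is intended, because it decides whether an admin has to revisit block entries.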
We recommend letting entries automatically expire after 30 days to see if the sy
1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Policies & rules** \> **Threat Policies** \> **Rules** section \> **Tenant Allow/Block Lists**. Or, to go directly to the **Tenant Allow/Block List** page, use <https://security.microsoft.com/tenantAllowBlockList>. 2. Select the tab that contains the type of entry that you want to remove:
- - **Senders**
- - **Spoofing**
+ - **Domains & addresses**
+ - **Spoofed senders**
- **URLs** - **Files**
security Stay Informed With Message Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/stay-informed-with-message-center.md
Title: Stay informed of upcoming changes to Microsoft Defender for Office 365 using the message center
+ Title: Set up weekly digest notifications of changes to Microsoft Defender for Office 365 with message center
description: The steps to setup a weekly digest of message center activity to stay informed of changes to Microsoft Defender for Office 365. search.product: search.appverid:
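Review bot: The title is updated, but the description on the unchanged line below it still reads "The steps to setup a weekly digest"; the verb is "set up". Worth fixing in the same commit so the title and description agree.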
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
f1.keywords: NOCSH
ms.localizationpriority: medium Last updated : 08/11/2022 audience: ITPro
For more information on what's new with other Microsoft Defender security produc
- [What's new in Microsoft Defender for Identity](/defender-for-identity/whats-new) - [What's new in Microsoft Cloud App Security](/cloud-app-security/release-notes)
+## July 2022
+- [Introducing actions into the email entity page](mdo-email-entity-page.md): Admins can take preventative, remediation and submission actions from emial entity page.
## June 2022
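Review bot: The new July 2022 entry has a typo, "emial entity page", and drops the article before "email entity page". Suggest "Admins can take preventative, remediation, and submission actions from the email entity page."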
test-base Accesslevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/accesslevel.md
audience: Software-Vendor Last updated 06/16/2022-+ ms.localizationpriority: medium
test-base Binaries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/binaries.md
Title: Upload Application Binaries
-description: How to get started using Test Base for M365 #Required; article description that is displayed in search results.
+description: How to get started using Test Base for Microsoft 365 #Required; article description that is displayed in search results.
search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH # Step 3: Upload your binaries, dependencies, and scripts
-On this tab, you will upload a single zip package containing your binaries, dependencies and scripts used to run your test suite.
+On this tab, you'll upload a single zip package containing your binaries, dependencies and scripts used to run your test suite.
> [!NOTE] > The size of the zip package should be between a minimum of 10 MB and a maximum of 2 GB.
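Review bot: The changed description line still carries the template comment "#Required; article description that is displayed in search results." after the real description. The visible lines do not show whether the value is quoted; if it is not, everything after the `#` may be dropped or shown depending on the parser. Remove the comment so only "How to get started using Test Base for Microsoft 365" remains.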
On this tab, you will upload a single zip package containing your binaries, depe
:::image type="content" alt-text="Upload your binaries." source="Media/AddBinaries.png"::: - Uploaded dependencies can include test frameworks, scripting engines or data that will be accessed to run your application or test cases. For example, you can upload Selenium and a web driver installer to help run browser-based tests.
- - It is best practice to ensure your script activities are kept modular i.e.
+ - It's best practice to ensure your script activities are kept modular that is.
- The `Install` script only performs install operations. - The `Launch` script only launches the application. - The `Close` script only closes the application.
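Review bot: Replacing "i.e." with "that is." leaves a broken sentence: "It's best practice to ensure your script activities are kept modular that is." Suggest "It's best practice to keep your script activities modular. That is:" so the three bullets that follow still read as the explanation.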
test-base Buildpackage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/buildpackage.md
audience: Software-Vendor Last updated 02/28/2022-+ ms.localizationpriority: medium
test-base Clonepackage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/clonepackage.md
audience: Software-Vendor Last updated 05/27/2022-+ ms.localizationpriority: medium
test-base Contentguideline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/contentguideline.md
Title: 'Test package guidelines'
description: Review the guidelines around test package search.appverid: MET150 -+ audience: Software-Vendor Last updated 02/04/2022-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH # Test package guidelines
test-base Cpu https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/cpu.md
Title: 'CPU regression analysis'
description: Understanding regression results and metrics for CPU consumption search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH # Intelligent CPU regression analysis
test-base Createaccount https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/createaccount.md
audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH
test-base Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/faq.md
audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH
test-base Feature https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/feature.md
Title: 'Feature update validation'
description: Details on how to upload your application for feature update validation search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH # Windows Feature update validation
test-base Functional https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/functional.md
Title: 'Functional testing on Test Base'
description: Details on how to test your application with your existing automated functional tests search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium-+ -+ f1.keywords: NOCSH # Functional testing
-As a software vendor, you can now perform custom functional tests, using the test framework of your choice - via the self-serve Test Base for M365 portal.
+As a software publisher, you can now perform custom functional tests, using the test framework of your choice - via the self-serve Test Base for Microsoft 365 portal.
-When we initially launched the service, we offered the Out-of-box tests, which is a pre-defined set of tests driven through standardized scripting. This, however, could not achieve full test coverage for many Independent Software Vendors (ISVs).
+When we initially launched the service, we offered the Out-of-box tests, which is a pre-defined set of tests driven through standardized scripting. However, this couldn't achieve full test coverage for many Independent Software Vendors (ISVs).
-Hence, in response to your feedback, we are providing our ISVs with the ability to upload automated functional tests.
+Hence, in response to your feedback, we're providing our ISVs with the ability to upload automated functional tests.
To use this feature, follow the steps below:
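Review bot: The first paragraph now says "software publisher", but the next two paragraphs still say "Independent Software Vendors (ISVs)" and "our ISVs", and the article metadata keeps `audience: Software-Vendor`. Either keep "vendor" throughout or change all of them together.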
To get started, navigate to the Upload page, select Upload new application under
Tab 1 - Enter basic information. Provide the name and version of your application. In the Type of test option, select ```Functional tests```.
-*Note that the Out-of-Box (OOB) option is required by default.*
+*The Out-of-Box (OOB) option is required by default.*
![Select the functional testing tab.](Media/functional_testing_tab1.png) Tab 2 - Upload the components of your package by uploading a zip file with your entire test (binaries, dependencies, scripts etc).
-See aka.ms/usl-package-outline for details. (Note: Both the Out-of-Box test scripts and the Functional test contents should be placed into the same zip file). Currently, the file size is limited to 2GB.
+See aka.ms/usl-package-outline for details. (Note: Both the Out-of-Box test scripts and the Functional test contents should be placed into the same zip file). Currently, the file size is limited to 2 GB.
-Tab 3 - Configure the Out-of-Box and Functional test tasks. Here, choose the path(s) to the PowerShell scripts that will install, launch, close, and uninstall your application (for Out-of-Box) as well as the path(s) to all your custom scripts to perform your functional test. **(Note: A script to uninstall your application is optional).**
+Tab 3 - Configure the Out-of-Box and Functional test tasks. Here, choose the path(s) to the PowerShell scripts that will install, launch, close, and uninstall your application (for Out-of-Box) and the path(s) to all your custom scripts to perform your functional test. **(Note: A script to uninstall your application is optional).**
-Currently, you can upload between 1 and 8 scripts for your functional tests. (Kindly comment on this post if you need more scripts!)
+Currently, you can upload 1 to 8 scripts for your functional tests. (Kindly comment on this post if you need more scripts!)
![Upload up to 8 scripts with functional tests.](Media/functional_testing_tab3.png)
-(Optional) Configure a restart after installation. Some applications require a restart after installation.
+(Optional) You can configure a restart after installation. Some applications require a restart after installation.
Select ```Reboot After Execution``` for the specific Script in the Tasks tab if you would like a restart to be conducted after the execution of that script.
-Tab 4 - Choose when the Windows update gets installed: The application of the Windows Update patch is done before any script of your choice. It is recommended that you install a Windows update after the application's installation to closely mimic your real-world application use scenarios.
+Tab 4 - Choose when the Windows update gets installed: The application of the Windows Update patch is done before any script of your choice. It's recommended that you install a Windows update after the application's installation to closely mimic your real-world application use scenarios.
![The Windows update can get installed after a specific script.](Media/functional_testing_tab4.png)
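Review bot: "(Kindly comment on this post if you need more scripts!)" is kept in the edited line, but a docs article is not a post and the visible text offers no way to comment. Point to the support channel instead or drop the sentence. In the same hunk, "See aka.ms/usl-package-outline for details" is plain text rather than a link.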
Tab 5 - Review and create the package. Once you have completed the steps listed
Once your package has been created, you can check the verification status of your package.
-We run an initial test to install, launch, close, and uninstall your application. This allows us to verify that your package can install on our service error-free.
+We run an initial test to install, launch, close, and uninstall your application. It allows us to verify that your package can install on our service error-free.
The verification process could take up to 24 hours. Once verification is complete, you can see the status in the ```Manage packages``` menu, which would be one of two entries: 1. Verification succeeds: The package will be automatically tested against pre-release Windows updates for the OS builds you selected. or
-2. Verification fails: You will need to investigate the reasons for the failure, fix the issue, and re-upload your package.
+2. Verification fails: You'll need to investigate the reasons for the failure, fix the issue, and reupload your package.
-You will also be notified of either outcome via the notification icon in the Azure portal.
+You'll also be notified of either outcome via the notification icon in the Azure portal.
test-base Getsupport https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/getsupport.md
Title: 'For additional support'
description: Details on how to reach out to the Test Base team search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH # Additional support
test-base Memory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/memory.md
Title: 'Memory regression analysis'
description: How to infer memory regression search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium-+ -+ f1.keywords: NOCSH
f1.keywords: NOCSH
Test Base helps you more clearly notice significant memory usage increases in the test VMs running your apps. Performance metrics, such as memory usage, can be indicative of overall application health and we believe this addition will greatly help keep your apps performing optimally.
-Read on for more details or watch this video for a quick walk through of the latest improvements.
+Read on for more details or watch this video for a quick walk-through of the latest improvements.
-For more information on Test Base for M365's ability to help with regression analysis, see Regression results based on process reliability.
+For more information on Test Base for Microsoft 365's ability to help with regression analysis, see Regression results based on process reliability.
<b>Looking closer at memory regressions</b>
-The Test Base for M365 dashboard shows the memory consumed by your application on a new pre-released Windows update and compares it with the memory used by the last released Windows update.
+The Test Base for Microsoft 365 dashboard shows the memory consumed by your application on a new pre-released Windows update and compares it with the memory used by the last released Windows update.
With this monthΓÇÖs enhancements, memory regression analysis is now featured in your favorited processes. Applications can contain multiple processes and you can manually select your favorite processes through the Reliability tab. Our service will then identify memory regressions in these favorited processes while comparing test runs across different Windows update releases. If a regression is detected, details about the regression are easily available. Now let's look at this feature in detail and discuss how you can troubleshoot memory regressions using Windows Performance Analyzer.
-The failure signal caused by a memory regression is shown in the Test Base for M365 dashboard on the Test results page under Memory Utilization:
+The failure signal caused by a memory regression is shown in the Test Base for Microsoft 365 dashboard on the Test results page under Memory Utilization:
![Memory utilization results.](Media/01_memory-utilization-results.png)
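Review bot: Two references in the edited lines have no target: "watch this video" has no link, and "see Regression results based on process reliability" names an article without linking to it. Since these lines are being touched anyway, add the links or remove the references.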
Failure for the application due to higher memory consumption, will also be displ
![Test summary results.](Media/02_test-summary.png)
-By providing these failure signals upfront, our goal is to clearly flag potential issues that can disrupt and impact the end user experience for your application.
+By providing the failure signals upfront, our goal is to clearly flag potential issues that can disrupt and impact the end user experience for your application.
-You can then download the log files and use the Windows Performance Analyzer, or your preferred toolkit, to investigate further. You can also work jointly with the Test Base for M365 team on remediating the issue and help prevent issues impacting end users.
+You can then download the log files and use the Windows Performance Analyzer, or your preferred toolkit, to investigate further. You can also work jointly with the Test Base for Microsoft 365 team on remediating the issue and help prevent issues impacting end users.
-Memory signals are captured in the Memory Utilization tab in the Test Base for M365 service for all test runs. The example below shows a recent test run with the onboarded application ΓÇ£Smoke Test Memory StressΓÇ¥ against the pre-release August 2020 security update. (This application was written by our team to illustrate memory regressions.)
+Memory signals are captured in the Memory Utilization tab in the Test Base for Microsoft 365 service for all test runs. The example below shows a recent test run with the onboarded application ΓÇ£Smoke Test Memory StressΓÇ¥ against the pre-release August 2020 security update. (This application was written by our team to illustrate memory regressions.)
![Memory regression results.](Media/03_memory-regression%20comparison.png)
-In this example, the favorite process ΓÇ£USLTestMemoryStress.exeΓÇ¥ process consumed an average of approximately 100 MB on the pre-release August update compared to the released July update, hence the Test Base for M365 identified a regression.
+In this example, the favorite process ΓÇ£USLTestMemoryStress.exeΓÇ¥ process consumed an average of approximately 100 MB on the pre-release August update compared to the released July update, hence the Test Base for Microsoft 365 identified a regression.
The other processesΓÇöshown here as ΓÇ£USLTestMemoryStress_Aux1.exeΓÇ¥ and ΓÇ£USLTestMemoryStress_Aux2.exeΓÇ¥ΓÇöalso belong to the same application, but consumed approximately the same amount of memory for the two releases so they "passed" and were considered healthy.
-The regression on the main process was determined to be ΓÇ£statistically significantΓÇ¥ so the service communicated and highlighted this difference to the user. If the comparison was not statistically significant, it would not be highlighted. Memory utilization can be noisy, so we use statistical models to distinguish, across builds and releases, meaningful differences from inconsequential differences.
+The regression on the main process was determined to be ΓÇ£statistically significantΓÇ¥ so the service communicated and highlighted this difference to the user. If the comparison wasn't statistically significant, it wouldn't be highlighted. Memory utilization can be noisy, so we use statistical models to distinguish, across builds and releases, meaningful differences from inconsequential differences.
-A comparison may rarely be flagged when there is no true difference (a false positive), but this is a necessary tradeoff to improve the likelihood of correctly identifying regressions (or true positives.)
+A comparison may rarely be flagged when there's no true difference (a false positive), but this is a necessary tradeoff to improve the likelihood of correctly identifying regressions (or true positives.)
The next step is to understand what caused the memory regression. You can download the zip files for both executions from the Download log files option, as shown below.
-These zip files contain the results of your test run, including script results and memory and CPU performance data which is included in the ETL file.
+These zip files contain the results of your test run, including script results and memory and CPU performance data that is included in the ETL file.
![Memory regression test files.](Media/04_memory-regression-test-files.png)
-You can download and unzip the logs for the two test runs, then locate the ETL file within each folder and rename them as target.etl (for the test run on the pre-release update) and baseline.etl (for the test run on last released update) to simplify exploration and navigation.
+You can download and unzip the logs for the two test runs, then locate the ETL file within each folder and rename them as target.etl (for the test that run on the pre-release update) and baseline.etl (for the test that run on last released update) to simplify exploration and navigation.
## Next steps
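Review bot: The last changed line turns the noun "test run" into "the test that run on the pre-release update" and "the test that run on last released update", which is ungrammatical. Restore "the test run on ..." or write "the test that ran on ...". Also in this hunk, "the favorite process ... process consumed an average of approximately 100 MB on the pre-release August update compared to the released July update" repeats "process" and does not say whether 100 MB is the total or the increase; the sentence only supports the regression claim if it is the increase.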
test-base Ondemandrun https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/ondemandrun.md
+
+ Title: 'Run your test on-demand'
+description: How to run your test on-demand
+search.appverid: MET150
+++
+audience: Software-Vendor
+ Last updated : 08/10/2022+
+ms.localizationpriority: medium
+++
+f1.keywords: NOCSH
++
+# Run your test on-demand
+
+> [!NOTE]
+> Test Base now provides the option to kickoff a test with an on-demand approach.
+
+## Run as request under Manage packages
+
+For an active package, you can access the run-on-request feature from the Manage packages page.
+
+> [!div class="mx-imgBorder"]
+> [ ![Manage packages](Media/runondemand01-managepackages.png) ](Media/runondemand01-managepackages.png#lightbox)
+
+By specifying the OS update type and Windows product which are pre-defined with the package, you can kick off the test on demand which immediately gets scheduled for the current monthly churn of Windows updates.
++
+> [!div class="mx-imgBorder"]
+> [ ![Run on request](Media/runondemand02-runonrequest.png) ](Media/runondemand02-runonrequest.png#lightbox)
+
+You donΓÇÖt need the test to be executed with its automatic cadence before you can use the feature. You can now decide which product and when to be tested.
+
+> [!div class="mx-imgBorder"]
+> [ ![Testsummary](Media/runondemand03-testsummary.png) ](Media/runondemand03-testsummary.png#lightbox)
+
+> [!NOTE]
+> Please be remind that only active packages will have Run on request button enabled. Make sure you Enable the package for future tests if you would like to opt-in the package for this feature.
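Review bot: The closing note "Please be remind that only active packages will have Run on request button enabled" needs rewording, for example "Only active packages have the **Run on request** button enabled." Other wording points in the new file: the opening note uses "kickoff" as a verb where the body uses "kick off", "You can now decide which product and when to be tested" is missing a verb, and the heading "Run as request under Manage packages" does not match the "run-on-request" and "Run on request" wording used in the text under it. The article's only introduction sits inside a NOTE block; a plain opening sentence would serve better.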
test-base Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/overview.md
audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH
test-base Pythonsdkoverview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/pythonsdkOverview.md
Title: 'Test Base SDK for Python'
description: Details on understanding Test Base's SDK for Python search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH # Test Base SDK for Python ## Overview
-The Test Base SDK can be used to interact with the Azure test base resource. (i.e. manage your application package, include create package, edit package and delete package)
+The Test Base SDK can be used to interact with the Azure test base resource. (That is, manage your application package, include create package, edit package, and delete package).
-With the SDK, the test summary and Analysis Result which can be gotten include : scriptExecution, reliability, memoryUtilization, cpuUtilization, memoryRegression, cpuRegression.
+With the SDK, the test summary and Analysis Result that can be gotten include: scriptExecution, reliability, memoryUtilization, cpuUtilization, memoryRegression, cpuRegression.
With the Test Base SDK, you can integrate test base in your CI/CD pipeline.
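Review bot: The revised first sentence still carries the original grammar problem: "(That is, manage your application package, include create package, edit package, and delete package)." is a parenthetical fragment that starts after a full stop and uses "include create package" where "including creating, editing, and deleting packages" is meant. Folding it into the preceding sentence would fix both. In the second changed line, "that can be gotten include" is awkward; "the test summary and analysis results you can retrieve include" is clearer, and the six result names (scriptExecution through cpuRegression) would be easier to scan as inline code or a list.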
test-base Review https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/review.md
Title: 'Review'
description: Review section after onboarding. search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH
test-base Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/rules.md
audience: Software-Vendor Last updated 02/04/2022-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH # Application/Test rules
test-base Sdkapi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/sdkapi.md
Title: Test Base API & SDK
description: Test Base API & SDK search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH
test-base Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/server.md
Title: 'Windows Server application testing'
description: How to validate with windows server application testing search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH # Windows Server Application Testing
test-base Testapplication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/testapplication.md
audience: Software-Vendor Last updated 04/08/2022-+ ms.localizationpriority: medium
test-base Testintuneapplication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/testintuneapplication.md
audience: Software-Vendor Last updated 04/11/2022-+ ms.localizationpriority: medium
test-base Testoptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/testoptions.md
Title: 'Choose your test options'
description: Choose your test options search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH
test-base Testoverview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/testoverview.md
audience: Software-Vendor Last updated 04/13/2022-+ ms.localizationpriority: medium
test-base Testtask https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/testtask.md
Title: 'Set your test tasks'
description: Set your test tasks search.appverid: MET150 -+ audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH # Step 4: The tasks tab
-On the tasks tab, you are expected to provide the paths to your test scripts which are in the zip folder you uploaded under the binaries tab.
+On the tasks tab, you're expected to provide the paths to your test scripts that are in the zip folder you uploaded under the binaries tab.
- - **Out of Box Test Scripts:** Type in the relative paths to your install, launch, close and uninstall scripts. You also have the option to select additional settings for the install script.
- - **Functional Test Scripts:** Type in the relative path to each functional test script uploaded. Additional functional test scripts can be added using the ```Add Script``` button. You need a minimum of one (1) script and can add up to eight (8) functional test scripts.
+ - **Out of Box Test Scripts:** Type in the relative paths to your install, launch, close and uninstall scripts. You also can select extra settings for the install script.
+ - **Functional Test Scripts:** Type in the relative path to each functional test script uploaded. Extra functional test scripts can be added using the ```Add Script``` button. You need a minimum of one (1) script and can add up to eight (8) functional test scripts.
- The scripts run in the sequence they are listed. A failure in a particular script stops subsequent scripts from executing.
- You also have the option of selecting additional settings for each script provided.
+ The scripts run in the sequence they're listed. A failure in a particular script stops subsequent scripts from executing.
+ You also have the option of selecting extra settings for each script provided.
## Set script path
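Review bot: The two reworded sentences about script settings now use different constructions for the same idea: "You also can select extra settings for the install script" in the Out of Box bullet versus "You also have the option of selecting extra settings for each script provided" under Functional Test Scripts. Pick one phrasing, preferably "You can also select". "The scripts run in the sequence they're listed" is missing "in which", and the ```Add Script``` button is a UI label, so bold text would match the docs convention better than a code span.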
test-base Uploadapplication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/uploadapplication.md
audience: Software-Vendor Last updated 07/06/2021-+ ms.localizationpriority: medium -+ f1.keywords: NOCSH
test-base Usagecost https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/usagecost.md
audience: Software-Vendor Last updated 06/02/2022-+ ms.localizationpriority: medium
whiteboard Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/index.md
The resources in this section help you learn more about what Microsoft Whiteboar
|Learn how to get Microsoft Whiteboard|[Microsoft Whiteboard product page](https://www.microsoft.com/en-us/microsoft-365/microsoft-whiteboard/digital-whiteboard-app)| |Find resources in the Microsoft Tech Community Resource Center|[Microsoft 365 Whiteboard blog](https://techcommunity.microsoft.com/t5/microsoft-365-blog/bg-p/microsoft_365blog/label-name/Microsoft%20Whiteboard)| |Watch videos to explore helpful tips|[Microsoft Whiteboard YouTube channel](https://www.youtube.com/c/MicrosoftWhiteboard/videos/Microsoft%20Whiteboard)|
-|Find Microsoft Whiteboard guidance for end users|[Microsoft Whiteboard help](https://support.microsoft.com/office/microsoft-whiteboard-help-d236aef8-fcdf-4b5e-b5d7-7f157461e920)|
+|Find Microsoft Whiteboard guidance for end users|[Microsoft Whiteboard help center](https://support.microsoft.com/office/microsoft-whiteboard-help-d236aef8-fcdf-4b5e-b5d7-7f157461e920)|
## Setup and management
The resources in this section help the admin in your organization to set up and
| If you're looking for this information | Go to this resource | |:--|:--|
-|Learn how to set up Whiteboard for your organization|[Set up and use Whiteboard](/surface-hub/whiteboard-collaboration)|
-|Deploy Whiteboard on devices that run Windows 10 or later using Microsoft Intune or Microsoft Configuration Manager|[Deploy Microsoft Whiteboard on Windows devices](deploy-on-windows-organizations.md)|
-|Learn how to manage access to Whiteboard for your organization|[Manage access to Whiteboard](manage-whiteboard-access-organizations.md)|
-|Find where your Whiteboard content and data are stored in Azure and OneDrive for Business |[Manage data for Whiteboard](manage-data-organizations.md) |
+|Learn how to manage access to Whiteboard for your organization|[Manage access to Whiteboard](manage-whiteboard-access-organizations.md) |
|Learn about the sharing experience in Teams and how to share links to specific users |[Manage sharing for Whiteboard](manage-sharing-organizations.md) |
+|Find where your Whiteboard content and data are stored in Azure and OneDrive for Business |[Manage data for Whiteboard](manage-data-organizations.md) |
|Learn how to configure privacy settings and diagnostic data for Whiteboard |[Configure privacy settings in Whiteboard](configure-privacy-settings.md) |
+|Learn how to set up Whiteboard on Surface Hub|[Set up and use Whiteboard on Surface Hub](/surface-hub/whiteboard-collaboration)|
+|Deploy Whiteboard on devices that run Windows 10 or later using Microsoft Intune or Microsoft Configuration Manager|[Deploy Microsoft Whiteboard on Windows devices](deploy-on-windows-organizations.md) |
|Learn how to manage General Data Protection Regulation (GDPR) requirements for personal data collected in Whiteboard |[Manage GDPR data subject requests in Whiteboard](gdpr-requests.md) | ### For government