Updates from: 08/13/2021 03:21:51
Category | Microsoft Docs article | Related commit history on GitHub | Change details
admin Domain Registrar Setup Limitations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/domain-registrar-setup-limitations.md
For DNSMadeEasy accounts, the domain you added was purchased from a separate dom
## Create DNS records at easyDNS for Microsoft
-SRV Records are currently NOT available under all easyDNS service packages. You may need to upgrade to a higher service level with easyDNS to add SRV records which are required for Skype for Business.
+SRV Records are currently not available under any easyDNS service package. You may need to upgrade to a higher service level with easyDNS to add SRV records which are required for Teams.
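Review bot: The `+` line inverts the meaning of the sentence and now contradicts the sentence that follows it. "not available under any easyDNS service package" says that no package offers SRV records, yet the next sentence tells the reader to upgrade to a higher service level to add them. The original "NOT available under all" (i.e. not every package) was the intended sense; if the point is that only higher tiers offer them, say so directly, e.g. "SRV records are not included in every easyDNS service package. You may need to upgrade to a higher service level to add the SRV records that Teams requires."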
## Create DNS records at Freenom for Microsoft
-The Freenom website doesn't support SRV records, which means that several Skype for Business Online and Outlook Web App features won't work. No matter which Microsoft plan you use, there are significant service limitations, and you may want to switch to a different DNS hosting provider.
+The Freenom website doesn't support adding SRV records, which means that several Teams and Email features won't work. No matter which Microsoft plan you use, there are significant service limitations, and you may want to switch to a different DNS hosting provider.
## Create DNS records at MyDomain for Microsoft
-The MyDomain website doesn't support SRV records, which means several Skype for Business Online and Outlook Web App features won't work. No matter which Microsoft plan you use, if you manage your DNS records at MyDomain, there are significant service limitations, and you might want to switch to a different DNS hosting provider.
+The MyDomain website doesn't support SRV records, which means several Teams and Email features won't work. No matter which Microsoft plan you use, if you manage your DNS records at MyDomain, there are significant service limitations, and you might want to switch to a different DNS hosting provider.
## Create DNS records for Microsoft using Windows-based DNS
-Go to the page that has the DNS records for your domain. If you're working in Windows Server 2008, go to Start > Run. If you're working in Windows Server 2012, press the Windows key and r. Type **dnsmgmnt.msc**, and then select **OK**. In DNS Manager, expand <DNS server name> > **Forward Lookup Zones**. Select your domain. You're now ready to create the DNS records.
+Go to the page that has the DNS records for your domain. If you're working in Windows Server 2008, go to **Start**, **Run**. If you're working in Windows Server 2012, press the **Windows key** and **r**. Type **dnsmgmnt.msc**, and then select **OK**. In DNS Manager, expand **DNS server name**, **Forward Lookup Zones**. Select your domain. You're now ready to create the DNS records.
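Review bot: Two problems on the `+` line. First, the snap-in name is misspelled in both the old and the new text: the DNS Manager console is `dnsmgmt.msc`, not `dnsmgmnt.msc`, and a reader who types the bold string into Run gets a "cannot find" error; this rewrite is the place to fix it. Second, bolding the placeholder as **DNS server name** makes it look like a literal node in the DNS Manager tree, which readers will then search for. Keep it visibly a placeholder (the original `<DNS server name>`, with the angle brackets escaped so Markdown renders them, or italics) and bold only the real UI label **Forward Lookup Zones**.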
## Create DNS records when your domain is managed by Google (eNom)
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
You can apply retention labels to content automatically when that content contai
- [A match for trainable classifiers](#auto-apply-labels-to-content-by-using-trainable-classifiers)
-All three conditions can automatically apply retention labels to emails as they are sent. For items in SharePoint and OneDrive, use the following table to identify when retention labels can be automatically applied to them:
+All three conditions can automatically apply retention labels to emails as they are sent and received, but not to existing items in the mailbox (data at rest). For items in SharePoint and OneDrive, use the following table to identify when retention labels can be automatically applied to them:
|Condition|New or modified items |Existing items (data at rest)| |:--|:--|:--|
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
There are two different methods for automatically applying a sensitivity label t
- These files can be auto-labeled at rest before or after the auto-labeling policies are created. Files cannot be auto-labeled if they are part of an open session (the file is open). - Currently, attachments to list items aren't supported and won't be auto-labeled. - Maximum of 25,000 automatically labeled files in your tenant per day.
- - Maximum of 10 auto-labeling policies per tenant, each targeting up to 10 sites (SharePoint or OneDrive). With the [recent enhancements now rolling out](#recent-enhancements-for-auto-labeling-policies), these numbers increase to 100 policies and 100 sites when they are specified individually. You can also specify all sites, and this configuration is exempt from the 100 sites maximum.
+ - Maximum of 100 auto-labeling policies per tenant, each targeting up to 100 sites (SharePoint or OneDrive) when they are specified individually. You can also specify all sites, and this configuration is exempt from the 100 sites maximum.
- Existing values for modified, modified by, and the date are not changed as a result of auto-labeling policiesΓÇöfor both simulation mode and when labels are applied. - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the account that last modified the file.
Use the following table to help you identify the differences in behavior for the
|Override IRM encryption applied without a label|Yes if the user has the minimum usage right of Export |Yes (email only) | |Label incoming email|No |Yes|
-\* Auto-labeling isn't currently available in all regions. If your tenant can't support this functionality, the Auto-labeling tab isn't visible in the admin labeling center.
+\* Auto-labeling isn't currently available in all regions. If your tenant can't support this functionality, the **Auto-labeling** tab isn't visible in the Compliance center.
## How multiple conditions are evaluated when they apply to more than one label
Specific to the Azure Information Protection unified labeling client:
## How to configure auto-labeling policies for SharePoint, OneDrive, and Exchange
-> [!IMPORTANT]
-> New enhancements are currently rolling out for auto-labeling policies that include faster simulation results, support for more files and more sites, and email notifications. For more information, see [Recent enhancements for auto-labeling policies](#recent-enhancements-for-auto-labeling-policies).
- Make sure you're aware of the prerequisites before you configure auto-labeling policies. ### Prerequisites for auto-labeling policies
Workflow for an auto-labeling policy:
1. Create and configure an auto-labeling policy.
-2. Run the policy in simulation mode, which can take 48 hours to complete.
-
- With the [recent enhancements](#recent-enhancements-for-auto-labeling-policies) now rolling out, this time is reduced to 12 hours and the completed simulation triggers an email notification that's sent to the user configured to receive [activity alerts](alert-policies.md).
+2. Run the policy in simulation mode, which can take 12 hours to complete. The completed simulation triggers an email notification that's sent to the user configured to receive [activity alerts](alert-policies.md).
3. Review the results, and if necessary, refine your policy. Rerun simulation mode and wait for it to complete again.
Finally, you can use simulation mode to provide an approximation of the time nee
5. For the page **Name your auto-labeling policy**: Provide a unique name, and optionally a description to help identify the automatically applied label, locations, and conditions that identify the content to label.
-6. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint sites, and OneDrive. Then select **Next**.
+6. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint, and OneDrive. If you don't want to keep the default of **All** for your chosen locations, select the link to choose specific instances. Then select **Next**.
![Choose locations page auto-labelingwizard](../media/locations-auto-labeling-wizard.png)
For more information about the PowerShell cmdlets that support auto-labeling pol
## Recent enhancements for auto-labeling policies
-The recent enhancements now rolling out for auto-labeling policies for OneDrive and SharePoint have the following improvements from the previous version:
+The recent enhancements for auto-labeling policies for OneDrive and SharePoint have the following improvements from the previous version:
- Maximum of 100 auto-labeling policies per tenant instead of 10.
When your tenant has the new enhancements, you'll see the following notification
![Banner to confirm a tenant has the new enhancements](../media/auto-labeling-updatedbanner.png)
-If you don't see this notification, your tenant hasn't got the new enhancements but check again in a few days.
- > [!NOTE] > If you had any auto-labeling policies that were in simulation mode when your tenant received the new enhancements, you must re-run the simulation. If this scenario applies to you, you'll be prompted to select **Restart Simulation** when you review the simulation. If you don't restart the simulation, it won't complete. >
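Review bot: Deleting the fallback sentence and the NOTE leaves this section half-migrated. The `+` line above drops "now rolling out" and this hunk removes "If you don't see this notification ... check again in a few days", but the unchanged lines just before it still read "When your tenant has the new enhancements, you'll see the following notification" followed by the banner image, which only makes sense while a rollout is in progress. Either remove the banner paragraph and image as well, or keep one sentence for tenants that do not yet see the new limits. Consider also keeping the **Restart Simulation** guidance: the deleted NOTE was the only place that told readers a simulation left running from before the change won't complete until it is restarted, and that remains true for anyone who never restarted it.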
compliance Auditing Troubleshooting Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/auditing-troubleshooting-scenarios.md
You must be assigned the View-Only Audit Logs or Audit Logs role in Exchange Onl
This section describes the basics for creating and running audit log searches. Use these instructions as a starting point for each troubleshooting scenario in this article. For more detailed step-by-step instructions, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md#step-1-run-an-audit-log-search). 1. Go to <https://compliance.microsoft.com/auditlogsearch> and sign in using your work or school account.
-
- The **Audit** page is displayed.
-
+
+ The **Audit** page is displayed.
+
![Configure criteria and then select Search to run the search](../media/AuditLogSearchPage1.png)
-4. You can configure the following search criteria. Each troubleshooting scenario in this article recommends specific guidance for configuring these fields.
-
- a. **Start date** and **End date:** Select a date and time range to display the events that occurred within that period. The last seven days are selected by default. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days.
+2. You can configure the following search criteria. Each troubleshooting scenario in this article recommends specific guidance for configuring these fields.
+
+ a. **Start date** and **End date:** Select a date and time range to display the events that occurred within that period. The last seven days are selected by default. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days.
b. **Activities:** Select the drop-down list to display the activities that you can search for. After you run the search, only the audit records for the selected activities are displayed. Selecting **Show results for all activities** displays results for all activities that meet the other search criteria. You'll also have to leave this field blank in some of the troubleshooting scenarios.
-
+
c. **Users:** Click in this box and then select one or more users to display search results for. Audit records for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
-
+
d. **File, folder, or site:** Type some or all of a file or folder name to search for activity related to the file of folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL, be sure the type the full URL path or if you only type a portion of the URL, don't include any special characters or spaces. Leave this box blank to return entries for all files and folders in your organization. This field is left blank in all the troubleshooting scenarios in this article.
-
-5. Select **Search** to run the search using your search criteria.
-
- The search results are loaded, and after a few moments they're displayed under **Results** on the **Audit log search** page. Each of the sections in this article provides guidance about things to look for in the context of the specific troubleshooting scenario.
+
+3. Select **Search** to run the search using your search criteria.
+
+ The search results are loaded, and after a few moments they're displayed on a page in the audit log search tool. Each of the sections in this article provides guidance about things to look for in the context of the specific troubleshooting scenario.
- For more information about viewing, filtering, or exporting audit log search results, see:
+ For more information about viewing and exporting audit log search results, see:
- [View search results](search-the-audit-log-in-security-and-compliance.md#step-2-view-the-search-results)
- - [Filter search results](search-the-audit-log-in-security-and-compliance.md#step-3-filter-the-search-results)
- - [Export search results](search-the-audit-log-in-security-and-compliance.md#step-4-export-the-search-results-to-a-file)
+
+ - [Export search results](search-the-audit-log-in-security-and-compliance.md#step-3-export-the-search-results-to-a-file)
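Review bot: The `+` line for step 3 replaces a precise location ("under **Results** on the **Audit log search** page") with "on a page in the audit log search tool", which no longer tells the reader where to look; name the page or control as the old text did. While editing this hunk, fix two typos in the unchanged item d: "be sure the type the full URL path" should read "be sure to type the full URL path", and "the file of folder that contains the specified keyword" should read "the file or folder". The paired `-`/`+` lines that contain nothing but whitespace appear to be whitespace-only changes; strip them so the diff shows only the step renumbering and the removed filter link.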
## Find the IP address of the computer used to access a compromised account
compliance Create Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-retention-policies.md
When you have more than one retention policy, and when you also use retention la
3. For the **Choose locations to apply the policy** page, select any or all of the locations for Teams: - **Teams channel message**: Messages from standard channel chats and standard channel meetings, but not from [private channels](/microsoftteams/private-channels) that have their own policy location. - **Teams chats**: Messages from private 1:1 chats, group chats, and meeting chats.
- - **Teams private channel messages**: Messages from private channel chats and private channel meetings. This option is currently rolling out in preview and if you don't see it displayed, try again in a few days.
+ - **Teams private channel messages**: Messages from private channel chats and private channel meetings.
By default, [all teams and all users are selected](#a-policy-that-applies-to-entire-locations), but you can refine this by selecting the **Edit** options to configure a retention policy for [specific inclusions or exclusions](#a-policy-with-specific-inclusions-or-exclusions). However, before you change the default, be aware of the following consequences for a retention policy that deletes messages when it's configured for includes or excludes:
Additionally, resource mailboxes and Microsoft 365 group mailboxes are not suppo
If you do choose recipients to include or exclude, you can select distribution groups and email-enabled security groups. Behind the scenes, these groups are automatically expanded at the time of configuration to select the mailboxes of the users in the group. If the membership of those groups later change, an existing retention policy isn't automatically updated.
-For detailed information about which mailbox items are included and excluded when you configure retention settings for Exchange, see [What's included for retention and deletion](retention-policies-exchange.md#whats-included-for-retention-and-deletion)
+For detailed information about which mailbox items are included and excluded when you configure retention settings for Exchange, see [What's included for retention and deletion](retention-policies-exchange.md#whats-included-for-retention-and-deletion).
The **Exchange public folders** location applies retention settings to all public folders and can't be applied at the folder or mailbox level.
compliance Deploy Facebook Connector https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-facebook-connector.md
This article contains the step-by-step process to deploy a connector that uses t
![Click Add Products and then click **Webhooks](../media/FBCimage32.png)
-9. Add Webhooks Callback URL and add a verify token. The format of the callback URL, use the format **<connectorserviceuri>/api/FbPageWebhook**, where the value for connectorserviceuri is the Azure app service URL for your organization; for example `https://fbconnector.azurewebsites.net`.
+9. Add Webhooks Callback URL and add a verify token. The format of the callback URL, use the format `<connectorserviceuri>/api/FbPageWebhook`, where the value for connectorserviceuri is the Azure app service URL for your organization; for example `https://fbconnector.azurewebsites.net`.
The verify token should similar to a strong password. Copy the verify token to a text file or other storage location.
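Review bot: The `+` line fixes the rendering of the callback URL by putting `<connectorserviceuri>/api/FbPageWebhook` in code font, which is right (bold angle brackets are swallowed by Markdown). The unchanged sentence that follows has a grammar slip: "The verify token should similar to a strong password" needs "should be similar". Since this token is the value Facebook echoes back when it verifies the webhook subscription, it would help readers to say explicitly that it should be a long random value generated for this purpose and kept out of shared or unprotected locations, rather than leaving the only advice as "copy the verify token to a text file".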
compliance Detailed Properties In The Office 365 Audit Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log.md
The following table describes the properties that are included (depending on the
|||| > [!NOTE]
-><sup>1</sup> For Azure Active Directory-related events, the value for an administrator isn't used in an audit record. Audit records for activities performed by administrators will indicate that a regular user (for example, **UserType: 0**) performed the activity. The **UserID** property will identify the person (regular user or administrator) who performed the activity.<br/>
-
-The properties described above are also displayed when you click **More information** when viewing the details of a specific event.
-
-![Click More information to view the detailed properties of the audit log event record](../media/6df582ae-d339-4735-b1a6-80914fb77a08.png)
+><sup>1</sup> For Azure Active Directory-related events, the value for an administrator isn't used in an audit record. Audit records for activities performed by administrators will indicate that a regular user (for example, **UserType: 0**) performed the activity. The **UserID** property will identify the person (regular user or administrator) who performed the activity.
compliance Importing Pst Files To Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/importing-pst-files-to-office-365.md
Additionally, to create import jobs in the Security & Compliance Center, one of
#### Where is drive shipping available?
-Drive shipping is currently available in the United States, Canada, Brazil, the United Kingdom, Europe, India, East Asia, Southeast Asia, Japan, Republic of Korea, and Australia. Drive shipping will be available in more regions soon.
+Drive shipping is currently available in the United States, Canada, Brazil, the United Kingdom, Europe, India, East Asia, Southeast Asia, Japan, Republic of Korea, Australia, and South Africa. Drive shipping will be available in more regions soon.
> [!NOTE] > At this time, drive shipping to import PST files is not available in Germany and Switzerland. This FAQ will be updated when drive shipping is available in these countries.
compliance Information Barriers Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-barriers-policies.md
With information barriers, you can define policies that are designed to prevent
This article describes how to plan, define, implement, and manage information barrier policies. Several steps are involved, and the work flow is divided into several parts. Make sure to read through the [prerequisites](#prerequisites) and the entire process before you begin defining (or editing) information barrier policies. > [!TIP]
-> This article includes an [example scenario](#example-contosos-departments-segments-and-policies) and a [downloadable Excel workbook](https://github.com/MicrosoftDocs/OfficeDocs-O365SecComp/raw/public/SecurityCompliance/media/InfoBarriers-PowerShellGenerator.xlsx) to help you plan and define your information barrier policies.
+> This article includes an [example scenario](#example-contosos-departments-segments-and-policies) to help you plan and define your information barrier policies.
## Concepts of information barrier policies
In addition to the [required licenses and permissions](information-barriers.md#r
When all the prerequisites are met, proceed to the next section. > [!TIP]
-> To help you prepare your plan, an example scenario is included in this article. [See Contoso's departments, segments, and policies](#example-contosos-departments-segments-and-policies).<p>In addition, a downloadable Excel workbook is available to help you plan and define your segments and policies (and create your PowerShell cmdlets). [Get the workbook](https://github.com/MicrosoftDocs/OfficeDocs-O365SecComp/raw/public/SecurityCompliance/media/InfoBarriers-PowerShellGenerator.xlsx).
+> To help you prepare your plan, an example scenario is included in this article. [See Contoso's departments, segments, and policies](#example-contosos-departments-segments-and-policies).
## Part 1: Segment users
compliance Retention Policies Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
For other workloads, see:
## What's included for retention and deletion
-Teams chats messages and channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: Embedded images, tables, hypertext links, links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards). Chat messages include all the names of the people in the chat, and channel messages include the team name and the message title (if supplied).
-> [!NOTE]
-> Support for messages in private channels is currently rolling out in preview.
+Teams chats messages, channel messages, and private channel messages can be deleted by using retention policies for Teams, and in addition to the text in the messages, the following items can be retained for compliance reasons: Embedded images, tables, hypertext links, links to other Teams messages and files, and [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards). Chat messages and private channel messages include all the names of the people in the conversation, and channel messages include the team name and the message title (if supplied).
Code snippets, recorded voice memos from the Teams mobile client, thumbnails, announcement images, and reactions from others in the form of emoticons are not retained when you use retention policies for Teams.
compliance Search For Ediscovery Activities In The Audit Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-ediscovery-activities-in-the-audit-log.md
As previously stated, it may take up to 24 hours for eDiscovery cmdlet activitie
## Detailed properties for eDiscovery activities
-The following table describes the properties that are included when you click **More information** on the **Details** page for an eDiscovery activity listed in the search results. These properties are also included in the CSV file when you export the audit log search results. An audit log record for an eDiscovery activity won't include every detailed property listed below.
+The following table describes the properties that are included on the flyout page for an eDiscovery activity listed in the search results. These properties are also included in the CSV file when you export the audit log search results. An audit log record for an eDiscovery activity won't include every detailed property listed below.
> [!TIP]
-> When you export the search results, the CSV file contains a column named **Detail**, which contains the detailed properties described in the following table in a multi-value property. You can use the Power Query feature in Excel to split this column into multiple columns so that each property will have its own column. This will let you sort and filter on one or more of these properties. For more information, see the "Export the search results to a file" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#step-4-export-the-search-results-to-a-file).
+> When you export the search results, the CSV file contains a column named **AudtiData**, which contains the detailed properties described in the following table in a multi-value property. You can use the Power Query feature in Excel to split this column into multiple columns so that each property will have its own column. This will let you sort and filter on one or more of these properties. For more information, see the "Export the search results to a file" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#step-3-export-the-search-results-to-a-file).
|**Property**|**Description**| |:--|:--|
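Review bot: Typo on the `+` line of the TIP: the export column is named **AuditData**, not **AudtiData**. The search-the-audit-log article changed in this same batch spells it **AuditData** in its export section, and readers will search the CSV header row for this exact string, so the misspelling points them at a column that does not exist. The updated anchor `#step-3-export-the-search-results-to-a-file` does match the renumbering in that article.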
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
audience: Admin-+ localization_priority: Priority
Here's the process for searching the audit log in Microsoft 365.
[Step 2: View the search results](#step-2-view-the-search-results)
-[Step 3: Filter the search results](#step-3-filter-the-search-results)
-
-[Step 4: Export the search results to a file](#step-4-export-the-search-results-to-a-file)
+[Step 3: Export the search results to a file](#step-3-export-the-search-results-to-a-file)
### Step 1: Run an audit log search
Here's the process for searching the audit log in Microsoft 365.
- You have to select **Show results for all activities** in the **Activities** list to display events from the Exchange admin audit log. Events from this audit log display a cmdlet name (for example, **Set-Mailbox**) in the **Activity** column in the results. For more information, click the **Audited activities** tab in this topic and then click **Exchange admin activities**.
- Similarly, there are some auditing activities that don't have a corresponding item in the **Activities** list. If you know the name of the operation for these activities, you can search for all activities, then filter the results by typing the name of the operation in the box for the **Activity** column. See [Step 3: Filter the search results](#step-3-filter-the-search-results) for more information about filtering the results.
+ Similarly, there are some auditing activities that don't have a corresponding item in the **Activities** list. If you know the name of the operation for these activities, you can search for all activities, then filter the operations after you export the search results to a CSV file.
- Click **Clear** to clear the current search criteria. The date range returns to the default of the last seven days. You can also click **Clear all to show results for all activities** to cancel all selected activities.
The results contain the following information about each event returned by the s
#### View the details for a specific event
-You can view more details about an event by clicking the event record in the list of search results. A **Details** page is displayed that contains the detailed properties from the event record. The properties that are displayed depend on the service in which the event occurs. To display these details, click **More information**. For descriptions, see [Detailed properties in the audit log](detailed-properties-in-the-office-365-audit-log.md).
-
-![Click More information to view the detailed properties of the audit log event record](../media/6df582ae-d339-4735-b1a6-80914fb77a08.png)
-
-### Step 3: Filter the search results
-
-In addition to sorting, you can also filter the results of an audit log search. This is a great feature that can help you quickly filter the results for a specific user or activity. You can initially create a wide search and then quickly filter the results to see specific events. Then you can narrow the search criteria and rerun the search to return a smaller, more concise set of results.
-
-To filter the results:
-
-1. Run an audit log search.
-
-2. When the results are displayed, click **Filter results**.
-
- Keyword boxes are displayed under each column header.
+You can view more details about an event by clicking the event record in the list of search results. A flyout page is displayed that contains the detailed properties from the event record. The properties that are displayed depend on the service in which the event occurs.
-3. Click one of the boxes under a column header and type a word or phrase, depending on the column you're filtering on. The results will dynamically readjust to display the events that match your filter.
-
- ![Type a word in filter to display events that match the filter](../media/542dc323-a997-402c-934b-cc5e218e50bc.png)
-
-4. To clear a filter, click the **X** in the filter box or click **Hide filtering**.
-
-> [!TIP]
-> To display events from the Exchange admin audit log, type a **-** (dash) in the **Activity** filter box. This will display cmdlet names, which are displayed in the **Activity** column for Exchange admin events. Then you can sort the cmdlet names in alphabetical order.
-
-### Step 4: Export the search results to a file
+### Step 3: Export the search results to a file
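Review bot: Removing the whole "Filter the search results" section also deletes the TIP about typing a **-** in the **Activity** filter box, which was the only documented way to isolate Exchange admin cmdlet events in the results. The replacement text earlier in this diff says only to "filter the operations after you export the search results to a CSV file"; carry the concrete guidance over to the export step and name the column, e.g. filter the **Operations** column of the CSV for the cmdlet name (**Set-Mailbox** and similar), so the Exchange admin scenario described in the unchanged bullet above is still actionable.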
You can export the results of an audit log search to a comma-separated value (CSV) file on your local computer. You can open this file in Microsoft Excel and use features such as search, sorting, filtering, and splitting a single column (that contains multiple properties) into multiple columns. 1. Run an audit log search, and then revise the search criteria until you have the desired results.
-2. Click **Export results** and select one of the following options:
-
- - **Save loaded results**: Choose this option to export only the entries that are displayed under **Results** on the **Audit log search** page. The CSV file that is downloaded contains the same columns (and data) displayed on the page (Date, User, Activity, Item, and Details). An extra column (named **More**) is included in the CSV file that contains more information from the audit log entry. Because you're exporting the same results that are loaded (and viewable) on the **Audit log search** page, a maximum of 5,000 entries are exported.
+2. On the search results page, click **Export** > **Download all results**.
- - **Download all results**: Choose this option to export all entries from the audit log that meet the search criteria. For a large set of search results, choose this option to download all entries from the audit log in addition to the 5,000 audit records that can be displayed on the **Audit log search** page. This option downloads the raw data from the audit log to a CSV file, and contains additional information from the audit log entry in a column named **AuditData**. It may take longer to download the file if you choose this export option because the file may be much larger than the one that's downloaded if you choose the other option.
+ All entries from the audit log that meet the search criteria rre exported to a CSV file. The raw data from the audit log is saved to a CSV file. Additional information from the audit log entry is included in a column named **AuditData** in the CSV.
> [!IMPORTANT] > You can download a maximum of 50,000 entries to a CSV file from a single audit log search. If 50,000 entries are downloaded to the CSV file, you can probably assume there are more than 50,000 events that met the search criteria. To export more than this limit, try using a date range to reduce the number of audit log entries. You might have to run multiple searches with smaller date ranges to export more than 50,000 entries.
-3. After you select an export option, a message is displayed at the bottom of the window that prompts you to open the CSV file, save it to the Downloads folder, or save it to a specific folder.
+3. After the export process is complete, a message is displayed at the top of the window that prompts you to open the CSV file and save it to your local computer. You can also access the CSV file in the Downloads folder.
#### More information about exporting and viewing audit log search results -- If you download all search results, the CSV file contains a column named **AuditData**, which contains additional information about each event. The data in this column consists of a JSON object that contains multiple properties from the audit log record. Each *property:value* pair in the JSON object is separated by a comma. You can use the JSON transform tool in the Power Query Editor in Excel to split **AuditData** column into multiple columns so that each property in the JSON object has its own column. This lets you sort and filter on one or more of these properties. For step-by-step instructions using the Power Query Editor to transform the JSON object, see [Export, configure, and view audit log records](export-view-audit-log-records.md).
+- When you download all search results, the CSV file contains the columns **CreationDate**, **UserIds**, **Operations**, and **AuditData**. The **AuditData** column contains additional information about each event (similar to the detailed information displayed on the flyout page when you view the search results in the compliance center). The data in this column consists of a JSON object that contains multiple properties from the audit log record. Each *property:value* pair in the JSON object is separated by a comma. You can use the JSON transform tool in the Power Query Editor in Excel to split **AuditData** column into multiple columns so that each property in the JSON object has its own column. This lets you sort and filter on one or more of these properties. For step-by-step instructions using the Power Query Editor to transform the JSON object, see [Export, configure, and view audit log records](export-view-audit-log-records.md).
After you split the **AuditData** column, you can filter on the **Operations** column to display the detailed properties for a specific type of activity. -- The **Download all results** option downloads the raw data from the audit log to a CSV file. This file contains different column names (CreationDate, UserIds, Operation, AuditData) than the file that's downloaded if you select the **Save loaded results** option. The values in the two different CSV files for the same activity may also be different. For example, the activity in the **Action** column in the CSV file and may have a different value than the "user-friendly" name that's displayed in the **Activity** column on the **Audit log search** page. For example, MailboxLogin vs. User signed in to mailbox.- - When you download all results from a search query that contains events from different services, the **AuditData** column in the CSV file contains different properties depending on which service the action was performed in. For example, entries from Exchange and Azure AD audit logs include a property named **ResultStatus** that indicates if the action was successful or not. This property isn't included for events in SharePoint. Similarly, SharePoint events have a property that identifies the site URL for file and folder-related activities. To mitigate this behavior, consider using different searches to export the results for activities from a single service. For a description of many of the properties that are listed in the **AuditData** column in the CSV file when you download all results, and the service each one applies to, see [Detailed properties in the audit log](detailed-properties-in-the-office-365-audit-log.md).
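Review bot: Typo in the rewritten step 2 ("All entries from the audit log that meet the search criteria rre exported"): should be "are exported", and the sentence that follows ("The raw data from the audit log is saved to a CSV file.") restates it, so fold the two into one. Also, the retained bullet at the end of "More information about exporting and viewing audit log search results" still contrasts **Download all results** with the **Save loaded results** option and the **Action** column, but this change removes **Save loaded results** from step 2, so that comparison is now stale and should be dropped or rewritten; while there, the column list in that bullet reads "Operation" whereas the new bullet reads **Operations**, so pick one.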
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
Additional capabilities are available when you install the Azure Information Pro
The numbers listed are the minimum Office application version required for each capability.
-|Capability |Windows |Mac |iOS |Android |Web |
+|Capability |Windows<sup>\*</sup> |Mac |iOS |Android |Web |
||-||-|-|| |[Manually apply, change, or remove label](https://support.microsoft.com/en-us/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)| 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |
The numbers listed are the minimum Office application version required for each
|[Dynamic markings with variables](#dynamic-markings-with-variables) | 2010+ | 16.42+ | 2.42+ | 16.0.13328+ | Rolling out | |[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 2.21+ | 16.0.11231+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Let users assign permissions: <br /> - Prompt users](encryption-sensitivity-labels.md#let-users-assign-permissions) |2004+ | 16.35+ | Under review | Under review | Under review |
-|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.43+ | 2.46+ | 16.0.13628+ | Yes <sup>\*</sup> |
+|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.43+ | 2.46+ | 16.0.13628+ | Yes <sup>\*\*</sup> |
|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.45+ | 2.47+ | 16.0.13628+ | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | 2009+ | 16.44+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | 2009+ | Under review | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |[Support co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for labeled and encrypted documents | 2106+ | 16.50+ | Under review | Under review | [Yes - opt-in](sensitivity-labels-sharepoint-onedrive-files.md) | |
-**Footnote:**
+**Footnotes:**
<sup>\*</sup>
+Version numbers are for the **Current Channel**. Newly released capabilities usually carry forward into the next Monthly Enterprise Channel, and then Semi-Annual Enterprise Channel. However, this isn't always the case because each update channel has release criteria for new features. [Learn more](/deployoffice/overview-update-channels)
+<br /><br />
+<sup>\*\*</sup>
Currently, doesn't include justification text to remove a label or lower the classification level ### Sensitivity label capabilities in Outlook The numbers listed are the minimum Office application version required for each capability.
-|Capability |Outlook for Windows |Outlook for Mac |Outlook on iOS |Outlook on Android |Outlook on the web |
+|Capability |Outlook for Windows<sup>\*</sup> |Outlook for Mac |Outlook on iOS |Outlook on Android |Outlook on the web |
|||||-|-| |[Manually apply, change, or remove label](https://support.microsoft.com/en-us/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9)| 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Apply a default label](sensitivity-labels.md#what-label-policies-can-do) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
The numbers listed are the minimum Office application version required for each
|[Dynamic markings with variables](#dynamic-markings-with-variables) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Assign permissions now](encryption-sensitivity-labels.md#assign-permissions-now) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes | |[Let users assign permissions: <br /> - Do Not Forward](encryption-sensitivity-labels.md#let-users-assign-permissions) | 1910+ | 16.21+ | 4.7.1+ | 4.0.39+ | Yes |
-|[Let users assign permissions: <br /> - Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) |2011+ | 16.48+ <sup>\*</sup> | 4.2112.0+ | 4.2112.0+ | Yes |
-|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes |
-|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.51+ <sup>\*</sup> | 4.2126+ | 4.2126+ | Rolling out |
-|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | 2009+ | 16.44+ <sup>\*</sup> | Under review | Under review | Yes |
+|[Let users assign permissions: <br /> - Encrypt-Only](encryption-sensitivity-labels.md#let-users-assign-permissions) |2011+ | 16.48+ <sup>\*\*</sup> | 4.2112.0+ | 4.2112.0+ | Yes |
+|[Require users to apply a label to their email and documents](#require-users-to-apply-a-label-to-their-email-and-documents) | 2101+ | 16.43+ <sup>\*\*</sup> | 4.2111+ | 4.2111+ | Yes |
+|[Audit label-related user activity](data-classification-activity-explorer.md) | 2011+ | 16.51+ <sup>\*\*</sup> | 4.2126+ | 4.2126+ | Yes |
+|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using sensitive info types | 2009+ | 16.44+ <sup>\*\*</sup> | Under review | Under review | Yes |
|[Apply a sensitivity label to content automatically](apply-sensitivity-label-automatically.md) <br /> - Using trainable classifiers | 2009+ | Under review | Under review | Under review | Yes |
-|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | 2105+ | 16.43+ <sup>\*</sup> | 4.2111+ | 4.2111+ | Yes |
+|[Different settings for default label and mandatory labeling](#outlook-specific-options-for-default-label-and-mandatory-labeling) | 2105+ | 16.43+ <sup>\*\*</sup> | 4.2111+ | 4.2111+ | Yes |
| **Footnotes:** <sup>\*</sup>
+Version numbers are for the **Current Channel**. Newly released capabilities usually carry forward into the next Monthly Enterprise Channel, and then Semi-Annual Enterprise Channel. However, this isn't always the case because each update channel has release criteria for new features. [Learn more](/deployoffice/overview-update-channels)
+<br /><br />
+<sup>\*\*</sup>
Requires the [new Outlook for Mac](https://support.microsoft.com/office/the-new-outlook-for-mac-6283be54-e74d-434e-babb-b70cefc77439)
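Review bot: The footnote renumbering (`*` for the new Current Channel note, `**` for the existing notes) is applied consistently in both tables, but the Outlook table's "Audit label-related user activity" row also changes the "Outlook on the web" value from "Rolling out" to "Yes" in the same edit; that is a support-status change rather than formatting, so confirm it is intended and mention it in the commit description. Minor: the two footnotes are separated with `<br /><br />` rather than a blank line; a Markdown paragraph break gives the same rendering without inline HTML.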
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
To help you manage the coexistence of sensitivity labels and Azure AD classifica
## Auditing sensitivity label activities > [!IMPORTANT]
-> If you use label separation by selecting just the **Groups & sites** scope for labels that protect containers: Because of the **Detected document sensitivity mismatch** audit event and email described in this section, consider [ordering these labels](sensitivity-labels.md#label-priority-order-matters) before labels that have a scope for **Files & emails**.
+> If you use label separation by selecting just the **Groups & sites** scope for labels that protect containers: Because of the **Detected document sensitivity mismatch** audit event and email described in this section, consider [ordering labels](sensitivity-labels.md#label-priority-order-matters) before labels that have a scope for **Files & emails**.
If somebody uploads a document to a site that's protected with a sensitivity label and their document has a [higher priority](sensitivity-labels.md#label-priority-order-matters) sensitivity label than the sensitivity label applied to the site, this action isn't blocked. For example, you've applied the **General** label to a SharePoint site, and somebody uploads to this site a document labeled **Confidential**. Because a sensitivity label with a higher priority identifies content that is more sensitivity than content that has a lower priority order, this situation could be a security concern.
Although the action isn't blocked, it is audited and by default, automatically g
It wouldn't be a security concern if the document has a lower priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled **General** is uploaded to a site labeled **Confidential**. In this scenario, an auditing event and email aren't generated.
+> [!NOTE]
+> Just as for the policy option that requires users to provide a justification for changing a label to a lower classification, sublabels for the same parent label are all considered to have the same priority.
+ To search the audit log for this event, look for **Detected document sensitivity mismatch** from the **File and page activities** category. The automatically generated email has the subject **Incompatible sensitivity label detected** and the email message explains the labeling mismatch with a link to the uploaded document and site. It also contains a documentation link that explains how users can change the sensitivity label. These automated emails cannot be customized but you can prevent them from being sent when you use the following PowerShell command from [Set-SPOTenant](/powershell/module/sharepoint-online/set-spotenant):
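Review bot: The new NOTE states that sublabels of the same parent share its priority but gives no link to where that behaviour is documented; since the companion edit to sensitivity-labels.md in this same update adds the same statement to the justification option, link the note there so the two stay in sync. The adjacent unchanged sentence also reads "identifies content that is more sensitivity than content that has a lower priority order" and should be "more sensitive than"; worth fixing in the same change.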
compliance Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels.md
For these pages that have unavailable options, select **Next** to continue. Or,
When you create your sensitivity labels in your admin center, they appear in a list on the **Sensitivity** tab on the **Labels** page. In this list, the order of the labels is important because it reflects their priority. You want your most restrictive sensitivity label, such as Highly Confidential, to appear at the **bottom** of the list, and your least restrictive sensitivity label, such as Public, to appear at the **top**.
-You can apply just one sensitivity label to an item such as a document, email, or container. If you set an option that requires your users to provide a justification for changing a label to a lower classification, the order of this list identifies the lower classifications. However, this option does not apply to sublabels.
+You can apply just one sensitivity label to an item such as a document, email, or container. If you set an option that requires your users to provide a justification for changing a label to a lower classification, the order of this list identifies the lower classifications. However, this option does not apply to sublabels that share the priority of their parent label.
The ordering of sublabels is used with [automatic labeling](apply-sensitivity-label-automatically.md), though. When you configure labels to be applied automatically or as a recommendation, multiple matches can result for more than one label. To determine the label to apply or recommend, the label ordering is used: The last sensitive label is selected, and then if applicable, the last sublabel.
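Review bot: The rewritten sentence "this option does not apply to sublabels that share the priority of their parent label" reads as a restrictive clause, as if only some sublabels share their parent's priority, whereas the NOTE added to sensitivity-labels-teams-groups-sites.md in this same update says all sublabels of a parent are considered to have the same priority. Make it non-restrictive: "this option does not apply to sublabels, which share the priority of their parent label."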
compliance Use Content Search For Targeted Collections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-content-search-for-targeted-collections.md
The script that you run in this first step will return a list of mailbox folders
- **Email address or site URL**: Type an email address of the custodian to return a list of Exchange mailbox folders and folder IDs. Or type the URL for a SharePoint site or a OneDrive for Business site to return a list of paths for the specified site. Here are some examples:
- - **Exchange**: stacig@contoso.onmicrosoft<spam><spam>.com
+ - **Exchange**: `stacig@contoso.onmicrosoft.com`
- - **SharePoint**: https<span>://</span>contoso.sharepoint.com/sites/marketing
+ - **SharePoint**: `https://contoso.sharepoint.com/sites/marketing`
- - **OneDrive for Business**: https<span>://</span>contoso-my.sharepoint.com/personal/stacig_contoso_onmicrosoft_com
+ - **OneDrive for Business**: `https://contoso-my.sharepoint.com/personal/stacig_contoso_onmicrosoft_com`
- **Your user credentials**: The script will use your credentials to connect to Exchange Online PowerShell or Security & Compliance Center PowerShell using modern authentication. As previously explained, you have to be assigned the appropriate permissions to successfully run this script.
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
Detailed lab guides take you through multiple deployment and management scenario
[Download the Windows and Office Deployment Lab Kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit). > [!NOTE]
-> Please use a broadband Internet connection to download this content and allow 30-45 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The kit expires August 23, 2021. A new version will be published prior to expiration.
+> Please use a broadband Internet connection to download this content and allow 30-45 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The lab expires November 6, 2021. A new version will be published prior to expiration.
## Additional guidance
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
####### [Recommendation methods and properties](recommendation.md) ####### [List all recommendations](get-all-recommendations.md) ####### [Get recommendation by ID](get-recommendation-by-id.md)
-####### [Get recommendation by software](get-recommendation-software.md)
+####### [Get recommendation by software](list-recommendation-software.md)
####### [List machines by recommendation](get-recommendation-machines.md) ####### [List vulnerabilities by recommendation](get-recommendation-vulnerabilities.md)
##### [Misconfigured devices](fix-unhealthy-sensors.md#misconfigured-devices) ##### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md)
+#### [Troubleshoot sensor health issues using Client Analyzer]()
+##### [Client analyzer overview](overview-client-analyzer.md)
+##### [Download and run the client analyzer](download-client-analyzer.md)
+##### [Run the client analyzer on Windows](run-analyzer-windows.md)
+##### [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md)
+##### [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
+##### [Understand the analyzer HTML report](analyzer-report.md)
+##### [Provide feedback on the client analyzer tool](analyzer-feedback.md)
+
+
+ #### [Troubleshoot Microsoft Defender for Endpoint service issues]() ##### [Troubleshoot service issues](troubleshoot-mdatp.md) ##### [Check service health](service-status.md)
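Review bot: The "Get recommendation by software" entry now points at list-recommendation-software.md while keeping its "Get ..." title; the neighbouring entries use "List ..." titles for their list targets, so either the title or the target looks wrong and should be checked against the target page's own heading. Also, the new Client Analyzer block is followed by two empty lines and the next `#### [Troubleshoot Microsoft Defender for Endpoint service issues]()` line gains a leading space before the heading marker; drop the stray whitespace so the TOC entries stay uniform.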
security Analyzer Feedback https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-feedback.md
+
+ Title: Provide feedback on the Microsoft Defender for Endpoint Client Analyzer tool
+description: Provide feedback on the Microsoft Defender for Endpoint client analyzer tool
+keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Provide feedback on the Microsoft Defender for Endpoint client analyzer tool
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+If you have feedback or suggestions that would help us improve the Microsoft Defender for Endpoint client analyzer, please use either of these options to submit feedback:
+
+1. Microsoft Defender for Endpoint portal (securitycenter.windows.com):
+
+ ![Image of smiley feedback icon](images/3e2db5015cd4f47436b4765b2303f4f5.png)
+
+2. Microsoft 365 Defender portal (security.microsoft.com):
+
+ ![Image of give feedback button](images/1d5b3c010b4b5c0e9d5eb43f71fa95e3.png)
security Analyzer Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-report.md
+
+ Title: Understand the client analyzer HTML report
+description: Learn how to analyze the Microsoft Defender for Endpoint Client Analyzer HTML report
+keywords: client analyzer report, html report, client analyzer
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Understand the client analyzer HTML report
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+The client analyzer produces a report in HTML format. Learn how to review the report to identify potential sensor issues so that you can troubleshoot them.
+
+Use the following example to understand the report.
+
+ Example output from the analyzer on a machine onboarded to expired Org ID and
+failing to reach one of the required Microsoft Defender for Endpoint URLs:
+
+![Image of client analyzer result](images/147cbcf0f7b6f0ff65d200bf3e4674cb.png)
+
+- On the top the script version and script runtime are listed for reference
+
+- The **Device Information** section provides basic OS and device identifiers
+ to uniquely identify the device on which the analyzer has run.
+
+- The **Endpoint Security Details** provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor
+ process. If important processes are not online as expected, the color will change to red.
+
+![Image of client analyzer detailed result](images/85f56004dc6bd1679c3d2c063e36cb80.png)
+
+- On **Check Results Summary** you will have an aggregated count for error,
+ warning, or informational events detected by the analyzer.
+
+- On the **Detailed Results** you will see a list (sorted by severity) with
+ the results and the guidance based on the observations made by the analyzer.
+
+## Open a support ticket to Microsoft and include the Analyzer results
+
+To include analyzer result files [when opening a support
+ticket](contact-support.md#open-a-service-request),
+make sure you use the **Attachments** section and include the
+`MDEClientAnalyzerResult.zip` file:
+
+![Image of attachment prompt](images/508c189656c3deb3b239daf811e33741.png)
+
+> [!NOTE]
+> If the file size is larger than 25 MB, the support engineer assigned to your
+case will provide a dedicated secure workspace to upload large files for
+analysis.
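Review bot: The NOTE at the end only prefixes its first line with `>`; the two continuation lines ("case will provide a dedicated secure workspace ..." and "analysis.") are unprefixed, so prefix every line of the alert. Wording: "on a machine onboarded to expired Org ID" should be "onboarded with an expired Org ID"; "On the top the script version and script runtime are listed for reference" needs a comma after "On the top" and a full stop; and "The **Endpoint Security Details** provides general information" is missing "section" after the bold name.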
security Check Sensor Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md
You can also download the entire list in CSV format using the **Export** feature
You can view the device details when you click on a misconfigured or inactive device.
-## Related topic
+## See also
- [Fix unhealthy sensors in Defender for Endpoint](fix-unhealthy-sensors.md)
+- [Client analyzer overview](overview-client-analyzer.md)
+- [Download and run the client analyzer](download-client-analyzer.md)
+- [Run the client analyzer on Windows](run-analyzer-windows.md)
+- [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md)
+- [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
security Data Collection Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md
+
+ Title: Data collection for advanced troubleshooting on Windows
+description: Learn how to use the client analyzer to collect data for complex troubleshooting scenarios
+keywords: analzyer, collect data, troubleshooting mdeclientanalyzer, advanced troubleshooting
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Data collection for advanced troubleshooting on Windows
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+When collaborating with Microsoft support professionals, you may be asked to use
+the client analyzer to collect data for troubleshooting of more complex
+scenarios. The analyzer script supports other parameters for that purpose
+and can collect a specific log set based on the observed symptoms that need to
+be investigated.
+
+Run '**MDEClientAnalyzer.cmd /?**' to see the list of available
+parameters and their description:
+
+![Image of client analyzer parameters in command line](images/d89a1c04cf8441e4df72005879871bd0.png)
+
+> [!NOTE]
+> When any advanced troubleshooting parameter is used, the analyzer also calls
+into [MpCmdRun.exe](/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance)
+to collect Microsoft Defender Antivirus related support logs.
+
+**-h** - Calls into [Windows Performance
+Recorder](/windows-hardware/test/wpt/wpr-command-line-options)
+to collect a verbose general performance trace in addition to the standard
+log set.
+
+**-l** - Calls into built-in [Windows Performance
+Monitor](/windows-server/remote/remote-desktop-services/rds-rdsh-performance-counters)
+to collect a lightweight perfmon trace. This may be useful when diagnosing slow
+performance degradation issues that occur over time but hard to reproduce on
+demand.
+
+**-c** - Calls into [process
+monitor](/sysinternals/downloads/procmon) for advanced
+monitoring of real-time file system, registry, and process/thread activity. This
+is especially useful when troubleshooting various application compatibility
+scenarios.
+
+**-i** - Calls into built-in
+[netsh.exe](/windows/win32/winsock/netsh-exe) command
+to start a network and windows firewall trace that is useful when
+troubleshooting various network-related issues.
+
+**-b** - Same as '-c' but the process monitor trace will be initiated during next
+boot and stopped only when the -b is used again.
+
+**-a** - Calls into [Windows Performance
+Recorder](/windows-hardware/test/wpt/wpr-command-line-options)
+to collect a verbose performance trace specific to analysis of high CPU
+issues related to the antivirus process (MsMpEng.exe).
+
+**-v** - Uses antivirus [MpCmdRun.exe command line
+argument](/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus)
+with most verbose -trace flags.
+
+**-t** - Starts verbose trace of all client-side components relevant to Endpoint
+DLP. This is useful for scenarios where [DLP
+actions](/microsoft-365/compliance/endpoint-dlp-learn-about#endpoint-activities-you-can-monitor-and-take-action-on) are not happening as expected for files.
+
+**-q** - Calls into DLPDiagnose.ps1 script from the analyzer 'Tools' directory
+that validates the basic configuration and requirements for Endpoint DLP.
+
+**-d** - Collects a memory dump of MsSense**S**.exe (the sensor process on Windows
+Server 2016 or older OS) and related processes.
+\* This flag can be used in conjunction with above mentioned flags.
+\*\* Capturing a memory dump of [PPL protected
+processes](/windows-hardware/drivers/install/early-launch-antimalware)
+such as MsSense.exe or MsMpEng.exe is not supported by the analyzer at this
+time.
+
+**-z** - Configures registry keys on the machine to prepare it for full machine
+memory dump collection via
+[CrashOnCtrlScroll](/windows-hardware/drivers/debugger/forcing-a-system-crash-from-the-keyboard).
+This would be useful for analysis of computer freeze issues.
+\* Hold down the rightmost CTRL key, then press the SCROLL LOCK key twice.
+
+**-k** - Uses
+[NotMyFault](/sysinternals/downloads/notmyfault) tool
+to force the system to crash and generate a machine memory dump. This would be
+useful for analysis of various OS stability issues.
+
+The analyzer and all the above scenario flags can be initiated remotely by
+running 'RemoteMDEClientAnalyzer.cmd', which is also bundled into the
+analyzer toolset:
+
+![Image of commandline with analyzer information](images/57cab9d82d08f672a92bf9e748ac9572.png)
+
+>[!NOTE]
+> - When using RemoteMDEClientAnalyzer.cmd it calls into psexec to download the
+ tool from the configured file share and then run it locally via PsExec.exe.
+ The CMD script uses '-r' flag to specify that it is running remotely within
+ SYSTEM context and so no prompt to the user will be presented.
+>- That same flag can be used with MDEClientAnalyzer.cmd to avoid a prompt to
+ user that requests to specify the number of minutes for data collection. For
+ example:
+ **MDEClientAnalyzer.cmd -r -i -m 5**
+> <br> **-r** - Indicates that tool is being run from remote (or
+ non-interactive context)
+ **-i** - Scenario flag for collection of network trace along with other
+ related logs
+ **-m** \# - The number of minutes to run (5 minutes in the above example)
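Review bot: The **-z** entry says the analyzer configures registry keys to enable CrashOnCtrlScroll but does not say whether it reverts them afterwards or how to undo the change; because this leaves a keyboard-triggered system crash enabled on the machine, document the cleanup step next to the flag. Likewise **-k** forces a crash and memory dump; state that it should only be run when an unplanned restart, and loss of unsaved work on that device, is acceptable. Smaller points: `keywords:` has the typo "analzyer"; the `\*` and `\*\*` markers under **-d** and the `\*` under **-z** have no matching markers in the text they annotate, so either reference them or rewrite them as plain sentences; command names are quoted in bold ('**MDEClientAnalyzer.cmd /?**', 'RemoteMDEClientAnalyzer.cmd') whereas the companion analyzer-report.md page uses backticks for file names (`MDEClientAnalyzerResult.zip`), so use code formatting here too; and the closing note is written as `>[!NOTE]` without a space after `>`, with continuation lines that drop the `>` prefix.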
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Title: Microsoft Defender for Endpoint Device Control Removable Storage Access Control
+ Title: Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media
description: A walk-through about Microsoft Defender for Endpoint
-keywords: removable storage media
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
Deploy Removable Storage Access Control on Windows 10 devices that have antimalw
You can use the following properties to create a removable storage group:
-### Property name: Group Id
-
-**Description**: GUID, a unique ID, represents the group and will be used in the policy.
-
-### Property name: DescriptorIdList
-
-**Description**: List the device properties you want to use to cover in the group.
-
-For each device property, see **Device Properties** section above for more detail.
-
-**Options**:
--- Primary ID
- - RemovableMediaDevices
- - CdRomDevices
-- DeviceId-- HardwareId-- InstancePathId: InstancePathId is a string that uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0.-
-The number at the end (for example **&0**) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`.
--- FriendlyNameId-- SerialNumberId-- VID-- PID-- VID_PID
- - 0751_55E0: match this exact VID/PID pair
- - _55E0: match any media with PID=55E0
- - 0751_: match any media with VID=0751
-
-### Property name: MatchType
-
-**Description**: When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.
-
-**Options**:
--- MatchAll: Any attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.-- MatchAny: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.-
-Following are the access control policy properties:
-
-### Property name: PolicyRuleId
-
-**Description**: GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting.
-
-### Property name: IncludedIdList
-
-**Description**: The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.
-
-**Options** The Group ID/GUID must be used at this instance.
-
-The following example shows the usage of GroupID:
-
-`<IncludedIdList> <GroupId>{EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>`
-
-### Property name: ExcludedIDList
-
-**Description**: The group(s) that the policy will not be applied to.
-
-**Options**: The Group ID/GUID must be used at this instance.
-
-### Property name: Entry Id
-
-**Description**: One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.
-
-### Property name: Type
-
-**Description**: Defines the action for the removable storage groups in IncludedIDList.
--- Enforcement: Allow or Deny-- Audit: AuditAllowed or AuditDenied-
-**Options**:
--- Allow-- Deny-- AuditAllowed: Defines notification and event when access is allowed-- AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.-
-When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.
-
-### Property name: Options
-
-**Description**: Defines whether to display notification or not.
--
-**Options**: 0-4.
-
-When Type **Allow** or **Deny** is selected:
--- 0: nothing-- 4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the **AuditDenied** is setting configured, the system will not show notification.-
-When Type **AuditAllowed** or **AuditDenied** is selected:
--- 0: nothing-- 1: show notification, only works for AuditDenied-- 2: send event-- 3: show notification and send event. If applying this to AuditAllowed, will only fire the event for reporting but will not show the notification.-
-### Property name: Sid
-
-**Description**: Defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one SID and an entry without any SID means applying the policy over the machine.
-
-### Property name: ComputerSid
-
-**Description**: Defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSID and an entry without any ComputerSID means applying the policy over the machine. If you want to apply an entry to a specific user and specific machine, add both SID and ComputerSID into the same entry.
-
-### Property name: AccessMask
-
-**Description**: Defines the access.
-
-Options 1-7:
--- 1: Read-- 2: Write-- 3: Read and Write-- 4: Execute-- 5: Read and Execute-- 6: Write and Execute-- 7: Read and Write and Execute
+#### Removable Storage Group
+|Property Name |Description |Options |
+||||
+|**GroupId** | [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the group and will be used in the policy. | |
+|**DescriptorIdList** | List the device properties you want to use to cover in the group. For each device property, see [Device Properties](/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection?view=o365-worldwide&preserve-view=true) for more detail.ΓÇï | - **PrimaryId**ΓÇï: RemovableMediaDevices, CdRomDevices, WpdDevices</br> - **DeviceIdΓÇï** </br>- **HardwareIdΓÇï**</br>- **InstancePathId**ΓÇï: InstancePathId is a string that uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*</br>- **FriendlyNameIdΓÇï**</br>- **SerialNumberIdΓÇï**</br>- **VIDΓÇï**</br>- **PIDΓÇï**</br>- **VID_PID**</br> 0751_55E0: match this exact VID/PID pair </br>_55E0: match any media with PID=55E0 </br>0751_: match any media with VID=0751 |
+|**MatchType** | When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship. | **MatchAll**: </br>ΓÇïAny attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.ΓÇï </br> </br>**MatchAny**:</br> ΓÇïThe attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.ΓÇï |
+||||
+
+#### Access Control Policy
+
+|Property Name |Description |Options |
+||||
+|PolicyRuleIdΓÇï | [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the policy and will be used in the reporting and troubleshooting. | |
+|IncludedIdList | The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups. | The Group ID/GUID must be used at this instance.ΓÇï </br> ΓÇïThe following example shows the usage of GroupID:ΓÇï </br> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>ΓÇï` |
+|ExcludedIDList | The group(s) that the policy will not be applied to. | The Group ID/GUID must be used at this instance. |
+|Entry Id | One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.ΓÇï | |
+|Type|Defines the action for the removable storage groups in IncludedIDList.ΓÇï </br>- Enforcement: Allow or DenyΓÇï </br>- Audit: AuditAllowed or AuditDeniedΓÇï|- AllowΓÇï </br>- DenyΓÇï</br> - AuditAllowed: Defines notification and event when access is allowedΓÇï</br>- AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.ΓÇï </br></br> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.ΓÇï|
+|Sid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine.ΓÇï||
+|ComputerSid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry.ΓÇï||
+|Options|Defines whether to display notification or notΓÇï|**0-4**: When Type Allow or Deny is selected.</br>ΓÇï</br>0: nothingΓÇï</br>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification.ΓÇï </br> </br>When Type **AuditAllowed** or **AuditDenied** is selected:ΓÇï</br>0: nothingΓÇï</br>1: show notificationΓÇï</br>2: send eventΓÇï</br>3: show notification and send eventΓÇï|
+|AccessMask|Defines the access.ΓÇï|**1-7**:ΓÇï </br></br>1: ReadΓÇï</br>2: WriteΓÇï</br>3: Read and WriteΓÇï</br>4: ExecuteΓÇï</br>5: Read and ExecuteΓÇï</br>6: Write and ExecuteΓÇï</br>7: Read and Write and ExecuteΓÇï|
+||||
## Common Removable Storage Access Control scenarios
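Review bot: both new tables use `||||` as the row under the header, but a Markdown table needs a delimiter row such as `|---|---|---|` to be recognized, so neither table will render as a table; replace the `||||` row under each header and delete the trailing `||||` rows, which would otherwise add empty rows. The sequence `ΓÇï` that recurs through the new cells (for example `**PrimaryId**ΓÇï` and `PolicyRuleIdΓÇï`) is a mis-encoded zero-width space and will be shown literally; strip it. Two qualifiers from the removed text did not survive the conversion: for AuditAllowed/AuditDenied the removed lines said "1: show notification, only works for AuditDenied" and that option 3 applied to AuditAllowed "will only fire the event for reporting but will not show the notification", whereas the new Options cell reads only "1: show notification" and "3: show notification and send event"; restore them. Finally, the IncludedIdList example gained a space, `<GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId>`, where the removed example had none; unless the consumer trims the value, keep `<GroupId>{...}</GroupId>` as before.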
security Download Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/download-client-analyzer.md
+
+ Title: Download the Microsoft Defender for Endpoint client analyzer
+description: Learn how to download the Microsoft Defender for Endpoint Client Analyzer on Windows, macOS, or Linux.
+keywords: download, client analyzer, troubleshoot sensor, analyzer, mdeanalyzer
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Download the Microsoft Defender for Endpoint client analyzer
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+Learn how to download the Microsoft Defender for Endpoint client analyzer on supported Windows, macOS, and Linux Operating Systems.
+
+## Download client analyzer for Windows OS
+
+1. The latest stable edition is available for download from following URL:
+ <https://aka.ms/MDEAnalyzer>
+
+2. The latest preview edition is available for download from following URL:
+ <https://aka.ms/BetaMDEAnalyzer>
+
+## Download client analyzer for macOS or Linux
+
+1. The latest stable edition will be integrated into the MDE for Endpoint
+ agent.
+ Ensure that you are running the latest edition for either
+ [macOS](mac-whatsnew.md)
+ or
+ [Linux](linux-whatsnew.md).
+
+2. The latest preview edition is available for direct download from following
+ URL: <https://aka.ms/XMDEClientAnalyzer>
++
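Review bot: in the macOS/Linux section, "integrated into the MDE for Endpoint agent" expands to "Microsoft Defender for Endpoint for Endpoint"; write "the Microsoft Defender for Endpoint agent". In the front matter, `- M365-security-compliance` and `- m365initiative-m365-defender` appear with no key above them, so the list will not be attached to any metadata field (presumably the `ms.collection:` key was dropped). Also "from following URL" in both numbered steps should read "from the following URL".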
security Event Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-error-codes.md
For example, if devices aren't appearing in the **Devices list**, you might need
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
-## Related topics
-
+## See also
- [Onboard Windows 10 devices](configure-endpoints.md) - [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md) - [Troubleshoot Microsoft Defender for Endpoint](troubleshoot-onboarding.md)
+- [Client analyzer overview](overview-client-analyzer.md)
+- [Download and run the client analyzer](download-client-analyzer.md)
+- [Understand the analyzer HTML report](analyzer-report.md)
security Fix Unhealthy Sensors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors.md
If you took corrective actions and the device status is still misconfigured, [op
## See also - [Check sensor health state in Microsoft Defender for Endpoint](check-sensor-status.md)
+- [Client analyzer overview](overview-client-analyzer.md)
+- [Download and run the client analyzer](download-client-analyzer.md)
+- [Run the client analyzer on Windows](run-analyzer-windows.md)
+- [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md)
+- [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
+
security Get Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alerts.md
Retrieves a collection of Alerts. <br>Supports [OData V4 queries](https://www.odata.org/documentation/). <br>OData supported operators:
-<br>```$filter``` on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
+<br>```$filter``` on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```, ```InvestigationId```, ```id```, ```asssignedTo```, ```detectionSource```, ```lastEventTime```, ```status```, ```severity``` and ```category``` properties.
<br>```$top``` with max value of 10,000 <br>```$skip``` <br>```$expand``` of ```evidence```
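Review bot: `asssignedTo` in the new `$filter` property list is misspelled with three s's; the alert property is `assignedTo`, and a reader who copies the name as written will filter on a property that does not exist.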
security Get Domain Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-statistics.md
Retrieves the statistics on the given domain.
## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+2. The maximum value for `lookbackhours` is 720 hours (30 days).
## Permissions
security Get File Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-related-alerts.md
Retrieves a collection of alerts related to a given file hash.
## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+2. Only SHA-1 Hash Function is supported (not MD5 or SHA-256).
## Permissions
Empty
## Response
-If successful and file exists - 200 OK with list of [alert](alerts.md) entities in the body. If file does not exist - 404 Not Found.
+If successful and file exists - 200 OK with list of [alert](alerts.md) entities in the body. If file does not exist - 200 OK with an empty set.
## Example
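Review bot: the response text now covers only existing versus missing files ("200 OK with an empty set"), while the new limitation says only SHA-1 is supported; state what the API returns when the supplied hash is not a SHA-1 (an MD5 or SHA-256 value), the way the IP-related alerts page in this change set documents its invalid-input case. Also "Only SHA-1 Hash Function is supported" reads better as "Only the SHA-1 hash function is supported".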
security Get File Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-related-machines.md
Retrieves a collection of [Machines](machine.md) related to a given file hash.
## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+2. Only SHA-1 Hash Function is supported (not MD5 or SHA-256).
## Permissions
Empty
## Response
-If successful and file exists - 200 OK with list of [machine](machine.md) entities in the body. If file does not exist - 404 Not Found.
+If successful and file exists - 200 OK with list of [machine](machine.md) entities in the body. If file does not exist - 200 OK with an empty set.
## Example
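Review bot: with the 404 case removed, "If file does not exist - 200 OK with an empty set" leaves the non-SHA-1 input named in the new limitation undocumented; add the status returned for an MD5 or SHA-256 hash so callers can tell "no related machines" from "unsupported hash".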
security Get File Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-statistics.md
Retrieves the statistics for the given file.
## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+2. The maximum value for `lookbackhours` is 720 Hours(30 days).
## Permissions
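Review bot: "720 Hours(30 days)" in the new limitation should read "720 hours (30 days)", matching the wording used on the domain-statistics page and adding the missing space before the parenthesis.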
security Get Investigation Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-investigation-collection.md
Retrieves a collection of [Investigations](investigation.md).
Supports [OData V4 queries](https://www.odata.org/documentation/).
-The OData's `$filter` query is supported on: `startTime`, `state`, `machineId` and `triggeringAlertId` properties.
+The OData's `$filter` query is supported on: `startTime`, `id`, `state`, `machineId` and `triggeringAlertId` properties.
+<br>```$stop``` with max value of 10,000
+<br>```$skip```
See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md)
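Review bot: `$stop` in the added line "<br>```$stop``` with max value of 10,000" is a typo for the OData `$top` option (the get-alerts page in this change set spells it `$top`); `$stop` is not a valid system query option, so fix it before a reader copies it.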
security Get Ip Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ip-related-alerts.md
Empty
## Response
-If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in the body. If IP do not exist - 404 Not Found.
+If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in the body. If IP address is unknown but valid, it will return an empty set.
+If the IP address is invalid, it will return HTTP 400.
## Example
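Review bot: "If IP address is unknown but valid, it will return an empty set" omits the HTTP status; the other response sections in this change set say "200 OK with an empty set", so phrase it the same way here, and add the article: "If the IP address is unknown but valid".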
security Get Ip Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ip-statistics.md
Retrieves the statistics for the given IP.
## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+2. Maximum Value for Lookbackhours is 720 Hours(30days).
## Permissions
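Review bot: the parameter name and wording differ from the other statistics pages in this change set: "Maximum Value for Lookbackhours is 720 Hours(30days)" should be "The maximum value for `lookbackhours` is 720 hours (30 days)", with the parameter in lowercase code font and a space before the parenthesis.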
Empty
## Response
-If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found.
+If successful and ip exists - 200 OK with statistical data in the body. IP is valid but does not exist - organizationPrevalence 0, IP is invalid - HTTP 400.
## Example
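Review bot: "IP is valid but does not exist - organizationPrevalence 0" should name the status code, for example "200 OK with organizationPrevalence 0", to match "If successful and ip exists - 200 OK" in the same sentence; also capitalize "ip" as "IP" consistently.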
security Get User Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-user-related-machines.md
Empty
## Response
-If successful and user exists - 200 OK with list of [machine](machine.md) entities in the body. If user does not exist - 404 Not Found.
+If successful and user exists - 200 OK with list of [machine](machine.md) entities in the body. If user does not exist - 200 OK with an empty set.
## Example
security Overview Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-client-analyzer.md
+
+ Title: Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer
+description: Troubleshoot sensor health on devices to identify potential configuration, environment, connectivity, or telemetry issue affecting sensor data or capability.
+keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
+The Microsoft Defender for Endpoint Client Analyzer (MDECA) can be useful when
+diagnosing sensor health or reliability issues on [onboarded
+devices](/microsoft-365/security/defender-endpoint/onboard-configure)
+running either Windows, Linux, or macOS. For example, you may want to run the
+analyzer on a machine that appears to be unhealthy according to the displayed
+[sensor health
+status](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors)
+(Inactive, No Sensor Data or Impaired Communications) in the security
+portal.
+
+Besides obvious sensor health issues, MDECA can collect other traces, logs,
+and diagnostic information for troubleshooting complex scenarios such
+as:
+Application compatibility (AppCompat), performance, network connectivity, or
+unexpected behavior related to [Endpoint Data Loss
+Prevention](/microsoft-365/compliance/endpoint-dlp-learn-about).
+
+## Privacy notice
++
+- The Microsoft Defender for Endpoint Client Analyzer tool is regularly used
+ by Microsoft Customer Support Services (CSS) to collect information that
+ will help troubleshoot issues you may be experiencing with Microsoft
+ Defender for Endpoint.
+
+- The collected data may contain Personally Identifiable Information (PII)
+ and/or sensitive data, such as (but not limited to) IP addresses, PC names,
+ and usernames.
+
+- Once data collection is complete, the tool saves the data locally on the
+ machine within a subfolder and compressed zip file.
+
+- No data is automatically sent to Microsoft. If you are using the tool during
+ collaboration on a support issue, you may be asked to send the compressed
+ data to Microsoft CSS using Secure File Exchange to facilitate the investigation of the issue.
+
+For more information about Secure File Exchange, see [How to use Secure File Exchange to exchange files with Microsoft Support](/troubleshoot/azure/general/secure-file-exchange-transfer-files)
+
+For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).
+
+## Requirements
+
+- Before running the analyzer, we recommend ensuring your proxy or firewall
+ configuration allows access to [Microsoft Defender for Endpoint service
+ URLs](/microsoft-365/security/defender-endpoint/configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
+
+- The analyzer can run on supported editions of
+ [Windows](/microsoft-365/security/defender-endpoint/minimum-requirements.md#supported-windows-versions),
+ [Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md#system-requirements),
+ or
+ [macOS](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md#system-requirements)
+ either before of after onboarding to Microsoft Defender for Endpoint.
+
+- For Windows devices, if you are running the analyzer directly on specific machines and not
+ remotely via [Live
+ Response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log),
+ then SysInternals
+ [PsExec.exe](/sysinternals/downloads/psexec)
+ should be allowed (at least temporarily) to run.
+ The analyzer calls into PsExec.exe tool to run cloud connectivity checks as
+ Local System and emulate the behavior of the SENSE service.
+
+ > [!NOTE]
+ > On Windows devices, if you use Attack Surface Reduction (ASR) rule [Block process creations
+ originating from PSExec and WMI
+ commands](/microsoft-365/security/defender-endpoint/attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands),
+ then may want to temporarily disable the rule or [configure an exclusion to
+ the ASR
+ rule](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules)
+ to allow the analyzer to run connectivity checks to cloud as expected.
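Review bot: several site-relative links carry a `.md` extension, for example `/microsoft-365/security/defender-endpoint/configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server` and the three Windows/Linux/macOS links under Requirements, while `/microsoft-365/security/defender-endpoint/onboard-configure` earlier in the same file has none; site-absolute paths resolve without `.md`, so drop the extension on those links. Two wording slips: "either before of after onboarding" should be "either before or after onboarding", and "then may want to temporarily disable the rule" is missing "you". As in the other new files in this change set, `- M365-security-compliance` and `- m365initiative-m365-defender` sit in the front matter without a key.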
security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/recommendation.md
Method |Return Type |Description
:|:|: [List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization [Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
-[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
+[Get recommendation software](list-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation [Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
security Run Advanced Query Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-api.md
5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached.
+6. The maximum query result size of a single request cannot exceed 124 MB. If exceeded, HTTP 400 Bad Request with the message "Query execution has exceeded the allowed result size. Optimize your query by limiting the amount of results and try again" will appear.
+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
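Review bot: the added line "+ ## Permissions One of the following permissions is required to call this API." puts the heading and the paragraph on one line with a leading space, so "## Permissions" will not render as a heading; put `## Permissions` on its own line followed by a blank line. In item 6, "will appear" reads better as "is returned".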
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
+
+ Title: Run the client analyzer on macOS or Linux
+description: Learn how to run the Microsoft Defender for Endpoint Client Analyzer on macOS or Linux
+keywords: client analyzer, troubleshoot sensor, analyzer, mdeanalyzer, macos, linux, mdeanalyzer
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Run the client analyzer on macOS and Linux
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
++
+## Running the analyzer through GUI scenario
+
+1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer)
+ tool to the macOS or Linux machine you need to investigate.
+> [!NOTE]
+> The current SHA256 hash of 'XMDEClientAnalyzer.zip' that is downloaded from the above link is: '029296D437BA97B5563D0C75DD874F8F51C563B2B5AC16745619F4DB2E064C85'.
+
+2. Extract the contents of XMDEClientAnalyzer.zip on the machine.
+
+3. Open a terminal session, change directory to the extracted location and run:
+
+`./mde_support_tool.sh -d`
+
+!Note
+On Linux, if the script does not have permissions to execute, then you'll need to first
+run:
+*chmod a+x mde_support_tool.sh*
+
+## Running the analyzer using a terminal or SSH scenario
+
+1. Open a terminal or SSH into the relevant machine.
+
+2. Run `wget --quiet -O XMDEClientAnalyzer.zip*
+ <http://aka.ms/XMDEClientAnalyzer> *&& unzip -q XMDEClientAnalyzer.zip && cd
+ XMDEClientAnalyzer && chmod +x mde_support_tool.sh"`
+
+3. Run ` ./mde_support_tool.sh -d ` to generate the result archive file.
+
+> [!NOTE]
+> For Linux, the analyzer requires 'lxml' to produce the result output. If not
+installed, the analyzer will try to fetch it from the official repository for
+python packages below:
+https://files.pythonhosted.org/packages/\*/lxml\*.whl
+
+Example:
++
+![Image of command line example](images/4ca188f6c457e335abe3c9ad3eddda26.png)
+
+
+
+Additional syntax help:
+
+**-h** \# Help
+\# Show help message
+
+**-p** \# Performance
+\# Planned parameter that is not yet implemented.
+\# Collects extensive tracing for analysis of a performance issue that can be
+reproduced on demand.
+
+**-o** \# Output
+\# Specify the destination path for the result file
+
+**-nz** \# No-Zip
+\# If set, a directory will be created instead of a resulting archive file
+
+**-f** \# Force
+\# Overwrite if output already exists in destination path
+
+## Result package contents on macOS and Linux
+
+- report.html <br> Description: The main HTML output file that will contain the findings and
+ guidance that the analyzer script run on the machine can produce.
+
+- mde_diagnostic.zip <br> Description: Same diagnostic output that gets generated when
+ running *mdatp diagnostic create* on either
+ [macOS](/windows/security/threat-protection/microsoft-defender-atp/mac-resources#collecting-diagnostic-information)
+ or
+ [Linux](/windows/security/threat-protection/microsoft-defender-atp/linux-resources#collect-diagnostic-information)
+
+- mde.xml <br> Description: XML output that is generated while running and is used to build
+ the html report file.
+
+- Processes_information.txt <br> Description: contains the details of the running Microsoft Defender for Endpoint related
+ processes on the system.
+
+- Log.txt <br> Description: contains the same log messages written on screen during the data
+ collection.
+
+- Health.txt <br> Description: The same basic health output that is shown when running *mdatp
+ health* command.
+
+- Events.xml <br> Description: Additional XML file used by the analyzer when building the
+ HTML report.
+
+- Auditd_info.txt <br> Description: details on auditd service and related components for
+ [Linux](/windows/security/threat-protection/microsoft-defender-atp/linux-support-events)
+ OS
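Review bot: the terminal/SSH command in step 2 is broken markup: the backtick and asterisks are interleaved (`wget --quiet -O XMDEClientAnalyzer.zip* ... *&& unzip`), there is an unmatched closing `"`, and the URL is written as `http://aka.ms/XMDEClientAnalyzer` while the GUI step links to https; present it as one fenced command, `wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer && unzip -q XMDEClientAnalyzer.zip && cd XMDEClientAnalyzer && chmod +x mde_support_tool.sh`. The `-d` switch used in both run steps does not appear in "Additional syntax help" (only -h, -p, -o, -nz and -f are listed), so add it. "!Note" after step 3 is not the `> [!NOTE]` callout used elsewhere in the file, and `*chmod a+x mde_support_tool.sh*` belongs in code font rather than italics. The SHA256 pinned in the note after step 1 will need updating whenever the zip is re-published.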
security Run Analyzer Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-windows.md
+
+ Title: Run the client analyzer on Windows
+description: Learn how to run the Microsoft Defender for Endpoint Client Analyzer on Windows.
+keywords: client analyzer, troubleshoot sensor, analyzer, mdeanalyzer, windows
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Run the client analyzer on Windows
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
++
+1. Download the [MDE Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the
+ Windows machine you need to investigate.
+
+2. Extract the contents of MDEClientAnalyzer.zip on the machine.
+
+3. Open an elevated command line:
+ 1. Go to **Start** and type **cmd**.
+ 2. Right-click **Command prompt** and select **Run as administrator**.
+
+4. Enter the following command and press **Enter**:
+
+```
+HardDrivePath\MDEClientAnalyzer.cmd
+```
+
+**Replace HardDrivePath with the path to which the tool was extracted to, for example:**
+
+`C:\Work\tools\MDATPClientAnalyzer\MDEClientAnalyzer.cmd`
+
+In addition to the above, there is also an option to [collect the analyzer
+support logs using live
+response.](troubleshoot-collect-support-log.md).
+
+> [!NOTE]
+> On windows 10, Windows Server 2019 or later OS editions, the client analyzer script calls into an executable file called `MDEClientAnalyzer.exe` to run the connectivity tests to cloud service URLs. <br> <br>
+> On Windows 8.1, Windows Server 2016 or previous OS editions, the client analyzer script calls into an executable file called `MDEClientAnalyzerPreviousVersion.exe` to run connectivity tests for Command and Control (CnC) URLs while also calling into Microsoft Monitoring Agent connectivity tool `TestCloudConnection.exe` for Cyber Data channel URLs.
+
+## Result package contents on Windows
+
+> [!NOTE]
+> The exact files captured may change depending on factors such as:
+> - The version of windows on which the analyzer is run.
+> - Event log channel availability on the machine.
+> - The start state of the EDR sensor (Sense is stopped if machine is not yet
+ onboarded).
+>- If an advanced troubleshooting parameter was used with the analyzer command.
+
+By default, the unpacked MDEClientAnalyzerResult.zip file will contain the
+following items.
+
+- MDEClientAnalyzer.htm \| This is the main HTML output file, which will
+ contain the findings and guidance that the analyzer script run on the
+ machine can produce.
+
+- SystemInfoLogs [Folder]
+
+ - AddRemovePrograms.csv <br> Description: List of installed software
+ collected from registry.
+
+- AddRemoveProgramsWOW64.csv <br> Description: List of x86 installed software on
+ x64 OS software collected from registry.
+
+ - CertValidate.log <br> Description: Detailed result from certificate
+ revocation executed by calling into
+ [CertUtil](/windows-server/administration/windows-commands/certutil).
+
+ - dsregcmd.txt <br> Description: Output from running
+ [dsregcmd](/azure/active-directory/devices/troubleshoot-device-dsregcmd).
+ This provides details about the Azure AD status of the machine.
+
+ - IFEO.txt <br> Description: Output of [Image File Execution
+ Options](/previous-versions/windows/desktop/xperf/image-file-execution-options)
+ configured on the machine
+
+ - MDEClientAnalyzer.txt <br> Description: This is verbose text file showing
+ with details of the analyzer script execution.
+
+ - MDEClientAnalyzer.xml <br> Description: XML format containing the analyzer
+ script findings.
+
+ - RegOnboardedInfoCurrent.Json <br> Description: The onboarded machine
+ information gathered in JSON format from the registry.
+
+ - RegOnboardingInfoPolicy.Json <br> Description: The onboarding policy
+ configuration gathered in JSON format from the registry.
+
+ - SCHANNEL.txt <br> Description: Details about [SCHANNEL
+ configuration](/windows-server/security/tls/manage-tls)
+ applied to the machine such gathered from registry.
+
+ - SessionManager.txt <br> Description: Session Manager specific settings
+ gather from registry.
+
+ - SSL_00010002.txt <br> Description: Details about [SSL
+ configuration](/windows-server/security/tls/manage-tls)
+ applied to the machine gathered from registry.
+
+- EventLogs [Folder]
+
+ - utc.evtx <br> Description: Export of DiagTrack event log
+
+ - senseIR.evtx <br> Description: Export of the Automated Investigation event
+ log
+
+ - sense.evtx <br> Description: Export of the Sensor main event log
+
+ - OperationsManager.evtx <br> Description: Export of the Microsoft
+ Monitoring Agent event log
++
+## See also
+- [Client analyzer overview](overview-client-analyzer.md)
+- [Download and run the client analyzer](download-client-analyzer.md)
+- [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
+- [Understand the analyzer HTML report](analyzer-report.md)
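Review bot: the NOTE block at the top of the result-package section is broken: the continuation line ` onboarded).` lacks the `>` prefix, which ends the blockquote one item early, and the next item is written `>- If an advanced troubleshooting parameter...` with no space after `>`; prefix both as `> ` lines so the four factors render as one quoted list. In the same hunk, `AddRemoveProgramsWOW64.csv` sits at the top list level instead of nested under `SystemInfoLogs [Folder]` like its siblings, and the stray `++` line before `## See also` should be a plain blank line. Wording to tidy while here: `the path to which the tool was extracted to` (drop the trailing `to`), `On windows 10` (capital W), `This is verbose text file showing with details of`, `applied to the machine such gathered from registry`, `gather from registry`, and the doubled period in `response.](troubleshoot-collect-support-log.md).`. The See also list also omits the macOS/Linux analyzer page and the live-response collection page that this section links to a few lines earlier.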
security Run Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-live-response.md
Runs a sequence of live response commands on a device
4. RunScript command timeouts after 10 minutes.
-5. When a live response command fails all followed actions will not be
+5. Live response commands cannot be queued up and can only be executed one at a time.
+
+6. Multiple live response commands can be run on a single API call. However, when a live response command fails all the following actions will not be
executed. ## Minimum Requirements
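Review bot: items 5 and 6 read as contradictory: 5 says commands `cannot be queued up and can only be executed one at a time`, while 6 says `Multiple live response commands can be run on a single API call`. If the intent is that a single call may carry a sequence of commands which run strictly one after another, and that a further call cannot be submitted while that sequence is in progress, say so in one sentence rather than two items that appear to disagree. Also, the sentence in item 6 breaks at `will not be` and continues on the unchanged `executed.` line; keep the item on one line so it renders intact.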
POST https://api.securitycenter.microsoft.com/API/machines/{machine_id}/runliver
## Response -- If successful, this method returns 200, Ok.
+- If successful, this method returns 201 Created.
Action entity. If machine with the specified ID was not found - 404 Not Found.
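Review bot: with the status code changed to `201 Created`, the bullet should say what was created; the `Action entity.` fragment that follows suggests the response body is the action, so make the bullet read along the lines of `If successful, this method returns 201 Created with the Action entity in the response body`, and keep the `404 Not Found` case as its own bullet in the same list.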
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
- m365solution-symantecmigrate Previously updated : 08/11/2021 Last updated : 08/12/2021
To verify that your onboarded devices are properly connected to Defender for End
## Confirm that Microsoft Defender Antivirus is in passive mode on your endpoints
-Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
+Now that your endpoints have been onboarded to Defender for Endpoint, your next step is to make sure Microsoft Defender Antivirus is running in passive mode. You can use one of several methods, as described in the following table:
| Method | What to do | |:-|:-|
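Review bot: `You can use one of several methods` replaces the concrete `Command Prompt or PowerShell`; make sure the table that follows actually lists the additional methods (only the header row `| Method | What to do |` is visible here), otherwise the earlier wording was the more precise one.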
security Troubleshoot Collect Support Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md
This topic provides instructions on how to run the tool via Live Response.
> ``` > > - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-for-endpoint-service-urls).++
+## See also
+- [Client analyzer overview](overview-client-analyzer.md)
+- [Download and run the client analyzer](download-client-analyzer.md)
+- [Run the client analyzer on Windows](run-analyzer-windows.md)
+- [Run the client analyzer on macOS or Linux](run-analyzer-macos-linux.md)
+- [Data collection for advanced troubleshooting on Windows](data-collection-analyzer.md)
+- [Understand the analyzer HTML report](analyzer-report.md)
+
security Advanced Hunting Emailattachmentinfo Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailattachmentinfo-table.md
The `EmailAttachmentInfo` table in the [advanced hunting](advanced-hunting-overv
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+ | Column name | Data type | Description | |-|--|-| | `Timestamp` | datetime | Date and time when the event was recorded |
For information on other tables in the advanced hunting schema, [see the advance
| `ThreatNames` | string | Detection name for malware or other threats found | | `DetectionMethods` | string | Methods used to detect malware, phishing, or other threats found in the email | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
+| `FileSize` | string | Size of the file in bytes |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
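Review bot: `FileSize` is typed `string` while its description is `Size of the file in bytes`; a byte count is numeric and, as a string, cannot be compared or summed in a hunting query without a conversion, so `long` (the type already used for `ReportId` two rows above) looks like the intended type unless the service genuinely emits it as text. Separately, the `ReportId` description in this email table still says `in conjunction with the DeviceName and Timestamp columns`, which reads as copied from the device tables; none of the rows shown has a `DeviceName` column, so name the email-table columns that actually disambiguate an event.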
security Advanced Hunting Emailevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailevents-table.md
The `EmailEvents` table in the [advanced hunting](advanced-hunting-overview.md)
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+ | Column name | Data type | Description | |-|--|-| | `Timestamp` | datetime | Date and time when the event was recorded |
For information on other tables in the advanced hunting schema, [see the advance
| `UserLevelAction` | string | Action taken on the email in response to matches to a mailbox policy defined by the recipient | | `UserLevelPolicy` | string | End-user mailbox policy that triggered the action taken on the email | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
+| `AuthenticationDetails` | string | List of pass or fail verdicts by email authentication protocols like DMARC, DKIM, SPF or a combination of multiple authentication types (CompAuth) |
## Related topics
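Review bot: `AuthenticationDetails` is described as a `List of pass or fail verdicts` but typed `string`; state how that list is encoded (for example a JSON object keyed by protocol, or a delimited string) so query authors know whether to parse it with a JSON function or split it, and say whether the `CompAuth` verdict appears alongside the per-protocol DMARC, DKIM and SPF results or in place of them. The copied `DeviceName and Timestamp` wording in the `ReportId` row above also applies to this email table and should name the email columns that actually identify the event.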
security Advanced Hunting Emailpostdeliveryevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table.md
The `EmailPostDeliveryEvents` table in the [advanced hunting](advanced-hunting-o
To get more information about individual email messages, you can also use the [`EmailEvents`](advanced-hunting-emailevents-table.md), [`EmailAttachmentInfo`](advanced-hunting-emailattachmentinfo-table.md), and the [`EmailUrlInfo`](advanced-hunting-emailurlinfo-table.md) tables. For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md).
+> [!IMPORTANT]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+ | Column name | Data type | Description | |-|--|-| | `Timestamp` | datetime | Date and time when the event was recorded |
To get more information about individual email messages, you can also use the [`
| `RecipientEmailAddress` | string | Email address of the recipient, or email address of the recipient after distribution list expansion | | `DeliveryLocation` | string | Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
+| `ThreatTypes` | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
+| `DetectionMethods` | string | Methods used to detect malware, phishing, or other threats found in the email |
## Supported event types This table captures events with the following `ActionType` values:
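Review bot: the new `ThreatTypes` and `DetectionMethods` rows should say whether they are populated for every `ActionType` this table captures (the section that follows lists them) or only for detection-driven post-delivery actions, since a post-delivery event triggered by an admin action may carry no verdict; an explicit `empty when ...` clause prevents hunting queries that filter on these columns from silently dropping rows. The descriptions match the ones in `EmailAttachmentInfo`, which is good for consistency.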
security Configure Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-event-hub.md
to save it**.
Auto-Inflate (requires standard pricing and under features) appropriate for the load you are expecting. For more information, see [Pricing - Event Hubs \| Microsoft
- Azure](https://azure.microsoft.com/en-us/pricing/details/event-hubs/)
+ Azure](https://azure.microsoft.com/pricing/details/event-hubs/)
>[!NOTE] > You can use an existing event hub, but the throughput and scaling are set at the namespace level so it is recommended to place an event hub in itsown namespace.
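Review bot: dropping the `en-us` segment from the pricing URL is the right call (the site redirects to the reader's locale); while this paragraph is being touched, the adjacent note has the typo `itsown` (`its own`), and `Auto-Inflate (requires standard pricing and under features)` is hard to parse; something like `Auto-Inflate (found under Features; requires the Standard tier)` reads more clearly.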
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
RSS feed: Get notified when this page is updated by copying and pasting the foll
```http https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+365+defender%22&locale=en-us ```
+## August 2021
+- (Preview) Microsoft Defender for Office 365 data available in advanced hunting
+<br>New columns in email tables can provide more insight into email-based threats for more thorough investigations using advanced hunting. You can now include the `AuthenticationDetails` column in [EmailEvents](./advanced-hunting-emailevents-table.md), `FileSize` in [EmailAttachmentInfo](./advanced-hunting-emailattachmentinfo-table.md), and `ThreatTypes` and `DetectionMethods` in [EmailPostDeliveryEvents](./advanced-hunting-emailpostdeliveryevents-table.md) tables.
## July 2021 - [Professional services catalog](https://sip.security.microsoft.com/interoperability/professional_services)<br>Enhance the detection, investigation, and threat intelligence capabilities of the platform with supported partner connections.
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
The available actions for spam filtering verdicts are described in the following table.
- - A check mark ( ![Check mark](../../media/checkmark.png) ) indicates the action is available (not all actions are available for all verdicts).
+ - A check mark ( ![Check mark](../../media/checkmark.png)) indicates the action is available (not all actions are available for all verdicts).
- An asterisk ( <sup>\*</sup> ) after the check mark indicates the default action for the spam filtering verdict. <br>
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
|Action|Spam|High<br>confidence<br>spam|Phishing|High<br>confidence<br>phishing|Bulk| ||::|::|::|::|::|
- |**Move message to Junk Email folder**: The message is delivered to the mailbox and moved to the Junk Email folder.<sup>1</sup>|![Check mark](../../media/checkmark.png)<sup>\*</sup>|![Check mark](../../media/checkmark.png)<sup>\*</sup>|![Check mark](../../media/checkmark.png)||![Check mark](../../media/checkmark.png)<sup>\*</sup>|
- |**Add X-header**: Adds an X-header to the message header and delivers the message to the mailbox. <p> You enter the X-header field name (not the value) later in the **Add this X-header text** box. <p> For **Spam** and **High confidence spam** verdicts, the message is moved to the Junk Email folder.<sup>1,2</sup>|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)||![Check mark](../../media/checkmark.png)<sup>\*</sup>|
+ |**Move message to Junk Email folder**: The message is delivered to the mailbox and moved to the Junk Email folder.<sup>1</sup>|![Check mark](../../media/checkmark.png)<sup>\*</sup>|![Check mark](../../media/checkmark.png)<sup>\*</sup>|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)<sup>\*</sup>|
+ |**Add X-header**: Adds an X-header to the message header and delivers the message to the mailbox. <p> You enter the X-header field name (not the value) later in the **Add this X-header text** box. <p> For **Spam** and **High confidence spam** verdicts, the message is moved to the Junk Email folder.<sup>1,2</sup>|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)||![Check mark](../../media/checkmark.png)|
|**Prepend subject line with text**: Adds text to the beginning of the message's subject line. The message is delivered to the mailbox and moved to the Junk email folder.<sup>1,2</sup> <p> You enter the text later in the **Prefix subject line with this text** box.|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)||![Check mark](../../media/checkmark.png)| |**Redirect message to email address**: Sends the message to other recipients instead of the intended recipients. <p> You specify the recipients later in the **Redirect to this email address** box.|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)| |**Delete message**: Silently deletes the entire message, including all attachments.|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)||![Check mark](../../media/checkmark.png)|
- |**Quarantine message**: Sends the message to quarantine instead of the intended recipients. <p> You specify how long the message should be held in quarantine later in the **Quarantine** box.|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)<sup>\*</sup>|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|
+ |**Quarantine message**: Sends the message to quarantine instead of the intended recipients. <p> You specify how long the message should be held in quarantine later in the **Quarantine** box.|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)|![Check mark](../../media/checkmark.png)<sup>\*</sup>|![Check mark](../../media/checkmark.png)<sup>\*</sup>|![Check mark](../../media/checkmark.png)|
|**No action**|||||![Check mark](../../media/checkmark.png)| |
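Review bot: adding `Move message to Junk Email folder` as an available action for `High confidence phishing` (new check mark in column 4) deserves a caveat below the table, because junk-folder delivery still lands a high-confidence phish in the user's mailbox; say that `Quarantine message`, now marked with the default asterisk for this verdict, is also the recommended setting, consistent with `HighConfidencePhishAction` being `Quarantine` at every level in the recommended-settings table. Removing the asterisk from `Add X-header` in the `Bulk` column correctly leaves exactly one default per column.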
security Quarantine Email Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-email-messages.md
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone E
Anti-malware policies automatically quarantine a message if *any* attachment is found to contain malware. For more information, see [Configure anti-malware policies in EOP](configure-anti-malware-policies.md).
-By default, anti-spam polices quarantine phishing messages, and deliver spam and bulk email messages to the user's Junk Email folder. But, you can also create and customize anti-spam policies to quarantine spam and bulk-email messages. For more information, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
+By default, anti-spam polices quarantine phishing and high confidence phishing messages, and deliver spam, high confidence spam, and bulk email messages to the user's Junk Email folder. But, you can also create and customize anti-spam policies to quarantine spam, high confidence spam, and bulk-email messages. For more information, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
Both users and admins can work with quarantined messages:
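Review bot: `anti-spam polices` should be `anti-spam policies`; the typo was in the old line and survives in the new one. The new sentence is otherwise consistent with the defaults in the spam-filtering actions table (phishing and high confidence phishing quarantined; spam, high confidence spam and bulk delivered to Junk Email).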
security Recommended Settings For Eop And Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365.md
To create and configure anti-spam policies, see [Configure anti-spam policies in
|**Actions**||||| |**Spam** detection action <p> _SpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|| |**High confidence spam** detection action <p> _HighConfidenceSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
-|**Phishing** detection action <p> _PhishSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
+|**Phishing** detection action <p> _PhishSpamAction_|**Quarantine message** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`||
|**High confidence phishing** detection action <p> _HighConfidencePhishAction_|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|**Quarantine message** <p> `Quarantine`|| |**Bulk** detection action <p> _BulkSpamAction_|**Move message to Junk Email folder** <p> `MoveToJmf`|**Move message to Junk Email folder** <p> `MoveToJmf`|**Quarantine message** <p> `Quarantine`|| |**Retain spam in quarantine for this many days** <p> _QuarantineRetentionPeriod_|15 days|30 days|30 days||
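Review bot: the edited `Phishing` row now reads `**Quarantine message** <p> \`MoveToJmf\`` in the first column: the display label was changed but the `_PhishSpamAction_` parameter value under it still says `MoveToJmf`, which is the Junk Email folder action. If the Standard default is quarantine, the value must be `Quarantine` as in the other two columns; if it is still Junk Email, the label must revert. The two halves of the cell have to agree because admins copy the parameter value straight into their PowerShell configuration.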
security Walkthrough Spoof Intelligence Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight.md
description: Admins can learn how to use the spoof intelligence policy and the s
ms.technology: mdo ms.prod: m365-security+ # Manage spoofed senders using the spoof intelligence policy and spoof intelligence insight in EOP
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-> [!NOTE]
-> This article describes the older spoofed sender management experience that's being replaced (the **spoof intelligence policy** on the **Anti-spam policies** page). For more information about the new experience (the **Spoofing** tab in the Tenant Allow/Block List), see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md)
+> [!IMPORTANT]
+> This article describes the older spoofed sender management experience that's being replaced (the **spoof intelligence policy** on the **Anti-spam policies** page). For more information about the new experience (the **Spoofing** tab in the Tenant Allow/Block List), see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, inbound email messages are automatically protected against spoofing by EOP as of October 2018. EOP uses **spoof intelligence** as part of your organization's overall defense against phishing. For more information, see [Anti-spoofing protection in EOP](anti-spoofing-protection.md).
There are two ways to allow and block spoofed senders:
### Manage spoofed senders in the spoof intelligence policy
+> [!IMPORTANT]
+> This article describes the older spoofed sender management experience that's being replaced (the **spoof intelligence policy** on the **Anti-spam policies** page). For more information about the new experience (the **Spoofing** tab in the Tenant Allow/Block List), see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).
+ 1. In the Microsoft 365 Defender portal, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Anti-spam** in the **Policies** section. 2. On the **Anti-spam policies** page, select **Spoof intelligence policy** by clicking on the name.
There are two ways to allow and block spoofed senders:
#### Use PowerShell to manage spoofed senders
+> [!IMPORTANT]
+> This article describes the older spoofed sender management experience that's being replaced (the **spoof intelligence policy** on the **Anti-spam policies** page). For more information about the new experience (the **Spoofing** tab in the Tenant Allow/Block List), see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).
+ To view allowed and blocked senders in spoof intelligence, use the following syntax: ```powershell
For detailed syntax and parameter information, see [Set-PhishFilterPolicy](/powe
### Manage spoofed senders in the spoof intelligence insight
+> [!IMPORTANT]
+> This article describes the older spoofed sender management experience that's being replaced (the **spoof intelligence policy** on the **Anti-spam policies** page). For more information about the new experience (the **Spoofing** tab in the Tenant Allow/Block List), see [Spoof intelligence insight in EOP](learn-about-spoof-intelligence.md).
+ 1. In the Security & Compliance Center, go to **Threat Management** \> **Dashboard**. 2. In the **Insights** row, look for one of the following items:
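Review bot: the same `[!IMPORTANT]` block is inserted verbatim four times (after the product list, under `Manage spoofed senders in the spoof intelligence policy`, under `Use PowerShell to manage spoofed senders` and under `Manage spoofed senders in the spoof intelligence insight`). One callout at the top of the article, or a single include referenced from each section, keeps the copies from drifting apart when the link target changes; if a per-section reminder is wanted, shorten the repeats to a one-line pointer to the top note. The removed `[!NOTE]` also lacked the closing period that the new text adds, so that part of the change is fine.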
solutions Collaborate As Team https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/collaborate-as-team.md
To invite guests to a team
4. Type the guest's full name and click the check mark. 5. Click **Add**, and then click **Close**.
+> [!NOTE]
+> Guests with a work or school account can only be invited by using their User Principal Name (UPN) (for example, adele@contoso.com). Inviting guests by using EAS ID, or other email formats, is not supported.
+ ## See also [Best practices for sharing files and folders with unauthenticated users](best-practices-anonymous-sharing.md)
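Review bot: `EAS ID` is neither expanded nor linked anywhere in the note; spell it out on first use, or link to where the identifier types are defined, so readers know which identifier is being ruled out, and, if the invite fails with a visible error in that case, quote it so admins can recognise the symptom. The `adele@contoso.com` example is a good illustration of the UPN form. The added `+ ` blank line before `## See also` should be an empty line, not one with a leading space.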