Updates from: 08/17/2021 03:14:20
Category Microsoft Docs article Related commit history on GitHub Change details
admin Add Autopilot Devices And Profile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/add-autopilot-devices-and-profile.md
+
+ Title: "Use the step-by-step guide to add Autopilot devices and profile"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+- M365-subscription-management
+- M365-identity-device-management
+localization_priority: Normal
+
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+- AdminTemplateSet
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+ms.assetid: be5b6d90-3344-4c5e-bf40-5733eb845beb
+description: "Learn how to use Windows AutoPilot to set up new Windows 10 devices for your business so they're ready for employee use."
++
+# Use the step-by-step guide to add Autopilot devices and profile
+
+You can use Windows AutoPilot to set up **new** Windows 10 devices for your business so they're ready for use when you give them to your employees.
+
+## Device requirements
+
+Devices must meet these requirements:
+
+- Windows 10, version 1703 or later
+
+- New devices that haven't been through Windows out-of-box experience
+
+## Use the setup guide to create devices and profiles
+
+If you haven't created device groups or profiles yet, the best way to get started is by using the step-by-step guide. You can also [add devices](create-and-edit-autopilot-devices.md) and [assign profiles](create-and-edit-autopilot-profiles.md) to them without using the guide.
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
+
+2. On the left navigation pane, choose **Devices** \> **AutoPilot**.
+
+ ![In the admin center, choose devices and then AutoPilot.](../../media/AutoPilot.png)
+
+2. On the **AutoPilot** page, click or tap **Start guide**.
+
+ ![Click Start guide for step-by-step instructions for Autopilot.](../../media/31662655-d1e6-437d-87ea-c0dec5da56f7.png)
+
+3. On the **Upload .csv file with list of devices** page, browse to a location where you have the prepared .CSV file, then **Open** \> **Next**. The file must have three headers:
+
+ - Column A: Device Serial Number
+
+ - Column B: Windows Product ID
+
+ - Column C: Hardware Hash
+
+ You can get this information from your hardware vendor, or you can use the [Get-WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) to generate a CSV file.
+
+ For more information, see [Device list CSV-file](../misc/device-list.md). You can also download a sample file on the **Upload .csv file with list of devices** page.
+
+> [!NOTE]
+> This script uses WMI to retrieve properties needed for a customer to register a device with Windows Autopilot. Note that it is normal for the resulting CSV file to not collect a Windows Product ID (PKID) value since this is not required to register a device and PKID being NULL in the output CSV is totally fine. Only the serial number and hardware hash will be populated.
+
+4. On the **Assign a profile** page, you can either pick an existing profile or create a new one. If you don't have one yet, you'll be prompted to create one.
+
+ A profile is a collection of settings that can be applied to a single device or to a group of devices.
+
+ The default features are required and are set automatically. The default features are:
+
+ - Skip Cortana, OneDrive, and OEM registration.
+
+ - Create sign-in experience with your company brand.
+
+ - Connect your devices to Azure Active Directory accounts, and automatically enroll them to be managed by Microsoft 365 Business Premium.
+
+ For more information, see [About AutoPilot Profile settings](autopilot-profile-settings.md).
+
+5. The other settings are **Skip privacy settings** and **Don't allow user to become the local admin**. These are both set to **Off** by default.
+
+ Choose **Next**.
+
+6. **You're done** indicates that the profile you created (or chose) will be applied to the device group you created by uploading the list of devices. The settings will be in effect when the device users sign in next. Choose **Close**.
+
+## Related content
+
+[About AutoPilot Profile settings](autopilot-profile-settings.md) (article)\
+[Options for protecting your devices and app data](../devices/choose-device-security.md) (article)
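Review bot: the numbered steps under "Use the setup guide to create devices and profiles" use `2.` for both the **Devices** > **AutoPilot** step and the **Start guide** step, so the source numbering is duplicated from there on; renumber the list and indent the `[!NOTE]` block under step 3 so it stays part of that step. Step 3 also says "The file must have three headers" while the note says the Windows Product ID is not required and may be NULL; state that the column must be present but its value may be empty. Step 5 says **Don't allow user to become the local admin** is **Off** by default, which by the setting's own name means the device user can become a local admin unless the admin turns it on; that consequence deserves one sentence in this step. The title uses "Autopilot" while the body uses "AutoPilot"; pick one spelling.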
admin App Protection Settings For Android And Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/app-protection-settings-for-android-and-ios.md
+
+ Title: "Set app protection settings for Android or iOS devices"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- Adm_O365
+- M365-subscription-management
+- M365-identity-device-management
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: 6f2b80b4-81c3-4714-a7bc-ae69313e8a33
+description: "Learn how to create, edit, or delete an app management policy, and protect work files on Android or iOS devices."
++
+# Set app protection settings for Android or iOS devices
+
+This article applies to Microsoft 365 Business Premium.
+
+## Create an app management policy
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
+
+2. In the left nav, choose **Devices** \> **Policies** \> **Add**.
+
+3. On the **Add policy** pane, enter a unique name for this policy.
+
+4. Under **Policy type**, choose **Application Management for Android** or **Application Management for iOS**, depending on which set of policies you want to create.
+
+5. Expand **Protect work files when devices are lost or stolen** and **Manage how users access Office files on mobile devices**. Configure the settings how you would like. **Manage how users access Office files on mobile devices** is **Off** by default, but we recommend that you turn it **On** and accept the default values. For more information, see [Available settings](#available-settings).
+
+ You can always use the **Reset default settings** link to return to the default setting.
+
+ ![Screenshot of Create a policy with Application management for Android selected](../../media/eabbe06d-ac0a-4f3a-8630-68c808b1e662.png)
+
+6. Next decide **Who will get these settings?** If you don't want to use the default **All Users** security group, choose **Change**, choose the security groups that get these settings \> **Select**.
+
+7. Finally, choose **Done** to save the policy, and assign it to devices.
+
+## Edit an app management policy
+
+1. On the **Policies** card, choose **Edit policy**.
+
+2. On the **Edit policy** pane, choose the policy you want to change
+
+3. Choose **Edit** next to each setting to change the values in the policy. When you change a value, it's automatically saved in the policy.
+
+4. When you're finished, close the **Edit policy** pane.
+
+## Delete an app management policy
+
+1. On the **Policies** page, choose a policy and then **Delete**.
+
+2. On the **Delete policy** pane, choose **Confirm** to delete the policy or policies you chose.
+
+## Available settings
+
+The following tables give detailed information about settings available to protect work files on devices and the settings that control how users access Office files from their mobile devices.
+
+ For more information, see [How do protection features in Microsoft 365 Business Premium map to Intune settings](map-protection-features-to-intune-settings.md).
+
+### Settings that protect work files
+
+The following settings are available to protect work files if a user's device is lost or stolen:
++
+|Setting <br/> |Description <br/> |
+|:--|:--|
+|Delete work files from an inactive device after this many days <br/> |If a device isn't used for the number of days that you specify here, any work files stored on the device will be deleted automatically. <br/> |
+|Force users to save all work files to OneDrive for Business <br/> |If this setting is **On**, the only available save location for work files is OneDrive for Business. <br/> |
+|Encrypt work files <br/> |Keep this setting **On** so that work files are protected by encryption. Even if the device is lost or stolen, no one can read your company data. <br/> |
+
+### Settings that control how users access Office files on mobile devices
+
+The following settings are available to manage how users access Office work files:
++
+|Setting <br/> |Description <br/> |
+|:--|:--|
+|Require a PIN or fingerprint to access Office apps <br/> |If this setting is **On** users must provide another form of authentication, in addition to their username and password, before they can use Office apps on their mobile devices.<br/> |
+|Reset PIN when login fails this many times <br/> |To prevent an unauthorized user from randomly guessing a PIN, the PIN will reset after the number of wrong entries that you specify. <br/> |
+|Require users to sign in again after Office apps have been idle for <br/> |This setting determines how long a user can be idle before they're prompted to sign in again. <br/> |
+|Deny access to work files on jailbroken or rooted devices <br/> |Clever users may have a device that is jailbroken or rooted. This means that the user can modify the operating system, which can make the device more subject to malware. These devices are blocked when this setting is **On**. <br/> |
+|Don't allow users to copy content from Office apps into personal apps <br/> |We do allow this by default, but if the setting is **On**, the user could copy information in a work file to a personal file. If the setting is **Off**, the user will be unable to copy information from a work account into a personal app or personal account. <br/> |
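Review bot: in the last row of "Settings that control how users access Office files on mobile devices", the description contradicts the setting name: the setting is "Don't allow users to copy content from Office apps into personal apps", yet the text says that with the setting **On** "the user could copy information in a work file to a personal file" and with it **Off** the user cannot. Either rename the setting to the "Allow users to copy ..." form or swap the On/Off descriptions, and state the default in terms of the setting as named, since an admin following this row could enable copying while intending to block it. The metadata block also lists `Adm_O365` twice, and step 2 under "Edit an app management policy" is missing its closing period.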
admin Autopilot Profile Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/autopilot-profile-settings.md
+
+ Title: "About AutoPilot Profile settings"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+
+f1_keywords:
+- 'ZTDProfileSettings'
+- 'O365E_ZTDProfileSettings'
+- 'BCS365_ZTDProfileSettings'
+
+localization_priority: Normal
+
+- Adm_O365
+- M365-subscription-management
+- M365-identity-device-management
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+ms.assetid: 99bfbf81-e719-4630-9b0f-c187edfa1f8a
+description: "AutoPilot profiles help you control how Windows gets installed on user devices. The profiles contain default and optional settings like skip Cortana installation."
++
+# About AutoPilot Profile settings
+
+## AutoPilot profile settings
+
+You can use AutoPilot profiles to control how Windows is installed on user devices. The profiles contain the following settings.
+
+ **AutoPilot default features (required) that are set automatically:**
+
+|**Setting**|**Description**|
+|:--|:--|
+|Skip Cortana, OneDrive, and OEM registration <br/> |Skips the installation of consumer apps like Cortana and personal OneDrive. The device user can install these later as long as the user is a local admin on the device. The original manufacturer registration is skipped because the device will be managed by Microsoft 365 Business Premium. <br/> |
+|Sign in experience with your company brand <br/> |If your company has a [Add your company branding to Microsoft 365 Sign In page](../setup/customize-sign-in-page.md), the device user will get that experience when signing in. <br/> |
+|MDM auto-enrollment with configured AAD accounts. <br/> |The user identity will be managed by Azure Active Directory, and users will sign in to Windows and Microsoft 365 with their Microsoft 365 Business Premium credentials. <br/> |
+
+ **Optional settings:**
+
+|**Setting**|**Description**|
+|:--|:--|
+|Skip privacy settings (Off by default) <br/> |If this option is set to **On**, the device user will not see the license agreement for the device and Windows when he or she first signs in. <br/> |
+|Don't allow the user to become the local admin <br/> |If this option is set to **On**, the device user will not be able to install any personal apps, such as Cortana.<br/> |
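Review bot: the "Don't allow the user to become the local admin" row in the optional settings table describes the effect only as being unable to "install any personal apps, such as Cortana"; say directly that with the setting **On** the device user does not become a local admin on the device, and add "(Off by default)" to the setting name as the row above does. In the default features table, "If your company has a [Add your company branding to Microsoft 365 Sign In page]" does not read as a sentence; reword it so the link text fits the clause.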
admin Create And Edit Autopilot Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/create-and-edit-autopilot-devices.md
+
+ Title: "Create and edit AutoPilot devices"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- Adm_O365
+- M365-subscription-management
+- M365-identity-device-management
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+ms.assetid: 0f7b1d7c-4086-4331-8534-45d7886f9f34
+description: "Learn how to upload devices using AutoPilot in Microsoft 365 Business Premium. You can assign a profile to a device or a group of devices."
++
+# Create and edit AutoPilot devices
+
+## Upload a list of devices
+
+You can use the [Step-by-step guide](add-autopilot-devices-and-profile.md) to upload devices, but you can also upload devices in the **Devices** tab.
+
+Devices must meet these requirements:
+
+- Windows 10, version 1703 or later
+
+- New devices that haven't been through Windows out-of-box experience
+
+1. In the Microsoft 365 admin center, choose **Devices** \> **AutoPilot**.
+
+2. On the **AutoPilot** page, choose the **Devices** tab \> **Add devices**.
+
+ ![In the Devices tab, choose Add devices.](../../media/6ba81e22-c873-40ad-8a72-ce64d15ea6ba.png)
+
+3. On the **Add devices** panel, browse to a [Device list CSV file](../misc/device-list.md) that you prepared \> **Save** \> **Close**.
+
+ You can get this information from your hardware vendor, or you can use the [Get-WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) to generate a CSV file.
+
+## Assign a profile to a device or a group of devices
+
+1. On the **Prepare Windows** page, choose the **Devices** tab, and select the check box next to one or more devices.
+
+2. On the **Device** panel, select a profile from the **Assigned profile** drop-down.
+
+ If you don't have any profiles yet, see [Create and edit AutoPilot profiles](create-and-edit-autopilot-profiles.md) for instructions.
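Review bot: step 1 under "Assign a profile to a device or a group of devices" sends the reader to the **Prepare Windows** page, while the upload steps in the same article use the **AutoPilot** page (**Devices** > **AutoPilot**); use one page name, or say how to reach **Prepare Windows**. In step 3 of the upload procedure, "You can get this information from your hardware vendor" has no antecedent because this article never says what the CSV file contains; name the required fields here or refer explicitly to the linked Device list CSV file article.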
admin Create And Edit Autopilot Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/create-and-edit-autopilot-profiles.md
+
+ Title: "Create and edit AutoPilot profiles"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- Adm_O365
+- M365-subscription-management
+- M365-identity-device-management
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+ms.assetid: 5cf7139e-cfa1-4765-8aad-001af1c74faa
+description: "Learn to create an AutoPilot profile and apply it to a device, as well as edit or delete a profile or remove a profile from a device."
++
+# Create and edit AutoPilot profiles
+
+## Create a profile
+
+A profile applies to a device, or a group of devices,
+
+1. In the Microsoft 365 admin center, choose **Devices** \> **AutoPilot**.
+
+2. On the **AutoPilot** page, choose the **Profiles** tab \> **Create profile**.
+
+3. On the **Create profile** page, enter a name for the profile that helps you identify it, for example Marketing. Turn on the setting you want, and then choose **Save**. For more information about AutoPilot profile settings, see [About AutoPilot Profile settings](autopilot-profile-settings.md).
+
+ ![Enter name and turn on settings in the Create profile panel.](../../media/63b5a00d-6a5d-48d0-9557-e7531e80702a.png)
+
+### Apply profile to a device
+
+After you create a profile, you can apply it to a device or a group of devices. You can pick an existing profile in the [step-by-step guide](add-autopilot-devices-and-profile.md) and apply it to new devices, or replace an existing profile for a device or group of devices.
+
+1. On the **Prepare Windows** page, choose the **Devices** tab.
+
+2. Select the check box next to a device name, and in the **Device** panel, choose a profile from the **Assigned profile** drop-down list \> **Save**.
+
+ ![In the Device panel, select an Assigned profile to apply it.](../../media/ed0ce33f-9241-4403-a5de-2dddffdc6fb9.png)
+
+## Edit, delete, or remove a profile
+
+Once you've assigned a profile to a device, you can update it, even if you've already given the device to a user. When the device connects to the internet, it downloads the latest version of your profile during the setup process. If the user restores their device to its factory default settings, the device will again download the latest updates to your profile.
+
+### Edit a profile
+
+1. On the **Prepare Windows** page, choose the **Profiles** tab.
+
+2. Select the check box next to a device name, and in the **Profile** panel, update any of the available settings \> **Save**.
+
+ If you do this before a user connects the device to the internet, then the profile gets applied to the setup process.
+
+### Delete a profile
+
+1. On the **Prepare Windows** page, choose the **Profiles** tab.
+
+2. Select the check box next to a device name, and in the **Profile** panel, select **Delete profile** \> **Save**.
+
+ When you delete a profile, it gets removed from a device or a group of devices it was assigned to.
+
+### Remove a profile
+
+1. On the **Prepare Windows** page, choose the **Devices** tab.
+
+2. Select the check box next to a device name, and in the **Device** panel, choose **None** from the **Assigned profile** drop-down list \> **Save**.
+
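Review bot: the "Edit a profile" and "Delete a profile" steps are on the **Profiles** tab and act in the **Profile** panel, but both say "Select the check box next to a device name"; that should be the profile name. The intro line under "Create a profile" ends on a comma ("A profile applies to a device, or a group of devices,"), so finish or trim the sentence. "Delete a profile" should also say what happens to devices that had the profile assigned, since the text only says the profile "gets removed" from them.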
admin Device States https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/device-states.md
+
+ Title: "Device states"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- Adm_O365
+- M365-subscription-management
+- M365-identity-device-management
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+ms.assetid: c3ac23c5-d4b4-4b1b-b7ce-ea759521bf8c
+description: "Learn about the various device states in the Device actions list in Admin home in Microsoft 365 for business."
++
+# Device states
+
+This article applies to Microsoft 365 Business Premium.
+
+Devices in the **Device actions** list (Admin home \> **Device actions**) can have the following states.
+
+![In the Device actions list, you can see the Devices states.](../../media/a621c47e-45d9-4e1a-beb9-c03254d40c1d.png)
+
+|**Status**|**Description**|
+|:--|:--|
+|Managed by Intune <br/> |Managed by Microsoft 365 Business Premium. <br/> |
+|Retire pending <br/> |Microsoft 365 Business Premium is getting ready to remove company data from the device. <br/> |
+|Retire in progress <br/> |Microsoft 365 Business Premium is currently removing company data from the device. <br/> |
+|Retire failed <br/> | Remove company data action failed. <br/> |
+|Retire canceled <br/> |Retire action was canceled. <br/> |
+|Wipe pending <br/> |Waiting for factory reset to start. <br/> |
+|Wipe in progress <br/> |Factory reset has been issued. <br/> |
+|Wipe failed <br/> |Couldn't do factory reset. <br/> |
+|Wipe canceled <br/> |Factory wipe was canceled. <br/> |
+|Unhealthy <br/> |An action is pending (or in progress), but the device hasn't checked in for 30+ days. <br/> |
+|Delete pending <br/> |Delete action is pending. <br/> |
+|Discovered <br/> |Microsoft 365 Business Premium has detected the device. <br/> |
+
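Review bot: the table describes the failure states (**Retire failed**, **Wipe failed**, **Unhealthy**) but gives no next step, even though in each of those states company data may still be on the device; add a sentence or a link telling the admin how to retry or follow up. The wording also switches between "Wipe", "factory reset" and "Factory wipe", and between "Retire" and "remove company data"; pick one term per action or define the mapping once above the table.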
admin Map Protection Features To Intune Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/map-protection-features-to-intune-settings.md
+
+ Title: "How do protection features in Microsoft 365 Business Premium map to Intune settings"
+f1.keywords:
+- NOCSH
+++ Last updated : 8/13/2018
+audience: Admin
++
+localization_priority: Normal
+
+- Adm_O365
+- M365-subscription-management
+- M365-identity-device-management
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: aad21b1a-c775-469a-b89c-c5d1d59d27db
+description: "Learn how protection features in Microsoft 365 Business Premium map to Intune settings. The subscription provides you with a license to modify Intune settings."
++
+# How do protection features in Microsoft 365 Business Premium map to Intune settings
+
+## Android and iOS application protection settings
+
+The following table details how the Android and iOS application policy settings map to Intune settings.
+
+To find the Intune setting, sign in with your Microsoft 365 Business Premium admin credentials, and go to **Admin centers**, and then **Intune**.
+
+ > [!IMPORTANT]
+ >
+ > A Microsoft 365 Business Premium subscription gives you a license to modify all the Intune settings. See [Introduction to Intune to get started.](/intune/introduction-intune)
+
+Select the Policy name you want &mdash; for example, Application policy for Android &mdash; and then choose **Policy settings**.
+
+Under **Protect work files when devices are lost or stolen**
+
+|**Android or iOS application policy setting**|**Intune setting(s)**|
+|:--|:--|
+|Delete work files from an inactive device after <br/> |Offline interval (days) before app data is wiped <br/> |
+|Force users to save work files to OneDrive for Business <br/> Note that only OneDrive for Business is allowed <br/> |Select which storage services corporate data can be saved to <br/> |
+|||
+
+Under **Manage how user access Office files in mobile devices**
+
+|**Android or iOS application policy setting**|**Intune setting(s)**|
+|:--|:--|
+|Delete work files from an inactive device after <br/> |Offline interval (days) before app data is wiped <br/> |
+|Force users to save work files to OneDrive for Business <br/> Note that only OneDrive for Business is allowed <br/> |Select which storage services corporate data can be saved to <br/> |
+|Encrypt work files <br/> |Encrypt app data <br/> |
+|Under **Manage how user access Office files in mobile devices** <br/> ||
+|Require a PIN or fingerprint to access Office apps <br/> | Require PIN to access <br/> This also sets: <br/> **Allow simple PIN** to **Yes** <br/> **Pin Length** to 4 <br/> **Allow fingerprint instead of PIN** to **Yes** <br/> **Disable app PIN when device PIN is managed** to **No** <br/> |
+|Reset PIN when login fails this many times (this is disabled if PIN isn't required) <br/> |Number of attempts before PIN reset <br/> |
+|Require users to sign in again after Office apps have been idle for (this is disabled if PIN isn't required) <br/> | Recheck the access requirements after (minutes) <br/> This also sets: <br/> **Timeout** is set to minutes <br/> This is same number of minutes you set in Microsoft 365 Business. <br/> **Offline grace period** is set to 720 minutes by default <br/> |
+|Deny access to work files on jailbroken or rooted devices <br/> |Block managed apps from running on jailbroken or rooted devices <br/> |
+|Allow users to copy content from Office apps into personal apps <br/> | Restrict cut, copy, and paste with other apps <br/> If the Microsoft 365 Business Premium option is set to **On**, then these three options are also set to **All Apps** in Intune: <br/> **Allow app to transfer data to other apps** <br/> **Allow app to receive data from other apps** <br/> **Restrict cut, copy, and paste with other apps** <br/> If the Microsoft 365 Business option is set to **On**, then all the Intune options are set to: <br/> **Allow app to transfer data to other apps** is set to **Policy managed apps** <br/> **Allow app to receive data from other apps** is set to **All Apps** <br/> **Restrict cut, copy, and paste with other apps** is set to **Policy Managed apps with Paste-In** <br/> |
+|||
+
+## Windows 10 app protection settings
+
+The following table details how the Windows 10 application policy settings map to Intune settings.
+
+To find the Intune setting, sign in with your Microsoft 365 Business Premium admin credentials, and go to [Azure portal](https://portal.azure.com). Select **More services**, and type Intune into the **Filter**. Select **Intune App Protection** \> **App Policy**.
+
+ > [!IMPORTANT]
+ >
+ >A Microsoft 365 Business Premium subscription gives you a license to modify only the Intune settings that map to the settings available in Microsoft 365 Business Premium.
+
+To explore the available settings, select the policy name you want, and then choose **General, Assignments**, **Allowed apps**, **Exempt apps**, **Required settings**, or **Advanced settings** from the left navigation pane.
+
+|**Windows 10 application policy setting**|**Intune setting(s)**|
+|:--|:--|
+|Encrypt work files <br/> |**Advanced settings** \> **Data protection**: **Revoke encryption keys on unenroll** and **Revoke access to protected data device enrolls to MDM** are both set to **On**. <br/> |
+|Prevent users from copying company data to personal files. <br/> |**Required settings** \> **Windows Information Protection mode**. **On** in Microsoft 365 Business Premium maps to: **Hide Overrides**, **Off** in Microsoft 365 Business Premium maps to: **Off**. <br/> |
+|Office documents access control <br/> | If this is set to **On** in Microsoft 365 Business Premium, then <br/> **Advanced settings** \> **Access**, **Use Windows Hello for Business as a method for signing into Windows** is set to **On**, with the following additional settings: <br/> **Set the minimum number of characters required for the PIN** is set to **4**. <br/> **Configure the use of uppercase letters in the Windows Hello for Business PIN** is set to **Do not allow use of upper case letters for PIN**. <br/> **Configure the use of lowercase letters in the Windows Hello for Business PIN** is set to **Do not allow use of lower case letters for PIN**. <br/> **Configure the use of special characters in the Windows Hello for Business PIN** is set to **Do not allow the use of special characters in PIN**. <br/> **Specify the period of time (in days) that a PIN can be used before the system requires the user to change** is set to **0**. <br/> **Specify the number of past PINs that can be associated to a user account that can't be reused** is set to **0**. <br/> **Number of authentication failures allowed before the device will be wiped** is set to same as in Microsoft 365 Business (5 by default). <br/> **Maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked** is set to same as in Microsoft 365 Business. <br/> |
+|Enable recovery of protected data <br/> |**Advanced settings** \> **Data protection**: **Show the enterprise data protection icon** and **Use Azure RMS for WIP** are set to **On**. <br/> |
+|Protect additional company cloud locations <br/> |**Advanced settings** \> **Protected domains** and **Cloud resources** show domains and SharePoint sites. <br/> |
+|Files used by these apps are protected <br/> |The list of protected apps is listed in **Allowed apps**. <br/> |
+|||
+
+## Windows 10 device protection settings
+
+The following table details how the Windows 10 device configuration settings map to Intune settings.
+
+To find the Intune setting, sign in with your Microsoft 365 Business Premium admin credentials, and go to [Azure portal](https://portal.azure.com), then select **More services**, and type in Intune into the **Filter**, select **Intune** \> **Device configuration** \> **Profiles**. Then select **Device policy for Windows 10** \> **Properties** \> **Settings**.
+
+|**Windows 10 device policy setting**|**Intune setting(s)**|
+|:--|:--|
+|Help protect PCs from viruses and other threats using Windows Defender Antivirus <br/> |Allow Real-time Monitoring = ON <br/> Allow Cloud Protection = ON <br/> Prompt Users for Samples Submission = Send Safe samples automatically (Default Non PII auto submit) <br/> |
+|Help protect PCs from web-based threats in Microsoft Edge <br/> |**SmartScreen** in **Edge Browser settings** is set to **Required**. <br/> |
+|Turn off device screen when idle for (minutes) <br/> |Maximum minutes of inactivity until screen locks (minutes) <br/> |
+|Allow users to download apps from Microsoft Store <br/> |Custom URI policy <br/> |
+|Allow users to access Cortana <br/> |**General** \> **Cortana** is set to **block** in Intune when set to **off** in Microsoft 365 Business Premium. <br/> |
+|Allow users to receive Windows tips and advertisements from Microsoft <br/> |**Windows spotlight**, all blocked if this is set to **off** in Microsoft 365 Business Premium. <br/> |
+|Keep Windows 10 devices up to date automatically <br/> | This setting is in **Microsoft Intune** \> **Service updates - Windows 10 Update Rings**, choose **Update policy for Windows 10 devices**, and then **Properties** \> **Settings**. <br/> When the Microsoft 365 Business Premium setting is set to **On**, all the following settings are set: <br/> **Service branch** is set to **CB** (CBB when this is turned off in Microsoft 365 Business Premium). <br/> **Microsoft product updates** is set to **Allow**. <br/> **Windows drivers** is set to **Allow**. <br/> **Automatic update behavior** is set to **Auto install at maintenance time** with: <br/> **After hours start** is set to **6 AM**. <br/> **Active hours end** is set to **10 PM**. <br/> **Quality update deferral period (days)** is set to **0**. <br/> **Feature update deferral period (days)** is set to **0**. <br/> **Delivery optimization download mode** is set to **HTTP blended with peering behind same NAT**. <br/> |
+|||
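Review bot: in the "Allow users to copy content from Office apps into personal apps" row, both branches begin "If the ... option is set to **On**" but map to different Intune values (**All Apps** versus **Policy managed apps** and **Policy Managed apps with Paste-In**); one of the two must describe **Off**, and the row should say which, because it decides whether work data can leave managed apps. The table under the second "Manage how user access Office files in mobile devices" lead-in repeats the two "Protect work files" rows and carries that lead-in again as a table row, while "Encrypt work files" is missing from the first table; split the rows between the two tables. The two `[!IMPORTANT]` notes also disagree on licensing ("modify all the Intune settings" versus "modify only the Intune settings that map to ..."); if the difference between the mobile and Windows 10 sections is intended, say so.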
admin Protection Settings For Windows 10 Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/protection-settings-for-windows-10-devices.md
+
+ Title: "Edit or set application protection settings for Windows 10 devices"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+
+f1_keywords:
+- 'Win10AppPolicy'
+- 'O365E_Win10AppPolicy'
+- 'BCS365_Win10AppPolicy'
+
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+ms.assetid: 02e74022-44af-414b-9d74-0ebf5c2197f0
+description: "Learn how to create or edit app management policies and protect work files on your users' personal Windows 10 devices."
++
+# Set or edit application protection settings for Windows 10 devices
+
+This article applies to Microsoft 365 Business Premium.
+
+## Edit an app management policy for Windows 10
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
+2. On the left nav, choose **Devices** \> **Policies** .
+1. Choose an existing Windows app policy and then **Edit**.
+1. Choose **Edit** next to a setting you want to change and then **Save**.
+
+## Create an app management policy for Windows 10
+
+If your users have personal Windows 10 devices on which they perform work tasks, you can protect your data on those devices as well.
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
+2. On the left nav, choose **Devices** \> **Policies** \> **Add**.
+3. On the **Add policy** pane, enter a unique name for this policy.
+4. Under **Policy type**, choose **Application Management for Windows 10**.
+5. Under **Device type**, choose either **Personal** or **Company Owned**.
+6. The **Encrypt work files** is turned on automatically.
+7. Set **Prevent users from copying company data to personal files and force them to save work files to OneDrive for Business** to **On** if you don't want the users to save work files on their PC.
+9. Expand **Recover data on Windows devices**. We recommend that you turn it **On**.
+ Before you can browse to the location of the Data Recovery Agent certificate, you have to first create one. For instructions, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
+
+ By default, work files are encrypted using a secret key that is stored on the device and associated with the user's profile. Only the user can open and decrypt the file. However, if a device is lost or a user is removed, a file can be stuck in an encrypted state. An admin can use the Data Recovery Agent (DRA) certificate to decrypt the file.
+
+ ![Browse to Data Recovery Agent certificate.](../../media/7d7d664f-b72f-4293-a3e7-d0fa7371366c.png)
+
+10. Expand **Protect additional network and cloud locations** if you want to add additional domains or SharePoint Online locations to make sure that files in all the listed apps are protected. If you need to enter more than one item for either field, use a semicolon (;) between the items.
+
+ ![Expand Protect additional network and cloud locations, and enter domains or SharePoint Online sites you own.](../../media/7afaa0c7-ba53-456d-8c61-312c45e09625.png)
+
+11. Next decide **Who will get these settings?** If you don't want to use the default **All Users** security group, choose **Change**, choose the security groups who will get these settings \> **Select**.
+12. Finally, choose **Add** to save the policy, and assign it to devices.
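Review bot: The numbered list under "Create an app management policy for Windows 10" jumps from step 7 to step 9, and step 9 never states the action it implies: the text says you must create the Data Recovery Agent certificate "before you can browse to the location", but there is no instruction to browse to and select it. Renumber the steps and add that instruction, and move the reason (a file "can be stuck in an encrypted state" if a device is lost or a user is removed) up next to "We recommend that you turn it **On**". Step 5 offers **Personal** or **Company Owned** although the intro speaks only of personal devices, with no guidance on what the choice changes. Step 6 reads "The **Encrypt work files** is turned on automatically", which needs "setting" or no article, and the front-matter title ("Edit or set ...") does not match the H1 ("Set or edit ...").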
admin Protection Settings For Windows 10 Pcs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/protection-settings-for-windows-10-pcs.md
+
+ Title: "Edit or create device protection settings for Windows 10 PCs"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: bd66c26c-73a4-45a8-8642-3ea4ee7cd89d
+description: "Learn about settings available in Microsoft 365 for business to secure Windows 10 devices."
++
+# Edit or create device protection settings for Windows 10 PCs
+
+This article applies to Microsoft 365 Business Premium.
+
+After you have set set up default Windows protection settings on the Setup page, you can add new ones that apply to either all users, or a set of users. You can also edit any of the ones you have created.
+
+## Create protection settings for Windows 10 devices
+
+View a video on how to secure Windows 10 devices with Microsoft 365 Business Premium:
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/a5734146-620a-4cec-8618-536b3ca37972?autoplay=false]
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
+2. On the left nav, choose **Devices** \> **Policies** \> **Add**.
+3. On the **Add policy** pane, enter a unique name for this policy.
+4. Under **Policy type**, choose **Windows 10 Device Configuration**.
+5. Expand **Secure Windows 10 Devices** \> configure the settings how you would like. For more information, see [Available settings](#available-settings).
+
+ You can always use the **Reset default settings** link to return to the default setting.
+
+ ![Add policy pane with Windows 10 Device configuration selected](../../media/fa9e2dc2-7eae-4c96-af34-765a1f641ecf.png)
+
+6. Next decide **Who will get these settings?** If you don't want to use the default **All users** security group, Choose **Change**, search for the security group who will get these settings \> **Select**.
+7. Finally, choose **Done** to save the policy, and assign it to devices.
+
+## Edit Windows 10 protection settings
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
+2. On the left nav, choose **Devices** \> **Policies** .
+1. Choose an existing Windows device policy and then **Edit**.
+1. Choose **Edit** next to a setting you want to change and then **Save**.
+
+## Available settings
+
+By default all settings are **On**. The following settings are available.
+
+For more information, see [How do protection features in Microsoft 365 Premium map to Intune settings](map-protection-features-to-intune-settings.md).
++
+|Setting <br/> |Description <br/> |
+|:--|:--|
+|Help protect PCs from viruses and other threats using Windows Defender Antivirus <br/> |Requires that Windows Defender Antivirus is turned on to protect PCs from the dangers of being connected to the internet. <br/> |
+|Help protect PCs from web-based threats in Microsoft Edge <br/> |Turns on settings in Edge that help protect users from malicious sites and downloads. <br/> |
+|Use rules that reduce the attack surface of devices <br/> |When turned On, attack surface reduction helps block actions and apps typically used by malware to infect devices. This setting is only available if Windows Defender Antivirus is set to On. See [Reduce attack surfaces](/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) to learn more. <br/> |
+|Protect folders from threats such as ransomware <br/> |This setting uses controlled folder access to protect company data from modification by suspicious or malicious apps, such as ransomware. These types of apps are blocked from making changes in protected folders. This setting is only available if Windows Defender Antivirus is set to On. See [Protect folders with Controlled folder access](/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy#bkmk_CFA) to learn more. <br/> |
+|Prevent network access to potentially malicious content on the Internet <br/> |Use this setting to block outbound user connections to low-reputation Internet locations that may host phishing scams, exploits, or other malicious content. This setting is only available if Windows Defender Antivirus is set to **On**. For more information, see [Protect your network](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). <br/> |
+|Help protect files and folders on PCs from unauthorized access with BitLocker <br/> |Bitlocker protects data by encrypting the computer hard drives and protect against data exposure if a computer is lost or stolen. For more information, see [Bitlocker FAQ](/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions). <br/> |
+|Allow users to download apps from Microsoft Store <br/> |Lets users download and install apps from the Microsoft Store. Apps include everything from games to productivity tools, so we leave this setting **On**, but you can turn it off for extra security. <br/> |
+|Allow users to access Cortana <br/> |Cortana can be very helpful! Cortana can turn settings on or off for you, give directions, and make sure you're on time for appointments, so we keep this setting **On** by default. <br/> |
+|Allow users to receive Windows tips and advertisements from Microsoft <br/> |Windows tips can be handy and help orient users when new features are released. <br/> |
+|Keep Windows 10 devices up to date automatically <br/> |Makes sure that Windows 10 devices automatically receive the latest updates. <br/> |
+|Turn off device screen when idle for this amount of time <br/> |Makes sure that company data is protected if a user is idle. A user may be working in a public location, like a coffee shop, and step away or be distracted for just a moment, leaving their device vulnerable to random glances. This setting lets you control how long the user can be idle before the screen shuts off. <br/> |
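Review bot: In the "Available settings" table, two rows carry link text that does not match the link target: "Reduce attack surfaces" points at .../microsoft-defender-atp/exploit-protection and "Protect your network" points at .../configure-real-time-protection-windows-defender-antivirus; check both targets against the feature each row describes. The last row claims company data "is protected if a user is idle" but only describes the screen shutting off; say whether the setting also locks the device, because the protection claim depends on it. Smaller points: the intro has "set set up", the sentence above the table says "Microsoft 365 Premium" where the rest of the article says "Microsoft 365 Business Premium", and the BitLocker row spells the product "Bitlocker" and has "protect against" where "protects against" is needed.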
admin Remove Company Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/remove-company-data.md
+
+ Title: "Remove company data from devices"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: 80bdae57-f8bc-4e40-a58c-956007117ecb
+description: "Discover how to use Microsoft 365 for business to remove company data that your users have on their devices or Windows PCs."
++
+# Remove company data from devices
+
+This article applies to Microsoft 365 Business Premium.
+
+## Remove company data
+
+You can use Microsoft 365 for business to remove company data that your users have on their [devices](app-protection-settings-for-android-and-ios.md) or [Windows PCs](protection-settings-for-windows-10-devices.md) that are protected by Microsoft 365. **If you remove company data from a device, you cannot restore it later**.
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
+
+2. On the left nav, choose **Devices** \> **Manage**.
+
+3. On the **Manage** page, choose or search for a user who's data you want to remove, and choose the name.
+
+4. On the next pane, select the device or devices from the **Devices** list. On the device pane that opens, you can choose to reset the device to factory settings or remove company data, depending on the device type.
+
+ ![On the remove company data pane, select the device from which you want to remove the data.](../../media/resetorremove.png)
+
+5. On the confirmation pane, choose **Confirm** \> **Close**.
+
++
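Review bot: Step 4 says you can "reset the device to factory settings or remove company data, depending on the device type" without saying which device types get which option. The paragraph above warns in bold that removed company data cannot be restored, so list the option shown for each device type and what each one deletes before the reader reaches **Confirm** in step 5. In the intro, the link text "devices" points to app-protection-settings-for-android-and-ios.md, so name the platforms instead of the generic word. Step 3 has "who's data" where "whose data" is meant.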
admin Reset Devices To Factory Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/reset-devices-to-factory-settings.md
+
+ Title: "Reset Windows 10 devices to their factory settings"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: c4db6caf-74df-4734-b1dd-53e371c7a3c3
+description: "Learn how to use Microsoft 365 for business to factory reset Windows 10 devices you manage, reverting them to their original settings at purchase."
++
+# Reset Windows 10 devices to their factory settings
+
+This article applies to Microsoft 365 Business Premium.
+
+A factory reset reverts a device to the original settings it had when the device was purchased. All apps and data on the device that were installed after purchase are removed. You can use Microsoft 365 for business to factory reset Windows 10 devices you manage.
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
+
+2. In the left nav, choose **Devices** \> **Manage**.
+
+3. On the **Manage** page, check the checkbox next to the device you want to remove data from and then, in the **Manage** drop-down choose **Factory reset**.
+
+4. On the **Are you sure you want to factory reset the devices below** pane, choose **Confirm** \> **Close**.
+
+
+
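Review bot: Step 3 describes the target as "the device you want to remove data from", which undersells the action; per the intro a factory reset removes all apps and data installed after purchase, so say "the device you want to reset" and add a warning before **Confirm** in step 4 stating whether anything can be recovered afterwards. Step 3 also needs a comma in "in the **Manage** drop-down choose **Factory reset**", and the hunk ends in three empty lines that can be trimmed.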
admin Validate Settings On Android Or Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/validate-settings-on-android-or-ios.md
+
+ Title: "Validate app protection settings on Android or iOS devices"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MSB365
+- OKR_SMB_M365
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: f3433b6b-02f7-447f-9d62-306bf03638b0
+description: "Learn how to validate the Microsoft 365 Business Premium app protection settings in your Android or iOS devices."
++
+# Validate app protection settings on Android or iOS devices
+
+Follow the instructions in the following sections to validate app protection settings on Android or iOS devices.
+
+## Android
+
+### Check that the app protection settings are working on user devices
+
+After you [set app configurations for Android devices](app-protection-settings-for-android-and-ios.md) to protect the apps, you can follow these steps to validate that the settings you chose work.
+
+First, make sure that the policy applies to the app in which you're going to validate it.
+
+1. In the Microsoft 365 Business Premium [admin center](https://admin.microsoft.com), go to **Policies** \> **Edit policy**.
+
+2. Choose **Application policy for Android** for the settings you created at setup, or another policy you created, and verify that it's enforced for Outlook, for example.
+
+ ![Shows all the apps for which this policy protects files.](../../media/b3be3ddd-f683-4073-8d7a-9c639a636a2c.png)
+
+### Validate Require a PIN or a fingerprint to access Office apps
+
+In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require a PIN or fingerprint to access Office apps** is set to **On**.
+
+![Make sure that the Require a PIN or fingerprint to access Office apps is set to On.](../../media/f37eb5b2-7e26-49fb-9bd6-d955d196bacf.png)
+
+1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.
+
+2. You'll also be prompted to enter a PIN or use a fingerprint.
+
+ ![Enter a PIN on your Android device to access Office apps.](../../media/9e8ecfee-8122-4a3a-8918-eece80344310.png)
+
+### Validate Reset PIN after number of failed attempts
+
+In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Reset PIN after number of failed attempts** is set to some number. This is 5 by default.
+
+1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.
+
+2. Enter an incorrect PIN as many times as specified by the policy. You'll see a prompt that states **PIN Attempt Limit Reached** to reset the PIN.
+
+ ![After too many incorrect PIN attempts, you need to reset your PIN.](../../media/fca6fcb4-bb5c-477f-af5e-5dc937e8b835.png)
+
+3. Press **Reset PIN**. You'll be prompted to sign in with the user's Microsoft 365 Business Premium credentials, and then required to set a new PIN.
+
+### Validate Force users to save all work files to OneDrive for Business
+
+In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Force users to save all work files to OneDrive for Business** is set to **On**.
+
+![Verify that Force users to save all work files to OneDrive for Business is set to On.](../../media/7140fa1d-966d-481c-829f-330c06abb5a5.png)
+
+1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
+
+2. Open an email that contains an attachment and tap the down arrow icon next to the attachment's information.
+
+ ![Tap the down arrow next to an attachment to try to save it.](../../media/b22573bb-91ce-455f-84fa-8feb2846b117.png)
+
+ You'll see **Cannot save to device** on the bottom of the screen.
+
+ ![Warning text that indicates cannot save a file locally to an Android.](../../media/52ca3f3d-7ed0-4a52-9621-4872da6ea9c5.png)
+
+ > [!NOTE]
+ > Saving to OneDrive for Business is not enabled for Android at this time, so you can only see that saving locally is blocked.
+
+### Validate Require user to sign in again if Office apps have been idle for a specified time
+
+In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require users to sign in again after Office apps have been idle for** is set to some number of minutes. This is 30 minutes by default.
+
+1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
+
+2. You should now see Outlook's inbox. Let the Android device idle untouched for at least 30 minutes (or some other amount of time, longer than what you specified in the policy). The device will likely dim.
+
+3. Access Outlook on the Android device again.
+
+4. You'll be prompted to enter your PIN before you can access Outlook again.
+
+### Validate Protect work files with encryption
+
+In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Protect work files with encryption** is set to **On**, and **Force users to save all work files to OneDrive for Business** is set to **Off**.
+
+1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
+
+2. Open an email that contains a few image file attachments.
+
+3. Tap the down arrow icon next to the attachment's info to save it.
+
+ ![Tap the down arrow to save the figure file to the Android device.](../../media/08a9e21e-4022-45d5-acff-59cface651e7.png)
+
+4. You may be prompted to allow Outlook to access photos, media, and files on your device. Tap **Allow**.
+
+5. At the bottom of the screen, choose to **Save to Device** and then open the **Gallery** app.
+
+6. You should see an encrypted photo (or more, if you saved multiple image file attachments) in the list. It may appear in the Pictures list as a gray square with a white exclamation point within a white circle in the center of the gray square.
+
+ ![An encrypted image file in the Gallery app.](../../media/25936414-bd7e-421d-824e-6e59b877722d.png)
+
+## iOS
+
+### Check that the App protection settings are working on user devices
+
+After you [set app configurations for iOS devices](app-protection-settings-for-android-and-ios.md) to protect apps, you can follow these steps to validate that the settings you chose work.
+
+First, make sure that the policy applies to the app in which you're going to validate it.
+
+1. In the Microsoft 365 Business Premium [admin center](https://admin.microsoft.com), go to **Policies** \> **Edit policy**.
+
+2. Choose **Application policy for iOS** for the settings you created at setup, or another policy you created, and verify that it's enforced for Outlook for example.
+
+ ![Shows all the apps for which this policy protects files.](../../media/842441b8-e7b1-4b86-9edd-d94d1f77b6f4.png)
+
+### Validate Require a PIN to access Office apps
+
+In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require a PIN or fingerprint to access Office apps** is set to **On**.
+
+![Make sure that the Require a PIN or fingerprint to access Office apps is set to On.](../../media/f37eb5b2-7e26-49fb-9bd6-d955d196bacf.png)
+
+1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.
+
+2. You'll also be prompted to enter a PIN or use a fingerprint.
+
+ ![Enter a PIN on your IOS device to access Office apps.](../../media/06fc5cf3-9f19-4090-b23c-14bb59805b7a.png)
+
+### Validate Reset PIN after number of failed attempts
+
+In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Reset PIN after number of failed attempts** is set to some number. This is 5 by default.
+
+1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.
+
+2. Enter an incorrect PIN as many times as specified by the policy. You'll see a prompt that states **PIN Attempt Limit Reached** to reset the PIN.
+
+ ![After too many incorrect PIN attempts, you need to reset your PIN.](../../media/fab5c089-a4a5-4e8d-8c95-b8eed1dfa262.png)
+
+3. Press **OK**. You'll be prompted to sign in with the user's Microsoft 365 Business Premium credentials, and then required to set a new PIN.
+
+### Validate Force users to save all work files to OneDrive for Business
+
+In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Force users to save all work files to OneDrive for Business** is set to **On**.
+
+![Verify that Force users to save all work files to OneDrive for Business is set to On.](../../media/7140fa1d-966d-481c-829f-330c06abb5a5.png)
+
+1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
+
+2. Open an email that contains an attachment, open the attachment and choose **Save** on the bottom of the screen.
+
+ ![Tap the Save option after you open an attachment to try to save it.](../../media/b419b070-1530-4f14-86a8-8d89933a2b25.png)
+
+3. You should only see an option for OneDrive for Business. If not, tap **Add Account** and select **OneDrive for Business** from the **Add Storage Account** screen. Provide the end user's Microsoft 365 Business Premium to sign in when prompted.
+
+ Tap **Save** and select **OneDrive for Business**.
+
+### Validate Require user to sign in again if Office apps have been idle for a specified time
+
+In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require users to sign in again after Office apps have been idle for** is set to some number of minutes. This is 30 minutes by default.
+
+1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
+
+2. You should now see Outlook's inbox. Let the iOS device untouched for at least 30 minutes (or some other amount of time, longer than what you specified in the policy). The device will likely dim.
+
+3. Access Outlook on the iOS device again.
+
+4. You'll be prompted to enter your PIN before you can access Outlook again.
+
+### Validate Protect work files with encryption
+
+In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Protect work files with encryption** is set to **On**, and **Force users to save all work files to OneDrive for Business** is set to **Off**.
+
+1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
+
+2. Open an email that contains a few image file attachments.
+
+3. Tap the attachment and then tap the **Save** option under it.
+
+4. Open **Photos** app from the home screen. You should see an encrypted photo (or more, if you saved multiple image file attachments) saved, but encrypted.
+
++
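Review bot: In both "Validate Require user to sign in again if Office apps have been idle for a specified time" sections, the setting under test is **Require users to sign in again after Office apps have been idle for**, but step 4 expects only a PIN prompt ("You'll be prompted to enter your PIN"); state which prompt proves this setting, otherwise the test cannot be told apart from the PIN requirement validated earlier. In the iOS half, the heading "Validate Require a PIN to access Office apps" drops "or fingerprint" from the setting name, the idle test reads "Let the iOS device untouched" (missing "idle"), the save test reads "Provide the end user's Microsoft 365 Business Premium to sign in" (missing "credentials"), and the encryption test ends with "an encrypted photo ... saved, but encrypted" without describing what an encrypted photo looks like, which the Android step 6 does. The first step of each platform section uses **Policies** > **Edit policy**, while the other device articles in this update use **Devices** > **Policies**; confirm the path.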
admin Validate Settings On Windows 10 Pcs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/validate-settings-on-windows-10-pcs.md
+
+ Title: "Validate app protection settings for Windows 10 PCs"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- Adm_O365
+- M365-subscription-management
+- M365-identity-device-management
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: fae8819d-7235-495f-9f07-d016f545887f
+description: "Learn how to verify that Microsoft 365 for business app protection settings took effect on your users' Windows 10 devices."
++
+# Validate device protection settings for Windows 10 PCs
+
+## Verify that Windows 10 device policies are set
+
+After you [set up devices policies](protection-settings-for-windows-10-pcs.md), it may take up to a few hours for the policy to take effect on users' devices. You can confirm that the policies took effect by looking at various Windows Settings screens on the users' devices. Because the users won't be able to modify the Windows Update and Windows Defender Antivirus settings on their Windows 10 devices, many options will be grayed out.
+
+1. Go to **Settings** \> **Update &amp; security** \> **Windows Update** \> **Restart options** and confirm that all settings are grayed out.
+
+ ![All the Restart options are grayed out.](../../media/31308da9-18b0-47c5-bbf6-d5fa6747c376.png)
+
+2. Go to **Settings** \> **Update &amp; security** \> **Windows Update** \> **Advanced options** and confirm that all settings are grayed out.
+
+ ![Windows Advanced updates options are all grayed out.](../../media/049cf281-d503-4be9-898b-c0a3286c7fc2.png)
+
+3. Go to **Settings** \> **Update &amp; security** \> **Windows Update** \> **Advanced options** \> **Choose how updates are delivered**.
+
+ Confirm that you can see the message (in red) that some settings are hidden or managed by your organization, and all the options are grayed out.
+
+ ![Choose how updates are delivered page indicates settings are hidden or managed by your organization.](../../media/6b3e37c5-da41-4afd-9983-b4f406216b59.png)
+
+4. To open the Windows Defender Security Center, go to **Settings** \> **Update &amp; security** \> **Windows Defender** \> click **Open Windows Defender Security Center** \> **Virus &amp; thread protection** \> **Virus &amp; threat protection settings**.
+
+5. Verify that all options are grayed out.
+
+ ![The Virus and threat protection settings are grayed out.](../../media/9ca68d40-a5d9-49d7-92a4-c581688b5926.png)
+
+## Related content
+
+[Microsoft 365 for business documentation and resources](./index.yml)\
+[Set device configurations for Windows 10 PCs](protection-settings-for-windows-10-pcs.md)
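Review bot: The front matter calls this article "Validate app protection settings for Windows 10 PCs" and the description repeats "app protection settings", but the H1 and every step are about device protection settings (Windows Update and Windows Defender Antivirus); align the title and description with the H1 so search results do not send readers looking for app policies here. Step 4 has "Virus &amp; thread protection" where "threat" is meant, and the intro has "set up devices policies". Since the intro says a policy may take "up to a few hours" to apply, add a line on what the admin should do when the options are not yet grayed out.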
admin View Policies And Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/view-policies-and-devices.md
+
+ Title: "View policies and devices"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: 6b70fa27-d171-4593-8ecf-f78bb4ed2e99
+description: "View device policies and actions by signing in to Microsoft 365 for business with global admin credentials."
++
+# View and manage policies and devices
+
+This article applies to Microsoft 365 Business Premium.
+
+## View and edit device policies
+
+1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
+2. On the left nav, choose **Devices** \> **Policies**.
+
+ On this page, you can create, edit, change target group, or delete a policy.
+
+ ![Screenshot of the Policies page](../../media/devicepolicies.png)
+
+## View and manage devices
+
+1. On the left nav, choose **Devices** \> **Manage**.
+
+ On this page, you can select one or more devices and remove company data. For Windows 10 devices that you have set device protections settings for, you can also choose to reset the device to factory settings.
+
+ ![Manage devices page](../../media/devicesmanage.png)
+
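Review bot: The description says policies are viewed "by signing in to Microsoft 365 for business with global admin credentials", but neither procedure states which role is required; put the role requirement in the body next to step 1, because this page leads to the remove-company-data and factory-reset actions. "View and manage devices" starts at "On the left nav" with no step for opening the admin center, "device protections settings" should be "device protection settings", and the front-matter title ("View policies and devices") omits "and manage" from the H1.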
admin Centralized Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md
Using the Centralized Deployment Compatibility Checker, you can verify whether t
This command prompts you for *_TenantDomain_* (for example, *TailspinToysIncorporated.onmicrosoft.</span>com*) and *_TenantAdmin_* credentials (use your global admin credentials), and then requests consent. > [!NOTE]
- > Depending on the number of users in your tenant, the checker could complete in minutes or hours.
-
-When the tool finishes running, it produces an output file in comma-separated (.csv) format. The file is saved to **C:\windows\system32** by default. The output file contains the following information:
+ > Depending on the number of users in your tenant, the checker could complete in minutes or hours.
+
+When the tool finishes running, it produces an output file in comma-separated (.csv) format. The file is saved to **the current working directory** by default. The output file contains the following information:
- User Name
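Review bot: The replacement sentence keeps the bold that used to mark the literal path **C:\windows\system32**, so "**the current working directory**" now reads like a UI label; drop the bold and say the file is written to the directory the command was run from. The output file lists user names, so it would help to add the file name and a reminder to run the checker from a directory the admin controls. The unchanged line above still carries a stray `</span>` inside the example tenant domain and has the `> [!NOTE]` marker fused onto the end of the sentence.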
admin Increase Threat Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/increase-threat-protection.md
+
+ Title: "Increase threat protection for Microsoft 365 for Business"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+description: "Set up Microsoft Defender for Office 365 and safeguard sensitive data against phishing, malware, and other threats."
+
+# Increase threat protection
+
+This article helps you increase the protection in your Microsoft 365 subscription to protect against phishing, malware, and other threats. These recommendations are appropriate for organizations with an increased need for security, like law offices and health care clinics.
+
+Before you begin, check your Office 365 Secure Score. Office 365 Secure Score analyzes your organization's security based on your regular activities and security settings, and assigns a score. Begin by taking note of your current score. To increase your score, complete the actions recommended in this article. The goal isn't to achieve the maximum score, but to be aware of opportunities to protect your environment that don't negatively affect productivity for your users.
+
+For more information, see [Microsoft Secure Score](../../security/defender/microsoft-secure-score.md).
+
+## Raise the level of protection against malware in mail
+
+Your Office 365 or Microsoft 365 environment includes protection against malware. You can increase this protection by blocking attachments with file types that are commonly used for malware. To increase malware protection in email:
+
+1. Go to [https://protection.office.com](https://protection.office.com) and sign in with your admin account credentials.
+
+2. In the Security &amp; Compliance Center, in the left navigation pane, under **Threat management**, choose **Policy** \> **Anti-Malware**.
+
+3. Double-click the default policy to edit this company-wide policy.
+
+4. Select **Settings**.
+
+5. Under **Common Attachment Types Filter**, select **On**. The file types that are blocked are listed in the window directly below this control. Make sure that you add these file types:
+
+ `ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif`
+
+ If necessary, you can add or delete file types later.
+
+6. Select **Save.**
+
+For more information, see [Anti-malware protection in EOP](../../security/office-365-security/anti-malware-protection.md).
+
+## Protect against ransomware
+
+Ransomware restricts access to data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for "ransom," usually in the form of cryptocurrencies like Bitcoin, in exchange for access to data.
+
+To protect against ransomware, create one or more mail flow rules to block file extensions that are commonly used for ransomware. (You added these rules in the [raise the level of protection against malware in mail](#raise-the-level-of-protection-against-malware-in-mail) step.) You can also warn users who receive these attachments in email.
+
+In addition to the files that you blocked in the previous step, it's a good practice to create a rule to warn users before opening Office file attachments that include macros. Ransomware can be hidden inside macros, so warn users not to open these files from people they don't know.
+
+To create a mail transport rule:
+
+1. Go to the admin center at <https://admin.microsoft.com>, and choose **Admin centers** \> **Exchange**.
+
+2. In the **mail flow** category, select **rules**.
+
+3. Select **+**, and then select **Create a new rule**.
+
+4. Select **More options** at the bottom of the dialog box to see the full set of options.
+
+5. Apply the settings in the following table for the rule. Use the default values for the rest of the settings, unless you want to change them.
+
+6. Select **Save**.
+
+|Setting|Warn users before opening attachments of Office files|
+|||
+|Name|Anti-ransomware rule: warn users|
+|Apply this rule if . . .|Any attachment . . . file extension matches . . .|
+|Specify words or phrases|Add these file types: <br/> dotm, docm, xlsm, sltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm|
+|Do the following . . .|Notify the recipient with a message|
+|Provide message text|Do not open these types of files from people you do not know because they might contain macros with malicious code.|
+
+For more information, see:
+
+- [Ransomware: how to reduce risk](https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/)
+
+- [Restore your OneDrive](https://support.microsoft.com/office/fa231298-759d-41cf-bcd0-25ac53eb8a15.aspx)
+
+## Stop auto-forwarding for email
+
+Hackers who gain access to a user's mailbox can steal mail by setting the mailbox to automatically forward email. This can happen even without the user's awareness. To prevent this from happening, configure a mail flow rule.
+
+To create a mail transport rule, either watch [this short video](../../business-video/stop-email-auto-forward.md) or follow these steps:
+
+1. In the Microsoft 365 admin center, select **Admin centers** \> **Exchange**.
+
+2. In the **mail flow** category, select **rules**.
+
+3. Select **+**, and then select **Create a new rule**.
+
+4. To see all the options, select **More options** at the bottom of the dialog box.
+
+5. Apply the settings in the following table. Use the default values for the rest of the settings, unless you want to change them.
+
+6. Select **Save**.
+
+|Setting|Warn users before opening attachments of Office files|
+|||
+|Name|Prevent auto forwarding of email to external domains|
+|Apply this rule if ...|The sender . . . is external/internal . . . Inside the organization|
+|Add condition|The message properties . . . include the message type . . . Auto-forward|
+|Do the following ...|Block the message . . . reject the message and include an explanation.|
+|Provide message text|Auto-forwarding email outside this organization is prevented for security reasons.|
++
+## Protect your email from phishing attacks
+
+If you've configured one or more custom domains for your Office 365 or Microsoft 365 environment, you can configure targeted anti-phishing protection. Anti-phishing protection, part of Microsoft Defender for Office 365, can help protect your organization from malicious impersonation-based phishing attacks and other phishing attacks. If you haven't configured a custom domain, you don't need to do this.
+
+We recommend that you get started with this protection by creating a policy to protect your most important users and your custom domain.
+
+To create an anti-phishing policy in Microsoft Defender for Office 365, watch [this short training video](../../business-video/setup-anti-phishing.md), or complete the following steps:
+
+1. Go to [https://protection.office.com](https://protection.office.com).
+
+2. In the Security &amp; Compliance Center, in the left navigation pane, under **Threat management**, choose **Policy**.
+
+3. On the **Policy** page, choose **Anti-phishing**.
+
+4. On the **Anti-phishing** page, select **+ Create**. A wizard launches that steps you through defining your anti-phishing policy.
+
+5. Specify the name, description, and settings for your policy as recommended in the following table. For more details, see [Learn about anti-phishing policy in Microsoft Defender for Office 365 options](../../security/office-365-security/set-up-anti-phishing-policies.md).
+
+6. After you've reviewed your settings, choose **Create this policy** or **Save**, as appropriate.
+
+|Setting or option|Recommended setting|
+|||
+|Name|Domain and most valuable campaign staff|
+|Description|Ensure most important staff and our domain are not being impersonated.|
+|Add users to protect|Select **+ Add a condition, The recipient is**. Type user names or enter the email address of the candidate, campaign manager, and other important staff members. You can add up to 20 internal and external addresses that you want to protect from impersonation.|
+|Add domains to protect|Select **+ Add a condition, The recipient domain is**. Enter the custom domain associated with your Microsoft 365 subscription, if you defined one. You can enter more than one domain.|
+|Choose actions|If email is sent by an impersonated user: Choose **Redirect message to another email address**, and then type the email address of the security administrator; for example, *Alice<span><span>@contoso.com*. If email is sent by an impersonated domain: Choose **Quarantine message**.|
+|Mailbox intelligence|By default, mailbox intelligence is selected when you create a new anti-phishing policy. Leave this setting **On** for best results.|
+|Add trusted senders and domains|Here you can add your own domain, or any other trusted domains.|
+|Applied to|Select **The recipient domain is**. Under **Any of these**, select **Choose**. Select **+ Add**. Select the check box next to the name of the domain, for example, *contoso.<span><span>com*, in the list, and then select **Add**. Select **Done**.|
+
+## Protect against malicious attachments and files with Safe Attachments
+
+People regularly send, receive, and share attachments, such as documents, presentations, spreadsheets, and more. It's not always easy to tell whether an attachment is safe or malicious just by looking at an email message. Microsoft Defender for Office 365 includes Safe Attachment protection, but this protection is not turned on by default. We recommend that you create a new rule to begin using this protection. This protection extends to files in SharePoint, OneDrive, and Microsoft Teams.
+
+To create an Safe Attachment policy, either watch [this short video](../../business-video/safe-attachments.md), or complete the following steps:
+
+1. Go to [https://protection.office.com](https://protection.office.com), and sign in with your admin account.
+
+2. In the Security &amp; Compliance Center, in the left navigation pane, under **Threat management**, choose **Policy**.
+
+3. On the Policy page, choose **Safe Attachments**.
+
+4. On the Safe attachments page, apply this protection broadly by selecting the **Turn on ATP for SharePoint, OneDrive, and Microsoft Teams** check box.
+
+5. Select **+** to create a new policy.
+
+6. Apply the settings in the following table.
+
+7. After you have reviewed your settings, choose **Create this policy** or **Save**, as appropriate.
+
+|Setting or option|Recommended setting|
+|||
+|Name|Block current and future emails with detected malware.|
+|Description|Block current and future emails and attachments with detected malware.|
+|Save attachments unknown malware response|Select **Block - Block the current and future emails and attachments with detected malware**.|
+|Redirect attachment on detection|Enable redirection (select this box) Enter the admin account or a mailbox setup for quarantine. Apply the above selection if malware scanning for attachments times out or error occurs (select this box).|
+|Applied to|The recipient domain is . . . select your domain.|
+
+For more information, see [Set up anti-phishing policies in Microsoft Defender for Office 365](../../security/office-365-security/set-up-anti-phishing-policies.md).
+
+## Protect against phishing attacks with Safe Links
+
+Hackers sometimes hide malicious websites in links in email or other files. Safe Links, part of Microsoft Defender for Office 365, can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Protection is defined through Safe Links policies.
+
+We recommend that you do the following:
+
+- Modify the default policy to increase protection.
+
+- Add a new policy targeted to all recipients in your domain.
+
+To set up Safe Links, watch [this short training video](../../business-video/safe-links.md), or complete the following steps:
+
+1. Go to [https://protection.office.com](https://protection.office.com), and sign in with your admin account.
+
+2. In the Security &amp; Compliance Center, in the left navigation pane, under **Threat management**, choose **Policy**.
+
+3. On the Policy page, choose **Safe Links**.
+
+To modify the default policy:
+
+1. On the Safe links page, under **Policies that apply to the entire organization**, select the **Default** policy.
+
+2. Under **Settings that apply to content except email**, select **Microsoft 365 Apps for enterprise, Office for iOS and Android**.
+
+3. Select **Save**.
+
+To create a new policy targeted to all recipients in your domain:
+
+1. On the Safe links page, under **Policies that apply to the entire organization**, select **+** to create a new policy.
+
+2. Apply the settings listed in the following table.
+
+3. Select **Save**.
+
+|Setting or option|Recommended setting|
+|||
+|Name|Safe links policy for all recipients in the domain|
+|Select the action for unknown potentially malicious URLs in messages|Select **On - URLs will be rewritten and checked against a list of known malicious links when user clicks on the link**.|
+|Use Safe Attachments to scan downloadable content|Select this box.|
+|Applied to|The recipient domain is . . . select your domain.|
+
+For more information, see [Safe Links](../../security/office-365-security/safe-links.md).
+
+## Go to Intune admin center
+
+1. Sign in to [Azure portal](https://portal.azure.com/).
+
+2. Select **All services** and type in *Intune* in the **Search Box**.
+
+3. Once the results appear, select the start next to **Microsoft Intune** to make it a favorite and easy to find later.
+
+In addition to the admin center, you can use Intune to enroll and manage your organization's devices. For more information, see [Capabilities by enrollment method for Windows devices](/intune/enrollment/enrollment-method-capab) and [Enrollment options for devices managed by Intune](/intune/enrollment-options).
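Review bot: In the "Stop auto-forwarding for email" table, the header row still reads `|Setting|Warn users before opening attachments of Office files|`, which is the column title of the anti-ransomware table above it. Rename the second column to match this rule (for example, the rule name "Prevent auto forwarding of email to external domains") so an admin following the table is not misled about which rule is being built. Two accuracy problems in the same file: the ransomware paragraph says "You added these rules in the raise the level of protection against malware in mail step", but that step only turned on the Common Attachment Types Filter in the anti-malware policy and created no mail flow rule; and the Safe Attachments section ends with a "For more information" link to set-up-anti-phishing-policies.md instead of a Safe Attachments article. Smaller fixes: "To create an Safe Attachment policy", "Save attachments unknown malware response", "select the start next to **Microsoft Intune**", the unclosed `<span><span>` in the two contoso examples, and the anti-phishing table's "campaign staff" and "candidate, campaign manager" wording, which does not fit the law office and clinic audience named in the introduction.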
admin Pre Requisites For Data Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/pre-requisites-for-data-protection.md
+
+ Title: "Prerequisites for protecting data on devices with Microsoft 365 for business"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
++
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: 7770e280-3a6c-436f-a157-b008a2744f51
+description: "Learn about the requirements for setting up your organization with Microsoft 365 for business and protecting work data on your users' devices."
++
+# Prerequisites for protecting data on devices with Microsoft 365 for business
+
+This article applies to Microsoft 365 Business Premium.
+
+The first step in setting up your organization with Microsoft 365 for business is to make sure you can meet the prerequisites.
+
+## Requirements for setting up your organization with Microsoft 365 for business
+
+- Windows devices must be running Windows 7 Professional, Windows 8 Pro, or Windows 8.1 Pro.
+
+ If you're running Windows 10 Home, then you must **purchase** Windows 10 Pro. See [upgrade Windows 10 Home to Windows 10 Pro](../../business-video/upgrade.md) for instructions.
+
+- Remove devices from mobile management solutions (Mobile Iron, AirWatch, and so on). You'll enroll all the people in your organization in Microsoft 365 for business mobile management.
+
+- Apple iOS 8.0 and later.
+
+ Google Android 4.0 and later (including Samsung KNOX Standard 4.0 and higher). For more information, see [Intune supported devices](/mem/intune/fundamentals/supported-devices-browsers).
+
+- If you have existing Office applications on user computers, read [prepare for Office client installation](../../business/prepare-for-office-client-deployment.md) to understand steps you might need to take before you can set up Microsoft 365 for business to install Office 2016 on user computers.
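Review bot: The first requirement bullet lists only Windows 7 Professional, Windows 8 Pro, and Windows 8.1 Pro, yet the sentence under it is about upgrading Windows 10 Home to Windows 10 Pro, so the list never states that Windows 10 Pro is an accepted starting point; say so explicitly in the bullet. The "Google Android 4.0 and later" line is indented as a continuation of the iOS bullet and should be its own list item. The "Remove devices from mobile management solutions" bullet should also say when to do this relative to enrollment, because as written it asks admins to drop the existing management before the replacement enrollment is described.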
admin Review Threats Take Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/review-threats-take-action.md
+
+ Title: "Review detected threats and take action"
+f1.keywords: NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+search.appverid: MET150
+description: "Learn how to review and manage threats detected by Microsoft Defender Antivirus on your Windows 10 devices."
++
+# Review detected threats and take action
+
+As soon as a malicious file or software is detected, Microsoft Defender Antivirus blocks it and prevents it from running. And with cloud-delivered protection turned on, newly detected threats are added to the antivirus and antimalware engine so that your other devices and users are protected, as well.
+
+Microsoft Defender Antivirus detects and protects against the following kinds of threats:
+
+- Viruses, malware, and web-based threats on devices
+- Phishing attempts
+- Data theft attempts
+
+As an IT professional/admin, you can view information about threat detections across [Windows 10 devices that are enrolled in Intune](/mem/intune/enrollment/device-enrollment) in the Microsoft 365 admin center. You'll see summary information, such as:
+
+- How many devices need antivirus protection
+- How many devices are not in compliance with security policies
+- How many threats are currently active, mitigated, or resolved
+
+You have several options to view specific information about threat detections and devices:
+
+- The **Active devices** page in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. See [Manage threat detections on the Active devices page](#manage-threat-detections-on-the-active-devices-page) in this article.
+- The **Active threats** page in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>. See [Manage threat detections on the Active threats page](#manage-threat-detections-on-the-active-threats-page) in this article.
+- The **Antivirus** page in <a href="https://go.microsoft.com/fwlink/p/?linkid=2150463" target="_blank">Microsoft Endpoint Manager</a>. See [Manage threat detections in Microsoft Endpoint Manager](#manage-threat-detections-in-microsoft-endpoint-manager) in this article.
+
+To learn more, see [Threats detected by Microsoft Defender Antivirus](threats-detected-defender-av.md).
+
+## Manage threat detections on the **Active devices** page
+
+The following procedure applies to customers who have Microsoft 365 Business Premium.
+
+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and sign in.
+
+2. In the navigation page, select **Devices** > **Active devices**. You'll see a list of active devices and details, such as protection status, antivirus (AV) protection state, and the number of active threats detected.
+
+3. Select a device to view more details about that device and available actions. A flyout opens with recommendations and available actions, such as **Update policy**, **Update antivirus**, **Run quick scan**, **Run full scan**, and more.
+
+## Manage threat detections on the **Active threats** page
+
+The following procedure applies to customers who have Microsoft 365 Business Premium. [Windows 10 devices must be secured](../setup/secure-win-10-pcs.md) and [enrolled in Intune](/mem/intune/enrollment/windows-enrollment-methods).
+
+> [!NOTE]
+> The **Microsoft Defender Antivirus** card and **Active threats** page are being rolled out in phases, so you may not have immediate access to them.
+
+1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and sign in.
+
+2. On the **Microsoft Defender Antivirus** card, select **View active threats**. (Alternatively, in the navigation pane, select **Health** > **Threats & antivirus**.)
+
+3. On the **Active threats** page, select a detected threat to learn more about it. A flyout opens with details about that threat, including which devices are affected.
+
+4. On the flyout, select a device to view available actions, such as **Update policy**, **Update antivirus**, **Run quick scan**, and more.
+
+## Actions you can take
+
+When you view details about specific threats or devices, you'll see recommendations and one or more actions you can take. The following table describes actions that you might see.<br><br>
+
+| Action | Description |
+|--|--|
+| Configure protection | Your threat protection policies need to be configured. Select the link to go to your policy configuration page.<br><br>Need help? See [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). |
+| Update policy | Your antivirus and real-time protection policies need to be updated or configured. Select the link to go to the policy configuration page.<br><br>Need help? See [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy). |
+| Run quick scan | Starts a quick antivirus scan on the device, focusing on common locations where malware might be registered, such as registry keys and known Windows startup folders. |
+| Run full scan | Starts a full antivirus scan on the device, focusing on common locations where malware might be registered, and including every file and folder on the device. Results are sent to [Microsoft Endpoint Manager](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager). |
+| Update antivirus | Requires the device to get [security intelligence updates](https://go.microsoft.com/fwlink/?linkid=2149926) for antivirus and antimalware protection. |
+| Restart device | Forces a Windows 10 device to restart within five minutes.<br><br>**IMPORTANT:** The device owner or user is not automatically notified of the restart and could lose unsaved work. |
+
+## Manage threat detections in Microsoft Endpoint Manager
+
+You can use Microsoft Endpoint Manager to manage threat detections. Windows 10 devices must be [enrolled in Intune](/mem/intune/enrollment/windows-enrollment-methods) (part of Microsoft Endpoint Manager).
+
+1. Go to the Microsoft Endpoint Manager admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2150463" target="_blank">https://endpoint.microsoft.com</a> and sign in.
+
+2. In the navigation pane, select **Endpoint security**.
+
+3. Under **Manage**, select **Antivirus**. You'll see several tabs, such as **Summary**, **Windows 10 unhealthy endpoints**, and **Windows 10 detected malware**.
+
+4. Review the information on the available tabs, and then take any needed action.
+
+For example, suppose that devices are listed on the **Windows 10 detected malware** tab. When you select a device, you'll have certain actions available, such as **Restart**, **Quick Scan**, **Full Scan**, **Sync**, or **Update signatures**. Select an action for that device.
+
+The following table describes the actions you might see in Microsoft Endpoint Manager.<br><br>
+
+| Action | Description |
+|--|--|
+| Restart | Forces a Windows 10 device to restart within five minutes.<br><br>**IMPORTANT:** The device owner or user is not automatically notified of the restart and could lose unsaved work. |
+| Quick Scan | Starts a quick antivirus scan on the device, focusing on common locations where malware might be registered, such as registry keys and known Windows startup folders. Results are sent to [Microsoft Endpoint Manager](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager). |
+| Full Scan | Starts a full antivirus scan on the device, focusing on common locations where malware might be registered, and including every file and folder on the device. Results are sent to [Microsoft Endpoint Manager](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager). |
+| Sync | Requires a device to check in with Intune (part of Microsoft Endpoint Manager). When the device checks in, the device receives any pending actions or policies assigned to the device. |
+| Update signatures | Requires the device to get [security intelligence updates](https://go.microsoft.com/fwlink/?linkid=2149926) for antivirus and antimalware protection. |
+
+> [!TIP]
+> For more information, see [Remote actions for devices](/mem/intune/protect/endpoint-security-manage-devices#remote-actions-for-devices).
+
+## How to submit a file for malware analysis
+
+If you have a file that you think was missed or wrongly classified as malware, you can submit that file to Microsoft for malware analysis. Users and IT admins can submit a file for analysis. Visit [https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission).
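Review bot: The "Run full scan" and "Full Scan" rows describe the scan as "focusing on common locations where malware might be registered, and including every file and folder on the device", which carries over the quick-scan wording and contradicts itself; describe the full scan simply as covering every file and folder. In the first table, "Run quick scan" omits the "Results are sent to Microsoft Endpoint Manager" sentence that the other three scan rows include, so either add it or explain why that row differs. Step 2 of the Active devices procedure says "In the navigation page", where the other procedures say "navigation pane". Because both tables mark the restart action as unannounced to the user, consider stating that in the step text where admins pick an action, not only inside the table cell.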
admin Set Up Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/set-up-compliance.md
+
+ Title: "Increase threat protection for Microsoft 365 Business Premium"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+description: "Set up compliance features to prevent data loss and help keep your and your customers' sensitive information secure."
+
+# Set up compliance features
+
+Your Microsoft 365 Business Premium comes with features to protect your data and devices, and help you keep your and your customers' sensitive information secure.
+
+## Set up DLP features
+
+See [Create a DLP policy from a template](../../compliance/create-a-dlp-policy-from-a-template.md) for an example on how to set up a policy to protect against protect loss of personal data.
+
+DLP comes with many ready-to-use policy templates for many different locales. For example, Australia Financial Data, Canada Personal Information Act, U.S. Financial Data, and so on. See [What the DLP policy templates include](../../compliance/what-the-dlp-policy-templates-include.md) for a full list. All of these templates can be enabled similar to the PII template example.
+
+## Set up email retention with Exchange Online Archiving
+
+ **Exchange Online Archiving** license features help maintain compliance and regulatory standards by preserving email content for eDiscovery. It also helps reduce your risk if there is a lawsuit, and provides a way to recover data after a security breach or when you need to recover deleted items. You can use litigation hold to preserve all of a user's content, or use retention policies to customize what you want to preserve.
+
+**Litigation hold:** You can preserve all mailbox content including deleted items by putting a user's entire mailbox on litigation hold.
+
+To place a mailbox on litigation hold, in the Admin center:
+
+1. In the left nav, go to **Users** \> **Active users**.
+
+2. Select a user whose mailbox you want to place on litigation hold. In the user pane, expand **Mail settings**, and next to **More settings**, choose **Edit Exchange properties**.
+
+3. On the mailbox page for the user, choose ** mailbox features ** on the left nav, and then choose the **Enable** link under **Litigation hold**.
+
+4. In the **litigation hold** dialog box, you can specify the litigation hold duration in the **Litigation hold duration** field. Leave the field empty if you want to place an infinite hold. You can also add notes and direct the mailbox owner to a website you might have to explain more about the litigation hold. \> **Save**.
+
+**Retention:** You can enable customized retention policies, for example, to preserve for a specific amount of time or delete content permanently at the end of the retention period. To learn more, see [Overview of retention policies](../../compliance/retention.md).
+
+## Set up Sensitivity labels
+
+Sensitivity labels come with Azure Information Protection (AIP) Plan 1, and help you classify, and optionally protect your documents and emails, by applying labels. Labels can be applied automatically by administrators who define rules and conditions, manually by users, or by using a combination where users are given recommendations.
+
+To set up Sensitivity labels, view [create and manage sensitivity labels](../../business-video/create-sensitivity-labels.md) video.
+++
+### Install the Azure Information Protection client manually
+
+To manually install the AIP client:
+
+1. Download **AzinfoProtection_UL.exe** from [Microsoft download center](https://www.microsoft.com/download/details.aspx?id=53018).
+
+2. You can verify that the installation worked by viewing a Word document and making sure that the **Sensitivity** option is available on the **Home** tab.
+<br/>![Protection tab drop-down in a Word document.](../../media/word-sensitivity.png)
+
+For more information, see [Install the client](/azure/information-protection/infoprotect-tutorial-step3).
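Review bot: The front matter sets Title to "Increase threat protection for Microsoft 365 Business Premium", but the H1 is "Set up compliance features" and the description is about compliance and data loss, so the title looks copied from the threat-protection article and should be changed to match. In the manual AIP install steps, step 1 downloads AzinfoProtection_UL.exe and step 2 already verifies the installation; the step that actually runs the installer is missing. Other fixes: "protect against protect loss of personal data" repeats a word, `** mailbox features **` has spaces inside the bold markers and will not render as bold, and step 4 of the litigation hold procedure ends with a dangling "\> **Save**." that should be a sentence such as "Select **Save**."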
admin Set Up Multi Factor Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication.md
Based on your understanding of [multifactor authentication (MFA) and its support
- If you have Office 2013 clients on Windows devices, [turn on Modern Authentication for Office 2013 clients](./enable-modern-authentication.md). - Advanced: If you have third-party directory services with Active Directory Federation Services (AD FS), set up the Azure MFA Server. See [advanced scenarios with Azure AD Multifactor Authentication and third-party VPN solutions](/azure/active-directory/authentication/howto-mfaserver-nps-vpn) for more information.
+### Turn off legacy per-user MFA
+
+If you have previously turned on per-user MFA, you must turn it off before enabling Security defaults.
+
+1. In the Microsoft 365 admin center, in the left nav choose **Users** \> **Active users**.
+1. On the **Active users** page, choose **Multi-factor authentication**.
+1. On the multi-factor authentication page, select each user and set their Multi-Factor auth status to **Disabled**.
+ ## Turn Security defaults on or off For most organizations, Security defaults offer a good level of additional sign-in security. For more information, see [What are security defaults?](/azure/active-directory/fundamentals/concept-fundamentals-security-defaults)
For most subscriptions modern authentication is automatically turned on, but if
1. In the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>, in the left nav choose **Settings** \> **Org settings**. 2. Under the **Services** tab, choose **Modern authentication**, and in the **Modern authentication** pane, make sure **Enable Modern authentication** is selected. Choose **Save changes**. + ### Turn off legacy per-user MFA If you have previously turned on per-user MFA, you must turn it off before enabling Security defaults.
If you have previously turned on per-user MFA, you must turn it off before enabl
## Related content
-[Turn on multifactor authentication](../../business-video/turn-on-mfa.md) (video)\
-[Turn on multifactor authentication for your phone](../../business-video/set-up-mfa.md) (video)
+
+[Turn on multi-factor authentication](../../business-video/turn-on-mfa.md) (video)
+
+[Turn on multi-factor authentication for your phone](../../business-video/set-up-mfa.md) (video)
+
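Review bot: The added "Turn off legacy per-user MFA" steps end with setting every user's Multi-Factor auth status to **Disabled**, and the text says only that this must be done "before enabling Security defaults", which leaves an unstated window in which accounts have no MFA requirement at all. Add a sentence telling admins to turn on Security defaults immediately after the last step, and link or point to that section from the end of the procedure. Terminology also drifts in this change: the Related content links are rewritten from "multifactor" to "multi-factor" while the surrounding unchanged text keeps "multifactor authentication (MFA)" and "Azure AD Multifactor Authentication"; pick one spelling for the article.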
admin Threats Detected Defender Av https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/threats-detected-defender-av.md
+
+ Title: "Threats detected by Microsoft Defender Antivirus"
+f1.keywords: CSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+search.appverid: MET150
+description: "Learn how Microsoft Defender Antivirus protects your Windows devices from software threats, such as viruses, malware, and spyware."
++
+# Threats detected by Microsoft Defender Antivirus
+
+Microsoft Defender Antivirus protects your Windows devices from software threats, such as viruses, malware, and spyware.
+
+- Viruses typically spread by attaching their code to other files on your device or network and can cause infected programs to work incorrectly.
+- Malware includes malicious files, applications, and code that can cause damage and disrupt normal use of devices. Also, malware can allow unauthorized access, use system resources, steal passwords and account information, lock you out of your computer and ask for ransom, and more.
+- Spyware collects data, such as web-browsing activity, and sends the data to remote servers.
+
+To provide threat protection, Microsoft Defender Antivirus uses several methods. These methods include cloud-delivered protection, real-time protection, and dedicated protection updates.
+
+- Cloud-delivered protection helps provide near-instant detection and blocking of new and emerging threats.
+- Always-on scanning uses file- and process-behavior monitoring and other techniques (also known as *real-time protection*).
+- Dedicated protection updates are based on machine learning, human and automated big-data analysis, and in-depth threat resistance research.
+
+To learn more about malware and Microsoft Defender Antivirus, see the following articles:
+
+- [Understanding malware & other threats](/windows/security/threat-protection/intelligence/understanding-malware)
+- [How Microsoft identifies malware and potentially unwanted applications](/windows/security/threat-protection/intelligence/criteria)
+- [Next-generation protection in Windows 10](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
+
+## What happens when a non-Microsoft antivirus solution is used?
+
+Microsoft Defender Antivirus is part of the operating system and is enabled on devices that are running Windows 10. However, if you're using a non-Microsoft antivirus solution and you aren't using [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), then Microsoft Defender Antivirus automatically goes into disabled mode.
+
+When in disabled mode, users and customers can still use Microsoft Defender Antivirus for scheduled or on-demand scans to identify threats; however, Microsoft Defender Antivirus will no longer:
+
+- be used as the default antivirus app.
+- actively scan files for threats.
+- remediate, or resolve, threats.
+
+If you uninstall the non-Microsoft antivirus solution, Microsoft Defender Antivirus will automatically go into active mode to protect your Windows devices from threats.
+
+> [!TIP]
+> - If you're using Microsoft 365, consider using Microsoft Defender Antivirus as your primary antivirus solution. Integration can provide better protection. See [Better together: Microsoft Defender Antivirus and Office 365](/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus).
+> - Make sure to keep Microsoft Defender Antivirus up to date, even if you're using a non-Microsoft antivirus solution.
+
+## What to expect when threats are detected
+
+When threats are detected by Microsoft Defender Antivirus, the following things happen:
+
+- Users receive [notifications in Windows](https://support.microsoft.com/windows/8942c744-6198-fe56-4639-34320cf9444e).
+- Detections are listed in the [Windows Security app](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center) on the **Protection history** page.
+- If you've [secured your Windows 10 devices](../setup/secure-win-10-pcs.md) and [enrolled them in Intune](/mem/intune/enrollment/windows-enrollment-methods), and your organization has 800 or fewer devices enrolled, you'll see threat detections and insights in the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a> on the **Threats and antivirus** page, which you can access from the **Microsoft Defender Antivirus** card on the **Home** page (or from the navigation pane by selecting **Health** > **Threats & antivirus**).
+
+ If your organization has more than 800 devices enrolled in Intune, you'll be prompted to view threat detections and insights from [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) instead of from the **Threats and antivirus** page.
+
+ > [!NOTE]
+ > The **Microsoft Defender Antivirus** card and **Threats and antivirus** page are being rolled out in phases, so you may not have immediate access to them.
+
+In most cases, users don't need to take any further action. As soon as a malicious file or program is detected on a device, Microsoft Defender Antivirus blocks it and prevents it from running. Plus, newly detected threats are added to the antivirus and antimalware engine so that other devices and users are protected, as well.
+
+If there's an action a user needs to take, such as approving the removal of a malicious file, they'll see that in the notification they receive. To learn more about actions that Microsoft Defender Antivirus takes on a user's behalf, or actions users might need to take, see [Protection History](https://support.microsoft.com/office/f1e5fd95-09b4-46d1-b8c7-1059a1e09708). To learn how to manage threat detections as an IT professional/admin, see [Review detected threats and take action](review-threats-take-action.md).
+
+To learn more about different threats, visit the <a href="https://www.microsoft.com/wdsi/threats" target="_blank">Microsoft Security Intelligence Threats site</a>, where you can perform the following actions:
+
+- View current information about top threats.
+- View the latest threats for a specific region.
+- Search the threat encyclopedia for details about a specific threat.
+
+## Related content
+
+[Secure Windows 10 devices](../../business/secure-windows-10-devices.md) (article)\
+[Evaluate Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus) (article)\
+[How to turn on real-time and cloud-delivered antivirus protection](/mem/intune/user-help/turn-on-defender-windows#turn-on-real-time-and-cloud-delivered-protection) (article)\
+[How to turn on and use Microsoft Defender Antivirus from the Windows Security app](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus) (article)\
+[How to turn on Microsoft Defender Antivirus by using Group Policy](/mem/intune/user-help/turn-on-defender-windows#turn-on-windows-defender) (article)\
+[How to update your antivirus definitions](/mem/intune/user-help/turn-on-defender-windows#update-your-antivirus-definitions) (article)\
+[How to submit malware and non-malware to Microsoft for analysis](/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis) (article)
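Review bot: In the Related content list, the entry titled "How to turn on Microsoft Defender Antivirus by using Group Policy" points at `/mem/intune/user-help/turn-on-defender-windows#turn-on-windows-defender`, an Intune user-help path shared with the entries before and after it, so the link text promises Group Policy guidance that the target path does not suggest. Either retitle the entry to match the target or link to an article that covers the Group Policy setting. Two smaller points: the "What happens when a non-Microsoft antivirus solution is used?" section says scheduled and on-demand scans still "identify threats" in disabled mode, and then lists that the product no longer remediates them, so it would help to say in one sentence that such scans report only. Also, "secured your Windows 10 devices" links to `../setup/secure-win-10-pcs.md` while Related content links "Secure Windows 10 devices" to `../../business/secure-windows-10-devices.md`; please confirm both targets are intended.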
admin Access Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/access-resources.md
+
+ Title: "Access on-premises resources from an Azure AD-joined device in Microsoft 365 Business"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+++
+localization_priority: Normal
+
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- AdminSurgePortfolio
+- AdminTemplateSet
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: b0f4d010-9fd1-44d0-9d20-fabad2cdbab5
+description: "Learn how to get access to on-premises resources like line of business apps, file shares, and printers from an Azure Active Directory joined Windows 10 device."
++
+# Access on-premises resources from an Azure AD-joined device in Microsoft 365 Business Premium
+
+This article applies to Microsoft 365 Business Premium.
+
+Any Windows 10 device that is Azure Active Directory joined has access to all cloud-based resources, such as your Microsoft 365 apps, and can be protected by Microsoft 365 Business Premium. You can also allow access to on-premises resources like line of business (LOB) apps, file shares, and printers. To allow access, use [Azure AD Connect](/azure/active-directory/connect/active-directory-aadconnect) to synchronize your on-premises Active Directory with Azure Active Directory.
+
+To learn more, see [Introduction to device management in Azure Active Directory](/azure/active-directory/device-management-introduction).
+The steps are also summarized in the following sections.
+
+## Run Azure AD Connect
+
+Complete the following steps to enable your organization's Azure AD joined devices to access on-premises resources.
+
+1. To synchronize your users, groups, and contacts from local Active Directory into Azure Active Directory, run the Directory synchronization wizard and Azure AD Connect as described in [Set up directory synchronization for Office 365](../../enterprise/set-up-directory-synchronization.md).
+
+2. After the directory synchronization is complete, make sure your organization's Windows 10 devices are Azure AD joined. This step is done individually on each Windows 10 device. See [Set up Windows devices for Microsoft 365 Business Premium users](set-up-windows-devices.md) for details.
+
+3. Once the Windows 10 devices are Azure AD joined, each user must reboot their devices and sign in with their Microsoft 365 Business Premium credentials. All devices now have access to on-premises resources as well.
+
+No additional steps are required to get access to on-premises resources for Azure AD joined devices. This functionality is built into Windows 10.
+
+If you have plans to login to the AADJ device other than password method Like PIN/Bio-metric via WHFB credential login and then access on-premise resources (shares, printers, etc.), please follow [this article](/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base).
+
+If your organization isn't ready to deploy in the Azure AD joined device configuration described above, consider setting up [Hybrid Azure AD Joined device configuration](manage-windows-devices.md).
+
+### Considerations when you join Windows devices to Azure AD
+
+If the Windows device that you Azure-AD joined was previously domain-joined or in a workgroup, consider the following limitations:
+
+- When a device Azure AD joins, it creates a new user without referencing an existing profile. Profiles must be manually migrated. A user profile contains information like favorites, local files, browser settings, and Start menu settings. A best approach is to find a third-party tool to map existing files and settings to the new profile.
+
+- If the device is using Group Policy Objects (GPO), some GPOs may not have a comparable [Configuration Service Provider](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) (CSP) in Intune. Run the [MMAT tool](https://www.microsoft.com/download/details.aspx?id=45520) to find comparable CSPs for existing GPOs.
+
+- Users might not be able to authenticate to applications that depend on Active Directory authentication. Evaluate the legacy app and consider updating to an app that uses modern Auth, if possible.
+
+- Active Directory printer discovery won't work. You can provide direct printer paths for all users or use [Universal Print](/universal-print/).
+
+### Related Articles
+
+[Prerequisites for Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-prerequisites)
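Review bot: Under "Run Azure AD Connect", the sentence "No additional steps are required to get access to on-premises resources for Azure AD joined devices" is qualified by the very next paragraph, which sends readers who sign in with a PIN or biometric to a separate article. State the condition up front, for example "No additional steps are required when users sign in with a password", and rewrite the following paragraph in plain terms: expand AADJ and WHFB (Azure AD joined, Windows Hello for Business), lowercase "Like", use "sign in" instead of "login", and replace the link text "this article" with the target's title. Separately, the front-matter Title reads "Microsoft 365 Business" while the H1 and body say "Microsoft 365 Business Premium"; align the two.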
admin Business Set Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/business-set-up.md
+
+ Title: "Set up Microsoft 365 Business Premium"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
+
+f1_keywords:
+- 'O365E_M365SetupBanner'
+- 'BCS365_M365SetupBanner'
+
+localization_priority: Normal
+
+- Adm_O365
+- M365-subscription-management
+- TRN_SMB
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MSB365
+- OKR_SMB_M365
+- TRN_M365B
+- OKR_SMB_Videos
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: 6e7a2dfd-8ec4-4eb7-8390-3ee103e5fece
+description: "Discover the setup steps for Microsoft 365 Business Premium, including adding a domain and users, setting up security policies, and more."
++
+# Set up Microsoft 365 Business Premium in the setup wizard
+
+## Watch: Overview of Microsoft 365 setup
+
+Watch this video for an overview of Microsoft 365 Business Premium setup.<br><br>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4jZwg]
+
+## Add your domain, users, and set up policies
+
+When you purchase Microsoft 365 Business Premium, you have the option of using a domain you own, or buying one during the [sign-up](../../business/sign-up.md).
+
+- If you purchased a new domain when you signed up, your domain is all set up and you can move to [Add users and assign licenses](#add-users-and-assign-licenses).
+
+### Add your domain to personalize sign-in
+
+1. Sign in to [Microsoft 365 admin center](https://admin.microsoft.com) by using your global admin credentials.
+
+2. Choose **Go to setup** to start the wizard.
+
+ ![Select Go to setup.](../../media/gotosetupinadmincenter.png)
+
+3. On the **Install your Office apps** page, you can optionally install the apps on your own computer.
+
+4. In the **Add domain** step, enter the domain name you want to use (like contoso.com).
+
+ > [!IMPORTANT]
+ > If you purchased a domain during the sign-up, you will not see **Add a domain** step here. Go to [Add users](#add-users-and-assign-licenses) instead.
+
+ ![Screenshot of the Personalize your sign-in page.](../../media/adddomain.png)
+
+
+4. Follow the steps in the wizard to [Create DNS records at any DNS hosting provider for Microsoft 365](/office365/admin/get-help-with-domains/create-dns-records-at-any-dns-hosting-provider) that verifies you own the domain. If you know your domain host, see also [Add a domain to Microsoft 365](/microsoft-365/admin/setup/add-domain).
+
+ If your hosting provider is GoDaddy or another host enabled with [domain connect](/office365/admin/get-help-with-domains/domain-connect), the process is easy and you'll be automatically asked to sign in and let Microsoft authenticate on your behalf.
+
+ ![On GoDaddy Confirm Access page, select Authorize.](../../media/godaddyauth.png)
+
+### Add users and assign licenses
+
+You can add users in the wizard, but you can also [add users later](../add-users/add-users.md) in the admin center. Additionally, if you have a local domain controller, you can add users with [Azure AD Connect](/azure/active-directory/hybrid/how-to-connect-install-express).
+
+#### Add users in the wizard
+
+Any users you add in the wizard get automatically assigned a Microsoft 365 Business Premium license.
+
+![Screenshot of the Add new users page in the wizard](../../media/addnewuserspage.png)
+
+1. If your Microsoft 365 Business Premium subscription has existing users (for example, if you used Azure AD Connect), you get an option to assign licenses to them now. Go ahead and add licenses to them as well.
+
+2. After you've added the users, you'll also get an option to share credentials with the new users you added. You can choose to print them out, email them, or download them.
+
+### Connect your domain
+
+> [!NOTE]
+> If you chose to use the .onmicrosoft domain, or used Azure AD Connect to set up users, you will not see this step.
+
+To set up services, you have to update some records at your DNS host or domain registrar.
+
+1. The setup wizard typically detects your registrar and gives you a link to step-by-step instructions for updating your NS records at the registrar website. If it doesn't, [Change nameservers to set up Microsoft 365 with any domain registrar](../get-help-with-domains/change-nameservers-at-any-domain-registrar.md).
+
+ - If you have existing DNS records, for example an existing web site, but your DNS host is enabled for [domain connect](/office365/admin/get-help-with-domains/domain-connect), choose **Add records for me**. On the **Choose your online services** page, accept all the defaults, and choose **Next**, and choose **Authorize** on your DNS host's page.
+ - If you have existing DNS records with other DNS hosts (not enabled for domain connect), you'll want to manage your own DNS records to make sure the existing services stay connected. See [domain basics](/office365/admin/get-help-with-domains/dns-basics) for more info.
+
+ ![Activate records page.](../../media/activaterecords.png)
+
+2. Follow the steps in the wizard and email and other services will be set up for you.
+
+### Protect your organization
+
+The policies you set up in the wizard are applied automatically to a [Security group](/office365/admin/create-groups/compare-groups#security-groups) called *All Users*. You can also create additional groups to assign policies to in the admin center.
+
+1. On the **Increase protection from advanced cyber threats**, it is recommended that you accept the defaults to let [Office 365 Advance Threat Protection](../../security/office-365-security/defender-for-office-365.md) scan files and links in Office apps.
+
+ ![Screenshot of Increase protection page.](../../media/increasetreatprotection.png)
++
+2. On the **Prevent leaks of sensitive data** page, accept the defaults to turn on Office 365 Data Loss Prevention (DLP) to track sensitive data in Office apps and prevent the accidental sharing of these outside your organization.
+
+3. On the **Protect data in Office for mobile** page, leave mobile app management on, expand the settings and review them, and then select **Create mobile app management policy**.
+
+ ![Screenshot of Protect data in Office for mobile page.](../../media/protectdatainmobile.png)
++
+## Secure Windows 10 PCs
+
+On the left nav, select **Setup** and then, under **Sign-in and security**, choose **Secure your Windows 10 computers**. Choose **View** to get started. See [secure your Windows 10 computers](secure-win-10-pcs.md) for complete instructions.
+
+## Deploy Office 365 client apps
+
+If you chose to automatically install Office apps during setup, the apps will install on the Windows 10 devices once the users have signed in to Azure AD from their Windows devices, using their work credentials.
+
+To install Office on mobile iOS or Android devices, see [Set up mobile devices for Microsoft 365 Business Premium users](set-up-mobile-devices.md).
+
+You can also install Office individually. See [install Office on a PC or Mac](https://support.microsoft.com/office/4414eaaf-0478-48be-9c42-23adc4716658) for instructions.
+
+## Related content
+
+[Microsoft 365 for business training videos](../../business-video/index.yml) (link page)
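Review bot: Under "Add your domain to personalize sign-in", two consecutive list items are numbered 4 ("In the **Add domain** step ..." and "Follow the steps in the wizard to ..."); the second should be 5 so the steps can be referenced unambiguously. In "Add your domain, users, and set up policies", the intro offers two options (use a domain you own, or buy one) but the bullet list covers only the purchased-domain case; add the matching bullet for an existing domain. In "Protect your organization", step 1 reads "On the **Increase protection from advanced cyber threats**, it is recommended", which is missing the word "page", and "Office 365 Advance Threat Protection" should be "Advanced". "Connect your domain" step 1 ends with "If it doesn't, [Change nameservers ...]", which needs a verb such as "see".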
admin Get Started Windows 365 Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/get-started-windows-365-business.md
There are two different ways in which you can buy Windows 365 Business subscript
- Microsoft 365 admin center After you buy a subscription, you can use the Microsoft 365 admin center to assign licenses to users in your organization.+ ### Buy subscriptions through the Windows 365 products site If you don't already have a Microsoft 365 subscription, you can buy your Windows 365 Business subscriptions on the [Windows 365 products site](https://www.microsoft.com/windows-365/business/compare-plans-pricing). Use the following steps to buy a Windows 365 Business subscription through the Windows 365 products page.
If you don't already have a Microsoft 365 subscription, you can buy your Windows
4. In **step 5 - Confirmation details**, if you are ready to assign licenses to users, select **Get started** to go to your Windows 365 home page at https://windows365.microsoft.com. 5. On the Windows 365 home page, in the **Quick actions** section, select **Manage your organization**. This takes you to the Microsoft 365 admin center where you can assign licenses to users.
+Users without the Global or Billing admin roles can use self-service purchase to buy a subscription for Windows 365 Business directly from the [Windows 365 Business products site](https://www.microsoft.com/windows-365/business?rtc=1). A user who buys a subscription this way is granted a limited view of the [Microsoft 365 admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339), where they can assign licenses for that subscription to other users in their organization. Assigning a license to another user automatically creates a Windows 365 Business Cloud PC for them, which can be accessed from the [Windows 365 home page](https://windows365.microsoft.com/).
+
+> [!NOTE]
+> Self-service purchase isnΓÇÖt available in India or for government or education customers.
+
+To learn more about self-service purchase, see the [Self-service purchase FAQ](../../commerce/subscriptions/self-service-purchase-faq.yml).
+ ### Buy a subscription through the Microsoft admin center If you already have a Microsoft 365 tenant and are a Global or Billing admin, you can use the Microsoft 365 admin center to buy a Windows 365 Business subscription for your organization.
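Review bot: The added self-service paragraph tells readers that a user without the Global or Billing admin roles gets a limited view of the admin center and that assigning a license "automatically creates a Windows 365 Business Cloud PC", but it does not say what the organization's admins see of these purchases or whether they can restrict them. Since the change is aimed at admins, add a sentence on that, or state explicitly that the linked Self-service purchase FAQ covers admin controls. In the note, "isnΓÇÖt" contains a mis-encoded apostrophe; use a plain ASCII apostrophe. The products-site link in this paragraph carries a `?rtc=1` query string that the earlier products-site link does not; drop it unless it is required.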
admin Manage Domain Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/manage-domain-users.md
+
+ Title: "Synchronize domain users to Microsoft 365"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
++
+- Adm_O365
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+description: "Synchronize domain-controlled users with Microsoft 365 for business."
++
+# Synchronize domain users to Microsoft 365
+
+## 1. Prepare for Directory Synchronization
+
+Before you synchronize your users and computers from the local Active Directory Domain, review [Prepare for directory synchronization to Microsoft 365](../../enterprise/prepare-for-directory-synchronization.md). In particular:
+
+ - Make sure that no duplicates exist in your directory for the following attributes: **mail**, **proxyAddresses**, and **userPrincipalName**. These values must be unique and any duplicates must be removed.
+
+ - We recommend that you configure the **userPrincipalName** (UPN) attribute for each local user account to match the primary email address that corresponds to the licensed Microsoft 365 user. For example: *mary.shelley@contoso.com* rather than *mary@contoso.local*
+
+ - If the Active Directory domain ends in a non-routable suffix like *.local* or *.lan*, instead of an internet routable suffix such as *.com* or *.org*, adjust the UPN suffix of the local user accounts first as described in [Prepare a non-routable domain for directory synchronization](../../enterprise/prepare-a-non-routable-domain-for-directory-synchronization.md).
+
+The **Run IdFix** in step four (4) below, will also make sure your on-premises Active Directory is ready for directory synchronization.
+
+## 2. Install and configure Azure AD Connect
+
+To synchronize your users, groups, and contacts from the local Active Directory into Azure Active Directory, install Azure Active Directory Connect and set up directory synchronization.
+
+ 1. In the [admin center](https://go.microsoft.com/fwlink/p/?linkid=2024339), select **Setup** in the left nav.
+
+ 2. Under **Sign-in and security**, choose **View** under **Sync users from your org's directory**.
+
+ 3. On the **Sync users from your org's directory** page, choose **Get started**.
+
+ 4. In the first step run IdFix tool to prepare for Directory sync.
+
+ 5. Follow the wizard steps to download Azure AD Connect and use it to synchronize your domain-controlled users to Microsoft 365.
++
+See [Set up directory synchronization for Microsoft 365](../../enterprise/set-up-directory-synchronization.md) to learn more.
+
+As you configure your options for Azure AD Connect, we recommend that you enable **Password Synchronization**, **Seamless Single Sign-On**, and the **password writeback** feature, which is also supported in Microsoft 365 for business.
+
+> [!NOTE]
+> There are some additional steps for password writeback beyond the check box in Azure AD Connect. For more information, see [How-to: configure password writeback](/azure/active-directory/authentication/howto-sspr-writeback).
+
+If you also want to manage domain-joined Windows 10 devices, see [Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium](manage-windows-devices.md) to set up a hybrid Azure AD Join.
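Review bot: The two references to IdFix disagree on where it runs. Section 1 ends with "The **Run IdFix** in step four (4) below", while item 4 of the list in section 2 says "In the first step run IdFix tool to prepare for Directory sync." Make clear that item 4 of the section 2 list refers to the first step of the wizard, for example "In the first step of the wizard, run the IdFix tool", and have section 1 point to it as "step 4 in section 2". The section 1 sentence also has a stray comma after "below" and treats "Run IdFix" as a noun; something like "Running IdFix in step 4 of the next section also checks that your on-premises Active Directory is ready" reads more clearly.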
admin Manage Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/manage-windows-devices.md
+
+ Title: "Enable domain-joined Windows 10 devices to be managed by Microsoft 365 for business"
+f1.keywords:
+- CSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+- AdminTemplateSet
+search.appverid:
+- BCS160
+- MET150
+description: "Learn how to enable Microsoft 365 to protect local Active-Directory-joined Windows 10 devices in just a few steps."
++
+# Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium
+
+If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business Premium to protect your Windows 10 devices, while still maintaining access to on-premises resources that require local authentication.
+To set up this protection, you can implement **Hybrid Azure AD joined devices**. These devices are joined to both your on-premises Active Directory and your Azure Active Directory.
+
+## Watch: Configure Hybrid Azure Active Directory join
+
+This video describes the steps for how to set this up for the most common scenario, which is also detailed in the steps that follow.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3C9hO]
+
+## Before you begin
+
+- Synchronize users to Azure AD with Azure AD Connect.
+- Complete Azure AD Connect Organizational Unit (OU) sync.
+- Make sure all the domain users you sync have licenses to Microsoft 365 Business Premium.
+
+See [Synchronize domain users to Microsoft](manage-domain-users.md) for the steps.
+
+## 1. Verify MDM Authority in Intune
+
+Go to [Endpoint Manager](https://endpoint.microsoft.com/#blade/Microsoft_Intune_Enrollment/EnrollmentMenu/overview) and on the Microsoft Intune page, select **Device enrollment**, then on the **Overview** page, make sure **MDM authority** is **Intune**.
+
+- If **MDM authority** is **None**, click the **MDM authority** to set it to **Intune**.
+- If **MDM authority** is **Microsoft Office 365**,go to **Devices** > **Enroll devices** and use the **Add MDM authority** dialog on the right to add **Intune MDM** authority (the **Add MDM Authority** dialog is only available if the **MDM Authority** is set to Microsoft Office 365).
+
+## 2. Verify Azure AD is enabled for joining computers
+
+- Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and select **Azure Active Directory** (select Show all if Azure Active Directory is not visible) in the **Admin centers** list.
+- In the **Azure Active Directory admin center**, go to **Azure Active Directory** , choose **Devices** and then **Device settings**.
+- Verify**Users may join devices to Azure AD** is enabled
+ 1. To enable all users, set to **All**.
+ 2. To enable specific users, set to **Selected** to enable a specific group of users.
+ - Add the desired domain users synced in Azure AD to a [security group](../../admin/create-groups/create-groups.md).
+ - Choose **Select groups** to enable MDM user scope for that security group.
+
+## 3. Verify Azure AD is enabled for MDM
+
+- Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and select select **Endpoint Managemen**t (select **Show all** if **Endpoint Manager** is not visible)
+- In the **Microsoft Endpoint Manager admin center**, go to **Devices** > **Windows** > **Windows Enrollment** > **Automatic Enrollment**.
+- Verify MDM user scope is enabled.
+
+ 1. To enroll all computers, set to **All** to automatically enroll all user computers that are joined to Azure AD and new computers when the users add a work account to Windows.
+ 2. Set to **Some** to enroll the computers of a specific group of users.
+ - Add the desired domain users synced in Azure AD to a [security group](../create-groups/create-groups.md).
+ - Choose **Select groups** to enable MDM user scope for that security group.
+
+## 4. Create the required resources
+
+Performing the required tasks to [configure hybrid Azure AD join](/azure/active-directory/devices/hybrid-azuread-join-managed-domains#configure-hybrid-azure-ad-join) has been simplified through the use of the [Initialize-SecMgmtHybirdDeviceEnrollment](https://github.com/microsoft/secmgmt-open-powershell/blob/master/docs/help/Initialize-SecMgmtHybirdDeviceEnrollment.md) cmdlet found in the [SecMgmt](https://www.powershellgallery.com/packages/SecMgmt) PowerShell module. When you invoke this cmdlet it will create and configure the required service connection point and group policy.
+
+You can install this module by invoking the following from an instance of PowerShell:
+
+```powershell
+Install-Module SecMgmt
+```
+
+> [!IMPORTANT]
+> It is recommended that you install this module on the Windows Server running Azure AD Connect.
+
+To create the required service connection point and group policy, you will invoke the [Initialize-SecMgmtHybirdDeviceEnrollment](https://github.com/microsoft/secmgmt-open-powershell/blob/master/docs/help/Initialize-SecMgmtHybirdDeviceEnrollment.md) cmdlet. You will need your Microsoft 365 Business Premium global admin credentials when performing this task. When you are ready to create the resources, invoke the following:
+
+```powershell
+PS C:\> Connect-SecMgmtAccount
+PS C:\> Initialize-SecMgmtHybirdDeviceEnrollment -GroupPolicyDisplayName 'Device Management'
+```
+
+The first command will establish a connection with the Microsoft cloud, and when you are prompted, specify your Microsoft 365 Business Premium global admin credentials.
+
+## 5. Link the Group Policy
+
+1. In the Group Policy Management Console (GPMC), right-click on the location where you want to link the policy and select *Link an existing GPO...* from the context menu.
+2. Select the policy created in the above step, then click **OK**.
+
+## Get the latest Administrative Templates
+
+If you do not see the policy **Enable automatic MDM enrollment using default Azure AD credentials**, it may be because you donΓÇÖt have the ADMX installed for Windows 10, version 1803, or later. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):
+
+1. Download: [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/102157).
+2. Install the package on a Domain Controller.
+3. Navigate, depending on the Administrative Templates version to the folder: **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**.
+4. Rename the **Policy Definitions** folder in the above path to **PolicyDefinitions**.
+5. Copy the **PolicyDefinitions** folder to your SYSVOL share, by default located at **C:\Windows\SYSVOL\domain\Policies**.
+ - If you plan to use a central policy store for your entire domain, add the contents of PolicyDefinitions there.
+6. In case you have several Domain Controllers, wait for SYSVOL to replicate for the policies to be available. This procedure will work for any future version of the Administrative Templates as well.
+
+At this point you should be able to see the policy **Enable automatic MDM enrollment using default Azure AD credentials** available.
+
+## Related content
+
+[Synchronize domain users to Microsoft 365](manage-domain-users.md) (article)\
+[Create a group in the admin center](../create-groups/create-groups.md) (article)\
+[Tutorial: Configure hybrid Azure Active Directory join for managed domains](/azure/active-directory/devices/hybrid-azuread-join-managed-domains.md) (article)
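Review bot: In section 2, "Verify Azure AD is enabled for joining computers", the last sub-bullet says "Choose **Select groups** to enable MDM user scope for that security group", which is the wording of section 3; the setting being configured here is **Users may join devices to Azure AD**, so the bullet should say the selected group is allowed to join devices. Section 3 also offers **Some** where section 2 offers **Selected**; confirm each label matches its page. Typos to fix in the same pass: "Verify**Users may join" (missing space), "**Microsoft Office 365**,go to" (missing space), and "select select **Endpoint Managemen**t", which repeats "select", breaks the bold, and names "Endpoint Management" while the same sentence later says "Endpoint Manager". In "Get the latest Administrative Templates", "donΓÇÖt" contains a mis-encoded apostrophe, and the heading is unnumbered after five numbered sections, so say when the reader needs it. The last Related content link ends in `.md` on a rooted path, whereas section 4 links the same tutorial without the extension.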
admin Secure Win 10 Pcs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/secure-win-10-pcs.md
+
+ Title: "Secure Windows 10 computers"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- Adm_O365
+- M365-subscription-management
+- TRN_SMB
+
+- Adm_O365
+- Core_O365Admin_Migration
+- MSB365
+- OKR_SMB_M365
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+description: "Learn how to secure Windows 10 PCs after you have set up Microsoft 365 Business Premium."
++
+# Secure Windows 10 computers
+
+This article applies to Microsoft 365 Business Premium.
+
+After you have [set up](business-set-up.md) Microsoft 365 Business Premium, it is time to protect the Windows 10 computers in your org from theft, and malicious threats like viruses and malware.
+
+## To secure your Windows 10 computers
+
+1. Sign in to [Microsoft 365 admin center](https://admin.microsoft.com) by using your global admin credentials.
+2. On the left nav, select **Setup** and then, under **Sign-in and security**, choose **Secure your Windows 10 computers**. Choose **View** to get started.
+3. On the **Secure your Windows 10 computers** page, read all the information to understand what you are turning on, and what the user impact is.
+
+ On the top of the page, choose **Get started**.
+
+4. On the **Secure your Windows 10 computers** pane, select the options you want to turn on. For more information about the settings, see [Secure Windows 10 devices](../../business/secure-windows-10-devices.md) (article)\
+).
+
+ For most organizations, the options here offer a good level of security, however, if your organization has more complex security needs, you can also use pre-defined security baselines to secure your Windows 10 devices. For more information, see [security baselines for Windows 10 devices](/mem/intune/protect/security-baselines).
+
+1. Choose **Apply settings**.
+
+ These settings will apply to all users in your organization. To set up different policies for different security groups, see [Set device protection settings for Windows 10 PCs](../devices/protection-settings-for-windows-10-pcs.md).
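Review bot: Step 4 ends with a stray "(article)\" followed by a dangling ")." on its own line, which will render as literal text after the link; drop both and end the sentence after the link. The step after it is numbered "1." instead of "5.", so the rendered list depends on the renderer renumbering across the indented paragraph; number it explicitly. In the same paragraph, "a good level of security, however, if your organization" is a comma splice; start a new sentence at "However". Step 1 asks for global admin credentials without saying whether a less privileged role can apply these settings; if one can, name it here.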
admin Set Up Mobile Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/set-up-mobile-devices.md
+
+ Title: "Set up mobile devices for Microsoft 365 for business users"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- TRN_M365B
+- OKR_SMB_Videos
+- AdminSurgePortfolio
+- okr_smb
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: d868561b-d340-4c04-a973-e2575d7f09bc
+description: "Install Office on an iPhone or an Android phone, and your work files in Office apps will be protected by Microsoft 365 for business."
++
+# Set up mobile devices for Microsoft 365 for business users
+
+Follow the instructions in the tabs to install Office on an iPhone or an Android phone. After you follow these steps, your work files created in Office apps will be protected by Microsoft 365 for business.
+
+The example is for Outlook, but applies for any other Office apps you want to install also.
+
+## Set up mobile devices
+
+## [iPhone](#tab/iPhone)
+
+Watch a short video on how to set up Office apps on iOS devices with Microsoft 365 for business.<br><br>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWee2n]
+
+If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../../business-video/index.yml).
+
+Go to **App store**, and in the search field type in Microsoft Outlook.
+
+![Go to the iPhone App Store](../../media/886913de-76e5-4883-8ed0-4eb3ec06188f.png)
+
+Tap the cloud icon to install Outlook.
+
+![Tap the cloud icon to install Outlook](../../media/665e1620-948a-4ab8-b914-dca49530142c.png)
+
+When the installation is done, tap the **Open** button to open Outlook and then tap **Get Started**.
+
+![Screenshot of Outlook with Get Started button](../../media/005bedec-ae50-4d75-b3bb-e7cef9e2561c.png)
+
+Enter your work email address on the **Add Email Account** screen \> **Add Account**, and then enter your Microsoft 365 for business credentials \> **Sign in**.
+
+![Sign in to your work account](../../media/3cef1fb5-7bec-4d3d-8542-872b731ce19f.png)
+
+If your organization is protecting files in apps, you'll see a dialog stating that your organization is now protecting the data in the app and you need to restart the app to continue to use it. Tap **OK** and close Outlook.
+
+![Screenshot that shows your organization is now protecting your Outlook app](../../media/fb4c1c84-b1e9-42e1-8070-c13dcf79fb09.png)
+
+Locate Outlook on the iPhone, and restart it. When prompted, enter a PIN and verify it. Outlook on your iPhone is now ready to be used.
+
+![Set a PIN to access your organization's data](../../media/64f2630b-3164-47a4-9dd6-ca0c29ed5fb3.png)
+
+## [Android](#tab/Android)
+
+Watch a video about installing Outlook and Office on Android devices.<br><br>
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/ecc2e9c0-bc7e-4f26-8b14-91d84dbcfef0]
+
+If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../../business-video/index.yml).
+
+To begin setup on your Android phone, go to the Play Store.
+
+![On the Android home screen, tap Play Store](../../media/93df88e7-c778-40e1-b35e-868ca6e97f6c.png)
+
+Enter Microsoft Outlook in the Google Play search box and tap **Install**. Once Outlook is done installing, tap **Open**.
+
+![Tap Open to open Outlook app](../../media/8b4c5937-8875-4b5a-a5b6-b8c6c9cd6240.png)
+
+In the Outlook app, tap **Get Started**, then add your Microsoft 365 for business email account \> **Continue**, and sign in with your organization credentials.
+
+![Sign in to your organizational account in Outlook](../../media/18f67c66-4bab-4b99-94bd-080839312e29.png)
+
+In the dialog that states you must install the Intune Company Portal app, tap **Go to store**.
+
+![Tap on Go to store to get Intune Company Portal app](../../media/a702d712-5622-45dd-a511-b1adaee63071.png)
+
+In Play Store, install Intune Company Portal.
+
+![Screenshot that shows the install button for Intune Company Portal in Google Play Store](../../media/5e0408f2-3f37-44dd-80ed-13ca2ac6df0c.png)
+
+Open Outlook again, and enter and confirm a PIN. Your Outlook app is now ready for use.
+
+![Set PIN for Outlook app in Android](../../media/edb91afb-f1ed-451a-bc6b-8ccba664e055.png)
+
+## Related content
+
+[Microsoft 365 for business training videos](../../business-video/index.yml)
++
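Review bot: The Android tab presents the Intune Company Portal prompt and the PIN step as unconditional, while the iPhone tab makes the equivalent steps conditional ("If your organization is protecting files in apps"). Both depend on the organization having app protection turned on, so the Android tab should carry the same condition; otherwise a user in a tenant without that policy will look for a dialog that never appears. The intro sentence "your work files created in Office apps will be protected" has the same problem and should say protection applies when the admin has configured it. Wording: "The example is for Outlook, but applies for any other Office apps you want to install also" reads better as "The example uses Outlook, but the same steps apply to any other Office app you install." The "## Set up mobile devices" heading is immediately followed by the tab headings at the same level with no text between them; consider removing it or adding a lead-in sentence.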
admin Set Up Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/set-up-windows-devices.md
+
+ Title: "Set up Windows devices for Microsoft 365 Business Premium users"
+f1.keywords:
+- CSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- TRN_M365B
+- OKR_SMB_Videos
+- seo-marvel-mar
+- AdminSurgePortfolio
+- okr_smb
+- AdminTemplateSet
+search.appverid:
+- BCS160
+- MET150
+ms.assetid: 2d7ff45e-0da0-4caa-89a9-48cabf41f193
+description: "Set up Windows devices running Windows 10 Pro for Microsoft 365 Business Premium users, enabling centralized management and security controls."
++
+# Set up Windows devices for Microsoft 365 Business Premium users
+
+## Before you begin
+
+Before you can set up Windows devices for Microsoft 365 Business Premium users, make sure all the Windows devices are running Windows 10 Pro, version 1703 (Creators Update). Windows 10 Pro is a prerequisite for deploying Windows 10 Business, which is a set of cloud services and device management capabilities that complement Windows 10 Pro and enable the centralized management and security controls of Microsoft 365 Business Premium.
+
+If you have Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles you to a Windows 10 upgrade.
+
+For more information on how to upgrade Windows devices to Windows 10 Pro Creators Update, follow the steps in this topic: [Upgrade Windows devices to Windows Pro Creators Update](../../business/upgrade-to-windows-pro-creators-update.md).
+
+See [Verify the device is connected to Azure AD](#verify-the-device-is-connected-to-azure-ad) to verify you have the upgrade, or to make sure the upgrade worked.
+
+## Watch: Connect your PC to Microsoft 365 Business
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3yXh3]
+
+If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../../business-video/index.yml).
+
+## Join Windows 10 devices to your organization's Azure AD
+
+When all Windows devices in your organization have either been upgraded to Windows 10 Pro Creators Update or are already running Windows 10 Pro Creators Update, you can join these devices to your organization's Azure Active Directory. Once the devices are joined, they'll be automatically upgraded to Windows 10 Business, which is part of your Microsoft 365 Business Premium subscription.
+
+### For a brand new, or newly upgraded, Windows 10 Pro device
+
+For a brand new device running Windows 10 Pro Creators Update, or for a device that was upgraded to Windows 10 Pro Creators Update but has not gone through Windows 10 device setup, follow these steps.
+
+1. Go through Windows 10 device setup until you get to the **How would you like to set up?** page.
+
+ ![On the How would you like to set up page, choose Set up for an organization](../../media/1b0b2dba-00bb-4a99-a729-441479220cb7.png)
+
+2. Here, choose **Set up for an organization** and then enter your username and password for Microsoft 365 Business Premium.
+
+3. Finish Windows 10 device setup.
+
+ Once you're done, the user will be connected to your organization's Azure AD. See [Verify the device is connected to Azure AD](#verify-the-device-is-connected-to-azure-ad) to make sure.
+
+### For a device already set up and running Windows 10 Pro
+
+ **Connect users to Azure AD:**
+
+1. In your user's Windows PC, that is running Windows 10 Pro, version 1703 (Creators Update) (see [pre-requisites](../security-and-compliance/pre-requisites-for-data-protection.md)), click the Windows logo, and then the Settings icon.
+
+ ![In the Start menu, click Windows Settings icon](../../media/74e1ce9a-1554-4761-beb9-330b176e9b9d.png)
+
+2. In **Settings**, go to **Accounts**.
+
+ ![In Windows Settings, go to Accounts](../../media/472fd688-d111-4788-9fbb-56a00fbdc24d.png)
+
+3. On **Your info** page, click **Access work or school** \> **Connect**.
+
+ ![Choose Connect under Access work or school](../../media/af3a4e3f-f9b9-4969-b3e2-4ef99308090c.png)
+
+4. On the **Set up a work or school account** dialog, under **Alternate actions**, choose **Join this device to Azure Active Directory**.
+
+ ![Click Join this device to Azure Active Directory](../../media/fb709a1b-05a9-4750-9cb9-e097f4412cba.png)
+
+5. On the **Let's get you signed in** page, enter your work or school account \> **Next**.
+
+ On the **Enter password** page, enter your password \> **Sign in**.
+
+ ![Enter your work or school email on the Let's get you signed in page](../../media/f70eb148-b1d2-4ba3-be38-7317eaf0321a.png)
+
+6. On the **Make sure this is your organization** page, verify that the information is correct, and choose **Join**.
+
+ On the **You're all set!** page, chosse **Done**.
+
+ ![On the Make sure this is your organization screen, choose Join](../../media/c749c0a2-5191-4347-a451-c062682aa1fb.png)
+
+If you uploaded files to OneDrive for Business, sync them back down. If you used a third-party tool to migrate profile and files, also sync those to the new profile.
+
+## Verify the device is connected to Azure AD
+
+To verify your sync status, on the **Access work or school** page in **Settings**, select the **Connected to** _ \<organization name\> _ area to expose the buttons **Info** and **Disconnect**. Choose **Info** to get your synchronization status.
+
+On the **Sync status** page, choose **Sync** to get the latest mobile device management policies onto the PC.
+
+To start using the Microsoft 365 Business Premium account, go to the Windows **Start** button, right-click your current account picture, and then **Switch account**. Sign in by using your organization email and password.
+
+![Click Info button to view synchronization status](../../media/818f7043-adbf-402a-844a-59d50034911d.png)
+
+## Verify the PC is upgraded to Windows 10 Business
+
+Verify that your Azure AD joined Windows 10 devices are upgraded to Windows 10 Business as part of your Microsoft 365 Business Premium subscription.
+
+1. Go to **Settings** \> **System** \> **About**.
+
+2. Confirm that the **Edition** shows **Windows 10 Business**.
+
+ ![Verify that Windows edition is Windows 10 Business.](../../media/ff660fc8-d3ba-431b-89a5-f5abded96c4d.png)
+
+## Next steps
+
+To set up your mobile devices, see [Set up mobile devices for Microsoft 365 Business Premium users](set-up-mobile-devices.md), To set device protection or app protection policies, see [Manage Microsoft 365 for business](../../business/manage.md).
+
+## Related content
+
+[Microsoft 365 for business training videos](../../business-video/index.yml) (link page)
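Review bot: In "Before you begin", the sentence "See [Verify the device is connected to Azure AD] ... to verify you have the upgrade, or to make sure the upgrade worked" links to the Azure AD connection check, but the upgrade check is the later section "Verify the PC is upgraded to Windows 10 Business"; point the link at that anchor. Step 6 of the "already set up" procedure has a typo, "chosse **Done**". In "Next steps" the two sentences are joined with a comma ("...(set-up-mobile-devices.md), To set device protection..."); use a period. Step 3 of the new-device procedure says "the user will be connected to your organization's Azure AD" where the rest of the article says the device is joined; use one term. "Related content" ends with a trailing "(link page)" that will render as literal text.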
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
Auto-applying retention labels are powerful because:
You can apply retention labels to content automatically when that content contains sensitive information, keywords or searchable properties, or a match for [trainable classifiers](classifier-get-started-with.md). > [!TIP]
-> Recently released, use searchable properties to identify [Teams meeting recordings](#microsoft-teams-meeting-recordings).
+> Use searchable properties to identify [Teams meeting recordings](#microsoft-teams-meeting-recordings).
The processes to automatically apply a retention label based on these conditions:
You can apply retention labels to content automatically when that content contai
- [A match for trainable classifiers](#auto-apply-labels-to-content-by-using-trainable-classifiers)
-All three conditions can automatically apply retention labels to emails as they are sent and received, but not to existing items in the mailbox (data at rest). For items in SharePoint and OneDrive, use the following table to identify when retention labels can be automatically applied to them:
+All three conditions can automatically apply retention labels to emails as they are sent and received (data in transit), but not to existing items in the mailbox (data at rest). For items in SharePoint and OneDrive, use the following table to identify when retention labels can be automatically applied to them:
|Condition|New or modified items |Existing items (data at rest)| |:--|:--|:--|
compliance Ediscovery Troubleshooting Common Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-troubleshooting-common-issues.md
search.appverid:
- MOE150 - MET150 ms.assetid:
-description: Learn about basic troubleshooting steps you can take to resolve common issues in Office 365 eDiscovery.
+description: "Learn about basic troubleshooting steps you can take to resolve common issues in Office 365 eDiscovery."
siblings_only: true
You may see that error when running an eDiscovery search that includes SharePoin
### Resolution Open the SPO location and verify that this file indeed is not there.
-Suggested solution is to manually reindex the site, or wait till the site reindexes by the automatic background process.
+Suggested solution is to manually reindex the site, or wait until the site reindexes by the automatic background process.
## Error/issue: This search result was not downloaded as it is a folder or other artifact that can't be downloaded by itself, any items inside the folder or library will be downloaded.
-You may see that error when running an eDiscovery search that includes SharePoint Online and One Drive For Business locations. It means that we were going to try and export the item reported in the index, but it turned out to be a folder so we did not export it. As mentioned in the error, we don't export folder items but we do export their contents.
+You may see that error when running an eDiscovery search that includes SharePoint Online and One Drive For Business locations. It means that we were going to try to export the item reported in the index, but it turned out to be a folder so we did not export it. As mentioned in the error, we don't export folder items but we do export their contents.
## Error/issue: Search fails because recipient is not found
When exporting search results from Core eDiscovery or Content search in the Micr
### Resolution
-1. If necessary, rerun the search. If the search was last ran more than 7 days ago, you have to rerun the search.
+1. If necessary, rerun the search. If the search was last ran more than seven days ago, you have to rerun the search.
2. Restart the export.
This is a client-side issue. To remediate it, follow these steps:
6. If the previous steps don't work, disable zipping and de-duplication.
-7. If this works then the issue is due to a local virus scanner or a disk issue.
+7. If this works, then the issue is due to a local virus scanner or a disk issue.
+
+## Error: "Your request can't be started because the maximum number of jobs for your organization are currently running"
+
+Your organization has reached the limit for the maximum number of concurrent export jobs. All new export jobs are being throttled.
+
+### Resolution
+
+Run the following script to discover how many export jobs that were started in the last seven days are still running.
+
+1. Connect to [Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
+
+2. Run the following script to collection information about the current export jobs are triggering the throttle:
+
+ ```powershell
+ $date = Get-Date;
+ $exports = Get-ComplianceSearchAction -Export -ResultSize Unlimited;
+ $inprogressExports = $exports | ?{$_.Results -eq $null -or (!$_.Results.Contains("Export status: Completed") -and !$_.Results.Contains("Export status: none"))};
+ $exportJobsRunning = $inprogressExports | ?{$_.JobStartTime -ge $date.AddDays(-7)} | Sort-Object JobStartTime -Descending;
+ ```
+
+3. Run the following command to display a list of export jobs that are currently running:
+
+ ```powershell
+ $exportJobsRunning | Format-Table Name, JobStartTime, JobEndTime, Status | More;
+ ```
+
+ If the previous command returns 10 or more exports jobs, your organization has reached the limit for the number of concurrent export jobs. For more information, see [Limits for eDiscovery search](limits-for-content-search.md).
+
+4. Wait for existing export jobs to finish or remove export jobs that are no longer needed by using the [Remove-ComplianceSearchAction](/powershell/module/exchange/remove-compliancesearchaction) cmdlet.
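Review bot: The filter in step 2 keeps only jobs with `JobStartTime -ge $date.AddDays(-7)`, so an export started more than seven days ago that is still running is not listed, and the count compared against 10 in step 3 can understate the jobs that are actually holding slots. Either explain why older jobs cannot count toward the limit or drop the seven-day filter and sort by start time only. In the same script, `$_.Results -eq $null` should be written `$null -eq $_.Results` so the comparison behaves as a null test even if `Results` is ever a collection. Wording: step 2 reads "to collection information about the current export jobs are triggering the throttle" (should be "to collect information about the current export jobs that are triggering the throttle"), the sentence under "Resolution" repeats step 2 before step 1 has connected the session, step 3 says "exports jobs", and the changed line in the earlier resolution still says "last ran" where "last run" is meant. Step 4 points at Remove-ComplianceSearchAction without telling the reader to confirm the export has been downloaded first; a one-line caution would prevent removing a job someone still needs.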
compliance Privacy Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management.md
The privacy management solution for Microsoft 365 evaluates data and files store
- Microsoft OneDrive - Microsoft Teams
-Since privacy management focuses on data specific to your organization, any personal accounts your employees or customers may have on these services will not be in scope.
+Privacy management does not collect data beyond what is already collected in Microsoft 365. Also, since privacy management focuses on data specific to your organization, any consumer accounts your employees or customers may have on these services will not be in scope.
### Additional resources
compliance Record Versioning https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/record-versioning.md
You can now do the following things:
> [!TIP] > When you use record versioning with a retention label that has a delete action, consider configuring the retention setting **Start the retention period based on:** to be **When items were labeled**. With this label setting, the start of the retention period is reset for each new record version, which ensures that older versions will be deleted before newer versions.
-Record versioning is automatically available for any document that has a retention label that marks the item as a record. When a user views the document properties by using the details pane, they can toggle the **Record status** from **Locked** to **Unlocked**. This action creates a record in the Records folder in the Preservation Hold library, where it resides for the remainder of its retention period.
+Record versioning is automatically available for any document that has a retention label applied that marks the item as a record, and that label is [published to the site](create-apply-retention-labels.md#step-2-publish-retention-labels). When a user views the document properties by using the details pane, they can toggle the **Record status** from **Locked** to **Unlocked**. This action creates a record in the Records folder in the Preservation Hold library, where it resides for the remainder of its retention period.
While the document is unlocked, any user with standard edit permissions can edit the file. However, users can't delete the file, because it's still a record. When editing is complete, a user can then toggle the **Record status** from **Unlocked** to **Locked**, which prevents further edits while in this status. <br/><br/>
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
Use the following table to help you identify whether to use a retention policy o
|Retention applied automatically | Yes | Yes | |Retention applied based on conditions <br /> - sensitive info types, KQL queries and keywords, trainable classifiers| No | Yes | |Retention applied manually | No | Yes |
-|UI presence for end users | No | Yes |
+|End user interaction | No | Yes |
|Persists if the content is moved | No | Yes, within your Microsoft 365 tenant | |Declare item as a record| No | Yes | |Start the retention period when labeled or based on an event | No | Yes |
compliance Sensitivity Labels Teams Groups Sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-teams-groups-sites.md
If these containers have Azure AD classification values applied to them, the con
See the webinar recording and answered questions for [Using Sensitivity labels with Microsoft Teams, O365 Groups and SharePoint Online sites](https://techcommunity.microsoft.com/t5/security-privacy-and-compliance/using-sensitivity-labels-with-microsoft-teams-o365-groups-and/ba-p/1221885#M1380).
-This webinar was recorded when the feature was still in preview, so you might notice some discrepancies in the UI. However, the information for this feature is still accurate, with any new capabilities documented on this page.
+For more information on managing Teams connected sites and channel sites, see [Manage Teams connected sites and channel sites](/SharePoint/teams-connected-sites).
+
+This webinar was recorded when the feature was still in preview, so you might notice some discrepancies in the UI. However, the information for this feature is still accurate, with any new capabilities documented on this page.
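Review bot: The new "Manage Teams connected sites and channel sites" paragraph is inserted between the webinar link and the sentence "This webinar was recorded when the feature was still in preview", so "This webinar" now follows a paragraph about something else and loses its antecedent. Move the new paragraph after the webinar caveat, or into a "See also" section as the sensitivity-labels.md change in this same batch does.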
compliance Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels.md
You can also learn about [partner solutions that are integrated with Microsoft I
For deployment planning and guidance that includes licensing information, permissions, deployment strategy, a list of supported scenarios, and end-user documentation, see [Get started with sensitivity labels](get-started-with-sensitivity-labels.md).
-To learn how to use sensitivity labels to comply with data privacy regulations, see [Deploy information protection for data privacy regulations with Microsoft 365](../solutions/information-protection-deploy.md) (aka.ms/m365dataprivacy).
+To learn how to use sensitivity labels to comply with data privacy regulations, see [Deploy information protection for data privacy regulations with Microsoft 365](../solutions/information-protection-deploy.md) (aka.ms/m365dataprivacy).
+
+## See also
+
+[Manage Teams connected sites and channel sites](/SharePoint/teams-connected-sites)
compliance Unlimited Archiving https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/unlimited-archiving.md
Here are some things to consider when using Outlook or Outlook on the web to acc
- You can access any folder in your archive mailbox, including ones that were moved to the auto-expanded storage area.
+- If an archive mailbox has at least one auto-expanded storage area, you can't delete a folder from the archive mailbox or from the auxiliary archive. In other words, after an auto-expanded storage area has been provisioned, you can't delete any folders in the archive.
+
+- You can delete items in an auto-expanded storage area. However, you can't use the Recover Deleted Items feature to recover an item deleted from an auto-expanded storage area.
+ - Search for auto-expanded archiving is available in Outlook for the web (OWA). Similar to Online Archive, you can search for items that were moved to an additional storage area. When archive is selected as the search scope in OWA, all archives (including auto-expanded archives) and their corresponding subfolders will be searched. - Auto-expanded archive search is available in Outlook Desktop in Current Channel (Preview). Within this preview, the Current Mailbox scope is available, thus allowing you to search the auto-expanded archive. For more information about this and other Microsoft Search support features, see [How Outlook for Windows connected to Exchange Online utilizes Microsoft Search](https://techcommunity.microsoft.com/t5/outlook-global-customer-service/how-outlook-for-windows-connected-to-exchange-online-utilizes/ba-p/1715045). - Item counts in Outlook and Read/Unread counts (in Outlook and Outlook on the web) in an auto-expanded archive might not be accurate. -- You can delete items in a subfolder that points to an auto-expanded storage area, but the folder itself can't be deleted.--- You can't use the Recover Deleted Items feature to recover an item that was deleted from an auto-expanded storage area.- ## Auto-expanding archiving and other compliance features This section explains the functionality between auto-expanding archiving and other compliance and data governance features.
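Review bot: The first added bullet widens the restriction compared with the bullet it replaces: the removed text said a subfolder "that points to an auto-expanded storage area" can't be deleted, while the new text says no folder anywhere in the archive can be deleted once any auto-expanded storage area exists. If that broader scope is the intended statement, say so once; the bullet currently states it twice ("In other words, ..."), and the second sentence can be dropped. Since this is a behavior users will hit as a failed delete, it would help to state what they see when they try.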
enterprise EU Data Storage Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/EU-data-storage-locations.md
 Title: "Data locations for the European Union"--++ audience: ITPro
enterprise About Microsoft 365 Identity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/about-microsoft-365-identity.md
Title: "Microsoft 365 identity models and Azure Active Directory"--++ audience: Admin Last updated 09/30/2020
enterprise Add A Domain To A Client Tenancy With Windows Powershell For Delegated Access Pe https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/add-a-domain-to-a-client-tenancy-with-windows-powershell-for-delegated-access-pe.md
Title: "Add a domain to a client tenancy with Windows PowerShell for DAP partners"--++ audience: Admin
You also need the following information:
## Create domains
- Your customers will likely ask you to create additional domains to associate with their tenancy because they don't want the default <domain>.onmicrosoft.com domain to be the primary one that represents their corporate identities to the world. This procedure walks you through creating a new domain associated with your customer's tenancy.
+ Your customers will likely ask you to create additional domains to associate with their tenancy because they don't want the default \<domain>.onmicrosoft.com domain to be the primary one that represents their corporate identities to the world. This procedure walks you through creating a new domain associated with your customer's tenancy.
> [!NOTE] > To perform some of these operations, the partner administrator account you sign in with must be set to **Full administration** for the **Assign administrative access to companies you support** setting found in the details of the admin account in the Microsoft 365 admin center. For more information on managing partner administrator roles, see [Partners: Offer delegated administration](https://go.microsoft.com/fwlink/p/?LinkId=532435).
enterprise Address Space Calculator For Azure Gateway Subnets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/address-space-calculator-for-azure-gateway-subnets.md
Title: "Address space calculator for Azure gateway subnets"--++ Last updated 01/07/2021 audience: ITPro
enterprise Architectural Models For Sharepoint Exchange Skype For Business And Lync https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/architectural-models-for-sharepoint-exchange-skype-for-business-and-lync.md
Title: "Architectural models for SharePoint, Exchange, Skype for Business, and Lync"--++ Last updated 05/16/2018 audience: ITPro
enterprise Assign Licenses To User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell.md
Title: "Assign Microsoft 365 licenses to user accounts with PowerShell"--++ Last updated 09/23/2020 audience: Admin
enterprise Assign Licenses To User Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assign-licenses-to-user-accounts.md
Title: "Assign Microsoft 365 licenses to user accounts"--++ Last updated 09/30/2020 audience: Admin
enterprise Assign Per User Skype For Business Online Policies With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assign-per-user-skype-for-business-online-policies-with-microsoft-365-powershell.md
Title: "Assign per-user Skype for Business Online policies with PowerShell for Microsoft 365"--++ Last updated 07/16/2020 audience: ITPro
enterprise Assign Roles To User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/assign-roles-to-user-accounts-with-microsoft-365-powershell.md
Title: "Assign roles to Microsoft 365 user accounts with PowerShell"--++ Last updated 09/23/2020 audience: Admin
enterprise Automate Licenses Group Membership Microsoft 365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/automate-licenses-group-membership-microsoft-365-test-environment.md
Title: "Automate licensing and group membership for your Microsoft 365 for enterprise test environment" f1.keywords: - NOCSH--++ Last updated 12/09/2019 audience: ITPro
enterprise Azure Ad Identity Protection Microsoft 365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/azure-ad-identity-protection-microsoft-365-test-environment.md
Title: "Azure AD Identity Protection for your Microsoft 365 for enterprise test environment" f1.keywords: - NOCSH--++ Last updated 12/10/2019 audience: ITPro
enterprise Azure Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/azure-integration.md
Title: "Azure integration with Microsoft 365"--++ audience: Admin
enterprise Block User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/block-user-accounts-with-microsoft-365-powershell.md
Title: "Block Microsoft 365 user accounts with PowerShell"--++ Last updated 07/16/2020 audience: Admin
enterprise Client Server Software Roadmap Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/client-server-software-roadmap-microsoft-365.md
Title: Client and server software roadmap for Microsoft 365 f1.keywords: - NOCSH--++ Last updated 08/10/2020 audience: ITPro
enterprise Cloud Adoption Test Lab Guides Tlgs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-adoption-test-lab-guides-tlgs.md
Title: "Test Microsoft 365 with Test Lab Guides (TLGs)"--++ Last updated 11/14/2019 audience: ITPro
enterprise Cloud Only Identities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-only-identities.md
Title: "Microsoft 365 cloud-only identity"--++ Last updated 09/30/2020 audience: Admin
enterprise Cloud Only Prereqs M365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-only-prereqs-m365-test-environment.md
Title: "Identity and device access prerequisites for cloud only in your Microsoft 365 test environment"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Cloud Services Roadmap Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cloud-services-roadmap-microsoft-365.md
Title: Cloud services roadmap for Microsoft 365 f1.keywords: - NOCSH--++ Last updated 08/10/2020 audience: ITPro
enterprise Cmdlet References For Microsoft 365 Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cmdlet-references-for-microsoft-365-services.md
Title: "Cmdlet references for Microsoft 365 services"--++ Last updated 07/16/2020 audience: ITPro
enterprise Configure Services And Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-services-and-applications.md
Title: "Configure Microsoft 365 Enterprise services and applications"--++ audience: ITPro
enterprise Configure User Account Properties With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/configure-user-account-properties-with-microsoft-365-powershell.md
Title: "Configure Microsoft 365 user account properties with PowerShell"--++ audience: Admin
enterprise Connect An On Premises Network To A Microsoft Azure Virtual Network https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/connect-an-on-premises-network-to-a-microsoft-azure-virtual-network.md
Title: "Connect an on-premises network to a Microsoft Azure virtual network"--++ Last updated 11/21/2019 audience: ITPro
enterprise Connect To All Microsoft 365 Services In A Single Windows Powershell Window https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/connect-to-all-microsoft-365-services-in-a-single-windows-powershell-window.md
Title: "Connect to all Microsoft 365 services in a single PowerShell window"--++ Last updated 02/02/2021 audience: ITPro
enterprise Connect To Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/connect-to-microsoft-365-powershell.md
Title: "Connect to Microsoft 365 with PowerShell"--++ audience: ITPro
enterprise Contoso Case Study https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-case-study.md
Title: "Microsoft 365 for enterprise for the Contoso Corporation"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Contoso Identity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-identity.md
Title: "Identity for the Contoso Corporation"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Contoso Info Protect https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-info-protect.md
Title: "Information protection for the Contoso Corporation"-+ f1.keywords: - NOCSH-+ Last updated 10/02/2019 audience: ITPro
enterprise Contoso Infra Needs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-infra-needs.md
Title: "Contoso IT infrastructure and business needs"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Contoso Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-mdm.md
Title: "Mobile device management for Contoso"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Contoso Networking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-networking.md
Title: "Networking for the Contoso Corporation"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Contoso O365pp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-o365pp.md
Title: "Microsoft 365 Apps for enterprise deployment for Contoso"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Contoso Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-overview.md
Title: "Overview of Contoso Corporation"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Contoso Security Summary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-security-summary.md
Title: "Summary of Microsoft 365 for enterprise security for the Contoso Corporation"-+ f1.keywords: - NOCSH-+ Last updated 10/02/2019 audience: ITPro
enterprise Contoso Win10 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/contoso-win10.md
Title: "Windows 10 Enterprise deployment for Contoso"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Create Sharepoint Sites And Add Users With Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/create-sharepoint-sites-and-add-users-with-powershell.md
Title: "Create SharePoint Online sites and add users with PowerShell"--++ audience: Admin
enterprise Create User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/create-user-accounts-with-microsoft-365-powershell.md
Title: "Create Microsoft 365 user accounts with PowerShell"--++ audience: Admin
enterprise Cross Tenant Mailbox Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md
Title: Cross-tenant mailbox migration description: How to move mailboxes between Microsoft 365 or Office 365 tenants.--++ ms.prod: microsoft-365-enterprise
You must ensure the following objects and attributes are set in the target organ
- The Target MailUser must have these attributes from the source mailbox or assigned with the new User object: - ExchangeGUID (direct flow from source to target) ΓÇô The mailbox GUID must match. The move process will not proceed if this is not present on target object. - ArchiveGUID (direct flow from source to target) ΓÇô The archive GUID must match. The move process will not proceed if this is not present on the target object. (This is only required if the source mailbox is Archive enabled).
- - LegacyExchangeDN (flow as proxyAddress, ΓÇ£x500:<LegacyExchangeDN>ΓÇ¥) ΓÇô The LegacyExchangeDN must be present on target MailUser as x500: proxyAddress. In addition, you also need to copy all x500 addresses from the source mailbox to the target mail user. The move processes will not proceed if these are not present on the target object.
+ - LegacyExchangeDN (flow as proxyAddress, ΓÇ£x500:\<LegacyExchangeDN>ΓÇ¥) ΓÇô The LegacyExchangeDN must be present on target MailUser as x500: proxyAddress. In addition, you also need to copy all x500 addresses from the source mailbox to the target mail user. The move processes will not proceed if these are not present on the target object.
- UserPrincipalName ΓÇô UPN will align to the userΓÇÖs NEW identity or target company (for example, user@northwindtraders.onmicrosoft.com). - Primary SMTPAddress ΓÇô Primary SMTP address will align to the userΓÇÖs NEW company (for example, user@northwind.com). - TargetAddress/ExternalEmailAddress ΓÇô MailUser will reference the userΓÇÖs current mailbox hosted in source tenant (for example user@contoso.onmicrosoft.com). When assigning this value, verify that you have/are also assigning PrimarySMTPAddress or this value will set the PrimarySMTPAddress which will cause move failures.
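Review bot: The changed LegacyExchangeDN bullet says "The move processes will not proceed" while the ExchangeGUID and ArchiveGUID bullets just above it say "The move process will not proceed"; since the line is being touched anyway, use the singular so the three hard requirements read the same way. The x500 placeholder would also be more robust as inline code than with a backslash escape, because inline code needs no escaping and shows the exact string an admin has to build.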
You must ensure the following objects and attributes are set in the target organ
if ($source.LitigationHoldEnabled) {$ELCValue = $ELCValue + 8} if ($source.SingleItemRecoveryEnabled) {$ELCValue = $ELCValue + 16} if ($ELCValue -gt 0) {Set-ADUser -Server $domainController -Identity $destination.SamAccountName -Replace @{msExchELCMailboxFlags=$ELCValue}} ```
-3. Non-hybrid target tenants can modify the quota on the Recoverable Items folder for the MailUsers prior to migration by running the following command to enable Litigation Hold on the MailUser object and increasing the quota to 100 GB: `Set-MailUser -EnableLitigationHoldForMigration $TRUE`. Note this will not work for tenants in hybrid.
+3. Non-hybrid target tenants can modify the quota on the Recoverable Items folder for the MailUsers prior to migration by running the following command to enable Litigation Hold on the MailUser object and increasing the quota to 100 GB: `Set-MailUser -EnableLitigationHoldForMigration`. Note this will not work for tenants in hybrid.
4. Users in the target organization must be licensed with appropriate Exchange Online subscriptions applicable for the organization. You may apply a license in advance of a mailbox move but ONLY once the target MailUser is properly set up with ExchangeGUID and proxy addresses. Applying a license before the ExchangeGUID is applied will result in a new mailbox provisioned in target organization.
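Review bot: The command in step 3, `Set-MailUser -EnableLitigationHoldForMigration`, names no MailUser to act on, and Set-MailUser needs an `-Identity` value, so it cannot be run as written. Dropping `$TRUE` is fine for a switch parameter, but show the identity as a placeholder, for example `Set-MailUser -Identity <MailUser identity> -EnableLitigationHoldForMigration`, and consider moving the hybrid caveat ahead of the command so readers see it before running anything.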
Yes, however we only keep the store permissions as described in these articles:
**Is Azure Key Vault required and when are transactions made?**
-Yes, an Azure subscription is required to use Key Vault to store the certificate to authorize migration. Unlike onboarding migrations which use username & password to authenticate to the source, cross-tenant mailbox migrations use OAuth and this certificate as the secret/credential. Access to the Key Vault must be maintained throughout all mailbox migrations as it is accessed once at the beginning and once end of migration, as well as once every 24 hours during incremental sync times. You can review AKV costing details [here](https://azure.microsoft.com/en-us/pricing/details/key-vault/).
+Yes, an Azure subscription is required to use Key Vault to store the certificate to authorize migration. Unlike onboarding migrations which use username & password to authenticate to the source, cross-tenant mailbox migrations use OAuth and this certificate as the secret/credential. Access to the Key Vault must be maintained throughout all mailbox migrations as it is accessed once at the beginning and once end of migration, as well as once every 24 hours during incremental sync times. You can review AKV costing details [here](https://azure.microsoft.com/pricing/details/key-vault/).
**Do you have any recommendations for batches?**
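Review bot: The link on the + line still uses "here" as its text, which says nothing about the destination when links are scanned out of context; name the target instead, for example "Key Vault pricing". The same paragraph reads "once at the beginning and once end of migration", which is missing "at the" and could be fixed in this pass.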
enterprise Data Classification Microsoft 365 Enterprise Dev Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/data-classification-microsoft-365-enterprise-dev-test-environment.md
Title: "Data classification for your Microsoft 365 for enterprise test environment" f1.keywords: - NOCSH--++ Last updated 12/10/2019 audience: ITPro
enterprise Delete And Restore User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/delete-and-restore-user-accounts-with-microsoft-365-powershell.md
Title: "Delete Microsoft 365 user accounts with PowerShell"--++ Last updated 09/23/2020 audience: Admin
enterprise Deploy High Availability Federated Authentication For Microsoft 365 In Azure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/deploy-high-availability-federated-authentication-for-microsoft-365-in-azure.md
Title: "Deploy high availability federated authentication for Microsoft 365 in Azure"--++ Last updated 11/25/2019 audience: ITPro
enterprise Deploy Microsoft 365 Directory Synchronization Dirsync In Microsoft Azure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/deploy-microsoft-365-directory-synchronization-dirsync-in-microsoft-azure.md
Title: "Deploy Microsoft 365 Directory Synchronization in Microsoft Azure"--++ Last updated 11/05/2018 audience: ITPro
enterprise Deploy Update Channels Examples Rapid Deploy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/deploy-update-channels-examples-rapid-deploy.md
Title: "Example of broad deployment for the latest releases"-+ f1.keywords: - NOCSH-+ Last updated 07/21/2020 audience: ITPro
enterprise Deploy Update Channels Examples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/deploy-update-channels-examples.md
Title: "Deployment and update channel example configurations"-+ f1.keywords: - NOCSH-+ Last updated 07/21/2020 audience: ITPro
enterprise Desktop Deployment Center Home https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/desktop-deployment-center-home.md
Title: Desktop Deployment Center f1.keywords: - NOCSH--++ Last updated 08/10/2020 audience: ITPro
enterprise Device Management Roadmap Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/device-management-roadmap-microsoft-365.md
Title: Device management roadmap for Microsoft 365 keywords: Microsoft 365, Microsoft 365 for enterprise, Microsoft 365 documentation, mobile device management, Intune--++ Last updated 08/10/2020
enterprise Disable Access To Services While Assigning User Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/disable-access-to-services-while-assigning-user-licenses.md
Title: "Disable access to Microsoft 365 services while assigning user licenses"--++ Last updated 04/24/2020 audience: Admin
enterprise Disable Access To Services With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/disable-access-to-services-with-microsoft-365-powershell.md
Title: "Disable access to Microsoft 365 services with PowerShell"--++ Last updated 07/27/2020 audience: Admin
enterprise Disable Access To Sway With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/disable-access-to-sway-with-microsoft-365-powershell.md
Title: "Disable access to Sway with PowerShell for Microsoft 365"--++ Last updated 07/17/2020 audience: Admin
enterprise Enroll Ios And Android Devices In Your Microsoft Enterprise 365 Dev Test Environ https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/enroll-ios-and-android-devices-in-your-microsoft-enterprise-365-dev-test-environ.md
Title: "Enroll iOS/iPadOS and Android devices in your Microsoft 365 for enterprise test environment" f1.keywords: - NOCSH--++ Last updated 11/19/2020 audience: ITPro
enterprise Federated Identity For Your Microsoft 365 Dev Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/federated-identity-for-your-microsoft-365-dev-test-environment.md
Title: "Federated identity for your Microsoft 365 test environment" f1.keywords: - NOCSH--++ Last updated 05/26/2019 audience: ITPro
enterprise Fix Problems With Directory Synchronization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/fix-problems-with-directory-synchronization.md
Title: "Fixing problems with directory synchronization for Microsoft 365"--++ audience: Admin
enterprise Get Your Organization Ready For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/get-your-organization-ready-for-office-365.md
Title: "Plan for Microsoft 365 Enterprise"--++ Last updated 08/12/2019 audience: Admin
enterprise Getting Started With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/getting-started-with-microsoft-365-powershell.md
Title: "Get started with PowerShell for Microsoft 365"--++ Last updated 07/17/2020 audience: ITPro
enterprise High Availability Federated Authentication Phase 1 Configure Azure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/high-availability-federated-authentication-phase-1-configure-azure.md
Title: "High availability federated authentication Phase 1 Configure Azure"--++ Last updated 11/25/2019 audience: ITPro
enterprise High Availability Federated Authentication Phase 2 Configure Domain Controllers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/high-availability-federated-authentication-phase-2-configure-domain-controllers.md
Title: "High availability federated authentication Phase 2 Configure domain controllers"--++ Last updated 11/25/2019 audience: ITPro
enterprise High Availability Federated Authentication Phase 3 Configure Ad Fs Servers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/high-availability-federated-authentication-phase-3-configure-ad-fs-servers.md
Title: "High availability federated authentication Phase 3 Configure AD FS servers"--++ Last updated 11/25/2019 audience: ITPro
enterprise High Availability Federated Authentication Phase 4 Configure Web Application Pro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/high-availability-federated-authentication-phase-4-configure-web-application-pro.md
Title: "High availability federated authentication Phase 4 Configure web application proxies"--++ Last updated 11/25/2019 audience: ITPro
enterprise High Availability Federated Authentication Phase 5 Configure Federated Authentic https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/high-availability-federated-authentication-phase-5-configure-federated-authentic.md
Title: "High availability federated authentication Phase 5 Configure federated authentication for Microsoft 365"--++ Last updated 11/25/2019 audience: ITPro
enterprise Hybrid Solutions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/hybrid-solutions.md
Title: "Hybrid solutions"--++ Last updated 09/30/2020 audience: ITPro
enterprise Identify Directory Synchronization Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/identify-directory-synchronization-errors.md
Title: "View directory synchronization errors in Microsoft 365"--++ audience: Admin
enterprise Identity Device Access M365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/identity-device-access-m365-test-environment.md
Title: "Identity and device access for your Microsoft 365 test environment"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Identity Roadmap Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/identity-roadmap-microsoft-365.md
Title: "Identity roadmap for Microsoft 365" f1.keywords: - NOCSH--++ Last updated 09/30/2020 audience: ITPro
enterprise Increased O365 Security Microsoft 365 Enterprise Dev Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/increased-o365-security-microsoft-365-enterprise-dev-test-environment.md
Title: "Increased Microsoft 365 security for your Microsoft 365 for enterprise test environment" f1.keywords: - NOCSH--++ Last updated 12/09/2019 audience: ITPro
enterprise Integrated Apps And Azure Ads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/integrated-apps-and-azure-ads.md
Title: "Integrated apps and Azure AD for Microsoft 365 administrators"--++ audience: Admin
enterprise Lightweight Base Configuration Microsoft 365 Enterprise https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/lightweight-base-configuration-microsoft-365-enterprise.md
Title: "Lightweight base configuration" f1.keywords: - NOCSH--++ Last updated 11/14/2019 audience: ITPro
enterprise M365 Enterprise Test Lab Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/m365-enterprise-test-lab-guides.md
Title: "Microsoft 365 for enterprise Test Lab Guides" f1.keywords: - NOCSH--++ Last updated 11/20/2019 audience: ITPro
enterprise Maintain Group Membership With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/maintain-group-membership-with-microsoft-365-powershell.md
Title: "Maintain security group membership with PowerShell"--++ audience: Admin
enterprise Mam Policies For Your Microsoft 365 Enterprise Dev Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/mam-policies-for-your-microsoft-365-enterprise-dev-test-environment.md
Title: "Device compliance policies for your Microsoft 365 for enterprise test environment" f1.keywords: - NOCSH--++ Last updated 11/19/2020 audience: ITPro
enterprise Manage Microsoft 365 Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-accounts.md
Title: "Manage Microsoft 365 user accounts"--++ audience: Admin
enterprise Manage Microsoft 365 Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-groups.md
Title: "Manage Microsoft 365 groups"--++ audience: Admin
enterprise Manage Microsoft 365 Identity Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-identity-governance.md
Title: "Manage Microsoft 365 identity governance"--++ audience: Admin
enterprise Manage Microsoft 365 Passwords https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-passwords.md
Title: "Manage Microsoft 365 user account passwords"--++ audience: Admin
enterprise Manage Microsoft 365 Tenants With Windows Powershell For Delegated Access Permissio https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-tenants-with-windows-powershell-for-delegated-access-permissio.md
Title: "Manage Microsoft 365 tenants with Windows PowerShell for DAP partners"--++ audience: Admin
Get-MsolPartnerContract -DomainName <domainname.onmicrosoft.com> | Select-Object
### List all domains for a tenant
-To get all domains for any one customer tenant, run this command. Replace _<customer TenantId value>_ with the actual value.
+To get all domains for any one customer tenant, run this command. Replace _\<customer TenantId value>_ with the actual value.
```powershell Get-MsolDomain -TenantId <customer TenantId value>
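Review bot: The placeholder on the + line is kept as italic text with a backslash escape (`_\<customer TenantId value>_`), which depends on the renderer handling the escape inside emphasis. Formatting it as inline code would need no escape and would match the `<customer TenantId value>` token in the command directly below character for character.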
$Tenants = Get-MsolPartnerContract -All; $Tenants | foreach {$Domains = $_.Tenan
### Get all users for a tenant
-This will display the **UserPrincipalName**, the **DisplayName**, and the **isLicensed** status for all users for a particular tenant. Replace _<customer TenantId value>_ with the actual value.
+This will display the **UserPrincipalName**, the **DisplayName**, and the **isLicensed** status for all users for a particular tenant. Replace _\<customer TenantId value>_ with the actual value.
```powershell Get-MsolUser -TenantID <customer TenantId value>
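Review bot: The command under this paragraph spells the parameter `-TenantID`, while the Get-MsolDomain and Get-MsolUser -UserPrincipalName examples in the same article use `-TenantId`. PowerShell does not care about the case, but readers copy these lines verbatim, so align the spelling across the article while this section is being edited.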
Get-MsolUser -TenantID <customer TenantId value>
### Get all details about a user
-If you want to see all the properties of a particular user, run this command. Replace _<customer TenantId value>_ and _<user principal name value>_ with the actual values.
+If you want to see all the properties of a particular user, run this command. Replace _\<customer TenantId value>_ and _\<user principal name value>_ with the actual values.
```powershell Get-MsolUser -TenantId <customer TenantId value> -UserPrincipalName <user principal name value>
enterprise Manage Microsoft 365 With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-with-microsoft-365-powershell.md
Title: "Manage Microsoft 365 with PowerShell"--++ audience: Admin
enterprise Manage Microsoft 365 With Windows Powershell For Delegated Access Permissions Dap P https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-microsoft-365-with-windows-powershell-for-delegated-access-permissions-dap-p.md
Title: "Manage Microsoft 365 with Windows PowerShell for DAP partners"--++ audience: Admin
enterprise Manage Passwords With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-passwords-with-microsoft-365-powershell.md
Title: "Manage passwords with PowerShell"--++ audience: Admin
enterprise Manage Security Groups With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-security-groups-with-microsoft-365-powershell.md
Title: "Manage security groups with PowerShell"--++ audience: Admin
enterprise Manage Sharepoint Online With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-sharepoint-online-with-microsoft-365-powershell.md
Title: "Manage SharePoint with PowerShell"--++ Last updated 07/17/2020 audience: Admin
enterprise Manage Sharepoint Site Groups With Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-sharepoint-site-groups-with-powershell.md
Title: "Manage SharePoint Online site groups with PowerShell"--++ Last updated 12/17/2019 audience: Admin
enterprise Manage Sharepoint Users And Groups With Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-sharepoint-users-and-groups-with-powershell.md
Title: "Manage SharePoint Online users and groups with PowerShell"--++ Last updated 07/17/2020 audience: Admin
enterprise Manage Skype For Business Online Policies With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-skype-for-business-online-policies-with-microsoft-365-powershell.md
Title: "Manage Skype for Business Online policies with PowerShell"--++ Last updated 07/17/2020 audience: ITPro
enterprise Manage Skype For Business Online With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-skype-for-business-online-with-microsoft-365-powershell.md
Title: "Manage Skype for Business Online with PowerShell"--++ Last updated 07/17/2020 audience: ITPro
enterprise Manage User Accounts And Licenses With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/manage-user-accounts-and-licenses-with-microsoft-365-powershell.md
Title: "Manage Microsoft 365 user accounts, licenses, and groups with PowerShell"--++ Last updated 11/13/2020 audience: ITPro
enterprise Microsoft 365 Exchange Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-exchange-monitoring.md
Title: "Exchange Online monitoring for Microsoft 365"--++ Last updated 12/03/2020 audience: Admin
enterprise Microsoft 365 Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-integration.md
Title: "Microsoft 365 integration with on-premises environments"--++ audience: Admin
enterprise Microsoft 365 Inter Tenant Collaboration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-inter-tenant-collaboration.md
Title: "Microsoft 365 inter-tenant collaboration"--++ audience: Admin
enterprise Microsoft 365 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-overview.md
Title: Microsoft 365 for enterprise overview f1.keywords: - NOCSH--++ Last updated 02/01/2021 audience: ITPro
enterprise Microsoft 365 Powershell Community Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-powershell-community-resources.md
Title: "Microsoft 365 community resources for PowerShell"--++ Last updated 07/17/2020 audience: ITPro
enterprise Microsoft 365 Secure Sign In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-secure-sign-in.md
Title: "Secure user sign-ins to your Microsoft 365 tenant" f1.keywords: - NOCSH--++ Last updated 09/30/2020 audience: ITPro
enterprise Microsoft 365 Tenant To Tenant Migrations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-tenant-to-tenant-migrations.md
Title: "Microsoft 365 tenant-to-tenant migrations"--++ audience: Admin
enterprise Migrate Data To Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/migrate-data-to-office-365.md
Title: "Migrate your organization data to Microsoft 365 Enterprise"--++ audience: ITPro
enterprise Multi Factor Authentication Microsoft 365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-factor-authentication-microsoft-365-test-environment.md
Title: Microsoft 365 for enterprise test environment multi-factor authentication f1.keywords: - NOCSH--++ Last updated 12/12/2019 audience: ITPro
enterprise Network Requests In Office 2016 For Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/network-requests-in-office-2016-for-mac.md
Title: "Network requests in Office for Mac"--++ Last updated 11/9/2018 audience: ITPro
enterprise Pass Through Auth M365 Ent Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/pass-through-auth-m365-ent-test-environment.md
Title: "Pass-through authentication for your Microsoft 365 test environment" f1.keywords: - NOCSH--++ Last updated 11/21/2019 audience: ITPro
enterprise Password Hash Sync M365 Ent Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/password-hash-sync-m365-ent-test-environment.md
Title: "Password hash synchronization for your Microsoft 365 test environment" f1.keywords: - NOCSH--++ Last updated 05/26/2020 audience: ITPro
enterprise Password Reset M365 Ent Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/password-reset-m365-ent-test-environment.md
Title: "Password reset for your Microsoft 365 test environment" f1.keywords: - NOCSH--++ Last updated 12/13/2019 audience: ITPro
enterprise Password Writeback M365 Ent Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/password-writeback-m365-ent-test-environment.md
Title: "Password writeback for your Microsoft 365 test environment" f1.keywords: - NOCSH--++ Last updated 11/22/2019 audience: ITPro
enterprise Phs Prereqs M365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/phs-prereqs-m365-test-environment.md
Title: "Identity and device access prerequisites for password hash synchronization in your Microsoft 365 test environment"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Placeholder https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/placeholder.md
Title: Placeholder article f1.keywords: - NOCSH--++ Last updated 09/19/2019 audience: ITPro
enterprise Plan For Directory Synchronization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/plan-for-directory-synchronization.md
Title: "Hybrid identity and directory synchronization for Microsoft 365"--++ audience: Admin
enterprise Plan For Third Party Ssl Certificates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/plan-for-third-party-ssl-certificates.md
Title: "Plan for third-party SSL certificates for Microsoft 365"--++ audience: ITPro Last updated 05/15/2019
enterprise Plan Upgrade Previous Versions Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/plan-upgrade-previous-versions-office.md
Title: "Plan your upgrade from Office 2007 or 2010 servers and clients"--++ audience: ITPro
enterprise Powershell Roadmap Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/powershell-roadmap-microsoft-365.md
Title: PowerShell roadmap for Microsoft 365 f1.keywords: - NOCSH--++ Last updated 09/19/2019 audience: ITPro
enterprise Pps 2007 End Of Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/pps-2007-end-of-support.md
Title: "PerformancePoint Server 2007 end of support roadmap"--++ audience: ITPro
enterprise Prepare A Non Routable Domain For Directory Synchronization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization.md
Title: "Prepare a non-routable domain for directory synchronization"--++ audience: Admin
enterprise Prepare For Directory Synchronization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/prepare-for-directory-synchronization.md
Title: "Prepare for directory synchronization to Microsoft 365"--++ Last updated 09/30/2020 audience: Admin
enterprise Protect Global Administrator Accounts Microsoft 365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/protect-global-administrator-accounts-microsoft-365-test-environment.md
Title: "Protect global administrator accounts in your Microsoft 365 for enterprise test environment" f1.keywords: - NOCSH--++ Last updated 12/12/2019 audience: ITPro
enterprise Protect Your Global Administrator Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/protect-your-global-administrator-accounts.md
Title: "Protect your Microsoft 365 global administrator accounts"--++ Last updated 09/30/2020 audience: Admin
enterprise Pta Prereqs M365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/pta-prereqs-m365-test-environment.md
Title: "Identity and device access prerequisites for pass-through authentication in your Microsoft 365 test environment"-+ f1.keywords: - NOCSH-+ audience: ITPro
enterprise Remove Licenses From User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/remove-licenses-from-user-accounts-with-microsoft-365-powershell.md
Title: "Remove Microsoft 365 licenses from user accounts with PowerShell"--++ Last updated 09/23/2020 audience: Admin
enterprise Retrieve Customer Tenant Reporting Data With Windows Powershell For Delegated Ac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/retrieve-customer-tenant-reporting-data-with-windows-powershell-for-delegated-ac.md
Title: "Retrieve customer tenant reporting data with Windows PowerShell for DAP partners"--++ audience: Admin
enterprise Set Up Directory Synchronization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/set-up-directory-synchronization.md
Title: "Set up directory synchronization for Microsoft 365"--++ Last updated 09/30/2020 audience: Admin
enterprise Set Up Network For Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/set-up-network-for-microsoft-365.md
Title: "Set up your network for Microsoft 365"--++ Last updated 11/19/2019 audience: ITPro
enterprise Setup Guides For Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/setup-guides-for-microsoft-365.md
Title: "Setup guides for Microsoft 365 and Office 365 services"--++ audience: ITPro
enterprise Setup Overview For Enterprises https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/setup-overview-for-enterprises.md
Title: "Deploy Microsoft 365 Enterprise for your organization"--++ Last updated 11/19/2019 audience: ITPro
enterprise Simulated Cross Premises Microsoft 365 Enterprise https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/simulated-cross-premises-microsoft-365-enterprise.md
Title: "Simulated cross-premises virtual network in a Microsoft 365 test environment" f1.keywords: - NOCSH--++ Last updated 11/14/2019 audience: ITPro
enterprise Simulated Ent Base Configuration Microsoft 365 Enterprise https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/simulated-ent-base-configuration-microsoft-365-enterprise.md
Title: "Simulated enterprise base configuration for Microsoft 365" f1.keywords: - NOCSH--++ Last updated 11/21/2019 audience: ITPro
enterprise Single Sign On M365 Ent Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/single-sign-on-m365-ent-test-environment.md
Title: "Azure AD Seamless Single Sign-on for your Microsoft 365 test environment" f1.keywords: - NOCSH--++ Last updated 11/21/2019 audience: ITPro
enterprise Skype For Business Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/skype-for-business-online.md
Title: "Skype for Business Online in Office 365 - Admin Help"--++ Last updated 6/29/2018 audience: Admin
enterprise Subscriptions Licenses Accounts And Tenants For Microsoft Cloud Offerings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings.md
Title: "Subscriptions, licenses, accounts, and tenants for Microsoft's cloud offerings"--++ audience: ITPro
enterprise Tenant Roadmap Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/tenant-roadmap-microsoft-365.md
Title: Tenant roadmap for Microsoft 365 f1.keywords: - NOCSH--++ audience: ITPro
enterprise Turn Off Directory Synchronization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/turn-off-directory-synchronization.md
Title: "Turn off directory synchronization for Microsoft 365"--++ audience: Admin
enterprise Upgrade From Office 2007 Servers And Products https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/upgrade-from-office-2007-servers-and-products.md
Title: "Resources to help you upgrade from Office 2007 servers and clients"--++ Last updated 11/01/2018 audience: ITPro
enterprise Upgrade From Office 2010 Servers And Products https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/upgrade-from-office-2010-servers-and-products.md
Title: "Resources to help you upgrade from Office 2010 servers and clients"--++ audience: ITPro
enterprise Use Powershell To Perform A Staged Migration To Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-powershell-to-perform-a-staged-migration-to-microsoft-365.md
Title: "Use PowerShell to perform a staged migration to Microsoft 365"--++ Last updated 07/17/2020 audience: Admin
enterprise Use Powershell To Perform An Imap Migration To Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-powershell-to-perform-an-imap-migration-to-microsoft-365.md
Title: "Use PowerShell to perform an IMAP migration to Microsoft 365"--++ Last updated 07/17/2020 audience: Admin
enterprise Use Windows Powershell To Create Reports In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/use-windows-powershell-to-create-reports-in-microsoft-365.md
Title: "Use PowerShell to create reports for Microsoft 365"--++ Last updated 07/17/2020 audience: ITPro
enterprise View Account License And Service Details With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-account-license-and-service-details-with-microsoft-365-powershell.md
Title: "View Microsoft 365 account license and service details with PowerShell"--++ Last updated 07/17/2020 audience: Admin
enterprise View Directory Synchronization Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-directory-synchronization-status.md
Title: "View directory synchronization status in Microsoft 365"--++ audience: Admin
enterprise View Licensed And Unlicensed Users With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-licensed-and-unlicensed-users-with-microsoft-365-powershell.md
Title: "View licensed and unlicensed Microsoft 365 users with PowerShell"--++ Last updated 07/21/2020 audience: Admin
enterprise View Licenses And Services With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-licenses-and-services-with-microsoft-365-powershell.md
Title: "View Microsoft 365 licenses and services with PowerShell"--++ Last updated 07/17/2020 audience: Admin
enterprise View Service Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-service-health.md
Title: "How to check Microsoft 365 service health"--++ audience: Admin
enterprise View User Accounts With Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-user-accounts-with-microsoft-365-powershell.md
Title: "View Microsoft 365 user accounts with PowerShell"--++ Last updated 07/17/2020 audience: Admin
enterprise Why You Need To Use Microsoft 365 Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/why-you-need-to-use-microsoft-365-powershell.md
Title: "Why you need to use PowerShell for Microsoft 365"--++ Last updated 07/17/2020 audience: ITPro
lighthouse M365 Lighthouse Deploy Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-baselines.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Microsoft 365 Lighthouse baselines let you deploy standard managed tenant configurations to secure tenant users, devices, and data. There are six default baseline configurations that come standard with Microsoft 365 Lighthouse:
+Microsoft 365 Lighthouse baselines let you deploy standard managed-tenant configurations to secure users, devices, and data within customer tenants. There are six default baseline configurations that come standard with Microsoft 365 Lighthouse:
- Require MFA for admins - Require MFA for end users
Select **Baselines** from the left navigation pane to open the Baselines page. Y
2. Select the tenant you want to deploy the baseline configuration to.
-3. Select the **Deployment plan** tab to see all the deployment steps from the baseline that have been added to the tenant's deployment plan.
+3. Select the **Deployment Plans** tab to see all the deployment steps from the baseline that have been added to the tenant's deployment plan.
4. Select a deployment step to open the deployment step page.
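Review bot: In step 3 the tab label becomes **Deployment Plans** (capitalized, plural) while the same sentence still ends with "the tenant's deployment plan". Please confirm the bold text matches the tab label in the Lighthouse UI exactly, so that readers looking for the tab find the same wording on screen.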
lighthouse M365 Lighthouse Deploy Standard Tenant Configurations Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Microsoft 365 Lighthouse baselines provide a repeatable and scalable way for you to assess and manage Microsoft 365 security settings across multiple tenants. Baselines also help monitor core security policies and tenant compliance standards with configurations that secure users, devices, and data.
+Microsoft 365 Lighthouse baselines provide a repeatable and scalable way for you to assess and manage Microsoft 365 security settings across multiple customer tenants. Baselines also help monitor core security policies and tenant compliance standards with configurations that secure users, devices, and data.
Designed to help partners enable customer adoption of security at their own pace, Microsoft 365 Lighthouse provides a standard set of baseline parameters and pre-defined configurations for Microsoft 365 services. These security configurations help measure your tenants' Microsoft 365 security and compliance progress.
lighthouse M365 Lighthouse Device Compliance Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-device-compliance-page-overview.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Microsoft 365 Lighthouse lets you view insights and information related to Intune device compliance for all your tenants by selecting **Devices** in the left navigation pane to open the Device compliance page. From this page, you can get an overview of compliance status across tenants, view a list of devices for each tenant, and get status reports on compliance policies and settings.
+Microsoft 365 Lighthouse lets you view insights and information related to Intune device compliance for all your customer tenants by selecting **Devices** in the left navigation pane to open the Device compliance page. From this page, you can get an overview of compliance status across tenants, view a list of devices for each tenant, and get status reports on compliance policies and settings.
## Overview tab
The Policies tab also includes the following options:
## Settings tab
-The settings tab provides an aggregated report of non-compliant settings across tenant devices.
+The Settings tab provides an aggregated report of non-compliant settings across tenant devices.
To see non-compliant settings for devices on a specific platform, use the **Platform** dropdown menu to filter the list. To see non-compliant settings for one or more specific customer tenants, use the **Tenants** dropdown menu to filter the list.
lighthouse M365 Lighthouse Threat Management Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-threat-management-page-overview.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
Microsoft Defender Antivirus protects tenants, users, and devices from software threats including viruses, malware, and spyware. It's robust, ongoing protection that's built into Windows 10 and included with Microsoft 365 Business Premium.
-To access the Threat management page in Microsoft 365 Lighthouse, select **Threat Management** in the left navigation pane to view your tenants' security posture against threats. You'll see tenants, users, and devices that require your attention and recommendations that will help you reduce risk.
+To access the Threat management page in Microsoft 365 Lighthouse, select **Threat Management** in the left navigation pane to view your customer tenants' security posture against threats. You'll see tenants, users, and devices that require your attention and recommendations that will help you reduce risk.
## Overview tab
lighthouse M365 Lighthouse Users Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-users-page-overview.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Microsoft 365 Lighthouse lets you manage users across tenant accounts by selecting **Users** in the left navigation pane to open the Users page. From this page, you can search for users and assess and act on the security state of your user accounts. You can also view insights into risky users and the status of multifactor authentication and self-service password reset.
+Microsoft 365 Lighthouse lets you manage users across customer tenant accounts by selecting **Users** in the left navigation pane to open the Users page. From this page, you can search for users and assess and act on the security state of your user accounts. You can also view insights into risky users and the status of multifactor authentication and self-service password reset.
## Search users tab
managed-desktop Address Device Names https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/address-device-names.md
audience: Admin
Microsoft Managed Desktop applies a standardized name format when devices are enrolled and will automatically rename devices if the name is changed later. For more info, see [Device names](../service-description/device-names.md). > [!IMPORTANT]
-> If your environment depends on specific device names (for example, to support a particular network configuration), you should investigate options to remove that dependency before enrolling in Microsoft Managed Desktop. If you must keep the name dependency, you can submit a request through the [Admin portal](../working-with-managed-desktop/admin-support.md) to disable the renaming function and use your desired name format.
+> If your environment depends on specific device names (for example, to support a particular network configuration), you should investigate options to remove that dependency before enrolling in Microsoft Managed Desktop. If you must keep the name dependency, you can submit a request through the [Admin portal](../working-with-managed-desktop/admin-support.md) to disable the renaming function and use your desired name format.
+
+## Steps to get ready for Microsoft Managed Desktop
+
+1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
+2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review [prerequisites for guest accounts](guest-accounts.md).
+1. Check [network configuration](network.md).
+1. [Prepare certificates and network profiles](certs-wifi-lan.md).
+1. [Prepare user access to data](authentication.md).
+1. [Prepare apps](apps.md).
+1. [Prepare mapped drives](mapped-drives.md).
+1. [Prepare printing resources](printing.md).
+1. Address [device names (this article).
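Review bot: The last added step, `1. Address [device names (this article).`, opens a `[` that is never closed and has no link target, so the bracket will render literally. The other articles in this set write their own step as plain text, for example `Prepare apps (this article).`, so this line should read `1. Address device names (this article).` The list also numbers its items `1.`, `2.`, then `1.` for every remaining step; use either `1.` throughout or sequential numbers. The removed and re-added `> If your environment depends on specific device names` line looks identical in this view; if it is a whitespace-only change, consider leaving it out of the content commit.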
managed-desktop Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/apps.md
Review your apps, checking:
- Apps must be ready for management by Microsoft Intune. For more about this topic, see [Windows 10 app deployment using Microsoft Intune](/intune/apps-windows-10-app-deploy) and [Add apps to Microsoft Intune](/intune/apps-add). - Other pre-packaging requirements such as providing license keys, agreement with license terms, and pre-setting server connections.
-## Steps to get ready
-
-1. Review [Prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Use [Readiness assessment tools](readiness-assessment-tool.md).
-3. [Prerequisites for guest accounts](guest-accounts.md)
-4. [Network configuration for Microsoft Managed Desktop](network.md)
-5. [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md)
-6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md)
-7. [Apps in Microsoft Managed Desktop](apps.md) (This article)
-8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
+## Steps to get ready for Microsoft Managed Desktop
+
+1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
+2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review [prerequisites for guest accounts](guest-accounts.md).
+1. Check [network configuration](network.md).
+1. [Prepare certificates and network profiles](certs-wifi-lan.md).
+1. [Prepare user access to data](authentication.md).
+1. Prepare apps (this article).
+1. [Prepare mapped drives](mapped-drives.md).
+1. [Prepare printing resources](printing.md).
+1. Address [device names](address-device-names.md).
managed-desktop Authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/authentication.md
Microsoft Managed Desktop devices cannot connect to printers that are published
While printers can't be automatically discovered in a cloud only environment, your users can use on-premises printers by using the printer path or printer queue path, as long as the devices have access to an on-premises domain controller. <!--add fuller material on printers when available-->
-## Steps to get ready
-
-1. Review [Prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Use [Readiness assessment tools](readiness-assessment-tool.md).
-3. [Prerequisites for guest accounts](guest-accounts.md)
-4. [Network configuration for Microsoft Managed Desktop](network.md)
-5. [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md)
-6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md) (This article)
-7. [Apps in Microsoft Managed Desktop](apps.md)
-8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
+## Steps to get ready for Microsoft Managed Desktop
+
+1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
+2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review [prerequisites for guest accounts](guest-accounts.md).
+1. Check [network configuration](network.md).
+1. [Prepare certificates and network profiles](certs-wifi-lan.md).
+1. Prepare user access to data (this article).
+1. [Prepare apps](apps.md).
+1. [Prepare mapped drives](mapped-drives.md).
+1. [Prepare printing resources](printing.md).
+1. Address [device names](address-device-names.md).
managed-desktop Certs Wifi Lan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/certs-wifi-lan.md
To deploy certificates and profiles, follow these steps:
4. Create a profile for each corporate VPN (see [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/intune/vpn-settings-windows-10)). 5. Submit a Support request titled ΓÇ£Certificate DeploymentΓÇ¥ or ΓÇ£Wi-Fi Profile DeploymentΓÇ¥ to Microsoft Managed Desktop IT Operations using the Microsoft Managed Desktop Admin portal to review and deploy the configuration profile to ΓÇ£Modern Workplace Devices ΓÇô TestΓÇ¥. Microsoft Managed Desktop IT Operations will let you know when the request has been completed via the Support request in the Admin portal.
-## Steps to get ready
+## Steps to get ready for Microsoft Managed Desktop
-1. Review [Prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Use [Readiness assessment tools](readiness-assessment-tool.md).
-3. [Prerequisites for guest accounts](guest-accounts.md)
-4. [Network configuration for Microsoft Managed Desktop](network.md)
-5. [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md) (This article)
-6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md)
-7. [Apps in Microsoft Managed Desktop](apps.md)
-8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
+1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
+2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review [prerequisites for guest accounts](guest-accounts.md).
+1. Check [network configuration](network.md).
+1. Prepare certificates and network profiles (this article).
+1. [Prepare user access to data](authentication.md).
+1. [Prepare apps](apps.md).
+1. [Prepare mapped drives](mapped-drives.md).
+1. [Prepare printing resources](printing.md).
+1. Address [device names](address-device-names.md).
managed-desktop Guest Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/guest-accounts.md
To enable this setting, follow these steps:
For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins).
-## Steps to get ready
+## Steps to get ready for Microsoft Managed Desktop
1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Use [readiness assessment tools](readiness-assessment-tool.md).
-3. [Prerequisites for guest accounts](guest-accounts.md) (This article)
-4. [Network configuration for Microsoft Managed Desktop](network.md)
-5. [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md)
-6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md)
-7. [Apps in Microsoft Managed Desktop](apps.md)
-8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
+2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review prerequisites for guest accounts (this article).
+1. Check [network configuration](network.md).
+1. [Prepare certificates and network profiles](certs-wifi-lan.md).
+1. [Prepare user access to data](authentication.md).
+1. [Prepare apps](apps.md).
+1. [Prepare mapped drives](mapped-drives.md).
+1. [Prepare printing resources](printing.md).
+1. Address [device names](address-device-names.md).
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/index.md
audience: Admin
These topics describe the steps you'll need to take in your organization to prepare for enrollment, including checking that your environment meets key prerequisites, configuring networks, setting up certificates, and preparing your apps for inclusion in the service. Once you have run the readiness assessment tools, you can complete the other steps in any order or in parallel. Depending on your environment, some of the steps might not be relevant to you.
-![Suggested sequence of steps to get ready for enrollment, listed in this article](../../medi_getready_sequence.png)
+![Suggested sequence of steps to get ready for enrollment, listed in this article](../../medi-getready-sequence.png)
1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Use [readiness assessment tools](readiness-assessment-tool.md).
-3. [Prerequisites for guest accounts](guest-accounts.md)
-4. [Network configuration for Microsoft Managed Desktop](network.md)
-5. [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md)
-6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md)
-7. [Apps in Microsoft Managed Desktop](apps.md)
-8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
+2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review [prerequisites for guest accounts](guest-accounts.md).
+1. Check [network configuration](network.md).
+1. [Prepare certificates and network profiles](certs-wifi-lan.md).
+1. [Prepare user access to data](authentication.md).
+1. [Prepare apps](apps.md).
+1. [Prepare mapped drives](mapped-drives.md).
+1. [Prepare printing resources](printing.md).
+1. Address [device names](address-device-names.md).
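Review bot: The step list under the image grows from nine to eleven entries (Company Portal and device names are new), but the only change on the image line is the file name, `medi_getready_sequence.png` to `medi-getready-sequence.png`. Please confirm that the image file was renamed in the same commit and that it shows the same eleven steps; otherwise the link breaks or the picture disagrees with the list it illustrates.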
managed-desktop Mapped Drives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/mapped-drives.md
Make sure that mapped drives cannot be avoided and you have carefully reviewed t
4. You must test and confirm whether the configuration deployed by the Microsoft Managed Desktop IT Operations works as you expect. Reply using the Discussion tab in the details of the same support request to notify Microsoft Managed Desktop IT Operations once you've completed your testing. 5. Microsoft Managed Desktop IT Operations team will then deploy the configuration to the other deployment groups.
-## Steps to get ready
-
-1. Review [Prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. [Use Readiness assessment tools](readiness-assessment-tool.md).
-3. [Prerequisites for guest accounts](guest-accounts.md)
-4. [Network configuration for Microsoft Managed Desktop](network.md)
-5. [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md)
-6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md)
-7. [Apps in Microsoft Managed Desktop](apps.md)
-8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md) (This article)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
+## Steps to get ready for Microsoft Managed Desktop
+
+1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
+2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review [prerequisites for guest accounts](guest-accounts.md).
+1. Check [network configuration](network.md).
+1. [Prepare certificates and network profiles](certs-wifi-lan.md).
+1. [Prepare user access to data](authentication.md).
+1. [Prepare apps](apps.md).
+1. Prepare mapped drives (this article).
+1. [Prepare printing resources](printing.md).
+1. Address [device names](address-device-names.md).
managed-desktop Network https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/network.md
Microsoft Teams | \*.teams.skype.com <br>\*.teams.microsoft.com <br>teams.micr
Power BI | maxcdn.bootstrapcdn.com <br>ajax.aspnetcdn.com <br>netdna.bootstrapcdn.com <br>cdn.optimizely.com <br>google-analytics.com <br>\*.mktoresp.com <br>\*.aadcdn.microsoftonline-p.com <br>\*.msecnd.com <br>\*.localytics.com <br>ajax.aspnetcdn.com <br>\*.localytics.com <br>\*.virtualearth.net <br>platform.bing.com <br>powerbi.microsoft.com <br>c.microsoft.com <br>app.powerbi.com <br>\*.powerbi.com <br>dc.services.visualstudio.com <br>support.powerbi.com <br>powerbi.uservoice.com <br>go.microsoft.com <br>c1.microsoft.com <br>\*.azureedge.net |[Power BI & Express Route](/power-bi/service-admin-power-bi-expressroute) OneNote | apis.live.net <br>www.onedrive.com <br>login.microsoft.com <br>www.onenote.com <br>\*.onenote.com <br>\*.msecnd.net <br>\*.microsoft.com <br>\*.office.net <br>cdn.onenote.net <br>site-cdn.onenote.net <br>cdn.optimizely.com <br>Ajax.aspnetcdn.com <br>officeapps.live.com <br>\\*.onenote.com <br>\*cdn.onenote.net <br>contentstorage.osi.office.net <br>\*onenote.officeapps.live.com <br>\*.microsoft.com | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-## Steps to get ready
-
-1. Review [Prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Use [Readiness assessment tools](readiness-assessment-tool.md).
-3. [Prerequisites for guest accounts](guest-accounts.md)
-4. [Network configuration for Microsoft Managed Desktop](network.md) (This article)
-5. [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md)
-6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md)
-7. [Apps in Microsoft Managed Desktop](apps.md)
-8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
+## Steps to get ready for Microsoft Managed Desktop
+
+1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
+2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review [prerequisites for guest accounts](guest-accounts.md).
+1. Check network configuration (this article).
+1. [Prepare certificates and network profiles](certs-wifi-lan.md).
+1. [Prepare user access to data](authentication.md).
+1. [Prepare apps](apps.md).
+1. [Prepare mapped drives](mapped-drives.md).
+1. [Prepare printing resources](printing.md).
+1. Address [device names](address-device-names.md).
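Review bot: The added list mixes numbering styles: the first two items are written "1." and "2.", and every item after that is "1." again. Markdown renders this as a sequential list, but the source is harder to maintain and diff. Suggest using "1." on every line (the convention the get-started lists in this change already follow) or numbering all eleven items explicitly.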
managed-desktop Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/prerequisites.md
Microsoft Managed Desktop requires certain license options in order to function.
> [!TIP] > Your Microsoft Account Manager will help you review your current licenses and service plans and find the most efficient path for you to get any additional licenses or service plans you might need, while avoiding duplication.
-## Steps to get ready
+## Steps to get ready for Microsoft Managed Desktop
-1. Review [Prerequisites for Microsoft Managed Desktop](prerequisites.md). (This article)
-2. Use [Readiness assessment tools](readiness-assessment-tool.md).
-3. [Prerequisites for guest accounts](guest-accounts.md)
-4. [Network configuration for Microsoft Managed Desktop](network.md)
-5. [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md)
-6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md)
-7. [Apps in Microsoft Managed Desktop](apps.md)
-8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
+1. Review prerequisites (this article).
+2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review [prerequisites for guest accounts](guest-accounts.md).
+1. Check [network configuration](network.md).
+1. [Prepare certificates and network profiles](certs-wifi-lan.md).
+1. [Prepare user access to data](authentication.md).
+1. [Prepare apps](apps.md).
+1. [Prepare mapped drives](mapped-drives.md).
+1. [Prepare printing resources](printing.md).
+1. Address [device names](address-device-names.md).
managed-desktop Printing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/printing.md
If you've decided to deploy printers by using a custom PowerShell script and hav
## Steps to get ready
-1. Review [Prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Use [Readiness assessment tools](readiness-assessment-tool.md).
-3. [Prerequisites for guest accounts](guest-accounts.md)
-4. [Network configuration for Microsoft Managed Desktop](network.md)
-5. [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md)
-6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md)
-7. [Apps in Microsoft Managed Desktop](apps.md)
-8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md) (This article)
+1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
+2. Run [readiness assessment tools](readiness-assessment-tool.md).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review [prerequisites for guest accounts](guest-accounts.md).
+1. Check [network configuration](network.md).
+1. [Prepare certificates and network profiles](certs-wifi-lan.md).
+1. [Prepare user access to data](authentication.md).
+1. [Prepare apps](apps.md).
+1. [Prepare mapped drives](mapped-drives.md).
+1. Prepare printing resources (this article).
+1. Address [device names](address-device-names.md).
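Review bot: The section heading in printing.md is left as "## Steps to get ready", while the other get-ready articles in this change rename it to "## Steps to get ready for Microsoft Managed Desktop". Suggest renaming it here too, so the heading and any anchor links to it are the same across the series.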
managed-desktop Readiness Assessment Tool https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-tool.md
For each check, the tool will report one of four possible results:
After you've completed enrollment in Microsoft Managed Desktop, remember to go back and adjust certain Intune and Azure AD settings. For details, see [Adjust settings after enrollment](../get-started/conditional-access.md).
-## Steps to get ready
+## Steps to get ready for Microsoft Managed Desktop
1. Review [prerequisites for Microsoft Managed Desktop](prerequisites.md).
-2. Use [readiness assessment tools](readiness-assessment-tool.md). (This article)
-3. [Prerequisites for guest accounts](guest-accounts.md)
-4. [Network configuration for Microsoft Managed Desktop](network.md)
-5. [Prepare certificates and network profiles for Microsoft Managed Desktop](certs-wifi-lan.md)
-6. [Prepare on-premises resources access for Microsoft Managed Desktop](authentication.md)
-7. [Apps in Microsoft Managed Desktop](apps.md)
-8. [Prepare mapped drives for Microsoft Managed Desktop](mapped-drives.md)
-9. [Prepare printing resources for Microsoft Managed Desktop](printing.md)
+2. Run readiness assessment tools (this article).
+1. Buy [Company Portal](../get-started/company-portal.md).
+1. Review [prerequisites for guest accounts](guest-accounts.md).
+1. Check [network configuration](network.md).
+1. [Prepare certificates and network profiles](certs-wifi-lan.md).
+1. [Prepare user access to data](authentication.md).
+1. [Prepare apps](apps.md).
+1. [Prepare mapped drives](mapped-drives.md).
+1. [Prepare printing resources](printing.md).
+1. Address [device names](address-device-names.md).
managed-desktop Access Admin Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/access-admin-portal.md
If you need to assign one or more of the built-in roles to a existing group, fol
6. Search for the group you want from **Users and groups**. 7. Search for the applicable role from **Select a role**, and then select it. 8. Select **Assign**.+
+## Steps to get started with Microsoft Managed Desktop
+
+1. Access admin portal (this article).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. [Assign licenses](assign-licenses.md).
+1. [Deploy apps](deploy-apps.md).
+1. [Set up devices](set-up-devices.md).
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. [Enable user support features](enable-support.md).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. [Get started with app control](get-started-app-control.md).
managed-desktop Add Admin Contacts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/add-admin-contacts.md
Admin contacts are required when you [submit a Support request](../service-descr
## Steps to get started with Microsoft Managed Desktop
-1. Add and verify admin contacts in the Admin portal (this topic)
-2. [Adjust conditional access](conditional-access.md)
-3. [Assign licenses](assign-licenses.md)
-4. [Install Intune Company Portal on on devices](company-portal.md)
-5. [Enable Enterprise State Roaming](enterprise-state-roaming.md)
-6. [Set up Microsoft Managed Desktop devices](set-up-devices.md)
-7. [Get your users ready to use devices](get-started-devices.md)
-8. [Deploy apps to devices](deploy-apps.md)
+1. Access [admin portal](access-admin-portal.md).
+1. Add and verify admin contacts in the Admin portal (this article).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. [Assign licenses](assign-licenses.md).
+1. [Deploy apps](deploy-apps.md).
+1. [Set up devices](set-up-devices.md).
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. [Enable user support features](enable-support.md).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. [Get started with app control](get-started-app-control.md).
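Review bot: The old step 5, "[Enable Enterprise State Roaming](enterprise-state-roaming.md)", is removed from the sequence and nothing in the new list replaces it. If that article still exists, it is no longer reachable from this navigation list. If it was retired, confirm a redirect is in place. The new order also puts "Deploy apps" ahead of "Set up devices", the reverse of the old list, so it is worth confirming that reordering is intended and matches the sequence image added to index.md.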
managed-desktop Assign Licenses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/assign-licenses.md
If you have any difficulty with license assignment, contact Admin [support](../w
## Steps to get started with Microsoft Managed Desktop
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md)
-2. [Adjust conditional access](conditional-access.md)
-3. Assign licenses (this article)
-4. [Deploy Intune Company Portal](company-portal.md)
-5. [Enable Enterprise State Roaming](enterprise-state-roaming.md)
-6. [Set up devices](set-up-devices.md)
-7. [Get your users ready to use devices](get-started-devices.md)
-8. [Deploy apps](deploy-apps.md)
+1. Access [admin portal](access-admin-portal.md).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. Assign licenses (this article).
+1. [Deploy apps](deploy-apps.md).
+1. [Set up devices](set-up-devices.md).
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. [Enable user support features](enable-support.md).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. [Get started with app control](get-started-app-control.md).
managed-desktop Company Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/company-portal.md
As the IT administrator for your organization, itΓÇÖs important to let your user
## Steps to get started with Microsoft Managed Desktop
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md)
-2. [Adjust conditional access](conditional-access.md)
-3. [Assign licenses](assign-licenses.md)
-4. Deploy Intune Company Portal (this topic)
-5. [Enable Enterprise State Roaming](enterprise-state-roaming.md)
-6. [Set up devices](set-up-devices.md)
-7. [Get your users ready to use devices](get-started-devices.md)
-8. [Deploy apps](deploy-apps.md)
+1. Access [admin portal](access-admin-portal.md).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign Intune Company Portal (this article).
+1. [Assign licenses](assign-licenses.md).
+1. [Deploy apps](deploy-apps.md).
+1. [Set up devices](set-up-devices.md)
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. [Enable user support features](enable-support.md).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. [Get started with app control](get-started-app-control.md).
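Review bot: The added item "1. [Set up devices](set-up-devices.md)" is missing its trailing period. Every other item in this list, and the same item in the sibling articles, ends with one. Suggest "1. [Set up devices](set-up-devices.md)." so the copies of this list stay identical.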
managed-desktop Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/conditional-access.md
In this query, replace @TENANT with your tenant domain name.
## Steps to get started with Microsoft Managed Desktop
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md)
-2. Adjust settings after enrollment (this article)
-3. [Assign licenses](assign-licenses.md)
-4. [Deploy Intune Company Portal](company-portal.md)
-5. [Enable Enterprise State Roaming](enterprise-state-roaming.md)
-6. [Set up devices](set-up-devices.md)
-7. [Get your users ready to use devices](get-started-devices.md)
-8. [Deploy apps](deploy-apps.md)
+1. Access [admin portal](access-admin-portal.md).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. Adjust settings after enrollment (this article).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. [Assign licenses](assign-licenses.md).
+1. [Deploy apps](deploy-apps.md).
+1. [Set up devices](set-up-devices.md).
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. [Enable user support features](enable-support.md).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. [Get started with app control](get-started-app-control.md).
managed-desktop Deploy Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/deploy-apps.md
Add your users to these groups to either make the app available, install the app
## Steps to get started with Microsoft Managed Desktop
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md)
-2. [Adjust conditional access](conditional-access.md)
-3. [Assign licenses](assign-licenses.md)
-4. [Deploy Intune Company Portal](company-portal.md)
-5. [Enable Enterprise State Roaming](enterprise-state-roaming.md)
-6. [Set up devices](set-up-devices.md)
-7. [Get your users ready to use devices](get-started-devices.md)
-8. Deploy apps (this topic)
+1. Access [admin portal](access-admin-portal.md).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. [Assign licenses](assign-licenses.md).
+1. Deploy apps (this article).
+1. [Set up devices](set-up-devices.md).
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. [Enable user support features](enable-support.md).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. [Get started with app control](get-started-app-control.md).
<!--# Preparing apps for Microsoft Managed Desktop
managed-desktop Enable Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/enable-support.md
Whether you are providing your own user support or working with a partner to pro
1. If they don't already have one, users need an account in same Azure Active Directory (AAD) domain as the Microsoft Managed Desktop devices. 2. Add the user accounts from Step 1 to the **Modern Workplace Roles-Support Partner** security group in AAD.
-<!--when available, add link to downloadable articles at DLC-->
+<!--when available, add link to downloadable articles at DLC-->
+
+## Steps to get started with Microsoft Managed Desktop
+
+1. Access [admin portal](access-admin-portal.md).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. [Assign licenses](assign-licenses.md).
+1. [Deploy apps](deploy-apps.md).
+1. [Set up devices](set-up-devices.md).
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. Enable user support features (this article).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. [Get started with app control](get-started-app-control.md).
managed-desktop Esp First Run https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/esp-first-run.md
Microsoft Managed Desktop uses these settings for the Enrollment Status Page exp
|Allow users to reset device if installation error occurs|Yes| |Allow users to use device if installation error occurs|Yes| |Block device use until these required apps are installed if they are assigned to the user/device|Modern Workplace - Time Correction|Modern Workplace - Client Library|
-|
+ The Enrollment Status Page experience occurs in three phases. For more, see [Enrollment Status Page tracking information](/mem/intune/enrollment/windows-enrollment-status#enrollment-status-page-tracking-information).
You might want to request a different device name template. You cannot, however,
- Keep the total size of all applications collectively under 1 GB to avoid timeouts during the application installation phase. - Ideally, apps should not have any dependencies. If you have apps that *must* have dependencies, be sure you configure, test, and validate them as part of your ESP evaluation. - Microsoft Teams cannot be included in ESP.+
+## Steps to get started with Microsoft Managed Desktop
+
+1. Access [admin portal](access-admin-portal.md).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. [Assign licenses](assign-licenses.md).
+1. [Deploy apps](deploy-apps.md).
+1. [Set up devices](set-up-devices.md).
+1. Set up first-run experience with Autopilot and the Enrollment Status Page (this article).
+1. [Enable user support features](enable-support.md).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. [Get started with app control](get-started-app-control.md).
managed-desktop Get Started App Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/get-started-app-control.md
If already have at least one Microsoft Managed Desktop device in use, follow the
You can always open another service request to pause or roll back part of this deployment at any time during the rollout. -
+## Steps to get started with Microsoft Managed Desktop
+
+1. Access [admin portal](access-admin-portal.md).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. [Assign licenses](assign-licenses.md).
+1. [Deploy apps](deploy-apps.md).
+1. [Set up devices](set-up-devices.md).
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. [Enable user support features](enable-support.md).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. Get started with app control (this article).
managed-desktop Get Started Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/get-started-devices.md
At this point, you're ready to move on to deploying apps:
## Steps to get started with Microsoft Managed Desktop
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md)
-2. [Adjust conditional access](conditional-access.md)
-3. [Assign licenses](assign-licenses.md)
-4. [Deploy Intune Company Portal](company-portal.md)
-5. [Enable Enterprise State Roaming](enterprise-state-roaming.md)
-6. [Set up devices](set-up-devices.md)
-7. Get your users ready to use devices (this topic)
-8. [Deploy apps](deploy-apps.md)
+1. Access [admin portal](access-admin-portal.md).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. [Assign licenses](assign-licenses.md).
+1. [Deploy apps](deploy-apps.md).
+1. [Set up devices](set-up-devices.md).
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. [Enable user support features](enable-support.md).
+1. Get your users ready to use devices (this article).
+1. [Get started with app control](get-started-app-control.md).
managed-desktop Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/index.md
Now that youΓÇÖre ready to enroll, open [Microsoft Endpoint Manager](https://end
> [!NOTE] > You must be logged in as a Global Administrator to complete enrollment. For more information, see [access the admin portal](access-admin-portal.md) for details.
-Once youΓÇÖve finished enrollment, follow the steps below to configure the service. This is the recommended order to follow, but you do have some flexibility in the sequence.
+Once youΓÇÖve finished enrollment, follow the steps below to configure the service. This is the recommended order to follow, but you do have some flexibility in the sequence.
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md)
-2. [Adjust settings after enrollment](conditional-access.md)
-3. [Assign licenses](assign-licenses.md)
-4. [Deploy Intune Company Portal](company-portal.md)
-5. [Enable Enterprise State Roaming](enterprise-state-roaming.md)
-6. [Set up devices](set-up-devices.md)
-7. [Get your users ready to use devices](get-started-devices.md)
-8. [Deploy apps](deploy-apps.md)
+![Suggested sequence of steps to get started, listed in this article](../../medi-getstarted-sequence.png)
+
+1. Access [admin portal](access-admin-portal.md).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. [Assign licenses](assign-licenses.md).
+1. [Deploy apps](deploy-apps.md).
+1. [Set up devices](set-up-devices.md).
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. [Enable user support features](enable-support.md).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. [Get started with app control](get-started-app-control.md).
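Review bot: The image reference on the added line, "../../medi-getstarted-sequence.png", does not point into a "media" folder the way other image links in this docs set do (for example "../../media/AutoPilot.png"). Verify that the path resolves in the published build, since a broken image here leaves only the alt text above the list. The intro sentence is also removed and re-added with no visible wording change, which suggests a whitespace-only edit that could be dropped from the diff.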
managed-desktop Set Up Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/set-up-devices.md
We recommend working with one of our approved device partners. You can work with
## Steps to get started with Microsoft Managed Desktop
-1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md)
-2. [Adjust conditional access](conditional-access.md)
-3. [Assign licenses](assign-licenses.md)
-4. [Deploy Intune Company Portal](company-portal.md)
-5. [Enable Enterprise State Roaming](enterprise-state-roaming.md)
-6. Set up devices (this article)
-7. [Get your users ready to use devices](get-started-devices.md)
-8. [Deploy apps](deploy-apps.md)
+1. Access [admin portal](access-admin-portal.md).
+1. [Add and verify admin contacts in the Admin portal](add-admin-contacts.md).
+1. [Adjust settings after enrollment](conditional-access.md).
+1. Deploy and assign [Intune Company Portal](company-portal.md).
+1. [Assign licenses](assign-licenses.md).
+1. [Deploy apps](deploy-apps.md).
+1. Set up devices (this article).
+1. Set up [first-run experience with Autopilot and the Enrollment Status Page](esp-first-run.md).
+1. [Enable user support features](enable-support.md).
+1. [Get your users ready to use devices](get-started-devices.md).
+1. [Get started with app control](get-started-app-control.md).
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
The following steps will guide you through onboarding VDI devices and will highl
1. Click **Download package** and save the .zip file.
-2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
+2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the golden/master image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
- 1. If you aren't implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd.
+ 1. If you are implementing multiple entries for each device - one for each session, copy WindowsDefenderATPOnboardingScript.cmd.
1. If you're implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.
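Review bot: In the reworded sub-step, "multiple entries for each device - one for each session" uses a spaced hyphen as a dash, and "If you are" no longer matches "If you're" in the sub-step that follows. These two sub-steps decide which scripts go into the golden image's Startup folder, so the conditions should read as a clear pair. Suggest "If you're implementing multiple entries for each device (one for each session), copy WindowsDefenderATPOnboardingScript.cmd." Both sub-steps are also numbered "1.", so check that the rendered list shows them as two distinct alternatives.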
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
Title: Configure Microsoft Defender Antivirus exclusions on Windows Server-+ description: Windows Server includes automatic exclusions, based on server role. You can also add custom exclusions. keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Microsoft Defender Antivirus
- Previously updated : 02/10/2021 Last updated : 08/16/2021 # Configure Microsoft Defender Antivirus exclusions on Windows Server
Last updated 02/10/2021
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+On Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019, Microsoft Defender Antivirus automatically enrolls you in certain exclusions, as defined by your specified server role. These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
> [!NOTE]
-> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
+> Automatic exclusions only apply to real-time protection (RTP) scanning. Automatic exclusions are not honored during a full scan, quick scan, or on-demand scan.
-In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles:
+In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to the following articles:
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
In addition to server role-defined automatic exclusions, you can add or remove c
Keep the following important points in mind: - Custom exclusions take precedence over automatic exclusions.-- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
+- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a full scan, quick scan, or on-demand scan.
- Custom and duplicate exclusions do not conflict with automatic exclusions. - Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. ## Opt out of automatic exclusions
-In Windows Server 2016 and Windows Server 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+In Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
> [!WARNING] > Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and Windows Server 2019 roles.
-Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
+Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL folders to another drive or path that is *different from the original path*, you must add exclusions manually. See [Configure the list of exclusions based on folder name or file extension](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension).
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI. ### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then select **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**, and then select **Administrative templates**.
+ 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
-4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
-### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
+4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then select **OK**.
+
+### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server
Use the following cmdlets:
To learn more, see the following resources:
- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md). - [Use PowerShell with Microsoft Defender Antivirus](/powershell/module/defender/).
-### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server
Use the **Set** method of the [MSFT_MpPreference](/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
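Review bot: The new WMI heading still expands the acronym as "Windows Management Instruction"; WMI is Windows Management Instrumentation, and since the line is being touched anyway this is the place to fix it. The PowerShell and WMI headings now end in "on Windows Server", but the Group Policy heading above them keeps "on Windows Server 2016 and Windows Server 2019", so the three sibling headings no longer match. Either generalise all three or leave all three version-specific.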
The following sections contain the exclusions that are delivered with automatic
### Default exclusions for all roles
-This section lists the default exclusions for all Windows Server 2016 and 2019 roles.
+This section lists the default exclusions for all roles in Windows Server 2016 and Windows Server 2019.
> [!NOTE] > The default locations could be different than what's listed in this article.
security Device Control Removable Storage Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection.md
ms.technology: mde
[!INCLUDE [Prerelease](../includes/prerelease.md)]
-Microsoft Defender for Endpoint Device Control Removable Storage Protection prevents user or machine or both from using unauthorized removable storage media.
+Device control removable storage protection in Microsoft Defender for Endpoint prevents users, endpoints, or both from using unauthorized removable storage media.
## Protection policies
-### Device installation
+### Removable storage access control
-**Capabilities** - Prevent installation with or without exclusion based on various device properties.
+**Capabilities**
+
+- *Audit* Read or Write or Execute access to removable storage based on various device properties, with or without an exclusion.
+- *Prevent* Read or Write or Execute access with or without an exclusion - Allow specific device based on various device properties.
**Windows 10 support details**: -- Applied at machine level: the same policy applies for any logged on user.-- Supports Microsoft Endpoint Manager and Group Policy Objects.
+- Applied at either the device level, user level. or both. Only allow specific people performing Read/Write/Execute access to specific removable storage on specific machine.
+- Support MEM OMA-URI and GPO.
- Supported '[Device Properties](#device-properties)' as listed.-- For more information on Windows, see [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md).
+- For feature in Windows, see [Removable storage Access Control](device-control-removable-storage-access-control.md).
**Supported Platform** - Windows 10 **macOS support details**: -- Applied at machine level: the same policy applies for any logged on user
+- Applied at the device level: the same policy applies for any logged on user.
- For macOS specific information, see [Device control for macOS](mac-device-control-overview.md).
-**Supported platform** - macOS Catalina 10.15.4+ (with system extensions enabled) or later
+**Supported platform** - macOS Catalina 10.15.4+ (with system extensions enabled)
-### Removable storage Access Control
-**Capabilities**
+### Device installation
-- *Audit* Read or Write or Execute access to removable storage based on various device properties, with or without an exclusion.-- *Prevent* Read or Write or Execute access with or without an exclusion - Allow specific device based on various device properties.
+**Capabilities** - Prevent installation with or without exclusion based on various device properties.
**Windows 10 support details**: -- Applied at either machine or user or both. Only allow specific people performing Read/Write/Execute access to specific removable storage on specific machine.-- Support MEM OMA-URI and GPO.
+- Applied at the device level: the same policy applies for any logged on user.
+- Supports Microsoft Endpoint Manager and Group Policy Objects.
- Supported '[Device Properties](#device-properties)' as listed.-- For feature in Windows, see [Removable storage Access Control](device-control-removable-storage-access-control.md).
+- For more information on Windows, see [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md).
**Supported Platform** - Windows 10 **macOS support details**: -- Applied at machine level: the same policy applies for any logged on user.
+- Applied at the device level: the same policy applies for any logged on user
- For macOS specific information, see [Device control for macOS](mac-device-control-overview.md).
-**Supported platform** - macOS Catalina 10.15.4+ (with system extensions enabled)
+**Supported platform** - macOS Catalina 10.15.4+ (with system extensions enabled) or later
### Endpoint DLP Removable storage
-**Capabilities** - Audit or Warn or Prevent a user from copying an item or information to removable media or USB device.
+**Capabilities** - Audit, warn, or prevent a user from copying an item or information to removable media or USB device.
**Description** - For more information on Windows, see [Learn about Microsoft 365 Endpoint data loss prevention](../../compliance/endpoint-dlp-learn-about.md).
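Review bot: The added Windows 10 bullet reads "Applied at either the device level, user level. or both." with a full stop where a comma belongs, and "Only allow specific people performing Read/Write/Execute access" is not a sentence; suggest "Applied at the device level, the user level, or both. You can allow only specific users to perform Read, Write, or Execute access to specific removable storage on a specific machine." After the two sections were swapped, the macOS platform line under Device installation now says "10.15.4+ (with system extensions enabled) or later", which states the lower bound twice, and the macOS "Applied at the device level" bullet has a trailing period in one section and none in the other.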
Microsoft Defender for Endpoint Device Control Removable Storage Protection allo
**** |Property Name|Applicable Policies|Applies to Operating Systems|Description|
-|||||
-|Device Class|[How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|For information about Device ID formats, see [device setup class](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). **Note**: Device Installation can be applied to any devices, not only Removable storage.|
-|Primary ID|Removable storage Access Control|Windows|The Primary ID includes removable storage and CD/DVD.|
-|Device ID|[How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md); Removable storage Access Control|Windows|For information about Device ID formats, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07|
-|Hardware ID|[How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md); Removable storage Access Control|Windows|A string identified the device in the system, for example, USBSTOR\DiskGeneric_Flash_Disk___8.07; **Note**: Hardware ID is not unique; different devices might share the same value.|
-|Instance ID|Device Installation; Removable storage Access Control|Windows|A string uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0|
-|Friendly Name|Removable storage Access Control|Windows|A string attached to the device, for example, Generic Flash Disk USB Device|
-|Vendor ID / Product ID|Removable storage Access Control|Windows <br/> macOS |Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device; Support wildcard.|
-|Serial NumberId|Removable storage Access Control|Windows <br/> macOS |For example, <SerialNumberId>002324B534BCB431B000058A</SerialNumberId>|
-
-## See also
--- [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md)
+|||||
+|Device Class|- [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|For information about Device ID formats, see [device setup class](/windows-hardware/drivers/install/overview-of-device-setup-classes). The following two links provide the complete list of Device Setup Classes. ΓÇÿSystem UseΓÇÖ classes are mostly refer to devices that come with a computer/machine from the factory, while ΓÇÿVendorΓÇÖ classes are mostly refer to devices that could be connected to an existing computer/machine: [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) and [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use). **Note**: Device Installation can be applied to any devices, not only Removable storage.|
+|Primary ID|- [Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows|The Primary ID includes removable storage and CD/DVD and Windows Portable Device/WPD.|
+|Device ID|- [Removable storage Access Control](device-control-removable-storage-access-control.md);</br>- [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|For information about Device ID formats, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07|
+|Hardware ID|- [Removable storage Access Control](device-control-removable-storage-access-control.md);</br>- [How to control USB devices and other removable media using Microsoft Defender for Endpoint](control-usb-devices-using-intune.md)|Windows|A string identified the device in the system, for example, USBSTOR\DiskGeneric_Flash_Disk___8.07; **Note**: Hardware ID is not unique; different devices might share the same value.|
+|Instance ID|- [Removable storage Access Control](device-control-removable-storage-access-control.md);</br>- Device Installation|Windows|A string uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0|
+|Friendly Name|- [Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows|A string attached to the device, for example, Generic Flash Disk USB Device|
+|Vendor ID / Product ID|- [Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows <br/> macOS |Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device; Support wildcard.|
+|Serial NumberId|- [Removable storage Access Control](device-control-removable-storage-access-control.md)|Windows <br/> macOS |For example, <SerialNumberId>002324B534BCB431B000058A</SerialNumberId>|
+
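Review bot: The new Device Class row carries mis-encoded quotation marks ("ΓÇÿSystem UseΓÇÖ", "ΓÇÿVendorΓÇÖ") and the phrase "are mostly refer to" twice; re-save the file as UTF-8 with plain quotes and use "mostly refer to". The Device ID, Hardware ID and Instance ID rows separate links with `</br>`, which is a closing tag, while the Vendor ID and Serial NumberId rows use `<br/>`; use `<br/>` throughout. The literal `<SerialNumberId>` element in the last row is not escaped or code-formatted, so a Markdown renderer may drop the tags and show only the value. The "See also" section is removed with no replacement; confirm that is intended now that the links live in the table.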
security Device Discovery Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md
ARP, CDP, DHCP, DHCPv6, IP (headers), LLDP, LLMNR, mDNS, MNDP, NBNS, SSDP, TCP (
## Which protocols do you use for active probing in Standard discovery? When a device is configured to run Standard discovery, exposed services are being probed by using the following protocols:
-ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, CrestonCIP, IphoneSync
+ARP, FTP, HTTP, HTTPS, ICMP, LLMNR, NBNS, RDP, SIP, SMTP, SNMP, SSH, Telnet, UPNP, WSD, SMB, NBSS, IPP, PJL, RPC, mDNS, DHCP, AFP, CrestonCIP, IphoneSync, WinRM, VNC, SLP
## How can I exclude targets from being probed with Standard discovery? If there are devices on your network which should not be actively probed, you can also define a list of exclusions to prevent them from being scanned. The configuration is available in the device discovery settings page.
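Review bot: The added protocols (WinRM, VNC, SLP) widen what Standard discovery actively probes, but the answer gives readers no cue that the list changed or that they may want to revisit their exclusions. Teams that monitor remote-management ports will see new probe traffic from onboarded devices, so a one-line pointer from this answer to the exclusion question directly below would help them tell expected discovery traffic from something to investigate.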
security Get Domain Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-related-alerts.md
Empty
## Response
-If successful and domain exists - 200 OK with list of [alert](alerts.md) entities. If domain does not exist - 404 Not Found.
+If successful and domain exists - 200 OK with list of [alert](alerts.md) entities. If domain does not exist - 200 OK with an empty set.
## Example
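Review bot: Replacing "404 Not Found" with "200 OK with an empty set" on the Response line documents a contract change without saying so. Callers that branch on 404 to detect an unknown domain will now receive a success status, and "domain not known" becomes indistinguishable from "domain known, no alerts". Add a note stating that an empty list is the only signal for a domain with no data, so integrations that key on the status code can be updated.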
security Get Domain Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-related-machines.md
Empty
## Response
-If successful and domain exists - 200 OK with list of [machine](machine.md) entities. If domain do not exist - 404 Not Found.
+If successful and domain exists - 200 OK with list of [machine](machine.md) entities. If domain do not exist - 200 OK with an empty set.
## Example
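Review bot: The rewritten Response line keeps "If domain do not exist" from the old text, while the alerts and statistics pages say "does not exist". Fix the verb here while the line is being changed so the three domain API pages read the same.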
security Get Domain Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-statistics.md
Empty
## Response
-If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found.
+If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 200 OK with an prevalence set to 0.
## Example
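Review bot: "200 OK with an prevalence set to 0" on the new Response line has the wrong article and does not say where the value appears. Suggest "200 OK, with a statistics object whose prevalence is 0", which matches the success case described in the first half of the same line and tells callers what to test for.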
security Indicator Ip Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md
Defender for Endpoint can block what Microsoft deems as malicious IPs/URLs, thro
The threat intelligence data set for this has been managed by Microsoft.
-By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
+By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can also warn users with a prompt if they open a risky app. The prompt won't stop them from using the app but you can provide a custom message and links to a company page that describes appropriate usage of the app. Users can still bypass the warning and continue to use the app if they need.
++
+You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.
> [!NOTE] > Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
-### Before you begin
-
+## Before you begin
It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: - URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).-- The Antimalware client version must be 4.18.1906.x or later.-- Supported on machines on Windows 10, version 1709 or later.-- Ensure that **Custom network indicators** is enabled in **Microsoft 365 DefenderΓÇ»> Settings > Endpoints > Advanced features**. For more information, see [Advanced features](advanced-features.md).
+- The Antimalware client version must be 4.18.1906.x or later.
+- Supported on machines on Windows 10, version 1709 or later.
+- Ensure that **Custom network indicators** is enabled in **Microsoft 365 Defender > Settings > Endpoints > Advanced features**. For more information, see [Advanced features](advanced-features.md).
- For support of indicators on iOS, see [Configure custom indicators](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-custom-indicators). > [!IMPORTANT]
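Review bot: The warn-mode sentences added to the intro talk about users opening "a risky app", but this article is about indicators for IPs, URLs and domains; say what the warning looks like for a URL or domain indicator, or make clear that the app case is one example. Splitting the paragraph also leaves "You can do this through the settings page or by machine groups" directly after the warn text, so "this" now appears to mean warning users rather than creating indicators. A stray "++" line sits between the two paragraphs and should be removed.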
It's important to understand the following prerequisites prior to creating indic
> > There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
-### Create an indicator for IPs, URLs, or domains from the settings page
+
+When using the warn mode, you can configure the following controls:
+
+**Bypass ability**
+- Allow button in Edge
+- Allow button on toast (Non-Microsoft browsers)
+- Bypass duration parameter on the indicator
+- Bypass enforcement across Microsoft and Non-Microsoft browsers
+
+**Redirect URL**
+- Redirect URL parameter on the indicator
+- Redirect URL in Edge
+- Redirect URL on toast (Non-Microsoft browsers)
+
+For more information, see [Govern apps discovered by Microsoft Defender for Endpoint](/cloud-app-security/mde-govern).
+
+## Create an indicator for IPs, URLs, or domains from the settings page
1. In the navigation pane, select **Settings** > **Endpoints** > **Indicators** (under **Rules**).
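Review bot: The warn-mode controls are listed as bare noun phrases ("Bypass duration parameter on the indicator", "Bypass enforcement across Microsoft and Non-Microsoft browsers") with no explanation of what each control does, what values it accepts, or what the default is. Because the text above states that users can bypass a warning, readers need at least the unit and range of the bypass duration to judge how long a bypass remains in effect. The block also starts straight after the latency note with no heading of its own, so it is easy to miss; a short heading such as "Warn mode controls" would anchor it.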
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
In order to preview new features and provide early feedback, it is recommended t
```bash sudo yum install yum-utils ```
+- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/rhel/`.
-- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/`. For instance, RHEL 7.9 is closer to 7.4 than to 8.
+ Use the following table to help guide you in locating the package:
- In the below commands, replace *[distro]* and *[version]* with the information you've identified:
+ | Distro & version | Package |
+ |||
+ | For RHEL 8.0-8.5 | https://packages.microsoft.com/rhel/8/prod/ |
+ | For RHEL 7.2-7.9 | https://packages.microsoft.com/rhel/7/prod/ |
+
+ In the following commands, replace *[version]* and *[channel]* with the information you've identified:
> [!NOTE] > In case of Oracle Linux, replace *[distro]* with "rhel". ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/rhel/[version]/[channel].repo
``` For example, if you are running CentOS 7 and want to deploy Defender for Endpoint on Linux from the *prod* channel: ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/prod.repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/rhel/7/prod.repo
``` Or if you wish to explore new features on selected devices, you might want to deploy Microsoft Defender for Endpoint on Linux to *insiders-fast* channel: ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/rhel/7/insiders-fast.repo
``` - Install the Microsoft GPG public key:
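Review bot: The new command has no `[distro]` placeholder, yet the unchanged note just above it still tells Oracle Linux users to replace *[distro]* with "rhel", and the example still opens with "if you are running CentOS 7" while using a `/rhel/7/` URL. Reword the note and example to say that Oracle Linux and CentOS use the RHEL repository. The table lists package directories (`.../rhel/8/prod/`) while the command fetches `.../rhel/[version]/[channel].repo`; confirm the `.repo` file is served at that path, since the table gives readers nothing to check it against. The table's separator row is `|||`, which will not render as a table; it needs `|---|---|`.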
In order to preview new features and provide early feedback, it is recommended t
### SLES and variants -- Note your distribution and version, and identify the closest entry(by major, then minor) for it under `https://packages.microsoft.com/config/`.
+- Note your distribution and version, and identify the closest entry(by major, then minor) for it under `https://packages.microsoft.com/sles/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified: ```bash
- sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/[distro]/[version]/[channel].repo
``` For example, if you are running SLES 12 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel: ```bash
- sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/config/sles/12/prod.repo
+ sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/sles/12/prod.repo
``` - Install the Microsoft GPG public key:
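Review bot: The browse URL on the first changed line is now the literal `https://packages.microsoft.com/sles/`, but the command template two lines later still uses `[distro]`, and the unchanged instruction between them asks readers to replace *[distro]* and *[version]* without mentioning *[channel]*. Pick one form for the SLES section and list every placeholder the command contains. "closest entry(by major, then minor)" is also missing a space before the parenthesis.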
In order to preview new features and provide early feedback, it is recommended t
sudo apt-get install libplist-utils ``` -- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config`.
+- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/[distro]/`.
In the below command, replace *[distro]* and *[version]* with the information you've identified: ```bash
- curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
+ curl -o microsoft.list https://packages.microsoft.com/[distro]/[version]/[channel].list
```
- For example, if you are running Ubuntu 18.04 and wish to deploy MDE for Linux from the *prod* channel:
+ For example, if you are running Ubuntu 18.04 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel:
```bash
- curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list
+ curl -o microsoft.list https://packages.microsoft.com/ubuntu/18.04/prod.list
``` - Install the repository configuration:
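Review bot: The first changed line tells readers to look for their entry "under `https://packages.microsoft.com/[distro]/`", which is not a URL anyone can open; they have to know the distro directory name before they can browse for it. Give the concrete directories that apply to this section, as the RHEL section now does with its table. The instruction that follows names only *[distro]* and *[version]* although the `curl` command also contains `[channel]`.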
When upgrading your operating system to a new major version, you must first unin
sudo yum-config-manager --disable packages-microsoft-com-fast-prod ```
-1. Redeploy MDE for Linux using the "Production channel".
+1. Redeploy Microsoft Defender for Endpoint on Linux using the "Production channel".
## Uninstallation
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
Create a subtask or role files that contribute to a playbook or task.
> [!WARNING] > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
- Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+ Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/[distro]/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified.
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
In order to preview new features and provide early feedback, it is recommended t
> [!WARNING] > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
-Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
+Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/[distro]/`.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
During the onboarding process, the **Devices list** is gradually populated with
You can apply the following filters to limit the list of alerts and get a more focused view.
+### Device name
+
+Select the name of the device you're interested in investigating.
+
+### Domain
+
+Select the domain you're interested in investigating.
+ ### Risk level The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
The exposure level reflects the current exposure of the device based on the cumu
If the exposure level says "No data available," there are a few reasons why this may be the case: -- Device stopped reporting for more than 30 days. In that case it is considered inactive, and the exposure isn't computed-- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md)-- Device with stale agent (very unlikely)
+- Device stopped reporting for more than 30 days. In that case it's considered inactive, and the exposure isn't computed.
+- Device OS not supported - see [minimum requirements for Microsoft Defender for Endpoint](minimum-requirements.md).
+- Device with stale agent (unlikely).
### OS Platform Select only the OS platforms you're interested in investigating.
+### Windows 10 versions
+
+Select only the Windows 10 versions you're interested in investigating.
+ ### Health state Filter by the following device health states: - **Active**: Devices that are actively reporting sensor data to the service.-- **Inactive**: Devices that have completely stopped sending signals for more than 7 days.
+- **Inactive**: Devices that have stopped sending signals for more than 7 days.
- **Misconfigured**: Devices that have impaired communications with service or are unable to send sensor data. Misconfigured devices can further be classified to: - No sensor data - Impaired communications For more information on how to address issues on misconfigured devices see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-### Antivirus status
+### Onboarding status
-Filter devices by antivirus status. Applies to active Windows 10 devices only.
+Onboarding status indicates whether the device is currently onboarded to Microsoft Defender for Endpoint or not. You can filter by the following states:
-- **Disabled** - Virus & threat protection is turned off.-- **Not reporting** - Virus & threat protection is not reporting.-- **Not updated** - Virus & threat protection is not up to date.
+- **Onboarded**: The endpoint is onboarded to Microsoft Defender for Endpoint.
-For more information, see [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md).
+- **Can be onboarded**: The endpoint was discovered in the network as a supported device, but it's not currently onboarded. Microsoft highly recommends onboarding these devices.
-### Threat mitigation status
+- **Unsupported**: The endpoint was discovered in the network, but is not supported by Microsoft Defender for Endpoint.
-To view devices that may be affected by a certain threat, select the threat from the dropdown menu, and then select what vulnerability aspect needs to be mitigated.
+- **Insufficient info**: The system couldn't determine the supportability of the device.
-To learn more about certain threats, see [Threat analytics](threat-analytics.md). For mitigation information, see [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md).
+### Last device update
-### Windows 10 version
+Filter your view based on when the device was last updated.
-Select only the Windows 10 versions you're interested in investigating.
+### First seen
+
+Filter your view based on when the device was first seen in the network or when it was first reported by the Microsoft Defender for Endpoint sensor.
-### Tags & Groups
+### Tags
-Filter the list based on the grouping and tagging that you've added to individual devices. See [Create and manage device tags](machine-tags.md) and [Create and manage device groups](machine-groups.md).
+Filter the list based on the grouping and tagging that you've added to individual devices. See [Create and manage device tags](machine-tags.md).
## Related topics
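Review bot: The renamed "Tags" section still says "Filter the list based on the grouping and tagging that you've added", although the heading no longer mentions groups and the device-groups link was removed. Drop "grouping" or restore the link so the text matches what the filter offers. The Antivirus status and Threat mitigation status filters are deleted with no mention of where those views went; a pointer would help readers who used them to find unprotected devices. The unchanged intro to this list also says the filters limit "the list of alerts" on a page about the devices list.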
security Manage Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-indicators.md
The current supported actions are:
- Allow - Alert only - Alert and block
+- Warn
++
+>[!NOTE]
+> Using Warn mode will prompt your users with a warning if they open a risky app. The prompt won't block them from using the app, but you can provide a custom message and links to a company page that describes appropriate usage of the app. Users can still bypass the warning and continue to use the app if they need. For more information, see [Govern apps discovered by Microsoft Defender for Endpoint](/cloud-app-security/mde-govern).
You can create an indicator for:
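Review bot: "Warn" is added to the list of supported actions without saying which indicator types accept it, while the note beneath it describes only the case of a user opening a risky app. Since the list that follows covers several indicator types, state the scope of Warn explicitly so readers do not assume a bypassable prompt is available, or sufficient, for every type. The note also repeats the wording added to the IP and domain indicator article almost verbatim; consider keeping the detail in one place and linking to it. The "++" line before the note is stray and should be removed.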
security Overview Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-client-analyzer.md
For more information about our privacy statement, see [Microsoft Privacy Stateme
- Before running the analyzer, we recommend ensuring your proxy or firewall configuration allows access to [Microsoft Defender for Endpoint service
- URLs](/microsoft-365/security/defender-endpoint/configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
+ URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server).
- The analyzer can run on supported editions of
- [Windows](/microsoft-365/security/defender-endpoint/minimum-requirements.md#supported-windows-versions),
- [Linux](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md#system-requirements),
+ [Windows](minimum-requirements.md#supported-windows-versions),
+ [Linux](microsoft-defender-endpoint-linux.md#system-requirements),
or
- [macOS](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md#system-requirements)
+ [macOS](microsoft-defender-endpoint-mac.md#system-requirements)
either before of after onboarding to Microsoft Defender for Endpoint. - For Windows devices, if you are running the analyzer directly on specific machines and not
For more information about our privacy statement, see [Microsoft Privacy Stateme
> [!NOTE] > On Windows devices, if you use Attack Surface Reduction (ASR) rule [Block process creations originating from PSExec and WMI
- commands](/microsoft-365/security/defender-endpoint/attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands),
+ commands](attack-surface-reduction-rules.md#block-process-creations-originating-from-psexec-and-wmi-commands),
then may want to temporarily disable the rule or [configure an exclusion to the ASR
- rule](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules)
+ rule](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules)
to allow the analyzer to run connectivity checks to cloud as expected.
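Review bot: Most links in this change only drop the `/microsoft-365/security/defender-endpoint/` prefix, but the ASR link also changes its target file from `attack-surface-reduction.md` to `attack-surface-reduction-rules.md`; confirm the `#block-process-creations-originating-from-psexec-and-wmi-commands` anchor exists in the new file. In the same note, "then may want to temporarily disable the rule" is missing its subject, and it offers disabling the rule before the narrower option; suggest leading with the exclusion and reminding readers to re-enable the rule after the analyzer run if they do disable it. The unchanged text above also reads "either before of after onboarding".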
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
run:
installed, the analyzer will try to fetch it from the official repository for python packages below: https://files.pythonhosted.org/packages/\*/lxml\*.whl
+> In addition, the tool currently requires Python version 3 or later to be installed.
Example:
security Switch To Microsoft Defender Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-migration.md
Title: Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint
-description: Make the switch to Microsoft Defender for Endpoint. Read this article for an overview.
-keywords: migration, windows defender advanced endpoint protection, for Endpoint, edr
+description: Make the switch to Microsoft Defender for Endpoint, which includes Microsoft Defender Antivirus for your endpoint protection solution.
+keywords: migration, windows defender, advanced endpoint protection, antivirus, antimalware, passive mode, active mode
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
- m365solution-symantecmigrate Previously updated : 06/14/2021 Last updated : 08/16/2021 ms.technology: mde
ms.technology: mde
If you are thinking about switching from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint), you're in the right place. Use this article as a guide.
-When you make the switch to Defender for Endpoint, you begin with your non-Microsoft solution operating in active mode. Then, you configure Defender for Endpoint in passive mode, and onboard your devices to Defender for Endpoint. Next, you set Defender for Endpoint to active mode. Finally, you remove the non-Microsoft solution.
+When you make the switch to Defender for Endpoint, you begin with your non-Microsoft antivirus/antimalware protection in active mode. Then, you configure Microsoft Defender Antivirus in passive mode, and onboard your devices to Defender for Endpoint. Next, you configure your endpoint protection features, set Microsoft Defender Antivirus to active mode, and verify that everything is working correctly. Finally, you remove the non-Microsoft solution.
## The migration process The process of migrating to Defender for Endpoint can be divided into three phases, as described in the following table:
-![Migration phases - prepare, setup, onboard](images/phase-diagrams/migration-phases.png)
+![MDE migration process](images/phase-diagrams/migration-phases.png)
|Phase |Description | |--|--|
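Review bot: the new alt text "MDE migration process" drops the phase names that the old alt text carried ("prepare, setup, onboard") and introduces the abbreviation "MDE", which the visible article text never defines (it uses "Defender for Endpoint"). Keep the alt text descriptive for screen-reader users, for example by naming the three phases the following table describes and spelling out the product name. Separately, the rewritten intro paragraph now lists more steps than before, while the next section still says the process has three phases. One sentence mapping the steps to the phases would make the two passages agree.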
security Directory Service Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/directory-service-accounts.md
+
+ Title: Configure Directory Services account in Microsoft Defender for Identity
+description: Learn how to configure the Microsoft Defender for Identity Directory Services account in Microsoft 365 Defender
Last updated : 08/15/2021+++++++
+# Microsoft Defender for Identity Directory Services account in Microsoft 365 Defender
+
+**Applies to:**
+
+- Microsoft 365 Defender
+- Defender for Identity
+
+This article explains how to configure the [Microsoft Defender for Identity](/defender-for-identity) Directory Services account in [Microsoft 365 Defender](/microsoft-365/security/defender/overview-security-center).
+
+>[!IMPORTANT]
+>As part of the convergence with Microsoft 365 Defender, some options and details have changed from their location in the Defender for Identity portal. Please read the details below to discover where to find both the familiar and new features.
+
+## Configure Directory Services account
+
+To connect the [sensor](sensor-health.md#add-a-sensor) with your Active Directory domains, you'll need to configure Directory Services accounts.
+
+1. In [Microsoft 365 Defender](https://security.microsoft.com/), go to **Settings** and then **Identities**.
+
+ ![Go to Settings, then Identities](../../media/defender-identity/settings-identities.png)
+
+1. Select **Directory Service accounts**. You'll see which accounts are associated with which domains.
+
+ ![Directory Service accounts](../../media/defender-identity/directory-service-accounts.png)
+
+1. If you select an account, a pane will open with the settings for that account.
+
+ ![Account settings](../../media/defender-identity/account-settings.png)
+
+1. To add a new Directory Services account, select **Create new account** and fill in the **Account name**, **Domain**, and **Password**. You can also choose if it's a **Group managed service account** (gMSA), and if it belongs to a **Single label domain**.
+
+ ![New Directory Service account](../../media/defender-identity/new-directory-service-account.png)
+
+1. Select **Save**.
+
+## See also
+
+- [Microsoft Defender for Identity sensor health and settings](sensor-health.md)
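Review bot: step 4 of the new article asks for an **Account name**, **Domain**, and **Password** but nowhere says what permissions the Directory Services account needs or that it should not be a privileged account, so an admin following only this page may reuse a high-privilege credential. Add a prerequisites line before the procedure that states or links to the required permissions, and say when the **Group managed service account** option is preferred over a password-based account, since the page offers it without guidance. The **Single label domain** option also needs a short explanation. The naming is inconsistent between "Directory Services account" (title, heading, step 4) and "Directory Service accounts" (UI label in step 2 and the image alt text), so add a note that the UI label differs or align the wording.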
security Entity Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/entity-tags.md
To set these tags, in [Microsoft 365 Defender](https://security.microsoft.com/),
![Go to Settings, then Identities](../../media/defender-identity/settings-identities.png)
-The tag settings will appear in the **Settings** column.
+The tag settings will appear under **Entity tags**.
![Tag setting types](../../media/defender-identity/tag-settings.png)
The **Sensitive tag** is used to identify high value assets. The lateral movemen
You can also manually tag users, devices, or groups as sensitive.
-1. Select **Sensitive tag**. You will then see the existing sensitive **Users**, **Devices**, and **Groups**.
+1. Select **Sensitive**. You will then see the existing sensitive **Users**, **Devices**, and **Groups**.
![Sensitive entities](../../media/defender-identity/sensitive-entities.png)
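Review bot: the step now tells the reader to select **Sensitive**, but the context line just above the hunk still bolds the label as **Sensitive tag**, so the two no longer match. Update the surrounding prose to the same label, or unbold "tag" so only the UI string is bold. This step also reads "You will then see" while the Honeytoken and Exchange server steps use "You'll then see". Pick one form for all three.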
Honeytoken entities are used as traps for malicious actors. Any authentication a
You can tag users or devices with the **Honeytoken** tag in the same way you tag sensitive accounts.
-1. Select **Honeytoken tag**. You'll then see the existing honeytoken **Users** and **Devices**.
+1. Select **Honeytoken**. You'll then see the existing honeytoken **Users** and **Devices**.
![Honeytoken entities](../../media/defender-identity/honeytoken-entities.png)
You can tag users or devices with the **Honeytoken** tag in the same way you tag
Defender for Identity considers Exchange servers as high-value assets and automatically tags them as **Sensitive**. You can also manually tag devices as Exchange servers.
-1. Select **Exchange server tag**. You'll then see the existing devices labeled with the **Exchange server** tag.
+1. Select **Exchange server**. You'll then see the existing devices labeled with the **Exchange server** tag.
![Exchange servers](../../media/defender-identity/exchange-servers.png)
security Sensor Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/sensor-health.md
From the **Sensors** page, you can add a new sensor.
1. Copy the package to the dedicated server or domain controller onto which you're installing the Defender for Identity sensor.
-## Configure Directory Services account
-
-To connect the sensor with your Active Directory domains, you'll need to configure Directory Services accounts.
-
-1. In [Microsoft 365 Defender](https://security.microsoft.com/), go to **Settings** and then **Identities**.
-
- ![Go to Settings, then Identities](../../media/defender-identity/settings-identities.png)
-
-1. Select **Directory Service accounts**. You'll see which accounts are associated with which domains.
-
- ![Directory Service accounts](../../media/defender-identity/directory-service-accounts.png)
-
-1. If you select an account, a pane will open with the settings for that account.
-
- ![Account settings](../../media/defender-identity/account-settings.png)
-
-1. To add a new Directory Services account, select **Create new account** and fill in the **Account name**, **Domain**, and **Password**. You can also choose if it's a **Group managed service account** (gMSA), and if it belongs to a **Single label domain**.
-
- ![New Directory Service account](../../media/defender-identity/new-directory-service-account.png)
-
-1. Select **Save**.
- ## See also - [Manage Defender for Identity security alerts](manage-security-alerts.md)
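Review bot: the "Configure Directory Services account" section is removed from this page without leaving a pointer to its new home, and the visible **See also** context links only to manage-security-alerts.md. The new directory-service-accounts.md article links back to this page's add-a-sensor section, so make the relationship two-way: add a link to directory-service-accounts.md after the add-a-sensor steps or in **See also**. Removing the heading also removes its anchor, so check for inbound links to `sensor-health.md#configure-directory-services-account` and repoint them.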