Updates from: 08/18/2021 03:07:46
Category Microsoft Docs article Related commit history on GitHub Change details
admin Choose Device Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/devices/choose-device-security.md
Or use the subscriptions that include some, or all of the previous standalone pl
Azure AD Premium P1 and Azure AD Premium P2 allow you to set conditional access features, self-service password reset, etc. For more information on the capabilities of the Premium plans, see [Azure AD pricing](https://azure.microsoft.com/pricing/details/active-directory/) page. - **Microsoft 365 Business Premium** includes Intune and Azure Active Directory Premium P1 and Office 365 Advanced Threat Protection.
- Microsoft 365 Business Premium offers a set of policy templates for securing your devices and app data. It offers a good level of security and threat protection for most businesses under 300 users. For more information, see [set up Microsoft 365 Business Premium in the setup wizard](../../business/set-up.md), [secure Windows 10 computers](../../business/secure-win-10-pcs.md), and [Microsoft 365 Business Premium security and compliance features](../../business/security-features.md).
+ Microsoft 365 Business Premium offers a set of policy templates for securing your devices and app data. It offers a good level of security and threat protection for most businesses under 300 users. For more information, see [set up Microsoft 365 Business Premium in the setup wizard](../../business/set-up.md), [secure Windows 10 computers](../../business/secure-win-10-pcs.md), and [Microsoft 365 Business Premium security and compliance features](/security-and-compliance/security-your-business-data.md).
- **Microsoft 365 for enterprise** subscriptions include Microsoft Intune and E5 also includes the Azure AD premium plans 1 and 2.
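Review bot: The replacement link on the added line, `/security-and-compliance/security-your-business-data.md`, is root-relative and keeps its `.md` extension, while the other two links in the same sentence are file-relative and still point into `../../business/` (`set-up.md`, `secure-win-10-pcs.md`), the folder that other hunks in this update move links away from. Use a file-relative path for the new target and retarget the two remaining `../../business/` links in this sentence in the same change, so that an admin following the device-security guidance is not sent to a missing page.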
admin Centralized Deployment Of Add Ins https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/centralized-deployment-of-add-ins.md
Alternately, you can use the Azure Active Directory Graph API to run queries to
If you or your users encounter problems loading the add-in while using Office apps for the web (Word, Excel, etc.), which were centrally deployed, you may need to contact Microsoft support ([learn how](../../business-video/get-help-support.md)). Provide the following information about your Microsoft 365 environment in the support ticket.
-|**Platform**|**Debug information**|
+| Platform | Debug information |
|:--|:--|
-|Office <br/> | Charles/Fiddler logs <br/> Tenant ID ([learn how](/onedrive/find-your-office-365-tenant-id)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>` <br/> |
-|Rich clients (Windows, Mac) <br/> | Charles/Fiddler logs <br/> Build numbers of the client app (preferably as a screenshot from **File/Account**) <br/> |
+|Office | Charles/Fiddler logs <br/> Tenant ID ([learn how](/onedrive/find-your-office-365-tenant-id)) <br/> CorrelationID. View the source of one of the office pages and look for the Correlation ID value and send it to support: <br/>`<input name=" **wdCorrelationId**" type="hidden" value=" **{BC17079E-505F-3000-C177-26A8E27EB623}**">` <br/> `<input name="user_id" type="hidden" value="1003bffd96933623"></form>` |
+|Rich clients (Windows, Mac) | Charles/Fiddler logs <br/> Build numbers of the client app (preferably as a screenshot from **File/Account**) |
## Related content
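Review bot: In the added `|Office |` row, the `**` markers sit inside the backticked `<input>` samples, so they render as literal asterisks (with a leading space inside each attribute value) instead of bold, and a reader searching the page source for the field will be looking for the wrong string. Remove the `**` and the stray spaces so the sample reads `name="wdCorrelationId"`. The second sample, `<input name="user_id" ...>`, can also be dropped, since the sentence asks only for the Correlation ID.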
If you or your users encounter problems loading the add-in while using Office ap
[Manage add-ins in the admin center](manage-addins-in-the-admin-center.md) (article)\ [Centralized Deployment FAQ](../manage/centralized-deployment-faq.yml) (article)\ [Upgrade your Microsoft 365 for business users to the latest Office client](../setup/upgrade-users-to-latest-office-client.md) (article)
-
+
admin Device List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/device-list.md
You can get this information from your hardware vendor, or you can use the [Get-
When you add devices, you also need to add them to a Profile. A profile is used to apply AutoPilot deployment profiles to a device or a group of devices.
-## Related articles
+## Related content
-[Microsoft 365 for business documentation and resources](../../business/index.yml)
+[Microsoft 365 for business documentation and resources](../../index.yml)
-[Get started with Microsoft 365 for business](../../business/microsoft-365-business-overview.md)
-
-[Manage Microsoft 365 for business](../../business/manage.md)
+[Get started with Microsoft 365 for business](../../business-video/what-is-microsoft-365.md)
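Review bot: The removed `[Manage Microsoft 365 for business](../../business/manage.md)` entry has no replacement in this Related content list, whereas the set-up-windows-devices.md hunk in this same update retargets that link text to `/admin/index.yml`. Either add the retargeted entry here too or confirm the omission is intended, so the two articles do not diverge on where device management guidance lives.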
admin Prepare For Office Client Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/prepare-for-office-client-deployment.md
+
+ Title: "Prepare for Office client deployment by Microsoft 365 for business"
+f1.keywords:
+- CSH
+++ Last updated : 10/31/2017
+audience: Admin
++
+localization_priority: Normal
++
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+ROBOTS: NO INDEX, NO FOLLOW
+ms.assetid: ed34fff3-2881-4ed4-9906-1ba6bb8dd804
+description: "Learn how to automatically install the 32-bit Office apps on Windows 10 computers and keep them updated."
++
+# Prepare for Office client deployment by Microsoft 365 for business
+
+This article applies to Microsoft 365 Business Premium.
+
+## Prepare to automatically install Office apps to client computers
+
+You can use Microsoft 365 Business Premium to automatically install the 32-bit Office apps on Windows 10 computers and keep them current with updates.
+
+Automatic installation works best if the end user's computer is on Windows 10 Business and:
+
+- Doesn't have existing Office desktop apps (Word, Excel, PowerPoint, Outlook, OneNote, Publisher, Access, and OneDrive).
+
+ or
+
+- Has an existing version of Click-to-Run Office installed.
+
+To determine if you have the Click-to-Run version of Office, in any Office app go to **File** \> **Account** ( **Office Account** in Outlook). If you see **Office Updates** as shown in the following figure, then the installation was done by using Click-to-Run.
+
+![Screenshot of Office updates in Office app Account](../../media/e3439380-fa43-4ed6-ae5d-64851c297df5.png)
+
+ **Who benefits from having this feature**
+
+The end user whose PC:
+
+- **Has** a Windows 10 Business user license, an active Microsoft 365 for business license, Windows 10 Creators Update, and is joined to Azure Active Directory.
+
+- **Doesn't have** 64-bit Office apps (example: Word, Excel, PowerPoint). If 64-bit Office apps are required, then this feature isn't a good fit because there's no support for triggering a 64-bit 2016 Click-to-Run version of Office from the Microsoft 365 for business admin console.
+
+- **Doesn't have** any 2016 Windows Installer (MSI) standalone apps (for example, Visio or Project). Microsoft 365 for business upgrades Office to the Click-to-Run version of Office 2016 and that doesn't work with Office 2016 MSI standalone apps.
+
+The following table shows what action the end users/admins may need to take, depending on their beginning state, to have a successful 32-bit Click-to-Run version of Office deployment from the Microsoft 365 for business admin console.<br/>
++
+|Starting Office install status|Action to take before Microsoft 365 for business Office install|End state|
+|:--|:--|:--|
+|No Office suite installed <br/> |None <br/> |Office 2016 32-bit is installed by using Click-to-Run <br/> |
+|Existing Click-to-Run 32-bit version of Office (2016 or earlier) and no standalone apps <br/> |None <br/> |Upgraded to the latest 32-bit Click-to-Run version of Office 2016, as needed **\*** <br/> |
+|Existing Click-to-Run 32-bit version of Office and Click-to-Run 32-bit or 64-bit standalone Office apps (for example, Visio, Project) <br/> |None <br/> |Standalone apps aren't affected. Suite is upgraded to Click-to-Run 32-bit version of Office 2016 <br/> |
+|Existing Click-to-Run 32-bit version of Office and any 32-bit or 64-bit (except 2016) MSI standalone Office apps <br/> |None <br/> |Standalone apps aren't affected. Suite is upgraded to Click-to-Run 32-bit version of Office 2016 <br/> |
+|Any existing Click-to-Run 64-bit version of Office <br/> |Uninstall the 64-bit Office apps, if it's OK to replace them with 32-bit Office apps <br/> |If Office 64-bit apps are removed, the Click-to-Run 32-bit version of Office 2016 is installed <br/> |
+|An existing MSI install of Office 2016 with or without standalone apps <br/> |Uninstall MSI Office 2016. <br/> |Click-to-Run 32-bit version of Office 2016 is installed. No change to standalone apps <br/> |
+|Existing MSI install of Office 2013 (or earlier) and/or standalone Office apps <br/> |None <br/> |Click-to-Run 32-bit version of Office 2016 with the pre-existing MSI Office install (and standalone apps) exist side-by-side <br/> |
+||||
+
+ **(\*) Note:** Does not upgrade to Click-to-Run 32-bit version of Office 2016 due to a known bug. A fix is in progress.
+
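Review bot: The footnote on the last added content line says the second table row "Does not upgrade ... due to a known bug. A fix is in progress", but the front matter of this re-added article carries `Last updated : 10/31/2017`, so the caveat is being republished without a check on whether it still holds. Confirm the current behavior and either remove the `**\***` marker and the note or date the caveat. The table also ends with an empty `||||` row that should be deleted, and its cells keep the trailing `<br/>` that the centralized-deployment-of-add-ins.md hunk in this update strips from its table.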
admin Secure Windows 10 Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/secure-windows-10-devices.md
+
+ Title: "Secure Windows 10 devices"
+f1.keywords:
+- CSH
+++
+audience: Admin
+
+f1_keywords:
+- 'O365E_BCSSetup4WindowsConfig'
+
+localization_priority: Normal
+
+- M365-subscription-management
+- M365-identity-device-management
+
+- Core_O365Admin_Migration
+- MiniMaven
+- MSB365
+- OKR_SMB_M365
+- seo-marvel-mar
+- AdminSurgePortfolio
+search.appverid:
+- BCS160
+- MET150
+- MOE150
+ROBOTS: NO INDEX, NO FOLLOW
+ms.assetid: 21e5551f-fa35-4f13-9418-f80d668b6a2b
+description: "Learn about configuring the settings of the default device policy that any Windows 10 device will receive upon signing in to their work or school account."
++
+# Secure Windows 10 devices
+
+This article applies to Microsoft 365 Business Premium.
+
+The settings that you configure here are part of the default device policy for Windows 10. All users who connect a Windows 10 device, including mobile devices and PCs, by signing in with their work account will automatically receive these settings. We recommend that you accept the default policy during setup and add policies later that target specific groups of users.
+
+## Settings to secure Windows 10 devices
+
+By default all settings are **On**. The following settings are available:
+
++
+|Setting <br/> |Description <br/> |
+|:--|:--|
+|Help protect PCs from viruses and other threats using Windows Defender Antivirus <br/> |Requires that Windows Defender Antivirus is turned on to protect PCs from the dangers of being connected to the internet. <br/> |
+|Help protect PCs from web-based threats in Microsoft Edge <br/> |Turns on settings in Edge that help protect users from malicious sites and downloads. <br/> |
+|Help protect files and folders on PCs from unauthorized access with BitLocker <br/> |Bitlocker protects data by encrypting the computer hard drives and protect against data exposure if a computer is lost or stolen. For more information, see [Bitlocker FAQ](/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions). <br/> |
+|Turn off device screen when idle for this amount of time <br/> |Makes sure that company data is protected if a user is idle. A user may be working in a public location, like a coffee shop, and step away or be distracted for just a moment, leaving their device vulnerable to random glances. This setting lets you control how long the user can be idle before the screen shuts off. <br/> |
+|
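Review bot: The BitLocker row of the added settings table spells the product "Bitlocker" in both the description and the link text while the setting name uses "BitLocker", and "encrypting the computer hard drives and protect against data exposure" needs "protects". The table is also followed by a dangling `+|` line, which leaves an empty trailing row; remove it.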
admin Pre Requisites For Data Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/pre-requisites-for-data-protection.md
The first step in setting up your organization with Microsoft 365 for business i
Google Android 4.0 and later (including Samsung KNOX Standard 4.0 and higher). For more information, see [Intune supported devices](/mem/intune/fundamentals/supported-devices-browsers). -- If you have existing Office applications on user computers, read [prepare for Office client installation](../../business/prepare-for-office-client-deployment.md) to understand steps you might need to take before you can set up Microsoft 365 for business to install Office 2016 on user computers.
+- If you have existing Office applications on user computers, read [prepare for Office client installation](../misc/prepare-for-office-client-deployment.md) to understand steps you might need to take before you can set up Microsoft 365 for business to install Office 2016 on user computers.
admin Threats Detected Defender Av https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/threats-detected-defender-av.md
To learn more about different threats, visit the <a href="https://www.microsoft.
## Related content
-[Secure Windows 10 devices](../../business/secure-windows-10-devices.md) (article)\
+[Secure Windows 10 devices](/misc/secure-windows-10-devices.md) (article)\
[Evaluate Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus) (article)\ [How to turn on real-time and cloud-delivered antivirus protection](/mem/intune/user-help/turn-on-defender-windows#turn-on-real-time-and-cloud-delivered-protection) (article)\ [How to turn on and use Microsoft Defender Antivirus from the Windows Security app](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus) (article)\
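Review bot: The added link `/misc/secure-windows-10-devices.md` is root-relative, but the article this update adds lives at `microsoft-365/admin/misc/secure-windows-10-devices.md` and this file sits in `admin/security-and-compliance/`. The pre-requisites-for-data-protection.md hunk, in the same folder, links its `admin/misc/` target as `../misc/prepare-for-office-client-deployment.md`; use `../misc/secure-windows-10-devices.md` here so the Defender Antivirus page keeps a working pointer to the device policy settings.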
admin Business Set Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/business-set-up.md
Watch this video for an overview of Microsoft 365 Business Premium setup.<br><br
## Add your domain, users, and set up policies
-When you purchase Microsoft 365 Business Premium, you have the option of using a domain you own, or buying one during the [sign-up](../../business/sign-up.md).
+When you purchase Microsoft 365 Business Premium, you have the option of using a domain you own, or buying one during the [sign-up](../../business-video/sign-up.md).
- If you purchased a new domain when you signed up, your domain is all set up and you can move to [Add users and assign licenses](#add-users-and-assign-licenses).
admin Secure Win 10 Pcs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/secure-win-10-pcs.md
After you have [set up](business-set-up.md) Microsoft 365 Business Premium, it i
On the top of the page, choose **Get started**.
-4. On the **Secure your Windows 10 computers** pane, select the options you want to turn on. For more information about the settings, see [Secure Windows 10 devices](../../business/secure-windows-10-devices.md) (article)\
+4. On the **Secure your Windows 10 computers** pane, select the options you want to turn on. For more information about the settings, see [Secure Windows 10 devices](/misc/secure-windows-10-devices.md) (article)\
). For most organizations, the options here offer a good level of security, however, if your organization has more complex security needs, you can also use pre-defined security baselines to secure your Windows 10 devices. For more information, see [security baselines for Windows 10 devices](/mem/intune/protect/security-baselines).
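Review bot: Step 4's added line still ends with `(article)\` and the context line after it begins with `).`, so the sentence renders as a link followed by a list-style suffix and an orphaned parenthesis. Drop the `(article)\` suffix and the stray `).` so the step reads as one sentence, and replace the root-relative `/misc/secure-windows-10-devices.md` with `../misc/secure-windows-10-devices.md`, the form the pre-requisites-for-data-protection.md hunk uses for its `admin/misc/` link.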
admin Set Up Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/set-up-windows-devices.md
Before you can set up Windows devices for Microsoft 365 Business Premium users,
If you have Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles you to a Windows 10 upgrade.
-For more information on how to upgrade Windows devices to Windows 10 Pro Creators Update, follow the steps in this topic: [Upgrade Windows devices to Windows Pro Creators Update](../../business/upgrade-to-windows-pro-creators-update.md).
+For more information on how to upgrade Windows devices to Windows 10 Pro Creators Update, follow the steps in this topic: [Upgrade Windows devices to Windows Pro Creators Update](../../business-video/upgrade.md).
See [Verify the device is connected to Azure AD](#verify-the-device-is-connected-to-azure-ad) to verify you have the upgrade, or to make sure the upgrade worked.
Verify that your Azure AD joined Windows 10 devices are upgraded to Windows 10 B
## Next steps
-To set up your mobile devices, see [Set up mobile devices for Microsoft 365 Business Premium users](set-up-mobile-devices.md), To set device protection or app protection policies, see [Manage Microsoft 365 for business](../../business/manage.md).
+To set up your mobile devices, see [Set up mobile devices for Microsoft 365 Business Premium users](set-up-mobile-devices.md), To set device protection or app protection policies, see [Manage Microsoft 365 for business](/admin/index.yml).
## Related content
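Review bot: The added line links "Manage Microsoft 365 for business" to `/admin/index.yml`, a root-relative path, while the other link in the same sentence is file-relative (`set-up-mobile-devices.md`); from `admin/setup/` the file-relative equivalent is `../index.yml`. The sentence also joins two instructions with `, To set`; end the first sentence after the mobile devices link.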
business-video Employee Quick Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/employee-quick-setup.md
description: "Help your employees learn how to set up Office apps they get with
# Employee quick setup
-Are you new to Microsoft 365 for business? :::image type="icon" source="../medi) to learn about it. Then follow these steps.
+Are you new to Microsoft 365 for business? :::image type="icon" source="../medi) to learn about it. Then follow these steps.
:::image type="content" source="../media/m365-employee-quick-setup.png" alt-text="Image showing quick employee setup steps.":::
business-video What Is Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/what-is-microsoft-365.md
When you sign up for Microsoft 365 Business Premium, you get all the same produc
If you have Microsoft Business Premium, the quickest way to setup security and begin collaborating safely is to follow the guidance in this library: [Microsoft 365 for smaller businesses and campaigns](../campaigns/index.md). This guidance was developed in partnership with the Microsoft Defending Democracy team to protect all small business customers against cyber threats launched by sophisticated hackers.
-For full details, see [Microsoft 365 Business content](../business/index.yml).
+For full details, see [Microsoft 365 Business content](../admin/index.yml).
business Configure Windows 10 Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/configure-windows-10-devices.md
- Title: "Configure Windows 10 devices"-- NOCSH------ 'O365E_BCSSetup4PushSoftware'-
-localization_priority: Normal
--- M365-subscription-management -- M365-identity-device-management--- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150
-description: "Learn about configuring device policies for Windows 10 that apply to all users in your organization, ensuring they connect in a secure way."
--
-# Configure Windows 10 devices
-
-During setup, you create a device policy for Windows 10 that applies to all users in your organization. When a user signs in to an Office app on their Windows 10 device with their work or school account, the settings you configure are automatically applied to make sure that the user is connecting in a secure way.
-
-We recommend that you accept the default configuration during setup. After setup, you can create more policies and target them to specific groups of users.
-
-To add a policy to manage Windows 10 device configurations, see [Set device configurations for Windows 10 PCs](protection-settings-for-windows-10-pcs.md).
-
-
business Help Users Connect To Microsoft 365 Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/help-users-connect-to-microsoft-365-business.md
- Title: "Help users connect to Microsoft 365 Business Premium"-- NOCSH------ 'O365E_BCSSetupComplete'-- 'BCSSetupComplete'-- 'BCS365_BCSSetupComplete'-
-localization_priority: Normal
---- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150
-description: "Learn what to expect after Business Cloud Suite setup is complete and your default device policies are in place and ready to apply."
--
-# Help users connect to Microsoft 365 Business Premium
-
-After you complete setup, your default device policies are in place and ready to apply. On mobile devices, users download Office apps. Policies are then applied when the user signs in with their work or school account. There's a bit more work to do before policies apply to Windows PCs, such as an in-place upgrade. See and share the following topics to help users get set up and connected:
-
-[Set up Windows devices for Microsoft 365 Business Premium users](set-up-windows-devices.md)
-
-[Use the step-by-step guide to add Autopilot devices and profile](add-autopilot-devices-and-profile.md)
-
-[Set up mobile devices for Microsoft 365 Business Premium users](set-up-mobile-devices.md)
-
-
business Help Users Install Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/help-users-install-office.md
- Title: "Help your users install Office on Windows 10 devices"-- NOCSH-----
-localization_priority: Normal
--- Adm_O365-- M365-subscription-management --- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- TRN_M365B-- OKR_SMB_Videos-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Help your users install Office apps on Windows 10 devices and easily install Office on Windows 10 PCs from the Microsoft 365 admin center."
--
-# Help your users install Office on Windows 10 devices
-
-[![Label to let you know the admin center is changing and you can find more details at aka.ms/aboutM365preview.](../media/m365admincenterchanging.png)](/office365/admin/microsoft-365-admin-center-preview)
-
-You can quickly and easily install Office on Windows 10 PCs from the Microsoft 365 admin center.
-
-To understand how this works with previously installed Office apps, read [Prepare for Office client installation](prepare-for-office-client-deployment.md) before you get started.
-
-Watch a short video about installing Office apps.<br><br>
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/acce002c-0756-4b64-ac5d-2198ee96a9b1]
-
-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../business-video/index.yml).
-
-## Manage Office deployments
-
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>, and sign in with global admin credentials.
-
-2. Go to **Setup** in the left navigation pane, and on the **Setup** page, scroll to **Apps and updates**.
- > [!NOTE]
- > You might not see this card if all of your users have installed Office apps.
-
-3. On the **Help users install their Office apps** card, choose **View**, and then **Get started**.
-
-4. On the **Email users a link to download Office** panel, select the users you want to email, and then **Email selected users**.
-
- ![Select users to send email with Office download link.](../media/sendemailtousers.png)
-
-## For more on setting up and using Microsoft 365 Business Premium
-
-[Microsoft 365 for business training videos](../business-video/index.yml)
business How Policies Protect Company Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/how-policies-protect-company-data.md
- Title: "How policies in Microsoft 365 for business protect company data"-- NOCSH------ 'O365E_ESPoliciesLM'-- 'ESPoliciesLM'-- 'BCS365_ESPoliciesLM'-
-localization_priority: Normal
---- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150
-description: "To protect company data on users' personal devices, use policies that target specific devices and security groups."
--
-# How policies in Microsoft 365 for business protect company data
-
-This article applies to Microsoft 365 Business Premium.
-
-The policies that you create are specific to the device type and can be applied to specific groups of users. This means that you could create one policy that applies to your executives, and another that applies to everyone else.
-
-For Android and iOS devices, you can add or edit application policies that protect Office apps and work files used by Office apps. We're able to control Windows 10 devices a bit more, so application policies can include more settings, like encryption and protection for network and cloud locations. You can also create device policies for Windows 10 devices that enforce settings like virus protection and automatic updates. We recommend that you stick with the policies created during setup, but if you'd like to fine-tune your policies or add more, see these articles:
-
-[Set app configurations for Android or iOS devices](app-protection-settings-for-android-and-ios.md)
-
-[Set device configurations for Windows 10 PCs](protection-settings-for-windows-10-pcs.md)
-
-[Set app protection settings for Windows 10 devices](protection-settings-for-windows-10-devices.md)
-
-
business Install Office On Windows 10 During Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/install-office-on-windows-10-during-setup.md
- Title: "Install Office on Windows 10 during setup"-- NOCSH------ 'O365E_BCSSetup4OfficeInstall'-
-localization_priority: Normal
---- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150
-description: "Discover how, with Microsoft 365 Business Premium, you can automatically make sure users have the latest version of Office on all their Windows 10 devices."
--
-# Install Office on Windows 10 during setup
-
-![Banner that point to https://aka.ms/aboutM365preview.](../media/m365admincenterchanging.png)
-
-This setting is off by default. You can turn it on to make sure users have the latest version of Office on all their Windows 10 devices, but first verify that all prerequisites are met. Users must be licensed for Microsoft 365 Business Premium for this setting to push the software to the device, in addition to other requirements described in [Prepare for Office client deployment by Microsoft 365 Business Premium](prepare-for-office-client-deployment.md).
-
-We recommend that you accept the default setting during setup.
business Manage User Access On Mobile Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/manage-user-access-on-mobile-devices.md
- Title: "Manage how users access Office documents on mobile devices"-- NOCSH------ 'O365E_BCSSetup4OfficeMobile'-
-localization_priority: Normal
--- M365-subscription-management -- M365-identity-device-management--- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150
-description: "Learn about protection policies that allow you to manage how users access Office apps and work files from mobile devices."
--
-# Manage how users access Office documents on mobile devices
-
-This article applies to Microsoft 365 Business Premium.
-
-Policy settings that control how users access Office files from their mobile devices are **Off** by default. We recommend that you accept the default values during setup to create application policies for Android, iOS, and Windows 10 that apply to all users. You can create more policies after setup completes.
-
-## Settings that control how users access Office files on mobile devices
-
-The following settings are available to manage how users access Office work files:
-
-|Setting <br/> |Description <br/> |
-|:--|:--|
-|Require a PIN or fingerprint to access Office apps <br/> |If this setting is **On**, users must provide another form of authentication, in addition to their username and password, before they can use Office apps on their mobile device. <br/> |
-|Reset PIN when login fails this many times <br/> |To prevent an unauthorized user from randomly guessing a PIN, the PIN will reset after the number of wrong entries that you specify. <br/> |
-|Require users to sign in again after Office apps have been idle for <br/> |This setting determines how long a user can be idle before they're prompted to sign in again. <br/> |
-|Deny access to work files on jailbroken or rooted devices <br/> |Clever users may have a device that is jailbroken or rooted. This means that the user can modify the operating system, which can make the device more susceptible to malware. These devices are blocked when this setting is **On**. <br/> |
-|Don't allow users to copy content from Office apps into personal apps <br/> |When the setting is **On**, the user can't copy information in a work file to a personal file. If the setting is **Off**, the user can copy information from a work file to a personal app or personal account. <br/> |
-
-
business Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/manage.md
- Title: "Manage Microsoft 365 for business"-- NOCSH-----
-localization_priority: Normal
---- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Learn to Manage Microsoft 365 for business related admin tasks, mobile devices, Windows 10 PCs, and many such tasks."
--
-# Manage Microsoft 365 for business
-
-## General Microsoft 365 for business admin tasks
-
-Most of the [admin content](/office365/admin/admin-home) for Office 365 also applies to Microsoft 365 for business.
--- [Add more users to Microsoft 365 for business](../admin/add-users/add-users.md)
-
-- [View policies and devices](view-policies-and-devices.md)
-
-- [Microsoft 365 for business security features](security-features.md)
-
-- [How do protection features in Microsoft 365 for business map to Intune settings](map-protection-features-to-intune-settings.md)
-
-See the following sections on how to use Microsoft 365 for business to protect your organization's data on PCs and mobile devices.
-
-## Manage mobile devices
--- [Set up mobile devices for Microsoft 365 for business users](set-up-mobile-devices.md)
-
-- [Set app protection settings for Android or iOS devices](app-protection-settings-for-android-and-ios.md)
-
- To make sure this worked, see [Validate app protection settings on an Android or iOS device](validate-settings-on-android-or-ios.md).
-
-- [Remove company data from devices](remove-company-data.md)
-
-## Manage Windows 10 PCs
--- [Set up Windows devices for Microsoft 365 for business users](set-up-windows-devices.md)-
- Read [Prepare for Office client deployment by Microsoft 365 for business](prepare-for-office-client-deployment.md) before you auto-install Office.
-
-- [Set device protection settings for Windows 10 devices](protection-settings-for-windows-10-pcs.md)
-
- To make sure this worked, see [Validate device protection settings on Windows 10 devices](validate-settings-on-windows-10-pcs.md).
-
-- [Set application protection settings for Windows 10 devices](protection-settings-for-windows-10-devices.md)
-
- To make sure this worked, see [Validate app protection settings on Windows 10 PCs](validate-protection-settings-on-windows-10-pcs.md).
-
-- [Remove company data from devices](remove-company-data.md)
-
-- [Reset Windows 10 devices to their factory settings](reset-devices-to-factory-settings.md)
-
-### Use AutoPilot to deploy Windows 10 devices
-
-The following topics describe how you can use Windows AutoPilot in Microsoft 365 for business to pre-configure Windows 10 devices.
-
-- [Use the step-by-step guide to add Autopilot devices and profile](add-autopilot-devices-and-profile.md)
-
-- [Create and edit AutoPilot profiles](create-and-edit-autopilot-profiles.md)
-
-- [Create and edit AutoPilot devices](create-and-edit-autopilot-devices.md)
-
-- [Troubleshoot AutoPilot device errors](troubleshoot-autopilot-errors.md)
-
-- [Device states](device-states.md)
-
-- [About AutoPilot Profile settings](autopilot-profile-settings.md)
-
-## Set up and prerequisite information
--- [Prerequisites for protecting data on devices with Microsoft 365 for business](pre-requisites-for-data-protection.md)
-
-- [Set up Microsoft 365 for business by using the setup wizard](set-up.md)
-
-- [Migrate to Microsoft 365 for business](migrate-to-microsoft-365-business.md)
-
-- [Enable domain-joined Windows 10 devices to be managed by Microsoft 365 for business](manage-windows-devices.md)
-
-- [Additional security features](security-features.md#additional-security-features)
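Review bot: Removing this page in full drops the three "To make sure this worked, see Validate ..." pointers under "Manage mobile devices" and "Manage Windows 10 PCs", which pair each protection-settings article with its validation article. Nothing visible in this change shows where that pairing now lives, so confirm that the protection-settings articles link to their validation pages directly. Also add a redirect for manage.md, which microsoft-365-business-start.md listed under "Related content".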
business Microsoft 365 Business Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/microsoft-365-business-overview.md
- Title: "Overview of Microsoft 365 Business Premium"-- NOCSH--- Previously updated : 9/20/2018--
-localization_priority: Normal
--- Adm_O365-- M365-subscription-management-- TRN_SMB--- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- TRN_M365B-- OKR_SMB_Videos-- seo-marvel-mar-- AdminSurgePortfolio-- AdminTemplateSet-- BCS160-- MET150
-description: "Learn about Microsoft 365 Business Premium, a subscription service that includes Office apps and advanced protection against cyber threats."
--
-# Overview of Microsoft 365 Business Premium
-
-## What is Microsoft 365 Business Premium
-
-Microsoft 365 Business Premium (formerly Microsoft 365 Business) is a comprehensive subscription service for businesses with less than 300 employees. It integrates your favorite Office productivity apps and services, and collaboration tools like Microsoft Teams, with advanced security and device management capabilities.
-
-## Watch: What is Microsoft 365 Business Premium
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE2mhaA]
-
-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../business-video/index.yml).
-
-Microsoft 365 Business Premium is meant for up to 300 licenses. If you need more licenses, see [Microsoft 365 Enterprise](../enterprise/index.yml) documentation for more information.
-
-See the [Microsoft 365 Business Premium service description](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-business-service-description) for the entire list of features.
-
-## Small business security needs
-
-Your business data can be compromised in many ways. You and your users can compromise your organization's security when you sign in with compromised credentials or view organization data on different devices and applications. More specifically, your organization is at risk from:
--- Compromised or weak sign-in credentials.-- Compromised device with a weak pin, or a user owned device.-- Users who can copy/paste/save your organization's data to personal apps.-- Users who install and use third-party apps with weak security.-- Email vulnerabilities, including sharing sensitive data, phishing attempts, malware, and so on.-- When people who should not, can access documents with sensitive information.-
-Microsoft 365 Business Premium helps safeguard your data in each of these instances. The security features that protect your business data are detailed in the following figure.
-
-![A figure that shows how M365B protects your business.](../media/m365businessvalueadd.png)
-
-## How your data and devices are protected
-
-Microsoft 365 Business Premium helps **defended against threats** by:
--- Scanning links in emails and documents in real time to block unsafe web sites (Safe Links).--- Performing advanced analysis of email attachments in a sandbox environment to detect newly developed malware (Safe Attachments).--- Enabling anti-phishing policies that use machine learning models and impersonation detection to provide protection against advanced attacks (Anti-phishing in Defender for Office 365 intelligence).--- Setting up advanced policies that disable access from untrusted locations or bypass multifactor authentication from trusted places such as your office network (Azure MFA including trusted IPs, and Conditional Access).--- Enforcing malware protection across all your organization's Windows 10 devices and protecting files in key system folders from changes made by ransomware (Windows Defender)-
-Your **business data is protected** by:
--- Using automatic detection to help prevent sensitive information such as Social Security numbers or credit cards from leaking outside your business (data loss prevention).--- Encrypting sensitive emails so you can communicate securely with customers or other people outside your organization. This ensures that only the intended recipient can read the message (Office 365 Message Encryption).--- Controlling who has access to company information by applying restrictions such as **Do Not Copy** and **Do Not Forward** to email and documents (Azure Information Protection, Plan 1).--- Enabling unlimited cloud archiving so you can retain all your organization's email, including the mailboxes of former employees (Exchange Online Archiving).-
-Your **devices are secured** by:
--- Controlling which devices and users can access your Microsoft data, with options to block users from signing in from home computers, unapproved apps, or outside of work hours (Conditional Access).--- Applying security policies to protect business data on iOS and Android devices. For example, you can require users to provide a PIN or fingerprint to access business data, and encrypt data on mobile devices (App protection for Office mobile apps).--- Keeping business documents, emails, and other data within approved Office mobile apps and preventing employees from saving these to unauthorized apps and locations (App protection for Office mobile apps).--- Remotely wiping business data from lost or stolen devices without affecting personal information (Intune selective wipe).--- Using simplified controls to manage policies for all the Windows 10 PCs in your company, enforcing BitLocker encryption and automatically installing critical Windows updates (Enforce Windows update policies).-
-To see the full list of security features, see [Microsoft 365 Business Premium security features](security-features.md). After you [Set up Microsoft 365 Business Premium](set-up.md), see [increase threat protection](increase-threat-protection.md) and [set up compliance features](set-up-compliance.md) to get started with the security features that aren't included as a part of the guided setup. Read also [Top 10 ways to secure Office 365 and Microsoft 365 Business Premium plans](/office365/admin/security-and-compliance/secure-your-business-data) for a good overview on how to set up protections against cyber criminals and hackers.
-
-## Next steps
--- If you have a partner, they'll get Microsoft 365 Business Premium: [Get Microsoft 365 Business Premium from Microsoft Partner Center](get-microsoft-365-business.md).--- If you don't have a partner and want to get Microsoft 365 Business Premium, you can [buy it here](https://www.microsoft.com/microsoft-365/business) and follow the [sign up](sign-up.md) instructions.-
-## Related content
-
-[Microsoft 365 Business Premium training videos](../business-video/index.yml) (link page)
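Review bot: The paragraph after "Your **devices are secured** by:" is the one place in this file that tells admins that some security features "aren't included as a part of the guided setup" and sends them to increase-threat-protection.md and set-up-compliance.md. With the whole file removed, check that the replacement overview keeps that pointer, and keeps the mapping from each protection to its named feature (Safe Links, Safe Attachments, Conditional Access, Intune selective wipe). Otherwise a reader who only runs the setup wizard has no cue that these need separate configuration.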
business Microsoft 365 Business Start https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/microsoft-365-business-start.md
- Title: "Get started with Microsoft 365 for business"-- NOCSH-----
-localization_priority: Normal
--- Adm_O365-- M365-subscription-management-- TRN_SMB--- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- TRN_M365B-- OKR_SMB_Videos-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Learn about Microsoft 365 for business, how to set it up, and how to prepare your users' devices and PCs to ensure they're protected by Microsoft 365 for business."
--
-# Get started with Microsoft 365 for business
-
-## What is Microsoft 365 for business
-
-Microsoft 365 for business is a comprehensive set of business productivity and collaboration tools, such as Outlook, Word, Excel, and other Office products, that are always up to date. You can protect your work files on all your iOS, Android, and Windows 10 devices with enterprise-grade security that is simple to manage.
-
-## Watch: What is Microsoft 365 Business Premium
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE2mhaA]
-
-Microsoft 365 for business is meant for up to 300 licenses. If you need more licenses, see [Microsoft 365 Enterprise](../enterprise/index.yml) documentation for more information.
-
-## Get Microsoft 365 for business
--- If you have a partner, they'll get Microsoft 365 for business: [Get Microsoft 365 for business from Microsoft Partner Center](get-microsoft-365-business.md).
-
-- If you don't have a partner and want to get Microsoft 365 for business, you can [buy it here](https://www.microsoft.com/microsoft-365/business).
-
-## Set up Microsoft 365 for business
-
- **Overview of Microsoft 365 for business Suite set up**
-
-The following diagram describes how admins set up Microsoft 365 for business. It also describes the steps to prepare Windows PCs for Microsoft 365 for business. You can also add new devices in the Microsoft 365 admin center with [Windows AutoPilot](add-autopilot-devices-and-profile.md). You can use AutoPilot to set up and pre-configure new devices so that they're ready for productive use as soon as a user signs in with their Microsoft 365 for business credentials.
-
-![A diagram that shows the setup and management flow for admins, and also for a user](../media/249f81fc-7e79-44c7-8425-3a0b7b651c3b.png)
-
-## Watch: Set up Microsoft 365 Business
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FYSM]
-
-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../business-video/index.yml).
-
-
-### 1: Set up Microsoft 365 for business (Admin)
-
-Sign in to [Microsoft 365 admin center](https://admin.microsoft.com/adminportal/home) with your global admin credentials, and complete the following steps to set up Microsoft 365 for business.
-
-1. [Prerequisites for protecting data on devices with Microsoft 365 for business](pre-requisites-for-data-protection.md)
-
- Read the prerequisites first to make sure that your devices are ready for Microsoft 365 for business.
-
-2. [Use the setup wizard to set up Microsoft 365 for business](set-up.md)
-
- If you're **permanently moving from a local Active Directory to the cloud**, you can go to the Microsoft 365 admin center and use the setup wizard to add your users manually, or you can do a one-time sync with Azure AD Connect. There are two ways to do this:
-
- - If you also have an Exchange 2010, Exchange 2013, or Exchange 2016 server, you can [Use Minimal Hybrid to quickly migrate Exchange mailboxes to Microsoft 365](/Exchange/mailbox-migration/use-minimal-hybrid-to-quickly-migrate). The minimal hybrid steps include a one-time sync of users to Azure AD, and email migration from on-premises to the cloud. After the email migration is complete, the directory synchronization is automatically turned off when you use this method.
-
- - Use the directory sync wizard to synchronize your users to the cloud. Follow the steps in [Set up directory synchronization for Microsoft 365](../enterprise/set-up-directory-synchronization.md) to complete this process. After you synchronize your users to the cloud, you'll have to [Turn off directory synchronization for Microsoft 365](../enterprise/turn-off-directory-synchronization.md).
-
- You'll also have to give each user that was added this way a license to Microsoft 365 for business. You can do this in the [setup wizard](set-up.md) or you can [Assign licenses to users](../admin/manage/assign-licenses-to-users.md).
-
-### 2: Prepare mobile devices
-
-Follow the steps in [Set up mobile devices for Microsoft 365 for business users](set-up-mobile-devices.md) to install Office apps on devices and make sure they're protected by Microsoft 365 for business.
-
-### 3: Prepare PCs
-
-Admins can pre-select settings for new Windows 10 PCs by using [Windows AutoPilot](add-autopilot-devices-and-profile.md). Users can set up their existing or new Windows 10 devices by following the steps in this topic: [Set up Windows PCs for Microsoft 365 for business users](set-up-windows-devices.md). For existing devices, users can **optionally** [move files to OneDrive for Business](move-files-to-onedrive.md). They can also use third-party tools to move files associated with Windows profile to OneDrive.
-
-If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 for business to protect your Windows 10 devices, while still maintaining access to on-premises resources that require local authentication. Follow the steps in [Enable domain-joined Windows 10 devices to be managed by Microsoft 365 for business](manage-windows-devices.md) to set this up. This method is preferred, and devices in this state are called **Hybrid Azure AD joined devices**.
-
-If you retain a local Active Directory that contains some on-premises resources (such as file shares and printers), you can give your **Azure AD-joined devices** access to these resources by following the steps here: [Access on-premises resources from an Azure AD-joined device in Microsoft 365 for business](access-resources.md).
-
-
-## Contact support
-
- **If you need to contact support:**
-
-- Contact your partner.
-
-- As a Microsoft 365 for business admin, you have access to our customer support team: **[Contact support for business products - Admin Help](../business-video/get-help-support.md)**
-
-## Related content
-
-[Microsoft 365 for business documentation and resources](./index.yml) (link page)\
-[Manage Microsoft 365 for business](manage.md) (article)\
-[Migrate to Microsoft 365 for business](migrate-to-microsoft-365-business.md) (article)\
-[Microsoft 365 for business training videos](../business-video/index.yml) (link page)
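Review bot: Step 2 under "1: Set up Microsoft 365 for business (Admin)" carries the instruction that, after a one-time sync to the cloud, "you'll have to [Turn off directory synchronization for Microsoft 365]", together with the statement that the Minimal Hybrid path turns it off automatically. Before this page is deleted, confirm that set-up.md or the directory synchronization articles state the same follow-up step. The "3: Prepare PCs" section is also the text that names Hybrid Azure AD join as the preferred state for domain-joined devices, so that recommendation needs a home as well.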
business Migrate From E3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/migrate-from-e3.md
- Title: "Migrate to Microsoft 365 Business from Office 365 E3"-- NOCSH-----
-localization_priority: Normal
--- Adm_O365-- M365-subscription-management --- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- AdminSurgePortfolio-- AdminTemplateSet-- BCS160-- MET150
-description: "If you have an Office 365 E3 subscription but don't have more than 300 employees, consider switching to Microsoft 365 Business Premium."
--
-# Migrating from Office 365 E3 to Microsoft 365 Business Premium
-
-Microsoft 365 Business Premium has everything you need for your small business, combining the best-in-class cloud-based productivity apps with simple device management and security. If you currently have an Office 365 E3 subscription, but don't have more than 300 employees, consider switching to Microsoft 365 Business Premium for added security features.
-
-Migrating is easy: First you switch licenses and all your data and user information in your current subscription is maintained. After the migration, you'll need to set up the features that are added in Microsoft 365 Business Premium.
-
-## Differences between Office 365 E3 and Microsoft 365 Business Premium
-
-This table shows the differences between Microsoft 365 Business Premium and Office 365 E3.
-
-| Feature | Support in Microsoft 365 Business Premium | Support in Office 365 E3 |
-|:-|:--|:--|
-| **On-premises** | | |
-| Office apps<sup>1</sup> | Microsoft 365 Apps for business | Microsoft 365 Apps for enterprise |
-| **Cloud productivity apps** | | |
-| Exchange Online and Outlook | 50 GB storage limit per mailbox and unlimited Exchange Online Archiving | 100 GB storage limit per mailbox and unlimited Exchange Online Archiving |
-| Teams | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Office 365 E3](../media/check-mark.png) |
-| OneDrive for Business | 1 TB storage limit per user | Unlimited |
-| Yammer, SharePoint Online, Planner, Stream | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Office 365 E3](../media/check-mark.png) |
-| StaffHub | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Office 365 E3](../media/check-mark.png) |
-| **Threat Protection** | | |
-| Defender for Office 365 Plan 1 | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | Not included, but can be added on |
-| **Identity management** | | |
-| Self-service password reset for hybrid Azure Active Directory (Azure AD) accounts, Azure AD multi-factor authentication (MFA), Conditional Access, password writeback for on-premises identities| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | |
-| **Device and app management** | | |
-| Microsoft Intune, Windows AutoPilot| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | |
-| Shared computer activation| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Office 365 E3](../media/check-mark.png)|
-| Upgrade rights to Windows 10 Pro from Win 7/8.1 Pro licenses| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) ||
-| **Information protection** | | |
-|Office 365 Data Loss Prevention| ![Included with Microsoft 365 Business Premium](../media/check-mark.png)|![Included with Office 365 E3](../media/check-mark.png)|
-|Azure Information Protection Plan 1, BitLocker enforcement|![Included with Microsoft 365 Business Premium](../media/check-mark.png)||
-|Azure Information Protection Plan 1, Sensitivity labels|![Included with Microsoft 365 Business Premium](../media/check-mark.png)||
-|**Client Access License (CAL rights)**|||
-|Enterprise CAL Suite (Exchange, SharePoint, Skype)||![Included with Office 365 E3](../media/check-mark.png)|
-
-<sup>1</sup> The Microsoft 365 Business Premium version of the Office apps doesn't include volume activation through Group Policy, app telemetry, update controls, spreadsheet compare and inquire, or business Intelligence.
-
-## Migration
-
-To migrate your subscription, see [Change plans manually](../commerce/subscriptions/change-plans-manually.md) for instructions if you want to move just a few people to Microsoft 365 Business Premium. You can also [upgrade everyone automatically](../commerce/subscriptions/upgrade-to-different-plan.md), or work with a partner to move your E3 subscription and licenses to a Microsoft 365 Business Premium subscription.
-The following sections describe the changes you need to make, if any, and what you can do after the migration.
-
-### Office 365 E3 subscription configuration and data
-You don't need to do any changes to your current subscription or data before migrating, which includes:
--- Subscription configuration, such as DNS records and domain names.-- User and group accounts and authentication settings, such as multi factor authentication or conditional access policies.-- Productivity service configurations and their data, such as Teams, Exchange Online mailboxes, SharePoint Online sites, OneDrive for Business folders, and OneNote notebooks.-- Office applications will scale automatically. Office 365 modern licensing will check the userΓÇÖs license assignment every 72 hours and will convert Office applications to the version that matches the user subscription.-
-### Windows 10
-
-If your Windows aren't already on Windows Pro Creator update, [upgrade them to Windows Pro Creators Update](upgrade-to-windows-pro-creators-update.md).
-
-### Set up policies to protect user devices and files
-
-> [!NOTE]
-> If you set up Office 365 MDM policies and devices, those devices will be listed on the **Devices** page in the Microsoft 365 admin center. Any policies you set up will show up in the list of classic policies in the [Intune portal](https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/ExtensionLandingBlade/overview).
-
-After you have assigned licenses to Microsoft 365 Business Premium, you can start protecting the users' devices and files.
-
-If you upgraded everyone in your organization to Microsoft 365 Business Premium, you'll see the setup wizard on the Home page, and can follow the [Set up Microsoft 365 Business Premium in the setup wizard](set-up.md) steps to protect files and mobile devices.
-
-You can also complete these steps on the Devices page:
-
-1. In the admin center, in the left nav, go to **Devices** \> **Policies**.
-
-2. On the **Device policies** page, choose **Add**.
-
-3. In the **Add policy** pane give the policy a name, and then choose a **Policy type** from the drop-down.
-
- You can set up application policies for protecting files on Android and iPhone devices, as well as Windows 10, and you can set up device configuration policies for company owned Windows 10 devices. See the following links for details:
-
- - [Set app protection settings for Android or iOS devices](app-protection-settings-for-android-and-ios.md)
-
- - [Set application protection settings for Windows 10 devices](protection-settings-for-windows-10-devices.md)
-
- - [Set device protection settings for Windows 10 PCs](protection-settings-for-windows-10-pcs.md)
-
-4. Once you set up policies, you and your employees can set up devices:
-
- - See [Set up Windows devices for Microsoft 365 Business Premium users](set-up-windows-devices.md) for steps for Windows devices.
-
- - See [Set up mobile devices for Microsoft 365 Business Premium users](set-up-mobile-devices.md) for steps for Android phones and iPhones.
-
-### Mailbox Size
-
-Microsoft 365 Business Premium has a 50 GB storage limit as it uses Exchange Online Plan 1. While migrating to Microsoft 365 Business Premium, if any of your users exceed 50 GB of mailbox storage, it is recommended that you assign this user an Exchange Online Plan 2 and remove the Exchange Online Plan 1 as it's not feasible to assign both.
-
-### Threat protection
-
-After migrating to Microsoft 365 Business Premium, you have Defender for Office 365. See [Microsoft Defender for Office 365](../security/office-365-security/defender-for-office-365.md) for an overview. To set up, see [set up Safe Links](https://support.microsoft.com/office/61492713-53c2-47da-a6e7-fa97479e97fa), [set up Safe Attachments](https://support.microsoft.com/office/e7e68934-23dc-4b9c-b714-e82e27a8f8a5), and [set up Anti-phishing in Defender for Office 365](https://support.microsoft.com/office/86c425e1-1686-430a-9151-f7176cce4f2c).
-
-### Sensitivity labels
-
-To start using sensitivity labels, see [Overview of sensitivity labels](../compliance/sensitivity-labels.md) and [create and manage sensitivity labels](../business-video/create-sensitivity-labels.md) video.
-
-## Related content
-
-[Change plans manually](../commerce/subscriptions/change-plans-manually.md) (article)\
-[Upgrade Windows devices to Windows 10 Pro](upgrade-to-windows-pro-creators-update.md) (video)\
-[Set app protection settings for Android or iOS devices](app-protection-settings-for-android-and-ios.md) (article)\
-[Set or edit application protection settings for Windows 10 devices](protection-settings-for-windows-10-devices.md) (article)\
-[]
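Review bot: The "Set up policies to protect user devices and files", "Mailbox Size" and "Threat protection" sections are the post-migration checklist for this path. They state that device and app policies, Defender for Office 365 (Safe Links, Safe Attachments, anti-phishing) and the 50 GB Exchange Online Plan 1 limit all have to be handled after the licence switch. The intro says "After the migration, you'll need to set up the features that are added", so dropping the file without a successor leaves that setup undocumented. Please point to the article that now carries these steps, or add a redirect to it.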
-
business Migrate From Microsoft 365 Business To Microsoft 365 Enterprise https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/migrate-from-microsoft-365-business-to-microsoft-365-enterprise.md
- Title: "Migrate from Microsoft 365 Business to Microsoft 365 E3"-- NOCSH-----
-localization_priority: Normal
--- Adm_O365-- M365-subscription-management--- Core_O365Admin_Migration-- MiniMaven-- MSB365-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Learn how to move your business from Microsoft 365 Business Premium to Microsoft 365 E3."
--
-# Migrate from Microsoft 365 Business Premium to Microsoft 365 E3
-
-Microsoft 365 Business Premium has everything you need for your small business, combining the best-in-class cloud-based productivity apps with simple device management and security that enable your employees to do their best work. In some cases, however, you may need to migrate your Microsoft 365 Business Premium subscription to Microsoft 365 E3.
-
-For example, your business has grown and needs more than 300 licenses (congratulations, by the way).
-
-Or, your business needs enterprise features, such as Microsoft 365 Apps for enterprise, Windows 10 Enterprise E3, or Enterprise Client Access Licenses (CALs).
-
-Upgrading is easy: you can start the upgrade [from the Admin center](../commerce/subscriptions/upgrade-to-different-plan.md). All your data and configuration in your current subscription is maintained. There's nothing for you to do to prepare for the migration and nothing to do afterward, except take advantage of the new features.
-
-> [!NOTE]
-> You can also use a Microsoft 365 Business Premium subscription for up to 300 seats and get a Microsoft 365 E3 subscription for more than 300 seats. However, Microsoft Defender for Office 365 is not included with Microsoft 365 E3. For continued threat protection, you should add additional Defender for Office 365 licenses so that all of the users in scope of your Defender for Office 365 polices are licensed.
-
-## Differences between Microsoft 365 Business Premium and Microsoft 365 Enterprise
-
-This table shows the differences between Microsoft 365 Business Premium and Microsoft 365 E3.
-
-| Feature | Support in Microsoft 365 Business Premium | Support in Microsoft 365 E3 |
-|:-|:--|:--|
-| **On-premises** | | |
-| Windows 10 | Windows 10 Business | Windows 10 Enterprise E3|
-| Office apps* | [Microsoft 365 Apps for business](#office-365-business) | Microsoft 365 Apps for enterprise |
-| **Cloud productivity apps** | | |
-| Exchange Online and Outlook | 50 GB storage limit per mailbox and unlimited Exchange Online archiving | 100 GB storage limit per mailbox and unlimited Exchange Online archiving |
-| Teams | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| OneDrive for Business | 1 TB storage limit per user | Unlimited |
-| Yammer, SharePoint Online, Planner, Stream | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| **Threat Protection** | | |
-| Attack surface reduction capabilities | [See this list](#threat-protection) | Enterprise management of hardware-based isolation for Microsoft Edge |
-| Defender for Office 365 Plan 1 | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | Not included, but can be added on |
-| **Identity management** | | |
-| Self-service password reset for hybrid Azure Active Directory (Azure AD) accounts, Azure AD multi-factor authentication (MFA), Conditional Access, password writeback for on-premises identities| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Cloud App Discovery, Azure AD Connect Health | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Azure AD Office 365 apps Single Sign-On (SSO): 10 apps per user (Gallery SaaS apps such as Salesforce)* | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Azure AD Premium 1 SSO: no limit (On-premises apps through Azure AD Application Proxy and non-gallery apps using Self-Service App Integration templates) | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| **Device and app management** | | |
-| Microsoft Intune, Windows Autopilot| ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-|Virtual Desktop Access (VDA) | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-|Windows Virtual Desktop (WVD) | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-|Shared Computer Activation (SCA) | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Microsoft Desktop Optimization Package | | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| **Information protection** | | |
-| Office 365 Data Loss Prevention, Azure Information Protection Plan 1 | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Window Information Protection for endpoint DLP | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| **Client Access License (CAL rights)** | | |
-| Enterprise CAL Suite (Exchange, SharePoint, Skype, Windows, Microsoft Endpoint Configuration Manager, Windows Rights Management)| | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| **Compliance** | | |
-| Unlimited email archiving | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Compliance Manager | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| eDiscovery | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| In-place hold and litigation hold | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-| Messaging Records Management (MRM) retention tags and retention policies | ![Included with Microsoft 365 Business Premium](../media/check-mark.png) | ![Included with Microsoft 365 E3](../media/check-mark.png) |
-||||
-
-\* Users who have been assigned access to SaaS apps can get SSO access to up to 10 apps. Admins can configure SSO and change user access to different SaaS apps, but SSO access is only allowed for 10 apps per user at a time. All Office 365 apps are counted as a single app.
-
-## Migration
-
-To migrate, work with your partner to move your Microsoft 365 Business Premium subscription and licenses to a suitable Microsoft 365 E3 subscription with its licenses.
-
-The following sections describe what changes you need to make, if any, and what you can do after the migration.
-
-### Microsoft 365 subscription configuration and data
-
-You don't need to make any changes to your current subscription or data before migrating, which includes:
--- Subscription configuration, such as DNS domain names.-- User and group accounts and authentication settings, such as multi factor authentication or conditional access policies.-- Productivity service configurations and their data, such as Teams, Exchange Online mailboxes, SharePoint Online sites, OneDrive for Business folders, and OneNote notebooks.-
-Your users can now enjoy unlimited storage in the Exchange Online mailboxes and OneDrive for Business folders.
-
-You can begin using Cloud App Discovery, Azure AD Connect Health, and SSO for more than 10 apps.
-
-<a name="threat-protection"></a>
-### Threat protection
-
-Windows 10 Business includes these protections:
--- Integrity enforcement of operating system boot up process-- Integrity enforcement of sensitive operating components-- Advanced vulnerability and zero-day exploit mitigations-- Reputation-based network protection for Microsoft Edge, Internet Explorer, and Chrome-- Host-based firewall-- Ransomware mitigations-- Hardware-based isolation for Microsoft Edge-- Application control powered by the Intelligent Security Graph-- Device control (USB)-- Network protection for web-based threats-- Host intrusion prevention rules-
-Windows 10 Enterprise E3 also includes enterprise management of hardware-based isolation for Microsoft Edge.
-
-> [!NOTE]
-> Users migrated to Microsoft 365 E3 will each require a Microsoft Defender for Office 365 license for continued threat protection. Be sure to purchase additional Defender for Office 365 licenses so that all of the users in scope of your Defender for Office 365 polices are licensed.
-
-### Device management with Intune
-
-You don't need to make any changes to your current Intune configuration before migrating, which includes enrolled devices and device and app settings.
-
-### Windows 10
-
-Microsoft 365 Business Premium includes Windows 10 Business, which you can install with Windows AutoPilot. When you migrate to Microsoft 365 E3, each user license includes Windows 10 Enterprise E3, which you can also install with Windows Autopilot.
-
-<a name="office-365-business"></a>
-### Microsoft 365 Apps for business
-
-Your Microsoft 365 Apps for business client installed on your devices will automatically begin to use the features of Microsoft 365 Apps for enterprise. After migration, you can now use:
--- Group Policy support-- Spreadsheet compare and inquire-- Business intelligence
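Review bot: the NOTE under "Threat protection" is the one place in these removed lines that tells admins each user migrated to Microsoft 365 E3 needs a Microsoft Defender for Office 365 license for continued threat protection. If the article is being retired, carry that caveat into whatever replaces it, because a migration done without it leaves users outside the scope of the Defender for Office 365 policies. The footnote capping SSO at 10 apps per user is a similar limit worth keeping next to the feature comparison.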
business Migrate To Microsoft 365 Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/migrate-to-microsoft-365-business.md
- Title: "Upgrade to Microsoft 365 Business Premium from Microsoft 365 Business Standard"-- NOCSH-----
-localization_priority: Normal
--- Adm_O365-- M365-subscription-management --- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Learn the difference between Microsoft 365 Business Standard and Microsoft 365 Business Premium and how you can upgrade to Microsoft 365 Business Premium."
--
-# Upgrade to Microsoft 365 Business Premium from Microsoft 365 Business Standard
-
-If you have a [Microsoft 365 for business subscription](https://products.office.com/compare-all-microsoft-office-products-4-column?activetab=tab:primaryr2), for example, Microsoft 365 Business Standard, you can easily upgrade to Microsoft 365 Business Premium. Upgrade to Microsoft 365 Business Premium if you want to add:
--- Windows 10 Pro (to PCs running Windows 8 or later)--- Simple controls that manage business data on devices--- Advanced security capabilities.
-Find out more about Microsoft 365 Business Premium at [Microsoft.com](https://www.microsoft.com/microsoft-365/business)
-
-## What's the difference between Microsoft 365 Business Standard and Microsoft 365 Business Premium?
-
-We've added a side-by-side comparison of these two plans to the [Microsoft 365 Business Premium Service Description](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-business-service-description).
-
-## Before you begin
--- **When should I choose to upgrade?** Upgrade is the right choice when you want to upgrade **all users** assigned to a single plan. When you choose upgrade, all plan users get switched to another plan at the same time. If you don't want to upgrade everyone assigned to a single plan, buy licenses for the new plan (in this case Microsoft 365 Business Premium), and [assign those licenses individually](../admin/manage/assign-licenses-to-users.md) to each user that you want to upgrade.--- **Some add-ons might prevent the upgrade** If you try to start an upgrade and you have an add-on that prevents you from continuing, you can remove the add-on first, and then add it back later if you still need it.--- **If you prepaid your plan** There isn't a straightforward upgrade path for prepaid plans. You'll know if you have a prepaid plan because you set up your plan using a product ID that you might have purchased in a store. Contact a partner, go to the Microsoft Store, or wait until your prepaid plan expires to switch to a new plan.-
-## Upgrade to Microsoft 365 Business Premium
-
-1. Sign into the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
-
-2. Go to the navigation pane and select **Billing** \> **Your products**. Find your current subscription and select it to view the details.
-
-3. On the next page, select **Upgrade**.
-
- > [!NOTE]
- > If you see a message that says **Upgrading your subscription is not supported with group-based licensing in Azure Active Directory**, you can safely ignore this unless you have a very large organization. Organizations who have selected this option will be aware that they're using group-based licensing.
-
-4. Next, you can view a list of plans that you can upgrade to. In this case, find the Microsoft 365 Business Premium plan. You can scroll down if you want to see all the apps and services that are included with this plan. Under **Microsoft 365 Business Premium**, select **Upgrade** to add Microsoft 365 Business Premium to your cart.
-
-5. In the cart:
-
- 1. We'll automatically include licenses for all your current users. If you need more or fewer licenses, you need to [buy and assign those licenses individually](../admin/manage/assign-licenses-to-users.md).
- 2. You can adjust how you'd like to pay: monthly or yearly. Select the drop-down menu to make your choice.
-
-6. Select **Go to Checkout** where you'll see a summary of your purchase, including the payment method for this account. You can also add a promo code here if you have one.
-
-7. Select **Place order** to complete your purchase.\
-It takes Microsoft a few minutes to set up your new service plans. To check on progress, select **Check upgrade status**.
-
-8. When your plan is ready, you might need to complete some additional setup steps in the admin center. In the navigation pane, select **Home** to complete any additional setup steps.
-
-> [!NOTE]
-> You'll receive a prorated refund for the Microsoft 365 licenses that you no longer need. Your bank account or credit card will be charged about two days after you set up the new plan.
-
-## Protect user devices and files
-
-Now that Microsoft 365 Business Premium licenses have been assigned, complete steps to start protecting devices and files. You'll use some new options included in the admin center navigation pane.
-
-1. In the admin center, in the navigation pane, go to **Devices** \> **Policies**.
-
-2. On the **Device policies** page, select **Add**.
-
-3. In the **Add policy** pane give the policy a name (for example, Protect work files), and then choose a **Policy type** from the drop-down list.
-
- You can set up application policies for protecting files on Android and iPhone devices, as well as Windows 10, and you can set up device configuration policies for company owned Windows 10 devices. See the following links for details:
-
- - [Set app protection settings for Android or iOS devices](app-protection-settings-for-android-and-ios.md)
-
- - [Set application protection settings for Windows 10 devices](protection-settings-for-windows-10-devices.md)
-
- - [Set device protection settings for Windows 10 PCs](protection-settings-for-windows-10-pcs.md)
-
-4. After you set up policies, you and your employees can set up devices:
-
- - If your Windows devices aren't already using the Windows Pro Creator update, you'll need to [upgrade them to Windows Pro Creators Update](upgrade-to-windows-pro-creators-update.md).
-
- - See [Set up Windows devices for Microsoft 365 Business Premium users](set-up-windows-devices.md) for steps for Windows devices.
-
- - See [Set up mobile devices for Microsoft 365 Business Premium users](set-up-mobile-devices.md) for steps for Android phones and iPhones.
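Review bot: the "Protect user devices and files" section at the end of this file is the hand-off from "licenses have been assigned" to actually creating device and app protection policies under **Devices** > **Policies**. Deleting the file without an equivalent post-upgrade step elsewhere means an upgraded tenant can hold Business Premium licenses with no policies applied. Please confirm the replacement upgrade article keeps a pointer to policy setup, and that a redirect covers `migrate-to-microsoft-365-business.md`, since other articles link to it by that relative path.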
business Move Files To Onedrive https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/move-files-to-onedrive.md
- Title: "Move files to OneDrive for Business"-- NOCSH-----
-localization_priority: Normal
---- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- TRN_M365B-- OKR_SMB_Videos-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Learn how you can move your personal work files and sensitive company files to OneDrive for Business in just a few easy steps."
--
-# Move files to OneDrive for Business
-
-Watch a short video about moving files to OneDrive for Business.<br><br>
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/d74b083c-1f44-43ea-8a14-2e1fc600b341]
-
-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../business-video/index.yml).
--
-## Move files to OneDrive for Business
-
-If a user has a computer that includes many personal files, you should first move those files to OneDrive for Business:
-
-1. Go to admin.microsoft.com and sign in with the user's Microsoft 365 for business credentials.
-
-2. Click the app launcher ![The app launcher icon in Office 365](../media/7502f4ec-3c9a-435d-a7b4-b9cda85189a7.png) and go to OneDrive.
-
-3. Choose **Upload**![Upload](../media/d9b963b8-10af-42e2-953d-360301b83d3c.png) in the menu bar, and browse to the files you want to save.
-
-To transfer the user profile and important files, you can also use a third-party tool, such as ForensiT. You should upload the resulting files in OneDrive for Business also.
-
-## For more on setting up and using Microsoft 365 for business
-
-[Microsoft 365 for business training videos](../business-video/index.yml)
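Review bot: step 1 of "Move files to OneDrive for Business" has the reader go to admin.microsoft.com and sign in "with the user's Microsoft 365 for business credentials", which reads as an admin handling another person's password. If this procedure is moved rather than dropped, reword it so the user signs in to their own account. The ForensiT suggestion also names a third-party profile-transfer tool with no link or guidance on where the exported profile data ends up, which is worth tightening in the same pass.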
business Protect Data With Windows Defender Exploit Guard Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/protect-data-with-windows-defender-exploit-guard-settings.md
- Title: "Protect your data with Windows Defender Exploit Guard settings"-- NOCSH------ 'O365E_Win10DevPol_Ransomware'-- 'O365E_Win10DevPol_NetworkProt'-- 'O365E_Win10DevPol_ASR'-- 'BCS365_Win10DevPol_Ransomware'-- 'BCS365_Win10DevPol_NetworkProt'-- 'BCS365_Win10DevPol_ASR'-
-localization_priority: Normal
---- Core_O365Admin_Migration-- MiniMaven-- MSB365-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150
-description: "Learn how to protect the Windows 10 devices in your organization from malware attacks, ransomware, and malicious content on the internet."
--
-# Protect your data with Windows Defender Exploit Guard settings
-
-This article applies to Microsoft 365 Business Premium.
-
-You can set up policies to help protect the Windows 10 devices in your organization from malware attacks, ransomware, and malicious content on the internet.
-
-## Reduce the attack surface of devices
-
-This setting targets specific behaviors that are typically used by malware and malicious apps to infect machines, such as:
-
-- Malware included as executable files and scripts in Office apps or email.
-
-- Scripts that are obfuscated or otherwise suspicious.
-
-- App behaviors that aren't usually initiated during normal day-to-day work.
-
-For more information about this setting, read [Reduce attack surfaces](/windows/security/threat-protection/microsoft-defender-atp/exploit-protection).
-
-## Protect folders from threats such as ransomware
-
-When this setting is turned on, all apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus to determine if the app is malicious or safe. If an app is determined to be malicious or suspicious, then it won't be allowed to make changes to any files in any protected folder.
-
-This setting is especially useful in helping to protect your documents and information from ransomware that can attempt to encrypt your files and hold them hostage.
-
-For more information about this setting, read [Protect important folders with controlled folder access](/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy#bkmk_CFA).
-
-## Prevent network access to potentially malicious content on the internet
-
-Network protection helps reduce the attack surface of your devices from internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet.
-
-For more information about this setting, read [Protect your network](/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy#bkmk_Nwp).
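Review bot: the link text and targets in this file do not line up, and that should not be copied into any replacement. Under "Reduce the attack surface of devices", `[Reduce attack surfaces]` points at `.../microsoft-defender-atp/exploit-protection`, which is the exploit protection article, a separate feature from the attack surface reduction behaviour the section describes. The controlled folder access and network protection links both go to `/mem/configmgr/.../create-deploy-exploit-guard-policy`, a Configuration Manager page, although the article states it applies to Microsoft 365 Business Premium. Suggest linking each section to the article for the feature it names.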
business Protect Work Files On Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/protect-work-files-on-devices.md
- Title: "Protect work files on devices"-- NOCSH------ 'O365E_BCSSetup4MobileData'-- 'BCSSetup4MobileData'-- 'BCS365_BCSSetup4MobileData'-
-localization_priority: Normal
--- M365-subscription-management-- M365-identity-device-management --- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150
-description: "Learn about default configuration and adding application management policies to protect company data on users' personal mobile devices. "
--
-# Protect work files on devices
-
-This article applies to Microsoft 365 Business Premium.
-
-In today's world, users are tied to their devices, and as personal and work life collide, your company data can end up on an employee's personal device. The settings that you configure here can help you take back control and provide protection for work files, without affecting any of the user's personal settings or data.
-
-## Configuring policies during setup
-
-During setup, three application management policies are added, one each for Android, iOS, and Windows 10. Each policy has the same settings and they apply to all users. The policies are activated when the user connects their work account to their mobile phone.
-
-We recommend that you accept the default configuration during setup. After setup completes, you can add more policies that let you fine-tune the configuration and let you apply varying levels of control for specific user groups.
-
-To add policies after setup, see [Manage policies and devices in the admin center](manage.md).
business Protect Work Files On Lost Or Stolen Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/protect-work-files-on-lost-or-stolen-device.md
- Title: "Protect work files when a mobile device is lost or stolen"-- NOCSH------ 'O365E_BCSSetup4StolenDevice'-
-localization_priority: Normal
--- M365-subscription-management-- M365-identity-device-management--- Core_O365Admin_Migration-- MiniMaven-- MSB365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150
-description: "Learn about the settings available in Microsoft 365 for business to protect work files if a user's device is lost or stolen."
--
-# Protect work files when a mobile device is lost or stolen
-
-The policy settings determine what happens automatically to protect a device that is lost or stolen. We recommend that you accept the default values during setup to create application policies for Android, iOS, and Windows 10 that apply to all users. You can create more policies after setup completes.
-
-## Settings that protect work files
-
-The following settings are available to protect work files if a user's device is lost or stolen:
--
-|Setting <br/> |Description <br/> |
-|:--|:--|
-|Delete work files from an inactive device after this many days <br/> |If a device isn't used for the number of days that you specify here, any work files stored on the device are automatically deleted. <br/> |
-|Force users to save all work files to OneDrive for Business <br/> |If this setting is **On**, the only available save location for work files is OneDrive for Business. <br/> |
-|Encrypt work files <br/> |Keep this setting **On** so that work files are protected by encryption. Even if the device is lost or stolen, no one can read your company data. <br/> |
-
-
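Review bot: in the settings table, the "Encrypt work files" row says "Even if the device is lost or stolen, no one can read your company data", which is an absolute guarantee the setting cannot back. If the table is reused elsewhere, phrase it as helping to prevent others from reading work files. The "Delete work files from an inactive device after this many days" row would also benefit from stating the default value, since the intro recommends accepting the defaults.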
business Security Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/security-features.md
- Title: "Microsoft 365 Business Premium security and compliance features"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management-- M365-security-compliance --- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Learn about the security features that come with Microsoft 365 Business Premium to help safeguard your data on PCs, phones, and tablets."
--
-# Microsoft 365 Business Premium security and compliance features
-
-Microsoft 365 Business Premium offers simplified security features to help safeguard your data on PCs, phones, and tablets.
-
-## Microsoft 365 admin center security features
-
-You can manage many of the Microsoft 365 Business Premium security features in the admin center, which gives you a simplified way to turn these features on or off. In the admin center, you can do the following:
-
-- [Set application management settings for Android or iOS devices](app-protection-settings-for-android-and-ios.md) .
-
- These settings include deleting files from an inactive device after a set period, encrypting work files, requiring that users set a PIN, and so on.
-
-- [Set application protection settings for Windows 10 devices](protection-settings-for-windows-10-devices.md) .
-
- These settings can be applied to company data on both company-owned, or personally owned devices.
-
-- [Set device protection settings for Windows 10 devices](protection-settings-for-windows-10-pcs.md) .
-
- You can enable [BitLocker](/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions) encryption to help protect data in case a device is lost or stolen, and enable [Windows Exploit Guard](/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection) to provide advanced protection against ransomware.
-
-- [Remove company data from devices](remove-company-data.md)
-
- You can remotely wipe company data if a device is lost, stolen, or an employee leaves your company.
-
-- [Reset Windows 10 devices to their factory settings](reset-devices-to-factory-settings.md) .
-
- You can reset any Windows 10 devices that have device protection settings applied to them.
-
-## Additional security features
-
-Advanced features in Microsoft 365 Business Premium are available to help you protect your business against cyber-threats and safeguard sensitive information.
-
-- **[Microsoft Defender for Office 365](../security/office-365-security/defender-for-office-365.md)**
-
- Microsoft Defender for Office 365 helps guard your business against sophisticated phishing and ransomware attacks designed to compromise employee or customer information. Features include:
-
- - Sophisticated attachment scanning and AI-powered analysis to detect and discard dangerous messages.
-
- - Automatic checks of links in email to assess if they're part of a phishing scheme. This keeps you safe from accessing unsafe websites.
--- **[The full capabilities of Intune in the Azure portal](/mem/intune/fundamentals/what-is-intune)**
-
- Accessing the Intune admin center in the Azure portal allows you to set up additional security features, such as management of MacOS devices, iPhone, and Android devices, along with advanced device management for Windows, that aren't available through Microsoft 365 admin center.
-- **Same [Conditional Access](/azure/active-directory/conditional-access/overview) as Azure AD Premium P1 plan**--
- Conditional Access can help protect your organization from sign-in risk, access attempts from an unexpected network or locale, access attempts from risky device types, and so on. Conditional Access policies are enforced after the first authentication is completed, and it uses signals from the first authentication event to determine if the attempted access should be approved, denied, or if more proof (such as a second form of identification) is required.
-
- The conditional access features included are:
-
- - Access based on username, group, and role
- - Access [based on an app](/azure/active-directory/conditional-access/app-based-conditional-access)
- - [Access based on location](/azure/active-directory/authentication/howto-registration-mfa-sspr-combined#conditional-access-policies-for-combined-registration); only allow access from trusted IP ranges or specific countries
- - Require MFA for access
- - Block access to apps that use [legacy authentication](/azure/active-directory/conditional-access/block-legacy-authentication)
- - Require apps to use [Intune app protection](/azure/active-directory/conditional-access/app-protection-based-conditional-access)
- - Custom authentication such as MFA with third-party providers, for example DUO.
-
- Other features:
- - [Self-service password reset](/azure/active-directory/authentication/concept-sspr-customization) for hybrid Azure AD
-
-## Compliance features
-
-Your Microsoft 365 Business Premium subscription includes features that help you maintain compliance and regulatory standards.
--- **[Learn about data loss prevention](../compliance/dlp-learn-about-dlp.md))** (DLP).
-
- You can set up DLP to automatically detect sensitive information, like credit card numbers, social security numbers, and so on, to prevent their inadvertent sharing outside your company.
-
-- **[Exchange Online Archiving](https://products.office.com/exchange/microsoft-exchange-online-archiving-email)**
-
- Exchange Online Archiving license enables messages to be easily archived with continuous data backup. It stores all of a user's emails, including deleted items, in case they're needed later for discovery or restoration. Additionally, you can use different retention policies to preserve email data for litigation holds, eDiscovery, or to meet compliance requirements.
-
-- **[Sensitivity labels](../compliance/sensitivity-labels.md)**-
- Microsoft 365 Business Premium includes all the features of [Azure Information Protection Plan 1](https://go.microsoft.com/fwlink/p/?linkid=871407). With this plan, you can create **Sensitivity labels** that allow you to control access to sensitive information in email and documents, with controls like "Do not forward" and "Do not copy." You can also classify sensitive information as "Confidential" and specify how classified information can be shared outside and inside the business. Enterprise-grade encryption is easy to apply to email and documents to keep your information private. You can also install the Azure Information Protection client add-in for Office apps. For more information, see [Azure Information Protection unified labeling client](/azure/information-protection/rms-client/unifiedlabelingclient-version-release-history). For Sensitivity labels, install the **AzInfoProtection_UL.exe**.
-
-You can manage these features in the Security &amp; Compliance center and the Intune admin center. Over time the simplified controls will be added to the Microsoft 365 admin center.
-
-
-## FAQ
-
- ### Are these security features available in all markets?
-
-Yes, these features are available in all markets where Microsoft 365 Business Premium is sold.
-
-### How do I find the Security &amp; Compliance center?
-
-1. [Sign in to Microsoft 365 Business Premium](https://portal.microsoft.com/) by using your admin credentials.
-
-2. In the left nav, locate **Admin centers** and expand it.
-
- ![In the left nav in the Microsoft 365 admin center, choose Admin centers.](../media/fa4484f8-c637-45fd-a7bd-bdb3abfd6c03.png)
-
-3. Choose **Security &amp; Compliance** to go to Security &amp; compliance center.
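Review bot: in the Conditional Access list, the "Access based on location" bullet links to `howto-registration-mfa-sspr-combined#conditional-access-policies-for-combined-registration`, which by its path is the combined MFA and SSPR registration article rather than anything about trusted IP ranges or countries. The DLP bullet also has a stray closing parenthesis in `(../compliance/dlp-learn-about-dlp.md))`. Neither matters once the file is gone, but this list is where the plan's included controls (require MFA, block legacy authentication, Intune app protection) are enumerated, so check that the page taking over this content has the corrected links rather than a copy of these.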
business Set Up Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/set-up-overview.md
- Title: "Overview of setup"-- NOCSH------ 'O365E_M365SetupBanner'-- 'BCS365_M365SetupBanner'-
-localization_priority: Normal
--- Adm_O365-- M365-subscription-management--- Adm_O365-- Core_O365Admin_Migration-- MSB365-- OKR_SMB_M365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Learn the setup steps for Microsoft 365 Business Premium, from subscribing, to adding a domain and users, to setting up security policies, and more."
--
-# Overview of setup
-
-Watch a short video about Microsoft 365 Business Premium setup.<br><br>
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4jZwg]
-
-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../business-video/index.yml).
-
-Most of the setup steps can be done in the guided setup, but the other options are also listed.
-
-## Step 1: Add your domain and users
-
- - **[Add your domain](set-up.md#add-your-domain-to-personalize-sign-in)** (if you bought your domain during [sign up](sign-up.md), this step is already done.)
-
- - **Add users**. You can add users in any of the three ways:
- - In the [guided setup](set-up.md#add-users-in-the-wizard).
- - Use directory synchronization to [add users by using Azure AD Connect](../enterprise/set-up-directory-synchronization.md) if you have an on-premises Active directory.
- - You can also [add users later](../admin/add-users/add-users.md) in the admin center.
-## Step 2: Set up security policies and configure devices
-
- - Use the [guided setup](set-up.md#protect-your-organization) to configure device policies.
- - You can also add more or edit them later in the [admin center](view-policies-and-devices.md) and in the [Intune portal](/intune/tutorial-walkthrough-intune-portal).
- - The setup wizard will also set up basic threat protection and data loss prevention settings.
-
- In addition to the security settings in the setup wizard, you can increase your security by adding the following settings:
--- **Email malware protection**-- **Anti-phishing in Defender for Office 365**-- **Exchange Online Archiving**-- **Azure Information Protection (Plan1**)-
-To get started, see [increase threat protection](increase-threat-protection.md) and [set up compliance features](set-up-compliance.md).
-
-See also [top 10 ways to secure your Microsoft 365 Business Premium](/office365/admin/security-and-compliance/secure-your-business-data) for a road-map of best security practices.
-
-## Step 3: Set up and manage Windows 10 devices
-
-After you complete the guided setup, you will want to protect all the Windows 10 computers in your organization.
-
-- Windows 10 Pro is a [prerequisite](pre-requisites-for-data-protection.md) for Microsoft 365 Business Premium, but if you have Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your subscription entitles you to an [upgrade to Windows 10 Pro](./upgrade-to-windows-pro-creators-update.md).-- Follow the steps in [secure Windows 10 PCs](secure-win-10-pcs.md) to set up policies for Windows 10 devices.-
-When you join a Windows 10 device to Azure AD, the policies you set for Windows 10 computers get applied to it. For more information, see [Set up Windows devices for Microsoft 365 users](set-up-windows-devices.md).
-
-## Step 4: Install Microsoft 365 Apps for business
-- You can automatically install Office in the Windows devices by using the [setup wizard](set-up.md#deploy-office-365-client-apps).-- Let users [install Office apps](/office365/admin/setup/install-applications) for Windows and devices.
-
-## Advanced
-- **Use Autopilot to set up new devices**
-
- You can use [Windows Autopilot](add-autopilot-devices-and-profile.md) to automatically pre-configure **new** Windows 10 devices for a user, but it might be easier to get a [partner](https://www.microsoft.com/solution-providers/search) who can do this for you. You can also go to [Microsoft Store](https://go.microsoft.com/fwlink/?linkid=874598), and ask a cloud technology expert to set up new devices that you purchase.
--- **Access on-premises resources**-
- - If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business Premium to protect your Windows 10 devices, while still maintaining access to on-premises resources that require local authentication. Follow the steps in [Enable domain-joined Windows 10 devices to be managed by Microsoft 365 Business Premium](manage-windows-devices.md) to set this up. This is the preferred method, and devices in this state are called Hybrid Azure AD joined devices.
-
- - If your business has a local Active Directory that contains some on-premises resources (such as file shares and printers), you can give your Azure AD-joined devices access to these resources by following the steps here: [Access on-premises resources from an Azure AD-joined device in Microsoft 365 Business Premium](access-resources.md).
-
-## Related content
-
-[Microsoft 365 for business training videos](../business-video/index.yml) (link page)
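Review bot: Step 2 states that the setup wizard configures only "basic threat protection and data loss prevention settings" and then lists four items the admin has to add separately, but that list is easy to miss and its last entry is malformed (`**Azure Information Protection (Plan1**)` closes the bold before the parenthesis). If an overview page survives this cleanup, keep the distinction between what the wizard sets and what it does not, and fix the markup. Under "Access on-premises resources", "This is the preferred method" should name the method (Hybrid Azure AD join) so it is not read as applying to the bullet that follows.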
business Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/sign-up.md
- Title: "Sign up for Microsoft 365 Business Premium"-- NOCSH-----
-localization_priority: Normal
--- Adm_O365-- M365-subscription-management-- TRN_SMB--- Adm_O365-- Core_O365Admin_Migration-- MSB365-- OKR_SMB_M365-- TRN_M365B-- OKR_SMB_Videos-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Learn what Microsoft 365 Business Premium includes, and get step-by-step guidance in signing up for Microsoft 365 Business Premium."
--
-# Sign up for Microsoft 365 Business Premium
-
-To find out what Microsoft 365 Business Premium includes, watch a [short video](../business-video/what-is-microsoft-365.md) and see the [Overview](microsoft-365-business-overview.md).
-
-There are three ways to get Microsoft 365 Business Premium:
-- **Buy Microsoft 365 Business Premium and complete your own setup**: To purchase Microsoft 365 Business Premium online, [follow the steps below](#sign-up-steps).-- **For Microsoft partners**: If you're a partner, see [Get Microsoft 365 Business Premium from Microsoft Partner Center](get-microsoft-365-business.md).-- **Get help at a Microsoft store**: Head to a [Microsoft Store](https://go.microsoft.com/fwlink/?linkid=2109652). Microsoft stores can help you with questions about plans, help you purchase a plan that suits your business needs, and help you complete your setup.-
-**Need something different?** You can:
-- [Upgrade your Office 365 plan to Microsoft 365 Business Premium](migrate-to-microsoft-365-business.md).-- [Get a free trial](https://go.microsoft.com/fwlink/p/?linkid=2102309) of Microsoft 365 Business Premium for one month.-- [Sign up for Microsoft 365 Business Standard](https://go.microsoft.com/fwlink/p/?LinkID=510935) if you need a plan with fewer features. Find out what each business plan includes at [products.office.com](https://go.microsoft.com/fwlink/?linkid=2109397).-- [Sign up for a home or family plan](https://go.microsoft.com/fwlink/?linkid=2109398) if you're not buying for a business. -
-## Sign up steps
-
-Watch this video for a quick overview of the sign-up process.<br><br>
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3znhX]
-
-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](https://support.microsoft.com/office/6ab4bbcd-79cf-4000-a0bd-d42ce4d12816).
-
-To sign up and purchase Microsoft 365 for your business, complete the following steps:
-
-1. On the [Microsoft 365 for business page](https://go.microsoft.com/fwlink/?linkid=2109654), select **See plans & pricing**.
-2. On the next page, find out the monthly cost, and then scroll down the page to find out more about what's included in Microsoft 365. Under Microsoft 365 Business Premium, select **Buy now**.
-3. On the **Thank you for choosing Microsoft 365 Business Premium** page, enter your information to get started.
-4. In **step 1**, enter an email address that you already use. This can be your current work email address or any address you want Microsoft to use to communicate with you during setup. It is also the address where we'll send you information about your bill and renewals. Then select, **Set up account**.
-5. In **step 2**, enter your name, business phone number, company name, and location. Your Country or Region determines the exact services you receive from Microsoft, and can't be changed after you complete this step. Select **Next**.
- > [!NOTE]
- > We display your company name in the admin center; this is where you manage Microsoft 365 users, licenses, and so on. We also include it in any internal (SharePoint) site URLs.
-6. In **step 3**:
-
- 1. Prove you're not a robot! Select either **Text me** or **Call me**, and enter a number where we can reach you. Select **Send Verification Code** and you'll receive a text or call right away. Enter your code and select **Verify**.
- 2. Next, decide whether to buy a new domain name or get a temporary one:
-
- - **I don't own a domain name**
-
- If your email address doesn't include your business name and if you don't have a web site that uses your business name, you can easily buy a domain now. Select **Buy a new domain name**, and enter the name of your business. For example, if your company is called *ContosoSkis*, try entering Contosokis.com, Contososkis.org, or Contososkis.biz. Then select **Check availability** to see whether your chosen domain is available. You can try multiple options before you make a decision. If your domain name is available, we'll let you know the cost and bill you directly with your new plan.
-
- > [!TIP]
- > if you're not sure what domain extension to choose for your new domain (for example, .com or .org), see [Buy a domain name](../admin/get-help-with-domains/buy-a-domain-name.md)
-
- - **I'm not sure, or I own a domain name already**
-
- Choose **Get a Microsoft domain for now**. This doesn't cost anything, and later you can get a custom name for your business, or connect to one you already own. We'll show you how.
-
- 3. Select **Next** to create your user ID and business email address. Enter the name (also called an alias) that you want to use. For example, Robert Young might use RobY or RobYoung as a work alias. Add a password and select **Sign up**. Make a note of your password. We'll send an email to the address you entered in step 1 to remind you of your user ID.
-7. In **step 4**:
-
- 1. Decide how many people in your business need a Microsoft 365 license, or leave the **Number of users** set to 1 for now and add more people later.
- 2. Select monthly or annual billing, check the total cost, and select **Next**.
- 3. Add your credit card details. If your company address doesn't match your credit card address, we'll need your company address too. Your company address determines what taxes you pay and which services are available. For more information about taxes, see [What tax will I be charged?](../commerce/billing-and-payments/tax-information.md).
- 4. Select **Place order**.
-It takes a short time for Microsoft to finish setting up a new plan.
-
-## What's next?
-
-Select **Go to setup** to complete other steps such as adding more security to protect your business, and downloading Office apps like Word and Excel.
-
-To get help with setup, see [set up](set-up.md).
-
-## See also
-
-[Microsoft 365 for business training videos](../business-video/index.yml)
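Review bot: The deleted step 5 is the only place in these lines that warns the Country or Region "can't be changed after you complete this step", and step 4 is where the billing and renewal contact address is fixed. Both are effectively one-way choices made at sign-up, so the article that replaces this one should carry those two statements over rather than dropping them with the rest of the walkthrough. If the domain example is reused, note that "Contosokis.com" does not match the company name *ContosoSkis* used in the same sentence.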
business Transition Csp Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/support/transition-csp-subscription.md
- Title: "Transition a Microsoft 365 Business CSP subscription"
-description: "Find out how you can transition a Microsoft 365 Business CSP subscription from preview to general availability (GA)."
--- NOCSH--- seo-marvel-mar-- AdminSurgePortfolio---
-localization_priority: Normal
-keywords: Microsoft 365 Business, Microsoft 365, SMB, transition CSP subscription
Previously updated : 11/01/2017--
-# Transition a Microsoft 365 Business CSP subscription
-
-If you have a Microsoft 365 Business Preview CSP subscription, follow this guide to find out how you can transition your existing preview subscription to Microsoft 365 Business GA (general availability).
-
-**How to transition a preview subscription to GA**
-
-1. Sign in to <a href="https://partnercenter.microsoft.com" target="_blank">Partner Center</a>.
-2. From the dashboard, select **Customers**, and then find and select the company name.
-
- The subscriptions for the company will be listed.
-
- ![Customer's subscriptions in Partner Center](../../media/pc_customer_subscriptions_1.png)
-
-3. On the company's **Subscriptions** page, select **Add subscription**.
-4. On the **New subscription** page, select **Small business** and then select **Microsoft 365 Business** from the list.
-5. Add the number of licenses and then select **Next: Review** to review the subscription and then select **Submit**.
-
- ![Review the new subscription to Microsoft 365 Business](../../media/pc_customer_reviewnewsubscription.png)
-
- The **License-based subscriptions** will show **Microsoft 365 Business Preview** and **Microsoft 365 Business**. You'll suspend the Preview subscription next.
-
-6. Select **Microsoft 365 Business Preview**.
-7. On the **Microsoft 365 Business Preview** page, select **Suspended** to suspend the Preview subscription.
-
- ![Suspend the Microsoft 365 Business Preview subscription](../../media/pc_customer_m365bpreview_suspend.png)
-
-8. Select **Submit** to confirm.
-
- On the **Subscriptions** page, confirm that the **Microsoft 365 Business Preview** status shows **Suspended**.
-
- ![Confirm the Preview subscription status is suspended](../../media/pc_customer_m365bpreview_suspend_confirm.png)
-
-9. Optionally, you can also validate the license agreement. To do this, follow these steps:
- 1. Select **Users and licenses** from the company's **Subscriptions** page.
- 2. On the **Users and licenses** page, select a user.
- 3. On the user's page, check the **Assign licenses** section and confirm that it shows **Microsoft 365 Business**.
-
- ![Confirm the Microsoft 365 Business license is assigned to the user](../../media/pc_customer_userslicenses_m365b_validate.png)
-
-## Impact to customers and users during and after transition
-
-There's no impact to customers and users during transition and post transition.
-
-## Impact to customers who don't transition
-
-The following table summarizes the impact to customers who don't transition from a Microsoft 365 Business Preview subscription to a Microsoft 365 Business subscription.
-
-| | T-0 to T+30 | T+30 to T+60 | T+60 to T+120 | Beyond T+120 |
-|-|--|--|||
-| **State** | In grace period | Expired | Disabled | Deprovisioned |
-| **Service impacts** |
-| **Microsoft 365 admin center** | No impact to functionality | No impact to functionality | Can add/delete users, purchase subscriptions.</br> Can't assign/revoke licenses. | Customer's subscription and all data is deleted. Admin can manage other paid subscriptions. |
-| **Office apps** | No end user impact | No end user impact | Office enters reduced functionality mode.</br> Users can view files only. | Office enters reduced functionality mode.</br> Users can view files only. |
-| **Cloud services (SharePoint Online, Exchange Online, Skype, Teams, and more)** | No end user impact | No end user impact | End users and admins have no access to data in the cloud. | Customer's subscription and all data are deleted. |
-| **EM+S components** | No admin impact</br> No end user impact | No admin impact</br> No end user impact | Capability is no longer enforced.</br> See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. | Capability is no longer enforced.</br> See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. |
-| **Windows 10 Business** | No admin impact</br> No end user impact | No admin impact</br> No end user impact | Capability is no longer enforced.</br> See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. | Capability is no longer enforced.</br> See [Mobile device impacts upon subscription expiration](#mobile-device-impacts-upon-subscription-expiration) and [Windows 10 PC impacts upon subscription expiration](#windows-10-pc-impacts-upon-subscription-expiration) for more info. |
-| **Azure AD login to a Windows 10 PC** | No admin impact</br> No end user impact | No admin impact</br> No end user impact | No admin impact</br> No end user impact | Once the tenant is deleted, a user can sign in with local credentials only. Re-image the device if there are no local credentials. |
-
-## Mobile device impacts upon subscription expiration
-
-The following table summarizes the impact to the app management policies on mobile devices.
-
-| | Fully licensed experience | T+60 days post expiration |
-|-|||
-| **Delete work files from an inactive device** | Work files are removed after selected days | Work files remain on the user's personal devices |
-| **Force users to save all work files to OneDrive for Business** | Work files can only be saved to OneDrive for Business | Work files can be saved anywhere |
-| **Encrypt work files** | Work files are encrypted | Work files are no longer encrypted.</br> Security policies are removed and Office data on apps is removed. |
-| **Require PIN or fingerprint to access Office apps** | Restricted access to apps | No app-level access restriction |
-| **Reset PIN when login fails** | Restricted access to apps | No app-level access restriction |
-| **Require users to sign in again after Office apps have been idle** | Sign-in required | No sign-in required |
-| **Deny access to work files on jailbroken or rooted devices** | Work files can't be accessed on jailbroken/rooted devices | Work files can be accessed on jailbroken/rooted devices |
-| **Allow users to copy content from Office apps to Personal apps** | Copy/paste restricted to apps available as part of Microsoft 365 subscription | Copy/paste available to all apps |
-
-## Windows 10 PC impacts upon subscription expiration
-
-The following table summarizes the impact to the Windows 10 device configuration policies.
-
-| | Fully licensed experience | T+60 days post expiration |
-|-|||
-| **Help protect PCs from threats using Windows Defender** | Turn on/off is outside of user control | User can turn on/off Windows Defender on the Windows 10 PC |
-| **Help protect PCs from web-based threats in Microsoft Edge** | PC protection in Microsoft Edge | User can turn on/off PC protection in Microsoft Edge |
-| **Turn off device screen when idle** | Admin defines screen timeout interval policy | Screen timeout can be configured by end user |
-| **Allow users to download apps from Microsoft Store** | Admin defines if a user can download apps from Microsoft Store | User can download apps from Microsoft Store anytime |
-| **Allow users to access Cortana** | Admin defines policy on user access to Cortana | User devices to turn on/off Cortana |
-| **Allow users to receive tips and advertisements from Microsoft** | Admin defines policy on user receive tips and advertisements from Microsoft | User can turn on/off tips and advertisements from Microsoft |
-| **Allow users to copy content from Office apps into personal apps** | Admin defines policy to keep Windows 10 devices up to date | Users can decide when to update Windows |
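Review bot: Deleting this article also removes the two expiration tables (mobile devices and Windows 10 PCs), which are the only lines here stating that work-file encryption, the jailbroken/rooted-device block and admin control of Windows Defender stop being enforced at T+60. If that behaviour still applies to current subscriptions, move the tables to a surviving article before the delete, for example the expiration article linked from the commerce pages as `./subscriptions/what-if-my-subscription-expires.md`. If they are moved, fix the last Windows 10 row first: its label is "Allow users to copy content from Office apps into personal apps" but both cells describe keeping Windows 10 devices up to date.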
business Troubleshoot Autopilot Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/troubleshoot-autopilot-errors.md
- Title: "Troubleshoot AutoPilot device errors"-- NOCSH------ 'ZTDTroubleshootDeviceErrors'-- 'O365E_ZTDTroubleshootDeviceErrors'-- 'BCS365_ZTDTroubleshootDeviceErrors'-
-localization_priority: Normal
--- M365-subscription-management-- M365-identity-device-management --- Adm_O365-- Core_O365Admin_Migration-- MSB365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150
-description: "Learn how to troubleshoot errors you might see while working with AutoPilot device files in Microsoft 365 Business Premium."
--
-# Troubleshoot AutoPilot device errors
-
-## Device file error messages
-
-Here's info on some of the errors you might see while working with AutoPilot device files in Microsoft 365 Business Premium.
-
-|**Error code**|**Fix to try**|
-|:--|:--|
-|Invalid request body <br/> |This error should happen rarely, if you see this error, try the operation again. <br/> |
-|Hardware hash value for a device isn't correct. <br/> |If you see this error, it means that the value you provided in your CSV file for the hardware hash of one device isn't correct. First, verify that the value was typed correctly. If you think that the value is correct, but this error is still happening, ask your hardware vendor for help. <br/> |
-|Device assigned to another tenant <br/> |If you see this error, it means that the value you provided in your CSV file for either the serial number or the product key of one or more devices isn't correct. First, verify that the value was typed correctly. If you think that the value is correct, but this error is still happening, ask your hardware vendor for help. <br/> |
-|The CSV file contains an invalid serial number or product key <br/> |If you see this error, it means that the device you are trying to register is already registered by another organization. To fix this error, ask your hardware vendor for help. <br/> |
-|This device is not supported for setup by using AutoPilot <br/> | This error means the device doesn't meet AutoPilot deployment requirements. Devices need to meet these requirements: <br/> Windows 10, version 1703 or later. <br/> New devices that haven't been through Windows out-of-box experience. <br/> |
-|Device not found <br/> |This error means that one or more devices in your CSV file isn't registered to your organization. To fix this, ask your hardware vendor for help. <br/> |
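Review bot: In the deleted error table the fixes for "Device assigned to another tenant" and "The CSV file contains an invalid serial number or product key" are attached to the wrong rows: the tenant row explains a mistyped serial number or product key, and the serial-number row explains a device already registered by another organization. If this table is being relocated rather than retired, swap the two "Fix to try" cells in the new copy so an admin who hits the tenant-conflict error is not told to recheck the CSV.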
business Mam And Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/ui/mam-and-mdm.md
description: "Learn the differences between mobile device management and mobile
# Difference between MDM and MAM
-Microsoft 365 Business Premium offers a number of ways for you to protect your business data. See [Overview of Microsoft 365 Business Premium](../microsoft-365-business-overview.md) for more about the various protections that are automatically set up, and what you can set up yourself to further protect your business. You can also set up policies that protect your Windows 10 devices and the data in your mobile devices.
+Microsoft 365 Business Premium offers a number of ways for you to protect your business data. See [Overview of Microsoft 365 Business Premium](../../business-video/what-is-microsoft-365.md) for more about the various protections that are automatically set up, and what you can set up yourself to further protect your business. You can also set up policies that protect your Windows 10 devices and the data in your mobile devices.
[Set application protection settings for Windows 10 devices](../protection-settings-for-windows-10-devices.md). ## Mobile device management or MDM
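Review bot: On the `+` line the link text still reads "Overview of Microsoft 365 Business Premium" but the target is now `../../business-video/what-is-microsoft-365.md`, which the removed sign-up article in this same update describes as a "short video" and distinguishes from the Overview page. Either reword the link text to match the new target or point it at an article that actually lists "the various protections that are automatically set up", since that is what the sentence promises. Also confirm the extra `../` is intended; the other link in this hunk, to `../protection-settings-for-windows-10-devices.md`, keeps a single level.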
business Upgrade To Windows Pro Creators Update https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/upgrade-to-windows-pro-creators-update.md
- Title: "Upgrade Windows devices to Windows 10 Pro"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management-- TRN_SMB--- Adm_O365-- Core_O365Admin_Migration-- MSB365-- OKR_SMB_M365-- TRN_M365B-- OKR_SMB_Videos-- seo-marvel-mar-- AdminSurgePortfolio-- AdminTemplateSet-- MET150-- MOE150
-description: "Discover ways you can upgrade your Windows devices to Windows 10 Pro to utilize more advanced security and business networking features."
--
-# Upgrade Windows devices to Windows 10 Pro
-
-## Watch: Upgrade Windows 10 Home to Windows 10 Pro
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3t58j]
-
-If you found this video helpful, check out the [complete training series for small businesses and those new to Microsoft 365](../business-video/index.yml).
-
-## Upgrade to Windows 10 Pro
-
-To upgrade to Windows 10 Pro, you have several options. You can:
--- Install the upgrade from the [Microsoft Software Download site](https://go.microsoft.com/fwlink/?LinkID=836951).
- - Select this option if the device that you're logged in is on the same device as the one you want to update.
- - From the software download site, click **Update now** to start upgrading the device to Windows 10 Pro Creators Update.
--- Create an installation media using the [Media Creation Tool](https://go.microsoft.com/fwlink/?LinkID=836960) &ndash; Select this option to create a Windows 10 Pro Creators Update installation media (USB flash drive or ISO file) to install Windows 10 on a PC that's different from the one you're using.
- - Read the instructions on how to use the tool and create your installation media.
-
-> [!NOTE]
-> If you have Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 for business subscription entitles you to a Windows Pro 10 upgrade.
-
-## Next steps
-
-To complete setting up Windows 10 devices, see [Set up Windows devices for Microsoft 365 for business users](set-up-windows-devices.md).
-
-To complete setting up Android and iOS devices, see [Set up mobile devices for Microsoft 365 for business users](set-up-mobile-devices.md).
-
-## Related content
-
-[Microsoft 365 for business training videos](../business-video/index.yml) (link page)
business Validate Protection Settings On Windows 10 Pcs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/validate-protection-settings-on-windows-10-pcs.md
- Title: "Validate app protection settings on Windows 10 PCs"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management-- M365-identity-device-management--- Adm_O365-- Core_O365Admin_Migration-- MSB365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Validate Microsoft 365 Business Premium app protection settings on Windows 10 devices and verify users cannot copy company data to personal files or non-managed apps."
--
-# Validate app protection settings on Windows 10 PCs
-
-## Verify that users cannot copy company data to personal files on corporate devices
-
-After you [set up app protection policies](protection-settings-for-windows-10-devices.md), it may take up to a few hours for the policy to take effect on users' devices. If you turned **On** the **Prevent users from copying company data to personal files and force them to save work files to OneDrive for Business** setting for company owned devices, you can check this on the user's device after they've connected to Azure AD and signed in.
-
- **Verify connection settings**
-
-1. After you sign in with Microsoft 365 Business Premium credentials and connect to Azure AD as described in [Set up Windows devices for Microsoft 365 Business Premium users](set-up-windows-devices.md), go to **Windows Settings** \> **Accounts** \> **Access work or school**. Choose **Connected to \<tenant name\> Azure AD**, and then choose **Info**.
-
- ![Click or tap Info on the Connected to Azure AD dialog.](../media/a36ede2b-d1a0-4d4e-8ea7-af39b4b63890.png)
-
-2. On the **Managed by** \<tenant name\> page, you can see the **Connection info** that includes a **Management Server Address** like the one shown in the following figure.
-
- ![Managed by page shows connection info of the device manager URL.](../media/47515a8e-2d0c-4bea-99f0-6b2545b88a11.png)
-
- **Verify that you cannot paste company data in a non-managed app**
-
-1. Open Outlook 2016 that was installed by Microsoft 365 Business Premium.
-
-2. Open an email and copy some content from it.
-
- Open Notepad and attempt to paste the content in.
-
- You'll receive an error that states the app can't access content.
-
- ![A dialog that states app can't access content when you paste into an unmanaged app.](../media/5e82b154-cf2f-43c8-ae80-b45d8ad80e56.png)
-
- You can, however, paste the same content into Word 2016.
-
-## Verify that users cannot copy company data to personal files on personal devices
-
- **Verify connection settings**
-
-1. On your Windows 10 personal device where you're logged in as a local user, go to **Windows Settings**, and click or tap **Accounts** \> **Access work or school**.
-
-2. Under the **Access work or school**, choose **Connect**.
-
-3. Enter your Microsoft 365 Business Premium credential into the **Set up a work or school account dialog** \> **Sign in**.
-
-4. On the **Access work or school** page, choose the **Work or school account**, and then choose **Info**.
-
- ![Click or tap Info on the Work or school account dialog.](../media/63bd8b32-cb32-4afa-8ce0-6070ac403abc.png)
-
-5. On the **Access work or school** page, you can see the **Connection info** that includes a **Management Server Address** like the one shown in the following figure, and includes the words *wip* and *mam* within.
-
- ![Managed by page shows connection info URL that includes the words mam and wpi.](../media/abd4eaf4-44fa-4538-a3e8-1e0d331dfe1e.png)
-
- **Verify that you cannot paste company data in a non-managed app**
-
-1. Open Outlook 2016 and add your Microsoft 365 Business Premium account if necessary and sign in with your Microsoft 365 Business Premium credentials.
-
-2. Open an email and copy some content from it.
-
- Open Notepad and attempt to paste the content in.
-
- You'll receive an error that states App can't access content.
-
- ![A dialog that states app can't access content when you paste into an unmanaged app.](../media/5e82b154-cf2f-43c8-ae80-b45d8ad80e56.png)
-
- You can, however, paste the same content into Word 2016.
-
-
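Review bot: This delete removes the only verification procedure in these lines for the "Prevent users from copying company data to personal files..." setting, including the check that the **Management Server Address** on personal devices contains *wip* and *mam* and the Outlook-to-Notepad paste test. An admin who cannot confirm a policy is enforced tends to assume it is, so point readers of `protection-settings-for-windows-10-devices.md` at a replacement validation article before this one goes. If the text is reused, the second image alt text says "mam and wpi" where the step says *wip* and *mam*, and "Open Notepad and attempt to paste the content in" should be its own numbered step in both procedures.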
business What Subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business/what-subscription.md
- Title: "What subscription is right for your business?"-- NOCSH------
-localization_priority: Normal
--- Core_O365Admin_Migration-- MiniMaven-- MSB365-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Determine whether Office 365 E3, Microsoft 365 Business Standard, or Microsoft 365 Business Premium is right for your business."
--
-# What subscription is right for your small business?
-
-Microsoft offers several plans for small businesses. The recommended subscriptions are either Microsoft 365 Business Standard or Microsoft 365 Business Premium with up to 300 users. Microsoft 365 Business Premium offers more security features than Microsoft 365 Business Standard for an added cost.
campaigns Microsoft 365 Campaigns Setup Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/campaigns/microsoft-365-campaigns-setup-overview.md
The following diagram describes how admins set up Microsoft 365.
For campaigns that qualify for special pricing, get started by [requesting an invite from Microsoft](https://m365forcampaigns.microsoft.com/), then [signing up for Microsoft 365 for Campaigns](m365-campaigns-sign-up.md). To complete setup, [run the setup wizard](../business/set-up.md?toc=/microsoft-365/campaigns/toc.json) to configure the core settings.
-For all other organizations, after you've [signed up for Microsoft 365 Business Premium](../business/sign-up.md), complete setup by [running the setup wizard](../business/set-up.md?toc=/microsoft-365/campaigns/toc.json) to configure the core settings.
+For all other organizations, after you've [signed up for Microsoft 365 Business Premium](../business-video/sign-up.md), complete setup by [running the setup wizard](../business/set-up.md?toc=/microsoft-365/campaigns/toc.json) to configure the core settings.
For all organizations, bump up security protection by: [protecting admin accounts](m365-campaigns-protect-admin-accounts.md), [protecting access to mail and data](m365-campaigns-conditional-access.md), and [increasing threat protection](m365-campaigns-increase-protection.md).
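Review bot: The `+` line repoints "signed up for Microsoft 365 Business Premium" from `../business/sign-up.md` to `../business-video/sign-up.md` while the setup-wizard link in the same sentence stays under `../business/`. Confirm the new target is a step-by-step sign-up article and not only a video page, because the sentence treats it as a prerequisite the reader has already completed. The new link also drops into a different folder without the `?toc=/microsoft-365/campaigns/toc.json` parameter the neighbouring links use, so the reader may leave the campaigns table of contents just before the security steps in the next paragraph.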
commerce Enter Your Product Key https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/enter-your-product-key.md
audience: Admin
-localization_priority: Normal
+localization_priority: Priority
- M365-subscription-management - Adm_O365
Or, [call Microsoft Support](../business-video/get-help-support.md).
[Upgrade to a different plan](./subscriptions/upgrade-to-different-plan.md) (article)\ [What happens to my data and access when my Microsoft 365 for business subscription ends?](./subscriptions/what-if-my-subscription-expires.md) (article)\
-[Understand subscriptions and licenses in Microsoft 365 for business](./licenses/subscriptions-and-licenses.md) (article)
+[Understand subscriptions and licenses in Microsoft 365 for business](./licenses/subscriptions-and-licenses.md) (article)
commerce Allowselfservicepurchase Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/subscriptions/allowselfservicepurchase-powershell.md
$product = Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | wh
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $product.ProductID -Enabled $false ```
+If there are multiple values for the product, you can run the command individually for each value as shown in the following example:
+
+```powershell
+Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $product[0].ProductID -Enabled $false
+Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $product[1].ProductID -Enabled $false
+```
++ ## Troubleshooting ### Problem
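Review bot: The added example indexes `$product[0]` and `$product[1]` by hand, so it only covers exactly two matches; with three or more, the remaining products keep self-service purchase enabled and nothing in the output says so. Suggest showing the pipeline form instead, `$product | ForEach-Object { Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductID -Enabled $false }`, and adding a sentence telling the admin to rerun `Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase` afterwards to confirm every matching product shows as disabled. The stray `+` before "## Troubleshooting" also looks like the new block was added without a blank line ahead of the heading.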
compliance Bulk Edit Content Searches https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/bulk-edit-content-searches.md
- Title: "Bulk edit Content Searches"-- NOCSH--- Previously updated : 12/29/2016--
-localization_priority: Normal
-- MOE150-- MET150--- seo-marvel-apr2020
-description: "Use the Bulk Search Editor in the security and compliance center to quickly change the query and content locations for one or more Content Searches."
--
-# Bulk edit Content Searches
-
-You can use the Bulk Search Editor in the Content Search tool to edit multiple searches at the same time. Using this tool lets you quickly change the query and content locations for one or more searches. Then you can rerun the searches and get new estimated search results for the revised searches. The editor also lets you copy and paste queries and content locations from a Microsoft Excel file or text file. This means you can use the Search Statistics tool to view the statistics of one or more searches, export the statistics to a CSV file, where you can edit the queries and content locations in Excel. Then you use the Bulk Search Editor to add the revised queries and content locations to the searches. After you've revised one or more searches, you can restart them and get new estimated search results.
-
-For more information about using the Search Statistics tool, see [View keyword statistics for Content Search results](view-keyword-statistics-for-content-search.md).
-
-## Use the Bulk Search Editor to change queries
-
-1. Go to <https://compliance.microsoft.com>, and then select **Content search**.
-
-2. In the list of searches, select one or more searches, and then select **Bulk Search Editor** ![Bulk Search Editor button](../media/1ddb3d18-2f00-4a7b-98a6-817ca5ec7014.png).
-
- ![Select one or more searches and then select Bulk search editor](../media/600c9716-89a2-4451-b111-fa7cfaad2006.png)
-
- The following information is displayed on the **Queries** page of the Bulk Search Editor.
-
- ![The Bulk search editor page displays the queries for the selected searches](../media/189659af-cc78-4479-b0bc-a93decad2f6c.png)
-
- a. The **Search** column displays the name of the Content Search. As previously stated, you can edit the query for multiple searches.
-
- b. The **Query** column displays the query for the Content Search listed in the **Search** column. If the query was created using the keyword list feature, the keywords are separated by the text **`(c:s)`**. This indicates that the keywords are connected by the **OR** operator. Additionally, if the query includes conditions, the keywords and the conditions are separated by the text **`(c:c)`**. This indicates that the keywords (or keyword phases) are connected to the conditions by the **AND** operator. For example, in the previous screenshot the for search ContosoSearch1, the KQL query that is equivalent to `customer (c:s) pricing(c:c)(date=2000-01-01..2016-09-30)` would be `(customer OR pricing) AND (date=2002-01-01..2016-09-30)`.
-
-3. To edit a query, select in the cell of the query that you want to change and doing one of the following things. The cell is bordered by a blue box when you select it.
-
- - Type the new query in the cell. You can't edit a portion of the query. You have to type the entire query.
-
- Or
-
- - Paste a new query in the cell. This assumes that you've copied the query text from a file, such as a text file or an Excel file.
-
-4. After you've edited one or more queries on the **Queries** page, select **Save**.
-
- The revised query is displayed in the **Query** column for the selected search.
-
-5. Select **Close** to close the Bulk Search Editor.
-
-6. On the **Content search** page, select the search that you edited, and select **Start** search to restart the search using the revised query.
-
-Here are some tips for editing queries using the Bulk Search Editor:
--- Copy the existing query (by using **Ctrl C**) to a text file. Edit the query in the text file, and then copy the revised query and paste it (using **Ctrl V**) back into the cell on the **Queries** page.--- You can also copy queries from other applications (such as Microsoft Word or Microsoft Excel). However, you might inadvertently add unsupported characters to a query using the Bulk Search Editor. The best way to prevent unsupported characters is to just type the query in a cell on the **Queries** page. Or you can copy a query from Word or Excel and then paste it to file in a plain text editor, such as Microsoft Notepad. Then save the text file and select **ANSI** in the **Encoding** drop-down list. This removes any formatting and unsupported characters. Then you can copy and paste the query from the text file to the **Queries** page.-
-## Use the Bulk Search Editor to change content locations
-
-1. In the Bulk Search Editor for one or more selected searches, select **Enable bulk location editor**, and then select the **Locations** link that is displayed on the page.
-
- The following information is displayed on the **Locations** page of the Bulk Search Editor.
-
- ![Select Enable bulk location editor and then select Locations to add or remove content locations](../media/a5a468ce-bd63-4c53-bc37-ff64cf769e59.png)
-
- a. **Mailboxes to search** This section displays a column for each selected Content Search and a row for each mailbox that's included in the search. A check mark indicates that the mailbox is included in the search. You can add mailboxes to a search by typing the email address of the mailbox in a blank row and then selecting the check box for the Content Search that you want to add it to. Or you can remove a mailbox from a search by clearing the check box.
-
- b. **SharePoint sites to search** This section displays a row for each SharePoint and OneDrive site that's included in each selected Content Search. A check mark indicates that the site is included in the search. You can add sites to a search by typing the URL for the site in a blank row and then selecting the check box for the Content Search that you want to add it to. Or you can remove a site from a search by clearing the check box.
-
- c. **Other search options** This section indicates whether unindexed items and public folders are included in the search. To include them, make sure the check box is selected. To remove them, clear the check box.
-
-2. After you've edited one or more of the sections on the **Locations** page, select **Save**.
-
- The revised content locations are displayed in the appropriate section for the selected searches.
-
-3. Select **Close** to close the Bulk Search Editor.
-
-4. On the **Content search** page, select the search that you edited, and select **Start** search to restart the search using the revised content locations.
-
-Here are some tips for editing content locations using the Bulk Search Editor:
--- You can edit Content Searches to search all mailboxes or sites in the organization by typing **All** in a blank row in the **Mailboxes to search** or **SharePoint sites to search** section and then selecting the check box.--- You can add multiple content locations to one or more searches by copying multiple rows from a text file or an Excel file and then pasting them in a section on the **Locations** page. After you add new locations, be sure to select the check box for each search that you want add the location to.-
- > [!TIP]
- > To generate a list of email addresses for all the users in your organization, run the PowerShell command in Step 2 in [Step 2: Generate a list of users](search-the-mailbox-and-onedrive-for-business-for-a-list-of-users.md#step-2-generate-a-list-of-users). Or follow the steps in [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls) to generate a list of all OneDrive for Business sites in your organization. Note that you'll have to append the URL for your organization's MySite domain (for example, https://contoso-my.sharepoint.com) to the OneDrive for Business sites that's created by the script. After you have list of email addresses or OneDrive for Business sites, you can copy and paste them to the **Locations** page in the Bulk Search Editor.
--- After you select **Save** to save changes in Bulk Search Editor, the email address for mailboxes that you added to a search will be validated. If the email address doesn't exist, an error message is displayed saying the mailbox can't be located. URLs for sites aren't validated.
compliance Partially Indexed Items In Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/partially-indexed-items-in-content-search.md
Similarly, messages with partially indexed file attachments and documents of a p
For a list of email and document properties that you can search for by using the Search feature in the Security & Compliance Center, see [Keyword queries and search conditions for eDiscovery](keyword-queries-and-search-conditions.md).
+> [!NOTE]
+> If a mailbox item is moved from a folder that is indexed to a folder that is not indexed, a flag is set to unindex the item and the item is removed from the index and will not be searchable. Later, if that same item is moved back to a folder that is indexed, the flag is not reset. That means the item will remain unindexed, and not searchable.
+ ## Partially indexed items included in the search results Your organization might be required to identify and perform additional analysis on partially indexed items to determine what they are, what they contain, and whether they're relevant to a specific investigation. As previously explained, the partially indexed items in the content locations that are searched are automatically included with the estimated search results. You have the option to include these partially indexed items when you export search results or prepare the search results for Advanced eDiscovery.
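Review bot: The new note says an item moved out of an indexed folder and back "will remain unindexed, and not searchable", but it does not say whether such an item is then reported among the partially indexed items that the next section says are included with the estimated search results. State that explicitly, because an investigator reading this cannot tell whether these items are surfaced for review or silently missing from a search.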
For a list of indexing limits for SharePoint documents, see [Search limits for S
## See also
-[Investigating partially indexed items in eDiscovery](investigating-partially-indexed-items-in-ediscovery.md)
+[Investigating partially indexed items in eDiscovery](investigating-partially-indexed-items-in-ediscovery.md)
compliance Privacy Management Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-setup.md
After obtaining your subscription, allow up to 30 minutes for it to activate. Th
### Accept privacy management terms
-When you first open privacy management, you will be asked to confirm that you agree to the terms and the personal data evaluation process ([learn more](privacy-management.md#how-we-evaluate-your-data)). You can review the provided links in full before proceeding. Once you agree, it may take up to 24 hours before privacy management starts providing insights about your organizationΓÇÖs data.
+When you first open privacy management, you will be asked to confirm that you agree to the terms and the personal data evaluation process ([learn more](privacy-management.md#where-privacy-management-identifies-personal-data)). You can review the provided links in full before proceeding. Once you agree, it may take up to 24 hours before privacy management starts providing insights about your organizationΓÇÖs data.
If you donΓÇÖt hold the required role to obtain the subscription or consent to the terms of using privacy management, youΓÇÖll be prompted to contact your global admin for assistance.
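Review bot: The "learn more" link is attached to the phrase "personal data evaluation process", but the new anchor `#where-privacy-management-identifies-personal-data` lands on the section listing which services are in scope. The same commit set adds "How privacy management identifies items with personal data" to privacy-management.md, which matches the link text better; consider pointing there, or rewording the sentence so the label and the target agree.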
compliance Privacy Management Subject Rights Requests https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-subject-rights-requests.md
Customers with Microsoft 365 subscriptions that include privacy management do no
The following Power Automate templates are included in privacy management: -- **Create record for privacy management case in ServiceNow**: This template is for organizations that want to use their ServiceNow solution to track subject rights request cases. You will be asked to enter your ServiceNow instance details. Once connected to your instance, subject rights requests administrators will be able to create a record for the case in ServiceNow and can customize what the template will populate into selected fields if needed. For more information on the connector, see the [ServiceNow Connector reference page](/connectors/service-now/).
+- **Create record for privacy management case in ServiceNow**: This template is for organizations that want to use their ServiceNow solution to track subject rights request cases. You will be asked to enter your ServiceNow instance details, inclusive of an account to connect to ServiceNow. This account must have the ability to create an incident in ServiceNow and fill in incident details. Once connected to your instance, subject rights requests administrators will be able to create a record for the case in ServiceNow and can customize what the template will populate into selected fields if needed. For more information on the connector, see the [ServiceNow Connector reference page](/connectors/service-now/).
- **Create a calendar reminder**: This template is for setting due date reminders in your Outlook calendar for subject rights requests. The tool will populate certain details for you from the properties of the request, such as the name of the request and its due date. You can add descriptive details, specify recipients, and adjust other advanced settings. ### Create a new Power Automate flow from a template
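Review bot: The added sentences on the ServiceNow account give the minimum it needs ("create an incident in ServiceNow and fill in incident details") but do not say the account should be limited to that. Since its credentials are stored in the flow connection, suggest adding that a dedicated account scoped to incident creation is preferred over an administrator's personal account. "inclusive of an account" would also read better as "including an account".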
compliance Privacy Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management.md
Privacy management in Microsoft 365 can help you handle these inquiries through
To learn more, see [Manage subject rights requests](privacy-management-subject-rights-requests.md).
-## How we evaluate your data
+## Where privacy management identifies personal data
-To show personal information in your Microsoft 365 environment and provide capabilities for managing that data and remediating issues, privacy management evaluates data within the following scope.
-
-### What privacy management evaluates
--- Sensitive information, which we call personal data and is the data supported by Microsoft data classification, for example, name, address, or Social Security number-- Personal data of people connected to your organization, such as customers and employees-- Data handling activities of employees who work with personal data, such as file owners and business operations staff-
-For more information about how Microsoft 365 defines sensitive information, see [Learn about sensitive information types](sensitive-information-type-learn-about.md).
-
-### Where privacy management identifies personal data
-
-The privacy management solution for Microsoft 365 evaluates data and files stored by your organization in Microsoft 365ΓÇÖs cloud service to help you identify and manage privacy risks in that space. This includes:
+The privacy management solution for Microsoft 365 evaluates data and files stored by your organization in Microsoft 365ΓÇÖs cloud
- Microsoft Exchange - Microsoft SharePoint - Microsoft OneDrive - Microsoft Teams
-Privacy management does not collect data beyond what is already collected in Microsoft 365. Also, since privacy management focuses on data specific to your organization, any consumer accounts your employees or customers may have on these services will not be in scope.
+Privacy management does not collect data beyond what is already collected in Microsoft 365, and will not make modifications to the data on its own. Also, since privacy management specifically evaluates data that your organization manages, any consumer accounts your employees or customers may have on these services will not be in scope.
+
+## How privacy management identifies items with personal data
+
+Privacy management utilizes the capabilities of Microsoft 365 to help you identify and tag sensitive items. This is done through the use of [sensitive information types (SIT)](sensitive-information-type-learn-about.md), trainable [classifiers](classifier-learn-about.md), and auto and manual application of [sensitivity labels](sensitivity-labels.md).
+
+Sensitive information types (SIT) are the data types supported by Microsoft data classification. For example, this includes personal information about individuals such as their name, address, or Social Security number.
+
+For more information about how Microsoft 365 defines sensitive information, see [Learn about sensitive information types](sensitive-information-type-learn-about.md).
-### Additional resources
+## Additional resources
For more information about how Microsoft approaches privacy and safeguards your data, see the following resources:
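Review bot: The removed "What privacy management evaluates" list included "Data handling activities of employees who work with personal data", and nothing in the added "How privacy management identifies items with personal data" section replaces that statement. If employee activity is still evaluated, keep a sentence saying so; admins rely on this page to describe the scope of processing to their own staff. The new sentence "will not make modifications to the data on its own" is a useful addition and would be clearer as "does not modify the data on its own".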
compliance Retention Flowchart https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-flowchart.md
This logic flow is used for an item when either of the following conditions appl
- There is more than one retention policy applied - There is a retention label and one or more retention policies
+When an item is subject to an eDiscovery hold, it will always be retained before the decision flows for retention policies and a retention label.
+ If any of the terms used in this flowchart are unfamiliar to you, see [Learn about retention policies and retention labels](retention.md).
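Review bot: In the added sentence, "it will always be retained before the decision flows" can be read as a statement about timing rather than precedence. Suggest wording such as "an eDiscovery hold takes precedence: the item is always retained, regardless of the outcome of the decision flows for retention policies and a retention label", so readers do not assume a later delete action in the flowchart can still remove a held item.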
compliance Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention.md
Different types of retention labels can be published to different locations, dep
In Exchange, retention labels that you auto-apply are applied only to messages newly sent (data in transit), not to all items currently in the mailbox (data at rest). Also, auto-apply retention labels for sensitive information types and trainable classifiers apply to all mailboxes; you can't select specific mailboxes.
-Exchange public folders, Skype, Teams and Yammer messages do not support retention labels. To retain and delete contain from these locations, use retention policies instead.
+Exchange public folders, Skype, Teams and Yammer messages do not support retention labels. To retain and delete content from these locations, use retention policies instead.
#### Only one retention label at a time
compliance Search For Content https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-content.md
The first step is to starting using the Content search tool to choose content lo
- [Search for third-party data](use-content-search-to-search-third-party-data-that-was-imported.md) that your organization has imported to Microsoft 365 -- [Bulk edit](bulk-edit-content-searches.md) the query and content locations for multiple searches- - [Retry a Content search](retry-failed-content-search.md) to resolve a content location error - [Preserve Bcc recipients](/exchange/policy-and-compliance/holds/preserve-bcc-recipients-and-group-members) so you can search for them
enterprise Microsoft 365 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-overview.md
For an example of how a fictional but representative multinational organization
## Additional Microsoft 365 products -- [Microsoft 365 Business Premium](../business/index.yml)
+- [Microsoft 365 Business Premium](../admin/index.yml)
Bring together the best-in-class productivity and collaboration capabilities with device management and security solutions to safeguard business data for small and midsize businesses.
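Review bot: The link text still reads "Microsoft 365 Business Premium" while the target changes from `../business/index.yml` to `../admin/index.yml`. If the admin index is now the intended landing page for Business Premium, say so in the description line that follows; otherwise the label promises a product page and delivers the general admin hub.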
enterprise Plan Upgrade Previous Versions Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/plan-upgrade-previous-versions-office.md
Microsoft 365 is the way to digitally transform your business with constantly im
|Resource|Description| ||| |[Microsoft 365](https://www.microsoft.com/microsoft-365)|Get information about the versions of Microsoft 365.|
-|[Microsoft 365 for Business documentation](../business/index.yml)|Get detailed information about the version of Microsoft 365 for small and medium businesses.|
+|[Microsoft 365 for Business documentation](../admin/index.yml)|Get detailed information about the version of Microsoft 365 for small and medium businesses.|
|[Microsoft 365 for Education documentation](/microsoft-365/education/)|Get detailed information about the version of Microsoft 365 for educational organizations.| |[Microsoft 365 for Enterprise documentation](./index.yml)|Get detailed information about the version of Microsoft 365 for enterprise organizations.| |||
managed-desktop Validate Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/validate-device.md
audience: Admin
# Validate new devices
-Whether you're completely new to Microsoft Managed Desktop or a long-time subscriber, it's best to test an example of any device model you're enrolling in the service for the first time. This is true whether you're ordering brand-new devices or reusing existing ones, including devices recommended for Microsoft Managed Desktop on the [Shop Windows 10 Pro business devices](https://www.microsoft.com/windowsforbusiness/view-all-devices) site. At that site, view the devices recommended for use with the service by expanding **Features** in the **Filter by** area, and then selecting **Microsoft Managed Desktop**. Validating devices ensures that they'll deliver the user experience you expect.
+Whether you're completely new to Microsoft Managed Desktop or a long-time subscriber, it's best to test an example of any device model you're enrolling in the service for the first time. This is true whether you're ordering brand-new devices or reusing existing ones, including devices recommended for Microsoft Managed Desktop on the [Shop Windows 10 Pro business devices](https://www.microsoft.com/en-us/windowsforbusiness/view-all-devices) site. At that site, view the devices recommended for use with the service by expanding **Features** in the **Filter by** area, and then selecting **Microsoft Managed Desktop**. Validating devices ensures that they'll deliver the user experience you expect.
## Validate devices
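Review bot: The replacement URL hard-codes the `en-us` locale (`https://www.microsoft.com/en-us/windowsforbusiness/view-all-devices`). If the locale-free form no longer resolves, note that in the commit message; otherwise keep the locale out so that localized copies of this article do not send readers to the US English store page.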
Whether you're completely new to Microsoft Managed Desktop or a long-time subscr
If any problems occur, you can [request support](../working-with-managed-desktop/admin-support.md) in the Admin portal.
-If everything goes well, you're ready to order the rest of the validated devices you need for your deployment.
+If everything goes well, you're ready to order the rest of the validated devices you need for your deployment.
managed-desktop Device Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/device-requirements.md
# Device requirements
-Microsoft Managed Desktop regularly evaluates device requirements to be included in the service. This article describes the hardware and software requirements a device must meet in order to work with Microsoft Managed Desktop. You can review a list of specific devices already approved for use with the service based on these requirements. Filter for Microsoft Managed Desktop on the [Shop Windows 10 Pro business devices](https://www.microsoft.com/windowsforbusiness/view-all-devices) site
+Microsoft Managed Desktop regularly evaluates device requirements to be included in the service. This article describes the hardware and software requirements a device must meet in order to work with Microsoft Managed Desktop. You can review a list of specific devices already approved for use with the service based on these requirements. Filter for Microsoft Managed Desktop on the [Shop Windows 10 Pro business devices](https://www.microsoft.com/en-us/windowsforbusiness/view-all-devices) site
> [!NOTE] > These requirements can change at any time, but we will provide 30 days notice of any hardware requirement changes. The requirements most recently changed are marked with **\***.
scheduler Scheduler Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-overview.md
After a user sends a meeting request to Cortana, the Scheduler service:
- Finds a time to meet based on the availability of the organizer and attendees in the same tenant. - If the organizer does not have access to availability of the attendees, Cortana negotiates a time to meet with those attendees by email. - Once a mutually agreeable time has been found, Cortana adds a Teams meeting and sends out the calendar invites. +
+## Pricing and licensing
+
+Learn more: [Scheduler for Microsoft 365 licensing](https://wwww.microsoft.com/microsoft-365/meeting-scheduler-pricing)
+
+>[Note:
+>Meeting attendees do not need a Scheduler or Microsoft 365 license. <br>The Scheduler assistant mailbox does not require a Microsoft 365 or a Scheduler license.
+
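Review bot: The licensing link added under "Pricing and licensing" uses the host `wwww.microsoft.com` (four w's). That is not the Microsoft host name, so the link either fails or sends readers to whatever that name resolves to; correct it to `www.microsoft.com`. The callout that follows opens with `>[Note:` and never closes the bracket, so it will not render as a note; the form used later in this change set is `>[!Note]`.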
scheduler Scheduler Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-setup.md
description: "Setting up Scheduler for Microsoft 365."
# Setting up Scheduler for Microsoft 365
+Tenant admins need to setup a Scheduler assistant mailbox and obtain Scheduler licenses for meeting organizers to enable the Scheduler for Microsoft 365 service.
-To set up the Scheduler for Microsoft 365, following are the prerequisites:
+## Licensing
-| What do I need? | Description |
+Learn more: [Scheduler for Microsoft 365 licensing](https://wwww.microsoft.com/microsoft-365/meeting-scheduler-pricing)
+
+>[Note:
+>Meeting attendees do not need a Scheduler or Microsoft 365 license. <br>The Scheduler assistant mailbox does not require a Microsoft 365 or a Scheduler license.
+++
+| Prerequisite | Description |
|-|-|
-|Cortana mailbox |Tenant admins will need to set a mailbox to serve as the ΓÇ£CortanaΓÇ¥ mailbox (that is, cortana@yourdomain.com). |
-|Exchange Online mailbox |Users must have an Exchange Online mail and calendar |
-|Scheduler license |For licensing and pricing information, see [Scheduler for Microsoft 365](https://www.microsoft.com/en-us/microsoft-365/meeting-scheduler-pricing). |
+|A Scheduler assistant mailbox for the tenant |An Exchange equipment type resource mailbox that acts as the Scheduler assistant mailbox for your tenant to send and receive emails to and from Cortana. All emails sent to Cortana are retained in your tenantΓÇÖs Cortana mailbox based on your retention policy. The Scheduler assistant mailbox is typically named ΓÇ£CortanaΓÇ¥ or ΓÇ£Cortana SchedulerΓÇ¥ since all the emails from the assistant will be signed Cortana.</br> - Create an equipment type Exchange resource mailbox</br> - Name the mailboxΓÇÖs display name and primary SMTP address ΓÇ£Cortana <cortana@yourdomain.com>ΓÇ¥ or ΓÇ£Cortana Scheduler <cortana.scheduler@yourdomain.com>ΓÇ¥.</br>**Note:** The Scheduler assistant mailbox does not require a Microsoft 365 or a Scheduler license.|
+|Exchange Online mailbox |Meeting organizers must have an Exchange Online mailbox and calendar typically as part of their Microsoft 365 license. In addition, meeting organizers must have a Scheduler license. The Scheduler license enables the Scheduler assistant to use the meeting organizerΓÇÖs mailbox and calendar to schedule meetings for them.</br></br> See Scheduler for Microsoft 365 for licensing and pricing information. </br></br>**Note:** Meeting attendees do not need a Scheduler or Microsoft 365 license. Meeting attendees can be internal or external to the tenant. Meeting attendees only need access to an email address.|
++
+## Setting up the Scheduler assistant mailbox
+
+Scheduler assistant mailbox is an Exchange equipment type mailbox that does not require an additional Microsoft 365 or Scheduler license. The display name and the primary SMTP address of the mailbox should contain Cortana since all the emails from the Scheduler assistant will be signed Cortana (i.e. ΓÇ£Cortana <cortana@yourdomain.com>ΓÇ¥ or ΓÇ£Cortana Scheduler <cortana.scheduler@yourdomain.com>ΓÇ¥). After the Scheduler assistant mailbox has been created, you must designate the mailbox as the Scheduler assistant mailbox. After you designate the Scheduler assistant mailbox, Cortana will be available to schedule meetings on behalf of your users.
-## Create a mailbox for Cortana
-An Exchange mailbox in your tenant acts as the Cortana mailbox for your tenant to send and receive emails to and from Cortana. All emails sent to Cortana are retained in your tenantΓÇÖs Cortana mailbox based on your retention policy.
- Use the Microsoft 365 admin center to create a user mailbox. A 30-day retention policy is recommended. - Use the name Cortana in your mailboxΓÇÖs primary SMTP address. Names such as ΓÇ£Cortana@yourdomain.com,ΓÇÖ ΓÇÿCortanaScheduler@contoso.com,ΓÇÖ or ΓÇÿCortana.Scheduler@yourdomain.comΓÇÖ are recommended.
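Review bot: The "Licensing" link repeats the `wwww.microsoft.com` host typo and the unterminated `>[Note:` callout, and both need fixing here as well. In the new prerequisites table, the "Exchange Online mailbox" row says "See Scheduler for Microsoft 365 for licensing and pricing information" as plain text, where the removed row carried the link. The new first row also describes an equipment type resource mailbox, while the unchanged lines just below still tell the admin to "create a user mailbox" with a 30-day retention policy; one of the two needs to go so the page gives a single instruction.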
An Exchange mailbox in your tenant acts as the Cortana mailbox for your tenant t
After a unique mailbox for Cortana Scheduler has been created, you must designate the mailbox to Microsoft 365 formally. After you designate the Cortana Scheduler mailbox, it will be available to schedule meetings on behalf of your users.
-To designate the Cortana Scheduler mailbox, an authorized admin must run a one-line PowerShell command.
+#### Connect to PowerShell
-1. Connect to Microsoft 365 remote PowerShell run space for your organization.
+Use the Microsoft 365 admin center to create a user mailbox. A 30-day retention policy is recommended.
+Use the name Cortana in your mailboxΓÇÖs primary SMTP address. Names such as ΓÇ£Cortana@yourdomain.com,ΓÇÖ ΓÇÿCortanaScheduler@contoso.com,ΓÇÖ or ΓÇÿCortana.Scheduler@yourdomain.comΓÇÖ are recommended.
-2. Run the following PowerShell script to designate the mailbox for Scheduler:
+```PowerShell
- ```powershell
- Set-mailbox cortana@contoso.com -SchedulerAssistant:$true
- ```
-
- After running this "set" command on the Cortana Scheduler mailbox, a new "PersistedCapability" is set on the mailbox to note that this mailbox is the "SchedulerAssistant".
+$domain="yourdomain.com "
+$tenantAdmin="<tenantadmin>@$domain"
+Import-Module ExchangeOnlineManagement
+Connect-ExchangeOnline -UserPrincipalName $tenantAdmin
+
+```
-> [!NOTE]
-> Follow these steps to connect your organization to PowerShell if youΓÇÖve not done so previously: [Connect to Microsoft 365 with PowerShell](../enterprise/connect-to-microsoft-365-powershell.md).
+#### Create the Scheduler Assistant Mailbox
-To discover which mailbox in your organization is currently set as the Cortana Scheduler assistant, run the get function:
+```PowerShell
+New-Mailbox -Name Cortana -Organization $domain -DisplayName "Cortana Scheduler" -Equipment
+Set-CalendarProcessing Cortana@$domain -DeleteNonCalendarItems $false
-```powershell
-Get-mailbox | where {$_.PersistedCapabilities -Match "SchedulerAssistant"}
```
+
+#### Designate the Scheduler Assistant Mailbox
-> [!IMPORTANT]
-> It might take up to two hours for the Scheduler mailbox to complete full provisioning to set the SchedulerAssistant capability.
+```PowerShell
-## Exchange Online mailbox
-A Scheduler license is an add-on to Microsoft 365, that enables the meeting organizer to delegate their meeting scheduling tasks to their Scheduler assistant. For the Scheduler to work, typically through Microsoft 365 license, meeting organizers require the following components:
+Set-mailbox cortana@$domain -SchedulerAssistant:$true
++
+```
+After running this "set" command on the Cortana Scheduler assistant mailbox, a new "PersistedCapability" is set on the mailbox to note that this mailbox is the "SchedulerAssistant".
+
+>[!Note]
+> To learn how to connect your organization to PowerShell, see:
+[Connect to Microsoft 365 with PowerShell](/microsoft-365/enterprise/connect-to-microsoft-365-powershell)
+
+### Verifying the Scheduler assistant mailbox
+
+To verify the Scheduler assistant mailbox has been created
+
+```PowerShell
-- A mailbox designated as Scheduler assistant mailbox-- Scheduler license-- Exchange Online mailbox and calendar
+Get-CalendarProcessing cortana$domain <cortana>@microsoft.com | fl DeleteNonCalendarItems`
-The meeting attendees do not require Scheduler or Microsoft 365 license.
+```
+
+The result should be ΓÇ£falseΓÇ¥.
+
+<br>
+
+```PowerShell
+
+Get-Mailbox -Identity <cortana>@microsoft.com$domain -Organization microsoft.com$domain | fl *type*
+
+```
+
+The result should be
+- ResourceType: Equipment
+- Remote RecipientType: None
+- RecipientType: UserMailbox
+- RecipientTypeDetails: EquipmentMailbox
+
+</br>
-## Scheduler end-user license requirements
+### To discover which mailbox is the Scheduler assistant mailbox
+
+```PowerShell
+
+Get-Mailbox -ResultSize Unlimited | where {$_.PersistedCapabilities -Match "SchedulerAssistant"}
+
+```
+
+>[Important]
+>It might take several hours for the Scheduler assistant mailbox to complete full provisioning to set the SchedulerAssistant capability.
++
+## Exchange Online mailbox
+A Scheduler license is an add-on to Microsoft 365, which enables the meeting organizer to delegate their meeting scheduling tasks to their Scheduler assistant. In addition to designating a mailbox as a Scheduler assistant mailbox, meeting organizers will also need a Scheduler license and Exchange Online mailbox and calendar, typically through Microsoft 365 license for Scheduler to work. Meeting attendees do not need a Scheduler license or a Microsoft 365 license.
-A Scheduler license requires one of the following licenses:
+To purchase the Scheduler add-on, you require one of the following licenses:
- Microsoft 365 E3, A3, E5, A5 - Business Basic, Business, Business Standard, Business Premium
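Review bot: Several of the added PowerShell lines will not run as pasted. `$domain="yourdomain.com "` has a trailing space inside the quotes, which carries into `$tenantAdmin` and every `@$domain` address built from it. The two verification commands still contain leftover placeholder text merged with the variable (`cortana$domain <cortana>@microsoft.com`, `<cortana>@microsoft.com$domain -Organization microsoft.com$domain`), and the first one ends with a stray backtick; they should reduce to a single identity such as `cortana@$domain`. The text placed under "Connect to PowerShell" is the old instruction to create a user mailbox in the admin center, which contradicts the `New-Mailbox ... -Equipment` step that follows. Finally, `>[Important]` is missing the `!` that the `>[!Note]` callout above it uses, and "several hours" replaces the earlier "up to two hours" without giving admins a bound to wait for before troubleshooting.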
A Scheduler license requires one of the following licenses:
- Microsoft 365 with German cloud that uses the data trustee German Telekom - Government cloud including GCC, Consumer, GCC High, or DoD
-Scheduler does support users in Germany whose data location is not in the German datacenter.
+Scheduler does support users in Germany whose data location is not the German datacenter.
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
#### [Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy](configure-real-time-protection-microsoft-defender-antivirus.md) #### [Configure remediation for Microsoft Defender Antivirus detections](configure-remediation-microsoft-defender-antivirus.md) #### [Configure Microsoft Defender Antivirus scans](schedule-antivirus-scans.md)
-##### [Schedule antivirus scans using Group Policy](schedule-antivirus-scans-group-policy.md)
-##### [Schedule antivirus scans using PowerShell](schedule-antivirus-scans-powershell.md)
-##### [Schedule antivirus scans using Windows Management Instrumentation (WMI)](schedule-antivirus-scans-wmi.md)
+##### [Schedule scans using Group Policy](schedule-antivirus-scans-group-policy.md)
+##### [Schedule scans using PowerShell](schedule-antivirus-scans-powershell.md)
+##### [Schedule scans using WMI](schedule-antivirus-scans-wmi.md)
#### [Use limited periodic scanning in Microsoft Defender Antivirus](limited-periodic-scanning-microsoft-defender-antivirus.md) #### [Compatibility with other security products](microsoft-defender-antivirus-compatibility.md)
##### [Exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) ##### [Exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) ##### [Exclusions for Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
-##### [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
+##### [Common mistakes to avoid](common-exclusion-mistakes-microsoft-defender-antivirus.md)
#### Troubleshooting Microsoft Defender Antivirus ##### [Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md)
##### [Customize controlled folder access](customize-controlled-folders.md) #### [Device Control]()
-##### [Device Control reports](device-control-report.md)
##### [Control USB devices](control-usb-devices-using-intune.md) ##### [Removable Storage Protection](device-control-removable-storage-protection.md) ##### [Removable Storage Access Control](device-control-removable-storage-access-control.md)
security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts.md
incidentId | Nullable Long | The [Incident](view-incidents-queue.md) ID of the A
investigationId | Nullable Long | The [Investigation](automated-investigations.md) ID related to the Alert. investigationState | Nullable Enum | The current state of the [Investigation](automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'. assignedTo | String | Owner of the alert.
+rbacGroupName | String | RBAC device group name.
+mitreTechniques | String | Mitre Enterprise technique ID.
+relatedUser | String | Details of user related to a specific alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'. status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
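Review bot: In the added `mitreTechniques` row, the property name is plural but the type is `String` and the description is the singular "Mitre Enterprise technique ID", so a consumer cannot tell whether the field carries one ID or a delimited list. State the shape explicitly and spell the organisation name as MITRE. The added `relatedUser` row has the same gap: "Details of user" typed as `String` does not say which details are returned or in what format.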
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
The following steps will guide you through onboarding VDI devices and will highl
7. Use the search function by entering the device name and select **Device** as search type.
-## For downlevel SKUs
+## For downlevel SKUs (Windows Server 2008 R2/2012 R2/2016)
> [!NOTE] > The following registry is relevant only when the aim is to achieve a 'Single entry for each device'.
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
Previously updated : 08/16/2021 Last updated : 08/17/2021 # Configure Microsoft Defender Antivirus exclusions on Windows Server
Last updated 08/16/2021
**Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- Microsoft Defender Antivirus
-On Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019, Microsoft Defender Antivirus automatically enrolls you in certain exclusions, as defined by your specified server role. These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+## Summary
-> [!NOTE]
-> Automatic exclusions only apply to real-time protection (RTP) scanning. Automatic exclusions are not honored during a full scan, quick scan, or on-demand scan.
-
-In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to the following articles:
-- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)-- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)-
-## A few points to keep in mind
-
-Keep the following important points in mind:
--- Custom exclusions take precedence over automatic exclusions.-- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a full scan, quick scan, or on-demand scan.-- Custom and duplicate exclusions do not conflict with automatic exclusions.-- Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.-
-## Opt out of automatic exclusions
-
-In Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
-
-> [!WARNING]
-> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and Windows Server 2019 roles.
-
-Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL folders to another drive or path that is *different from the original path*, you must add exclusions manually. See [Configure the list of exclusions based on folder name or file extension](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension).
+This article provides an overview of exclusions for Microsoft Defender Antivirus on Windows Server 2016 or later.
-You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
+Because Microsoft Defender Antivirus is built into Windows Server 2016 and later, exclusions for operating system files and server roles happen automatically. However, you can define custom exclusions. You can also opt out of automatic exclusions if necessary.
-### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
+This article includes the following sections: <br/><br/>
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then select **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration**, and then select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
-4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then select **OK**.
+| Section | Description |
+|||
+| [Automatic exclusions on Windows Server 2016 or later](#automatic-exclusions-on-windows-server-2016-or-later) | Describes the two main types of automatic exclusions and includes a detailed list of automatic exclusions |
+| [Opting out of automatic exclusions](#opting-out-of-automatic-exclusions) | Includes important considerations and procedures describing how to opt out of automatic exclusions |
+| [Defining custom exclusions](#defining-custom-exclusions) | Provides links to how-to information for defining custom exclusions |
-### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server
-Use the following cmdlets:
+> [!IMPORTANT]
+> Keep the following points in mind:
+> - Custom exclusions take precedence over automatic exclusions.
+> - Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a full scan, quick scan, or on-demand scan.
+> - Custom and duplicate exclusions do not conflict with automatic exclusions.
+> - Microsoft Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
-```PowerShell
-Set-MpPreference -DisableAutoExclusions $true
-```
+## Automatic exclusions on Windows Server 2016 or later
-To learn more, see the following resources:
+> [!NOTE]
+> Automatic exclusions only apply to real-time protection (RTP) scanning. Automatic exclusions are not honored during a full scan, quick scan, or on-demand scan.
-- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).-- [Use PowerShell with Microsoft Defender Antivirus](/powershell/module/defender/).
+On Windows Server 2016 or later, you should not need to define the following exclusions:
-### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server
+- Operating system files
+- Server roles and any files that are added through server roles
-Use the **Set** method of the [MSFT_MpPreference](/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
+Because Microsoft Defender Antivirus is built in, it does not require exclusions for operating system files on Windows Server 2016 or later. In addition, when you run Windows Server 2016 or later and install a role, Microsoft Defender Antivirus includes automatic exclusions for the server role and any files that are added while installing the role.
-```WMI
-DisableAutoExclusions
-```
+Operating system exclusions and server role exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+Automatic exclusions for server roles and operating system files do not apply to Windows Server 2012 or Windows Server 2012 R2.
-## List of automatic exclusions
+### The list of automatic exclusions
The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
-### Default exclusions for all roles
+#### Default exclusions for all roles
This section lists the default exclusions for all roles in Windows Server 2016 and Windows Server 2019. > [!NOTE] > The default locations could be different than what's listed in this article.
-#### Windows "temp.edb" files
+##### Windows "temp.edb" files
- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb` - `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log`
-#### Windows Update files or Automatic Update files
+##### Windows Update files or Automatic Update files
- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb` - `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
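Review bot: The caveat "Automatic exclusions only apply to real-time protection (RTP) scanning" now appears twice within a few paragraphs: once in the new `[!IMPORTANT]` list under Summary and again in the `[!NOTE]` that opens "Automatic exclusions on Windows Server 2016 or later", with "Real-time" capitalised differently in each. Keep it in one place with one spelling. The new Summary also scopes the article to "Windows Server 2016 or later", while the unchanged sentence under "Default exclusions for all roles" still reads "Windows Server 2016 and Windows Server 2019"; align that sentence with the new scope.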
This section lists the default exclusions for all roles in Windows Server 2016 a
- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs` - `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`
-#### Windows Security files
+##### Windows Security files
- `%windir%\Security\database\*.chk` - `%windir%\Security\database\*.edb`
This section lists the default exclusions for all roles in Windows Server 2016 a
- `%windir%\Security\database\*.log` - `%windir%\Security\database\*.sdb`
-#### Group Policy files
+##### Group Policy files
- `%allusersprofile%\NTUser.pol` - `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol` - `%SystemRoot%\System32\GroupPolicy\User\registry.pol`
-#### WINS files
+##### WINS files
- `%systemroot%\System32\Wins\*\*.chk` - `%systemroot%\System32\Wins\*\*.log`
This section lists the default exclusions for all roles in Windows Server 2016 a
- `%systemroot%\System32\LogFiles\` - `%systemroot%\SysWow64\LogFiles\`
-#### File Replication Service (FRS) exclusions
+##### File Replication Service (FRS) exclusions
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
This section lists the default exclusions for all roles in Windows Server 2016 a
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File` > [!NOTE]
- > For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions).
+ > For custom locations, see [Opting out of automatic exclusions](#opting-out-of-automatic-exclusions).
- `%systemdrive%\System Volume Information\DFSR\$db_normal$` - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`
This section lists the default exclusions for all roles in Windows Server 2016 a
- `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs` - `%systemdrive%\System Volume Information\DFSR\Tmp.edb`
-#### Process exclusions
+##### Process exclusions
- `%systemroot%\System32\dfsr.exe` - `%systemroot%\System32\dfsrs.exe`
-#### Hyper-V exclusions
+##### Hyper-V exclusions
The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role.
-|File type exclusions |Folder exclusions | Process exclusions |
-|:--|:--|:--|
-| `*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V` <br/> `%ProgramFiles%\Hyper-V` <br/> `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` <br/> `%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe` <br/> `%systemroot%\System32\Vmwp.exe` |
+| Exclusion type | Specifics |
+|:|:|
+| File types | `*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs` |
+| Folders | `%ProgramData%\Microsoft\Windows\Hyper-V` <br/> `%ProgramFiles%\Hyper-V` <br/> `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` <br/> `%Public%\Documents\Hyper-V\Virtual Hard Disks` |
+| Processes | `%systemroot%\System32\Vmms.exe` <br/> `%systemroot%\System32\Vmwp.exe` |
-#### SYSVOL files
+##### SYSVOL files
- `%systemroot%\Sysvol\Domain\*.adm` - `%systemroot%\Sysvol\Domain\*.admx`
The following table lists the file type exclusions, folder exclusions, and proce
- `%systemroot%\Sysvol\Domain\Oscfilter.ini`
-### Active Directory exclusions
+#### Active Directory exclusions
-This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
+This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services (AD DS).
-#### NTDS database files
+##### NTDS database files
The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` - `%windir%\Ntds\ntds.dit` - `%windir%\Ntds\ntds.pat`
-#### The AD DS transaction log files
+##### The AD DS transaction log files
The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\
- `%windir%\Ntds\Ntds*.pat` - `%windir%\Ntds\TEMP.edb`
-#### The NTDS working folder
+##### The NTDS working folder
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` - `%windir%\Ntds\Temp.edb` - `%windir%\Ntds\Edb.chk`
-#### Process exclusions for AD DS and AD DS-related support files
+##### Process exclusions for AD DS and AD DS-related support files
- `%systemroot%\System32\ntfrs.exe` - `%systemroot%\System32\lsass.exe`
-### DHCP Server exclusions
+#### DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
This section lists the exclusions that are delivered automatically when you inst
- `%systemroot%\System32\DHCP\*\*.chk` - `%systemroot%\System32\DHCP\*\*.edb`
-### DNS Server exclusions
+#### DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
-#### File and folder exclusions for the DNS Server role
+##### File and folder exclusions for the DNS Server role
- `%systemroot%\System32\Dns\*\*.log` - `%systemroot%\System32\Dns\*\*.dns` - `%systemroot%\System32\Dns\*\*.scc` - `%systemroot%\System32\Dns\*\BOOT`
-#### Process exclusions for the DNS Server role
+##### Process exclusions for the DNS Server role
- `%systemroot%\System32\dns.exe`
-### File and Storage Services exclusions
+#### File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
This section lists the file and folder exclusions that are delivered automatical
- `%clusterserviceaccount%\Local Settings\Temp` - `%SystemDrive%\mscs`
-### Print Server exclusions
+#### Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
-#### File type exclusions
+##### File type exclusions
- `*.shd` - `*.spl`
-#### Folder exclusions
+##### Folder exclusions
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory` - `%system32%\spool\printers\*`
-#### Process exclusions
+##### Process exclusions
- `spoolsv.exe`
-### Web Server exclusions
+#### Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
-#### Folder exclusions
+##### Folder exclusions
- `%SystemRoot%\IIS Temporary Compressed Files` - `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
This section lists the folder exclusions and the process exclusions that are del
- `%systemDrive%\inetpub\logs` - `%systemDrive%\inetpub\wwwroot`
-#### Process exclusions
+##### Process exclusions
- `%SystemRoot%\system32\inetsrv\w3wp.exe` - `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe` - `%SystemDrive%\PHP5433\php-cgi.exe`
-#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder
+##### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder
The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default:
Exclude the following files from this folder and all its subfolders:
- `*.ins` - `Oscfilter.ini`
-### Windows Server Update Services exclusions
+#### Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
This section lists the folder exclusions that are delivered automatically when y
- `%systemroot%\SoftwareDistribution\Datastore` - `%systemroot%\SoftwareDistribution\Download`
+## Opting out of automatic exclusions
+
+In Windows Server 2016 and later, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and later. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+
+> [!WARNING]
+> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and Windows Server 2019 roles.
+
+Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL folders to another drive or path that is *different from the original path*, you must add exclusions manually. See [Configure the list of exclusions based on folder name or file extension](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension).
+
+You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
+
+### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
+
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then select **Edit**.
+
+2. In the **Group Policy Management Editor** go to **Computer configuration**, and then select **Administrative templates**.
+
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
+
+4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then select **OK**.
+
+### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -DisableAutoExclusions $true
+```
+
+To learn more, see the following resources:
+
+- [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
+- [Use PowerShell with Microsoft Defender Antivirus](/powershell/module/defender/).
+
+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server
+
+Use the **Set** method of the [MSFT_MpPreference](/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
+
+```WMI
+DisableAutoExclusions
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
+
+## Defining custom exclusions
+
+If necessary, you can add or remove custom exclusions. To do that, see the following articles:
+
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+ ## See also - [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
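Review bot: The relocated "Opting out of automatic exclusions" section is only half updated for the new version scope. Its first paragraph now says "Windows Server 2016 and later", but the `[!WARNING]` directly below still says the exclusions are "optimized for Windows Server 2016 and Windows Server 2019 roles", and the Group Policy heading still names only those two releases, so a reader on a later release cannot tell whether the warning and the procedure apply. In the same section, WMI is expanded as "Windows Management Instruction" where it should read "Windows Management Instrumentation". "Use the following cmdlets" and "for the following properties" each introduce a single item, and the WMI block names `DisableAutoExclusions` without the value to set. Since opting out changes what real-time protection scans, a step showing how to confirm the resulting setting would also help.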
security Device Control Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md
- Title: Protect your organization's data with device control
-description: Monitor your organization's data security through device control reports.
-ms.sitesec: library
-ms.pagetype: security
-localization_priority: normal
------
-# Protect your organization's data with device control
-
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-
-Microsoft Defender for Endpoint device control protects against data loss, by monitoring and controlling media use by devices in your organization, such as the use of removable storage devices and USB drives.
-
-With the device control report, you can view events that relate to media usage, such as:
--- **Audit events:** Shows the number of audit events that occur when external media is connected.-- **Policy events:** Shows the number of policy events that occur when a device control policy is triggered.-
-> [!NOTE]
-> The audit event to track media usage is enabled by default for devices onboarded to Microsoft Defender for Endpoint.
-
-## Understanding the audit events
-
-The audit events include:
--- **USB drive mount and unmount:** Audit events that are generated when a USB drive is mounted or unmounted.-- **PnP:** Plug and Play audit events are generated when removable storage, a printer, or Bluetooth media is connected.-
-## Monitor device control security
-
-Device control in Microsoft Defender for Endpoint empowers security administrators with tools that enable them to track their organization's device control security through reports. You can find the device control report in the Microsoft 365 security center by going to **Reports > Device protection**.
-
-The Device protection card on the **Reports** dashboard shows the number of audit events generated by media type, over the last 180 days.
-
-> [!div class="mx-imgBorder"]
-> ![DeviceControlReportCard](images/devicecontrolcard.png)
-
-The **View details** button shows more media usage data in the **device control report** page.
-
-The page provides a dashboard with aggregated number of events per type and a list of events. Administrators can filter on time range, media class name, and device ID.
-
-> [!div class="mx-imgBorder"]
-> ![DeviceControlReportDetails](images/Detaileddevicecontrolreport.png)
-
-When you select an event, a flyout appears that shows you more information:
--- **General details:** Date, Action mode, and the policy of this event.-- **Media information:** Media information includes Media name, Class name, Class GUID, Device ID, Vendor ID, Volume, Serial number, and Bus type.-- **Location details:** Device name and MDATP device ID.-
-> [!div class="mx-imgBorder"]
-> ![FilterOnDeviceControlReport](images/devicecontrolreportfilter.png)
-
-To see real-time activity for this media across the organization, select the **Open Advanced hunting** button. This includes an embedded, pre-defined query.
-
-> [!div class="mx-imgBorder"]
-> ![QueryOnDeviceControlReport](images/Devicecontrolreportquery.png)
-
-To see the security of the device, select the **Open device page** button on the flyout. This button opens the device entity page.
-
-> [!div class="mx-imgBorder"]
-> ![DeviceEntityPage](images/Devicesecuritypage.png)
-
-## Reporting delays
-
-The device control report can have a 12-hour delay from the time a media connection occurs to the time the event is reflected in the card or in the domain list.
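Review bot: This removes the whole device control report article together with its TOC entry ("Device Control reports"), including the "Reporting delays" section (12-hour delay) and the note that the media-usage audit event is enabled by default for onboarded devices. Nothing in the visible change shows where that information now lives. Confirm that the replacement article carries both statements and that a redirect covers `device-control-report.md`, so existing links from runbooks and other articles do not break.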
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
ms.technology: mde Previously updated : 06/02/2021 Last updated : 08/17/2021 # Enable attack surface reduction rules
Example:
1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
-2. Type the following cmdlet:
+2. Type one of the following cmdlets. (Refer to [Attack surface reduction rules](attack-surface-reduction-rules.md) for more details, such as rule ID.)
```PowerShell Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
Example:
## Related articles -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+- [Attack surface reduction rules](attack-surface-reduction-rules.md)
- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
security Get Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines.md
Retrieves a collection of [Machines](machine.md) that have communicated with Mi
Supports [OData V4 queries](https://www.odata.org/documentation/).
-The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
-
+The OData's `$filter` query is supported on: `computerDnsName`, `id`, `version`, `deviceValue`, `aadDeviceId`, `machineTags`, `lastSeen`,`exposureLevel`, `lastIpAddress`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
+<br>```$stop``` with max value of 10,000
+<br>```$skip```
See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md) ## Limitations
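Review bot: The added line documents `$stop` "with max value of 10,000", but the OData paging options are `$top` and `$skip`, so `$stop` looks like a typo for `$top`, and a reader who copies it will send a query option the service does not recognise. In the same added lines, `$skip` is listed with no description, there is no space after the comma in `lastSeen`,`exposureLevel`, and the paging options are marked up with triple backticks and raw `<br>` tags rather than the single-backtick inline style used for the filter fields.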
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
ms.technology: mde
Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
+## 1.1.20020101
+- UX Enhancements - Microsoft Defender for Endpoint has a new look.
+- Bug fixes.
+ ## 1.1.17240101 - Support for Mobile Application Management (MAM) via Intune is generally available with this version. For more information, see [Microsoft Defender for Endpoint risk signals available for your App protection policies](https://techcommunity.microsoft.com/t5/intune-customer-success/microsoft-defender-for-endpoint-risk-signals-available-for-your/ba-p/2186322) - **Jailbreak Detection** is generally available. For more information, see [Setup Conditional Access Policy based on device risk signals](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios).
security Linux Deploy Defender For Endpoint With Chef https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md
when 'debian'
repo_name 'microsoft-prod' components ['main'] trusted true
- uri "https://packages.microsoft.com/ubuntu/20.04/prod"
+ uri "https://packages.microsoft.com/config/ubuntu/20.04/prod"
end apt_package "mdatp" when 'rhel' yum_repository 'microsoft-prod' do
- baseurl "https://packages.microsoft.com/rhel/7/prod/"
+ baseurl "https://packages.microsoft.com/config/rhel/7/prod/"
description "Microsoft Defender for Endpoint" enabled true gpgcheck true
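Review bot: The new values for `uri` (apt block) and `baseurl` (yum block) point under `/config/`, but in a Chef `apt_repository` or `yum_repository` resource these properties must be the root of the package repository itself, where the package metadata lives. Elsewhere in this change, the `/config/` paths are used only to download `.repo` and `.list` files. Confirm that both new URLs actually serve repository metadata before merging. Otherwise the recipe will fail at the package install step and the previous values should be kept. Separately, the apt block sets `trusted true` while the yum block sets `gpgcheck true`; the two platforms should verify package signatures consistently.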
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
In order to preview new features and provide early feedback, it is recommended t
```bash sudo yum install yum-utils ```-- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/rhel/`.
+- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/rhel/`.
Use the following table to help guide you in locating the package: | Distro & version | Package | |||
- | For RHEL 8.0-8.5 | https://packages.microsoft.com/rhel/8/prod/ |
- | For RHEL 7.2-7.9 | https://packages.microsoft.com/rhel/7/prod/ |
+ | For RHEL 8.0-8.5 | https://packages.microsoft.com/config/rhel/8/prod/ |
+ | For RHEL 7.2-7.9 | https://packages.microsoft.com/config/rhel/7/prod/ |
In the following commands, replace *[version]* and *[channel]* with the information you've identified:
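Review bot: The two updated table rows give the location as a directory, `.../config/rhel/8/prod/` and `.../config/rhel/7/prod/`, but every command changed in this patch fetches a file of the form `.../config/rhel/[version]/[channel].repo`. The table column is headed "Package", yet after this change the rows point at neither a package nor the `.repo` file the reader needs next. Make the rows match the form used in the commands (for example the `prod.repo` URL), or explain what the directory URL is for.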
In order to preview new features and provide early feedback, it is recommended t
> In case of Oracle Linux, replace *[distro]* with "rhel". ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/rhel/[version]/[channel].repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/[version]/[channel].repo
``` For example, if you are running CentOS 7 and want to deploy Defender for Endpoint on Linux from the *prod* channel: ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/rhel/7/prod.repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/prod.repo
``` Or if you wish to explore new features on selected devices, you might want to deploy Microsoft Defender for Endpoint on Linux to *insiders-fast* channel: ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/rhel/7/insiders-fast.repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/rhel/7/insiders-fast.repo
``` - Install the Microsoft GPG public key:
In order to preview new features and provide early feedback, it is recommended t
### SLES and variants -- Note your distribution and version, and identify the closest entry(by major, then minor) for it under `https://packages.microsoft.com/sles/`.
+- Note your distribution and version, and identify the closest entry(by major, then minor) for it under `https://packages.microsoft.com/config/sles/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified: ```bash
- sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/[distro]/[version]/[channel].repo
+ sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
``` For example, if you are running SLES 12 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel: ```bash
- sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/sles/12/prod.repo
+ sudo zypper addrepo -c -f -n microsoft-prod https://packages.microsoft.com/config/sles/12/prod.repo
``` - Install the Microsoft GPG public key:
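Review bot: The lead-in sentence says to replace *[distro]* and *[version]*, but the `zypper addrepo` line also takes `[channel]`, in both `microsoft-[channel]` and `[channel].repo`; list all three placeholders. While touching the bullet, add the missing space in `entry(by major`, which the RHEL bullet earlier in this change already has.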
In order to preview new features and provide early feedback, it is recommended t
sudo apt-get install libplist-utils ``` -- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/[distro]/`.
+- Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/[distro]/`.
In the below command, replace *[distro]* and *[version]* with the information you've identified: ```bash
- curl -o microsoft.list https://packages.microsoft.com/[distro]/[version]/[channel].list
+ curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
``` For example, if you are running Ubuntu 18.04 and wish to deploy Microsoft Defender for Endpoint on Linux from the *prod* channel: ```bash
- curl -o microsoft.list https://packages.microsoft.com/ubuntu/18.04/prod.list
+ curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/prod.list
``` - Install the repository configuration:
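Review bot: `curl -o microsoft.list ...` has no `-f`, so if the new `/config/` path is wrong for a given distro or version, curl saves the server's error page as `microsoft.list` and exits 0, and the next step installs that file as the repository configuration. Since this change moves every URL, suggest `curl -f -o microsoft.list ...` in both commands so a bad path fails at the download step.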
In order to preview new features and provide early feedback, it is recommended t
``` ```Output
- deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
- deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
+ deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/config/ubuntu/18.04/prod insiders-fast main
+ deb [arch=amd64] https://packages.microsoft.com/cofig/ubuntu/18.04/prod bionic main
``` ```bash
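Review bot: The second added line misspells the path as `/cofig/ubuntu/18.04/prod`; at minimum it should match the `/config/` spelling of the line above. More importantly, these lines sit in an `Output` block, so they should reproduce what the command actually prints, and rewriting the `deb` entries changes recorded output. The `.list` file is downloaded from `/config/`, but the `deb` URL inside it is the package repository itself, so confirm against a real run before changing either line.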
Download the onboarding package from Microsoft 365 Defender portal:
> mdatp health --field definitions_status > ``` >
- > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Defender for Endpoint on Linux for static proxy discovery: Post-installation configuration](/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration#post-installation-configuration).
+ > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Defender for Endpoint on Linux for static proxy discovery: Post-installation configuration](linux-static-proxy-configuration.md#post-installation-configuration).
5. Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
Create a subtask or role files that contribute to a playbook or task.
> [!WARNING] > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
- Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/[distro]/`.
+ Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/[distro]/`.
In the following commands, replace *[distro]* and *[version]* with the information you've identified.
Create a subtask or role files that contribute to a playbook or task.
- name: Add Microsoft apt repository for MDATP apt_repository:
- repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
+ repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/config/[distro]/[version]/prod [channel] main
update_cache: yes state: present filename: microsoft-[channel]
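Review bot: `repo:` is the apt source that `apt_repository` writes, not the location of a `.list` file, so prefixing it with `/config/` changes where packages are fetched from rather than where the configuration is downloaded. The manual instructions in this same update use `/config/` only for `[channel].list` and `[channel].repo` files. Confirm that `https://packages.microsoft.com/config/[distro]/[version]/prod` serves a package index before merging; if it does not, keep the old `repo:` value and change only the "identify the closest entry" sentence.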
Create a subtask or role files that contribute to a playbook or task.
name: packages-microsoft-com-prod-[channel] description: Microsoft Defender for Endpoint file: microsoft-[channel]
- baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
+ baseurl: https://packages.microsoft.com/config/[distro]/[version]/[channel]/
gpgcheck: yes enabled: Yes when: ansible_os_family == "RedHat"
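Review bot: `baseurl` has to be a directory that contains repository metadata, but the manual RHEL steps in this update treat `/config/rhel/[version]/[channel].repo` as a file. The new value `/config/[distro]/[version]/[channel]/` is therefore a different resource from the one the path change was about, and a wrong `baseurl` surfaces as a failed metadata fetch on every host the playbook touches. Verify that the directory exists, or leave `baseurl` unchanged.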
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
In order to preview new features and provide early feedback, it is recommended t
> [!WARNING] > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
-Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/[distro]/`.
+Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/[distro]/`.
In the below commands, replace *[distro]* and *[version]* with the information you've identified:
$version = undef
case $::osfamily { 'Debian' : { apt::source { 'microsoftpackages' :
- location => "https://packages.microsoft.com/${distro}/${version}/prod",
+ location => "https://packages.microsoft.com/config/${distro}/${version}/prod",
release => $channel, repos => 'main', key => {
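Review bot: `location` for `apt::source` raises the same question as the Ansible `repo:` value: it is the package repository URL, while this update shows only `.list` and `.repo` files under `/config/`. Check it against a working node before merging; the `yumrepo` `baseurl` in the next hunk needs the same check.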
$version = undef
} 'RedHat' : { yumrepo { 'microsoftpackages' :
- baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}",
+ baseurl => "https://packages.microsoft.com/config/${distro}/${version}/${channel}",
descr => "packages-microsoft-com-prod-${channel}", enabled => 1, gpgcheck => 1,
security Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine.md
lastIpAddress | String | Last IP on local NIC on the [machine](machine.md).
lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet. healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown". rbacGroupName | String | Machine group Name.
+rbacGroupId | String | Machine group ID.
riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.
-exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined). machineTags | String collection | Set of [machine](machine.md) tags. exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'.
security Switch To Microsoft Defender Onboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-onboard.md
Title: Switch to Microsoft Defender for Endpoint - Onboard
-description: This is phase 3, Onboard, for migrating from a non-Microsoft solution to Microsoft Defender for Endpoint.
+description: Make the switch to Microsoft Defender for Endpoint. Onboard devices and then uninstall your non-Microsoft solution.
keywords: migration, Microsoft Defender for Endpoint, edr search.product: eADQiWindows 10XVcnh search.appverid: met150
- m365solution-symantecmigrate Previously updated : 08/12/2021 Last updated : 08/16/2021
If at this point you have:
- Onboarded your organization's devices to Defender for Endpoint, and - Microsoft Defender Antivirus is installed and enabled,
-Then your next step is to uninstall your non-Microsoft endpoint protection solution.
+Then your next step is to uninstall your non-Microsoft antivirus, antimalware, and endpoint protection solution. When you uninstall your non-Microsoft solution, Microsoft Defender Antivirus switches from passive mode to active mode. In most cases, this happens automatically.
-To get help with this task, reach out to your solution provider's technical support team.
+To get help with uninstalling your non-Microsoft solution, contact their technical support team.
## Make sure Defender for Endpoint is working correctly
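Review bot: In the rewritten last sentence, "contact their technical support team" has no clear antecedent for "their"; the removed wording "your solution provider's technical support team" was unambiguous, so keep the noun. The added "In most cases, this happens automatically" also leaves the reader without a next step for the remaining cases; point to the "Make sure Defender for Endpoint is working correctly" section that follows, or say how to check which mode Microsoft Defender Antivirus is in.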
security Switch To Microsoft Defender Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-prepare.md
Title: Switch to Microsoft Defender for Endpoint - Prepare
-description: This is phase 1, Prepare, for migrating to Microsoft Defender for Endpoint.
-keywords: migration, Microsoft Defender for Endpoint, edr
+description: Get ready to make the switch to Microsoft Defender for Endpoint. Update your devices and configure your network connections.
+keywords: migration, Microsoft Defender for Endpoint, best practice
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
- m365solution-symantecmigrate Previously updated : 08/11/2021 Last updated : 08/16/2021
security Switch To Microsoft Defender Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup.md
Title: Switch to Microsoft Defender for Endpoint - Setup
-description: Phase 2, the setup process, when switching to Microsoft Defender for Endpoint.
-keywords: migration, Microsoft Defender for Endpoint, edr, Windows Defender
+description: Make the switch to Defender for Endpoint. Review the setup process, which includes installing Microsoft Defender Antivirus.
+keywords: migration, Microsoft Defender for Endpoint, antivirus, passive mode, setup process
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
- m365solution-symantecmigrate Previously updated : 08/11/2021 Last updated : 08/16/2021
4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus). 5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units). - ## Reinstall/enable Microsoft Defender Antivirus on your endpoints
-On certain versions of Windows, Microsoft Defender Antivirus was likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. Unless and until devices are onboarded to Defender for Endpoint, Microsoft Defender Antivirus does not run in active mode alongside a non-Microsoft antivirus solution. To learn more, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
+On certain versions of Windows, Microsoft Defender Antivirus was likely uninstalled or disabled when your non-Microsoft antivirus/antimalware solution was installed. When endpoints running Windows are onboarded to Defender for Endpoint, Microsoft Defender Antivirus can run in passive mode alongside a non-Microsoft antivirus solution. To learn more, see [Antivirus protection with Defender for Endpoint](microsoft-defender-antivirus-compatibility.md#antivirus-protection-with-defender-for-endpoint).
-Now that you're planning to switch to Defender for Endpoint, you might need to take certain steps to reinstall or enable Microsoft Defender Antivirus.
+As you're making the switch to Defender for Endpoint, you might need to take certain steps to reinstall or enable Microsoft Defender Antivirus. The following table describes what to do on your Windows clients and servers.
| Endpoint type | What to do |
security Update Machine Method https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-machine-method.md
deviceValue|Nullable Enum|The [value of the device](tvm-assign-device-value.md).
If successful, this method returns 200 OK, and the [machine](machine.md) entity in the response body with the updated properties.
-If machine tags collection in body doesn't contain existing machine tags - 400 Invalid Input and a message informing of the missing tag/s.
+If machine tags collection in body doesn't contain existing machine tags - replaces all tags with the tags provided in the request body.
If machine with the specified ID was not found - 404 Not Found.
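Review bot: The replacement sentence keeps the "If machine tags collection in body doesn't contain existing machine tags -" framing of an error case but now describes a successful, destructive outcome, and it no longer states a status code between the 200 OK and 404 lines. Say it outright, for example "The tags in the request body replace all existing machine tags; include every tag you want to keep", and consider a caution callout, since a partial tag list now drops tags instead of returning 400 Invalid Input.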
security Configure Advanced Delivery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-advanced-delivery.md
The third-party phishing simulation entries that you configured are displayed on
In addition to the two scenarios that the advanced delivery policy can help you with, there are other scenarios that might require you bypass filtering: -- **Third-party filters**: If your domain's MX record *doesn't* point to Office 365 (messages are routed somewhere else first), [secure by default](secure-by-default.md) *is not available*. If you'd like to add protection, you'll need to enable Enhanced Filtering for Connectors (also known as *skip listing*). For more information, see [Manage mail flow using a third-party cloud service with Exchange Online](/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud). If you don't want Enhanced Filtering for Connectors,use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see [Use mail flow rules to set the SCL in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl.md).
+- **Third-party filters**: If your domain's MX record *doesn't* point to Office 365 (messages are routed somewhere else first), [secure by default](secure-by-default.md) *is not available*. If you'd like to add protection, you'll need to enable Enhanced Filtering for Connectors (also known as *skip listing*). For more information, see [Manage mail flow using a third-party cloud service with Exchange Online](/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud). If you don't want Enhanced Filtering for Connectors, use mail flow rules (also known as transport rules) to bypass Microsoft filtering for messages that have already been evaluated by third-party filtering. For more information, see [Use mail flow rules to set the SCL in messages](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl.md).
- **False positives under review**: You might want to temporarily allow certain messages that are still being analyzed by Microsoft via [admin submissions](admin-submission.md) to report known good messages that are incorrectly being marked as bad to Microsoft (false positives). As with all overrides, we ***highly recommended*** that these allowances are temporary.
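Review bot: The added line still ends with the link `/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl.md`, a root-relative path with a `.md` suffix, while the other root-relative link in the same bullet (`/exchange/mail-flow-best-practices/manage-mail-flow-using-third-party-cloud`) has none. Drop the `.md` so both follow the same form. The unchanged bullet below also reads "we ***highly recommended***"; "recommend" is meant.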
This example identifies the valid rule (one) and any invalid rules.
Get-PhishSimOverrideRule | Format-Table Name,Mode ```
-After you identify the invalid rules, you can remove them by using the **Remove-PhisSimOverrideRule** cmdlet as described [later in this article](#use-powershell-to-remove-phishing-simulation-override-rules).
+After you identify the invalid rules, you can remove them by using the **Remove-PhishSimOverrideRule** cmdlet as described [later in this article](#use-powershell-to-remove-phishing-simulation-override-rules).
For detailed syntax and parameter information, see [Get-PhishSimOverrideRule](/powershell/module/exchange/get-phishsimoverriderule).
test-base Createaccount https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/createAccount.md
f1.keywords: NOCSH
# Step 1: Create a Test Base account
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/en-us/free/) before you begin.
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin.
## Enter details for test base account