Updates from: 08/25/2021 03:36:42
| Category | Microsoft Docs article | Related commit history on GitHub |
|---|---|---|
| admin | Scoped Certified Application Installation And Config | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/misc/scoped-certified-application-installation-and-config.md |

Change details:
+
+ Title: "Scoped Certified application installation and configuration guide"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
++
+search.appverid:
+- MET150
+description: "Scoped Certified application installation and configuration guide for ServiceNow."
++
+# ­­­Scoped Certified application installation and configuration guide
+
+[Overview](#overview)
+
+[Application dependencies in ServiceNow environments](#application-dependencies-in-servicenow-environments)
+
+[Configuration instructions](#configuration-instructions)
+
+[Who can set up the Microsoft 365 support integration?](#who-can-set-up-microsoft-365-support-integration)
+
+[What features are available in Microsoft 365 support integration?](#what-features-are-available-in-microsoft-365-support-integration)
+
+[Set up Microsoft 365 support integration with ServiceNow Basic Authentication](#set-up-microsoft-365-support-integration-with-servicenow-basic-authentication)
+
+[Set up Microsoft 365 support integration with AAD OAuth Token](#set-up-microsoft-365-support-integration-with-aad-oauth-token)
+
+[Set up Microsoft 365 support integration for Insights ONLY](#set-up-microsoft-365-support-integration-for-insights-only)
+
+[Testing the configuration](#testing-the-configuration)
+
+[Troubleshooting](#troubleshooting)
+
+## Overview
+
+Microsoft 365 support integration enables you to integrate Microsoft 365 help, support, and service health with ServiceNow. You can research Microsoft known and reported issues, resolve incidents, and complete tasks by using Microsoft recommended solutions and, if necessary, escalate to Microsoft human- assisted support.
+
+## Application dependencies in ServiceNow environments
+
+Permissions required:
+
+- oauth\_entity
+
+- oauth\_entity\_profile
+
+After Microsoft 365 support integration was installed, two Application Cross-Scope accesses were created. If they're not created successfully for any reason, create them manually.
++
+## Configuration instructions
++
+To set up Microsoft 365 support integration:
+
+- Register applications in Microsoft Azure Active Directory (AAD) for authentication of both outbound and inbound API calls.
+
+- Create ServiceNow entities with Microsoft AAD applications for both outbound and inbound data flow.
+
+- Integrate ServiceNow instance with Microsoft support through Microsoft 365 Admin Portal.
+
+## Who can set up Microsoft 365 support integration?
+
+- Anyone with permissions to create AAD applications.
+
+- A ServiceNow admin.
+
+- A Helpdesk admin or Service Request admin in Microsoft 365 tenants.
+
+## What features are available in Microsoft 365 support integration?
+
+Before setting up any configuration for Microsoft 365 support integration, review your answers to these questions:
+
+**Question #1** Does your ServiceNow environment allow Basic Authentication (access with ServiceNow user credential) for inbound webservice calls?
+
+**Question #2** If you have multiple tenants, do you plan to use a single tenant integrated with your ServiceNow environment for Microsoft 365 support integration?
+
+This table identifies features available to you depending on the answers to these questions and the links to the specific instructions for how to set up Microsoft 365 support integration. For a description of each feature, see [Microsoft 365 support integration](https://store.servicenow.com/sn_appstore_store.do#!/store/application/6d05c93f1b7784507ddd4227cc4bcb9f).
+
+|Question #1 Answer|Question #2 Answer|What features are available?|Configuration Steps|
+| | | | |
+|Yes|Yes|Service Health Incidents <br/>Recommended Solutions </br>Microsoft service request|[Set up Microsoft 365 support integration with ServiceNow Basic Authentication](#set-up-microsoft-365-support-integration-with-servicenow-basic-authentication)|
+|Yes|No|Service Health Incidents <br/>Recommended Solutions </br>Microsoft service request||
+|No|Yes|Service Health Incidents <br/>Recommended Solutions </br>Microsoft service request|[Set up Microsoft 365 support integration with AAD OAuth Token](#set-up-microsoft-365-support-integration-with-aad-oauth-token)|
+|No|No|Service Health Incidents <br/>Recommended Solutions|[Set up Microsoft 365 support integration for Insights ONLY](#set-up-microsoft-365-support-integration-for-insights-only) |
+
+## Set up Microsoft 365 support integration with ServiceNow Basic Authentication
+
+### Prerequisites (Basic Authentication)
+
+Some prerequisites are necessary to set up the Microsoft 365 support integration.
+
+1. \[The person who can create AAD applications\] Create AAD Application under your Microsoft 365 tenant.
+
+ 1. Log on to the [Azure Portal](https://portal.azure.com/) with your Microsoft 365 tenant credentials.
+
+ 1. Go to the App registrations page and create a new application.
+
+ Select **Accounts in this organizational directory only ({TenantName} only ΓÇô Single tenant**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image3.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Add redirect URL: `https://&lt;your-servicenow-instance&gt;.service-now.com/oauth\_redirect.do`.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image4.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Get the application Client ID and create an App Secret.
+
+2. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider in ServiceNow.
+
+ 1. Go to **System OAuth** > **Application Registry**.
+
+ 1. If the scope is not set to **Global**, open **Settings** > **Developer** > **Applications** to switch to **Global**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image5.png" alt-text="Graphical user interface, text, application, chat or text message Description automatically generated":::
+
+ 1. Create a new application with the values following values by selecting [Connect to a third party OAuth Provider](https://dev77417.service-now.com/wizard_view.do?sys_action=sysverb_wizard_ans&WIZARD:action=follow&wiz_referring_url=oauth_entity_list.do?sys_id=-1@99@sys_target=oauth_entity@99@sysparm_fixed_query=@99@sysparm_group_sort=@99@sysparm_parent=2c7cab53d7232100f20bc8170e61036b@99@sysparm_query=type%3dclient%5eORtype%3doauth_provider@99@sysparm_target=@99@sysparm_view=&wiz_collection_key=&wiz_collectionID=&wiz_collection=&wiz_collection_related_field=&wiz_view=&wiz_action=sysverb_new&sys_id=79ce2f53d7232100f20bc8170e610361&sysparm_query=type=client%5eORtype=oauth_provider&sysparm_target=&sys_target=oauth_entity).
+
+ - Client ID: The Client ID of the application created in step \#1
+
+ - Client Secret: The App Secret of the application created in step \#1
+
+ - Default Grant type: Client Credentials
+
+ - Token URL: `https://login.microsoftonline.com/{M365\_Tenant\_Name}/oauth2/token`
+
+ - Redirect URL:
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image6.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+3. \[The person who is a ServiceNow admin\] Set up Inbound OAuth Provider.
+
+ 1. Go to **System OAuth** > **Application Registry**.
+
+ 1. If the scope is not set to **Global**, open **Settings** > **Developer** > **Applications** to switch to **Global**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image5.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+ 1. Create a new application by selecting **Create an OAuth API endpoint for external clients**. Name the inbound OAuth provider and leave other fields at their defaults.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image7.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+4. \[The person who is a ServiceNow admin\] Create integration users.
+
+ You must specify an integration user. If you donΓÇÖt have an existing integration user or if you want to create one specific for this integration, go to **Organization** > **Users** to create a new user.
+
+ If you're creating a new integration user, check the box **Web service access only**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image8.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+### \[Optional\] Whitelist the serviceΓÇÖs Ips of Microsoft 365 support integration
+
+If your company is limiting internet access with your own policies, enable network access for the service of Microsoft 365 support integration by whitelisting the IP addresses below for both inbound and outbound API access.
+
+- 52.149.152.32
+
+- 40.83.232.243
+
+- 40.83.114.39
+
+- 13.76.138.31
+
+- 13.79.229.170
+
+- 20.105.151.142
+
+> [!NOTE]
+> This terminal command lists all active IPs of the service for Microsoft 365 support integration:
+> `nslookup connector.rave.microsoft.com`
+
+### Set up Microsoft 365 support integration application
+
+The Microsoft 365 support integration application can be set up under Microsoft 365 support.
+
+These steps are required to set up the integration between your ServiceNow instance and Microsoft 365 support.
+
+1. \[The person who is a ServiceNow admin\] Switch the scope to Microsoft 365 support integration.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image9.png" alt-text="Graphical user interface, table Description automatically generated":::
+
+2. \[The person who is a ServiceNow admin\] Go to Microsoft 365 support > **Setup** to open the integration flow.
+
+ > [!NOTE]
+ > If you see the error "Read operation against 'oauth\_entity' from scope 'x\_mioms\_m365\_assis' has been refused due to the table's cross-scope access policy," it was caused by your table access policy. You must make sure **All application scopes** > **Can read** is checked for the table oauth\_entity.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image10.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+3. \[The person who is a ServiceNow admin\] Select **Agree** to agree to the consent
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image11.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+4. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider.
+
+ Select the OAuth profile for Outbound OAuth Provider created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#2 and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image12.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+5. \[The person who is a ServiceNow admin\] Set up Inbound OAuth Provider.
+
+- Uncheck **Skip current step**.
+
+- Uncheck **External OIDC Auth Token**.
+
+- Select OAuth Client created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#3 and select **Next**.
++
+6. \[The person who is a ServiceNow admin\] Set up inbound call integration user.
+
+- Uncheck **Skip current step**.
+
+- Select the integration user created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#4 and select **Next**.
++
+7. \[The person who is a ServiceNow admin\] Set up Repository ID.
+
+Specify the repository ID, and then select **Next**.
++
+8. \[The person who is a ServiceNow admin\] Set up Application settings.
+
+Select the following settings, and then select **Next**.
+
+- SSO with Microsoft 365: Check whether the ServiceNow instance is set up as SSO with Microsoft 365 tenants, otherwise uncheck it.
+
+- Microsoft 365 admin email: The email of Microsoft 365 admin user who is contacted when Microsoft 365 support cases are created.
+
+- Test Environment: Check the box to indicate a test phase to avoid Microsoft support agents contacting you to address the issue. If you're ready to move forward officially with Microsoft 365 support integration, uncheck the box.
++
+9. \[The person who is Helpdesk Admin or Service Request Admin in Microsoft 365 tenants\] Complete Integration.
+
+ 1. Check the information below to make sure it's correct.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image17.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+ 1. Go to Microsoft 365 [Admin Portal](https://admin.microsoft.com/) > **Settings** > **Settings** > **Organization profiles**.
+
+ 1. Set up support integration settings:
+
+ 1. In the **Basic information** tab, select internal support tool **Service Now** and type **Outbound App ID** as the value of Application ID on the page Step - 6 Complete, which was created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#1.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image18.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. In the tab **Repositories**, select **Add a repository** to create a new repository with the following settings:
+
+ - Repository: The **Repository ID** value from page Step - 6 Complete the integration.
+
+ - Endpoint: The **Endpoint** value from page Step - 6 Complete the integration.
+
+ - Authentication type: Select **Basic Auth**.
+
+ - Client ID: The **Client ID** value from page Step - 6 Complete the integration.
+
+ - Client secret: The secret of the inbound OAuth provider that was created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#3.
+
+ - Refresh token expiry: 864000
+
+ - Rest username: The **User Name** value from page Step - 6 Complete the integration.
+
+ - Rest user password: The password of the integration user that was created in [Prerequisites (Basic Authentication)](#prerequisites-basic-authentication) step \#4.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image19.png" alt-text="Graphical user interface, application Description automatically generate":::
+
+ 1. Go back and select the button to save the integration.
+
+ 1. Select **Next** to complete the integration.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image20.png" alt-text="Graphical user interface, application, website Description automatically generated":::
+
+10. \[The person who is a ServiceNow admin\] Enable Microsoft 365 support integration for an existing user.
+
+Microsoft 365 support integration is enabled only for the user with one of these roles:
+
+- [x\_mioms\_m365\_assis.insights\_user](https://ven01306.service-now.com/sys_user_role.do?sys_id=802b2adfdb4cac507c80230bd3961911&sysparm_record_target=sys_user_role&sysparm_record_row=2&sysparm_record_rows=2&sysparm_record_list=nameSTARTSWITHx_mioms_m365%5EORDERBYname)
+
+- [x\_mioms\_m365\_assis.administrator](https://ven01306.service-now.com/sys_user_role.do?sys_id=4b25c9fb1b7784507ddd4227cc4bcb3a&sysparm_record_target=sys_user_role&sysparm_record_row=1&sysparm_record_rows=2&sysparm_record_list=nameSTARTSWITHx_mioms_m365%5EORDERBYname)
+
+> [!NOTE]
+> The user with the role x\_mioms\_m365\_assis.insights\_user role can see Service Health Incidents, Recommended Solutions. The user with the role x\_mioms\_m365\_assis.administrator can also open a case with Microsoft 365 support.
+
+11. \[Optional\] \[The person who is a ServiceNow admin\] Link Microsoft 365 Admin account.
+
+If any user has the role x\_mioms\_m365\_assis.administrator and is using different Microsoft 365 accounts to manage a Microsoft 365 support case, they must go to Microsoft 365 support > Link Account to set up their Microsoft 365 admin email.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image21.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+## Set up Microsoft 365 support integration with AAD OAuth Token
+
+### Prerequisites (AAD OAuth Token)
+
+These prerequisite steps are necessary to set up the Microsoft 365 support integration:
+
+1. \[The person who can create AAD applications\] Create an AAD Application for Outbound under your Microsoft 365 tenant.
+
+ 1. Log on [Azure Portal](https://portal.azure.com/) with Microsoft 365 tenant credentials.
+
+ 1. Go to the **App registrations** page and create a new application.
+
+ Select **Accounts in this organizational directory only ({TenantName} only ΓÇô Single tenant**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image3.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Add redirect URL: `https://&lt;your-servicenow-instance&gt;.service-now.com/auth\_redirect.do`
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image4.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Get Client ID of the application and create App Secret.
+
+2. \[The person who can create AAD applications\] Create AAD Application for Rest API under your Microsoft 365 tenant.
+
+ 1. Log on to the [Azure Portal](https://portal.azure.com/) with your Microsoft 365 tenant credentials.
+
+ 1. Go to **App registrations** and create a new application.
+
+ Select **Accounts in this organizational directory only ({TenantName} only ΓÇô Single tenant**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image22.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Get the application Client ID and create App Secret.
+
+3. \[The person who can create AAD applications\] Create AAD Application for Rest User under your Microsoft 365 tenant.
+
+ 1. Log on to the [Azure Portal](https://portal.azure.com/) with your Microsoft 365 tenant credentials.
+
+ 1. Go to the **App registrations** page and create a new application.
+ 1. Select **Accounts in this organizational directory only ({TenantName} only ΓÇô Single tenant**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image23.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Get the application Client ID and create an App Secret.
+
+4. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider in ServiceNow.
+
+ 1. Go to **System OAuth** > **Application Registry**.
+
+ 2. If the scope is not set to **Global**, open **Settings** > **Developer** > **Applications** to switch to **Global**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image5.png" alt-text="Graphical user interface, text, application, chat or text message Description automatically generated":::
+
+ 3. Create a new application with the values below by selecting [Connect to a third party OAuth Provider](https://dev77417.service-now.com/wizard_view.do?sys_action=sysverb_wizard_ans&WIZARD:action=follow&wiz_referring_url=oauth_entity_list.do?sys_id=-1@99@sys_target=oauth_entity@99@sysparm_fixed_query=@99@sysparm_group_sort=@99@sysparm_parent=2c7cab53d7232100f20bc8170e61036b@99@sysparm_query=type%3dclient%5eORtype%3doauth_provider@99@sysparm_target=@99@sysparm_view=&wiz_collection_key=&wiz_collectionID=&wiz_collection=&wiz_collection_related_field=&wiz_view=&wiz_action=sysverb_new&sys_id=79ce2f53d7232100f20bc8170e610361&sysparm_query=type=client%5eORtype=oauth_provider&sysparm_target=&sys_target=oauth_entity).
+
+ - Client ID: The Client ID of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#1.
+
+ - Client Secret: The App Secret of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#1.
+
+ - Default Grant type: Client Credentials.
+
+ - Token URL: `https://login.microsoftonline.com/{M365\_Tenan\_Name}/oauth2/token`
+
+ - Redirect URL:
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image6.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+5. \[The person who is a ServiceNow admin\] Configure OIDC provider in ServiceNow, refer to the [online documentation](https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/task/add-OIDC-entity.html), otherwise go to step 7.
+
+ 1. Go to **System OAuth** > **Application Registry**.
+
+ 1. If the scope is not set to **Global**, open **Settings** > **Developer** > **Applications** to switch to **Global**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image5.png" alt-text="Graphical user interface, text, application, chat or text message Description automatically generated":::
+
+ 1. Select **New** > **Create new Open ID Connect Provider**.
+
+ 1. In **OAuth OIDC Provider Configuration**, select **Search** and create a new OIDC provider configuration under ΓÇ£oidc\_provider\_configuration.listΓÇ¥ with these values:
+
+ - OIDC Provider: Contoso Azure
+
+ - OIDC Metadata URL: `https://login.microsoftonline.com/{tenant\_name}/.well-known/openid-configuration`
+
+ - UserClaim: **appId**
+
+ - User Field: **User ID**
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image24.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+ 1. Create a new application by selecting **Configure an OIDC provider to verify ID tokens** with these values:
+
+ - Name: contoso\_application\_inbound\_api
+
+ - Client ID: The Client ID of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#2.
+
+ - Client Secret: The App Secret of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#2.
+
+ - OAuth OIDC Provider Configuration: The OIDC provider created in the last step.
+
+ - Redirect URL:
+ `https://{service\_now\_instance}.service-now.com/oauth\_redirect.do`
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image25.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+6. \[The person who is a ServiceNow admin\] Create Integration Users.
+
+ Navigate to **Organization** > **Users** to create a new user if there is no integration user. The value of **User ID** is the application Client ID created in step [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) \#3
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image26.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+### \[Optional\] Whitelist the serviceΓÇÖs Ips of Microsoft 365 support integration
+
+If your company is limiting internet access with your own policies, enable network access for the service of Microsoft 365 support integration by whitelisting these IP addresses for both inbound and outbound API access:
+
+- 52.149.152.32
+
+- 40.83.232.243
+
+- 40.83.114.39
+
+- 13.76.138.31
+
+- 13.79.229.170
+
+- 20.105.151.142
+
+> [!NOTE]
+> This terminal command lists all active IPs of the service for Microsoft 365 support integration:
+> *nslookup connector.rave.microsoft.com*
+
+### Set up Microsoft 365 support integration
+
+The Microsoft 365 support integration application can be set up through the **Setup** under the Microsoft 365 support.
+
+These steps are necessary to set up the integration between your ServiceNow instance and Microsoft 365 support.
+
+1. \[The person who is a ServiceNow admin\] Switch the scope to Microsoft 365 support integration.
++
+2. \[The person who is a ServiceNow admin\] Go to Microsoft 365 support > **Setup** to open the integration flow.
+
+> [!NOTE]
+> If you see the error "Read operation against 'oauth\_entity' from scope 'x\_mioms\_m365\_assis' has been refused due to the table's cross-scope access policy," it was caused by your table access policy. You must make sure **All application scopes** > **Can read** is checked for the table oauth\_entity.
++
+3. \[The person who is a ServiceNow admin\] Select **Agree** to agree to the consent.
++
+4. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider.
+
+Select OAuth profile for Outbound OAuth Provider created at [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#4 and select **Next**.
++
+5. \[The person who is a ServiceNow admin\] Set up Inbound OAuth Provider.
+
+ 1. Uncheck **Skip current step**.
+
+ 1. Check **External OIDC Auth Token**.
+
+ 1. Select the OAuth Client created at [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step 5, and then select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image28.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+6. \[The person who is a ServiceNow admin\] Set up Inbound Call Integration User.
+
+ 1. Uncheck **Skip current step**.
+
+ 1. Input the Client ID of the application that was created at [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#3 and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image29.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+7. \[The person who is a ServiceNow admin\] Set up the Repository ID.
+
+ Specify the repository ID and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image15.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+8. \[The person who is a ServiceNow admin\] Set up Application Settings.
+
+ Select these settings:
+
+ 1. SSO with Microsoft 365: Check the box if the ServiceNow instance is setup SSO with Microsoft 365 tenants; otherwise uncheck it.
+
+ 1. Microsoft 365 admin email: The email of Microsoft 365 admin user to be contacted when Microsoft 365 support cases are created.
+
+ 1. Test Environment: Check the box to indicate a test phase to avoid Microsoft support agents contacting you to address the issue. If you're ready to move forward officially with Microsoft 365 support integration, uncheck the box.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image16.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+ 1. Select **Next**.
+
+9. \[The person who is Helpdesk Admin or Service Request Admin in Microsoft 365 tenants\] Complete integration.
+
+ 1. Check the following information to make sure it's correct.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image30.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Go to Microsoft 365 [Admin Portal](https://admin.microsoft.com) > **Settings** > **Settings** > **Organization profiles**.
+
+ 1. Set up support integration settings.
+
+ 1. On the **basic information** tab, select **Service Now** as the internal support tool, and type **Outbound App ID** as the value of Application ID on the Step - 6 Complete page, which was created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#1.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image18.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. On the **Repositories** tab, select **Add a repository** to create a new repository with the following information:
+
+ - Repository: Use the **Repository ID** value from the Step - 6 Complete the integration page.
+
+ - Endpoint: The **Endpoint** value from the Step - 6 Complete the integration page.
+
+ - Authentication type: Select **AAD Auth**.
+
+ - Client Id: The **Client ID** value on the Step - 6 Complete the integration page, which is the Client ID of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#2.
+
+ - Rest username: The **User Name** value on the Step - 6 Complete the integration page, which is the **Client ID** of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#3.
+
+ - Rest user password: The App Secret of the application created in [Prerequisites (AAD OAuth Token)](#prerequisites-aad-oauth-token) step \#3.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image31.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+ 1. Go back and select the button to save the integration.
+
+ 1. Select **Next** to complete the integration.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image32.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+10. \[The person who is a ServiceNow admin\] Enable Microsoft 365 support integration for an existing user.
+
+Microsoft 365 support integration is enabled only for users with the following roles:
+
+- [x\_mioms\_m365\_assis.insights\_user](https://ven01306.service-now.com/sys_user_role.do?sys_id=802b2adfdb4cac507c80230bd3961911&sysparm_record_target=sys_user_role&sysparm_record_row=2&sysparm_record_rows=2&sysparm_record_list=nameSTARTSWITHx_mioms_m365%5EORDERBYname)
+
+- [x\_mioms\_m365\_assis.administrator](https://ven01306.service-now.com/sys_user_role.do?sys_id=4b25c9fb1b7784507ddd4227cc4bcb3a&sysparm_record_target=sys_user_role&sysparm_record_row=1&sysparm_record_rows=2&sysparm_record_list=nameSTARTSWITHx_mioms_m365%5EORDERBYname)
+
+> [!NOTE]
+> The user with the role x\_mioms\_m365\_assis.insights\_user can see Service Health Incidents, Recommended Solutions. The user with the role x\_mioms\_m365\_assis.administrator also can open a case with Microsoft 365 support.
+
+11. **\[Optional\] \[The person who is a ServiceNow admin\] Link Microsoft 365 Admin account**
+
+If any user has the role ΓÇ£x\_mioms\_m365\_assis.administratorΓÇ¥ and they're using different Microsoft 365 accounts to manage Microsoft support cases, they must go to Microsoft 365 support > Link Account to set up their Microsoft 365 admin email.
++
+## Set up Microsoft 365 support integration for Insights ONLY
+
+### Prerequisites (Insights ONLY)
+
+These prerequisite steps are necessary to set up Microsoft 365 support integration:
+
+1. \[The person who can create AAD applications\] Create AAD Application under your Microsoft 365 tenant.
+
+ 1. Log on to the [Azure Portal](https://portal.azure.com/) with your Microsoft 365 tenant credentials.
+
+ 1. Go to the **App registrations** page and create a new application.
+
+ 1. Select **Accounts in this organizational directory only ({TenantName} only ΓÇô Single tenant**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image3.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Add redirect URL: `https://&lt;your-servicenow-instance&gt;.service-now.com/auth\_redirect.do`
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image4.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Get Client ID of the application and create an App Secret.
+
+1. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider in ServiceNow.
+
+ 1. Go to **System OAuth** > **Application Registry**.
+
+ 1. If the scope is not set to **Global**, open **Settings** > **Developer** > **Applications** to switch to **Global**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image5.png" alt-text="Graphical user interface, text, application, chat or text message Description automatically generated":::
+
+ 1. Create a new application with the values below by selecting [Connect to a third party OAuth Provider](https://dev77417.service-now.com/wizard_view.do?sys_action=sysverb_wizard_ans&WIZARD:action=follow&wiz_referring_url=oauth_entity_list.do?sys_id=-1@99@sys_target=oauth_entity@99@sysparm_fixed_query=@99@sysparm_group_sort=@99@sysparm_parent=2c7cab53d7232100f20bc8170e61036b@99@sysparm_query=type%3dclient%5eORtype%3doauth_provider@99@sysparm_target=@99@sysparm_view=&wiz_collection_key=&wiz_collectionID=&wiz_collection=&wiz_collection_related_field=&wiz_view=&wiz_action=sysverb_new&sys_id=79ce2f53d7232100f20bc8170e610361&sysparm_query=type=client%5eORtype=oauth_provider&sysparm_target=&sys_target=oauth_entity).
+
+ - Client ID: The **Client ID** of the application created in [Prerequisites (Insights ONLY)](#prerequisites-insights-only) step \#1
+
+ - Client Secret: The App Secret of the application created in [Prerequisites (Insights ONLY)](#prerequisites-insights-only) step \#1
+
+ - Default Grant type: Client Credentials
+
+ - Token URL: `https://login.microsoftonline.com/{M365\_Tenan\_Name}/oauth2/token`
+
+ - Redirect URL: `https://{ServiceNow\_Istance\_Name}.service-now.com/oauth\_redirect.do`
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image6.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+### Set up Microsoft 365 support integration
+
+The Microsoft 365 support integration application can be set up through **Setup** under Microsoft 365 support.
+
+The following steps are needed to set up the integration between your ServiceNow instance and Microsoft support.
+
+1. \[The person who is a ServiceNow admin\] Switch the scope to Microsoft 365 support integration.
++
+2. \[The person who is a ServiceNow admin\] Go to Microsoft 365 support > **Setup** to open the integration flow.
+
+> [!NOTE]
+> If you see the error "Read operation against 'oauth\_entity' from scope 'x\_mioms\_m365\_assis' has been refused due to the table's cross-scope access policy," it was caused by your table access policy. You must make sure **All application scopes** > **Can read** is checked for the table oauth\_entity.
++
+3. \[The person who is a ServiceNow admin\] Select **Agree** to agree to the consent.
++
+4. \[The person who is a ServiceNow admin\] Set up Outbound OAuth Provider.
+
+Select OAuth profile for Outbound OAuth Provider and select **Next**.
++
+5. \[The person who is a ServiceNow admin\] Skip Inbound OAuth Provider.
+
+ Check **Skip current step**, and then select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image33.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+6. \[The person who is a ServiceNow admin\] Skip Integration User.
+
+ Check **Skip current step** and select **Next**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image34.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+7. \[The person who is a ServiceNow admin\] Set up Repository ID.
+
+Specify the repository ID and select **Next**.
++
+8. \[The person who is a ServiceNow admin\] Set up Application Settings.
+
+ Select the right settings and select **Next**.
+
+ - SSO with Microsoft 365: Check whether the ServiceNow instance is set up as SSO with Microsoft 365 tenants; otherwise uncheck it.
+
+ - Microsoft 365 Admin Email: The email of Microsoft 365 admin user to be contacted when Microsoft 365 support cases are created.
+
+ - Test Environment: Check the box to indicate a test phase to avoid Microsoft support agents contacting you to address the issue. If you're ready to move forward officially with Microsoft 365 support integration, uncheck the box.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image16.png" alt-text="Graphical user interface, text, application Description automatically generated":::
+
+9. \[The person who is Helpdesk Admin or Service Request Admin in Microsoft 365 tenants\] Complete Integration.
+
+ 1. Check the information here to make sure it's correct.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image35.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. Go to Microsoft 365 [Admin Portal](https://admin.microsoft.com) > **Settings** > **Settings** > **Organization profiles**.
+
+ 1. Set up support integration settings with the information shown in setup flow.
+
+ 1. On the **basic information** tab, select **Service Now** as the internal support tool, and type **Outbound App ID** as the Application ID to issue an OAuth token.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image18.png" alt-text="Graphical user interface, text, application, email Description automatically generated":::
+
+ 1. On the **Repositories** tab, select **Add a repository** to create a new repository with the following information:
+
+ - Repository: The **Repository ID** value from the Step - 6 Complete the integration page.
+
+ - Endpoint: The **Endpoint** value from the Step - 6 Complete the integration page.
+
+ - Authentication type: Select **AAD Auth**.
+
+ - Client ID: A random value, such as **ignored**.
+
+ - Rest username: A random value, such as **ignored**.
+
+ - Rest user password: A random value, such as **ignored**.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image36.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+ 1. Go back and select the button to save the integration.
+
+ 1. Select **Next** to complete the integration.
+
+ :::image type="content" source="../../media/ServiceNow-guide/ServiceNow-guide-image37.png" alt-text="Graphical user interface, application Description automatically generated":::
+
+10. \[The person who is a ServiceNow admin\] Enable Microsoft 365 support integration for an existing user.
+
+Microsoft 365 support integration is enabled only for these user roles:
+
+- [x\_mioms\_m365\_assis.insights\_user](https://ven01306.service-now.com/sys_user_role.do?sys_id=802b2adfdb4cac507c80230bd3961911&sysparm_record_target=sys_user_role&sysparm_record_row=2&sysparm_record_rows=2&sysparm_record_list=nameSTARTSWITHx_mioms_m365%5EORDERBYname)
+
+- [x\_mioms\_m365\_assis.administrator](https://ven01306.service-now.com/sys_user_role.do?sys_id=4b25c9fb1b7784507ddd4227cc4bcb3a&sysparm_record_target=sys_user_role&sysparm_record_row=1&sysparm_record_rows=2&sysparm_record_list=nameSTARTSWITHx_mioms_m365%5EORDERBYname)
+
+> [!NOTE]
+> The user with the role x\_mioms\_m365\_assis.insights\_user can see Service Health Incidents, Recommended Solutions. The user with the role x\_mioms\_m365\_assis.administrator also can open a case with Microsoft 365 support.
+
+11. \[Optional\] \[The person who is a ServiceNow admin\] Link Microsoft 365 Admin account.
+
+If any user has the role ΓÇ£x\_mioms\_m365\_assis.administrator and is using different Microsoft 365 accounts to manage a Microsoft support case, they must go to Microsoft 365 support > Link Account to set up their Microsoft 365 admin email.
++
+## Testing the configuration
+
+If your application requires successful communication with external systems, outline how to test the connection to ensure a successful configuration.
+
+Here are the steps to test the configuration of Microsoft 365 support integration:
+
+1. Log on to ServiceNow portal as admin.
+
+2. Open any incident.
+
+3. Focus on **Microsoft 365 support** tab, and select **Microsoft 365 Insights** to determine if the recommended solutions were retrieved successfully.
++
+## Troubleshooting
+
+|#|Problem|Diagnostics action|
+| | | |
+|1|Can't see **Microsoft 365 support** tab|Verify the current view and **System Logs** > **All** with filter x_mioms_m365_assit|
+|2|Select **Microsoft recommended solutions** but get error "Please contact your ServiceNow admin and ask them to complete the setup steps for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|3|Select **Microsoft recommended solutions** but get error "Please contact your ServiceNow admin and ask them to complete the final set up step for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|4|Type the problem in search box and select **Microsoft recommended solutions** but get error "Please contact your ServiceNow admin and ask them to complete the setup steps for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|5|Type problem in search box and select **Microsoft recommended solutions** but get error "Please contact your ServiceNow admin and ask them to complete the final set up step for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|6|Select **Contact Microsoft support**, but get the error "Please contact your ServiceNow admin and ask them to complete the setup steps for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|7|Select **Contact Microsoft support**, but get the error "Please contact your ServiceNow admin and ask them to complete the final set up step for the app."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|8|Select **Contact Microsoft support** but get the error "{EmailAddress} is not a valid Microsoft 365 admin account. You need Microsoft 365 admin privileges to open a service request. In the app, link the admin account."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|9|Select **Microsoft recommended solutions** but nothing shows up|Check **System Logs ΓÇô Outbound HTTP logs** with filter login.microsoftonline.com and connector.rave.microsoft.com|
+|10|Select **Microsoft recommended solutions** but get error "Please contact app support."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|11|Type problem in search box and select **Microsoft recommended solutions** but nothing shows up|Check **System Logs ΓÇô Outbound HTTP logs** with filter login.microsoftonline.com and connector.rave.microsoft.com|
+|12|Type problem in search box and select **Microsoft recommended solutions** but get error "Please contact app support."|Check the error message on top of the form and **System Logs** > **All** with filter x_mioms_m365_assit|
+|13|User selects **Contact Microsoft support**, but nothing happens|Check **System Logs ΓÇô Outbound HTTP logs** with filter login.microsoftonline.com and connector.rave.microsoft.com|
+|14|CanΓÇÖt see Microsoft recommended solution after reopening the incident|Check **System Logs** > **All** with filter x_mioms_m365_assit|
+|15|CanΓÇÖt see Microsoft cases when reopening the incident that was transferred to Microsoft support|Check **System Logs** > **All** with filter x_mioms_m365_assit|
+|16|Can't save ticket details, get error "Unable to save ticket details. Please contact App support."|Check the error message on top of form|
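Review bot: The role and wizard links in this new guide point at private developer instances (`ven01306.service-now.com` on the two `x_mioms_m365_assis.*` role bullets, `dev77417.service-now.com` on "Connect to a third party OAuth Provider"), complete with `sys_id` query strings; readers cannot open them and publishing instance names in public docs is needless exposure, so replace the links with the in-product navigation path. In the same file: the NOTE about the `oauth_entity` cross-scope error tells admins to tick **All application scopes** > **Can read**, which lets every scoped application on the instance read the table that holds the OAuth provider's client ID and secret; document the narrower option of granting read access to the `x_mioms_m365_assis` scope alone through a cross-scope privilege record, or at least present the broad setting as the fallback. The redirect URL for the Azure AD app (`https://&lt;your-servicenow-instance&gt;.service-now.com/auth\_redirect.do`) differs from the ServiceNow provider's Redirect URL (`.../oauth\_redirect.do`); confirm which is intended, and drop the `&lt;`/`&gt;` entities and backslash escapes inside code spans, which render literally (`{M365\_Tenan\_Name}` and `{ServiceNow\_Istance\_Name}` also misspell Tenant and Instance). The troubleshooting table's second row is `| | | |` rather than an alignment row, so it will not render as a table, and every log filter reads `x_mioms_m365_assit` while the application scope is `x_mioms_m365_assis`. The sentence "If your application requires successful communication with external systems, outline how to test the connection..." is template guidance that should not ship in reader-facing text. `ΓÇ£`, `ΓÇ¥`, `ΓÇô` and `ΓÇÖ` are mis-encoded curly quotes and dashes (the Link Account paragraphs, the single-tenant option, the Outbound HTTP logs rows), and the Insights-only Link Account paragraph is missing its closing quote. Lastly, the Repositories-tab bullets cite "the Step - 6 Complete the integration page" while Complete Integration is step 9 in this list; say whether "Step 6" is the wizard's own page number.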
admin Troubleshoot Windows 365 Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/troubleshoot-windows-365-business.md
Make sure **Users may join devices to Azure AD** is set to **All**.
## Step 2. Verify that the CloudPCBRT system account is active
-The first time a Windows 365 license is assigned in your organization, a system account called "CloudPCBPRT" is automatically created in Azure AD. Do not delete this account. If the system account is deleted, the setup will fail. This system account ensures a smooth setup process and doesn't have any write capabilities or access to your organization beyond the scoped service capabilities of Windows 365 Business. If you delete this system account, you must open a new support request to have it restored.
+The first time a Windows 365 license is assigned in your organization, a system account called "CloudPCBPRT" is automatically created in Azure AD. Do not delete this account or make any changes to it (such as changing the name or UPN). If the system account is deleted, the setup will fail. This system account ensures a smooth setup process and doesn't have any write capabilities or access to your organization beyond the scoped service capabilities of Windows 365 Business. If you delete this system account, you must open a new support request to have it restored.
To make sure the CloudPCBRT system account is active in Azure AD, use the following steps.
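Review bot: The system account name is inconsistent within the same step: the changed sentence says "CloudPCBPRT" while the heading "Step 2. Verify that the CloudPCBRT system account is active" and the next sentence say "CloudPCBRT"; use the spelling that matches the object in Azure AD so admins searching the directory find it. The new wording now forbids renaming the account or changing its UPN, but the recovery guidance still covers deletion only ("open a new support request to have it restored"); add what to do if the account has already been modified.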
If you already use Microsoft Intune, or plan to use it to manage your Windows 36
3. On the **Configure** page, next to **MDM user scope**, select **Some** or **All**, then select **Save**. 4. In the left nav, under **Manage**, select **Mobility (MDM and MAM)**, select **Microsoft Intune Enrollment**, then repeat step 3.
-You also must assign an Intune license to the CloudPCBPRT system account and to any other users who are assigned a Cloud PC.
+Users who are assigned a Cloud PC must have an Intune license assigned to them. The CloudPCBPRT system account does not need to be assigned an Intune license.
> [!IMPORTANT] > To assign licenses, you must be a Global or Licensing admin, or have a role with licensing permissions.
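Review bot: The replacement sentence drops the Intune license requirement for the CloudPCBPRT system account but does not say whether a license already assigned under the previous guidance should be removed or can stay; one sentence either way would stop admins from toggling it and would also make the preceding step's "MDM user scope" setting easier to reason about, since the IMPORTANT callout only covers who may assign licenses.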
compliance Add Or Remove Members From A Case In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/add-or-remove-members-from-a-case-in-advanced-ediscovery.md
# Add or remove members from a case
-You can add or remove members to manage who can access the case. However, before a member can access a Advanced eDiscovery case (and perform tasks in the case), you must add the user to the eDiscovery Manager role group on the **Permissions** page in the security and compliance center. For more information, see [Assign eDiscovery permissions in the Security & Compliance Center](./assign-ediscovery-permissions.md).
+You can add or remove members to manage who can access the case. However, before a member can access a Advanced eDiscovery case (and perform tasks in the case), you must add the user to the eDiscovery Manager role group on the **Permissions** page in the security and compliance center. For more information, see [Assign eDiscovery permissions](./assign-ediscovery-permissions.md).
1. On the **Advanced eDiscovery** page, go to the case that you want to add a member to.
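Review bot: Only the link text changes here, yet the same sentence still reads "a Advanced eDiscovery case" (should be "an") and refers to "the **Permissions** page in the security and compliance center", the old portal name that the other commits in this batch are replacing with "Microsoft 365 compliance center"; update it in this hunk so the page does not mix both names.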
compliance Advanced Ediscovery Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/advanced-ediscovery-dashboard.md
For some cases in Advanced eDiscovery, you may have a large volume of documents
## Step 1: Create a widget on the review set dashboard
-1. In the Security & Compliance Center, go to **eDiscovery > Advanced eDiscovery** to display the list of cases in your organization.
+1. In the Microsoft 365 compliance center, go to **eDiscovery > Advanced eDiscovery** to display the list of cases in your organization.
2. Select an existing case.
compliance Apply Retention Labels Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
You can apply retention labels to content automatically when that content contai
- [A match for trainable classifiers](#auto-apply-labels-to-content-by-using-trainable-classifiers)
-All three conditions can automatically apply retention labels to emails as they are sent and received (data in transit), but not to existing items in the mailbox (data at rest). For items in SharePoint and OneDrive, use the following table to identify when retention labels can be automatically applied to them:
+Use the following table to identify when retention labels can be automatically applied to items for Exchange:
+
+|Condition|Items in transit (sent or received) |Existing items (data at rest)|
+|:--|:--|:--|
+|Sensitive info types - built-in| Yes | No |
+|Sensitive info types - custom| Yes | No |
+|Specific keywords or searchable properties| Yes |Yes |
+|Trainable classifiers| Yes | Yes (last six months only) |
+
+Use the following table to identify when retention labels can be automatically applied to items for SharePoint and OneDrive:
|Condition|New or modified items |Existing items (data at rest)| |:--|:--|:--|
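Review bot: The new Exchange table row "Trainable classifiers | Yes | Yes (last six months only)" needs a reference point for the six months (received date, or the date the policy is created?), otherwise admins cannot tell which existing items will be labeled. Since the table reverses the removed statement that auto-apply never reaches existing Exchange items, a short sentence under it calling out that keywords, searchable properties and classifiers now cover data at rest while sensitive info types do not would help readers who remember the old guidance.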
compliance Archive Facebook Data With Sample Connector https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-facebook-data-with-sample-connector.md
Complete the following prerequisites before you can set up and configure a conne
- [Sign up for a Pay-As-You-Go Azure subscription](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/) > [!NOTE]
- > The [free Azure Active Directory subscription](use-your-free-azure-ad-subscription-in-office-365.md) that's included with your Microsoft 365 subscription doesn't support the connectors in the Security & Compliance Center.
+ > The [free Azure Active Directory subscription](use-your-free-azure-ad-subscription-in-office-365.md) that's included with your Microsoft 365 subscription doesn't support the connectors in the Microsoft 365 compliance center.
- The connector for Facebook Business pages can import a total of 200,000 items in a single day. If there are more than 200,000 Facebook Business items in a day, none of those items will be imported to Microsoft 365.
compliance Archive Twitter Data With Sample Connector https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-twitter-data-with-sample-connector.md
Complete the following prerequisites before you can set up and configure a conne
- [Sign up for a Pay-As-You-Go Azure subscription](https://azure.microsoft.com/pricing/purchase-options/pay-as-you-go/) > [!NOTE]
- > The [free Azure Active Directory subscription](use-your-free-azure-ad-subscription-in-office-365.md) that's included with your Microsoft 365 subscription doesn't support the connectors in the Security & Compliance Center.
+ > The [free Azure Active Directory subscription](use-your-free-azure-ad-subscription-in-office-365.md) that's included with your Microsoft 365 subscription doesn't support the connectors in the Microsoft 365 compliance center.
- The Twitter connector can import a total of 200,000 items in a single day. If there are more than 200,000 Twitter items in a day, none of those items will be imported to Microsoft 365.
compliance Attorney Privilege Detection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/attorney-privilege-detection.md
To enable the attorney-client privilege detection model, your organization has t
A person who is an eDiscovery Administrator in your organization (a member of the eDiscovery Administrator subgroup in the eDiscovery Manager role group) must make the model available in your Advanced eDiscovery cases.
-1. In the Security & Compliance Center, go to **eDiscovery > Advanced eDiscovery**.
+1. In the Microsoft 365 compliance center, go to **eDiscovery > Advanced**.
2. On the **Advanced eDiscovery** home page, in the **Settings** tile, click **Configure global analytics settings**.
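Review bot: The new navigation label "**eDiscovery > Advanced**" does not match the other page updated in this batch (advanced-ediscovery-dashboard.md uses "**eDiscovery > Advanced eDiscovery**"), and the very next step still says "On the **Advanced eDiscovery** home page"; pick one label and use it in both steps.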
compliance Audit Log Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-retention-policies.md
description: "Audit log retention policies are part of the new Advanced Audit ca
# Manage audit log retention policies
-You can create and manage audit log retention policies in the Security & Compliance Center. Audit log retention policies are part of the new Advanced Audit capabilities in Microsoft 365. An audit log retention policy lets you specify how long to retain audit logs in your organization. You can retain audit logs for up to 10 years. You can create policies based on the following criteria:
+You can create and manage audit log retention policies in the Microsoft 365 compliance center. Audit log retention policies are part of the new Advanced Audit capabilities in Microsoft 365. An audit log retention policy lets you specify how long to retain audit logs in your organization. You can retain audit logs for up to 10 years. You can create policies based on the following criteria:
- All activities in one or more Microsoft 365 services - Specific activities (in a Microsoft 365 service) performed by all users or by specific users
Advanced Audit in Microsoft 365 provides a default audit log retention policy fo
## Before you create an audit log retention policy -- You have to be assigned the Organization Configuration role in the Security & Compliance Center to create or modify an audit retention policy.
+- You have to be assigned the Organization Configuration role in the Microsoft 365 compliance center to create or modify an audit retention policy.
- You can have a maximum of 50 audit log retention policies in your organization.
Advanced Audit in Microsoft 365 provides a default audit log retention policy fo
## Create an audit log retention policy
-1. Go to <https://compliance.microsoft.com> and sign in with a user account that's assigned the Organization Configuration role on the Permissions page in the Security & Compliance Center.
+1. Go to <https://compliance.microsoft.com> and sign in with a user account that's assigned the Organization Configuration role on the Permissions page in the Microsoft 365 compliance center.
-2. In the left pane of the Microsoft 365 compliance center, click **Show all**, and then click **Audit**.
+2. In the left pane of the Microsoft 365 compliance center, click **Audit**.
3. Click the **Audit retention policies** tab.
compliance Auditing Troubleshooting Scenarios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/auditing-troubleshooting-scenarios.md
This article describes how to use the audit log search tool to help you investig
## Using the audit log search tool
-Each of the troubleshooting scenarios described in this article is based on using the audit log search tool in the Security & Compliance Center. This section lists the permissions required to search the audit log and describes the steps to access and run audit log searches. Each scenario section explains how to configure an audit log search query and what to look for in the detailed information in the audit records that match the search criteria.
+Each of the troubleshooting scenarios described in this article is based on using the audit log search tool in the Microsoft 365 compliance center. This section lists the permissions required to search the audit log and describes the steps to access and run audit log searches. Each scenario section explains how to configure an audit log search query and what to look for in the detailed information in the audit records that match the search criteria.
### Permissions required to use the audit log search tool
compliance Change The Hold Duration For An Inactive Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/change-the-hold-duration-for-an-inactive-mailbox.md
An inactive mailbox is used to retain a former employee's email after he or she
## Connect to PowerShell -- You have to use Exchange Online PowerShell to change the hold duration for a Litigation Hold on an inactive mailbox. You can't use the Exchange admin center (EAC). But you can use Exchange Online PowerShell or the EAC to change the hold duration for an In-Place Hold. You can use the security and compliance center or the Security & Compliance Center PowerShell to change the hold duration for a Microsoft 365 retention policy.
+- You have to use Exchange Online PowerShell to change the hold duration for a Litigation Hold on an inactive mailbox. You can't use the Exchange admin center (EAC). But you can use Exchange Online PowerShell or the EAC to change the hold duration for an In-Place Hold. You can use the security and compliance center or Security & Compliance Center PowerShell to change the hold duration for a Microsoft 365 retention policy.
- To connect to Exchange Online PowerShell or Security & Compliance Center PowerShell, see one of the following topics:
The following table identifies the five different hold types that were used to m
|:--|:--|:--| |Ann Beebe <br/> |Litigation Hold <br/> |The *LitigationHoldEnabled* property is set to `True`. <br/> | |Pilar Pinilla <br/> |In-Place Hold <br/> |The *InPlaceHolds* property contains the GUID of the In-Place Hold that's placed on the inactive mailbox. You can tell this is an In-Place Hold because the ID doesn't start with a prefix. <br/> You can use the `Get-MailboxSearch -InPlaceHoldIdentity <hold GUID> | FL` command in Exchange Online PowerShell to get information about the In-Place Hold on the inactive mailbox. <br/> |
-|Mario Necaise <br/> |Organization-wide Microsoft 365 retention policy in the Security & Compliance Center <br/> |The *InPlaceHolds* property is empty. This indicates that one or more organization-wide or (Exchange-wide) Microsoft 365 retention policy is applied to the inactive mailbox. In this case, you can run the `Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds` command in Exchange Online PowerShell to get a list of the GUIDs for organization-wide Microsoft 365 retention policies. The GUID for organization-wide retention policies that are applied to Exchange mailboxes start with the `mbx` prefix; for example, `mbxa3056bb15562480fadb46ce523ff7b02`. <br/> <br/>To identity the Microsoft 365 retention policy that's applied to the inactive mailbox, run the following command in Security & Compliance Center PowerShell. <br/><br/> `Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>
-|Carol Olson <br/> |Microsoft 365 retention policy in the Security & Compliance Center applied to specific mailboxes <br/> |The *InPlaceHolds* property contains the GUID of the Microsoft 365 retention policy that's applied to the inactive mailbox. You can tell this is a retention policy that applied to specific mailboxes because the GUID starts with the `mbx` prefix. If the GUID of the retention policy applied to the inactive mailbox started with the `skp` prefix, it would indicate that the retention policy is applied to Skype for Business conversations. <br/><br/> To identity the Microsoft 365 retention policy that's applied to the inactive mailbox, run the following command in Security & Compliance Center PowerShell.<br/><br/> `Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name` <br/><br/>Be sure to remove the `mbx` or `skp` prefix when you run this command. <br/> |
-|Abraham McMahon <br/> |eDiscovery case hold in the Security & Compliance Center <br/> |The *InPlaceHolds* property contains the GUID of the eDiscovery case hold that's placed on the inactive mailbox. You can tell this is an eDiscovery case hold because the GUID starts with the `UniH` prefix. <br/> You can use the `Get-CaseHoldPolicy` cmdlet in Security & Compliance Center PowerShell to get information about the eDiscovery case that the hold on the inactive mailbox is associated with. For example, you can run the command `Get-CaseHoldPolicy <hold GUID without prefix> | FL Name` to display the name of the case hold that's on the inactive mailbox. Be sure to remove the `UniH` prefix when you run this command. <br/><br/> To identity the eDiscovery case that the hold on the inactive mailbox is associated with, run the following commands. <br/><br/> `$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>`<br/><br/> `Get-ComplianceCase $CaseHold.CaseId | FL Name`<br/><br/><br/> **Note:** We don't recommend using eDiscovery holds for inactive mailboxes. That's because eDiscovery cases are intended for specific, time-bound cases related to a legal issue. At some point, a legal case will probably end and the holds associated with the case will be removed and the eDiscovery case will be closed (or deleted). In fact, if a hold that's placed on an inactive mailbox is associated with an eDiscovery case, and the hold is released or the eDiscovery case is closed or deleted, the inactive mailbox will be permanently deleted.
+|Mario Necaise <br/> |Organization-wide Microsoft 365 retention policy in the Microsoft 365 compliance center <br/> |The *InPlaceHolds* property is empty. This indicates that one or more organization-wide or (Exchange-wide) Microsoft 365 retention policy is applied to the inactive mailbox. In this case, you can run the `Get-OrganizationConfig | Select-Object -ExpandProperty InPlaceHolds` command in Exchange Online PowerShell to get a list of the GUIDs for organization-wide Microsoft 365 retention policies. The GUID for organization-wide retention policies that are applied to Exchange mailboxes start with the `mbx` prefix; for example, `mbxa3056bb15562480fadb46ce523ff7b02`. <br/> <br/>To identity the Microsoft 365 retention policy that's applied to the inactive mailbox, run the following command in Security & Compliance Center PowerShell. <br/><br/> `Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>
+|Carol Olson <br/> |Microsoft 365 retention policy in the Microsoft 365 compliance center applied to specific mailboxes <br/> |The *InPlaceHolds* property contains the GUID of the Microsoft 365 retention policy that's applied to the inactive mailbox. You can tell this is a retention policy that applied to specific mailboxes because the GUID starts with the `mbx` prefix. If the GUID of the retention policy applied to the inactive mailbox started with the `skp` prefix, it would indicate that the retention policy is applied to Skype for Business conversations. <br/><br/> To identity the Microsoft 365 retention policy that's applied to the inactive mailbox, run the following command in Security & Compliance Center PowerShell.<br/><br/> `Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name` <br/><br/>Be sure to remove the `mbx` or `skp` prefix when you run this command. <br/> |
+|Abraham McMahon <br/> |eDiscovery case hold in the Microsoft 365 compliance center <br/> |The *InPlaceHolds* property contains the GUID of the eDiscovery case hold that's placed on the inactive mailbox. You can tell this is an eDiscovery case hold because the GUID starts with the `UniH` prefix. <br/> You can use the `Get-CaseHoldPolicy` cmdlet in Security & Compliance Center PowerShell to get information about the eDiscovery case that the hold on the inactive mailbox is associated with. For example, you can run the command `Get-CaseHoldPolicy <hold GUID without prefix> | FL Name` to display the name of the case hold that's on the inactive mailbox. Be sure to remove the `UniH` prefix when you run this command. <br/><br/> To identity the eDiscovery case that the hold on the inactive mailbox is associated with, run the following commands. <br/><br/> `$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>`<br/><br/> `Get-ComplianceCase $CaseHold.CaseId | FL Name`<br/><br/><br/> **Note:** We don't recommend using eDiscovery holds for inactive mailboxes. That's because eDiscovery cases are intended for specific, time-bound cases related to a legal issue. At some point, a legal case will probably end and the holds associated with the case will be removed and the eDiscovery case will be closed (or deleted). In fact, if a hold that's placed on an inactive mailbox is associated with an eDiscovery case, and the hold is released or the eDiscovery case is closed or deleted, the inactive mailbox will be permanently deleted.
For more information about Microsoft 365 retention policies, see [Learn about retention policies and retention labels](retention.md).
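Review bot: "To identity" should be "To identify" in both added table rows: "To identity the Microsoft 365 retention policy that's applied to the inactive mailbox" (Carol Olson row) and "To identity the eDiscovery case that the hold on the inactive mailbox is associated with" (Abraham McMahon row). Since these rows are new in this change, fix the typo here rather than carrying it forward. In the Abraham McMahon row, the `<br/><br/><br/>` before **Note:** also has one `<br/>` more than the other cells use; two is enough.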
compliance Change The Size Of Pst Files When Exporting Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/change-the-size-of-pst-files-when-exporting-results.md
description: "You can change the default size of PST files that are downloaded t
When you use the eDiscovery Export tool to export the email results of an eDiscovery search from the different Microsoft eDiscovery tools, the default size of a PST file that can be exported is 10 GB. If you want to change this default size, you can edit the Windows Registry on the computer that you use to export the search results. One reason to do this is so a PST file can fit on removable media, such a DVD, a compact disc, or a USB drive. > [!NOTE]
-> The eDiscovery Export tool is used to export the search results when using the Content Search tool in the Security & Compliance Center, In-Place eDiscovery in Exchange Online, and the eDiscovery Center in SharePoint Online.
+> The eDiscovery Export tool is used to export the search results when using the Content search tool in the Microsoft 365 compliance center.
## Create a registry setting to change the size of PST files when you export eDiscovery search results
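Review bot: the context sentence directly above the edited note, "such a DVD, a compact disc, or a USB drive", is missing "as" ("such as a DVD"); since this paragraph is being touched, it is worth fixing in the same change.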
compliance Clone A Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/clone-a-content-search.md
Why clone Content Searches?
## Script information -- You have to be a member of the eDiscovery Manager role group in the Security & Compliance Center to run the script described in this topic.
+- You have to be a member of the eDiscovery Manager role group in the Microsoft 365 compliance center to run the script described in this topic.
- The script includes minimal error handling. The primary purpose of the script is to quickly clone a content search.
Why clone Content Searches?
The script in this step will create a new Content Search by cloning an existing one. When you run this script, you'll be prompted for the following information: -- **Your user credentials** - The script will use your credentials to connect to the Security & Compliance Center for your organization with Windows PowerShell. As previously stated, you have to be a member of the eDiscovery Manager role group in the Security & compCompliance Center to run the script.
+- **Your user credentials** - The script will use your credentials to connect to Security & Compliance Center PowerShell. As previously stated, you have to be a member of the eDiscovery Manager role group in the Security & compCompliance Center to run the script.
- **The name of the existing search** - This is the Content Search that you want to clone.
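Review bot: the added line still reads "in the Security & compCompliance Center", which is both a typo ("compCompliance") and inconsistent with the earlier hunk in this file that renamed the same reference to "Microsoft 365 compliance center". Suggest the second sentence read: "As previously stated, you have to be a member of the eDiscovery Manager role group in the Microsoft 365 compliance center to run the script."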
compliance Content Search Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/content-search-reference.md
You can use the **ItemClass** email property or the **Type** search condition to
## Searching inactive mailboxes
-You can search inactive mailboxes in a content search. To get a list of the inactive mailboxes in your organization, run the command `Get-Mailbox -InactiveMailboxOnly` in Exchange Online PowerShell. Alternatively, you can go to **Information governance** \> **Retention** in the Security & Compliance Center, and then click **More**![Navigation Bar ellipses](../media/9723029d-e5cd-4740-b5b1-2806e4f28208.gif) \> **Inactive mailboxes**.
+You can search inactive mailboxes in a content search. To get a list of the inactive mailboxes in your organization, run the command `Get-Mailbox -InactiveMailboxOnly` in Exchange Online PowerShell. Alternatively, you can go to **Information governance** \> **Retention** in the Microsoft 365 compliance center, and then click **More**![Navigation Bar ellipses](../media/9723029d-e5cd-4740-b5b1-2806e4f28208.gif) \> **Inactive mailboxes**.
Here are a few things to keep in mind when searching inactive mailboxes.
compliance Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/content-search.md
After you run a search, the number of content locations and an estimated number
## Create and run a search
-To access to the **Content search** page in the Microsoft 365 compliance center (to run searches and preview results and export results), an administrator, compliance officer, or eDiscovery manager must be a member of the eDiscovery Manager role group in Security & Compliance Center. For more information, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
+To access to the **Content search** page in the Microsoft 365 compliance center (to run searches and preview results and export results), an administrator, compliance officer, or eDiscovery manager must be a member of the eDiscovery Manager role group in the Microsoft 365 compliance center. For more information, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
1. Go to <https://compliance.microsoft.com> and sign in using the credentials of an account that's been assigned the appropriate permissions.
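Review bot: the added line keeps the grammatical slip "To access to the **Content search** page"; drop the second "to" ("To access the **Content search** page"). With the rename, the sentence now also says "in the Microsoft 365 compliance center" twice; the second mention ("a member of the eDiscovery Manager role group in the Microsoft 365 compliance center") can stand, but consider shortening the first to avoid the repetition.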
compliance Create A Report On Holds In Ediscovery Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-report-on-holds-in-ediscovery-cases.md
See the [More information](#more-information) section for a detailed description
- The sample scripts provided in this topic aren't supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
-## Step 1: Connect to the Security & Compliance Center PowerShell
+## Step 1: Connect to Security & Compliance Center PowerShell
The first step is to connect to Security & Compliance Center PowerShell for your organization. For step-by-step instructions, see [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
compliance Create Activity Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-activity-alerts.md
search.appverid:
- MET150 ms.assetid: 72bbad69-035b-4d33-b8f4-549a2743e97d
-description: Add and manage activity alerts in the Security & Compliance Center so that Microsoft 365 will send you email notifications when users perform specific activities
+description: Add and manage activity alerts in the Microsoft 365 compliance center so that Microsoft 365 will send you email notifications when users perform specific activities
# Create activity alerts
You can create an activity alert that will send you an email notification when u
## Confirm roles and configure audit logging -- You must be assigned the Organization Configuration role in the Security & Compliance Center to manage activity alerts. By default, this role is assigned to the Compliance Administrator and Organization Management role groups. For more information about adding members to role groups, see [Give users access to the Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
+- You must be assigned the Organization Configuration role in the Microsoft 365 compliance center to manage activity alerts. By default, this role is assigned to the Compliance Administrator and Organization Management role groups. For more information about adding members to role groups, see [Give users access to the Microsoft 365 compliance center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
-- You (or another admin) must first turn on audit logging for your organization before you can start using activity alerts. To do this, just click **Start recording user and admin activity** on the **Activity alerts** page. (If you don't see this link, auditing has already been turned on for your organization.) You can also turn on auditing on the **Audit log search** page in the Security & Compliance Center (go to **Search** \> **Audit log search**). You only have to do this once for your organization.
+- You (or another admin) must first turn on audit logging for your organization before you can start using activity alerts. To do this, just click **Start recording user and admin activity** on the **Activity alerts** page. (If you don't see this link, auditing has already been turned on for your organization.) You can also turn on auditing on the **Audit log search** page in the Microsoft 365 compliance center (go to **Audit**). You only have to do this once for your organization.
- You can create alerts for the same activities that you can search for in the audit log. See the [More information](#more-information) section for a list of common scenarios (and the specific activity to monitor) that you can create alerts for. -- You can use the **Activity alerts** page in the Security & Compliance Center to create alerts only for activity performed by users who are listed in your organization's address book. You can't use this page to create alerts for activities performed by external users who aren't listed in the address book.
+- You can use the **Activity alerts** page in the Microsoft 365 compliance center to create alerts only for activity performed by users who are listed in your organization's address book. You can't use this page to create alerts for activities performed by external users who aren't listed in the address book.
## Create an activity alert
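Review bot: in the audit-logging bullet, the page name and the navigation path no longer agree: the sentence still says "on the **Audit log search** page" while the parenthetical was changed from "(go to **Search** \> **Audit log search**)" to "(go to **Audit**)". If the navigation node is now **Audit**, update the page name in the same sentence to match, so readers are not sent to a page by one name via a link by another.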
To turn an activity alert back on, just repeat these steps and click the **Off**
## More information -- Here's an example of the email notification that is sent to the users that are specified in the Sent this alert to field (and listed under **Recipients** on the **Activity alerts** page) in the Security & Compliance Center.
+- Here's an example of the email notification that is sent to the users that are specified in the Sent this alert to field (and listed under **Recipients** on the **Activity alerts** page) in the Microsoft 365 compliance center.
![Example of an email notification sent for an activity alert](../media/a5f91611-fae6-4fe9-82f5-58521a2e2541.png)
compliance Create And Manage Inactive Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-and-manage-inactive-mailboxes.md
Get-Mailbox -InactiveMailboxOnly | Select Displayname,PrimarySMTPAddress,Disting
## Search and export the contents of an inactive mailbox
-You can access the contents of the inactive mailbox by using the Content Search tool in the Security & Compliance Center. When you search an inactive mailbox, you can create a keyword search query to search for specific items or you can return the entire contents of the inactive mailbox. You can preview the search results or export the search results to an Outlook Data (PST) file or as individual email messages. For step-by-step procedures for searching mailboxes and exporting search results, see the following topics:
+You can access the contents of the inactive mailbox by using the Content Search tool in the Microsoft 365 compliance center. When you search an inactive mailbox, you can create a keyword search query to search for specific items or you can return the entire contents of the inactive mailbox. You can preview the search results or export the search results to an Outlook Data (PST) file or as individual email messages. For step-by-step procedures for searching mailboxes and exporting search results, see the following topics:
- [Content search](content-search.md)
compliance Create Ediscovery Holds https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-ediscovery-holds.md
To create an eDiscovery hold that's associated with a Core eDiscovery case:
1. **Exchange mailboxes**: Set the toggle to **On** and then click **Choose users, groups, or teams** to specify the mailboxes to place on hold. Use the search box to find user mailboxes and distribution groups (to place a hold on the mailboxes of group members) to place on hold. You can also place a hold on the associated mailbox for a Microsoft Team, Office 365 Group, and Yammer Group. For more information about the application data that is preserved when a mailbox is placed on hold, see [Content stored in mailboxes for eDiscovery](what-is-stored-in-exo-mailbox.md).
- 1. **SharePoint sites**: Set the toggle to **On** and then click **Choose sites** to specify SharePoint sites and OneDrive accounts to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for a Microsoft Team, Office 365 Group or a Yammer Group.
+ 2. **SharePoint sites**: Set the toggle to **On** and then click **Choose sites** to specify SharePoint sites and OneDrive accounts to place on hold. Type the URL for each site that you want to place on hold. You can also add the URL for the SharePoint site for a Microsoft Team, Office 365 Group or a Yammer Group.
- 1. **Exchange public folders**: Set the toggle to **On** to put all public folders in your Exchange Online organization on hold. You can't choose specific public folders to put on hold. Leave the toggle switch off if you don't want to put a hold on public folders.
+ 3. **Exchange public folders**: Set the toggle to **On** to put all public folders in your Exchange Online organization on hold. You can't choose specific public folders to put on hold. Leave the toggle switch off if you don't want to put a hold on public folders.
> [!NOTE] > You must add at least one content location to the hold. Otherwise, the eDiscovery hold statistics will show that no items are on hold.
compliance Create Hold Notification https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-hold-notification.md
The first step is to specify the appropriate details for legal hold notices or o
![Name Communication Page](../media/NameCommunication.PNG)
-1. In the Security & Compliance Center, go to **eDiscovery > Advanced eDiscovery** to display the list of cases in your organization.
+1. In the Microsoft 365 compliance center, go to **eDiscovery > Advanced** to display the list of cases in your organization.
2. Select a case, click the **Communications** tab, and then click **New communication**.
compliance Create Report On And Delete Multiple Content Searches https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-report-on-and-delete-multiple-content-searches.md
search.appverid:
- MOE150 - MET150 ms.assetid: 1d463dda-a3b5-4675-95d4-83db19c9c4a3
-description: "Learn how to automate Content Search tasks like creating searches and running reports via PowerShell scripts in the Security & Compliance Center in Office 365."
+description: "Learn how to automate Content Search tasks like creating searches and running reports using Security & Compliance Center PowerShell."
# Create, report on, and delete multiple Content Searches
- Quickly creating and reporting discovery searches is often an important step in eDiscovery and investigations when you're trying to learn about the underlying data, and the richness and quality of your searches. To help you do this, the Security & Compliance Center PowerShell offers a set of cmdlets to automate time-consuming Content Search tasks. These scripts provide a quick and easy way to create a number of searches, and then run reports of the estimated search results that can help you determine the quantity of data in question. You can also use the scripts to create different versions of searches to compare the results each one produces. These scripts can help you to quickly and efficiently identify and cull your data.
+ Quickly creating and reporting discovery searches is often an important step in eDiscovery and investigations when you're trying to learn about the underlying data, and the richness and quality of your searches. To help you do this, Security & Compliance Center PowerShell offers a set of cmdlets to automate time-consuming Content Search tasks. These scripts provide a quick and easy way to create a number of searches, and then run reports of the estimated search results that can help you determine the quantity of data in question. You can also use the scripts to create different versions of searches to compare the results each one produces. These scripts can help you to quickly and efficiently identify and cull your data.
## Before you create a Content Search -- You have to be a member of the eDiscovery Manager role group in the Security & Compliance Center to run the scripts that are described in this topic.
+- You have to be a member of the eDiscovery Manager role group in the Microsoft 365 compliance center to run the scripts that are described in this topic.
- To collect a list of the URLs for the OneDrive for Business sites in your organization that you can add to the CSV file in Step 1, see [Create a list of all OneDrive locations in your organization](/onedrive/list-onedrive-urls).
compliance Create Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-sensitivity-labels.md
For example:
- Use the *LocaleSettings* parameter for multinational deployments so that users see the label name and tooltip in their local language. The [following section](#example-configuration-to-configure-a-sensitivity-label-for-different-languages) has an example configuration that specifies the label name and tooltip text for French, Italian, and German. -- For the Azure Information Protection unified labeling client only, specify [advanced settings](/azure/information-protection/rms-client/clientv2-admin-guide-customizations) that include setting a label color, and applying a custom property when a label is applied. For the full list, see [Available advanced settings for labels](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#available-advanced-settings-for-labels) from this client's admin guide.
+- The Azure Information Protection unified labeling client supports an extensive list of [advanced settings](/azure/information-protection/rms-client/clientv2-admin-guide-customizations) that include setting a label color, and applying a custom property when a label is applied. For the full list, see [Available advanced settings for labels](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#available-advanced-settings-for-labels) from this client's admin guide.
#### Example configuration to configure a sensitivity label for different languages
This button starts the **Create policy** wizard, which lets you edit which label
When you use built-in labeling for Office apps on Windows, macOS, iOS, and Android, users see new labels within four hours, and within one hour for Word, Excel, and PowerPoint on the web when you refresh the browser. However, allow up to 24 hours for changes to replicate to all apps and services.
-> [!NOTE]
-> Other apps and services that support sensitivity labels might update more frequently than 24 hours with their own update schedules and triggers for policy updates. Check their documentation for details. For example, for the Azure Information Protection unified labeling client, see the **Policy update** row in the [Detailed comparisons for the Azure Information Protection clients](/azure/information-protection/rms-client/use-client#detailed-comparisons-for-the-azure-information-protection-clients) table.
+Other apps and services that support sensitivity labels might update more frequently than 24 hours with their own update schedules and triggers for policy updates. Check their documentation for details. For example, for the Azure Information Protection unified labeling client, see the **Policy update** row in the [Detailed comparisons for the Azure Information Protection clients](/azure/information-protection/rms-client/use-client#detailed-comparisons-for-the-azure-information-protection-clients) table.
+
+> [!TIP]
+> Remember to factor in timing dependencies that can sometimes delay sensitivity labels and label policies from working as expected. For example, populating a new group and group membership changes, network replication latency and bandwidth restrictions, and [group membership caching by the Azure Information Protection service](/azure/information-protection/prepare#group-membership-caching-by-azure-information-protection) for labels that apply encryption.
+>
+> With many external dependencies that each have their own timing cycles, itΓÇÖs a good idea to wait 24 hours before you spend time troubleshooting labels and label policies for recent changes.
### Additional label policy settings with Security & Compliance Center PowerShell
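Review bot: the added TIP line contains a mis-encoded apostrophe, "itΓÇÖs" (a UTF-8 curly apostrophe read in a single-byte code page); replace it with a plain "it's" so the tip renders correctly and matches the straight apostrophes used elsewhere in this file.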
compliance Data Spillage Scenariosearch And Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-spillage-scenariosearch-and-purge.md
Here's a how to manage a data spillage incident:
- To create a case, you must be a member of the eDiscovery Manager role group or be a member of a custom role group that's assigned the Case Management role. If you're not a member, ask a Microsoft 365 administrator to [add you to the eDiscovery manager role group](assign-ediscovery-permissions.md). -- To create and run a Content Search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role. For information about adding users to a role group, see [Assign eDiscovery permissions in the Security & Compliance Center](./assign-ediscovery-permissions.md).
+- To create and run a Content Search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role. For information about adding users to a role group, see [Assign eDiscovery permissions](./assign-ediscovery-permissions.md).
- To search the audit log eDiscovery activities in Step 8, auditing must be turned on for your organization. You can search for activities that were performed within the last 90 days. To learn more about how to enable and use auditing, see the [Auditing the data spillage investigation process](#auditing-the-data-spillage-investigation-process) section in Step 8. ## (Optional) Step 1: Manage who can access the case and set compliance boundaries
-Depending on your organizational practice, you need to control who can access the eDiscovery case used to investigate a data spillage incident and set up compliance boundaries. The easiest way to do this is to add investigators as members of an existing role group in the Security & Compliance Center and then add the role group as a member of the eDiscovery case. For information about the built-in eDiscovery role groups and how to add members to an eDiscovery case, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
+Depending on your organizational practice, you need to control who can access the eDiscovery case used to investigate a data spillage incident and set up compliance boundaries. The easiest way to do this is to add investigators as members of an existing role group in the Microsoft 365 compliance center and then add the role group as a member of the eDiscovery case. For information about the built-in eDiscovery role groups and how to add members to an eDiscovery case, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
You can also create a new role group that aligns with your organizational needs. For example, you might want a group of data spillage investigators in the organization to access and collaborate on all data spillage cases. You can do this by creating a "Data Spillage Investigator" role group, assigning the appropriate roles (Export, RMS Decrypt, Review, Preview, Compliance Search, and Case Management), adding the data spillage investigators to the role group, and then adding the role group as a member of the data spillage eDiscovery case. See [Set up compliance boundaries for eDiscovery investigations in Office 365](set-up-compliance-boundaries.md) for detailed instructions on how to do this.
Be sure to revert the mailbox to previous configurations after you verify that t
## Step 7: Permanently delete the spilled data
-Using the mailbox locations that you collected and prepared in Step 6 and the search query that was created and refined in Step 3 to find email messages that contain the spilled data, you can now permanently delete the spilled data. As previously explained, to delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role. For information about adding users to a role group, see [Assign eDiscovery permissions in the Security & Compliance Center](./assign-ediscovery-permissions.md).
+Using the mailbox locations that you collected and prepared in Step 6 and the search query that was created and refined in Step 3 to find email messages that contain the spilled data, you can now permanently delete the spilled data. As previously explained, to delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role. For information about adding users to a role group, see [Assign eDiscovery permissions](./assign-ediscovery-permissions.md).
To delete the spilled messages, see [Search for and delete email messages](search-for-and-delete-messages-in-your-organization.md).
compliance Delete Items In The Recoverable Items Folder Of Mailboxes On Hold https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/delete-items-in-the-recoverable-items-folder-of-mailboxes-on-hold.md
This article explains how admins can delete items from the Recoverable Items fol
## Before you delete items -- To create and run a Content Search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role. For information about adding users to a role group, see [Assign eDiscovery permissions in the Security & Compliance Center](./assign-ediscovery-permissions.md).
+- To create and run a Content Search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role. To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role. For information about adding users to a role group, see [Assign eDiscovery permissions](./assign-ediscovery-permissions.md).
- The procedure described in this article isn't supported for inactive mailboxes. That's because you can't reapply a hold (or retention policy) to an inactive mailbox after you remove it. When you remove a hold from an inactive mailbox, it's changed to a normal soft-deleted mailbox and will be permanently deleted from your organization after it's processed by the Managed Folder Assistant.
Run the following command in [Security & Compliance Center PowerShell](/powershe
Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name ```
-After you identify the retention policy, go to the **Information governance** > **Retention** page in the Security & Compliance Center, edit the retention policy that you identified in the previous step, and remove the mailbox from the list of recipients that are included in the retention policy.
+After you identify the retention policy, go to the **Information governance** > **Retention** page in the Microsoft 365 compliance center, edit the retention policy that you identified in the previous step, and remove the mailbox from the list of recipients that are included in the retention policy.
### Organization-wide retention policies
Organization-wide, Exchange-wide, and Teams-wide retention policies are applied
Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name ```
-After you identify the organization-wide retention policies, go to the **Information governance** > **Retention** page in the Security & Compliance Center, edit each organization-wide retention policy that you identified in the previous step, and add the mailbox to the list of excluded recipients. Doing this will remove the user's mailbox from the retention policy. It may take up to 24 hours to replicate the change.
+After you identify the organization-wide retention policies, go to the **Information governance** > **Retention** page in the Microsoft 365 compliance center, edit each organization-wide retention policy that you identified in the previous step, and add the mailbox to the list of excluded recipients. Doing this will remove the user's mailbox from the retention policy. It may take up to 24 hours to replicate the change.
### Retention labels
Perform the following steps (in the specified sequence) in Exchange Online Power
**Retention policies applied to specific mailboxes**
- Use the Security & Compliance Center to add the mailbox back to the retention policy. Go to the **Information governance** > **Retention** page in the Security & Compliance Center, edit the retention policy, and add the mailbox back to the list of recipients that the retention policy is applied to.
+ Use the Microsoft 365 compliance center to add the mailbox back to the retention policy. Go to the **Information governance** > **Retention** page in the compliance center, edit the retention policy, and add the mailbox back to the list of recipients that the retention policy is applied to.
**Organization-wide Retention policies**
- If you removed an organization-wide or Exchange-wide retention policy by excluding it from the policy, then use the Security & Compliance Center to remove the mailbox from the list of excluded users. Go to the **Information governance** > **Retention** page in the Security & Compliance Center, edit the organization-wide retention policy, and remove the mailbox from the list of excluded recipients. Doing this will reapply the retention policy to the user's mailbox.
+ If you removed an organization-wide or Exchange-wide retention policy by excluding it from the policy, then use the Microsoft 365 compliance center to remove the mailbox from the list of excluded users. Go to the **Information governance** > **Retention** page in the compliance center, edit the organization-wide retention policy, and remove the mailbox from the list of excluded recipients. Doing this will reapply the retention policy to the user's mailbox.
**eDiscovery case holds**
- Use the Security & Compliance Center to add the mailbox back the hold that's associated with an eDiscovery case. Go to the **eDiscovery** > **eDiscovery** page, open the case, and add the mailbox back to the hold.
+ Use the Microsoft 365 compliance center to add the mailbox back the hold that's associated with an eDiscovery case. Go to the **eDiscovery** > **Core** page, open the case, and add the mailbox back to the hold.
5. Run the following command to allow the Managed Folder Assistant to process the mailbox again. As previously stated, we recommend that you wait 24 hours after reapplying a hold or retention policy (and verifying that it's in place) before you re-enable the Managed Folder Assistant.
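Review bot: the rewritten eDiscovery case holds line keeps a pre-existing missing word: "add the mailbox back the hold that's associated with an eDiscovery case" should read "add the mailbox back to the hold that's associated with an eDiscovery case". Since the line is being rewritten anyway for the portal rename and the new **eDiscovery** > **Core** navigation path, fix the missing "to" in the same change rather than leaving it for a later pass.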
As previously explained, you have to remove all holds and retention policies fro
|:--|:--|:--| |Litigation Hold <br/> | `True` <br/> |The *LitigationHoldEnabled* property is set to `True`. <br/> | |In-Place Hold <br/> | `c0ba3ce811b6432a8751430937152491` <br/> |The *InPlaceHolds* property contains the GUID of the In-Place Hold that's placed on the mailbox. You can tell this is an In-Place Hold because the GUID doesn't start with a prefix. <br/> You can use the `Get-MailboxSearch -InPlaceHoldIdentity <hold GUID> | FL` command in Exchange Online PowerShell to get information about the In-Place Hold on the mailbox. <br/> |
-| Retention policies in the Security & Compliance Center applied to specific mailboxes <br/> | `mbxcdbbb86ce60342489bff371876e7f224` <br/> or <br/> `skp127d7cf1076947929bf136b7a2a8c36f` <br/> |When you run the **Get-Mailbox** cmdlet, the *InPlaceHolds* property also contains GUIDs of retention policies applied to the mailbox. You can identify retention policies because the GUID starts with the `mbx` prefix. If the GUID of the retention policy starts with the `skp` prefix, that indicates that the retention policy is applied to Skype for Business conversations. <br/> To identity the retention policy that's applied to the mailbox, run the following command in Security & Compliance Center PowerShell: <br/> <br/>`Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>Be sure to remove the `mbx` or `skp` prefix when you run this command. <br/> |
-|Organization-wide retention policies in the Security & Compliance Center <br/> |No value <br/> or <br/> `-mbxe9b52bf7ab3b46a286308ecb29624696` (indicates that the mailbox is excluded from an organization-wide policy) <br/> |Even if the *InPlaceHolds* property is empty when you run the **Get-Mailbox** cmdlet, there still might be one or more organization-wide retention policies applied to the mailbox. <br/> To verify this, you can run the `Get-OrganizationConfig | FL InPlaceHolds` command in Exchange Online PowerShell to get a list of the GUIDs for organization-wide retention policies. The GUID for organization-wide retention policies applied to Exchange mailboxes starts with the `mbx` prefix; for example, `mbxa3056bb15562480fadb46ce523ff7b02`. <br/> To identity the organization-wide retention policy that's applied to the mailbox, run the following command in Security & Compliance Center PowerShell: <br/><br/> `Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>If a mailbox is excluded from an organization-wide retention policy, the GUID for the retention policy is displayed in the *InPlaceHolds* property of the user's mailbox when you run the **Get-Mailbox** cmdlet; it's identified by the prefix `-mbx`; for example, `-mbxe9b52bf7ab3b46a286308ecb29624696` <br/> |
-|eDiscovery case hold in the Security & Compliance Center <br/> | `UniH7d895d48-7e23-4a8d-8346-533c3beac15d` <br/> |The *InPlaceHolds* property also contains the GUID of any hold associated with an eDiscovery case in the Security & Compliance Center that might be placed on the mailbox. You can tell this is an eDiscovery case hold because the GUID starts with the `UniH` prefix. <br/> You can use the `Get-CaseHoldPolicy` cmdlet in Security & Compliance Center PowerShell to get information about the eDiscovery case that the hold on the mailbox is associated with. For example, you can run the command `Get-CaseHoldPolicy <hold GUID without prefix> | FL Name` to display the name of the case hold that's on the mailbox. Be sure to remove the `UniH` prefix when you run this command. <br/><br/> To identity the eDiscovery case that the hold on the mailbox is associated with, run the following commands:<br/><br/>`$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>`<br/><br/>`Get-ComplianceCase $CaseHold.CaseId | FL Name`
+| Retention policies in the Microsoft 365 compliance center applied to specific mailboxes <br/> | `mbxcdbbb86ce60342489bff371876e7f224` <br/> or <br/> `skp127d7cf1076947929bf136b7a2a8c36f` <br/> |When you run the **Get-Mailbox** cmdlet, the *InPlaceHolds* property also contains GUIDs of retention policies applied to the mailbox. You can identify retention policies because the GUID starts with the `mbx` prefix. If the GUID of the retention policy starts with the `skp` prefix, that indicates that the retention policy is applied to Skype for Business conversations. <br/> To identity the retention policy that's applied to the mailbox, run the following command in Security & Compliance Center PowerShell: <br/> <br/>`Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>Be sure to remove the `mbx` or `skp` prefix when you run this command. <br/> |
+|Organization-wide retention policies in the Microsoft 365 compliance center <br/> |No value <br/> or <br/> `-mbxe9b52bf7ab3b46a286308ecb29624696` (indicates that the mailbox is excluded from an organization-wide policy) <br/> |Even if the *InPlaceHolds* property is empty when you run the **Get-Mailbox** cmdlet, there still might be one or more organization-wide retention policies applied to the mailbox. <br/> To verify this, you can run the `Get-OrganizationConfig | FL InPlaceHolds` command in Exchange Online PowerShell to get a list of the GUIDs for organization-wide retention policies. The GUID for organization-wide retention policies applied to Exchange mailboxes starts with the `mbx` prefix; for example, `mbxa3056bb15562480fadb46ce523ff7b02`. <br/> To identity the organization-wide retention policy that's applied to the mailbox, run the following command in Security & Compliance Center PowerShell: <br/><br/> `Get-RetentionCompliancePolicy <retention policy GUID without prefix> | FL Name`<br/><br/>If a mailbox is excluded from an organization-wide retention policy, the GUID for the retention policy is displayed in the *InPlaceHolds* property of the user's mailbox when you run the **Get-Mailbox** cmdlet; it's identified by the prefix `-mbx`; for example, `-mbxe9b52bf7ab3b46a286308ecb29624696` <br/> |
+|eDiscovery case hold in the Microsoft 365 compliance center <br/> | `UniH7d895d48-7e23-4a8d-8346-533c3beac15d` <br/> |The *InPlaceHolds* property also contains the GUID of any hold associated with an eDiscovery case in the Microsoft 365 compliance center that might be placed on the mailbox. You can tell this is an eDiscovery case hold because the GUID starts with the `UniH` prefix. <br/> You can use the `Get-CaseHoldPolicy` cmdlet in Security & Compliance Center PowerShell to get information about the eDiscovery case that the hold on the mailbox is associated with. For example, you can run the command `Get-CaseHoldPolicy <hold GUID without prefix> | FL Name` to display the name of the case hold that's on the mailbox. Be sure to remove the `UniH` prefix when you run this command. <br/><br/> To identity the eDiscovery case that the hold on the mailbox is associated with, run the following commands:<br/><br/>`$CaseHold = Get-CaseHoldPolicy <hold GUID without prefix>`<br/><br/>`Get-ComplianceCase $CaseHold.CaseId | FL Name`
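Review bot: all three rewritten table rows carry the typo "To identity" where "To identify" is meant ("To identity the retention policy that's applied to the mailbox", "To identity the organization-wide retention policy that's applied to the mailbox", "To identity the eDiscovery case that the hold on the mailbox is associated with"); correct it while these rows are being touched. The same rows still say "run the following command in Security & Compliance Center PowerShell" after the first column was renamed to the Microsoft 365 compliance center; if that is kept on purpose because it names the PowerShell environment rather than the portal, say so or use the PowerShell name consistently, otherwise it reads as a missed rename sitting next to the retitled column.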
compliance Detailed Properties In The Office 365 Audit Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log.md
# Detailed properties in the audit log
-When you export the results of an audit log search from the Security & Compliance Center, you have the option to download all the results that meet your search criteria. You do this by selecting **Export results** \> **Download all results** on the **Audit log search** page. For more information, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md).
+When you export the results of an audit log search from the Microsoft 365 compliance center, you have the option to download all the results that meet your search criteria. You do this by selecting **Export results** \> **Download all results** on the **Audit log search** page. For more information, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md).
When your export all results for an audit log search, the raw data from the unified audit log is copied to a comma-separated value (CSV) file that is downloaded to your local computer. This file contains additional information from each audit record in a column named **AuditData**. This column contains a multi-value property for multiple properties from the audit log record. Each of the **property: value** pairs in this multi-value property are separated by a comma.
The following table describes the properties that are included (depending on the
|Parameters|For Exchange admin activity, the name and value for all parameters that were used with the cmdlet that is identified in the Operation property.|Exchange (admin activity)| |RecordType|The type of operation indicated by the record. This property indicates the service or feature that the operation was triggered in. For a list of record types and their corresponding ENUM value (which is the value displayed in the **RecordType** property in an audit record), see [Audit log record type](/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype).| |ResultStatus|Indicates whether the action (specified in the **Operation** property) was successful or not. <br/> For Exchange admin activity, the value is either **True** (successful) or **False** (failed).|All <br/>|
-|SecurityComplianceCenterEventType|Indicates that the activity was a Security & Compliance Center event. All Security & Compliance Center activities will have a value of **0** for this property.|Security & Compliance Center|
+|SecurityComplianceCenterEventType|Indicates that the activity was a Microsoft 365 compliance center event. All compliance center activities will have a value of **0** for this property.|Security & Compliance Center|
|SharingType|The type of sharing permissions that was assigned to the user that the resource was shared with. This user is identified in the **UserSharedWith** property.|SharePoint| |Site|The GUID of the site where the file or folder accessed by the user is located.|SharePoint| |SiteUrl|The URL of the site where the file or folder accessed by the user is located.|SharePoint|
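Review bot: the rewritten `SecurityComplianceCenterEventType` row renames the portal in its description ("Indicates that the activity was a Microsoft 365 compliance center event") but leaves the Service column as `Security & Compliance Center`, so one row now uses both names. Either update the third column to match or leave both as they were. The property name itself still contains "SecurityComplianceCenter", so readers filtering the exported AuditData CSV by property name will keep seeing the old term; a short remark that the property name is unchanged would avoid confusion.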
compliance Disable Reports When You Export Content Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disable-reports-when-you-export-content-search-results.md
search.appverid:
ms.assetid: c9b0ff0c-282b-4a44-b43f-cfc5b96557f9 - seo-marvel-apr2020
-description: Edit the Windows Registry on your local computer to disable reports when you export the results of a Content Search from the Security & Compliance Center.
+description: Edit the Windows Registry on your local computer to disable reports when you export the results of a Content Search from the Microsoft 365 compliance center.
# Disable reports when you export Content Search results
-When you use the eDiscovery Export tool to export the results of a Content Search in the Security & Compliance Center, the tool automatically creates and exports two reports that contain additional information about the exported content. These reports are the Results.csv file and the Manifest.xml file (see the [Frequently asked questions about disabling export reports](#frequently-asked-questions-about-disabling-export-reports) section in this topic for detailed descriptions of these reports). Because these files can be very large, you can speed up the download time and save disk space by preventing these files from being exported. You can do this by changing the Windows Registry on the computer that you use to export the search results. If you want to include the reports at a later time, you can edit the registry setting.
+When you use the eDiscovery Export tool to export the results of a Content Search in the Microsoft 365 compliance center, the tool automatically creates and exports two reports that contain additional information about the exported content. These reports are the Results.csv file and the Manifest.xml file (see the [Frequently asked questions about disabling export reports](#frequently-asked-questions-about-disabling-export-reports) section in this topic for detailed descriptions of these reports). Because these files can be very large, you can speed up the download time and save disk space by preventing these files from being exported. You can do this by changing the Windows Registry on the computer that you use to export the search results. If you want to include the reports at a later time, you can edit the registry setting.
## Create registry settings to disable the export reports
compliance Ediscovery Decryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery-decryption.md
Documents encrypted with the previous settings can still be returned by an eDisc
You have to be assigned the RMS Decrypt role to preview, review, and export files encrypted with Microsoft encryption technologies. You also have to be assigned this role to review and query encrypted files that are added to a review set in Advanced eDiscovery.
-This role is assigned by default to the eDiscovery Manager role group on the **Permissions** page in the Office 365 Security & Compliance Center. For more information about the RMS Decrypt role, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md#rms-decrypt).
+This role is assigned by default to the eDiscovery Manager role group on the **Permissions** page in the Microsoft 365 compliance center. For more information about the RMS Decrypt role, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md#rms-decrypt).
compliance Enable Archive Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-archive-mailboxes.md
Title: "Enable archive mailboxes in the Security & Compliance Center"
+ Title: "Enable archive mailboxes in the Microsoft 365 compliance center"
f1.keywords: - NOCSH
Archiving in Microsoft 365 (also called *In-Place Archiving*) provides users wit
## Get the necessary permissions
-You have to be assigned the Mail Recipients role in Exchange Online to enable or disable archive mailboxes. By default, this role is assigned to the Recipient Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. If you don't see the **Archive** page in the Security & Compliance Center, ask your administrator to assign you the necessary permissions.
+You have to be assigned the Mail Recipients role in Exchange Online to enable or disable archive mailboxes. By default, this role is assigned to the Recipient Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. If you don't see the **Archive** page in the Microsoft 365 compliance center, ask your administrator to assign you the necessary permissions.
## Enable an archive mailbox
You have to be assigned the Mail Recipients role in Exchange Online to enable or
## Disable an archive mailbox
-You can also use the **Archive** page in the Security & Compliance Center to disable a user's archive mailbox. After you disable an archive mailbox, you can reconnect it to the user's primary mailbox within 30 days of disabling it. In this case, the original contents of the archive mailbox are restored. After 30 days, the contents of the original archive mailbox are permanently deleted and can't be recovered. So if you re-enable the archive more than 30 days after disabling it, a new archive mailbox is created.
+You can also use the **Archive** page in the Microsoft 365 compliance center to disable a user's archive mailbox. After you disable an archive mailbox, you can reconnect it to the user's primary mailbox within 30 days of disabling it. In this case, the original contents of the archive mailbox are restored. After 30 days, the contents of the original archive mailbox are permanently deleted and can't be recovered. So if you re-enable the archive more than 30 days after disabling it, a new archive mailbox is created.
The default archive policy assigned to users' mailboxes moves items to the archive mailbox two years after the date the item is delivered. If you disable a user's archive mailbox, no action will be taken on mailbox items and they will remain in the user's primary mailbox.
Get-Mailbox -Filter {ArchiveGuid -Ne "00000000-0000-0000-0000-000000000000" -AND
For a list of Outlook licenses that support In-Place Archiving, see [Outlook license requirements for Exchange features](https://support.microsoft.com/office/46b6b7c5-c3ca-43e5-8424-1e2807917c99). -- Archive mailboxes help you and your users to meet your organization's retention, eDiscovery, and hold requirements. For example, you can use your organization's Exchange retention policy to move mailbox content to users' archive mailbox. When you use the Content Search tool in the Security & Compliance Center to search a user's mailbox for specific content, the user's archive mailbox will also be searched. And, when you place a Litigation Hold or apply a retention policy to a user's mailbox, items in the archive mailbox are also retained.
+- Archive mailboxes help you and your users to meet your organization's retention, eDiscovery, and hold requirements. For example, you can use your organization's Exchange retention policy to move mailbox content to users' archive mailbox. When you use the Content search tool in the Microsoft 365 compliance center to search a user's mailbox for specific content, the user's archive mailbox will also be searched. And, when you place a Litigation Hold or apply a retention policy to a user's mailbox, items in the archive mailbox are also retained.
- After archive mailboxes are enabled, your organization can take advantage of the default Exchange retention policy (also called Messaging Records Management or MRM policy) that is automatically assigned to every mailbox. When an archive mailbox is enabled, the default Exchange retention policy automatically does the following:
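Review bot: this `+` line changes the feature name's casing to "Content search tool" while other hunks in this change keep "Content Search" (for example the description line "you can export the results of a Content Search from the Microsoft 365 compliance center" in disable-reports-when-you-export-content-search-results.md); pick one casing for the whole change. The substantive statements in the line, that the archive mailbox is included in a Content search of the user's mailbox and that Litigation Hold and retention policies also cover archive items, are unchanged and correct as written.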
compliance Enable Mailbox Auditing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-mailbox-auditing.md
Here are some benefits of mailbox auditing on by default:
> [!NOTE] > > - The important thing to remember about the release of mailbox auditing on by default is: you don't need to do anything to manage mailbox auditing. However, to learn more, customize mailbox auditing from the default settings, or turn it off altogether, this article can help you.
-> - By default, only mailbox audit events for E5 users are available in audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API. For more information, see the [More information](#more-information) section in this article.
+> - By default, only mailbox audit events for E5 users are available in audit log searches in the Microsoft 365 compliance center or via the Office 365 Management Activity API. For more information, see the [More information](#more-information) section in this article.
## Verify mailbox auditing on by default is turned on
The value **True** indicates that mailbox audit logging is bypassed for the user
## More information -- Although mailbox audit logging on by default is enabled for all organizations, only users with E5 licenses will return mailbox audit log events in [audit log searches in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md) or via the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference) **by default**.
+- Although mailbox audit logging on by default is enabled for all organizations, only users with E5 licenses will return mailbox audit log events in [audit log searches in the Microsoft 365 compliance center](search-the-audit-log-in-security-and-compliance.md) or via the [Office 365 Management Activity API](/office/office-365-management-api/office-365-management-activity-api-reference) **by default**.
To retrieve mailbox audit log entries for users without E5 licenses, you can:
- - Manually enable mailbox auditing on individual mailboxes (run the command, `Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true`). After you do this, you can use audit log searches in the Security & Compliance Center or via the Office 365 Management Activity API.
+ - Manually enable mailbox auditing on individual mailboxes (run the command, `Set-Mailbox -Identity <MailboxIdentity> -AuditEnabled $true`). After you do this, you can use audit log searches in the Microsoft 365 compliance center or via the Office 365 Management Activity API.
> [!NOTE] > If mailbox auditing already appears to be enabled on the mailbox, but your searches return no results, change the value of the _AuditEnabled_ parameter to `$false` and then back to `$true`.
compliance Enable Unlimited Archiving https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/enable-unlimited-archiving.md
You can use the Exchange Online auto-expanding archiving feature to enable unlim
- You have to be a global administrator in your organization or a member of the Organization Management role group in your Exchange Online organization to enable auto-expanding archiving for your entire organization or for specific users. Alternately, you have to be a member of a role group that's assigned the Mail Recipients role to enable auto-expanding archiving for specific users. -- A user's archive mailbox has to be enabled before you can enable auto-expanding archiving. A user must be assigned an Exchange Online Plan 2 license to enable the archive mailbox. If a user is assigned an Exchange Online Plan 1 license, you would have to assign them a separate Exchange Online Archiving license to enable their archive mailbox. See [Enable archive mailboxes in the Security & Compliance Center](enable-archive-mailboxes.md).
+- A user's archive mailbox has to be enabled before you can enable auto-expanding archiving. A user must be assigned an Exchange Online Plan 2 license to enable the archive mailbox. If a user is assigned an Exchange Online Plan 1 license, you would have to assign them a separate Exchange Online Archiving license to enable their archive mailbox. See [Enable archive mailboxes](enable-archive-mailboxes.md).
- You can also use PowerShell to enable archive mailboxes. See the [More information](#more-information) section for an example of the PowerShell command that you can use to enable archive mailboxes for all users in your organization.
You can use the Exchange Online auto-expanding archiving feature to enable unlim
- Auto-expanding archiving prevents you from recovering or restoring an [inactive mailbox](inactive-mailboxes-in-office-365.md#what-are-inactive-mailboxes). That means if you enable auto-expanding archiving for a mailbox and the mailbox is made inactive at a later date, you won't be able to [recover the inactive mailbox](recover-an-inactive-mailbox.md) (by converting it to an active mailbox) or [restore it](restore-an-inactive-mailbox.md) (by merging the contents to an existing mailbox). If auto-expanding archiving is enabled on an inactive mailbox, the only way to recover data is by using the Content search tool in the Microsoft 365 compliance center to export the data from the mailbox and import to another mailbox. For more information, see the "Inactive mailboxes and auto-expanding archives" section in [Overview of inactive mailboxes](inactive-mailboxes-in-office-365.md#inactive-mailboxes-and-auto-expanding-archives). -- You can't use the Exchange admin center or the Security & Compliance Center to enable auto-expanding archiving. You have to use Exchange Online PowerShell. To connect to your Exchange Online organization using remote PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+- You can't use the Exchange admin center or the Microsoft 365 compliance center to enable auto-expanding archiving. You have to use Exchange Online PowerShell. To connect to your Exchange Online organization using remote PowerShell, see [Connect to Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
## Enable auto-expanding archiving for your entire organization
compliance Export A Content Search Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-a-content-search-report.md
search.appverid:
- MBS150 - MET150 ms.assetid: 5c8c1db6-d8ac-4dbb-8a7a-f65d452169b9
-description: "Instead of exporting the actual results of a Content Search in the Security & Compliance Center in Office 365, you can export a search results report. The report contains a summary of the search results and a document with detailed information about each item that would be exported."
+description: "Instead of exporting the actual results of a Content Search in the Microsoft 365 compliance center, you can export a search results report. The report contains a summary of the search results and a document with detailed information about each item that would be exported."
When you export a report, the report files are downloaded to a folder on your lo
## Before you export a search report -- To export a search report, you have to be assigned the Compliance Search management role in Security & Compliance Center. This role is assigned by default to the built-in eDiscovery Manager and Organization Management role groups. For more information, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
+- To export a search report, you have to be assigned the Compliance Search management role in Microsoft 365 compliance center. This role is assigned by default to the built-in eDiscovery Manager and Organization Management role groups. For more information, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
- When you export a report, the data is temporarily stored in an Azure Storage location in the Microsoft cloud before it's downloaded to your local computer. Be sure that your organization can connect to the endpoint in Azure, which is **\*.blob.core.windows.net** (the wildcard represents a unique identifier for your export). The search results data is deleted from the Azure Storage location two weeks after it's created.
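Review bot: the `+` line drops the article: "you have to be assigned the Compliance Search management role in Microsoft 365 compliance center" should read "in the Microsoft 365 compliance center". The original "in Security & Compliance Center" read acceptably as a proper noun, but the new lowercase name needs the article, as the other rewritten lines in this change already use it ("from the Microsoft 365 compliance center" in the description above).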
compliance Export Search Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-search-results.md
Exporting the results of a Content search involves preparing the results, and th
## Before you export search results -- To export search results, you have to be assigned the Export management role in Security & Compliance Center. This role is assigned to the built-in eDiscovery Manager role group. It isn't assigned by default to the Organization Management role group. For more information, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
+- To export search results, you have to be assigned the Export management role in Microsoft 365 compliance center. This role is assigned to the built-in eDiscovery Manager role group. It isn't assigned by default to the Organization Management role group. For more information, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
- The computer you use to export the search results has to meet the following system requirements:
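Review bot: same missing article as in export-a-content-search-report.md: "you have to be assigned the Export management role in Microsoft 365 compliance center" should read "in the Microsoft 365 compliance center". The rest of the `+` line, including the point that the Export role is on the eDiscovery Manager role group but not assigned by default to Organization Management, is unchanged and worth keeping exactly as is.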
For information about limits when exporting content search results, see the "Exp
- If you're exporting mailbox items from a content search that returns all mailbox items in the search results (because no keywords where included in the search query), partially indexed items won't be copied to the PST file that contains the unindexed items. This is because all items, including any partially indexed items, are automatically included in the regular search results. This means that partially indexed items will be included in a PST file (or as individual messages) that contains the other, indexed items.
- If you export both the indexed and partially indexed items or if you export only the indexed items from a content search that returns all items, the same number of items will be downloaded. This happens even though the estimated search results for the content search (displayed in the search statistics in the Security & Compliance Center) will still include a separate estimate for the number of partially indexed items. For example, let's say that the estimate for a search that includes all items (no keywords in the search query) shows that 1,000 items were found and that 200 partially indexed items were also found. In this case, the 1,000 items include the partially indexed items because the search returns all items. In other words, there are 1,000 total items returned by the search, and not 1,200 items (as you might expect). If you export the results of this search and choose to export indexed and partially indexed items (or export only partially indexed items), then 1,000 items will be downloaded. Again, that's because partially indexed items are included with the regular (indexed) results when you use a blank search query to return all items. In this same example, if you choose to export only partially indexed items, then only the 200 unindexed items would be downloaded.
+ If you export both the indexed and partially indexed items or if you export only the indexed items from a content search that returns all items, the same number of items will be downloaded. This happens even though the estimated search results for the content search (displayed in the search statistics in the Microsoft 365 compliance center) will still include a separate estimate for the number of partially indexed items. For example, let's say that the estimate for a search that includes all items (no keywords in the search query) shows that 1,000 items were found and that 200 partially indexed items were also found. In this case, the 1,000 items include the partially indexed items because the search returns all items. In other words, there are 1,000 total items returned by the search, and not 1,200 items (as you might expect). If you export the results of this search and choose to export indexed and partially indexed items (or export only partially indexed items), then 1,000 items will be downloaded. Again, that's because partially indexed items are included with the regular (indexed) results when you use a blank search query to return all items. In this same example, if you choose to export only partially indexed items, then only the 200 unindexed items would be downloaded.
Also note that in the previous example (when you export indexed and partially indexed items or you export only indexed items), the **Export Summary** report included with the exported search results would list 1,000 items estimated items and 1,000 downloaded items for the same reasons as previously described.
compliance Export View Audit Log Records https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-view-audit-log-records.md
The next step is to use the JSON transform feature in the Power Query Editor in
## Use PowerShell to search and export audit log records
-Instead of using the audit log search tool in the Security & Compliance Center, you can use the [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) cmdlet in Exchange Online PowerShell to export the results of an audit log search to a CSV file. Then you can follow the same procedure described in Step 2 to format the audit log using the Power Query editor. One advantage of using the PowerShell cmdlet is that you can search for events from a specific service by using the *RecordType* parameter. Here are few examples of using PowerShell to export audit records to a CSV file so you can use the Power Query editor to transform the JSON object in the **AuditData** column as described in Step 2.
+Instead of using the audit log search tool in the Microsoft 365 compliance center, you can use the [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) cmdlet in Exchange Online PowerShell to export the results of an audit log search to a CSV file. Then you can follow the same procedure described in Step 2 to format the audit log using the Power Query editor. One advantage of using the PowerShell cmdlet is that you can search for events from a specific service by using the *RecordType* parameter. Here are few examples of using PowerShell to export audit records to a CSV file so you can use the Power Query editor to transform the JSON object in the **AuditData** column as described in Step 2.
In this example, run the following commands to return all records related to SharePoint sharing operations.
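Review bot: the `+` line carries over "Here are few examples" from the `-` line; since the hunk already rewrites this sentence, fix it to "Here are a few examples" in the same change. The rest of the rename (Security & Compliance Center to Microsoft 365 compliance center) is consistent with the other hunks on this page.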
Here are some tips and examples of exporting and viewing the audit log before an
- Filter the **RecordType** column to display only the records from a specific service or functional area. For example, to show events related to SharePoint sharing, you would select **14** (the enum value for records triggered by SharePoint sharing activities). For a list of the services that correspond to the enum values displayed in the **RecordType** column, see [Detailed properties in the audit log](detailed-properties-in-the-office-365-audit-log.md). -- Filter the **Operations** column to display the records for specific activities. For a list of most operations that correspond to a searchable activity in the audit log search tool in the Security & Compliance Center, see the "Audited activities" section in [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md#audited-activities).
+- Filter the **Operations** column to display the records for specific activities. For a list of most operations that correspond to a searchable activity in the audit log search tool in the Microsoft 365 compliance center, see the "Audited activities" section in [Search the audit log](search-the-audit-log-in-security-and-compliance.md#audited-activities).
compliance Filter Data When Importing Pst Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/filter-data-when-importing-pst-files.md
The following graphic shows the Intelligent Import process, and highlights the t
- [Use drive shipping to import PST files to Office 365](use-drive-shipping-to-import-pst-files-to-office-365.md) -- After you create an import job by using network upload, the status for the import job on the Import page in the Security & Compliance Center is set to **Analysis in progress**, which means that Microsoft 365 is analyzing the data in the PST files that you uploaded. Click **Refresh**![refresh](../media/165fb3ad-38a8-4dd9-9e76-296aefd96334.png) to update the status for the import job.
+- After you create an import job by using network upload, the status for the import job on the Import page in the Microsoft 365 compliance center is set to **Analysis in progress**, which means that Microsoft 365 is analyzing the data in the PST files that you uploaded. Click **Refresh**![refresh](../media/165fb3ad-38a8-4dd9-9e76-296aefd96334.png) to update the status for the import job.
- For drive shipping import jobs, the data will be analyzed by Microsoft 365 after Microsoft datacenter personnel receive your hard drive and upload the PST files to the Azure storage area for your organization.
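Review bot: "Click **Refresh**![refresh](...)" in the `+` line has no space between the bold label and the image, so the icon renders glued to the word; add a space ("**Refresh** ![refresh](...)") while the line is being touched.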
compliance Get Started Core Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-core-ediscovery.md
This article discusses the steps necessary to set up Core eDiscovery. This inclu
Licensing for Core eDiscovery requires the appropriate organization subscription and per-user licensing. -- **Organization subscription:** To access Core eDiscovery in the Microsoft 365 compliance center or the Office 365 Security & Compliance Center and use the hold and export features, your organization must have a Microsoft 365 E3 or Office 365 E3 subscription or higher.
+- **Organization subscription:** To access Core eDiscovery in the Microsoft 365 compliance center and use the hold and export features, your organization must have a Microsoft 365 E3 or Office 365 E3 subscription or higher.
- **Per-user licensing:** To place an eDiscovery hold on mailboxes and sites, a user must be assigned one of the following licenses, depending on your organization subscription:
For information about licensing:
## Step 2: Assign eDiscovery permissions
-To access Core eDiscovery or be added as a member of a Core eDiscovery case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Office 365 Security & Compliance Center. Members of this role group can create and manage Core eDiscovery cases. They can add and remove members, place an eDiscovery hold on users, create and edit searches, and export content from a Core eDiscovery case.
+To access Core eDiscovery or be added as a member of a Core eDiscovery case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Microsoft 365 compliance center. Members of this role group can create and manage Core eDiscovery cases. They can add and remove members, place an eDiscovery hold on users, create and edit searches, and export content from a Core eDiscovery case.
Complete the following steps to add users to the eDiscovery Manager role group:
compliance Get Started With Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-advanced-ediscovery.md
Licensing for Advanced eDiscovery requires the appropriate organization subscrip
## Step 2: Assign eDiscovery permissions
-To access Advanced eDiscovery or added as a member of an Advanced eDiscovery case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Security & Compliance Center. Members of this role group can create and manage Advanced eDiscovery cases. They can add and remove members, place custodians and content locations on hold, manage legal hold notifications, create and edit searches associated in a case, add search results to a review set, analyze data in a review set, and export and download from an Advanced eDiscovery case.
+To access Advanced eDiscovery or added as a member of an Advanced eDiscovery case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Microsoft 365 compliance center. Members of this role group can create and manage Advanced eDiscovery cases. They can add and remove members, place custodians and content locations on hold, manage legal hold notifications, create and edit searches associated in a case, add search results to a review set, analyze data in a review set, and export and download from an Advanced eDiscovery case.
Complete the following steps to add users to the eDiscovery Manager role group:
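Review bot: the `+` line keeps "To access Advanced eDiscovery or added as a member of an Advanced eDiscovery case", which is missing a verb; the Core eDiscovery hunk above already has the correct form "or be added as a member", so align this one with it.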
compliance Importing Pst Files To Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/importing-pst-files-to-office-365.md
search.appverid: MET150
ms.assetid: ba688e0a-0fcb-4bd7-8e57-2b669564ea84 - seo-marvel-apr2020
-description: Learn how to use the Import service in the Security & Compliance Center to bulk-import email data (PST files) to user mailboxes.
+description: Learn how to use the Import service in the Microsoft 365 compliance center to bulk-import email data (PST files) to user mailboxes.
# Overview of importing your organization's PST files
description: Learn how to use the Import service in the Security & Compliance Ce
> [!NOTE] > This article is for administrators. Are you trying to import PST files to your own mailbox? See [Import email, contacts, and calendar from an Outlook .pst file](https://go.microsoft.com/fwlink/p/?LinkID=785075).
-You can use the Import service in the Security & Compliance Center to quickly bulk-import PST files to Exchange Online mailboxes in your organization. There are two ways you can import PST files to Office 365:
+You can use the Import service in the Microsoft 365 compliance center to quickly bulk-import PST files to Exchange Online mailboxes in your organization. There are two ways you can import PST files to Office 365:
- **Network upload** ![Cloud upload](../media/54ab16ee-3822-4551-abef-3d926f4e1c01.png) - Upload the PST files over the network to a temporary Azure Storage location in the Microsoft cloud. Then you use the Office 365 Import service to import the PST data to mailboxes in your organization.
Here's an illustration and description of the complete PST import process. The i
![Workflow of PST import process](../media/76997b69-67d7-433a-a0ca-9389f85a36a1.png)
-1. **Download the PST import tools and key to private Azure Storage location** - The first step is to download the tool and access key used to upload the PST files or copy them to a hard drive. You obtain these from the **Import** page in the Security & Compliance Center. The key provides you (or Microsoft data center personnel in the case of drive shipping) with the necessary permissions to upload PST files to a private and secure Azure Storage location. This access key is unique to your organization and helps prevent unauthorized access to your PST files after they're uploaded to the Microsoft cloud. Importing PST files to Microsoft 365 doesn't require your organization to have a separate Azure subscription.
+1. **Download the PST import tools and key to private Azure Storage location** - The first step is to download the tool and access key used to upload the PST files or copy them to a hard drive. You obtain these from the **Import** page in the Microsoft 365 compliance center. The key provides you (or Microsoft data center personnel in the case of drive shipping) with the necessary permissions to upload PST files to a private and secure Azure Storage location. This access key is unique to your organization and helps prevent unauthorized access to your PST files after they're uploaded to the Microsoft cloud. Importing PST files to Microsoft 365 doesn't require your organization to have a separate Azure subscription.
2. **Upload or copy the PST files** - The next step depends on whether you're using network upload or drive shipping to import PST files. In both cases, you'll use the tool and secure storage key that you obtained in the previous step.
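Review bot: the `+` line states that the access key is what prevents unauthorized access to uploaded PST files, but gives no handling guidance. Because anyone holding the key can reach the private Azure Storage location, the step should tell admins to treat the key as a credential: share it only with the person running the upload or preparing the drive, and don't paste it into tickets, chat, or scripts checked into source control. One sentence after "helps prevent unauthorized access to your PST files" would cover it.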
Here's an illustration and description of the complete PST import process. The i
3. **Create a PST import mapping file** - After the PST files have been uploaded to the Azure Storage location or copied to a hard drive, the next step is to create a comma-separated value (CSV) file that specifies which user mailboxes the PST files will be imported to (and a PST file can be imported to a user's primary mailbox or their archive mailbox). [Download a copy of the PST Import mapping file](https://go.microsoft.com/fwlink/p/?LinkId=544717). The Office 365 Import service will use the information to import the PST files.
-4. **Create a PST import job** - The next step is to create a PST import job on the **Import PST files** page in the Security & Compliance Center and submit the PST import mapping file created in the previous step. For network upload (because the PST files have been uploaded to Azure) Microsoft 365 analyzes the data in the PST files and then gives you an opportunity to set filters that control what data actually gets imported to the mailboxes specified in the PST import mapping file.
+4. **Create a PST import job** - The next step is to create a PST import job on the **Import PST files** page in the Microsoft 365 compliance center and submit the PST import mapping file created in the previous step. For network upload (because the PST files have been uploaded to Azure) Microsoft 365 analyzes the data in the PST files and then gives you an opportunity to set filters that control what data actually gets imported to the mailboxes specified in the PST import mapping file.
For drive shipping, a few other things happen at this point in the process.
Here's an illustration and description of the complete PST import process. The i
5. **Filter the PST data that will be imported to mailboxes** - After the import job is created (and after the PST files from a drive shipping job are uploaded to the Azure Storage location) Microsoft 365 analyzes the data in the PST files (safely and securely) by identifying the age of the items and the different message types included in the PST files. When the analysis is completed and the data is ready to import, you have the option to import all the data contained in the PST files or you can trim the data that's imported by setting filters that control what data gets imported.
-6. **Start the PST import job** - After the import job is started, Microsoft 365 uses the information in the PST import mapping file to import the PSTs files from the he Azure Storage location to user mailboxes. Status information about the import job (including information about each PST file being imported) is displayed on the **Import PST files** page in the Security & Compliance Center. When the import job is finished, the status for the job is set to **Complete**.
+6. **Start the PST import job** - After the import job is started, Microsoft 365 uses the information in the PST import mapping file to import the PSTs files from the he Azure Storage location to user mailboxes. Status information about the import job (including information about each PST file being imported) is displayed on the **Import PST files** page in the Microsoft 365 compliance center. When the import job is finished, the status for the job is set to **Complete**.
## Why import email data to Microsoft 365?
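Review bot: the `+` line carries over two typos from the `-` line: "import the PSTs files from the he Azure Storage location" should be "import the PST files from the Azure Storage location". Since the hunk rewrites this line anyway, fix them here.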
Here's an illustration and description of the complete PST import process. The i
- Use [eDiscovery cases](./get-started-core-ediscovery.md) to manage your organization's legal investigations
- - Use [retention policies](retention.md) in the Security & Compliance Center to control how long mailbox content is retained, and then delete content after the retention period expires.
+ - Use [retention policies](retention.md) in the Microsoft 365 compliance center to control how long mailbox content is retained, and then delete content after the retention period expires.
- Use [Communication compliance policies](communication-compliance.md) to examine messages to make sure they are compliant with message standards and add a classification type.
Here are some frequently asked questions about using the Office 365 Import servi
You have to be assigned the Mailbox Import Export role in Exchange Online to import PST files to Microsoft 365 mailboxes. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group. Or you can create a new role group, assign the Mailbox Import Export role, and then add yourself or other users as a member. For more information, see the "Add a role to a role group" or the "Create a role group" sections in [Manage role groups in Exchange Online](/Exchange/permissions-exo/role-groups).
-Additionally, to create import jobs in the Security & Compliance Center, one of the following must be true:
+Additionally, to create import jobs in the Microsoft 365 compliance center, one of the following must be true:
- You have to be assigned the Mail Recipients role in Exchange Online. By default, this role is assigned to the Organization Management and Recipient Management roles groups.
Additionally, PST files from Outlook 2007 and later versions can be imported to
#### After I upload my PST files to the Azure Storage area, how long are they kept in Azure before they're deleted?
-When you use the network upload method to import PST files, you upload them to an Azure blob container named `ingestiondata`. If there are no import jobs in progress on the **Import PST files** page in the Security & Compliance Center), then all PST files in the `ingestiondata` container in Azure are deleted 30 days after the most recent import job was created in the Security & Compliance Center. That also means you have to create a new import job in the Security & Compliance Center (described in Step 5 in the network upload instructions) within 30 days of uploading PST files to Azure.
+When you use the network upload method to import PST files, you upload them to an Azure blob container named `ingestiondata`. If there are no import jobs in progress on the **Import PST files** page in the Microsoft 365 compliance center), then all PST files in the `ingestiondata` container in Azure are deleted 30 days after the most recent import job was created in the Microsoft 365 compliance center. That also means you have to create a new import job in the Microsoft 365 compliance center (described in Step 5 in the network upload instructions) within 30 days of uploading PST files to Azure.
-This also means that after PST files are deleted from the Azure Storage area, they're no longer displayed in the list of files for a completed import job in the Security & Compliance Center. Although an import job might still be listed on the **Import PST files** page in the Security & Compliance Center, the list of PST files might be empty when you view the details of older import jobs.
+This also means that after PST files are deleted from the Azure Storage area, they're no longer displayed in the list of files for a completed import job in the Microsoft 365 compliance center. Although an import job might still be listed on the **Import PST files** page in the Microsoft 365 compliance center, the list of PST files might be empty when you view the details of older import jobs.
#### How long does it take to import a PST file to a mailbox using network upload?
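Review bot: the first `+` line keeps a stray closing parenthesis from the `-` line: "If there are no import jobs in progress on the **Import PST files** page in the Microsoft 365 compliance center), then all PST files ..." has no matching opening parenthesis; drop the ")". The second `+` line is fine.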
No, you can't import PST files to public folders.
You have to be assigned the Mailbox Import Export role to import PST files to Microsoft 365 mailboxes. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group. Or you can create a new role group, assign the Mailbox Import Export role, and then add yourself or other users as a member. For more information, see the "Add a role to a role group" or the "Create a role group" sections in [Manage role groups in Exchange Online](/Exchange/permissions-exo/role-groups).
-Additionally, to create import jobs in the Security & Compliance Center, one of the following must be true:
+Additionally, to create import jobs in the Microsoft 365 compliance center, one of the following must be true:
- You have to be assigned the Mail Recipients role in Exchange Online. By default, this role is assigned to the Organization Management and Recipient Management roles groups.
If different PST files are imported to different target mailboxes, the import pr
#### After Microsoft uploads my PST files to Azure, how long are they kept in Azure before they're deleted?
-All PST files in the Azure Storage location for your organization (in blob container named `ingestiondata`), are deleted 30 days after the most recent import job was created on the **Import PST files** page in the Security & Compliance Center.
+All PST files in the Azure Storage location for your organization (in blob container named `ingestiondata`), are deleted 30 days after the most recent import job was created on the **Import PST files** page in the Microsoft 365 compliance center.
-This also means that after PST files are deleted from the Azure Storage area, they're no longer displayed in the list of files for a completed import job in the Security & Compliance Center. Although an import job might still be listed on the **Import PST files** page in the Security & Compliance Center, the list of PST files might be empty when you view the details of older import jobs.
+This also means that after PST files are deleted from the Azure Storage area, they're no longer displayed in the list of files for a completed import job in the Microsoft 365 compliance center. Although an import job might still be listed on the **Import PST files** page in the Microsoft 365 compliance center, the list of PST files might be empty when you view the details of older import jobs.
#### What version of the PST file format is supported for importing to Microsoft 365?
compliance Inactive Mailboxes In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/inactive-mailboxes-in-office-365.md
Your organization might need to retain former employees' email after they leave
When an employee leaves your organization (or goes on an extended leave of absence), you can remove their Microsoft 365 account. The employee's mailbox data is retained for 30 days after the account is removed. During this period, you can still recover the mailbox data by undeleting the account. After 30 days, the data is permanently removed.
-But if your organization needs to retain mailbox content for former employees, you can turn the mailbox into an inactive mailbox by placing the mailbox on Litigation Hold or applying a Microsoft 365 retention policy to the mailbox in the Security & Compliance Center and then removing the corresponding Microsoft 365 account. The contents of an inactive mailbox are retained for the duration of the Litigation Hold placed on the mailbox or the retention period of the retention policy applied to it before the mailbox was deleted. You can still recover the corresponding user account for a 30-day period. However, after 30 days, the inactive mailbox is retained in Microsoft 365 until the hold or retention policy is removed.
+But if your organization needs to retain mailbox content for former employees, you can turn the mailbox into an inactive mailbox by placing the mailbox on Litigation Hold or applying a Microsoft 365 retention policy to the mailbox in the Microsoft 365 compliance center and then removing the corresponding Microsoft 365 account. The contents of an inactive mailbox are retained for the duration of the Litigation Hold placed on the mailbox or the retention period of the retention policy applied to it before the mailbox was deleted. You can still recover the corresponding user account for a 30-day period. However, after 30 days, the inactive mailbox is retained in Microsoft 365 until the hold or retention policy is removed.
> [!IMPORTANT] > As we continue to invest in different ways to preserve mailbox content, we're announcing the retirement of In-Place Holds in the Exchange admin center. That means you should use Litigation Holds and Microsoft 365 retention policies to create an inactive mailbox. Starting July 1, 2020 you won't be able to create new In-Place Holds in Exchange Online. But you'll still be able to change the hold duration of an In-Place Hold placed on an inactive mailbox. However, starting October 1, 2020, you won't be able to change the hold duration. You'll only be able to delete an inactive mailbox by removing the In-Place Hold. Existing inactive mailboxes that are on In-Place Hold will still be preserved until the hold is removed. For more information about when In-Place Holds will be retired, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md).
You might consider creating a Microsoft 365 retention policy specifically for in
- It's a good way to identify inactive mailboxes because the retention policy will only be applied to inactive mailboxes. -- You are able to quickly identify the retention policy that's assigned to inactive mailboxes in your organization. This makes it easier to change the retention (or deletion) settings if necessary. It will also make it easier to permanently delete an inactive mailbox because you can remove it from the policy by using the Security & Compliance Center. Otherwise, you have to use Exchange Online PowerShell to remove a Litigation Hold from an inactive mailbox or use Security & Compliance Center PowerShell to exclude an inactive mailbox from an organization-wide Microsoft 365 retention policy.
+- You are able to quickly identify the retention policy that's assigned to inactive mailboxes in your organization. This makes it easier to change the retention (or deletion) settings if necessary. It will also make it easier to permanently delete an inactive mailbox because you can remove it from the policy by using the Microsoft 365 compliance center. Otherwise, you have to use Exchange Online PowerShell to remove a Litigation Hold from an inactive mailbox or use Security & Compliance Center PowerShell to exclude an inactive mailbox from an organization-wide Microsoft 365 retention policy.
- If you create a Microsoft 365 retention policy specifically for inactive mailboxes, you can add a maximum of 1,000 mailboxes to the policy. If you're a large organization, you might have to create more than one Microsoft 365 retention policy to use for inactive mailboxes.
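Review bot: the `+` line renames the compliance center but leaves "use Security & Compliance Center PowerShell to exclude an inactive mailbox"; that matches the PowerShell banner text kept in the partially-indexed-items script hunk later on this page, so it reads as the deliberate name of the PowerShell connection rather than a missed rename. If that is the intent, consider a parenthetical or link so readers don't take it as an inconsistency with the new product name.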
You might consider creating a Microsoft 365 retention policy specifically for in
## Inactive mailboxes and eDiscovery case holds
-If a hold that's associated with an eDiscovery case in the Security & Compliance Center is placed on a mailbox and then the mailbox or the user's account is deleted, the mailbox becomes an inactive mailbox. However, we don't recommend using eDiscovery case holds to make a mailbox inactive. That's because eDiscovery cases are intended for specific, time-bound cases related to a legal issue. At some point, a legal case will probably end and the holds associated with the case will be removed and the eDiscovery case will be closed. In fact, if a hold that's placed on an inactive mailbox is associated with an eDiscovery case, and then the hold is released or the eDiscovery case is closed (or deleted), the inactive mailbox will be permanently deleted. Also, you can't create a time-based eDiscovery hold. That's means that content in an inactive mailbox is retained forever or until the hold is removed and the inactive mailbox is deleted. Therefore, we recommend using a Litigation Hold or a retention policy for inactive mailboxes.
+If a hold that's associated with an eDiscovery case in Microsoft 365 compliance center is placed on a mailbox and then the mailbox or the user's account is deleted, the mailbox becomes an inactive mailbox. However, we don't recommend using eDiscovery case holds to make a mailbox inactive. That's because eDiscovery cases are intended for specific, time-bound cases related to a legal issue. At some point, a legal case will probably end and the holds associated with the case will be removed and the eDiscovery case will be closed. In fact, if a hold that's placed on an inactive mailbox is associated with an eDiscovery case, and then the hold is released or the eDiscovery case is closed (or deleted), the inactive mailbox will be permanently deleted. Also, you can't create a time-based eDiscovery hold. That's means that content in an inactive mailbox is retained forever or until the hold is removed and the inactive mailbox is deleted. Therefore, we recommend using a Litigation Hold or a retention policy for inactive mailboxes.
For more information about eDiscovery cases and holds, see [eDiscovery cases](./get-started-core-ediscovery.md).
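Review bot: the `+` line drops the article in "an eDiscovery case in Microsoft 365 compliance center" (every other hunk on this page uses "in the Microsoft 365 compliance center"), and it carries over "That's means that content in an inactive mailbox is retained forever" from the `-` line; change to "That means". Both are in the line being rewritten, so fix them in this change.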
compliance Increase The Recoverable Quota For Mailboxes On Hold https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/increase-the-recoverable-quota-for-mailboxes-on-hold.md
To help reduce the chance of exceeding this limit, the storage quota for the Rec
When the storage quota for the Recoverable Items folder in the primary mailbox of a mailbox on hold is close to reaching its limit, you can do the following things: -- **Enable the archive mailbox and turn on auto-expanding archiving.** You can enable an unlimited storage capacity for the Recoverable Items folder simply by enabling the archive mailbox and then turning on the auto-expanding archiving feature in Exchange Online. This results in 110 GB for the Recoverable Items folder in the primary mailbox and an unlimited amount of storage capacity for the Recoverable Items folder in the user's archive. See how: [Enable archive mailboxes in the Security & Compliance Center](enable-archive-mailboxes.md) and [Enable unlimited archiving in Office 365](enable-unlimited-archiving.md).
+- **Enable the archive mailbox and turn on auto-expanding archiving.** You can enable an unlimited storage capacity for the Recoverable Items folder simply by enabling the archive mailbox and then turning on the auto-expanding archiving feature in Exchange Online. This results in 110 GB for the Recoverable Items folder in the primary mailbox and an unlimited amount of storage capacity for the Recoverable Items folder in the user's archive. See how: [Enable archive mailboxes](enable-archive-mailboxes.md) and [Enable unlimited archiving](enable-unlimited-archiving.md).
> [!NOTE] > After you enable the archive for a mailbox that's close to exceeding the storage quota for the Recoverable Items folder, you might want to run the Managed Folder Assistant to manually trigger the assistant to process the mailbox so that expired items are moved to the Recoverable Items folder in the archive mailbox. See [Step 4](#optional-step-4-run-the-managed-folder-assistant-to-apply-the-new-retention-settings) for instructions. Note that other items in the user's mailbox might be moved to the new archive mailbox. Consider telling the user that this may happen after you enable the archive mailbox.
compliance Investigating Partially Indexed Items In Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/investigating-partially-indexed-items-in-ediscovery.md
The following steps show you how to run a PowerShell script that searches for al
```powershell write-host "**************************************************"
- write-host " Security & Compliance Center " -foregroundColor yellow -backgroundcolor darkgreen
+ write-host " Security & Compliance Center PowerShell " -foregroundColor yellow -backgroundcolor darkgreen
write-host " eDiscovery Partially Indexed Item Statistics " -foregroundColor yellow -backgroundcolor darkgreen write-host "**************************************************" " "
compliance Legacy Ediscovery Retirement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/legacy-ediscovery-retirement.md
As a result of this new and improved eDiscovery functionality in the Microsoft 3
- [GetHoldOnMailboxes](/exchange/client-developer/web-service-reference/getholdonmailboxes-operation) -- [Office 365 Advanced eDiscovery v1.0](./overview-ediscovery-20.md), which is the first version of Advanced eDiscovery that's accessed through a Core eDiscovery case in the Office 365 Security & Compliance Center. The retirement of Advanced eDiscovery v1.0 doesn't impact your ability to create and manage Core eDiscovery cases.
+- [Office 365 Advanced eDiscovery v1.0](./overview-ediscovery-20.md), which is the first version of Advanced eDiscovery that's accessed through a Core eDiscovery case in the Microsoft 365 compliance center. The retirement of Advanced eDiscovery v1.0 doesn't impact your ability to create and manage Core eDiscovery cases.
> [!NOTE] > The eDiscovery functionality being retired only applies to cloud-based versions of Microsoft 365 and Office 365. eDiscovery functionality in on-premises versions of Exchange and SharePoint will still be supported until further notice.
compliance Load Non Office 365 Data Into A Review Set https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/load-non-Office-365-data-into-a-review-set.md
Using the upload non-Microsoft 365 feature described in this article requires th
> [!NOTE] > As previously stated, you must use AzCopy v8.1 to successfully use the command that's provided on the **Upload files** page. If the supplied AzCopy command fails, please see [Troubleshoot AzCopy in Advanced eDiscovery](troubleshooting-azcopy.md).
-8. Go back to the Security & Compliance Center, and click **Next: Process files** in the wizard. This initiates processing, text extraction, and indexing of the non-Microsoft 365 files that were uploaded to the Azure Storage location.
+8. Go back to the Microsoft 365 compliance center, and click **Next: Process files** in the wizard. This initiates processing, text extraction, and indexing of the non-Microsoft 365 files that were uploaded to the Azure Storage location.
9. Track the progress of processing the files on the **Process files** page or on the **Jobs** tab by viewing a job named **Adding non-Microsoft 365 data to a review set**. After the job is finished, the new files will be available in the review set.
compliance Manage Legal Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/manage-legal-investigations.md
search.appverid:
ms.assetid: 2e5fbe9f-ee4d-4178-8ff8-4356bc1b168e - seo-marvel-apr2020
-description: "Use eDiscovery cases in the Security & Compliance Center in Office 365 to manage your organization's legal investigation."
+description: "Use eDiscovery cases in the Microsoft 365 compliance center to manage your organization's legal investigation."
# Manage legal investigations in Microsoft 365
compliance Migrate Legacy Ediscovery Searches And Holds https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/migrate-legacy-eDiscovery-searches-and-holds.md
To help customers take advantage of the new and improved functionality, this art
## Before you begin -- You have to be a member of the eDiscovery Manager role group in the Security & Compliance Center to run the PowerShell commands described in this article. You also have to be a member of the Discovery Management role group in the Exchange admin center.
+- You have to be a member of the eDiscovery Manager role group in the Microsoft 365 compliance center to run the PowerShell commands described in this article. You also have to be a member of the Discovery Management role group in the Exchange admin center.
- This article provides guidance on how to create an eDiscovery hold. The hold policy will be applied to mailboxes through an asynchronous process. When creating an eDiscovery hold, you must create both a CaseHoldPolicy and CaseHoldRule, otherwise the hold will not be created and content locations will not be placed on hold.
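Review bot: The `+` bullet renames the portal but still says "the PowerShell commands described in this article" without naming the session; elsewhere in this change set the module is still called "Security & Compliance Center PowerShell" (for example in the permissions filtering article), so name it here too, or readers cannot tell which connection the eDiscovery Manager role-group requirement applies to. Separately, the second bullet's statement that creating a CaseHoldPolicy without a CaseHoldRule leaves content locations unheld is the line most likely to cause silent data loss in a legal matter; consider promoting it to an `> [!IMPORTANT]` callout rather than leaving it as a plain bullet.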
compliance Partially Indexed Items In Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/partially-indexed-items-in-content-search.md
Not every email message with a partially indexed file attachment or every partia
Similarly, messages with partially indexed file attachments and documents of a partially indexed file type are included in search results when other message or document properties, which are indexed and searchable, match the search criteria. Message properties that are indexed for search include sent and received dates, sender and recipient, the file name of an attachment, and text in the message body. Document properties indexed for search include created and modified dates. So even though a message attachment may be a partially indexed item, the message will be included in the regular search results if the value of other message or document properties matches the search criteria.
-For a list of email and document properties that you can search for by using the Search feature in the Security & Compliance Center, see [Keyword queries and search conditions for eDiscovery](keyword-queries-and-search-conditions.md).
+For a list of email and document properties that you can search for by using eDiscovery tools in the Microsoft 365 compliance center, see [Keyword queries and search conditions for eDiscovery](keyword-queries-and-search-conditions.md).
> [!NOTE] > If a mailbox item is moved from a folder that is indexed to a folder that is not indexed, a flag is set to unindex the item and the item is removed from the index and will not be searchable. Later, if that same item is moved back to a folder that is indexed, the flag is not reset. That means the item will remain unindexed, and not searchable.
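Review bot: The `> [!NOTE]` describes an item that stays permanently unindexed after being moved out of and back into an indexed folder, but the article does not say whether such items are counted among partially indexed items in search statistics or how an investigator would locate them; since this article is about partially indexed items, add one sentence stating how those items surface (or that they do not), otherwise the `+` line's pointer to the keyword-queries page gives the reader no way to act on the warning.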
compliance Permissions Filtering For Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/permissions-filtering-for-content-search.md
You can use search permissions filtering to let an eDiscovery manager search onl
You can also use search permissions filtering to create logical boundaries (called *compliance boundaries*) within an organization that control the user content locations (such as mailboxes, SharePoint sites, and OneDrive accounts) that specific eDiscovery managers can search. For more information, see [Set up compliance boundaries for eDiscovery investigations in Office 365](tagging-and-assessment-in-advanced-ediscovery.md).
-Search permissions filtering is supported by the Content search feature in the Security & Compliance Center. These four cmdlets let you configure and manage search permissions filters:
+Search permissions filtering is supported by the Content search feature in the Microsoft 365 compliance center. These four cmdlets let you configure and manage search permissions filters:
[New-ComplianceSecurityFilter](#new-compliancesecurityfilter)
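Review bot: The link "Set up compliance boundaries for eDiscovery investigations in Office 365" in the context line above the `-`/`+` pair targets `tagging-and-assessment-in-advanced-ediscovery.md`, whose file name describes a different topic (tagging and assessment); verify the target, since compliance boundaries are the access-control feature this article builds on and a wrong link sends admins to the wrong setup instructions. While touching this paragraph, the link text still says "Office 365" where the `+` line now says "Microsoft 365 compliance center".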
Search permissions filtering is supported by the Content search feature in the S
## Requirements to configure permissions filtering -- To run the compliance security filter cmdlets, you have to be a member of the Organization Management role group in the Security & Compliance Center. For more information, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
+- To run the compliance security filter cmdlets, you have to be a member of the Organization Management role group in the Microsoft 365 compliance center. For more information, see [Permissions in the Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).
- You have to connect to both Exchange Online and Security & Compliance Center PowerShell to use the compliance security filter cmdlets. This is necessary because these cmdlets require access to mailbox properties, which is why you have to connect to Exchange Online PowerShell. See the steps in the next section.
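Review bot: The `+` bullet renames the portal to "Microsoft 365 compliance center" but the link text on the same line still reads "Permissions in the Security & Compliance Center", so the sentence now names two portals for one thing; update the link text in the same change. The next bullet's "Security & Compliance Center PowerShell" is the module name and should stay as is, which is worth a short parenthetical so reviewers do not "fix" it in a later rename pass.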
Before you can successfully run the script in this section, you have to download
.\ConnectEXO-SCC.ps1 ```
-How do you know if this worked? After you run the script, cmdlets from Exchange Online and Security & Compliance PowerShell are imported to your local Windows PowerShell session. If you don't receive any errors, you connected successfully. A quick test is to run an Exchange Online and Security & Compliance Center cmdlet. For example, you can run and **Get-Mailbox** and **Get-ComplianceSearch**.
+How do you know if this worked? After you run the script, cmdlets from Exchange Online and Security & Compliance PowerShell are imported to your local Windows PowerShell session. If you don't receive any errors, you connected successfully. A quick test is to run Exchange Online and Security & Compliance Center PowerShell cmdlets. For example, you can run and **Get-Mailbox** and **Get-ComplianceSearch**.
For troubleshooting PowerShell connection errors, see:
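Review bot: The `+` line carries over the stray "run and **Get-Mailbox**" from the `-` line; it should read "run **Get-Mailbox** and **Get-ComplianceSearch**". The same line also refers to "Security & Compliance PowerShell" and "Security & Compliance Center PowerShell" as if they were two things; use one name.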
The **New-ComplianceSecurityFilter** is used to create a search permissions filt
| _Action_ <br/> | The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> | | _FilterName_ <br/> |The _FilterName_ parameter specifies the name of the permissions filter. This name is used to identity a filter when using the **Get-ComplianceSecurityFilter**, **Set-ComplianceSecurityFilter,** and **Remove-ComplianceSecurityFilter** cmdlets. <br/> | | _Filters_ <br/> | The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create three different types of filters: <br/><br/> **Mailbox or OneDrive filtering:** This type of filter specifies the mailboxes and OneDrive accounts the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes and OneDrive accounts that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes and OneDrive accounts that have the value "OttawaUsers" in the CustomAttribute10 property. <br/> Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/> **Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. 
The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName: value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content search. For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. <br/> For a list of searchable message properties, see [Keyword queries and search conditions for Content search](keyword-queries-and-search-conditions.md). <br/> <br/> **Important:** A single search filter can't contain a mailbox filter and a mailbox content filter. To combine these in a single filter, you have to use a [filters list](#using-a-filters-list-to-combine-filter-types). But a filter can contain a more complex query of the same type. For example, `"Mailbox_CustomAttribute10 -eq 'FTE' -and Mailbox_MemberOfGroup -eq '$($DG.DistinguishedName)'"` <br/><br/> **Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/> - **Site_** _SearchableSiteProperty_ <br/> - **SiteContent_** _SearchableSiteProperty_ <br/><br/> These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` return the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.sharepoint.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.sharepoint.com/sites/doctors site collection. 
The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/> For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> **Important:** <br/><br/> - Setting up a site filter with one of the supported properties does not mean the site property in the filter will propagate to all files on that site. This means the user is still responsible for populating the specific property fields associated with the files on that site in order for the site filter to work and capture the right content. For example, if the user has a security filter "Site_RefineableString00 -eq 'abc'" applied and then the user runs a search using keyword query "xyz". The security filter gets appended to the query and the actual query running would be "xyz **AND RefineableString0:'abc'**". The user needs to ensure the files on the site indeed have values in the RefineableString00 field as abc. If not, this search query will not return any results. <br/><br/>- You have to create a search permissions filter to explicitly prevent users from searching content locations in a specific service (such as preventing a user from searching any Exchange mailbox or any SharePoint site). In other words, creating a search permissions filter that allows a user to search all SharePoint sites in the organization doesn't prevent that user from searching mailboxes. For example, to allow SharePoint admins to only search SharePoint sites, you have to create a filter that prevents them from searching mailboxes. Similarly, to allow Exchange admins to only search mailboxes, you have to create a filter that prevents them from searching sites. |
-| _Users_ <br/> |The _Users_ parameter specifies the users who get this filter applied to their Content searches. Identify users by their alias or primary SMTP address. You can specify multiple values separated by commas, or you can assign the filter to all users by using the value **All**. <br/> You can also use the _Users_ parameter to specify a Security & Compliance Center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/> You can't specify distribution groups with this parameter. <br/> |
+| _Users_ <br/> |The _Users_ parameter specifies the users who get this filter applied to their Content searches. Identify users by their alias or primary SMTP address. You can specify multiple values separated by commas, or you can assign the filter to all users by using the value **All**. <br/> You can also use the _Users_ parameter to specify a Microsoft 365 compliance center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/> You can't specify distribution groups with this parameter. <br/> |
### Using a filters list to combine filter types
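Review bot: The site filter worked example in the `Filters` row is internally inconsistent: the filter is written as `"Site_RefineableString00 -eq 'abc'"` but the appended query is shown as `RefineableString0:'abc'`, and the sentence then says "values in the RefineableString00 field", so a reader cannot tell which managed property name is correct; use one name throughout. Two smaller fixes in the same rows: "(such as document types." is missing its closing parenthesis, and the `Users` row (both `-` and `+`) refers to "the _Filter_ parameter" where the cmdlet parameter documented above is `_Filters_`; "used to identity a filter" in the `FilterName` row should be "identify".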
The **Set-ComplianceSecurityFilter** is used to modify an existing search permis
| _Action_| The _Action_ parameter specifies that type of search action that the filter is applied to. The possible Content search actions are: <br/><br/> **Export:** The filter is applied when exporting search results. <br/> **Preview:** The filter is applied when previewing search results. <br/> **Purge:** The filter is applied when purging search results. <br/> **Search:** The filter is applied when running a search. <br/> **All:** The filter is applied to all search actions. <br/> | | _FilterName_|The _FilterName_ parameter specifies the name of the permissions filter. | | _Filters_| The _Filters_ parameter specifies the search criteria for the compliance security filter. You can create two different types of filters: <br/><br/>**Mailbox and OneDrive filtering:** This type of filter specifies the mailboxes and OneDrive accounts the assigned users (specified by the _Users_ parameter) can search. The syntax for this type of filter is **Mailbox_** _MailboxPropertyName_, where _MailboxPropertyName_ specifies a mailbox property used to scope the mailboxes that can be searched. For example, the mailbox filter `"Mailbox_CustomAttribute10 -eq 'OttawaUsers'"` would allow the user assigned this filter to search only the mailboxes that have the value "OttawaUsers" in the CustomAttribute10 property. Any supported filterable recipient property can be used for the _MailboxPropertyName_ property. For a list of supported properties, see [Filterable properties for the -RecipientFilter parameter](/powershell/exchange/recipientfilter-properties). <br/><br/>**Mailbox content filtering:** This type of filter is applied on the content that can be searched. It specifies the mailbox content the assigned users can search for. The syntax for this type of filter is **MailboxContent_** _SearchablePropertyName:value_, where _SearchablePropertyName_ specifies a Keyword Query Language (KQL) property that can be specified in a Content search. 
For example, the mailbox content filter `MailboxContent_recipients:contoso.com` would allow the user assigned this filter to only search for messages sent to recipients in the contoso.com domain. For a list of searchable message properties, see [Keyword queries for Content search](keyword-queries-and-search-conditions.md). <br/><br/>**Site and site content filtering:** There are two SharePoint and OneDrive for Business site-related filters that you can use to specify what site or site content the assigned users can search: <br/><br/>- **Site_** *SearchableSiteProperty* <br/>- **SiteContent**_*SearchableSiteProperty*<br/><br/>These two filters are interchangeable. For example, `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` and `"SiteContent_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` returns the same results. But to help you identify what a filter does, you can use `Site_` to specify site-related properties (such as a site URL) and `SiteContent_` to specify content-related properties (such as document types. For example, the filter `"Site_Path -like 'https://contoso.spoppe.com/sites/doctors*'"` would allow the user assigned this filter to only search for content in the https://contoso.spoppe.com/sites/doctors site collection. The filter `"SiteContent_FileExtension -eq 'docx'"` would allow the user assigned this filter to only search for Word documents (Word 2007 and later). <br/><br/>For a list of searchable site properties, see [Overview of crawled and managed properties in SharePoint](/SharePoint/technical-reference/crawled-and-managed-properties-overview). Properties marked with a **Yes** in the **Queryable** column can be used to create a site or site content filter. <br/><br/> |
-| _Users_|The _Users_ parameter specifies the users who get this filter applied to their Content searches. Because this is a multi-value property, specifying a user or group of users with this parameter overwrite the existing list of users. See the following examples for the syntax to add and remove selected users. <br/><br/>You can also use the _Users_ parameter to specify a Security & Compliance Center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/><br/>You can't specify distribution groups with this parameter. |
+| _Users_|The _Users_ parameter specifies the users who get this filter applied to their Content searches. Because this is a multi-value property, specifying a user or group of users with this parameter overwrite the existing list of users. See the following examples for the syntax to add and remove selected users. <br/><br/>You can also use the _Users_ parameter to specify a Microsoft 365 compliance center role group. This lets you create a custom role group and then assign that role group a search permissions filter. For example, let's say you have a custom role group for eDiscovery managers for the U.S. subsidiary of a multi-national corporation. You can use the _Users_ parameter to specify this role group (by using the Name property of the role group) and then use the _Filter_ parameter to allow only mailboxes in the U.S. to be searched. <br/><br/>You can't specify distribution groups with this parameter. |
## Examples of changing search permissions filters
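Review bot: The `+` line for the `Users` row keeps "specifying a user or group of users with this parameter overwrite the existing list of users" (should be "overwrites") and again says "the _Filter_ parameter" for what is the `_Filters_` parameter; since the `+` line is being rewritten anyway, fix both here. In the `Filters` row, the examples use `https://contoso.spoppe.com/sites/doctors*` while the **New-ComplianceSecurityFilter** table above uses `https://contoso.sharepoint.com/sites/doctors*`; spoppe.com is not a customer-facing domain, so align on sharepoint.com, and "return the same results" should be plural ("returns" -> "return").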
compliance Preserve Bcc And Expanded Distribution Group Recipients For Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/preserve-bcc-and-expanded-distribution-group-recipients-for-ediscovery.md
description: "In-Place Hold, Litigation Hold, and Microsoft 365 retention polici
# Preserve Bcc and expanded distribution group recipients for eDiscovery
-In-Place Hold, Litigation Hold, and [Microsoft 365 retention policies](./retention.md) (created in the Security & Compliance Center) allow you to preserve mailbox content to meet regulatory compliance and eDiscovery requirements. Information about recipients directly addressed in the To and Cc fields of a message is included in all messages by default. But your organization may require the ability to search for and reproduce details about all recipients of a message. This includes:
+Litigation holds, eDiscovery holds, and [Microsoft 365 retention policies](./retention.md) (created in the Microsoft 365 compliance center) allow you to preserve mailbox content to meet regulatory compliance and eDiscovery requirements. Information about recipients directly addressed in the To and Cc fields of a message is included in all messages by default. But your organization may require the ability to search for and reproduce details about all recipients of a message. This includes:
- **Recipients addressed using the Bcc field of a message:** Bcc recipients are stored in the message in the sender's mailbox, but not included in headers of the message delivered to recipients. - **Expanded distribution group recipients:** Recipients who receive the message because they're members of a distribution group to which the message was addressed, either in the To, Cc or Bcc fields.
-Exchange Online and Exchange Server 2013 (Cumulative Update 7 and later versions) retain information about Bcc and expanded distribution group recipients. You can search for this information by using an In-Place eDiscovery search in the Exchange admin center (EAC) or a Content Search in the Security & Compliance Center.
+Exchange Online and Exchange Server 2013 (Cumulative Update 7 and later versions) retain information about Bcc and expanded distribution group recipients. You can search for this information by using an eDiscovery tool in the Microsoft 365 compliance center.
## How Bcc recipients and expanded distribution group recipients are preserved
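Review bot: The `+` line drops "In-Place eDiscovery search in the Exchange admin center (EAC)" as a way to search Bcc and expanded distribution group recipients, but the same sentence still opens with "Exchange Online and Exchange Server 2013 (Cumulative Update 7 and later versions)"; an on-premises Exchange Server 2013 reader has no Microsoft 365 compliance center, so the change leaves that audience without a documented search path. Either keep the EAC option for on-premises or scope the sentence to Exchange Online. The `description:` metadata at the top of the file still says "In-Place Hold, Litigation Hold" while the rewritten body now says "Litigation holds, eDiscovery holds"; update it in the same change.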
compliance Privacy Management Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-permissions.md
Roles include:
## Privacy Management Administrators role group
-Members of this role group focus on configuration and administration tasks, and have broad access to privacy management functions, including creating, reading, updating, and deleting privacy management policies, subject rights requests, privacy management permissions, and privacy management settings.
+Members of this role group have broad access to privacy management functions, including creating, reading, updating, and deleting privacy management policies, subject rights requests, privacy management permissions, and privacy management settings.
Roles include:
Roles include:
### Privacy Management Investigators role group
-Members of this group act as privacy management data investigators. They can investigate policy matches, view the associated file content, and take remediation actions. This group can access files through the Content Explorer.
+Members of this group act as privacy management data investigators. They can investigate policy matches, view the associated file content, and take remediation actions. This group can access files through the Content Explorer.
Roles include:
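Review bot: The `-` and `+` lines for the Investigators description are textually identical, so this hunk is a whitespace-only change; confirm that is intended and not a lost edit. Also, "### Privacy Management Investigators role group" is one heading level below "## Privacy Management Administrators role group" although both are sibling role groups, which will nest the Investigators group under Administrators in the rendered table of contents; use `##` for both.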
compliance Privacy Management Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/privacy-management-setup.md
For detailed licensing guidance, see [Microsoft 365 licensing guidance for secur
## Set up privacy management
-To get started with privacy management, first get your trial license. Then you can sign in to privacy management, assign permissions for your users, and review settings.
+To get started with privacy management, first get your free trial license. Then you can sign in, assign permissions for your users, review settings, and start using privacy management's features.
-### Get trial license
+### Get free trial license
To get started with the public preview, your global admin can obtain the free privacy management trial license from the [admin center](https://aka.ms/purchasem365privacy). Select ΓÇ£Start trialΓÇ¥ to begin. Your license lasts for one month and you can renew it at no cost as needed during the public preview. After obtaining your subscription, allow up to 30 minutes for it to activate. Then return to privacy management in the compliance center to get started.
-### Accept privacy management terms
- When you first open privacy management, you will be asked to confirm that you agree to the terms and the personal data evaluation process ([learn more](privacy-management.md#where-privacy-management-identifies-personal-data)). You can review the provided links in full before proceeding. Once you agree, it may take up to 24 hours before privacy management starts providing insights about your organizationΓÇÖs data. If you donΓÇÖt hold the required role to obtain the subscription or consent to the terms of using privacy management, youΓÇÖll be prompted to contact your global admin for assistance.
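Review bot: Removing the "Accept privacy management terms" section drops two pieces of guidance that nothing in the surviving `+` lines replaces: that a user without the required role to obtain the subscription or consent to the terms is prompted to contact the global admin, and that consent to the personal data evaluation process (with its link to where personal data is identified) is required before insights appear. If first-run consent is still required, keep that step, or add a sentence under "Get free trial license" saying where consent is now collected; otherwise an admin following "return to privacy management in the compliance center to get started" will hit an undocumented prompt.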
To learn more about role groups and how to grant access, see [Set user permissio
### Manage settings
-The Settings page is accessible via the gear wheel in the upper right corner of privacy managementΓÇÖs main pages. It allows privacy management administrators to configure essential properties across privacy management.
+The Settings page is accessible via the gear wheel in the upper right corner of privacy managementΓÇÖs main pages. It allows privacy management administrators to configure essential properties across privacy management, like global settings for anonymization, email notifications, and more.
You may wish to review the default configuration and make any desired adjustments before you begin. To learn more about your options, see [Manage privacy management settings](privacy-management-settings.md).
-## Get initial data insights
+## Start visualizing your data
After signing into privacy management, youΓÇÖll arrive at the **Overview** page. This page provides insights about the personal data stored in your Microsoft 365 environment in order to help you quickly spot issues, identify risk indicators, and take action to fix issues. Your Overview should populate with initial insights within the first 24 hours of signing up. As you continue to use privacy management, the overview page will refresh to continue to provide current information.
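Review bot: Renaming the heading from "Get initial data insights" to "Start visualizing your data" changes its anchor from `#get-initial-data-insights`, so any inbound links to the old anchor (from other privacy management articles or the table of contents) will now land at the top of the page; search the doc set for the old anchor in the same change. The paragraph under it still says insights appear "within the first 24 hours of signing up", which is the only place that timing now survives after the consent section above was removed.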
For further insights into your data over time, your **Data profile** page will p
To learn more about these pages, see [Find and visualize your data](privacy-management-data-profile.md).
-## Get started with default policies
+## Start managing risks with default policies
+
+Privacy management will kickstart evaluating your data and help give you a look into key risk scenarios by creating three policies with default settings, using the templates for data minimization, data overexposure, and data transfers. These policies will be on by default, but will not automatically trigger notification mails or remediation prompts. After your initial setup, you can proceed to create and customize your own policies. To learn more, see [Create and manage policies](privacy-management-policies.md).
+
+## Get started with subject rights requests
-Privacy management will help kickstart your data evaluation process by creating three policies with default settings, using the templates for data minimization, data overexposure, and data transfers. These policies will be on by default, but will not automatically trigger notification mails or remediation prompts. After your initial setup, you can proceed to create and customize your own policies. To learn more, see [Create and manage policies](privacy-management-policies.md).
+Privacy management's subject rights requests solution can help you handle requests from individuals who want to review or manage the personal data you store about them. To learn more about using these features, see [Manage subject rights requests](privacy-management-subject-rights-requests.md).
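Review bot: Same anchor concern as the previous hunk: "Get started with default policies" becomes "Start managing risks with default policies", so `#get-started-with-default-policies` links break; update inbound links. In the new `+` paragraph, "will kickstart evaluating your data and help give you a look into key risk scenarios" reads awkwardly; suggest "starts evaluating your data and surfaces key risk scenarios". The sentence that the three default policies are on by default but do not trigger notification mails or remediation prompts is the behavior an admin most needs to know before enabling them, and it reads well as is.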
compliance Put An In Place Hold On A Soft Deleted Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/put-an-in-place-hold-on-a-soft-deleted-mailbox.md
Learn how to create an In-Place Hold for a soft-deleted mailbox to make it inact
> [!IMPORTANT] > As we continue to invest in different ways to preserve mailbox content, we're announcing the retirement of In-Place Holds in the Exchange admin center (EAC). Starting July 1, 2020 you won't be able to create new In-Place Holds in Exchange Online. But you'll still be able to manage In-Place Holds in the EAC or by using the **Set-MailboxSearch** cmdlet in Exchange Online PowerShell. However, starting October 1, 2020, you won't be able to manage In-Place Holds. You'll only be remove them in the EAC or by using the **Remove-MailboxSearch** cmdlet. For more information about the retirement of In-Place Holds, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md).
-You might have a situation where a person has left your organization, and their corresponding user account and mailbox were deleted. Afterwards, you realize there's information in the mailbox that needs to be preserved. What can you do? If the deleted mailbox retention period hasn't expired, you can put an In-Place Hold on the deleted mailbox (called a soft-deleted mailbox) and make it an inactive mailbox. An *inactive mailbox* is used to preserve a former employee's email after he or she leaves your organization. The contents of an inactive mailbox are preserved for the duration of the In-Place Hold that was is placed on the soft-deleted mailbox when it was made inactive. After the mailbox is made inactive, you can search the mailbox by using In-Place eDiscovery in Exchange Online, Content Search in the Security & Compliance Center, or the eDiscovery Center in SharePoint Online.
+You might have a situation where a person has left your organization, and their corresponding user account and mailbox were deleted. Afterwards, you realize there's information in the mailbox that needs to be preserved. What can you do? If the deleted mailbox retention period hasn't expired, you can put an In-Place Hold on the deleted mailbox (called a soft-deleted mailbox) and make it an inactive mailbox. An *inactive mailbox* is used to preserve a former employee's email after he or she leaves your organization. The contents of an inactive mailbox are preserved for the duration of the In-Place Hold that was is placed on the soft-deleted mailbox when it was made inactive. After the mailbox is made inactive, you can search the mailbox by using an eDiscovery tool in the Microsoft 365 compliance center.
> [!NOTE] > In Exchange Online, a soft-deleted mailbox is a mailbox that's been deleted but can be recovered within a specific retention period. The soft-deleted mailbox retention period in Exchange Online is 30 days. This means that the mailbox can be recovered (or made an inactive mailbox) within 30 days of being deleted. After 30 days, a soft-deleted mailbox is marked for permanent deletion and can't be recovered or made inactive.
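Review bot: The + line carries over the grammatical slip from the removed line, "the In-Place Hold that was is placed on the soft-deleted mailbox"; suggest "that was placed on". Also, the IMPORTANT note at the top of this hunk says new In-Place Holds can't be created in Exchange Online after July 1, 2020 and can't be managed after October 1, 2020, yet the rewritten paragraph still instructs the reader to "put an In-Place Hold on the deleted mailbox (called a soft-deleted mailbox) and make it an inactive mailbox". The paragraph should point to the replacement guidance in the linked retirement article; as written, the note and the procedure contradict each other.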
compliance Record Versioning https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/record-versioning.md
For more information about how the Preservation Hold library works, see [How ret
The actions of locking and unlocking records are logged in the audit log. From **File and page activities**, select **Changed record status to locked** and **Changed record status to unlocked**.
-For more information about searching for these events, see [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md#file-and-page-activities).
+For more information about searching for these events, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md#file-and-page-activities).
## Next steps
compliance Search Cloud Based Mailboxes For On Premises Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-cloud-based-mailboxes-for-on-premises-users.md
Here are the requirements and limitations for enabling cloud-based storage for o
## How it works
-If a Microsoft Teams-enabled user has an on-premises mailbox and their user account/identity has been synched to the cloud, Microsoft creates cloud-based storage to associate the on-premises user's 1xN Teams chat data with. Teams chat data for on-premises users is indexed for search. This lets you Use Content search (and searches associated with Core eDiscovery and Advanced eDiscovery cases) to search, preview, and export Teams chat data for on-premises users. You can also use **\*ComplianceSearch** cmdlets in the Security & Compliance Center PowerShell to search for Teams chat data for on-premises users.
+If a Microsoft Teams-enabled user has an on-premises mailbox and their user account/identity has been synched to the cloud, Microsoft creates cloud-based storage to associate the on-premises user's 1xN Teams chat data with. Teams chat data for on-premises users is indexed for search. This lets you Use Content search (and searches associated with Core eDiscovery and Advanced eDiscovery cases) to search, preview, and export Teams chat data for on-premises users. You can also use **\*ComplianceSearch** cmdlets in Security & Compliance Center PowerShell to search for Teams chat data for on-premises users.
The following graphic shows the workflow of how Teams chat data for on-premises users is available to search, preview, and export.
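Review bot: The + line only drops "the" before "Security & Compliance Center PowerShell" and leaves two slips in place: "This lets you Use Content search" has a stray capital in "Use", and "creates cloud-based storage to associate the on-premises user's 1xN Teams chat data with" reads more cleanly as "creates cloud-based storage that holds the on-premises user's 1xN Teams chat data". Worth fixing while the line is being touched.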
Here's how to use Content search in the Microsoft 365 compliance center to searc
## Using PowerShell to search for Teams chat data for on-premises users
-You can use the **New-ComplianceSearch** and **Set-ComplianceSearch** cmdlets in the Security & Compliance Center PowerShell to search for Teams chat data for on-premises users. As previously explained, you don't have to submit a support request to use PowerShell to search for Teams chat data for on-premises users.
+You can use the **New-ComplianceSearch** and **Set-ComplianceSearch** cmdlets in Security & Compliance Center PowerShell to search for Teams chat data for on-premises users. As previously explained, you don't have to submit a support request to use PowerShell to search for Teams chat data for on-premises users.
1. [Connect to Security & Compliance Center PowerShell](/powershell/exchange/connect-to-scc-powershell).
compliance Search For Content https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-for-content.md
Content search is easy to use, but it's also a powerful tool. Behind-the-scenes,
## Use scripts for advanced scenarios
-Sometimes you have to perform more advanced, complex, and repetitive content search tasks. In these cases, it's easier and fast to use PowerShell commands in the Security & Compliance Center. To help make this easier, we've created a number of Security & Compliance Center PowerShell scripts to help you complete complex content search-related tasks.
+Sometimes you have to perform more advanced, complex, and repetitive content search tasks. In these cases, it's easier and faster to use commands in Security & Compliance Center PowerShell. To help make this easier, we've created a number of Security & Compliance Center PowerShell scripts to help you complete complex content search-related tasks.
- [Search specific mailbox and site folders](use-content-search-for-targeted-collections.md) (called a *targeted collection) when you're confident that items responsive to a case are located in that folder
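Review bot: The context line "(called a *targeted collection)" opens an italic marker with `*` that is never closed, so the phrase renders with a literal asterisk; suggest "(called a *targeted collection*)". The + line's change from "easier and fast" to "easier and faster" is correct.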
compliance Search The Mailbox And Onedrive For Business For A List Of Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-mailbox-and-onedrive-for-business-for-a-list-of-users.md
# Use Content Search to search the mailbox and OneDrive for Business site for a list of users
-The Security & Compliance Center provides a number of Windows PowerShell cmdlets that let you automate time-consuming eDiscovery-related tasks. Currently, creating a Content Search in the Security & Compliance Center to search a large number of custodian content locations takes time and preparation. Before you create a search, you have to collect the URL for each OneDrive for Business site and then add each mailbox and OneDrive for Business site to the search. In future releases, this will be easier to do in the Security & Compliance Center. Until then, you can use the script in this article to automate this process. This script prompts you for the name of your organization's MySite domain (for example, **contoso** in the URL `https://contoso-my.sharepoint.com`), a list of user email addresses, the name of the new Content Search, and the search query to use. The script gets the OneDrive for Business URL for each user in the list, and then it creates and starts a Content Search that searches the mailbox and OneDrive for Business site for each user in the list, using the search query that you provide.
+Security & Compliance Center PowerShell provides a number of cmdlets that let you automate time-consuming eDiscovery-related tasks. Currently, creating a Content search in the Microsoft 365 compliance center to search a large number of custodian content locations takes time and preparation. Before you create a search, you have to collect the URL for each OneDrive for Business site and then add each mailbox and OneDrive for Business site to the search. In future releases, this will be easier to do in the Microsoft 365 compliance center. Until then, you can use the script in this article to automate this process. This script prompts you for the name of your organization's MySite domain (for example, **contoso** in the URL `https://contoso-my.sharepoint.com`), a list of user email addresses, the name of the new Content Search, and the search query to use. The script gets the OneDrive for Business URL for each user in the list, and then it creates and starts a Content Search that searches the mailbox and OneDrive for Business site for each user in the list, using the search query that you provide.
## Permissions and script information -- You have to be a member of the eDiscovery Manager role group in the Security & Compliance Center and a SharePoint Online global administrator to run the script in Step 3.
+- You have to be a member of the eDiscovery Manager role group in the Microsoft 365 compliance center and a SharePoint Online global administrator to run the script in Step 3.
- Be sure to save the list of users that you create in Step 2 and the script in Step 3 to the same folder. That will make it easier to run the script.
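Review bot: The + line keeps "a SharePoint Online global administrator" as the requirement for running the script in Step 3, while the sibling article in this same change (use-a-script-to-add-users-to-a-hold-in-ediscovery.md) states "a SharePoint Online administrator" for a script that performs the same OneDrive URL lookup. The two articles should agree, and the lower role is the one to document if it is sufficient, since readers grant whatever the page asks for. Also, the context line runs the "## Permissions and script information" heading into the first bullet ("-- You have to be a member..."); the heading needs its own line.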
After you run this command, be sure to open the file and remove the header that
When you run the script in this step, it will prompt you for the following information. Be sure to have this information ready before you run the script. -- **Your user credentials** - The script will use your credentials to access SharePoint Online to get the OneDrive for Business URLs and to connect to the Security & Compliance Center with remote PowerShell.
+- **Your user credentials** - The script will use your credentials to access SharePoint Online to get the OneDrive for Business URLs and to connect to Security & Compliance Center PowerShell.
- **Name of your MySite domain** - The MySite domain is the domain that contains all the OneDrive for Business sites in your organization. For example, if the URL for your MySite domain is **https://contoso-my.sharepoint.com**, then you would enter `contoso` when the script prompts you for the name of your MySite domain.
When you run the script in this step, it will prompt you for the following infor
- **Name of the Content Search** - The name of the Content Search that will be created by the script. -- **Search query** - The search query that will be used with the Content Search is created and run. For more information about search queries, see [Keyword queries and search conditions for Content Search](keyword-queries-and-search-conditions.md).
+- **Search query** - The search query that will be used with the Content Search is created and run. For more information about search queries, see [Keyword queries and search conditions for eDiscovery](keyword-queries-and-search-conditions.md).
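Review bot: The + line only swaps the link text and leaves the sentence "The search query that will be used with the Content Search is created and run" ungrammatical; suggest "The search query that will be used when the Content Search is created and run".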
**To run the script:**
When you run the script in this step, it will prompt you for the following infor
- The search query (leave this blank to return all items in the content locations).
- The script gets the URLs for each OneDrive for Business site and then creates and starts the search. You can either run the **Get-ComplianceSearch** cmdlet in Security & Compliance Center PowerShell to display the search statistics and results, or you can go to the **Content search** page in the Security & Compliance Center to view information about the search.
+ The script gets the URLs for each OneDrive for Business site and then creates and starts the search. You can either run the **Get-ComplianceSearch** cmdlet in Security & Compliance Center PowerShell to display the search statistics and results, or you can go to the **Content search** page in the Microsoft 365 compliance center to view information about the search.
compliance Sensitive Information Type Entity Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-entity-definitions.md
Any term from the Dictionary_icd_9_updated keyword dictionary, which is based on
Any term from the Dictionary_icd_9_codes keyword dictionary, which is based on the [International Classification of Diseases,Ninth Revision, Clinical Modification (ICD-9-CM)](https://go.microsoft.com/fwlink/?linkid=852605). This type looks only for insurance codes, not the description.
-## IP address
+<!-- ## IP address
### Format
For IPv6, a DLP policy has high confidence that it's detected this type of sensi
- No keyword from Keyword_ipaddress is found. ```xml
- <!-- IP Address -->
- <Entity id="1daa4ad5-e2dd-4ca4-a788-54722c09efb2" patternsProximity="300" recommendedConfidence="85">
+ <!-- IP Address -->
+<!-- <Entity id="1daa4ad5-e2dd-4ca4-a788-54722c09efb2" patternsProximity="300" recommendedConfidence="85">
<Pattern confidenceLevel="85"> <IdMatch idRef="Regex_ipv6_address" /> <Any minMatches="0" maxMatches="0">
For IPv6, a DLP policy has high confidence that it's detected this type of sensi
- ip addresses - internet protocol - IP-כתובת ה
+ -->
## Ireland driver's license number
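Review bot: HTML comments don't nest, so the `<!--` added on the "+<!-- ## IP address" line is closed by the first `-->` it meets, which is the context line `<!-- IP Address -->` inside the XML sample, not the `-->` added at the end of the section. The second `<!--` on the "+<!-- <Entity ..." line then opens a fresh comment that the final "+ -->" closes, so the section still ends up hidden, but only because the two halves happen to line up; anyone editing the XML sample later will expose part of the section. Suggest removing or rewording the inner `<!-- IP Address -->` line so a single comment spans the whole section, or deleting the section outright if the IP address entity is being retired rather than leaving its `Entity id` and patterns in the source.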
compliance Sensitivity Labels Coauthoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-coauthoring.md
This preview version of co-authoring for files encrypted with sensitivity labels
- Users won't be able to apply any labels in Office for the web for Word, Excel, and PowerPoint files that are bigger than 300 MB. For these files, you can use the Office desktop apps to apply a label but you must be the only person who has the file open.
+- Currently rolling out: Support for [DLP policies that use sensitivity labels as conditions](dlp-sensitivity-label-as-condition.md) and unencrypted attachments for emails.
+ - Some documents are incompatible with sensitivity labels because of features such as [password-protection](https://support.microsoft.com/office/require-a-password-to-open-or-modify-a-workbook-10579f0e-b2d9-4c05-b9f8-4109a6bce643), [shared workbooks](https://support.microsoft.com/office/about-the-shared-workbook-feature-49b833c0-873b-48d8-8bf2-c1c59a628534), or content that includes ActiveX controls. Other reasons are documented in [Troubleshoot co-authoring in Office](https://support.microsoft.com/office/troubleshoot-co-authoring-in-office-bd481512-3f3a-4b6d-b7eb-ebf9d3626ae7). For these documents, you see a message **UPLOAD FAILED** and should select the **Discard Changes** option. Until this issue is addressed, do not label these documents that are identified with this failure message. - Office apps for iOS and Android are not supported.
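Review bot: The second + line ends with " - Office apps for iOS and Android are not supported." appended to the "Some documents are incompatible" bullet; it is a separate limitation and should be its own list item at the same level as the other bullets. The leading space on that same + line also indents the bullet one level, which makes it a sub-item of the "Currently rolling out" bullet above rather than a peer.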
compliance Set Up Compliance Boundaries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-compliance-boundaries.md
For a complete list, see the full list of supported [mailbox filters](/powershel
## Step 2: Create a role group for each agency
-The next step is to create the role groups in the Security & Compliance Center that will align with your agencies. We recommend that you create a role group by copying the built-in eDiscovery Managers group, adding the appropriate members, and removing roles that may not be applicable to your needs. For more information about eDiscovery-related roles, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
+The next step is to create the role groups in the Microsoft 365 compliance center that will align with your agencies. We recommend that you create a role group by copying the built-in eDiscovery Managers group, adding the appropriate members, and removing roles that may not be applicable to your needs. For more information about eDiscovery-related roles, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
-To create the role groups, go to the **Permissions** page in the Security & Compliance Center and create a role group for each team in each agency that will use compliance boundaries and eDiscovery cases to manage investigations.
+To create the role groups, go to the **Permissions** page in the Microsoft 365 compliance center and create a role group for each team in each agency that will use compliance boundaries and eDiscovery cases to manage investigations.
Using the Contoso compliance boundaries scenario, four role groups need to be created and the appropriate members added to each one.
New-ComplianceSecurityFilter -FilterName "Coho Winery Security Filter" -Users "C
The final step is to create a Core eDiscovery case or Advanced eDiscovery case in the Microsoft 365 compliance center and then add the role group that you created in Step 2 as a member of the case. This results in two important characteristics of using compliance boundaries: -- Only members of the role group added to the case will be able to see and access the case in the Security & Compliance Center. For example, if the Fourth Coffee Investigators role group is the only member of a case, then members of the Fourth Coffee eDiscovery Managers role group (or members of any other role group) won't be able to see or access the case.
+- Only members of the role group added to the case will be able to see and access the case in the Microsoft 365 compliance center. For example, if the Fourth Coffee Investigators role group is the only member of a case, then members of the Fourth Coffee eDiscovery Managers role group (or members of any other role group) won't be able to see or access the case.
- When a member of the role group assigned to a case runs a search associated with the case, they will only be able to search the content locations within their agency (which is defined by the search permissions filter that you created in Step 3.)
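Review bot: The trailing "(which is defined by the search permissions filter that you created in Step 3.)" on the last context bullet has the period inside the parentheses; move it outside. The context line before the + line also runs "This results in two important characteristics of using compliance boundaries:" straight into the first bullet ("-- Only members..."); that bullet belongs on its own line. Since the two bullets describe two different controls (role-group membership on the case governs who can see the case, the Step 3 search permissions filter governs which content locations a search from that case can reach), it would help readers to state that both must be in place for the boundary to hold.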
compliance Use A Script To Add Users To A Hold In Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-a-script-to-add-users-to-a-hold-in-ediscovery.md
description: "Learn how to run a script to add mailboxes & OneDrive for Business
# Use a script to add users to a hold in a Core eDiscovery case
-Security & Compliance Center PowerShell provides cmdlets that let you automate time-consuming tasks related to creating and managing eDiscovery cases. Currently, using the Core eDiscovery case in the Security & Compliance Center to place a large number of custodian content locations on hold takes time and preparation. For example, before you create a hold, you have to collect the URL for each OneDrive for Business site that you want to place on hold. Then for each user you want to place on hold, you have to add their mailbox and their OneDrive for Business site to the hold. You can use the script in this article to automate this process.
+Security & Compliance Center PowerShell provides cmdlets that let you automate time-consuming tasks related to creating and managing eDiscovery cases. Currently, using the Core eDiscovery case in the Microsoft 365 compliance center to place a large number of custodian content locations on hold takes time and preparation. For example, before you create a hold, you have to collect the URL for each OneDrive for Business site that you want to place on hold. Then for each user you want to place on hold, you have to add their mailbox and their OneDrive for Business site to the hold. You can use the script in this article to automate this process.
The script prompts you for the name of your organization's My Site domain (for example, `contoso` in the URL https://contoso-my.sharepoint.com), the name of an existing eDiscovery case, the name of the new hold that associated with the case, a list of email addresses of the users you want to put on hold, and a search query to use if you want to create a query-based hold. The script then gets the URL for the OneDrive for Business site for each user in the list, creates the new hold, and then adds the mailbox and OneDrive for Business site for each user in the list to the hold. The script also generates log files that contain information about the new hold.
Here are the steps to make this happen:
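Review bot: The context line following the + line has "the name of the new hold that associated with the case"; suggest "that is associated with the case". The + line itself only renames the portal and is fine.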
## Before you add users to a hold -- You have to be a member of the eDiscovery Manager role group in the Security & Compliance Center and a SharePoint Online administrator to run the script in Step 3. For more information, see [Assign eDiscovery permissions in the OfficeΓÇì 365 Security & Compliance Center](assign-ediscovery-permissions.md).
+- You have to be a member of the eDiscovery Manager role group in the Microsoft 365 compliance center and a SharePoint Online administrator to run the script in Step 3. For more information, see [Assign eDiscovery permissions in the OfficeΓÇì 365 Security & Compliance Center](assign-ediscovery-permissions.md).
-- A maximum of 1,000 mailboxes and 100 sites can be added to a hold that's associated with an eDiscovery case in the Security & Compliance Center. Assuming that every user that you want to place on hold has a OneDrive for Business site, you can add a maximum of 100 users to a hold using the script in this article.
+- A maximum of 1,000 mailboxes and 100 sites can be added to a hold that's associated with an eDiscovery case in the Microsoft 365 compliance center. Assuming that every user that you want to place on hold has a OneDrive for Business site, you can add a maximum of 100 users to a hold using the script in this article.
- Be sure to save the list of users that you create in Step 2 and the script in Step 3 to the same folder. That will make it easier to run the script.
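Review bot: The first + line updates the body text to "Microsoft 365 compliance center" but leaves the link text as "Assign eDiscovery permissions in the OfficeΓÇì 365 Security & Compliance Center", which still names the old portal and contains the mis-encoded sequence `ΓÇì` (a mangled zero-width character after "Office"). Suggest shortening the link text to "Assign eDiscovery permissions", as this same change does in use-content-search-for-targeted-collections.md. The second + line's 1,000-mailbox / 100-site limit is consistent with the 100-user cap it derives.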
When you run the script in this step, it will prompt you for the following infor
- **Search query for a query-based hold:** You can create a query-based hold so that only the content that meets the specified search criteria is placed on hold. To place all content on hold, just press **Enter** when you're prompted for a search query. -- **Turning on the hold or not:** You can have the script turn on the hold after it's created or you can have the script create the hold without enabling it. If you don't have the script turn on the hold, you can turn it on later in the Security & Compliance Center or by running the following PowerShell commands:
+- **Turning on the hold or not:** You can have the script turn on the hold after it's created or you can have the script create the hold without enabling it. If you don't have the script turn on the hold, you can turn it on later in the Microsoft 365 compliance center or by running the following PowerShell commands:
```powershell Set-CaseHoldPolicy -Identity <name of the hold> -Enabled $true
Write-host "Script complete!" -foregroundColor Yellow
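Review bot: The context line shows the fence opener and the command on one line, "```powershell Set-CaseHoldPolicy -Identity <name of the hold> -Enabled $true"; the command must start on the line after the opener or the code block won't render. Also, the + line's "you can have the script create the hold without enabling it... you can turn it on later" should say plainly that content locations are not on hold until the hold is enabled, so a reader who skips the prompt doesn't assume preservation has started.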
4. Enter the information that the script prompts you for.
- The script connects to Security & Compliance Center PowerShell, and then creates the new hold in the eDiscovery case and adds the mailboxes and OneDrive for Business for the users in the list. You can go to the case on the **eDiscovery** page in the Security & Compliance Center to view the new hold.
+ The script connects to Security & Compliance Center PowerShell, and then creates the new hold in the eDiscovery case and adds the mailboxes and OneDrive for Business for the users in the list. You can go to the case on the **eDiscovery** page in the Microsoft 365 compliance center to view the new hold.
After the script is finished running, it creates the following log files, and saves them to the folder where the script is located.
compliance Use Content Search For Targeted Collections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-content-search-for-targeted-collections.md
The Content search tool in the Microsoft 365 compliance center doesn't provide a
## Before you run a targeted collection -- You have to be a member of the eDiscovery Manager role group in Security & Compliance Center to run the script in Step 1. For more information, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
+- You have to be a member of the eDiscovery Manager role group in the Microsoft 365 compliance center to run the script in Step 1. For more information, see [Assign eDiscovery permissions](assign-ediscovery-permissions.md).
- You also have to be assigned the Mail Recipients role in your Exchange Online organization. This is required to run the **Get-MailboxFolderStatistics** cmdlet, which is included in the script. By default, the Mail Recipients role is assigned to the Organization Management and Recipient Management role groups in Exchange Online. For more information about assigning permissions in Exchange Online, see [Manage role group members](/exchange/manage-role-group-members-exchange-2013-help). You could also create a custom role group, assign the Mail Recipients role to it, and then add the members who need to run the script in Step 1. For more information, see [Manage role groups](/Exchange/permissions-exo/role-groups).
To display a list of mailbox folders or site documentlink (path) names:
######################################################################################################### # This PowerShell script will prompt you for: # # * Admin credentials for a user who can run the Get-MailboxFolderStatistics cmdlet in Exchange #
- # Online and who is an eDiscovery Manager in the Security & Compliance Center. #
+ # Online and who is an eDiscovery Manager in the Microsoft 365 compliance center. #
# The script will then: # # * If an email address is supplied: list the folders for the target mailbox. # # * If a SharePoint or OneDrive for Business site is supplied: list the documentlinks (folder paths) #
To display a list of mailbox folders or site documentlink (path) names:
######################################################################################################### # Collect the target email address or SharePoint Url $addressOrSite = Read-Host "Enter an email address or a URL for a SharePoint or OneDrive for Business site"
- # Authenticate with Exchange Online and the Security & Compliance Center (Exchange Online Protection - EOP)
+ # Authenticate with Exchange Online and the Microsoft 365 compliance center (Exchange Online Protection - EOP)
if ($addressOrSite.IndexOf("@") -ige 0) { # List the folder Ids for the target mailbox
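Review bot: The + comment line now reads "Authenticate with Exchange Online and the Microsoft 365 compliance center (Exchange Online Protection - EOP)", which pairs the portal name with the EOP parenthetical. The comment describes a PowerShell authentication step (the script runs Get-MailboxFolderStatistics, per its header comment), not a portal sign-in, so "Security & Compliance Center PowerShell" is the accurate term here, matching how the other + lines in this change name the PowerShell connection. The header comment's "Admin credentials for a user who can run the Get-MailboxFolderStatistics cmdlet" would also be a good place to repeat that the Mail Recipients role is the minimum Exchange Online role needed, as the bullet in the earlier hunk already states.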
compliance Use Content Search To Search Third Party Data That Was Imported https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-content-search-to-search-third-party-data-that-was-imported.md
# Use Content Search to search third-party data imported by a custom partner connector
-You can use the [Content Search eDiscovery tool](content-search.md) in the Security & Compliance Center to search for items imported to mailboxes in Microsoft 365 from a third-party data source. You can create a query to search all imported third-party data items or you can create a query to search specific third-party data items. Also, you can also create a query-based retention policy or a query-based eDiscovery hold to preserve third-party data.
+You can use the [Content search eDiscovery tool](content-search.md) in the Microsoft 365 compliance center to search for items imported to mailboxes in Microsoft 365 from a third-party data source. You can create a query to search all imported third-party data items or you can create a query to search specific third-party data items. Also, you can also create a query-based retention policy or a query-based eDiscovery hold to preserve third-party data.
For more information about working with a partner to import third-party data and a list of the third-party data types that you can import to Microsoft 365, see [Work with a partner to archive third-party data in Office 365](work-with-partner-to-archive-third-party-data.md).
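Review bot: The + line keeps the doubled "Also, you can also create a query-based retention policy"; suggest "You can also create". The "Content search" casing in the link text now matches the rest of the change.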
compliance Use Sharing Auditing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-sharing-auditing.md
A common requirement for administrators is creating a list of all resources that
### Step 1: Search for sharing events and export the results to a CSV file
-The first step is to search the audit log for sharing events. For more information (including the required permissions) about searching the audit log, see [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md).
+The first step is to search the audit log for sharing events. For more information (including the required permissions) about searching the audit log, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md).
1. Go to <https://compliance.microsoft.com>.
compliance View Custodian Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/view-custodian-activity.md
# View custodian audit activity
-Need to find if a user viewed a specific document or purged an item from their mailbox? Advanced eDiscovery is now integrated with the existing audit log search tool in the Security & Compliance Center. Using this embedded experience, you can use the Advanced eDiscovery Custodian Management tool to facilitate your investigation by easily accessing and searching the activity for custodians within your case.
+Need to find if a user viewed a specific document or purged an item from their mailbox? Advanced eDiscovery is now integrated with the existing audit log search tool in the Microsoft 365 compliance center. Using this embedded experience, you can use the Advanced eDiscovery Custodian Management tool to facilitate your investigation by easily accessing and searching the activity for custodians within your case.
## Get permissions You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. To give a user the ability to search the Advanced eDiscovery audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online. > [!IMPORTANT]
-> If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the Security & Compliance Center, they won't be able to search the audit log. You have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.
+> If you assign a user the View-Only Audit Logs or Audit Logs role on the Permissions page in the Microsoft 365 compliance center, they won't be able to search the audit log. You have to assign the permissions in Exchange Online. This is because the underlying cmdlet used to search the audit log is an Exchange Online cmdlet.
## Step 1: Search the audit log for activities performed by a custodian
You can export the results of an audit log search to a comma separated value (CS
3. After you select an export option, a message is displayed at the bottom of the window that prompts you to open the CSV file, save it to the Downloads folder, or save it to a specific folder
-For more information about viewing, filtering, or exporting audit log search results, see [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md).
+For more information about viewing, filtering, or exporting audit log search results, see [Search the audit log](search-the-audit-log-in-security-and-compliance.md).
enterprise Microsoft 365 Exchange Monitoring https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-exchange-monitoring.md
Title: "Exchange Online monitoring for Microsoft 365"
Previously updated : 12/03/2020 audience: Admin
description: "Use Exchange Online monitoring for information about email inciden
# Exchange Online monitoring for Microsoft 365
-You can use Exchange Online monitoring in the Microsoft 365 admin center to monitor the health of the Exchange service for your organizationΓÇÖs Microsoft 365 subscription. Exchange Online monitoring provides you with information about incidents and advisories that are collected in these categories:
+You can use Exchange Online monitoring in the Microsoft 365 admin center to monitor the health of the Exchange service for your organization's Microsoft 365 subscription. Exchange Online monitoring provides you with information about incidents and advisories that are collected in these categories:
- **Infrastructure**: Issue is detected in the Microsoft 365 infrastructure that Microsoft owns for providing regular updates and resolving the issue. For example, users cannot access Exchange Online because of issues with Exchange or other Microsoft 365 cloud infrastructure. - **Third-party infrastructure**: Issue is detected in third-party infrastructure on which your organization has taken a dependency and requires action from your organization for resolution. For example, user authentication transactions are getting throttled by a third-party security token service (STS) provider that prevents users from connecting to Exchange Online. - **Customer infrastructure**: Issue is detected in your organization's infrastructure and requires action from your organization for resolution. For example, users cannot access Exchange Online because they are unable to obtain an authentication token from STS provider hosted by your organization because of an expired certificate.
-Here is an example of the **Service health** page in the Microsoft 365 admin center, available from **Health > Service health**.
+Here is an example of the **Service health** page in the Microsoft 365 admin center, available from **Health > Service health** for organization scenarios.
-![The Service health page in the Microsoft 365 admin center](../media/microsoft-365-exchange-monitoring/service-health-dashboard-example.png)
+**Issues in your organization** will be identified and used by organizational-level monitoring.
-The value of the **Status** column indicates whether the service is healthy or has advisories or incidents based on the cloud services that Microsoft maintains.
-The value of the **Your org and 3rd party issues** column indicates that your organization's infrastructure or third-party software affects your users service health experience with Exchange Online. Advisories or incidents require *your* actions to resolve.
+The value of the **Health** column under **Issues in your organization** indicates whether organization's infrastructure or third-party software affects your organization's users' service health experience with Exchange Online. Advisories or incidents require *your* actions to resolve.
-Here is an example of the **Exchange Online** monitoring page in the Microsoft 365 admin center, available from **Health > Service health > Exchange Online**.
+The value of the **Health** column under **Microsoft service health** indicates that the service is healthy or has advisories or incidents based on the cloud services that Microsoft maintains.
-![The Exchange Online monitoring page in the Microsoft 365 admin center](../media/microsoft-365-exchange-monitoring/exhange-monitoring-example.png)
+Here is an example of the Exchange Online monitoring page in the Microsoft 365 admin center that shows the health of organization-level scenarios, available from **Health > Service health > Exchange Online**.
-With the **Exchange Online** monitoring page, you can see whether the Exchange Online service is healthy or not and whether there are any associated incidents or advisories. With Exchange Online monitoring, you can look at the service health for specific email scenarios and view near real-time signals to determine the impact by scenario.
+
+With the **Exchange Online** monitoring page, you can see whether the Exchange Online service is healthy or not and whether there are any associated incidents or advisories. With Exchange Online monitoring, you can look at the service health for specific email scenarios and view near real-time signals to determine the impact by organization-level scenario.
## Requirements This preview is enabled for customers who meet these requirements: -- Your organization needs to have a license count of at least 5,000, from one or a combination of these products: Office 365 E3, Microsoft 365 E3, Office 365 E5, Microsoft 365 E5.
+- Your organization needs to have a license count of at least 5,000 from one or a combination of these products: Office 365 E3, Microsoft 365 E3, Office 365 E5, Microsoft 365 E5.
For example, your organization can have 3,000 Office 365 E3 licenses and 2,500 Microsoft 365 E5, for a total of 5,500 licenses from the qualifying products. - Your organization needs to have at least 50 monthly active Exchange Online users.
-With Exchange Online monitoring you can view the health for the following email clients based on email read activity:
+- Any role with Service Health Dashboard level permissions can access Exchange Online Monitoring. For more information, see [How to check Microsoft 365 service health](view-service-health.md).
+
+## Organization-level scenarios
+
+With Exchange Online monitoring supports the following scenarios:
-- Outlook Desktop-- Outlook on the Web-- Native mail clients of iOS and Android -- Outlook Mobile app in iOS and Android -- Outlook Mac client
+- **Email clients**: You can view the health for the following email clients based on email read activity:
-For these clients, you can see the number of active users in the last 30 minutes based on users reading an email, along with number of incidents and advisories in the dashboard. This data is compared to the same interval for the previous week to see if thereΓÇÖs an issue.
+ - Outlook desktop
+ - Outlook on the web
+ - Native mail clients of iOS and Android
+ - Outlook Mobile app in iOS and Android
+ - Outlook Mac client
+ - Open Outlook on the web
->[!Note]
-> Active user count is measured by a single activity, for example, when a user reads an email. It only accounts for the last 30 minutes of activity.
->
+ For these clients, you can see the number of active users in the last 30 minutes based on users reading an email, along with number of incidents and advisories in the dashboard. This data is compared to the same interval for the previous week to see if there's an issue.
-You can also monitor Exchange Online health for the following scenarios:
+ >[!Note]
+ > Active user count is measured by a single activity, for example, when a user reads an email. It only accounts for the last 30 minutes of activity.
+
+- **App connectivity**: Estimated connectivity is based on the percentage of successful, synthetic connections between your organization's devices and Exchange Online, and may include issues outside of Microsoft's control.
-- **Mail flow**: The number of messages successfully delivered to a mailbox without any delay after the message reached the Microsoft 365 network. - **Basic Authentication and Modern Authentication**: The number of users successfully validated in the Exchange Online service.
-![An example of monitoring Exchange health for mail delivery](../media/microsoft-365-exchange-monitoring/exhange-monitoring-scenario-example.png)
+- **Mail flow**: The number of messages successfully delivered to a mailbox without any delay after the message reached the Microsoft 365 network.
+
+ ![An example of monitoring Exchange health for mail delivery](../media/microsoft-365-exchange-monitoring/exchange-monitoring-scenario-example.png)
-For all these scenarios, the key numbers are for the last 30 minutes in the main dashboard. Detailed views for each of these scenarios shows the near real-time trend for seven days with the 30-minute aggregate compared with the previous week.
+For these scenarios, the key numbers are for the last 30 minutes in the main dashboard. Detailed views for each of these scenarios show the near real-time trend for seven days with the 30-minute aggregate compared with the previous week.
## Send us feedback There are two ways you can provide feedback: - Use the **Give feedback** option available on every page of the Microsoft 365 admin center.+ - Submit feedback using the **Is this post helpful?** link for a specific incident or advisory.
-![The "Is this post helpful?" link for a specific incident or advisory](../media/microsoft-365-exchange-monitoring/exhange-monitoring-example-incident-feedback.png)
+![The "Is this post helpful?" link for a specific incident or advisory](../media/microsoft-365-exchange-monitoring/exchange-monitoring-example-incident-feedback.png)
## Frequently asked questions
-#### 1. Why donΓÇÖt I see ΓÇ£Exchange Online monitoringΓÇ¥ under Health in the Microsoft 365 admin center?
+#### 1. Why don't I see "Exchange Online monitoring" under Health in the Microsoft 365 admin center?
-First, make sure youΓÇÖve enabled the new admin center on the **Home** page of the Microsoft 365 admin center.
+First, make sure you've enabled the new admin center on the **Home** page of the Microsoft 365 admin center.
Then make sure you meet both of the following requirements: - Your organization needs to have a license count of at least 5,000, from one or a combination of these products: Office 365 E3, Microsoft 365 E3, Office 365 E5, Microsoft 365 E5. + - Your organization needs to have at least 50 monthly active Exchange Online users.
-If the license count for your organization goes below 5,000 users and the monthly active users goes below 50 users, Exchange Online monitoring wonΓÇÖt be enabled until these requirements are met.
+If the license count for your organization falls below 5,000 users and the monthly active users falls below 50 users, Exchange Online monitoring won't be enabled until these requirements are met.
-#### 2. The active user count in the dashboard for each client appears to be low. We have a lot of active licenses assigned to users. What does this mean?
+#### 2. The active user count in the dashboard for each client appears to be low. We have a lot of active licenses assigned to users. What does this mean?
-The active user count shown in monitoring is based on a 30-minute window where users have performed the activity called out in the feature. This shouldnΓÇÖt be confused with usage numbers. To view usage numbers, use activity reports in the Microsoft 365 admin center (**Reports > Usage**).
+The active user count shown in monitoring is based on a 30-minute window where users have performed the activity called out in the feature. This shouldn't be confused with usage numbers. To view usage numbers, use activity reports in the Microsoft 365 admin center (**Reports > Usage**).
-#### 3. Will there be other monitoring scenarios for other services such as Teams and SharePoint?
+#### 3. Will there be other monitoring scenarios for other services such as Teams and SharePoint?
-Microsoft is integrating this experience directly inside the Service Health dashboard in the Microsoft 365 admin center. This will provide opportunities for Microsoft to extend monitoring scenarios for other services, which will be announced when there is news to share.
+Microsoft is integrating this experience directly inside the Service Health dashboard in the Microsoft 365 admin center. This will provide opportunities for Microsoft to extend monitoring scenarios for other services, which will be announced when there is news to share.
-#### 4. What is the plan for general availability of this experience?
+#### 4. What is the plan for general availability of this experience?
-Microsoft has integrated Exchange Online monitoring directly on the **Service Health** dashboard in the Microsoft 365 admin center.
+Microsoft has integrated Exchange Online monitoring directly on the **Service Health** dashboard in the Microsoft 365 admin center.
With this new integrated experience, Microsoft's plan is to collect your feedback and then define our plan for general availability. #### 5. Is this a free (included) or paid (extra) feature?
-This feature is in Public preview and only available for customers that meet the requirements in question 1.
-
-<!--
->[!Note]
->INTERNAL: That decision is pending
->
>
+This is a free feature that is in preview and only available for customers that meet the requirements in question 1. There isn't a paid option to receive this content.
-#### 6. How do I provide feedback?
+#### 6. How do I provide feedback?
For general feedback, use the **Give feedback** icon on the bottom-right corner of the **Exchange Online** monitoring page.
For feedback on incidents or advisories, use the **Is this post helpful?** link.
#### 7. Where is the data instrumented for the scenarios that show activity trends? The data is instrumented in the Exchange Online service. If there is a failure that happens before the request reaches Exchange Online or there is a failure in Exchange Online, you will see a drop in the activity signal.+
+#### 8. Are there any privacy concerns?
+
+Monitoring focuses on service metadata and user content is not monitored.
+
+## See also
+
+- [How to check Microsoft 365 service health](view-service-health.md)
+- [Exchange Online limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#mailbox-storage-limits)
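Review bot: the two rewritten "Here is an example of ..." sentences (for the **Service health** page and for the Exchange Online monitoring page) now have no screenshot after them, because both image lines (service-health-dashboard-example.png and exhange-monitoring-example.png) are removed without a replacement; either add updated screenshots or reword so the sentences no longer promise an example. In the new **Organization-level scenarios** section, "With Exchange Online monitoring supports the following scenarios:" has a stray "With" (read "Exchange Online monitoring supports the following scenarios:"), the list item "Open Outlook on the web" duplicates "Outlook on the web" two entries above and looks like a leftover, and "indicates whether organization's infrastructure" is missing "your". The image path fix (exhange -> exchange) is right, but note that the removed **Basic Authentication and Modern Authentication** scenario is not re-added when **Mail flow** is; confirm that dropping it is intended rather than lost in the re-flow.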
enterprise Microsoft 365 Mailbox Utilization Service Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-mailbox-utilization-service-alerts.md
+
+ Title: "Mailbox utilization service alerts"
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+search.appverid:
+- MET150
+
+- Ent_O365
+- Strat_O365_Enterprise
+f1.keywords:
+- NOCSH
+description: "Use mailbox utilization service alerts to monitor mailboxes on hold that are reaching their mailbox quota."
++
+# Service alerts for mailbox utilization in Exchange Online monitoring
+
+We've released a new Exchange Online service alert that informs you of mailboxes that are on hold that are at risk of reaching or exceeding their quota. These service alerts provide visibility to the number of mailboxes in your organization that may require admin intervention.
+
+These service alerts are displayed in the Microsoft 365 admin center. To view these service alerts, go to **Health** > **Service health** > **Exchange Online** and then click the **Active issues** tab. Here's an example of a mailbox utilization service alert.
+
+![Mailbox utilization service alert](../media/MailboxUtilizationServiceAlert.png)
+
+To display a list of mailboxes that are nearing their storage quota (called the *mailbox usage report*), click the highlighted link in the following screenshot. This link is displayed in the service alert.
+
+![Link to mailbox usage report](../media/LinkToMailboxUsageReport.png)
+
+Alternatively, the direct URL to the mailbox usage report is <https://admin.microsoft.com/Adminportal/Home?source=applauncher#/reportsUsage/MailboxUsage>.
+
+## What do these service alerts indicate?
+
+The service alerts for mailbox utilization inform admins about mailboxes on hold that are nearing the mailbox storage quota. The type of holds that that can be placed on mailboxes include Litigation holds, eDiscovery hold, and Microsoft 365 retention policies (that are configured to retain data). When a mailbox is on hold, users (or automated processes) can't permanently remove data from their mailbox. Instead, admins must configure MRM retention policies in Exchange Online (inline with their organization's compliance policies related to data retention) to move data from a user's primary mailbox to their archive mailbox. If not and a mailbox on a hold reaches a critical or warning state, admins have to [enable archive mailboxes](../compliance/enable-archive-mailboxes.md) and [enable auto-expanding archiving](../compliance/enable-unlimited-archiving.md) and then make sure that the retention period for the archive policy assigned to the mailbox (that moves email from the primary mailbox to the archive mailbox) is short enough. If nothing is done to resolve the quota issues that are identified by the mailbox utilization service alerts, then users might not be able to send or receive email messages or meeting invites.
+
+A service alert for mailbox utilization contains tables about the number of mailboxes that are nearing their quota. The following sections describe the information in these tables and the action admins can take to help ensure these mailboxes don't exceed their quota.
+
+> [!NOTE]
+> Service alerts contain descriptions of the mailbox quota properties that appear in the columns in the tables described in the following sections.
+
+### Mailboxes on hold without an archive
+
+The following table lists the number of mailboxes on hold that are nearing their quota but don't have an archive mailbox enabled. Each column in the table identifies the specific quota and the number of mailboxes nearing that quota.
+
+| # Mailboxes ProhibitSendReceiveQuota (Warning)| # Mailboxes ProhibitSendReceiveQuota (Critical)** |# Mailboxes RecoverableItemsQuota (Warning)|# Mailboxes RecoverableItemsQuota (Critical)** |
+|:--|:--|:|: |
+| 2 | 2 | 1 | 0 |
+||||
+
+The action admins can take for these mailboxes is to enable the archive mailbox and ensure that an MRM archive policy (which is an MRM retention policy in Exchange Online that moves items to the archive mailbox) is applied to the mailbox so that items are moved to the archive mailbox. For more information, see [Set up an archive and deletion policy for mailboxes](../compliance/set-up-an-archive-and-deletion-policy-for-mailboxes.md).
+
+After you enable an archive mailbox, we recommend that you consider increasing the quota for the Recoverable Items folder. This helps prevents exceeding the quota for the Recoverable Items folder for mailboxes that are placed on hold. For more information, see [Increase the Recoverable Items quota for mailboxes on hold](../compliance/increase-the-recoverable-quota-for-mailboxes-on-hold.md).
+
+### Mailboxes on hold with an archive
+
+The following table lists the number of mailboxes on hold that are nearing their quota and have an archive mailbox enabled.
+
+|# Mailboxes ProhibitSendReceiveQuota (Warning) |# Mailboxes ProhibitSendReceiveQuota (Critical) |# Mailboxes RecoverableItemsQuota (Warning) |# Mailboxes RecoverableItemsQuota (Critical)** |
+|:--|:--|:|: |
+| 1 | 1 | 6 | 0 |
+||||
+
+The action admins can take for these mailboxes is to increase the quota for the Recoverable Items folder. For more information, see [Increase the Recoverable Items quota for mailboxes on hold](../compliance/increase-the-recoverable-quota-for-mailboxes-on-hold.md).
+
+Admins should also make sure that an MRM archive policy that moves items to the archive mailbox is also applied to the mailboxes, and that the retention period for the archive policy is short enough so that items aren't retained too long in the primary mailbox before they're moved to the archive.
+
+> [!NOTE]
+> MRM archive policies also move items from the Recoverable Items folder in the primary mailbox to the Recoverable Items folder in the corresponding archive mailbox. This capability helps prevent the mailbox from exceeding the quota for the Recoverable Items quota.
+
+### MRM retention policies in your organization
+
+Service alerts for mailbox utilization may also contain a table with information about the MRM retention policies in your organization and whether or not the mailboxes that are a retention policy have an archive mailbox. For more information about retention policies, see [Retention tags and retention policies in Exchange Online](/exchange/security-and-compliance/messaging-records-management/retention-tags-and-policies).
+
+| RetentionPolicyGuid | MailboxType | HasMoveDumpsterToArchiveTag | HasMovePrimaryToArchiveTag | HasPersonalArchiveTag | Mailboxes |
+|:--|:--|:|:|:|: |
+| 6c041498-1611-5011-a058-1156ce60890c | PrimaryWithArchive | True | False | True | 398 |
+| 6c041498-1611-5011-a058-1156ce60890c | Primary | True | False | True | 10 |
+| 749ceecc-d49d-4000-a9d5-594dbaea1e56 | PrimaryWithArchive | False | True | False | 7 |
+| 269f6a85-1234-4648-8cde-59bbc7bc67d0 | PrimaryWithArchive | True | True | True | 1 |
+| 13fb778d-e1cb-4c44-5768-ad4282906c1f | PrimaryWithArchive | True | True | False | 1 |
+|||||||
+
+The following list describes each column in the previous table.
+
+- **RetentionPolicyGuid**: The GUID of the retention policy assigned to mailboxes in your organization. In the previous example, there are two separate rows for the same retention policy. The first row indicates the number of mailboxes with an archive that are assigned the policy. The second row indicates the number of mailboxes without an archive that are assigned the same policy.
+
+ To obtain more information about the retention policy listed in this column, run the following command in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell).
+
+ ```powershell
+ Get-RetentionPolicy <GUID> | FL
+ ```
+
+ The value of the **Name** property is the name of the retention policy that's displayed on the **Retention policies** page in the Exchange admin center.
+
+- **MailboxType**: Specifies what type of mailboxes the policy is assigned to. Values include *Primary* (mailboxes without an archive) or *PrimaryWithArchive* (mailboxes with an archive). If the value in this column is *Primary*, then you should enable the archive for the mailboxes (the **Mailbox** column indicates the number of these mailboxes) that are assigned the policy. Otherwise, an archive policy or personal archive tag won't work because there isn't an archive to move items to.
+
+- **HasMoveDumpsterToArchiveTag**: Indicates that the retention policy includes a retention tag that move items in the Recoverable Items folder (also called the *dumpster*) in the primary mailbox to the Recoverable Items folder in the archive. This type of retention tag is set by an admin. If the retention period for the recoverable items tag is too long, then reducing the retention period should help prevent mailboxes from nearing the quota for Recoverable Items folder. For example, if the retention period is set to 30 days, reducing it to three or five days may help. For more information, see [Increase the Recoverable Items quota for mailboxes on hold](../compliance/increase-the-recoverable-quota-for-mailboxes-on-hold.md).
+
+- **HasMovePrimaryToArchiveTag**: Indicates if there is a default "move to archive" retention tag (also called an *archive policy*) included in the retention policy. In this case, messages will be moved from the regular folders in the primary mailbox to the archive mailbox. This type of retention tag is set by an admin. Again, if the retention period for this tag is too short, users may have problems with continually reaching the quota for their primary mailbox. Reducing the retention period for an archive policy may help solve this issue.
+
+- **HasPersonalArchiveTag**: Indicates if the retention policy includes a personal "move to archive" tag. If the retention policy does include a personal "move to archive" tag, then users can apply this tag to folders and messages in their mailbox to move items to the archive. Users can also set up an inbox rule to move messages to a folder with this tagged applied to it. In both cases, this can help move items to the archive to help avoid reaching the quota for their primary mailbox.
+
+- **Mailboxes**: Indicates the number of mailboxes (those with or without an archive, which is indicated in the **MailboxType** column) the retention policy is assigned to.
+
+## How often will I see these service alerts?
+
+If you don't take action to resolve the quota issues, you can expect to see this type of service alert every four days. Subsequent service alerts may contain higher mailbox counts for other mailboxes that are nearing their quota. If you take action to resolve quota issues, this service alert will only occur when another mailbox with quota issues is identified.
+
+## More information
+
+- For information about troubleshooting and resolving archive mailbox issues, see [Microsoft 365 compliance troubleshooting](/office365/troubleshoot/microsoft-365-compliance-welcome).
+
+- For guidance about identifying the holds placed on a mailbox, see [How to identify the type of hold placed on a mailbox](../compliance/identify-a-hold-on-an-exchange-online-mailbox.md).
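Review bot: the **HasMovePrimaryToArchiveTag** bullet contradicts itself: it says that if the retention period for this tag is "too short" users keep reaching their primary mailbox quota, then recommends reducing the retention period; the condition should be "too long" (items sit in the primary mailbox longer before moving to the archive), matching the **HasMoveDumpsterToArchiveTag** bullet above it. The three tables also have broken markdown: header cells end with an unmatched `**` after "(Critical)", the alignment rows use bare `:` cells (`|:--|:--|:|: |`), which is not valid column alignment (use `|:--|:--|:--|:--|`), and each table ends with an empty `||||` row. Smaller fixes in the same file: "The type of holds that that can be placed" (doubled "that"), "inline with" -> "in line with", "This helps prevents exceeding", "a retention tag that move items", "with this tagged applied", "the mailboxes that are a retention policy" (missing "assigned"), and the **MailboxType** bullet refers to "the **Mailbox** column" while the table column is named **Mailboxes**.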
enterprise Multi Geo User Experience https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-user-experience.md
The following search clients are supported:
## SharePoint Home
-In SharePoint Multi-Geo your SharePoint home is hosted in the location where the user resides as determined by their OneDrive location. For example: if the user has their OneDrive hosted in an European satellite location, their SharePoint Home will be rendered from Europe. SharePoint home includes all content relevant to the user regardless of its geo location.
+In SharePoint Multi-Geo your SharePoint home is hosted in the location where the user resides as determined by their OneDrive location. For example: if the user has their OneDrive hosted in a European satellite location, their SharePoint Home will be rendered from Europe. SharePoint home includes all content relevant to the user regardless of its geo location.
**Followed Sites, News from Sites, Recent Sites, Frequent Sites, and Suggested sites**
lighthouse M365 Lighthouse Configure Portal Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-configure-portal-security.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Protecting access to customer data when a Managed Service Provider (MSP) has delegated access permissions to its tenants is a cybersecurity priority. Microsoft 365 Lighthouse comes with both required and optional capabilities to help you configure Microsoft 365 Lighthouse portal security.
+Protecting access to customer data when a Managed Service Provider (MSP) has delegated access permissions to its tenants is a cybersecurity priority. Microsoft 365 Lighthouse comes with both required and optional capabilities to help you configure Lighthouse portal security.
## Set up multifactor authentication (MFA)
As mentioned in the blog post [Your Pa$$word doesn't matter](https://techcommun
> "Your password doesn't matter, but MFA does. Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA."
-When users access Microsoft 365 Lighthouse for the first time, they'll be prompted to set up MFA if their Microsoft 365 account doesn't already have it configured. Users won't be able to access Microsoft 365 Lighthouse until the required MFA setup step is completed. To learn more about authentication methods, see [Set up your Microsoft 365 sign-in for multifactor authentication](https://support.microsoft.com/office/ace1d096-61e5-449b-a875-58eb3d74de14).
+When users access Lighthouse for the first time, they'll be prompted to set up MFA if their Microsoft 365 account doesn't already have it configured. Users won't be able to access Lighthouse until the required MFA setup step is completed. To learn more about authentication methods, see [Set up your Microsoft 365 sign-in for multifactor authentication](https://support.microsoft.com/office/ace1d096-61e5-449b-a875-58eb3d74de14).
## Set up roles to manage customer tenants
-Access to customer tenant data and settings in Microsoft 365 Lighthouse is restricted to the Admin Agent and Helpdesk Agent roles from the Cloud Solutions Provider (CSP) program.
+Access to customer tenant data and settings in Lighthouse is restricted to the Admin Agent and Helpdesk Agent roles from the Cloud Solutions Provider (CSP) program.
You can check which users in the partner tenant have the Admin Agent and Helpdesk Agent roles by reviewing the security group memberships on the [Azure AD ΓÇô All Groups](https://portal.azure.com/#blade/Microsoft_AAD_IAM/GroupsManagementMenuBlade/AllGroups) page. To learn how to assign CSP program roles and other permissions to users, see [Assign roles and permissions to users](/partner-center/permissions-overview). As an MSP, if you don't already have delegated access privileges to customer tenants, learn how to get them in the article [Obtain permissions to manage a customer's service or subscription](/partner-center/customers-revoke-admin-privileges).
-The following table lists the different Microsoft 365 Lighthouse pages and the permissions required to view and act on customer tenant data and settings for the Admin Agent and Helpdesk Agent roles.<br><br>
+The following table lists the different Lighthouse pages and the permissions required to view and act on customer tenant data and settings for the Admin Agent and Helpdesk Agent roles.<br><br>
-| Microsoft 365 Lighthouse page | Admin Agent permissions | Helpdesk Agent permissions |
+| Lighthouse page | Admin Agent permissions | Helpdesk Agent permissions |
|--|--|--| | Home | <ul><li>View all</li></ul> | <ul><li>View all</li></ul> | | Tenants | <ul><li>View all</li><li>Update customer contacts and website</li><li>View and apply deployment plans</li></ul> | <ul><li>View all</li><li>Update customer contacts and website</li><li>View deployment plans</li></ul> |
The following table lists partner tenant roles and their associated permissions.
| Partner tenant roles | Permissions within partner tenant | |--|--|
-| Global Administrator of partner tenant | <ul><li>Sign up for Microsoft 365 Lighthouse in the Microsoft 365 admin center.</li><li>Accept partner contract amendments during the first-run experience.</li><li>View customer tenants on the Tenants page.\*</li><li>Activate and inactivate a tenant.\*</li><li>Update customer contacts and website.\*</li><li>Create, update, and delete tags.\*</li><li>Assign and remove tags from a customer tenant.\*</li></ul> |
-| Administrator of partner tenant with at least one<br> Azure AD role assigned with the following property set:<br> **microsoft.office365.supportTickets/allEntities/allTasks**<br> (For a list of Azure AD roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).) | <ul><li>Create Microsoft 365 Lighthouse service requests.</li></ul> |
+| Global Administrator of partner tenant | <ul><li>Sign up for Lighthouse in the Microsoft 365 admin center.</li><li>Accept partner contract amendments during the first-run experience.</li><li>View customer tenants on the Tenants page.\*</li><li>Activate and inactivate a tenant.\*</li><li>Update customer contacts and website.\*</li><li>Create, update, and delete tags.\*</li><li>Assign and remove tags from a customer tenant.\*</li></ul> |
+| Administrator of partner tenant with at least one<br> Azure AD role assigned with the following property set:<br> **microsoft.office365.supportTickets/allEntities/allTasks**<br> (For a list of Azure AD roles, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference).) | <ul><li>Create Lighthouse service requests.</li></ul> |
> [!NOTE] > Currently, to take the actions marked with * in the table, the Global Administrator must assume the Admin Agent role.
lighthouse M365 Lighthouse Deploy Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-baselines.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Microsoft 365 Lighthouse baselines let you deploy standard managed-tenant configurations to secure users, devices, and data within customer tenants. There are six default baseline configurations that come standard with Microsoft 365 Lighthouse:
+Microsoft 365 Lighthouse baselines let you deploy standard managed-tenant configurations to secure users, devices, and data within customer tenants. There are six default baseline configurations that come standard with Lighthouse:
- Require MFA for admins - Require MFA for end users
lighthouse M365 Lighthouse Deploy Standard Tenant Configurations Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
Microsoft 365 Lighthouse baselines provide a repeatable and scalable way for you to assess and manage Microsoft 365 security settings across multiple customer tenants. Baselines also help monitor core security policies and tenant compliance standards with configurations that secure users, devices, and data.
-Designed to help partners enable customer adoption of security at their own pace, Microsoft 365 Lighthouse provides a standard set of baseline parameters and pre-defined configurations for Microsoft 365 services. These security configurations help measure your tenants' Microsoft 365 security and compliance progress.
+Designed to help partners enable customer adoption of security at their own pace, Lighthouse provides a standard set of baseline parameters and pre-defined configurations for Microsoft 365 services. These security configurations help measure your tenants' Microsoft 365 security and compliance progress.
-You can view the default baseline and its deployment steps from within Microsoft 365 Lighthouse. To apply baselines to a tenant, select **Tenants** in the left navigation pane, and then select a tenant. Next, go to the **Deployment plans** tab and implement the desired baseline.
+You can view the default baseline and its deployment steps from within Lighthouse. To apply baselines to a tenant, select **Tenants** in the left navigation pane, and then select a tenant. Next, go to the **Deployment plans** tab and implement the desired baseline.
## Standard baseline security templates
-Microsoft 365 Lighthouse standard baseline configurations for security workloads are designed to help all managed tenants reach an acceptable state of security coverage and compliance.
+Lighthouse standard baseline configurations for security workloads are designed to help all managed tenants reach an acceptable state of security coverage and compliance.
-The baseline configurations in the following table come standard with the Microsoft 365 Lighthouse default baseline.<br><br>
+The baseline configurations in the following table come standard with the Lighthouse default baseline.<br><br>
| Baseline configuration | Description | |--|--|
lighthouse M365 Lighthouse Get Help And Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-get-help-and-support.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
Several options are available if you need help. Start by checking the current health of customer tenant
-1. In the left navigation pane of Microsoft 365 Lighthouse, select **Service health**.
+1. In the left navigation pane of Lighthouse, select **Service health**.
2. View detailed information about current and past issues.
-To check the current health of the Microsoft 365 Lighthouse tenant
+To check the current health of the Lighthouse tenant
1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a>. 2. In the left navigation pane, select **Health** > **Service health**.
To check the current health of the Microsoft 365 Lighthouse tenant
If you're experiencing an issue that isn't listed in either of the Service health dashboards, follow the instructions in this article to view self-help options or to create a service request. > [!NOTE]
-> Support is limited to English while Microsoft 365 Lighthouse is in Preview.
+> Support is limited to English while Lighthouse is in Preview.
## Before you begin
If you're experiencing an issue that isn't listed in either of the Service healt
## Access help and support
-1. In Microsoft 365 Lighthouse, select the **?** icon at the top of the portal to open the **Help** pane, and then do one of the following:
+1. In Lighthouse, select the **?** icon at the top of the portal to open the **Help** pane, and then do one of the following:
- If you're on the page of the portal where the issue occurred, select **Show diagnostics**.
If you're experiencing an issue that isn't listed in either of the Service healt
> [!NOTE] > If the **How can we help?** pane doesn't open, you'll need to reach out to someone in your partner tenant who has Global Administrator permissions and ask them to help.
-3. In the **How can we help?** pane, enter a description of your issue, and then press **Enter**. We recommend including the full product name *Microsoft 365 lighthouse* in your description to ensure the search results include relevant help articles.
+3. In the **How can we help?** pane, enter a description of your issue, and then press **Enter**. We recommend including the full product name *Microsoft 365 Lighthouse* in your description to ensure the search results include relevant help articles.
4. Check out the list of recommended articles to see if any of them help resolve your issue.
lighthouse M365 Lighthouse Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-overview.md
description: "For Managed Service Providers (MSPs), learn how Microsoft 365 Ligh
Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium.
-Microsoft 365 Lighthouse simplifies onboarding of Microsoft 365 Business Premium tenants by recommending security configuration baselines tailored to SMB customers and providing multi-tenant views across all customer environments. With Microsoft 365 Lighthouse, MSPs can scale the management of their customers, focus on what's most important, quickly find and investigate risks, and take action to get their customers to a healthy and secure state.
+Lighthouse simplifies onboarding of Microsoft 365 Business Premium tenants by recommending security configuration baselines tailored to SMB customers and providing multi-tenant views across all customer environments. With Lighthouse, MSPs can scale the management of their customers, focus on what's most important, quickly find and investigate risks, and take action to get their customers to a healthy and secure state.
-No additional costs are associated with using Microsoft 365 Lighthouse to manage Microsoft 365 services and connected devices. Microsoft 365 Lighthouse is currently in Preview and available to MSPs enrolled in the Cloud Solution Provider (CSP) program and serving SMB customers with a Microsoft 365 Business Premium subscription.
+No additional costs are associated with using Lighthouse to manage Microsoft 365 services and connected devices. Lighthouse is currently in Preview and available to MSPs enrolled in the Cloud Solution Provider (CSP) program and serving SMB customers with a Microsoft 365 Business Premium subscription.
-Use of Microsoft 365 Lighthouse by Microsoft CSP channel partners that have customers using Microsoft 365 Business Premium is supported. This includes CSP partners transacting directly with Microsoft and those transacting through an indirect provider (distributor).
+Use of Lighthouse by Microsoft CSP channel partners that have customers using Microsoft 365 Business Premium is supported. This includes CSP partners transacting directly with Microsoft and those transacting through an indirect provider (distributor).
> [!IMPORTANT]
-> To use Microsoft 365 Lighthouse, MSPs and their customer tenants must meet the requirements listed in [Microsoft 365 Lighthouse requirements](m365-lighthouse-requirements.md).
+> To use Lighthouse, MSPs and their customer tenants must meet the requirements listed in [Microsoft 365 Lighthouse requirements](m365-lighthouse-requirements.md).
For more information about the CSP program, see the [Cloud Solution Provider program overview](/partner-center/csp-overview).
For more information about the CSP program, see the [Cloud Solution Provider pro
## Microsoft 365 Lighthouse benefits
-Microsoft 365 Lighthouse helps MSPs secure and manage Microsoft 365 services and connected endpoints at scale by:
+Lighthouse helps MSPs secure and manage Microsoft 365 services and connected endpoints at scale by:
- Providing tenant deployment journeys so technicians can follow a consistent set of steps to secure and configure customer tenants. - Using a default SMB security baseline that prescribes best practices targeted to small- and medium-sized business tenants.
lighthouse M365 Lighthouse Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-requirements.md
description: "For Managed Service Providers (MSPs), get a list of requirements t
Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers.
-MSPs must be enrolled in the Cloud Solution Provider (CSP) program as an Indirect Reseller or Direct Bill partner to use Microsoft 365 Lighthouse.
+MSPs must be enrolled in the Cloud Solution Provider (CSP) program as an Indirect Reseller or Direct Bill partner to use Lighthouse.
-In addition, each MSP customer tenant must qualify for Microsoft 365 Lighthouse by meeting the following requirements:
+In addition, each MSP customer tenant must qualify for Lighthouse by meeting the following requirements:
- Delegated Admin PrivilegesΓÇ»(DAP) for the MSP - At least one Microsoft 365 Business Premium license
lighthouse M365 Lighthouse Sign Up https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-sign-up.md
description: "For Managed Service Providers (MSPs), learn how to sign up for Mic
1. Select **Buy**. > [!NOTE]
- > Microsoft 365 Lighthouse requires one license for the partner tenant only. No additional per-user licenses are required for the partner, and no Microsoft 365 Lighthouse licenses are required in any customer tenant.
+ > Lighthouse requires one license for the partner tenant only. No additional per-user licenses are required for the partner, and no Lighthouse licenses are required in any customer tenant.
- To verify that Microsoft 365 Lighthouse was successfully added to your tenant, look for Microsoft 365 Lighthouse under **Billing > Your Products** in the Microsoft 365 admin center.
+ To verify that Lighthouse was successfully added to your tenant, look for Microsoft 365 Lighthouse under **Billing > Your Products** in the Microsoft 365 admin center.
-1. If you aren't redirected to the Microsoft 365 Lighthouse portal, go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">https://lighthouse.microsoft.com</a>.
+1. If you aren't redirected to the Lighthouse portal, go to <a href="https://go.microsoft.com/fwlink/p/?linkid=2168110" target="_blank">https://lighthouse.microsoft.com</a>.
1. Select **Agree & Continue** to complete the partner agreement amendment. > [!NOTE]
- > After you complete sign-up, it can take up to 48 hours for customer data to appear in Microsoft 365 Lighthouse.
+ > After you complete sign-up, it can take up to 48 hours for customer data to appear in Lighthouse.
## Next steps
lighthouse M365 Lighthouse Tenant List Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-tenant-list-overview.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-The Microsoft 365 Lighthouse tenant list provides insights into the different tenants you have a contract with, including tenant onboarding status relative to Microsoft 365 Lighthouse. The tenant list also lets you tag tenants to provide different filters throughout Microsoft 365 Lighthouse, and drill down to learn more about a given tenant and the status of their deployment plan.
+The Microsoft 365 Lighthouse tenant list provides insights into the different tenants you have a contract with, including tenant onboarding status relative to Lighthouse. The tenant list also lets you tag tenants to provide different filters throughout Lighthouse, and drill down to learn more about a given tenant and the status of their deployment plan.
-After your tenants meet the [Microsoft 365 Lighthouse onboarding requirements](m365-lighthouse-requirements.md), their status will show as **Active** in the tenant list.
+After your tenants meet the [Lighthouse onboarding requirements](m365-lighthouse-requirements.md), their status will show as **Active** in the tenant list.
-To access the tenant list in Microsoft 365 Lighthouse, select **Tenants** in the left navigation pane to open the Tenants page.
+To access the tenant list in Lighthouse, select **Tenants** in the left navigation pane to open the Tenants page.
## Tenant status
The following table shows the different status messages and their meaning.<br><b
| Ineligible, license | Tenant does not have required license. | | Inactive | Tenant is no longer active. |
-Once you inactivate a tenant, you can't take action on the tenant while Microsoft 365 Lighthouse completes the inactivation process. It may take up to 48 hours for inactivation to complete.
+Once you inactivate a tenant, you can't take action on the tenant while Lighthouse completes the inactivation process. It may take up to 48 hours for inactivation to complete.
If you decide to reactivate a tenant, it may take up to 48 hours for data to reappear. ## Tenant tags
-You can tag your customer tenants with a custom label within Microsoft 365 Lighthouse. These tags can be used to organize your tenants and can also help you easily filter the existing views and insights available to relevant sets of customer tenants. You can also manage your tags and which tenants they're assigned to from the Tenants page.
+You can tag your customer tenants with a custom label within Lighthouse. These tags can be used to organize your tenants and can also help you easily filter the existing views and insights available to relevant sets of customer tenants. You can also manage your tags and which tenants they're assigned to from the Tenants page.
## Related content
lighthouse M365 Lighthouse Win365 Page Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-win365-page-overview.md
Windows 365 is a cloud-based service that lets Microsoft Endpoint Manager (MEM)
For more information about Windows 365, see [What is Windows 365?](/windows-365/overview) For a list of Windows 365 requirements, see [Requirements for Windows 365](/windows-365/requirements). > [!IMPORTANT]
-> You must go to [MEM](https://go.microsoft.com/fwlink/p/?linkid=2150463) to provision Cloud PCs for each customer tenant before you can manage them in Microsoft 365 Lighthouse. You can't provision from within Microsoft 365Lighthouse.
+> You must go to [MEM](https://go.microsoft.com/fwlink/p/?linkid=2150463) to provision Cloud PCs for each customer tenant before you can manage them in Lighthouse. You can't provision from within Lighthouse.
Once you've provisioned Cloud PCs for your customer tenant, the Windows 365 card on the Microsoft 365 Home page provides a brief alert on the Cloud PCs in need of action, such as the number of Cloud PCs that failed to provision and on-premises network connection failures. To get a detailed status, select the button on the Windows 365 card (or select **Windows 365** in the left navigation pane) to open the Windows 365 page. From this page, you can get a status overview of the Cloud PCs assigned to your customer tenants, view a list of all the Cloud PCs you manage and the tenants they're assigned to, and view the on-premises network connections between your customer tenants and Azure Active Directory (Azure AD) and their status.
managed-desktop Privacy Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/privacy-personal-data.md
Microsoft Managed Desktop stores its data in the Azure data centers in the Unite
Microsoft Managed Desktop Engineering Operations and Security Operations teams are located in the United States and India.
-## Microsoft Windows 10 diagnostic data
+### Microsoft Windows 10 diagnostic data
Microsoft Managed Desktop uses [Windows 10 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, troubleshoot problems, and make product improvements. The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Microsoft Managed Desktop and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. See [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) for more information about the Windows 10 diagnostic data setting and data collection.
Microsoft Managed Desktop only processes and stores system-level data from Windo
For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
-## Microsoft Windows Update for Business
+### Microsoft Windows Update for Business
Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Microsoft Managed Desktop leverages this data and uses it to mitigate and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence.
-## Microsoft Azure Active Directory
+### Microsoft Azure Active Directory
Identifying data used by Microsoft Managed Desktop is stored by Azure Active Directory (Azure AD) in a geographical location based on the location provided by the organization when subscribing to Microsoft online services, such as Microsoft Apps for enterprise and Azure. Identifying data used by Microsoft Managed Desktop is stored by Azure AD in a geographical location based on the location provided by the organization when subscribing to Microsoft online services such as Microsoft Apps for enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9)
-## Microsoft Intune
+### Microsoft Intune
Microsoft Intune collects, processes, and shares data to Microsoft Managed Desktop to support business operations and services. See [Data collection in Intune](/mem/intune/protect/privacy-data-collect) for more information about the data collected in Intune. For more information on Microsoft Intune data locations, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations). Intune respects the storage location selections made by the administrator for customer data.
-## Microsoft Defender for Endpoint
+### Microsoft Defender for Endpoint
Microsoft Defender for Endpoint collects and stores information for devices enrolled in Microsoft Managed Desktop for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, size, and hashes), process data (running processes, hashes), registry data, network connection data, and device details (such as device identifiers, device names, and the operating system version). See [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy#what-data-does-microsoft-defender-atp-collect) for more information on Microsoft Defender for EndpointΓÇÖs data collection and storage locations.
-## Microsoft 365 Apps for enterprise
+### Microsoft 365 Apps for enterprise
Microsoft 365 Apps for enterprise collects and shares data with Microsoft Managed Desktop to ensure those apps are up to date with the latest version based on predefined update channels managed by Microsoft Managed Desktop. See [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy#what-data-does-microsoft-defender-atp-collect) for more information on Microsoft 365 Apps's data collection and storage locations. ## Major data change notification
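Review bot: the unchanged Azure AD paragraph in this hunk (the line after `+### Microsoft Azure Active Directory`) states the same sentence twice, once with "Azure Active Directory (Azure AD)" and once with "Azure AD"; drop the second copy. In the Microsoft 365 Apps for enterprise paragraph, the sentence "See [Microsoft Defender for Endpoint data storage and privacy](...) for more information on Microsoft 365 Apps's data collection and storage locations" links to the Defender for Endpoint data storage article, which is a copy of the link from the preceding section and says nothing about Microsoft 365 Apps; point it at the Microsoft 365 Apps privacy documentation or remove the sentence, and write "Microsoft 365 Apps' data" rather than "Apps's".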
Microsoft Managed Desktop follows a change control process as outlined in our se
## Compliance Microsoft Managed Desktop has undergone external audits and obtained a comprehensive set of compliance offerings. You can find more information in Microsoft Managed Desktop [Compliance](/microsoft-365/managed-desktop/intro/compliance). Audit reports are available for download at the Microsoft [Service Trust Portal](https://aka.ms/stp), which serves as a central repository for Microsoft Enterprise Online Services. (Microsoft Managed Desktop is listed within these documents under the category ΓÇ£Monitoring and Management.ΓÇ¥)
-## Data Subject Rights
-
+### Data subject requests
Microsoft Managed Desktop follows GDPR and CCPA privacy regulations, which give data subjects specific rights to their personal data. These rights include obtaining copies of personal data, requesting corrections to it, restricting the processing of it, deleting it, or receiving it in an electronic format so it can be moved to another controller. For more information about Data Subject Requests (DSRs) generally, see [Data Subject Requests and the GDPR and CCPA](/compliance/regulatory/gdpr-data-subject-requests).
-To exercise Data Subject Rights (DSRs) on data collected by the Microsoft Managed Desktop case management system, see the following:
+To exercise data subject requests on data collected by the Microsoft Managed Desktop case management system, see the following:
- Data from Microsoft Defender for Endpoint alerts: Your security administrator can request deletion or extraction of personal data related to Microsoft Defender for Endpoint alerts by submitting a report request at the [Admin Portal](https://aka.ms/memadmin). In the request, select request type **Change request**, category **Security**, and subcategory **Other**. Provide the relevant device names in the request description. - Data from Microsoft Managed Desktop support requests: Your IT administrator can request deletion or extraction of personal data related support requests by submitting a report request at the [Admin Portal](https://aka.ms/memadmin). In the request, select request type **Change request**, category **Security**, and subcategory **Other**. Provide the relevant device names or user names in the request description.
scheduler Scheduler Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/scheduler/scheduler-overview.md
After a user sends a meeting request to Cortana, the Scheduler service:
## Pricing and licensing
-Learn more: [Scheduler for Microsoft 365 licensing](https://wwww.microsoft.com/microsoft-365/meeting-scheduler-pricing)
+Learn more: [Scheduler for Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/meeting-scheduler-pricing)
>[Note: >Meeting attendees do not need a Scheduler or Microsoft 365 license. <br>The Scheduler assistant mailbox does not require a Microsoft 365 or a Scheduler license.
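Review bot: the callout after the licensing link is malformed. `>[Note: >Meeting attendees do not need a Scheduler or Microsoft 365 license. <br>The Scheduler assistant mailbox ...` will render as a plain blockquote that begins with the literal text "[Note:"; it should open with `> [!NOTE]` on its own line, followed by `> `-prefixed lines, as the other callouts in this set of commits do, and the `<br>` should become a second `> ` line.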
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
####### [Alert methods and properties](alerts.md) ####### [List alerts](get-alerts.md) ####### [Create alert](create-alert-by-reference.md)
+####### [Batch update alerts](batch-update-alerts.md)
####### [Update Alert](update-alert.md) ####### [Get alert information by ID](get-alert-info-by-id.md) ####### [Get alert related domains information](get-alert-related-domain-info.md)
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
Depending on the Microsoft security products that you use, some advanced feature
## Enable advanced features
-1. In the navigation pane, select **Settings** > **Endpoints** > **Advanced features**.
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Advanced features**.
2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. 3. Click **Save preferences**.
Turn on this feature so that users with the appropriate permissions can start a
For more information about role assignments, see [Create and manage roles](user-roles.md). ## Live response for servers+ Turn on this feature so that users with the appropriate permissions can start a live response session on servers. For more information about role assignments, see [Create and manage roles](user-roles.md). - ## Live response unsigned script execution Enabling this feature allows you to run unsigned scripts in a live response session. ## Always remediate PUA
-Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software, which might be unexpected or unwanted.
-Turn on this feature so that potentially unwanted applications (PUA) are remediated on all devices in your tenant even if PUA protection is not configured on the devices. This will help protect users from inadvertently installing unwanted applications on their device. When turned off, remediation is dependent on the device configuration.
+Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software, which might be unexpected or unwanted.
+Turn on this feature so that potentially unwanted applications (PUA) are remediated on all devices in your tenant even if PUA protection is not configured on the devices. This will help protect users from inadvertently installing unwanted applications on their device. When turned off, remediation is dependent on the device configuration.
## Restrict correlation to within scoped device groups
-This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization
->[!NOTE]
->Changing this setting impacts future alert correlations only.
+
+This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access. By turning on this setting, an incident composed of alerts that cross device groups will no longer be considered a single incident. The local SOC can then take action on the incident because they have access to one of the device groups involved. However, global SOC will see several different incidents by device group instead of one incident. We don't recommend turning on this setting unless doing so outweighs the benefits of incident correlation across the entire organization.
+
+> [!NOTE]
+> Changing this setting impacts future alert correlations only.
## Enable EDR in block mode
-Endpoint detection and response (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.
+Endpoint detection and response (EDR) in block mode provides protection from malicious artifacts, even when Microsoft Defender Antivirus is running in passive mode. When turned on, EDR in block mode blocks malicious artifacts or behaviors that are detected on a device. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post breach.
## Autoresolve remediated alerts
-For tenants created on or after Windows 10, version 1809, the automated investigation, and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
+For tenants created on or after Windows 10, version 1809, the automated investigation, and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
> [!TIP] > For tenants created prior to that version, you'll need to manually turn this feature on from the [Advanced features](https://security.microsoft.com//preferences2/integration) page.
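Review bot: two points in this hunk. The "Live response unsigned script execution" entry says only that the toggle "allows you to run unsigned scripts in a live response session"; on a page of security settings it should also say what that trades away (it lifts the signing requirement that otherwise applies to scripts run through live response) and recommend leaving it off unless unsigned scripts are actually needed. In the "Autoresolve remediated alerts" paragraph, "the automated investigation, and remediation capability" has a stray comma, and "For tenants created on or after Windows 10, version 1809" ties a tenant creation date to an OS release; state the date or release the default applies from, or simply say the default applies to newer tenants and that the tip below covers older ones.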
This feature enables you to block potentially malicious files in your network. B
To turn **Allow or block** files on:
-1. In the navigation pane, select **Settings** > **Endpoints** > **General** > **Advanced features** > **Allow or block file**.
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **General** \> **Advanced features** \> **Allow or block file**.
1. Toggle the setting between **On** and **Off**.
-
+ :::image type="content" source="../../media/alloworblockfile.png" alt-text="Image of advanced settings for block file feature"::: 1. Select **Save preferences** at the bottom of the page.
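Review bot: the alt text "Image of advanced settings for block file feature" should describe the content without the "Image of" prefix, which screen readers already announce; something like "Advanced features page showing the Allow or block file toggle" tells the reader what the screenshot actually shows.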
This feature is available if your organization uses Microsoft Defender Antivirus
Keep tamper protection turned on to prevent unwanted changes to your security solution and its essential features. - ## Show user details
-Turn on this feature so that you can see user details stored in Azure Active Directory. Details include a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
+Turn on this feature so that you can see user details stored in Azure Active Directory. Details include a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
- Security operations dashboard - Alert queue
Turn on this feature so that you can see user details stored in Azure Active Dir
For more information, see [Investigate a user account](investigate-user.md). - ## Skype for Business integration Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
Out of the two Microsoft Threat Expert components, targeted attack notification
> [!NOTE] > The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).+ ## Microsoft Cloud App Security Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud
Forwards Microsoft Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the device's security posture. Forwarded data is stored and processed in the same location as your Microsoft Secure Score data. - ### Enable the Microsoft Defender for Endpoint integration from the Microsoft Defender for Identity portal To receive contextual device integration in Microsoft Defender for Identity, you'll also need to enable the feature in the Microsoft Defender for Identity portal.
After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page. ## Web content filtering+ Block access to websites containing unwanted content and track web activity across all domains. To specify the web content categories you want to block, create a [web content filtering policy](https://security.microsoft.com/preferences2/web_content_filtering_policy). Ensure you've network protection in block mode when deploying the [Microsoft Defender for Endpoint security baseline](https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Workflows/SecurityBaselineSummaryMenu/overview/templateType/2). ## Share endpoint alerts with Microsoft Compliance Center+ Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data. After configuring the [Security policy violation indicators](/microsoft-365/compliance/insider-risk-management-settings#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users. -- ## Microsoft Intune connection Defender for Endpoint can be integrated with [Microsoft Intune](/intune/what-is-intune) to [enable device risk-based conditional access](/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement.
This feature is only available if you've the following:
- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5) - An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](/azure/active-directory/devices/concept-azure-ad-join/). - ### Conditional Access policy When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It shouldn't be deleted.
Helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Using onboarded devices, you can find unmanaged devices in your network and assess vulnerabilities and risks. For more information, see [Device discovery](device-discovery.md). > [!NOTE]
-> You can always apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.
+> You can always apply filters to exclude unmanaged devices from the device inventory list. You can also use the onboarding status column on API queries to filter out unmanaged devices.
## Preview features
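Review bot: "you've" is used as a contraction of the main verb "have" in two places in this patch, `Ensure you've network protection in block mode` (Web content filtering) and `This feature is only available if you've the following:` (Microsoft Intune connection); that contraction only works as an auxiliary, so both should read "you have". The sections also open inconsistently: Microsoft Secure Score and the Compliance Center sharing section start with a subject-less `Forwards ...`, while the Cloud App Security section starts with `Enabling this setting forwards ...`; pick one form for all of them.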
security Advanced Hunting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-overview.md
We recommend going through several steps to quickly get up and running with adva
|**Learn how to use the query results**|Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information.|[Work with query results](advanced-hunting-query-results.md)| |**Understand the schema**|Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries.|[Schema reference](advanced-hunting-schema-reference.md)| |**Use predefined queries**|Explore collections of predefined queries covering different threat hunting scenarios.|[Shared queries](advanced-hunting-shared-queries.md)|
-|**Optimize queries and handle errors**|Understand how to create efficient and error-free queries.|- [Query best practices](advanced-hunting-best-practices.md)<br>- [Handle errors](advanced-hunting-errors.md)|
-|**Get the most complete coverage**|Use audit settings to provide better data coverage for your organization.|- [Extend advanced hunting coverage](advanced-hunting-extend-data.md)|
-|**Run a quick investigation**|Quickly run an advanced hunting query to investigate suspicious activity.|- [Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md)|
-|**Contain threats and address compromises**|Respond to attacks by quarantining files, restricting app execution, and other actions|- [Take action on advanced hunting query results](advanced-hunting-take-action.md)|
-|**Create custom detection rules**|Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically.|- [Custom detections overview](overview-custom-detections.md)<br>- [Custom detection rules](custom-detection-rules.md)|
+|**Optimize queries and handle errors**|Understand how to create efficient and error-free queries.|[Query best practices](advanced-hunting-best-practices.md) <p> [Handle errors](advanced-hunting-errors.md)|
+|**Get the most complete coverage**|Use audit settings to provide better data coverage for your organization.|[Extend advanced hunting coverage](advanced-hunting-extend-data.md)|
+|**Run a quick investigation**|Quickly run an advanced hunting query to investigate suspicious activity.|[Quickly hunt for entity or event information with *go hunt*](advanced-hunting-go-hunt.md)|
+|**Contain threats and address compromises**|Respond to attacks by quarantining files, restricting app execution, and other actions|[Take action on advanced hunting query results](advanced-hunting-take-action.md)|
+|**Create custom detection rules**|Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically.|[Custom detections overview](overview-custom-detections.md) <p> [Custom detection rules](custom-detection-rules.md)|
| - ## Data freshness and update frequency Advanced hunting data can be categorized into two distinct types, each consolidated differently.
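Review bot: the bare `|` that precedes `## Data freshness and update frequency` reads as a leftover table row and should be dropped so the table ends cleanly before the heading. The added rows also switch from the `<br>` the removed rows used to `<p>` for stacking two links in one cell (`[Query best practices](advanced-hunting-best-practices.md) <p> [Handle errors](advanced-hunting-errors.md)` and the Custom detections row); the other tables in this change set stay with `<br>`, so keep one convention unless the extra paragraph spacing is deliberate.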
security Alerts Queue Endpoint Detection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response.md
Title: Alerts queue in Microsoft 365 Defender-+ description: View and manage the alerts surfaced in Microsoft 365 Defender
-keywords:
+keywords:
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
ms.technology: mde
Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.

## In this section
-Topic | Description
-:|:
-[View and organize the Alerts queue](alerts-queue.md) | Shows a list of alerts that were flagged in your network.
-[Manage alerts](manage-alerts.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert.
-[Investigate alerts](investigate-alerts.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
-[Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behavior, or event.
-[Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behavior, or event.
-[Investigate an IP address](investigate-ip.md) | Examine possible communication between devices in your network and external internet protocol (IP) addresses.
-[Investigate a domain](investigate-domain.md) | Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain.
-[Investigate a user account](investigate-user.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
-
+Topic|Description
+:|:
+[View and organize the Alerts queue](alerts-queue.md)|Shows a list of alerts that were flagged in your network.
+[Manage alerts](manage-alerts.md)|Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert.
+[Investigate alerts](investigate-alerts.md)|Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
+[Investigate files](investigate-files.md)|Investigate the details of a file associated with a specific alert, behavior, or event.
+[Investigate devices](investigate-machines.md)|Investigate the details of a device associated with a specific alert, behavior, or event.
+[Investigate an IP address](investigate-ip.md)|Examine possible communication between devices in your network and external internet protocol (IP) addresses.
+[Investigate a domain](investigate-domain.md)|Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain.
+[Investigate a user account](investigate-user.md)|Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
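Review bot: the "Manage alerts" row carries a number-agreement problem this whitespace-only hunk could have picked up: `Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert.` mixes plural "alerts" with "its" and "it". Suggest "Learn how you can manage alerts, such as changing an alert's status, assigning it to a security operations member, and viewing its history."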
security Alerts Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue.md
The **Alerts queue** shows a list of alerts that were flagged from devices in yo
> [!NOTE]
> The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
-There are several options you can choose from to customize the alerts queue view.
+There are several options you can choose from to customize the alerts queue view.
On the top navigation you can: - Select grouped view or list view-- Customize columns to add or remove columns
+- Customize columns to add or remove columns
- Select the items to show per page
- Navigate between pages
- Apply filters
You can apply the following filters to limit the list of alerts and get a more f
### Severity
-Alert severity | Description
-:|:
-High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
-Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
-Low </br>(Yellow) | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
-Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
+Alert severity|Description
+|
+High <br> (Red)|Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
+Medium <br> (Orange)|Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
+Low <br> (Yellow)|Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
+Informational <br> (Grey)|Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
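Review bot: the new delimiter row drops the left-alignment markers the old one had (`-:|:` becomes `+|`), so the rendered column alignment may change; keep the colons unless that is intended. While the rows are being touched, the Low cell's `For example, hack-tools, non-malware hack tools, such as running exploration commands` says "hack tools" twice and reads cleaner as "For example, non-malware hack tools, such as running exploration commands, clearing logs, etc.", and in the Medium row `it requires investigation` should be "they require investigation" since the subject is "alerts".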
#### Understanding alert severity
The Defender for Endpoint alert severity represents the severity of the detected
So, for example: - The severity of a Defender for Endpoint alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage.-- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat.
+- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will keep the previous category names.
-The table below lists the current categories and how they generally map to previous categories.
-
-| New category | API category name | Detected threat activity or component |
-|-||--|
-| Collection | Collection | Locating and collecting data for exfiltration |
-| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
-| Credential access | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network |
-| Defense evasion | DefenseEvasion | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
-| Discovery | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
-| Execution | Execution | Launching attacker tools and malicious code, including RATs and backdoors |
-| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
-| Exploit | Exploit | Exploit code and possible exploitation activity |
-| Initial access | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
-| Lateral movement | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence |
-| Malware | Malware | Backdoors, trojans, and other types of malicious code |
-| Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
-| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
-| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
-| Suspicious activity | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack |
-| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
+The table below lists the current categories and how they generally map to previous categories.
+
+|New category|API category name|Detected threat activity or component|
+||||
+|Collection|Collection|Locating and collecting data for exfiltration.|
+|Command and control|CommandAndControl|Connecting to attacker-controlled network infrastructure to relay data or receive commands.|
+|Credential access|CredentialAccess|Obtaining valid credentials to extend control over devices and other resources in the network.|
+|Defense evasion|DefenseEvasion|Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits.|
+|Discovery|Discovery|Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers.|
+|Execution|Execution|Launching attacker tools and malicious code, including RATs and backdoors.|
+|Exfiltration|Exfiltration|Extracting data from the network to an external, attacker-controlled location.|
+|Exploit|Exploit|Exploit code and possible exploitation activity.|
+|Initial access|InitialAccess|Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails.|
+|Lateral movement|LateralMovement|Moving between devices in the target network to reach critical resources or gain network persistence.|
+|Malware|Malware|Backdoors, trojans, and other types of malicious code.|
+|Persistence|Persistence|Creating autostart extensibility points (ASEPs) to remain active and survive system restarts.|
+|Privilege escalation|PrivilegeEscalation|Obtaining higher permission levels for code by running it in the context of a privileged process or account.|
+|Ransomware|Ransomware|Malware that encrypts files and extorts payment to restore access.|
+|Suspicious activity|SuspiciousActivity|Atypical activity that could be malware activity or part of an attack.|
+|Unwanted software|UnwantedSoftware|Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs).|
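Review bot: the intro sentence `The table below lists the current categories and how they generally map to previous categories.` promises a mapping to the previous category names, but the table's columns are New category, API category name and Detected threat activity or component, with no previous-category column. Either reword it to "The table below lists the current categories, their API names, and the activity each covers." or add the column the sentence refers to.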
### Status
You can choose between showing alerts that are assigned to you or automation.
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
->[!NOTE]
->The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
-
-| Detection source | API value |
-|--|-|
-| 3rd party sensors | ThirdPartySensors |
-| Antivirus | WindowsDefenderAv |
-| Automated investigation | AutomatedInvestigation |
-| Custom detection | CustomDetection |
-| Custom TI | CustomerTI |
-| EDR | WindowsDefenderAtp |
-| Microsoft 365 Defender | MTP |
-| Microsoft Defender for Office 365 | OfficeATP |
-| Microsoft Threat Experts | ThreatExperts |
-| SmartScreen | WindowsDefenderSmartScreen |
+> [!NOTE]
+> The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
+
+|Detection source|API value|
+|||
+|3rd party sensors|ThirdPartySensors|
+|Antivirus|WindowsDefenderAv|
+|Automated investigation|AutomatedInvestigation|
+|Custom detection|CustomDetection|
+|Custom TI|CustomerTI|
+|EDR|WindowsDefenderAtp|
+|Microsoft 365 Defender|MTP|
+|Microsoft Defender for Office 365|OfficeATP|
+|Microsoft Threat Experts|ThreatExperts|
+|SmartScreen|WindowsDefenderSmartScreen|
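Review bot: the row `|Custom TI|CustomerTI|` pairs the filter label "Custom TI" with an API value spelled "CustomerTI". If that spelling is the real enum value, a short note that the API value intentionally differs from the label would keep readers from "correcting" it in API queries; if it is a typo, this hunk is the place to fix it.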
### OS platform
Limit the alerts queue view by selecting the OS platform that you're interested
### Device group
-If you have specific device groups that you're interested in checking, you can select the groups to limit the alerts queue view.
+If you have specific device groups that you're interested in checking, you can select the groups to limit the alerts queue view.
### Associated threat
security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts.md
[!include[Improve request performance](../../includes/improve-request-performance.md)] - ## Methods
-Method |Return Type |Description
-:|:|:
-[Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
-[List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection.
-[Update alert](update-alert.md) | [Alert](alerts.md) | Update specific [alert](alerts.md).
-[Batch update alerts](batch-update-alerts.md) | | Update a batch of [alerts](alerts.md).
-[Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
-[List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert.
-[List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md).
-[List related IPs](get-alert-related-ip-info.md) | IP collection | List IPs that are associated with the alert.
-[Get related machines](get-alert-related-machine-info.md) | [Machine](machine.md) | The [machine](machine.md) that is associated with the [alert](alerts.md).
-[Get related users](get-alert-related-user-info.md) | [User](user.md) | The [user](user.md) that is associated with the [alert](alerts.md).
+<br>
+
+****
+
+|Method|Return Type|Description|
+||||
+|[Get alert](get-alert-info-by-id.md)|[Alert](alerts.md)|Get a single [alert](alerts.md) object.|
+|[List alerts](get-alerts.md)|[Alert](alerts.md) collection|List [alert](alerts.md) collection.|
+|[Update alert](update-alert.md)|[Alert](alerts.md)|Update specific [alert](alerts.md).|
+|[Batch update alerts](batch-update-alerts.md)||Update a batch of [alerts](alerts.md).|
+|[Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).|
+|[List related domains](get-alert-related-domain-info.md)|Domain collection|List URLs associated with the alert.|
+|[List related files](get-alert-related-files-info.md)|[File](files.md) collection|List the [file](files.md) entities that are associated with the [alert](alerts.md).|
+|[List related IPs](get-alert-related-ip-info.md)|IP collection|List IPs that are associated with the alert.|
+|[Get related machines](get-alert-related-machine-info.md)|[Machine](machine.md)|The [machine](machine.md) that is associated with the [alert](alerts.md).|
+|[Get related users](get-alert-related-user-info.md)|[User](user.md)|The [user](user.md) that is associated with the [alert](alerts.md).|
+|
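Review bot: the `<br>` and `****` lines inserted before the table and the bare `|` after it (`+|`) look like leftovers rather than intended content: `****` renders as a horizontal rule directly above the table, and a trailing lone `|` can be parsed as an extra empty row. The "Batch update alerts" row also has an empty Return Type cell; state what the call returns (or "None") so the blank does not read as an omission.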
## Properties
-Property | Type | Description
-:|:|:
-id | String | Alert ID.
-title | String | Alert title.
-description | String | Alert description.
-alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
-lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device.
-firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
-lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
-resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-incidentId | Nullable Long | The [Incident](view-incidents-queue.md) ID of the Alert.
-investigationId | Nullable Long | The [Investigation](automated-investigations.md) ID related to the Alert.
-investigationState | Nullable Enum | The current state of the [Investigation](automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
-assignedTo | String | Owner of the alert.
-rbacGroupName | String | RBAC device group name.
-mitreTechniques | String | Mitre Enterprise technique ID.
-relatedUser | String | Details of user related to a specific alert.
-severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
-status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
-classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
-determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
-category| String | Category of the alert.
-detectionSource | String | Detection source.
-threatFamilyName | String | Threat family.
-threatName | String | Threat name.
-machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
-computerDnsName | String | [machine](machine.md) fully qualified name.
-aadTenantId | String | The Azure Active Directory ID.
-detectorId | String | The ID of the detector that triggered the alert.
-comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time.
-Evidence | List of Alert evidence | Evidence related to the alert. See example below.
+<br>
+
+****
+
+|Property|Type|Description|
+||||
+|id|String|Alert ID.|
+|title|String|Alert title.|
+|description|String|Alert description.|
+|alertCreationTime|Nullable DateTimeOffset|The date and time (in UTC) the alert was created.|
+|lastEventTime|Nullable DateTimeOffset|The last occurrence of the event that triggered the alert on the same device.|
+|firstEventTime|Nullable DateTimeOffset|The first occurrence of the event that triggered the alert on that device.|
+|lastUpdateTime|Nullable DateTimeOffset|The date and time (in UTC) the alert was last updated.|
+|resolvedTime|Nullable DateTimeOffset|The date and time in which the status of the alert was changed to 'Resolved'.|
+|incidentId|Nullable Long|The [Incident](view-incidents-queue.md) ID of the Alert.|
+|investigationId|Nullable Long|The [Investigation](automated-investigations.md) ID related to the Alert.|
+|investigationState|Nullable Enum|The current state of the [Investigation](automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.|
+|assignedTo|String|Owner of the alert.|
+|rbacGroupName|String|RBAC device group name.|
+|mitreTechniques|String|Mitre Enterprise technique ID.|
+|relatedUser|String|Details of user related to a specific alert.|
+|severity|Enum|Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.|
+|status|Enum|Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.|
+|classification|Nullable Enum|Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.|
+|determination|Nullable Enum|Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.|
+|category|String|Category of the alert.|
+|detectionSource|String|Detection source.|
+|threatFamilyName|String|Threat family.|
+|threatName|String|Threat name.|
+|machineId|String|ID of a [machine](machine.md) entity that is associated with the alert.|
+|computerDnsName|String|[machine](machine.md) fully qualified name.|
+|aadTenantId|String|The Azure Active Directory ID.|
+|detectorId|String|The ID of the detector that triggered the alert.|
+|comments|List of Alert comments|Alert Comment object contains: comment string, createdBy string and createTime date time.|
+|Evidence|List of Alert evidence|Evidence related to the alert. See example below.|
+|
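Review bot: same `<br>` / `****` / trailing `|` leftovers as in the Methods table above. In the rows, `Evidence` is the only property not written in the camelCase used for every other JSON property name, so it should probably be `evidence`; `classification|Nullable Enum|Specification of the alert.` should read "Classification of the alert."; and `mitreTechniques|String|Mitre Enterprise technique ID.` describes a plural-named property as a single ID, so confirm whether it holds a list of technique IDs and document it that way.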
### Response example for getting single alert:
security Analyzer Feedback https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-feedback.md
ms.technology: m365d
-# Provide feedback on the Microsoft Defender for Endpoint client analyzer tool
+# Provide feedback on the Microsoft Defender for Endpoint client analyzer tool
**Applies to:**

- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-If you have feedback or suggestions that would help us improve the Microsoft Defender for Endpoint client analyzer, please use either of these options to submit feedback:
+If you have feedback or suggestions that would help us improve the Microsoft Defender for Endpoint client analyzer, please use either of these options to submit feedback:
-1. Microsoft Defender for Endpoint portal (securitycenter.windows.com):
+1. Microsoft Defender for Endpoint portal (securitycenter.windows.com):
![Image of smiley feedback icon](images/3e2db5015cd4f47436b4765b2303f4f5.png)
-2. Microsoft 365 Defender portal (security.microsoft.com):
+2. Microsoft 365 Defender portal (security.microsoft.com):
![Image of give feedback button](images/1d5b3c010b4b5c0e9d5eb43f71fa95e3.png)
security Analyzer Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-report.md
ms.localizationpriority: medium audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
ms.technology: m365d
failing to reach one of the required Microsoft Defender for Endpoint URLs:
![Image of client analyzer result](images/147cbcf0f7b6f0ff65d200bf3e4674cb.png) -- On the top the script version and script runtime are listed for reference
+- On the top the script version and script runtime are listed for reference
+- The **Device Information** section provides basic OS and device identifiers to uniquely identify the device on which the analyzer has run.
+- The **Endpoint Security Details** provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor process. If important processes are not online as expected, the color will change to red.
-- The **Device Information** section provides basic OS and device identifiers
- to uniquely identify the device on which the analyzer has run.
+ ![Image of client analyzer detailed result](images/85f56004dc6bd1679c3d2c063e36cb80.png)
-- The **Endpoint Security Details** provides general information about Microsoft Defender for Endpoint-related processes including Microsoft Defender Antivirus and the sensor
- process. If important processes are not online as expected, the color will change to red.
-
-![Image of client analyzer detailed result](images/85f56004dc6bd1679c3d2c063e36cb80.png)
--- On **Check Results Summary** you will have an aggregated count for error,
- warning, or informational events detected by the analyzer.
--- On the **Detailed Results** you will see a list (sorted by severity) with
- the results and the guidance based on the observations made by the analyzer.
+- On **Check Results Summary** you will have an aggregated count for error, warning, or informational events detected by the analyzer.
+- On the **Detailed Results** you will see a list (sorted by severity) with the results and the guidance based on the observations made by the analyzer.
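Review bot: The rewritten bullet "The **Endpoint Security Details** provides general information ..." drops the word "section" that the parallel bullet "The **Device Information** section provides ..." directly above it keeps; make it "The **Endpoint Security Details** section provides ...". The same bullet says the colour changes to red when "important processes are not online as expected" after naming only Microsoft Defender Antivirus and the sensor process; stating whether those two are the full set the check covers would let an admin act on a red result without guessing which process to look at.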
## Open a support ticket to Microsoft and include the Analyzer results
-To include analyzer result files [when opening a support
-ticket](contact-support.md#open-a-service-request),
-make sure you use the **Attachments** section and include the
+To include analyzer result files [when opening a support ticket](contact-support.md#open-a-service-request), make sure you use the **Attachments** section and include the
`MDEClientAnalyzerResult.zip` file: ![Image of attachment prompt](images/508c189656c3deb3b239daf811e33741.png) > [!NOTE]
-> If the file size is larger than 25 MB, the support engineer assigned to your
-case will provide a dedicated secure workspace to upload large files for
-analysis.
+> If the file size is larger than 25 MB, the support engineer assigned to your case will provide a dedicated secure workspace to upload large files for analysis.
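Review bot: The attachment step tells admins to upload `MDEClientAnalyzerResult.zip` without saying what the archive contains, even though the report sections described above include device identifiers and the state of the Defender-related processes; add a sentence that the file carries device-identifying data and should only be supplied through the case **Attachments** section or the dedicated secure workspace the note mentions for files over 25 MB, not through other channels.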
security Android Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance ms.technology: mde
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-## Conditional Access with Defender for Endpoint on Android
-Microsoft Defender for Endpoint on Android along with Microsoft Intune and Azure Active
-Directory enables enforcing Device compliance and Conditional Access policies
-based on device risk levels. Defender for Endpoint is a Mobile Threat Defense
-(MTD) solution that you can deploy to leverage this capability via Intune.
+## Conditional Access with Defender for Endpoint on Android
-For more information about how to set up Defender for Endpoint on Android and Conditional Access, see [Defender for Endpoint and
-Intune](/mem/intune/protect/advanced-threat-protection).
+Microsoft Defender for Endpoint on Android along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune.
-## Configure custom indicators
+For more information about how to set up Defender for Endpoint on Android and Conditional Access, see [Defender for Endpoint and Intune](/mem/intune/protect/advanced-threat-protection).
+
+## Configure custom indicators
> [!NOTE] > Defender for Endpoint on Android only supports creating custom indicators for IP addresses and URLs/domains.
Defender for Endpoint on Android enables admins to configure custom indicators t
Defender for Endpoint on Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center. > [!NOTE]
-> Defender for Endpoint on Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
-For more information, see [Configure web protection on devices that run Android](/mem/intune/protect/advanced-threat-protection-manage-android).
+> Defender for Endpoint on Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
+> For more information, see [Configure web protection on devices that run Android](/mem/intune/protect/advanced-threat-protection-manage-android).
## Related topics+ - [Overview of Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md) - [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md)
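Review bot: "Defender for Endpoint on Android would use a VPN in order to provide the Web Protection feature" should read "uses a VPN"; the conditional makes the VPN sound optional, whereas the point of the note is that web protection always relies on the local, self-looping VPN that keeps traffic on the device. The new version also moves "For more information, see [Configure web protection on devices that run Android]" inside the `> [!NOTE]` blockquote, where the old text had it as a standalone paragraph; if the link is meant to cover the whole web-protection feature rather than only the VPN caveat, keep it as its own paragraph after the note.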
security Android Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
![Image of Microsoft Endpoint Manager Admin Center notification of defender endpoint app](images/86cbe56f88bb6e93e9c63303397fc24f.png)
-5. In the app information page that is displayed, in the **Monitor** section,
-select **Device install status** to verify that the device installation has
-completed successfully.
+5. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully.
> [!div class="mx-imgBorder"] > ![Image of Microsoft Endpoint Manager Admin Center device install](images/513cf5d59eaaef5d2b5bc122715b5844.png)
completed successfully.
![Icon on mobile device](images/7cf9311ad676ec5142002a4d0c2323ca.jpg)
-2. Tap the Microsoft Defender for Endpoint app icon and follow the on-screen instructions
-to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint on Android.
+2. Tap the Microsoft Defender for Endpoint app icon and follow the on-screen instructions to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint on Android.
-3. Upon successful onboarding, the device will start showing up on the Devices
-list in Microsoft Defender Security Center.
+3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center.
![Image of device in Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
list in Microsoft Defender Security Center.
Defender for Endpoint on Android supports Android Enterprise enrolled devices.
-For more information on the enrollment options supported by Intune, see
-[Enrollment Options](/mem/intune/enrollment/android-enroll).
+For more information on the enrollment options supported by Intune, see [Enrollment Options](/mem/intune/enrollment/android-enroll).
**Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**
For more information on the enrollment options supported by Intune, see
Follow the steps below to add Microsoft Defender for Endpoint app into your managed Google Play.
-1. In [Microsoft Endpoint Manager admin
-center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
-**Android Apps** \> **Add** and select **Managed Google Play app**.
+1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> **Android Apps** \> **Add** and select **Managed Google Play app**.
> [!div class="mx-imgBorder"] > ![Image of Microsoft Endpoint Manager admin center managed google play](images/579ff59f31f599414cedf63051628b2e.png)
-2. On your managed Google Play page that loads subsequently, go to the search
-box and lookup **Microsoft Defender.** Your search should display the Microsoft
-Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result.
+2. On your managed Google Play page that loads subsequently, go to the search box and lookup **Microsoft Defender.** Your search should display the Microsoft Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result.
![Image of Microsoft Endpoint Manager admin center Apps search](images/0f79cb37900b57c3e2bb0effad1c19cb.png)
-3. In the App description page that comes up next, you should be able to see app
-details on Defender for Endpoint. Review the information on the page and then
-select **Approve**.
+3. In the App description page that comes up next, you should be able to see app details on Defender for Endpoint. Review the information on the page and then select **Approve**.
> [!div class="mx-imgBorder"] > ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png)
obtains for it to work. Review them and then select **Approve**.
![A screenshot of Defender for Endpoint preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png)
-5. You'll be presented with the Approval settings page. The page confirms
-your preference to handle new app permissions that Defender for Endpoint on
-Android might ask. Review the choices and select your preferred option. Select
-**Done**.
+5. You'll be presented with the Approval settings page. The page confirms your preference to handle new app permissions that Defender for Endpoint on Android might ask. Review the choices and select your preferred option. Select **Done**.
By default, managed Google Play selects *Keep approved when app requests new permissions*
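Review bot: Step 5 only asks the admin to "Review the choices and select your preferred option", while the following line states that managed Google Play defaults to *Keep approved when app requests new permissions*. That default lets a later app update obtain any newly requested permission without a second approval, so the step should spell out the trade-off and point admins with stricter permission governance to the other option, under which new permission requests come back for approval before they take effect.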
Defender for Endpoint to your apps list.
> [!div class="mx-imgBorder"] > ![Image of android auto grant create app configuration policy](images/android-auto-grant.png)
- 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
+ 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
> [!div class="mx-imgBorder"] > ![Image of the create app configuration policy](images/android-select-group.png)
- 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**. <br>
+ 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
The app configuration policy for Defender for Endpoint autogranting the storage permission is now assigned to the selected user group.
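Review bot: The reflowed **Assignments** line keeps the broken parallelism of the old one: "Click **Select groups to include** and selecting the applicable group and then selecting **Next**" should read "select **Select groups to include**, choose the applicable group, and then select **Next**". The same sentence doubles the preposition in "the user group to which this app config policy would be assigned to"; drop the trailing "to".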
Defender for Endpoint to your apps list.
Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding.
-1. On **Devices**, select **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise**
+1. On **Devices**, select **Configuration Profiles** \> **Create Profile** \> **Platform** \> **Android Enterprise**
Select **Device restrictions** under one of the following, based on your device enrollment type: - **Fully Managed, Dedicated, and Corporate-Owned Work Profile**
The device configuration profile is now assigned to the selected user group.
![Image of devices configuration profile Review and Create](images/5autosetupofvpn.png)
-## Complete onboarding and check status
+## Check status and complete onboarding
-1. Confirm the installation status of Microsoft Defender for Endpoint on Android by
-clicking on the **Device Install Status**. Verify that the device is
-displayed here.
+1. Confirm the installation status of Microsoft Defender for Endpoint on Android by clicking on the **Device Install Status**. Verify that the device is displayed here.
> [!div class="mx-imgBorder"] > ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png)
-2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
+2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png)
-3. When the app is installed, open the app and accept the permissions
-and then your onboarding should be successful.
+3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful.
![Image of mobile device with Microsoft Defender for Endpoint app](images/mda-devicesafe.png)
-4. At this stage the device is successfully onboarded onto Defender for Endpoint on Android. You can verify this on the [Microsoft Defender Security
-Center](https://securitycenter.microsoft.com)
-by navigating to the **Devices** page.
+4. At this stage the device is successfully onboarded onto Defender for Endpoint on Android. You can verify this on the [Microsoft Defender Security Center](https://securitycenter.microsoft.com) by navigating to the **Devices** page.
![Image of Microsoft Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
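Review bot: Renaming the heading from "Complete onboarding and check status" to "Check status and complete onboarding" changes its generated anchor, so any inbound link to the old `#complete-onboarding-and-check-status` anchor from other articles or the navigation breaks unless those references are updated in the same change. The new order does match the steps better, since steps 1 and 2 verify status before step 3 completes onboarding. Separately, step 2 reads "Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally owned devices with work profile**" as if that enrollment type were required; rephrase it as a conditional ("If the device is enrolled as ..., check the work profile; if it is a corporate-owned, fully managed user device, ...") so it reads consistently with the second sentence.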
security Android Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-privacy.md
ms.technology: mde
-# Microsoft Defender for Endpoint on Android - Privacy information
+# Microsoft Defender for Endpoint on Android - Privacy information
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
For more information on most common privacy questions about Microsoft Defender f
## Required Data
-Required data consists of data that is necessary to make Defender for Endpoint
-for Android work as expected. This data is essential to the operation of the
-service and can include data related to the end user, organization, device, and
-apps. Here's a list of the types of data being collected:
+Required data consists of data that is necessary to make Defender for Endpoint for Android work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected:
### App information
The following information is collected only for Microsoft Defender for Endpoint
## Optional Data
-Optional data includes diagnostic data and feedback data. Optional diagnostic
-data is additional data that helps us make product improvements and provides
-enhanced information to help us detect, diagnose, and fix issues. Optional
-diagnostic data includes:
+Optional data includes diagnostic data and feedback data. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. Optional diagnostic data includes:
- App, CPU, and network usage. - State of the device from the app perspective, including scan status, scan timings, app permissions granted, and upgrade status.
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
When onboarding a device, you might see sign in issues after the app is installe
During onboarding, you might encounter sign in issues after the app is installed on your device.
-This article provides solutions to help address the sign-on issues.
+This article provides solutions to help address the sign-on issues.
## Sign in failed - unexpected error+ **Sign in failed:** *Unexpected error, try later* ![Image of sign in failed error Unexpected error](images/f9c3bad127d636c1f150d79814f35d4c.png)
Phishing websites impersonate trustworthy websites for the purpose of obtaining
**Applies to:** Specific OEMs only -- **Xiaomi**
+- **Xiaomi**
Phishing and harmful web threats that are detected by Defender for Endpoint for Android are not blocked on some Xiaomi devices. The following functionality doesn't work on these devices. ![Image of site reported unsafe](images/0c04975c74746a5cdb085e1d9386e713.png) - **Cause:** Xiaomi devices include a new permission model. This prevents Defender for Endpoint
Enable the required permission on Xiaomi devices.
- Display pop-up windows while running in the background. - ## Unable to allow permission for 'Permanent protection' during onboarding on some OEM devices **Applies to:** Specific OEM devices only. -- **Xiaomi with Android 11**
+- **Xiaomi with Android 11**
Defender App asks for Battery Optimization/Permanent Protection permission on devices as part of app onboarding, and selecting **Allow** returns an error that the permission couldn't be set. It only affects the last permission called "Permanent Protection."
-
+ **Cause:**+ Xiomi changed the battery optimization permissions in Android 11. Defender is not allowed to configure this setting to ignore battery optimizations. **Solution:**+ We are working with OEM to find a solution to enable this permission from the app onboarding screen. We will update the documentation when this is resolved. Users can follow these steps to enable the same permissions from the device settings: 1. Go to **Settings** on your device.
-
+ 2. Search for and select **Battery Optimization**.
-
+ ![Search for and select "Battery Optimisation".](images/search-battery-optimisation.png) 3. In **Special app access**, select **Battery Optimization**.
-
+ ![In Special app access, select "Battery Optimisation".](images/special-app-access.png) 4. Change the Dropdown to show **All Apps**.
- ![Change dropdown to show "All Apps".](images/show-all-apps-2.png)
+ ![Step one to change the dropdown to show "All Apps".](images/show-all-apps-2.png)
- ![Change dropdown to show "All Apps".](images/show-all-apps-1.png)
+ ![Step two to change dropdown to show "All Apps".](images/show-all-apps-1.png)
5. Locate ΓÇ£Microsoft Defender EndpointΓÇ¥ and select **DonΓÇÖt Optimize**. ![Locate "Microsoft Defender Endpoint" and select "Don't Optimise".](images/select-dont-optimise.png) - Return to the Microsoft Defender Endpoint onboarding screen, select **Allow**, and you will be redirected to the dashboard screen.
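Review bot: "Xiomi changed the battery optimization permissions in Android 11" in the new **Cause** line misspells "Xiaomi", which the **Applies to** line above spells correctly. The new alt texts also mix "Battery Optimisation" and "Don't Optimise" with the "Battery Optimization" used in the step text itself; settle on one spelling so the screenshots and the instructions match.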
security Android Terms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-terms.md
ms.technology: mde
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) - ## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT
-These license terms ("Terms") are an agreement between Microsoft Corporation (or
-based on where you live, one of its affiliates) and you. Please read them. They
-apply to the application named above. These Terms also apply to any Microsoft
+These license terms ("Terms") are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the application named above. These Terms also apply to any Microsoft
-- updates,
+- updates,
+- supplements,
+- Internet-based services, and
+- support services
-- supplements,
+for this application, unless other terms accompany those items. If so, those terms apply.
-- Internet-based services, and
+**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, DO NOT USE THE APPLICATION.**
-- support services
+**If you comply with these Terms, you have the perpetual rights below.**
-for this application, unless other terms accompany those items. If so, those
-terms apply.
+1. **INSTALLATION AND USE RIGHTS.**
-**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
-DO NOT USE THE APPLICATION.**
+ 1. **Installation and Use.** You may install and use any number of copies of this application on Android enabled device or devices that you own or control.
-**If you comply with these Terms, you have the perpetual rights below.**
+ 2. **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full functionality. Some functionality may not be available in all countries.
+
+ 3. **Third-Party Programs.** The application may include third-party programs that Microsoft, not the third party, licenses to you under this agreement. Notices, if any, for the third-party program are included for your information only.
+
+2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to Internet access, data transfer, and other services per the terms of the data service plan and any other agreement you have with your network operator due to use of the application. You are solely responsible for any network operator charges.
+
+3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with the application. It may change or cancel them at any time.
+
+ 1. Consent for Internet-Based or Wireless Services. The application may connect to Internet-based wireless services. Your use of the application operates as your consent to the transmission of standard device information (including but not limited to technical information about your device, system and application software, and peripherals) for Internet-based or wireless services. If other terms are provided in connection with your use of the services, those terms also apply.
+
+ - Data. Some online services require, or may be enhanced by, the installation of local software like this one. At your, or your admin's direction, this software may send data from a device to or from an online service.
+
+ - Usage Data. Microsoft automatically collects usage and performance data over the internet. This data will be used to provide and improve Microsoft products and services and enhance your experience. You may limit or control collection of some usage and performance data through your device settings. Doing so may disrupt your use of certain features of the application. For more information about Microsoft data collection and use, see the [Online Services Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
+
+ 2. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it or the wireless network. You may not use the service to try to gain unauthorized access to any service, data, account, or network by any means.
+
+4. **FEEDBACK.** If you give feedback about the application to Microsoft, you give to Microsoft, without charge, the right to use, share, and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies, and services to use or interface with any specific parts of a Microsoft software or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.
-1. **INSTALLATION AND USE RIGHTS.**
-
- 1. **Installation and Use.** You may install and use any number of copies
- of this application on Android enabled device or devices that you own
- or control.
-
- 2. **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full
- functionality. Some functionality may not be available in all countries.
-
- 3. **Third-Party Programs.** The application may include third-party
- programs that Microsoft, not the third party, licenses to you under this
- agreement. Notices, if any, for the third-party program are included for
- your information only.
-
-2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
- Internet access, data transfer, and other services per the terms of the data
- service plan and any other agreement you have with your network operator due
- to use of the application. You are solely responsible for any network
- operator charges.
-
-3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
- the application. It may change or cancel them at any time.
-
- 1. Consent for Internet-Based or Wireless Services. The application may
- connect to Internet-based wireless services. Your use of the application
- operates as your consent to the transmission of standard device
- information (including but not limited to technical information about
- your device, system and application software, and peripherals) for
- Internet-based or wireless services. If other terms are provided in
- connection with your use of the services, those terms also apply.
-
- - Data. Some online services require, or may be enhanced by, the
- installation of local software like this one. At your, or your
- admin's direction, this software may send data from a device to or
- from an online service.
-
- - Usage Data. Microsoft automatically collects usage and performance
- data over the internet. This data will be used to provide and
- improve Microsoft products and services and enhance your experience.
- You may limit or control collection of some usage and performance
- data through your device settings. Doing so may disrupt your use of
- certain features of the application. For more information about
- Microsoft data collection and use, see the [Online Services
- Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
-
- 2. Misuse of Internet-based Services. You may not use any Internet-based
- service in any way that could harm it or impair anyone else's use of it
- or the wireless network. You may not use the service to try to gain
- unauthorized access to any service, data, account, or network by any
- means.
-
-4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
- give to Microsoft, without charge, the right to use, share, and commercialize
- your feedback in any way and for any purpose. You also give to third
- parties, without charge, any patent rights needed for their products,
- technologies, and services to use or interface with any specific parts of a
- Microsoft software or service that includes the feedback. You will not give
- feedback that is subject to a license that requires Microsoft to license its
- software or documentation to third parties because we include your feedback
- in them. These rights survive this agreement.
-
-5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
- only gives you some rights to use the application. Microsoft reserves all
- other rights. Unless applicable law gives you more rights despite this
- limitation, you may use the application only as expressly permitted in this
- agreement. In doing so, you must comply with any technical limitations in
- the application that only allow you to use it in certain ways. You may not
-
- - work around any technical limitations in the application;
-
- - reverse engineer, decompile or disassemble the application, except and
- only to the extent that applicable law expressly permits, despite this
- limitation;
-
- - make more copies of the application than specified in this agreement or
- allowed by applicable law, despite this limitation;
-
- - publish the application for others to copy;
-
- - rent, lease, or lend the application; or
-
- - transfer the application or this agreement to any third party.
-
-6. **EXPORT RESTRICTIONS.** The application is subject to United States export
- laws and regulations. You must comply with all domestic and international
- export laws and regulations that apply to the application. These laws
- include restrictions on destinations, end users, and end use. For more
- information,
+5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement only gives you some rights to use the application. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the application only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the application that only allow you to use it in certain ways. You may not
+
+ - work around any technical limitations in the application;
+
+ - reverse engineer, decompile or disassemble the application, except and only to the extent that applicable law expressly permits, despite this limitation;
+
+ - make more copies of the application than specified in this agreement or allowed by applicable law, despite this limitation;
+
+ - publish the application for others to copy;
+
+ - rent, lease, or lend the application; or
+
+ - transfer the application or this agreement to any third party.
+
+6. **EXPORT RESTRICTIONS.** The application is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the application. These laws include restrictions on destinations, end users, and end use. For more information,
see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
-7. **SUPPORT SERVICES.** Because this application is "as is," we may not
- provide support services for it. If you have any issues or questions about
- your use of this application, including questions about your company's
- privacy policy, contact your company's admin. Do not contact the
- application store, your network operator, device manufacturer, or Microsoft.
- The application store provider has no obligation to furnish support or
- maintenance with respect to the application.
+7. **SUPPORT SERVICES.** Because this application is "as is," we may not provide support services for it. If you have any issues or questions about your use of this application, including questions about your company's privacy policy, contact your company's admin. Do not contact the application store, your network operator, device manufacturer, or Microsoft. The application store provider has no obligation to furnish support or maintenance with respect to the application.
-8. **APPLICATION STORE.**
+8. **APPLICATION STORE.**
- 1. If you obtain the application through an application store (for example, Google
- Play), review the applicable application store terms to ensure
- your download and use of the application complies with such terms.
- Note that these Terms are between you and Microsoft and not with
- the application store.
+ 1. If you obtain the application through an application store (for example, Google Play), review the applicable application store terms to ensure your download and use of the application complies with such terms. Note that these Terms are between you and Microsoft and not with the application store.
- 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these
- Terms, the application store provider(s) will have the right to directly
- enforce and rely upon any provision of these Terms that grants them a
- benefit or rights.
+ 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these Terms, the application store provider(s) will have the right to directly enforce and rely upon any provision of these Terms that grants them a benefit or rights.
-9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender for Endpoint, and
- Microsoft 365 are registered or common-law trademarks of Microsoft
- Corporation in the United States and/or other countries.
+9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender for Endpoint, and Microsoft 365 are registered or common-law trademarks of Microsoft Corporation in the United States and/or other countries.
-10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
- Internet-based services, and support services that you use are the entire
- agreement for the application and support services.
+10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates, Internet-based services, and support services that you use are the entire agreement for the application and support services.
11. **APPLICABLE LAW.**
- 1. **United States.** If you acquired the application in the United States,
- Washington state law governs the interpretation of this agreement and
- applies to claims for breach of it, regardless of conflict of laws
- principles. The laws of the state where you live govern all other
- claims, including claims under state consumer protection laws, unfair
- competition laws, and in tort.
-
- 2. **Outside the United States.** If you acquired the application in any
- other country, the laws of that country apply.
-
-12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
- have other rights under the laws of your country. You may also have rights
- with respect to the party from whom you acquired the application. This
- agreement does not change your rights under the laws of your country if the
- laws of your country do not permit it to do so.
-
-13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
- FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
- WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
- EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
- EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
- APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
- APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
- ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
- CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
- THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
- IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NON-INFRINGEMENT.**
+ 1. **United States.** If you acquired the application in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
+
+ 2. **Outside the United States.** If you acquired the application in any other country, the laws of that country apply.
+
+12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the application. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
+
+13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.**
**FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
-14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
- PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
- ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
- DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
- INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
+14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
This limitation applies to: -- anything related to the application, services, content (including code) on
- third-party internet sites, or third-party programs; and
+- anything related to the application, services, content (including code) on third-party internet sites, or third-party programs; and
-- claims for breach of contract, warranty, guarantee, or condition; consumer
- protection; deception; unfair competition; strict liability, negligence,
- misrepresentation, omission, trespass, or other tort; violation of statute or
- regulation; or unjust enrichment; all to the extent permitted by applicable
- law.
+- claims for breach of contract, warranty, guarantee, or condition; consumer protection; deception; unfair competition; strict liability, negligence, misrepresentation, omission, trespass, or other tort; violation of statute or regulation; or unjust enrichment; all to the extent permitted by applicable law.
It also applies even if:
-a. Repair, replacement, or refund for the application does not fully compensate
- you for any losses; or
+a. Repair, replacement, or refund for the application does not fully compensate you for any losses; or
-b. Covered Parties knew or should have known about the possibility of the
- damages.
+b. Covered Parties knew or should have known about the possibility of the damages.
The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages.
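Review bot: the reflowed item 13 keeps the stray period in `LICENSED "AS-IS." "WITH ALL FAULTS,"`; the three quoted terms form one list, so it should read `"AS-IS," "WITH ALL FAULTS," AND "AS AVAILABLE."` Since this hunk rewrites the whole paragraph, fix the punctuation here rather than carrying it over. The `-`/`+` pair for `8. **APPLICATION STORE.**` shows no textual difference, so that part of the change is presumably trailing whitespace; say so in the commit message so reviewers do not have to guess.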
security Api Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-explorer.md
Title: API Explorer in Microsoft Defender for Endpoint-+ description: Use the API Explorer to construct and do API queries, test, and send requests for any available API keywords: api, explorer, send, request, get, post, search.product: eADQiWindows 10XVcnh
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -
-The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively.
+The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively.
The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Defender for Endpoint API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface.
With the API Explorer, you can:
## Access API Explorer
-From the left navigation menu, select **Partners & APIs** > **API Explorer**.
+From the left navigation menu, select **Partners & APIs** \> **API Explorer**.
## Supported APIs API Explorer supports all the APIs offered by Defender for Endpoint.
-
-The list of supported APIs is available in the [APIs documentation](apis-intro.md).
+
+The list of supported APIs is available in the [APIs documentation](apis-intro.md).
## Get started with the API Explorer
-1. In the left pane, there is a list of sample requests that you can use.
-2. Follow the links and click **Run query**.
+1. In the left pane, there is a list of sample requests that you can use.
+2. Follow the links and click **Run query**.
Some of the samples may require specifying a parameter in the URL, for example, {machine- ID}.
Credentials to access an API aren't needed. The API Explorer uses the Defender f
The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf.
-Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role.
+Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role.
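Review bot: every `-`/`+` pair in this hunk is textually identical (the opening sentence, the "list of supported APIs" line, the two numbered steps and the RBAC paragraph), so the change can only be whitespace or line endings; state that in the commit message, or drop the hunk if it is accidental. While the description and intro are being touched, "construct and do API queries" reads awkwardly; "construct and run API queries" would match the "Run query" wording in the steps below.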
security Api Hello World https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-hello-world.md
## Get Alerts using a simple PowerShell script ### How long it takes to go through this example?+ It only takes 5 minutes done in two steps:+ - Application registration - Use examples: only requires copy/paste of a short PowerShell script ### Do I need a permission to connect?+ For the Application registration stage, you must have a **Global administrator** role in your Azure Active Directory (Azure AD) tenant. ### Step 1 - Create an App in Azure Active Directory 1. Log on to [Azure](https://portal.azure.com) with your **Global administrator** user.
-2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
+2. Navigate to **Azure Active Directory** \> **App registrations** \> **New registration**.
![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png)
For the Application registration stage, you must have a **Global administrator**
4. Allow your Application to access Defender for Endpoint and assign it **'Read all alerts'** permission:
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
+ - On your application page, click **API Permissions** \> **Add permission** \> **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. ![Image of API access and API selection1](images/add-permission.png)
- - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
+ - Choose **Application permissions** \> **Alert.Read.All** > Click on **Add permissions**
![Image of API access and API selection2](images/application-permissions.png)
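Review bot: the `\>` escaping is applied inconsistently within this hunk: the new line for step 4 escapes the first three separators but leaves `**APIs my organization uses** > type` unescaped, and the `Application permissions` line escapes one separator and leaves `**Alert.Read.All** > Click` unescaped. Escape all of them as `\>`, as the other files in this commit do, so the breadcrumbs render identically.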
security Api Microsoft Flow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-microsoft-flow.md
The following example demonstrates how to create a Flow that is triggered any ti
1. Log in to [Microsoft Power Automate](https://flow.microsoft.com).
-2. Go to **My flows** > **New** > **Automated-from blank**.
+2. Go to **My flows** \> **New** \> **Automated-from blank**.
![Image of edit credentials2](images/api-flow-1.png)
security Api Portal Mapping https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-portal-mapping.md
Field numbers match the numbers in the images below.
> ||LogOnUsers|sourceUserId|contoso\liz-bean; contoso\jay-hardee|The domain and user of the interactive logon users at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available.| > ||InternalIPv4List|No mapping|192.168.1.7, 10.1.14.1|List of IPV4 internal IPs for active network interfaces.| > ||InternalIPv6List|No mapping|fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C|List of IPV6 internal IPs for active network interfaces.|
-||LinkToMTP|No mapping|`https://securitycenter.windows.com/alert/da637370718981685665_16349121`|Value available for every Detection.
-||IncidentLinkToMTP|No mapping|`"https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM`|Value available for every Detection.
-||IncidentLinkToWDATP|No mapping|`https://securitycenter.windows.com/preferences2/integration/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM`|Value available for every Detection.
+> ||LinkToMTP|No mapping|`https://securitycenter.windows.com/alert/da637370718981685665_16349121`|Value available for every Detection.
+> ||IncidentLinkToMTP|No mapping|`"https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM`|Value available for every Detection.
+> ||IncidentLinkToWDATP|No mapping|`https://securitycenter.windows.com/preferences2/integration/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM`|Value available for every Detection.
> |Internal field|LastProcessedTimeUtc|No mapping|2017-05-07T01:56:58.9936648Z|Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved.| > ||Not part of the schema|deviceVendor||Static value in the ArcSight mapping - 'Microsoft'.| > ||Not part of the schema|deviceProduct||Static value in the ArcSight mapping - 'Microsoft Defender ATP'.|
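Review bot: the new `> ` prefix on the three link rows fixes the blockquoted table, but the IncidentLinkToMTP row still carries a stray `"` inside the backticks (`` `"https://securitycenter.windows.com/incidents/byalert?...` ``), copied from the old line. Drop the quote so the sample value renders like the LinkToMTP and IncidentLinkToWDATP rows.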
security Api Power Bi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-power-bi.md
The first example demonstrates how to connect Power BI to Advanced Hunting API a
- Open Microsoft Power BI -- Click **Get Data** > **Blank Query**
+- Click **Get Data** \> **Blank Query**
![Image of create blank query](images/power-bi-create-blank-query.png)
The first example demonstrates how to connect Power BI to Advanced Hunting API a
![Image of edit credentials0](images/power-bi-edit-credentials.png) -- Select **Organizational account** > **Sign in**
+- Select **Organizational account** \> **Sign in**
![Image of set credentials1](images/power-bi-set-credentials-organizational.png)
security Apis Intro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/apis-intro.md
Title: Access the Microsoft Defender for Endpoint APIs-+ description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender for Endpoint capabilities keywords: apis, api, wdatp, open api, microsoft defender for endpoint api, microsoft defender atp, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh
MS.technology: mde
-# Access the Microsoft Defender for Endpoint APIs
+# Access the Microsoft Defender for Endpoint APIs
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
Defender for Endpoint exposes much of its data and actions through a set of prog
Watch this video for a quick overview of Defender for Endpoint's APIs.
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4d73M]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4d73M]
In general, you'll need to take the following steps to use the APIs:
You can access Defender for Endpoint API with **Application Context** or **User
Steps that need to be taken to access Defender for Endpoint API with application context: 1. Create an AAD Web-Application.
- 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
+ 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
3. Create a key for this Application. 4. Get token using the application with its key. 5. Use the token to access the Microsoft Defender for Endpoint API
You can access Defender for Endpoint API with **Application Context** or **User
Steps to take to access Defender for Endpoint API with application context: 1. Create AAD Native-Application.
- 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc.
+ 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc.
3. Get token using the application with user credentials. 4. Use the token to access the Microsoft Defender for Endpoint API
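Review bot: the second procedure is introduced as "Steps to take to access Defender for Endpoint API with application context", yet it describes the Native-Application flow that gets a token with user credentials, which is the **User Context** path named in the preceding context line; change the lead sentence to "user context". The rewritten step 2 of that procedure also keeps `e.g 'Read Alerts', 'Isolate Machines' etc.`; since the line is being touched anyway, align it with the first procedure's wording, `for example, 'Read Alerts', 'Isolate Machines'.`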
security Assign Portal Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/assign-portal-access.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink) Defender for Endpoint supports two ways to manage permissions:
Defender for Endpoint supports two ways to manage permissions:
> [!NOTE] > If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
->
-> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC. Only users assigned to the Defender for Endpoint administrator role can manage permissions using RBAC.
+>
+> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC. Only users assigned to the Defender for Endpoint administrator role can manage permissions using RBAC.
> - Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC. > - After switching to RBAC, you will not be able to switch back to using basic permissions management.
security Attack Simulations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-simulations.md
Read the walkthrough document provided with each attack scenario. Each document
## Run a simulation
-1. In **Endpoints** > **Evaluation & tutorials** > **Tutorials & simulations**, select which of the available attack scenarios you would like to simulate:
+1. In **Endpoints** \> **Evaluation & tutorials** \> **Tutorials & simulations**, select which of the available attack scenarios you would like to simulate:
- **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control. - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity. - **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity. 2. Download and read the corresponding walkthrough document provided with your selected scenario.
-3. Download the simulation file or copy the simulation script by navigating to **Evaluation & tutorials** > **Tutorials & simulations**. You can choose to download the file or script on the test device but it's not mandatory.
+3. Download the simulation file or copy the simulation script by navigating to **Evaluation & tutorials** \> **Tutorials & simulations**. You can choose to download the file or script on the test device but it's not mandatory.
4. Run the simulation file or script on the test device as instructed in the walkthrough document.
security Attack Surface Reduction Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules.md
Title: Attack surface reduction rules description: Lists details about attack surface reduction rules on a per-rule basis.
-keywords: Attack surface reduction rules, ASR, asr rules, hips, host intrusion prevention system, protection rules, anti-exploit rules, antiexploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules, ASR rule description
+keywords: Attack surface reduction rules, ASR, asr rules, hips, host intrusion prevention system, protection rules, anti-exploit rules, antiexploit, exploit rules, infection prevention rules, Microsoft Defender for Endpoint, configure ASR rules, ASR rule description
search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: manage
# Attack surface reduction rules
-This article provides information about attack reduction rules:
+This article provides information about attack reduction rules:
- [Supported operating system versions](#supported-operating-systems) - [Supported configuration management systems](#supported-configuration-management-systems)
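Review bot: the `+` line still reads "This article provides information about attack reduction rules:" with "surface" missing, identical to the line it replaces; since the line is being rewritten, correct it to "attack surface reduction rules" to match the title and the rest of the article.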
The following table lists attack surface reduction rules in alphabetical order.
> > - \* All rules support file and folder exclusions, unless stated otherwise.
-| Rule name | Windows&nbsp;10 | Windows&nbsp;Server 2019 | Windows&nbsp;Server | Windows&nbsp;Server 2016 | Windows&nbsp;Server 2012 R2 |
+|Rule name|Windows&nbsp;10|Windows&nbsp;Server 2019|Windows&nbsp;Server|Windows&nbsp;Server 2016|Windows&nbsp;Server 2012 R2|
||::|::|::|::|::|
-|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> version 1803 (Semi-Annual Channel) or later | | |
-|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | ![supported](images/checkmark.png) <br><br> version 1809 or later | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) <br><br> | | |
-|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) <br><br> | | |
-|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | ![supported](images/checkmark.png) <br><br> version 1803 or later | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | ![supported](images/checkmark.png) <br><br> version 1803 or later | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) <br><br> \* _File and folder exclusions not supported._ | ![supported](images/checkmark.png) <br><br> version 1903 (build 18362) or later| ![supported](images/checkmark.png) | ![supported](images/checkmark.png) <br><br> version 1903 (build 18362) or later | | |
-|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | ![supported](images/checkmark.png) <br><br> version 1803 or later | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | ![supported](images/checkmark.png) <br><br> version 1803 or later | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> | | |
-| **Rule name** | **Windows&nbsp;10** | **Windows&nbsp;Server 2019** | **Windows&nbsp;Server** | **Windows&nbsp;Server 2016** | **Windows&nbsp;Server 2012 R2** |
+|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br> version 1803 (Semi-Annual Channel) or later|||
+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes)|![supported](images/checkmark.png) <br><br> version 1809 or later|![supported](images/checkmark.png)|![supported](images/checkmark.png) <br><br>|||
+|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png)|![supported](images/checkmark.png) <br><br>|||
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem)|![supported](images/checkmark.png) <br><br> version 1803 or later|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)|![supported](images/checkmark.png) <br><br> version 1803 or later|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) <br><br> \* _File and folder exclusions not supported._|![supported](images/checkmark.png) <br><br> version 1903 (build 18362) or later|![supported](images/checkmark.png)|![supported](images/checkmark.png) <br><br> version 1903 (build 18362) or later|||
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands)|![supported](images/checkmark.png) <br><br> version 1803 or later|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware)|![supported](images/checkmark.png) <br><br> version 1803 or later|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br>|||
+|**Rule name**|**Windows&nbsp;10**|**Windows&nbsp;Server 2019**|**Windows&nbsp;Server**|**Windows&nbsp;Server 2016**|**Windows&nbsp;Server 2012 R2**|
## Supported configuration management systems Links to information about configuration management system versions referenced in this table are listed below this table.
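Review bot: the rewritten rows keep a trailing `<br><br>` in most cells that have nothing after the checkmark (for example the Windows 10 and Windows Server 2019 cells of "Block abuse of exploited vulnerable signed drivers") but not in others (the Windows Server 2019 cell of "Block Adobe Reader from creating child processes"), so the checkmarks render at different heights. Since every row is being reformatted here, drop `<br><br>` wherever no version note follows it and keep it only before text such as "version 1803 or later". Also confirm that the separator row, which appears here as `||::|::|::|::|::|`, really is `|---|:---:|:---:|:---:|:---:|:---:|` in the file; without the dashes Markdown will not render the block as a table. The same cleanup applies to the configuration management table that follows.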
-|Rule name | Intune | Microsoft Endpoint Manager | Microsoft Endpoint Configuration Manager | Group Policy | PowerShell |
+|Rule name|Intune|Microsoft Endpoint Manager|Microsoft Endpoint Configuration Manager|Group Policy|PowerShell|
||::|::|::|::|::|
-|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers) | ![supported](images/checkmark.png) <br><br> | ![supported](images/checkmark.png) <br><br> MEM OMA-URI | | | ![supported](images/checkmark.png) <br><br> |
-|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) | | |
-|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | | |
-|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 | | |
-|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | ![supported](images/checkmark.png) | |
-|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 | | |
-|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | | |
-|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | | |
-|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | ![supported](images/checkmark.png) <br><br> | | ![supported](images/checkmark.png) <br><br> CB 1710 <br><br> | | |
-|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | | |
-|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 | | |
-|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | | | | | |
-|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | ![supported](images/checkmark.png) | | | | |
-|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 <br><br> | | |
-|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1710 <br><br> | | |
-|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | ![supported](images/checkmark.png) | | ![supported](images/checkmark.png) <br><br> CB 1802 | | |
-| **Rule name** | **Intune** | **Microsoft Endpoint Manager** | **Microsoft Endpoint Configuration Manager** | **Group Policy** | **PowerShell** |
+|[Block abuse of exploited vulnerable signed drivers](#block-abuse-of-exploited-vulnerable-signed-drivers)|![supported](images/checkmark.png) <br><br>|![supported](images/checkmark.png) <br><br> MEM OMA-URI|||![supported](images/checkmark.png) <br><br>|
+|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes)|![supported](images/checkmark.png)||![supported](images/checkmark.png)|||
+|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1710|||
+|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1802|||
+|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1710|![supported](images/checkmark.png)||
+|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1802|||
+|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1710|||
+|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1710|||
+|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content)|![supported](images/checkmark.png) <br><br>||![supported](images/checkmark.png) <br><br> CB 1710 <br><br>|||
+|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1710|||
+|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1710|||
+|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription)||||||
+|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands)|![supported](images/checkmark.png)|||||
+|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1802 <br><br>|||
+|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1710 <br><br>|||
+|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware)|![supported](images/checkmark.png)||![supported](images/checkmark.png) <br><br> CB 1802|||
+|**Rule name**|**Intune**|**Microsoft Endpoint Manager**|**Microsoft Endpoint Configuration Manager**|**Group Policy**|**PowerShell**|
- [Configuration Manager CB 1710](/configmgr/core/servers/manage/updates) - [Configuration Manager CB 1802](/configmgr/core/servers/manage/updates)
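Review bot: the "Block persistence through WMI event subscription" row in the rewritten table ends `||||||`, so no management system is marked for it even though the OS table in this same change marks the rule as supported on Windows 10 version 1903 (build 18362) and later; either mark the systems that can deploy it or add a footnote stating that it cannot yet be configured through any of them, because an all-empty row reads as "not configurable" without saying so. The "Block abuse of exploited vulnerable signed drivers" row has the same ambiguity for the Configuration Manager and Group Policy cells, which are blank while Intune, MEM OMA-URI and PowerShell are checked.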
This rule prevents an application from writing a vulnerable signed driver to dis
The **Block abuse of exploited vulnerable signed drivers** rule does not block a driver already existing on the system from being loaded.
->[!NOTE]
+> [!NOTE]
> > You can configure this rule using MEM OMA-URI. See [MEM OMA-URI](enable-attack-surface-reduction.md#mem) for configuring custom rules. >
security Audit Windows Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/audit-windows-defender.md
localization_priority: Normal
audience: ITPro -+ ms.technology: mde
You can enable audit mode when testing how the features will work. This will hel
The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what affect the feature would have had if it was enabled.
-To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
+To find the audited entries, go to **Applications and Services** \> **Microsoft** \> **Windows** \> **Windows Defender** \> **Operational**.
Use Defender for Endpoint to get greater details for each event, especially for investigating attack surface reduction rules. Using the Defender for Endpoint console lets you [investigate issues as part of the alert timeline and investigation scenarios](investigate-alerts.md).
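Review bot: "see what affect the feature would have had if it was enabled" in the paragraph above the event-log path should read "what effect the feature would have had"; since this hunk already touches the surrounding paragraph, fix the typo here.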
You can enable audit mode using Group Policy, PowerShell, and configuration serv
> [!TIP] > You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
-| Audit options | How to enable audit mode | How to view events |
-||||
-| Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
-| Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
-| Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
-| Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
+|Audit options|How to enable audit mode|How to view events|
+||||
+|Audit applies to all events|[Enable controlled folder access](enable-controlled-folders.md)|[Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
+|Audit applies to individual rules|[Enable attack surface reduction rules](enable-attack-surface-reduction.md)|[Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
+|Audit applies to all events|[Enable network protection](enable-network-protection.md)|[Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
+|Audit applies to individual mitigations|[Enable exploit protection](enable-exploit-protection.md)|[Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
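Review bot: the four rewritten data rows drop the closing `|` that the header row `|Audit options|How to enable audit mode|How to view events|` keeps; close each row with `|` so this table matches the other tables reformatted in this change set.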
security Auto Investigation Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/auto-investigation-action-center.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
ms.technology: mde
# Visit the Action center to see remediation actions
-During and after an automated investigation, remediation actions for threat detections are identified. Depending on the particular threat and how [Microsoft Defender for Endpoint](/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically, and others require approval. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center**.
+During and after an automated investigation, remediation actions for threat detections are identified. Depending on the particular threat and how [Microsoft Defender for Endpoint](/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically, and others require approval. If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center**.
**Applies to:**
We are pleased to announce a new, unified Action center ([https://security.micro
The following table compares the new, unified Action center to the previous Action center.
-|The new, unified Action center |The previous Action center |
-|||
-|Lists pending and completed actions for devices and email in one location <br/>([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) plus [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp))|Lists pending and completed actions for devices <br/> ([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) only) |
-|Is located at:<br/>[https://security.microsoft.com/action-center](https://security.microsoft.com/action-center) |Is located at:<br/>[https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center) |
-| In the Microsoft 365 security center, choose **Action center**. <p>:::image type="content" source="images/action-center-nav-new.png" alt-text="Navigating to the Action Center in the Microsoft 365 security center"::: | In the Microsoft Defender Security Center, choose **Automated investigations** > **Action center**. <p>:::image type="content" source="images/action-center-nav-old.png" alt-text="Navigating to the Action center from the Microsoft Defender Security Center"::: |
+|The new, unified Action center|The previous Action center|
+|||
+|Lists pending and completed actions for devices and email in one location <br/>([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) plus [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp))|Lists pending and completed actions for devices <br> ([Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) only)|
+|Is located at:<br/><https://security.microsoft.com/action-center>|Is located at:<br/><https://securitycenter.windows.com/action-center>|
+|In the Microsoft 365 security center, choose **Action center**. <p>:::image type="content" source="images/action-center-nav-new.png" alt-text="Navigating to the Action Center in the Microsoft 365 security center":::|In the Microsoft Defender Security Center, choose **Automated investigations** \> **Action center**. <p>:::image type="content" source="images/action-center-nav-old.png" alt-text="Navigating to the Action center from the Microsoft Defender Security Center":::|
-The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience.
+The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience.
You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:+ - [Defender for Endpoint](microsoft-defender-endpoint.md) - [Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp)-- [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection)
+- [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection)
> [!TIP] > To learn more, see [Requirements](/microsoft-365/security/mtp/prerequisites).
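Review bot: the "Lists pending and completed actions for devices" cell now uses `<br>` while the cell beside it and the rest of the table use `<br/>`; pick one form for the whole table.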
You can use the unified Action center if you have appropriate permissions and on
## Using the Action center To get to the unified Action center in the improved Microsoft 365 security center:
-1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-2. In the navigation pane, select **Action center**.
+
+1. Go to the Microsoft 365 security center (<https://security.microsoft.com>) and sign in.
+2. In the navigation pane, select **Action center**.
When you visit the Action center, you see two tabs: **Pending actions** and **History**. The following table summarizes what you'll see on each tab:
-|Tab |Description |
-|||
-|**Pending** | Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as **Quarantine file**). <br/>**TIP**: Make sure to [review and approve (or reject) pending actions](manage-auto-investigation.md) as soon as possible so that your automated investigations can complete in a timely manner. |
-|**History** | Serves as an audit log for actions that were taken, such as: <br/>- Remediation actions that were taken as a result of automated investigations <br>- Remediation actions that were approved by your security operations team <br/>- Commands that were run and remediation actions that were applied during Live Response sessions <br/>- Remediation actions that were taken by threat protection features in Microsoft Defender Antivirus <p>Provides a way to undo certain actions (see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions)). |
+|Tab|Description|
+|||
+|**Pending**|Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as **Quarantine file**). <p> **TIP**: Make sure to [review and approve (or reject) pending actions](manage-auto-investigation.md) as soon as possible so that your automated investigations can complete in a timely manner.|
+|**History**|Serves as an audit log for actions that were taken, such as: <ul><li>Remediation actions that were taken as a result of automated investigations</li><li>Remediation actions that were approved by your security operations team</li><li>Commands that were run and remediation actions that were applied during Live Response sessions</li><li>Remediation actions that were taken by threat protection features in Microsoft Defender Antivirus</li></ul> <p> Provides a way to undo certain actions (see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions)).|
You can customize, sort, filter, and export data in the Action center.
You can customize, sort, filter, and export data in the Action center.
- Choose the columns that you want to view. - Specify how many items to include on each page of data. - Use filters to view just the items you want to see.-- Select **Export** to export results to a .csv file.
+- Select **Export** to export results to a .csv file.
## Next steps - [View and approve remediation actions](manage-auto-investigation.md) - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
-
+ ## See also - [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
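Review bot: the added `## See also` line carries a leading space before `##`; markdown still renders it as a heading, but the other headings in this file are flush left, so drop the space.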
security Autoir Investigation Results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/autoir-investigation-results.md
ms.technology: mde
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security
+f1.keywords:
- NOCSH localization_priority: Normal audience: ITPro-+ - M365-security-compliance - m365initiative-m365-defender
**Applies to:** - Microsoft Defender for Endpoint
-With Microsoft Defender for Endpoint, when an [automated investigation](automated-investigations.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the necessary permissions, you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions.
+With Microsoft Defender for Endpoint, when an [automated investigation](automated-investigations.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the necessary permissions, you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions.
## (NEW!) Unified investigation page
-The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp).
+The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) and [Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp).
> [!TIP] > To learn more about what's changing, see [(NEW!) Unified investigation page](/microsoft-365/security/mtp/mtp-autoir-results).
You can open the investigation details view by using one of the following method
The improved [Action center](auto-investigation-action-center.md) brings together [remediation actions](manage-auto-investigation.md#remediation-actions) across your devices, email & collaboration content, and identities. Listed actions include remediation actions that were taken automatically or manually. In the Action center, you can view actions that are awaiting approval and actions that were already approved or completed. You can also navigate to more details, such as an investigation page.
-1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
-2. In the navigation pane, choose **Action center**.
+1. Go to <https://security.microsoft.com> and sign in.
+2. In the navigation pane, choose **Action center**.
3. On either the **Pending** or **History** tab, select an item. Its flyout pane opens. 4. Review the information in the flyout pane, and then take one of the following steps: - Select **Open investigation page** to view more details about the investigation.
The improved [Action center](auto-investigation-action-center.md) brings togethe
Use an incident details page to view detailed information about an incident, including alerts that were triggered information about any affected devices, user accounts, or mailboxes.
-1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
-2. In the navigation pane, choose **Incidents & alerts** > **Incidents**.
+1. Go to <https://security.microsoft.com> and sign in.
+2. In the navigation pane, choose **Incidents & alerts** \> **Incidents**.
3. Select an item in the list, and then choose **Open incident page**. 4. Select the **Investigations** tab, and then select an investigation in the list. Its flyout pane opens.
-5. Select **Open investigation page**.
+5. Select **Open investigation page**.
## Investigation details
In the Investigation details view, you can see information on the **Investigatio
> [!NOTE] > The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription does not include Microsoft Defender for Office 365 Plan 2, you won't see a **Mailboxes** tab.
-| Tab | Description |
-|:--|:--|
-| **Investigation graph** | Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval.<br/>You can select an item on the graph to view more details. For example, selecting the **Evidence** icon takes you to the **Evidence** tab, where you can see detected entities and their verdicts. |
-| **Alerts** | Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Cloud App Security, and other Microsoft 365 Defender features.|
-| **Devices** | Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to the [automation level for device groups](automation-levels.md).) |
-| **Mailboxes** |Lists mailboxes that are impacted by detected threats. |
-| **Users** | Lists user accounts that are impacted by detected threats. |
-| **Evidence** | Lists pieces of evidence raised by alerts/investigations. Includes verdicts (*Malicious*, *Suspicious*, or *No threats found*) and remediation status. |
-| **Entities** | Provides details about each analyzed entity, including a verdict for each entity type (*Malicious*, *Suspicious*, or *No threats found*).|
-|**Log** | Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.|
-| **Pending actions** | Lists items that require approval to proceed. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) to approve pending actions. |
+|Tab|Description|
+|||
+|**Investigation graph**|Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval. <p> You can select an item on the graph to view more details. For example, selecting the **Evidence** icon takes you to the **Evidence** tab, where you can see detected entities and their verdicts.|
+|**Alerts**|Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Cloud App Security, and other Microsoft 365 Defender features.|
+|**Devices**|Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to the [automation level for device groups](automation-levels.md).)|
+|**Mailboxes**|Lists mailboxes that are impacted by detected threats.|
+|**Users**|Lists user accounts that are impacted by detected threats.|
+|**Evidence**|Lists pieces of evidence raised by alerts/investigations. Includes verdicts (*Malicious*, *Suspicious*, or *No threats found*) and remediation status.|
+|**Entities**|Provides details about each analyzed entity, including a verdict for each entity type (*Malicious*, *Suspicious*, or *No threats found*).|
+|**Log**|Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.|
+|**Pending actions**|Lists items that require approval to proceed. Go to the Action center (<https://security.microsoft.com/action-center>) to approve pending actions.|
## See also - [Review remediation actions following an automated investigation](manage-auto-investigation.md)-- [View and organize the Microsoft Defender for Endpoint Incidents queue](view-incidents-queue.md)
+- [View and organize the Microsoft Defender for Endpoint Incidents queue](view-incidents-queue.md)
security Automated Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automated-investigations.md
Last updated 02/02/2021
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - Want to see how it works? Watch the following video: > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh]
This article provides an overview of AIR and includes links to next steps and ad
An automated investigation can start when an alert is triggered or when a security operator initiates the investigation.
+<br>
+
+****
+ |Situation|What happens| ||| |An alert is triggered|In general, an automated investigation starts when an [alert](review-alerts.md) is triggered, and an [incident](view-incidents-queue.md) is created. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and incident is created. An automated investigation process begins on the device. As other alerts are generated because of the same file on other devices, they are added to the associated incident and to the automated investigation.| |An investigation is started manually|An automated investigation can be started manually by your security operations team. For example, suppose a security operator is reviewing a list of devices and notices that a device has a high risk level. The security operator can select the device in the list to open its flyout, and then select **Initiate Automated Investigation**.|
+|
## How an automated investigation expands its scope
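Review bot: in the "An alert is triggered" row, "an alert is triggered, and incident is created" is missing the article; it should read "and an incident is created".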
As alerts are triggered, and an automated investigation runs, a verdict is gener
- *Suspicious*; or - *No threats found*.
-As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. To learn more, see [Remediation actions](manage-auto-investigation.md#remediation-actions).
+As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. To learn more, see [Remediation actions](manage-auto-investigation.md#remediation-actions).
-Depending on the [level of automation](automation-levels.md) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include [protection from potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA).
+Depending on the [level of automation](automation-levels.md) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Additional security settings that can affect automatic remediation include [protection from potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (PUA).
All remediation actions, whether pending or completed, are tracked in the [Action center](auto-investigation-action-center.md). If necessary, your security operations team can undo a remediation action. To learn more, see [Review and approve remediation actions following an automated investigation](/microsoft-365/security/defender-endpoint/manage-auto-investigation).
security Automation Levels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automation-levels.md
Last updated 10/22/2020
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.
+Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.
+ - *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. - *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in [Levels of automation](#levels-of-automation).)-- All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+- All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
> [!TIP] > For best results, we recommend using full automation when you [configure AIR](configure-automated-investigations-remediation.md). Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives.
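Review bot: the Action Center reference in the added bullets (`Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com))`) points at an external portal URL, while every other Action Center reference in this article, including the table rows below, links the in-repo topic `auto-investigation-action-center.md`; use the topic link here as well so the reference stays consistent and does not break when the portal URL changes.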
Automated investigation and remediation (AIR) capabilities in Microsoft Defender
The following table describes each level of automation and how it works.
-|Automation level | Description|
-|:|:|
-|**Full - remediate threats automatically** <br/>(also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.<br/><br/>***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* |
-|**Semi - require approval for any remediation** <br/>(also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>*This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined.*|
-|**Semi - require approval for core folders remediation** <br/>(also a type of *semi-automation*) | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).<br/><br/>Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. <br/><br/>Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <br/><br/>Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. |
-|**Semi - require approval for non-temp folders remediation** <br/>(also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders. <br/><br/>Temporary folders can include the following examples: <br/>- `\users\*\appdata\local\temp\*`<br/>- `\documents and settings\*\local settings\temp\*` <br/>- `\documents and settings\*\local settings\temporary\*`<br/>- `\windows\temp\*`<br/>- `\users\*\downloads\*`<br/>- `\program files\` <br/>- `\program files (x86)\*`<br/>- `\documents and settings\*\users\*`<br/><br/>Remediation actions can be taken automatically on files or executables that are in temporary folders. <br/><br/>Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.<br/><br/>Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab. |
-|**No automated response** <br/>(also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.<br/><br/>***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](/microsoft-365/security/defender-endpoint/machine-groups)*. |
+<br>
+
+****
+
+|Automation level|Description|
+|||
+|**Full - remediate threats automatically** <br> (also referred to as *full automation*)|With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone. <p> ***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*|
+|**Semi - require approval for any remediation** <br> (also referred to as *semi-automation*)|With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <p> *This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined.*|
+|**Semi - require approval for core folders remediation** <br> (also a type of *semi-automation*)|With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). <p> Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. <p> Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <p> Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.|
+|**Semi - require approval for non-temp folders remediation** <br> (also a type of *semi-automation*)|With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders. <p> Temporary folders can include the following examples: <ul><li>`\users\*\appdata\local\temp\*`</li><li>`\documents and settings\*\local settings\temp\*`</li><li>`\documents and settings\*\local settings\temporary\*`</li><li>`\windows\temp\*`</li><li>`\users\*\downloads\*`</li><li>`\program files\`</li><li>`\program files (x86)\*`</li><li>`\documents and settings\*\users\*`</li></ul> <p> Remediation actions can be taken automatically on files or executables that are in temporary folders. <p> Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab. <p> Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab.|
+|**No automated response** <br> (also referred to as *no automation*)|With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured. <p> ***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](/microsoft-365/security/defender-endpoint/machine-groups).|
+|
## Important points about automation levels
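Review bot: the rebuilt table ends with a stray single-pipe line (`+|`) that will render as an empty or broken row; drop it. Two smaller points in the same hunk: the delimiter row `|||` contains no dashes, which GitHub-flavored Markdown requires (`|---|---|`), so confirm the docs renderer accepts it before merging; and in the non-temp folders row `\program files\` is the only path without the trailing `*` that the other entries carry, so either add the wildcard or state that the whole directory is meant.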
The following table describes each level of automation and how it works.
- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. -- If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out.
+- If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out.
- You can keep your default automation settings, or change them according to your organizational needs. To change your settings, [set your level of automation](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation#set-up-device-groups). ## Next steps - [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md)- - [Visit the Action Center](/microsoft-365/security/defender-endpoint/auto-investigation-action-center#the-action-center)
security Basic Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/basic-permissions.md
ms.technology: mde
Refer to the instructions below to use basic permissions management. You can use either of the following solutions:+ - Azure PowerShell - Azure portal For granular control over permissions, [switch to role-based access control](rbac.md). ## Assign user access using Azure PowerShell+ You can assign users with one of the following levels of permissions:+ - Full access (Read and Write) - Read-only access ### Before you begin -- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
+- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
- > [!NOTE]
- > You need to run the PowerShell cmdlets in an elevated command-line.
+ > [!NOTE]
+ > You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information, see [Connect-MsolService](/powershell/module/msonline/connect-msolservice).
-**Full access** <br>
-Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
-Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" AAD built-in roles.
+ - **Full access**: Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" AAD built-in roles.
+ - **Read-only access**: Users with read-only access can log in, view all alerts, and related information.
-**Read-only access** <br>
-Users with read-only access can log in, view all alerts, and related information.
-They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
-Assigning read-only access rights requires adding the users to the "Security Reader" Azure AD built-in role.
+ They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
+
+ Assigning read-only access rights requires adding the users to the "Security Reader" Azure AD built-in role.
Use the following steps to assign security roles:
Use the following steps to assign security roles:
```PowerShell Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" ```
-
+ - For **read-only** access, assign users to the security reader role by using the following command: ```PowerShell
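Review bot: the **Full access** bullet offers either the "Security Administrator" or the "Global Administrator" role without preference; recommend Security Administrator as the least-privilege choice and note that Global Administrator grants rights far beyond Defender for Endpoint. The example `Add-MsolRoleMember -RoleName "Security Administrator"` already follows that, so the prose should match it. Also, the read-only bullet at the end of the hunk opens a PowerShell code fence with no command or closing fence visible; confirm the file is not left with an unterminated code block.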
security Cancel Machine Action https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cancel-machine-action.md
Title: Cancel machine action API description: Learn how to cancel an already launched machine action
-keywords: apis, graph api,
+keywords: apis, graph api,
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
localization_priority: normal audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
MS.technology: mde
started](apis-intro.md).
|Application|Machine.CollectForensics <br> Machine.Isolate <br> Machine.RestrictExecution <br> Machine.Scan <br> Machine.Offboard <br> Machine.StopAndQuarantine <br> Machine.LiveResponse|Collect forensics <br>Isolate machine<br>Restrict code execution<br> Scan machine<br> Offboard machine<br> Stop And Quarantine<br> Run live response on a specific machine| |Delegated (work or school account)|Machine.CollectForensics<br> Machine.Isolate <br>Machine.RestrictExecution<br> Machine.Scan<br> Machine.Offboard<br> Machine.StopAndQuarantineMachine.LiveResponse|Collect forensics<br> Isolate machine<br> Restrict code execution<br> Scan machine<br>Offboard machine<br> Stop And Quarantine<br> Run live response on a specific machine| - ## HTTP request
+```http
+POST https://api.securitycenter.microsoft.com/api/machineactions/<machineactionid>/cancel
```
-POST https://api.securitycenter.microsoft.com/api/machineactions/<machineactionid>/cancel
-```
- ## Request headers
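Review bot: the Delegated (work or school account) row runs two permissions together as `Machine.StopAndQuarantineMachine.LiveResponse`; a `<br>` is missing between `Machine.StopAndQuarantine` and `Machine.LiveResponse`, as the Application row has. The hunk also removes the `## Request headers` heading with no visible replacement; confirm the heading is restored, since the headers table that follows would otherwise lose its section. Moving the `http` tag onto the opening fence line is correct.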
security Check Sensor Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md
ms.technology: mde
The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device's ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues. There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service:+ - **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service and might have configuration errors that need to be corrected. - **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service for more than seven days in the past month.
Clicking any of the groups directs you to **Devices list**, filtered according t
![Screenshot of Devices with sensor issues tile](images/atp-devices-with-sensor-issues-tile.png) On **Devices list**, you can filter the health state list by the following status:+ - **Active** - Devices that are actively reporting to the Defender for Endpoint service. - **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues: - **No sensor data** - Devices has stopped sending sensor data. Limited alerts can be triggered from the device.
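Review bot: grammar in the **No sensor data** bullet: "Devices has stopped sending sensor data" should read "Device has stopped sending sensor data"; the neighbouring bullets use the plural "Devices that ..." form, so use one form consistently.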
On **Devices list**, you can filter the health state list by the following statu
You can also download the entire list in CSV format using the **Export** feature. For more information on filters, see [View and organize the Devices list](machines-view-overview.md).
->[!NOTE]
->Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
+> [!NOTE]
+> Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
![Screenshot of Devices list page](images/atp-devices-list-page.png) You can view the device details when you click on a misconfigured or inactive device. ## See also+ - [Fix unhealthy sensors in Defender for Endpoint](fix-unhealthy-sensors.md) - [Client analyzer overview](overview-client-analyzer.md) - [Download and run the client analyzer](download-client-analyzer.md)
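Review bot: the reformatted NOTE states that the CSV export includes all devices in the organization regardless of the filter applied; it would help to add that the file is therefore a complete device inventory (active, misconfigured and inactive devices alike) and should be stored and shared accordingly, since readers reach this note from a troubleshooting context where the export is likely to be passed around.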
security Client Behavioral Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md
audience: ITPro
ms.prod: m365-security localization_priority: Normal-+ - next-gen - edr-+ - m365-security-compliance - m365initiative-defender-endpoint ms.technology: mde
ms.technology: mde
## Overview
-Client behavioral blocking is a component of [behavioral blocking and containment capabilities](behavioral-blocking-containment.md) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically.
+Client behavioral blocking is a component of [behavioral blocking and containment capabilities](behavioral-blocking-containment.md) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically.
:::image type="content" alt-text="Cloud and client protection" source="images/pre-execution-and-post-execution-detection-engines.png" lightbox="images/pre-execution-and-post-execution-detection-engines.png":::
Antivirus protection works best when paired with cloud protection.
## How client behavioral blocking works
-[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
+[Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
Whenever a suspicious behavior is detected, an [alert](alerts-queue.md) is generated, and is visible in the [Microsoft 365 Defender portal](microsoft-defender-security-center.md) (formerly Microsoft 365 Defender).
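Review bot: the unchanged line right after this whitespace-only change reads "Microsoft 365 Defender portal (formerly Microsoft 365 Defender)", so the parenthetical names the same product it is meant to explain; replace it with the portal's actual former name or drop the parenthetical.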
Client behavioral blocking is effective because it not only helps prevent an att
Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed:
-|Tactic | Detection threat name |
-|-|-|
-|Initial Access | `Behavior:Win32/InitialAccess.*!ml` |
-|Execution | `Behavior:Win32/Execution.*!ml` |
-|Persistence | `Behavior:Win32/Persistence.*!ml` |
-|Privilege Escalation | `Behavior:Win32/PrivilegeEscalation.*!ml` |
-|Defense Evasion | `Behavior:Win32/DefenseEvasion.*!ml` |
-|Credential Access | `Behavior:Win32/CredentialAccess.*!ml` |
-|Discovery | `Behavior:Win32/Discovery.*!ml` |
-|Lateral Movement | `Behavior:Win32/LateralMovement.*!ml` |
-|Collection | `Behavior:Win32/Collection.*!ml` |
-|Command and Control | `Behavior:Win32/CommandAndControl.*!ml` |
-|Exfiltration | `Behavior:Win32/Exfiltration.*!ml` |
-|Impact | `Behavior:Win32/Impact.*!ml` |
-|Uncategorized | `Behavior:Win32/Generic.*!ml` |
+|Tactic|Detection threat name|
+|||
+|Initial Access|`Behavior:Win32/InitialAccess.*!ml`|
+|Execution|`Behavior:Win32/Execution.*!ml`|
+|Persistence|`Behavior:Win32/Persistence.*!ml`|
+|Privilege Escalation|`Behavior:Win32/PrivilegeEscalation.*!ml`|
+|Defense Evasion|`Behavior:Win32/DefenseEvasion.*!ml`|
+|Credential Access|`Behavior:Win32/CredentialAccess.*!ml`|
+|Discovery|`Behavior:Win32/Discovery.*!ml`|
+|Lateral Movement|`Behavior:Win32/LateralMovement.*!ml`|
+|Collection|`Behavior:Win32/Collection.*!ml`|
+|Command and Control|`Behavior:Win32/CommandAndControl.*!ml`|
+|Exfiltration|`Behavior:Win32/Exfiltration.*!ml`|
+|Impact|`Behavior:Win32/Impact.*!ml`|
+|Uncategorized|`Behavior:Win32/Generic.*!ml`|
> [!TIP] > To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**.
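Review bot: the rebuilt table's delimiter row `|||` has no dashes; GitHub-flavored Markdown requires at least one `-` per cell (`|---|---|`), and the replaced row `|-|-|` was valid, so confirm the docs build still renders this as a table. The threat-name column is a useful detection reference because each `Behavior:Win32/<Tactic>.*!ml` pattern maps to one ATT&CK tactic; a sentence stating that the `*` stands for the specific detection name would make that explicit for readers building queries on these names.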
Behavior-based detections are named according to the [MITRE ATT&CK Matrix for En
If your organization is using Defender for Endpoint, client behavioral blocking is enabled by default. However, to benefit from all Defender for Endpoint capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Defender for Endpoint are enabled and configured: - [Defender for Endpoint baselines](configure-machines-security-baseline.md)- - [Devices onboarded to Defender for Endpoint](onboard-configure.md)- - [EDR in block mode](edr-in-block-mode.md)- - [Attack surface reduction](attack-surface-reduction.md)- - [Next-generation protection](configure-microsoft-defender-antivirus-features.md) (antivirus, antimalware, and other threat protection capabilities)
security Cloud Protection Microsoft Antivirus Sample Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
Title: Cloud-delivered protection Microsoft Defender Antivirus sample submission
-description: Learn about cloud-delivered protection and Microsoft Defender Antivirus
+description: Learn about cloud-delivered protection and Microsoft Defender Antivirus sample submission
keywords: Microsoft Defender Antivirus, next-generation technologies, antivirus sample submission, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection search.product: eADQiWindows 10XVcnh ms.prod: m365-security
Microsoft Defender for Endpoint Antivirus (Defender for Endpoint antivirus) uses
## Microsoft Defender for Endpoint Antivirus cloud protection overview
-Cloud protection is enabled by default in Defender for Endpoint Antivirus. It is recommended that customers do not disable Cloud protection in Defender for Endpoint Antivirus. When cloud protection is enabled, you have the option of configuring what information Defender for Endpoint antivirus will provide to the cloud (including sample submission). Cloud-protection-enabled is useful when a high-confidence determination cannot be made based on other characteristics.
+Cloud protection is enabled by default in Defender for Endpoint Antivirus. It is recommended that customers do not disable Cloud protection in Defender for Endpoint Antivirus. When cloud protection is enabled, you have the option of configuring what information Defender for Endpoint antivirus will provide to the cloud (including sample submission). Cloud-protection-enabled is useful when a high-confidence determination cannot be made based on other characteristics.
Configuring Sample Submission raises questions about how it works; for example, how the data is stored and used. The three cloud protection sample submission options that raise the most questions are: -- ΓÇ£Send safe samples automatically,ΓÇ¥ (the default behavior)-- ΓÇ£Send all samples automatically,ΓÇ¥ -- ΓÇ£Do not send samples.ΓÇ¥
+- "Send safe samples automatically," (the default behavior)
+- "Send all samples automatically,"
+- "Do not send samples."
-For information about configuration options using Intune, Configuration Manager, GPO, or PowerShell, see [Turn on cloud-delivered protection in Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md).
+For information about configuration options using Intune, Configuration Manager, GPO, or PowerShell, see [Turn on cloud-delivered protection in Microsoft Defender Antivirus](enable-cloud-protection-microsoft-defender-antivirus.md).
## Customer data, cloud protection, and sample submission
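Review bot: replacing the mojibake quotes (`ΓÇ£ ... ΓÇ¥`) with straight quotes is correct, but the sentence "Cloud-protection-enabled is useful when a high-confidence determination cannot be made based on other characteristics" in the same hunk is still unclear; it should read "Cloud protection is useful when ...". The product name also alternates between "Defender for Endpoint Antivirus" and "Defender for Endpoint antivirus" within one paragraph; pick one casing.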
Defender for Endpoint antivirus and cloud protection automatically blocks most n
4. Advanced cloud-based protection is provided for cases when Defender for Endpoint antivirus running on the endpoint needs more intelligence to verify the intent of a suspicious file.
- 1. In the event Microsoft Defender for Endpoint antivirus cannot make a clear determination, file metadata is sent to the cloud protection service. Usually, the cloud protection service can determine whether the file is safe or malicious, within milliseconds.
+ 1. In the event Microsoft Defender for Endpoint antivirus cannot make a clear determination, file metadata is sent to the cloud protection service. Usually, the cloud protection service can determine whether the file is safe or malicious, within milliseconds.
- The cloud query of file metadata can be a result of behavior, mark of the web, or other characteristics where a clear verdict is not determined. - A small metadata payload is sent, with the goal of reaching a clean vs malware verdict - Metadata can include PE attributes, static file attributes, dynamic and contextual attributes, and more (Figure 1).
Defender for Endpoint antivirus and cloud protection automatically blocks most n
3. **Send all samples automatically** - If configured, all samples will be sent automatically
- - If you would like sample submission to include macros embedded in Word docs, you must choose ΓÇ£Send all samples automaticallyΓÇ¥
+ - If you would like sample submission to include macros embedded in Word docs, you must choose "Send all samples automatically"
- This setting isn't available on macOS cloud protection 4. **Do not send**
- - Prevents ΓÇ£block at first sightΓÇ¥ based on file sample analysis
- - "Do not send" is the equivalent to the ΓÇ£DisabledΓÇ¥ setting in macOS policy
+ - Prevents "block at first sight" based on file sample analysis
+ - "Do not send" is the equivalent to the "Disabled" setting in macOS policy
- Metadata is sent for detections even when sample submission is disabled 3. After metadata and/or files are submitted to the Defender for Endpoint cloud, you can use **samples**, **detonation**, or **big data analysis** machine learning models to reach a verdict. This model is illustrated in Figure 3. Turning off Cloud-delivered Protection will limit analysis to only what the client can provide through local machine learning models, and similar functions.
-_Figure 1 - Examples of Metadata Sent to Microsoft Defender Cloud Protection_
+_Figure 1 - Examples of Metadata Sent to Microsoft Defender Cloud Protection_:
:::image type="content" source="images/cloud-protection-metadata-sample.png" alt-text="Figure 1. Examples of metadata sent to Microsoft Defender Cloud Protection":::
-_Figure 2. Cloud-delivered protection flow_
+_Figure 2. Cloud-delivered protection flow_:
:::image type="content" source="images/cloud-protection-flow.png" alt-text="Figure 2. Cloud-delivered protection flow":::
-_Figure 3. Cloud-delivered protection and layered machine learning_
+_Figure 3. Cloud-delivered protection and layered machine learning_:
:::image type="content" source="images/cloud-protection-detection-layered-machine-learning.png" lightbox="images/cloud-protection-detection-layered-machine-learning.png" alt-text="Figure 3. Cloud-delivered protection and layered machine learning":::
-> [!Note]
+> [!NOTE]
>
-> You may also have heard the phrase ΓÇ£Block at first sight (BAFS).ΓÇ¥ BAFS refers to the more extensive analysis that the cloud can provide, including things like detonation to provide a more accurate verdict. This can also include delaying the opening of a file that is under interrogation by cloud protection until a verdict is reached. If you disable ΓÇ£Sample Submission,ΓÇ¥ BAFS is disabled, and you cannot do the more extensive analysis and are limited to analyzing file metadata only.
+> You may also have heard the phrase "Block at first sight (BAFS)." BAFS refers to the more extensive analysis that the cloud can provide, including things like detonation to provide a more accurate verdict. This can also include delaying the opening of a file that is under interrogation by cloud protection until a verdict is reached. If you disable "Sample Submission," BAFS is disabled, and you cannot do the more extensive analysis and are limited to analyzing file metadata only.
## Cloud Delivered Protection Levels
-Malware detection requires striking a balance between providing the strongest possible protection, while minimizing the number of false positives. Different environments may have tolerance for protection versus risk of false positive. Cloud-delivered protection levels allow the customer to define the tolerance level appropriate for the specific environment. When you enable Cloud Delivered Protection, the protection level is automatically configured to provide strong detection without increasing the risk of detecting legitimate files. If you want to configure a different protection level, see [Specify the cloud-delivered protection level for Microsoft Defender Antivirus](specify-cloud-protection-level-microsoft-defender-antivirus.md).
+Malware detection requires striking a balance between providing the strongest possible protection, while minimizing the number of false positives. Different environments may have tolerance for protection versus risk of false positive. Cloud-delivered protection levels allow the customer to define the tolerance level appropriate for the specific environment. When you enable Cloud Delivered Protection, the protection level is automatically configured to provide strong detection without increasing the risk of detecting legitimate files. If you want to configure a different protection level, see [Specify the cloud-delivered protection level for Microsoft Defender Antivirus](specify-cloud-protection-level-microsoft-defender-antivirus.md).
-> [!Note]
+> [!NOTE]
> > Changing the protection level can result in a higher level of false positives and should be carefully evaluated before changing. > ## Other File Sample Submission Scenarios
-There are two more scenarios where Defender for Endpoint may request a file sample not related to the cloud protection settings discussed above.
+There are two more scenarios where Defender for Endpoint may request a file sample not related to the cloud protection settings discussed above.
### Manual File Sample Collection by Security Admin from Defender for Endpoint Management Portal
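Review bot: the `[!NOTE]` body on the line `> > Changing the protection level can result in a higher level of false positives and should be carefully evaluated before changing.` is a nested blockquote inside the alert; if a single alert is intended, drop the inner `>`, and `before changing` dangles, so `before you change it` reads better. The `+` line for the protection-levels paragraph only strips trailing whitespace; while it is being touched, `Different environments may have tolerance for protection versus risk of false positive` could read `Different environments have different tolerances for protection versus the risk of false positives`.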
security Collect Diagnostic Data Update Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data-update-compliance.md
Last updated 09/03/2018-+ ms.technology: mde
Before attempting this process, ensure you have read [Troubleshoot Microsoft Def
On at least two devices that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by taking the following steps: 1. Open an administrator-level version of the command prompt as follows:
-
+ a. Open the **Start** menu. b. Type **cmd**. Right-click on **Command Prompt** and then select **Run as administrator**. c. Specify administrator credentials or approve the prompt.
-
+ 2. Navigate to the Windows Defender directory. By default, this is `C:\Program Files\Windows Defender`. 3. Type the following command, and then press **Enter**
-
+ ```Dos mpcmdrun -getfiles ```
-
+ 4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. 5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us. 6. Send an email using the <a href="mailto:ucsupport@microsoft.com?subject=MDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">update compliance support email template</a>, and fill out the template with the following information:
-
- ```
+
+ ```text
I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
-
+ I have provided at least 2 support .cab files at the following location: <accessible share, including access details such as password> My OMS workspace ID is:
On at least two devices that are not reporting or showing up in Update Complianc
## See also -- [Troubleshoot Windows Defender Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)
+- [Troubleshoot Windows Defender Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)
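Review bot: the `See also` entry kept on the `+` line, `[Troubleshoot Windows Defender Microsoft Defender Antivirus reporting]`, doubles the product name; the same link in the collect-diagnostic-data article on this page reads `[Troubleshoot Microsoft Defender Antivirus reporting]`, so align the link text. The `Dos` fence tag on `mpcmdrun -getfiles` is non-standard; the command-line-arguments article uses the `console` tag, and one tag across the articles keeps highlighting predictable. Step 4 here gives the default output as `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`, while step 4 of the collect-diagnostic-data article gives `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`; the two should agree. The mailto template body still says `Windows Defender AV` where the text says Microsoft Defender Antivirus, and its subject (`MDAV assessment issue`) differs from the other article's `WDAV assessment issue`. Finally, the template asks for the share's access details, `including access details such as password`, in the same message as the share location; suggesting a separate channel for the password would keep the credential out of the email that carries the link.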
security Collect Diagnostic Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md
Last updated 06/29/2020-+ ms.technology: mde
On at least two devices that are experiencing the same issue, obtain the .cab di
2. Navigate to the Microsoft Defender directory. By default, this is `C:\Program Files\Windows Defender`.
-> [!NOTE]
-> If you're running an [updated Microsoft Defender Platform version](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform), please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
+ > [!NOTE]
+ > If you're running an [updated Microsoft Defender Platform version](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform), please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
-3. Type the following command, and then press **Enter**
+3. Type the following command, and then press **Enter**
```Dos mpcmdrun.exe -GetFiles ```
-
+ 4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
-> [!NOTE]
-> To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>` <br/>For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
+ > [!NOTE]
+ > To redirect the cab file to a a different path or UNC share, use the following command: `mpcmdrun.exe -GetFiles -SupportLogLocation <path>` <br/>For more information, see [Redirect diagnostic data to a UNC share](#redirect-diagnostic-data-to-a-unc-share).
5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us. > [!NOTE]
->If you have a problem with Update compliance, send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
->```
+> If you have a problem with Update compliance, send an email using the <a href="mailto:ucsupport@microsoft.com?subject=WDAV assessment issue&body=I%20am%20encountering%20the%20following%20issue%20when%20using%20Windows%20Defender%20AV%20in%20Update%20Compliance%3a%20%0d%0aI%20have%20provided%20at%20least%202%20support%20.cab%20files%20at%20the%20following%20location%3a%20%3Caccessible%20share%2c%20including%20access%20details%20such%20as%20password%3E%0d%0aMy%20OMS%20workspace%20ID%20is%3a%20%0d%0aPlease%20contact%20me%20at%3a">Update Compliance support email template</a>, and fill out the template with the following information:
+>
> I am encountering the following issue when using Microsoft Defender Antivirus in Update Compliance:
-> I have provided at least 2 support .cab files at the following location:
-> <accessible share, including access details such as password>
>
-> My OMS workspace ID is:
+> I have provided at least 2 support .cab files at the following location:
>
-> Please contact me at:
+> \<accessible share, including access details such as password\>
+>
+> My OMS workspace ID is:
+>
+> Please contact me at:
## Redirect diagnostic data to a UNC share+ To collect diagnostic data on a central repository, you can specify the SupportLogLocation parameter. ```Dos
When the SupportLogLocation parameter is used, a folder structure like as follow
<path>\<MMDD>\MpSupport-<hostname>-<HHMM>.cab ```
-| field | Description |
-|:-|:-|
-| path | The path as specified on the command line or retrieved from configuration
-| MMDD | Month and day when the diagnostic data was collected (for example, 0530)
-| hostname | The hostname of the device on which the diagnostic data was collected
-| HHMM | Hours and minutes when the diagnostic data was collected (for example, 1422)
+<br>
+
+****
+
+|field|Description|
+|||
+|path|The path as specified on the command line or retrieved from configuration|
+|MMDD|Month and day when the diagnostic data was collected (for example, 0530)|
+|hostname|The hostname of the device on which the diagnostic data was collected|
+|HHMM|Hours and minutes when the diagnostic data was collected (for example, 1422)|
+|
> [!NOTE]
-> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.
+> When using a file share please make sure that account used to collect the diagnostic package has write access to the share.
## Specify location where diagnostic data is created
-You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO).
+You can also specify where the diagnostic .cab file will be created using a Group Policy Object (GPO).
+
+1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`.
+
+2. Select **Define the directory path to copy support log files**.
+
+ ![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png)
-1. Open the Local Group Policy Editor and find the SupportLogLocation GPO at: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation`
-
-1. Select **Define the directory path to copy support log files**.
+ ![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png)
- ![Screenshot of local group policy editor](images/GPO1-SupportLogLocationDefender.png)
-
- ![Screenshot of define path for log files setting](images/GPO2-SupportLogLocationGPPage.png)
3. Inside the policy editor, select **Enabled**.
-
+ 4. Specify the directory path where you want to copy the support log files in the **Options** field.
- ![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png)
+
+ ![Screenshot of Enabled directory path custom setting](images/GPO3-SupportLogLocationGPPageEnabledExample.png)
+ 5. Select **OK** or **Apply**. ## See also -- [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)
+- [Troubleshoot Microsoft Defender Antivirus reporting](troubleshoot-reporting.md)
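Review bot: the reindented `+` note line `To redirect the cab file to a a different path or UNC share` keeps the doubled `a a`; fix it while the line is being moved. The rebuilt SupportLogLocation table has a separator row of `|||`, a stray `****` line above it and a dangling `|` line below it; confirm the separator carries dash cells (for example `|---|---|`) in the source and drop the `****` and trailing `|`, otherwise the table will not render as a table. The share note `make sure that account used to collect the diagnostic package has write access to the share` should read `the account`; since the .cab files are diagnostic logs, it would also help to say that read access on the central share should be limited to the people who need it. In the GPO steps, `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SupportLogLocation` is a registry path, not a location you browse to in the Local Group Policy Editor; either give the policy's path under Computer Configuration or state that this is the registry value the policy sets.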
security Command Line Arguments Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md
Here's an example:
```console MpCmdRun.exe -Scan -ScanType 2
-```
+```
In our example, the MpCmdRun utility starts a full antivirus scan on the device. ## Commands
-| Command | Description |
-|:-|:-|
-| `-?` **or** `-h` | Displays all available options for the MpCmdRun tool |
-| `-Scan [-ScanType [<value>]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]` | Scans for malicious software. Values for **ScanType** are:<p>**0** Default, according to your configuration<p>**1** Quick scan<p>**2** Full scan<p>**3** File and directory custom scan.<p>CpuThrottling runs according to policy configurations |
-| `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing |
-| `-GetFiles [-SupportLogLocation <path>]` | Collects support information. See '[collecting diagnostic data](collect-diagnostic-data.md)' |
-| `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder |
-| `-RemoveDefinitions [-All]` | Restores the installed Security intelligence to a previous backup copy or to the original default set |
-| `-RemoveDefinitions [-DynamicSignatures]` | Removes only the dynamically downloaded Security intelligence |
-| `-RemoveDefinitions [-Engine]` | Restores the previous installed engine |
-| `-SignatureUpdate [-UNC \| -MMPC]` | Checks for new Security intelligence updates |
-| `-Restore [-ListAll \| [[-Name <name>] [-All] \| [-FilePath <filePath>]] [-Path <path>]]` | Restores or lists quarantined item(s) |
-| `-AddDynamicSignature [-Path]` | Loads dynamic Security intelligence |
-| `-ListAllDynamicSignatures` | Lists the loaded dynamic Security intelligence |
-| `-RemoveDynamicSignature [-SignatureSetID]` | Removes dynamic Security intelligence |
-| `-CheckExclusion -path <path>` | Checks whether a path is excluded |
-| `-ValidateMapsConnection` | Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.|
-
-## Common errors in running commands via mpcmdrun.exe
+|Command|Description|
+|||
+|`-?` **or** `-h`|Displays all available options for the MpCmdRun tool|
+|`-Scan [-ScanType [<value>]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]`|Scans for malicious software. Values for **ScanType** are:<p>**0** Default, according to your configuration<p>**1** Quick scan<p>**2** Full scan<p>**3** File and directory custom scan.<p>CpuThrottling runs according to policy configurations|
+|`-Trace [-Grouping #] [-Level #]`|Starts diagnostic tracing|
+|`-GetFiles [-SupportLogLocation <path>]`|Collects support information. See '[collecting diagnostic data](collect-diagnostic-data.md)'|
+|`-GetFilesDiagTrack`|Same as `-GetFiles`, but outputs to temporary DiagTrack folder|
+|`-RemoveDefinitions [-All]`|Restores the installed Security intelligence to a previous backup copy or to the original default set|
+|`-RemoveDefinitions [-DynamicSignatures]`|Removes only the dynamically downloaded Security intelligence|
+|`-RemoveDefinitions [-Engine]`|Restores the previous installed engine|
+|`-SignatureUpdate [-UNC \|-MMPC]`|Checks for new Security intelligence updates|
+|`-Restore [-ListAll \|[[-Name <name>] [-All] \|[-FilePath <filePath>]] [-Path <path>]]`|Restores or lists quarantined item(s)|
+|`-AddDynamicSignature [-Path]`|Loads dynamic Security intelligence|
+|`-ListAllDynamicSignatures`|Lists the loaded dynamic Security intelligence|
+|`-RemoveDynamicSignature [-SignatureSetID]`|Removes dynamic Security intelligence|
+|`-CheckExclusion -path <path>`|Checks whether a path is excluded|
+|`-ValidateMapsConnection`|Verifies that your network can communicate with the Microsoft Defender Antivirus cloud service. This command will only work on Windows 10, version 1703 or higher.|
+
+## Common errors in running commands via mpcmdrun.exe
The following table lists common errors that can occur while using the MpCmdRun tool.
-|Error message | Possible reason |
-|:-|:-|
-| **ValidateMapsConnection failed (800106BA)** or **0x800106BA** | The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-microsoft-defender-setup.md#reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> **TIP**: In Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*. |
-| **0x80070667** | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
-| **MpCmdRun is not recognized as an internal or external command, operable program, or batch file.** | The tool must be run from either `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
-| **ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)** | The command was attempted using insufficient privileges. Use the command prompt (cmd.exe) as an administrator.|
-| **ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)** | The firewall is blocking the connection or conducting SSL inspection. |
-| **ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)** | Possible network-related issues, like name resolution problems|
-| **ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80508015** | The firewall is blocking the connection or conducting SSL inspection. |
-| **ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D** | The firewall is blocking the connection or conducting SSL inspection. |
-| **ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)** | The firewall is blocking the connection or conducting SSL inspection. |
+|Error message|Possible reason|
+|||
+|**ValidateMapsConnection failed (800106BA)** or **0x800106BA**|The Microsoft Defender Antivirus service is disabled. Enable the service and try again. If you need help re-enabling Microsoft Defender Antivirus, see [Reinstall/enable Microsoft Defender Antivirus on your endpoints](switch-to-microsoft-defender-setup.md#reinstallenable-microsoft-defender-antivirus-on-your-endpoints).<p> **TIP**: In Windows 10 1909 or older, and Windows Server 2019 or older, the service was formerly called *Windows Defender Antivirus*.|
+|**0x80070667**|You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
+|**MpCmdRun is not recognized as an internal or external command, operable program, or batch file.**|The tool must be run from either `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
+|**ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)**|The command was attempted using insufficient privileges. Use the command prompt (cmd.exe) as an administrator.|
+|**ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)**|The firewall is blocking the connection or conducting SSL inspection.|
+|**ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)**|Possible network-related issues, like name resolution problems|
+|**ValidateMapsConnection failed to establish a connection to MAPS (hr=0x80508015**|The firewall is blocking the connection or conducting SSL inspection.|
+|**ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D**|The firewall is blocking the connection or conducting SSL inspection.|
+|**ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)**|The firewall is blocking the connection or conducting SSL inspection.|
## See also
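Review bot: the rebuilt commands table drops the space after the escaped pipe in two rows, so `-SignatureUpdate [-UNC \| -MMPC]` becomes `-SignatureUpdate [-UNC \|-MMPC]` and `-Restore [-ListAll \| [[-Name <name>] [-All] \| [-FilePath <filePath>]] [-Path <path>]]` becomes `-Restore [-ListAll \|[[-Name <name>] [-All] \|[-FilePath <filePath>]] [-Path <path>]]`; the rendered syntax then reads `-UNC |-MMPC`, so restore the space. Both tables now use `|||` as the header separator, which needs dash cells to render. In the errors table, `(hr=0x80508015**` and `(hr=800722F0D**` are still missing their closing parenthesis, and `800722F0D` has nine hex digits where every other HRESULT in the table has eight, so check it against the actual message text.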
security Common Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-errors.md
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)
-Error code |HTTP status code |Message
-:|:|:
-BadRequest | BadRequest (400) | General Bad Request error message.
-ODataError | BadRequest (400) | Invalid OData URI query (the specific error is specified).
-InvalidInput | BadRequest (400) | Invalid input {the invalid input}.
-InvalidRequestBody | BadRequest (400) | Invalid request body.
-InvalidHashValue | BadRequest (400) | Hash value {the invalid hash} is invalid.
-InvalidDomainName | BadRequest (400) | Domain name {the invalid domain} is invalid.
-InvalidIpAddress | BadRequest (400) | IP address {the invalid IP} is invalid.
-InvalidUrl | BadRequest (400) | URL {the invalid URL} is invalid.
-MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Received: {batch size received}, allowed: {batch size allowed}.
-MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing.
-OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action.
-ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above.
-Unauthorized | Unauthorized (401) | Unauthorized (invalid or expired authorization header).
-Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action).
-DisabledFeature | Forbidden (403) | Tenant feature is not enabled.
-DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}.
-NotFound | Not Found (404) | General Not Found error message.
-ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found.
-InternalServerError | Internal Server Error (500) | (No error message, retry the operation)
-TooManyRequests | Too Many Requests (429) | Response will represent reaching quota limit either by number of requests or by CPU.
+Error code|HTTP status code|Message
+||
+BadRequest|BadRequest (400)|General Bad Request error message.
+ODataError|BadRequest (400)|Invalid OData URI query (the specific error is specified).
+InvalidInput|BadRequest (400)|Invalid input {the invalid input}.
+InvalidRequestBody|BadRequest (400)|Invalid request body.
+InvalidHashValue|BadRequest (400)|Hash value {the invalid hash} is invalid.
+InvalidDomainName|BadRequest (400)|Domain name {the invalid domain} is invalid.
+InvalidIpAddress|BadRequest (400)|IP address {the invalid IP} is invalid.
+InvalidUrl|BadRequest (400)|URL {the invalid URL} is invalid.
+MaximumBatchSizeExceeded|BadRequest (400)|Maximum batch size exceeded. Received: {batch size received}, allowed: {batch size allowed}.
+MissingRequiredParameter|BadRequest (400)|Parameter {the missing parameter} is missing.
+OsPlatformNotSupported|BadRequest (400)|OS Platform {the client OS Platform} is not supported for this action.
+ClientVersionNotSupported|BadRequest (400)|{The requested action} is supported on client version {supported client version} and above.
+Unauthorized|Unauthorized (401)|Unauthorized (invalid or expired authorization header).
+Forbidden|Forbidden (403)|Forbidden (valid token but insufficient permission for the action).
+DisabledFeature|Forbidden (403)|Tenant feature is not enabled.
+DisallowedOperation|Forbidden (403)|{the disallowed operation and the reason}.
+NotFound|Not Found (404)|General Not Found error message.
+ResourceNotFound|Not Found (404)|Resource {the requested resource} was not found.
+InternalServerError|Internal Server Error (500)|(No error message, retry the operation)
+TooManyRequests|Too Many Requests (429)|Response will represent reaching quota limit either by number of requests or by CPU.
## Body parameters are case-sensitive The submitted body parameters are currently case-sensitive.
-<br>If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter.
-<br>Review the API documentation page and check that the submitted parameters match the relevant example.
+
+If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter.
+
+Review the API documentation page and check that the submitted parameters match the relevant example.
## Correlation request ID Each error response contains a unique ID parameter for tracking.
-<br>The property name of this parameter is "target".
-<br>When contacting us about an error, attaching this ID will help find the root cause of the problem.
+
+The property name of this parameter is "target".
+
+When contacting us about an error, attaching this ID will help find the root cause of the problem.
## Examples
Each error response contains a unique ID parameter for tracking.
} ``` - ```json { "error": {
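Review bot: the header separator for the error-code table is now `||`, two cells for a three-column table and without the dash cells a Markdown header row needs; keep the alignment row the removed line had (`:|:|:`) or use `|---|---|---|`. The `+` paragraph keeps `If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter`; suggest `If you get an InvalidRequestBody or MissingRequiredParameter error, the cause may be incorrect casing in a parameter name`, which also fixes the article/plural mismatch.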
security Common Exclusion Mistakes Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus.md
localization_priority: Normal
-+ ms.technology: mde
Last updated 06/15/2021
# Common mistakes to avoid when defining exclusions
-You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. This article describes some common mistake that you should avoid when defining exclusions.
+You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. This article describes some common mistake that you should avoid when defining exclusions.
Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions). ## Excluding certain trusted items
-Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious.
+Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious.
Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following sections: - Folder locations
Do not define exclusions for the folder locations, file extensions, and processe
In general, do not define exclusions for the following folder locations:
-`%systemdrive%`
+`%systemdrive%`
`C:`
In general, do not define exclusions for the following folder locations:
`%ProgramFiles%\Java`
-`C:\Program Files\Java`
+`C:\Program Files\Java`
-`%ProgramFiles%\Contoso\`
+`%ProgramFiles%\Contoso\`
-`C:\Program Files\Contoso\`
+`C:\Program Files\Contoso\`
-`%ProgramFiles(x86)%\Contoso\`
+`%ProgramFiles(x86)%\Contoso\`
`C:\Program Files (x86)\Contoso\`
In general, do not define exclusions for the following folder locations:
`C:\Users\*`
-`C:\Users\<UserProfileName>\AppData\Local\Temp\` **Note the following exception for SharePoint**: Do exclude
+`C:\Users\<UserProfileName>\AppData\Local\Temp\` **Note the following exception for SharePoint**: Do exclude
`C:\Users\ServiceAccount\AppData\Local\Temp` when you use [file-level antivirus protection in SharePoint](https://support.microsoft.com/office/certain-folders-may-have-to-be-excluded-from-antivirus-scanning-when-you-use-file-level-antivirus-software-in-sharepoint-01cbc532-a24e-4bba-8d67-0b1ed733a3d9). `C:\Users\<UserProfileName>\AppData\LocalLow\Temp\` **Note the following exception for SharePoint**: Do exclude `C:\Users\Default\AppData\Local\Temp` when you use [file-level antivirus protection in SharePoint](https://support.microsoft.com/office/certain-folders-may-have-to-be-excluded-from-antivirus-scanning-when-you-use-file-level-antivirus-software-in-sharepoint-01cbc532-a24e-4bba-8d67-0b1ed733a3d9).
In general, do not define exclusions for the following file extensions:
`.cmd`
-`.com`
+`.com`
`.cpl`
In general, do not define exclusions for the following file extensions:
`.zip`
-### Processes
+### Processes
In general, do not define exclusions for the following processes:
-`AcroRd32.exe`
+`AcroRd32.exe`
-`bitsadmin.exe`
+`bitsadmin.exe`
-`excel.exe`
+`excel.exe`
-`iexplore.exe`
+`iexplore.exe`
-`java.exe`
+`java.exe`
-`outlook.exe`
+`outlook.exe`
-`psexec.exe`
+`psexec.exe`
-`powerpnt.exe`
+`powerpnt.exe`
-`powershell.exe`
+`powershell.exe`
`schtasks.exe`
-`svchost.exe`
+`svchost.exe`
-`wmic.exe`
+`wmic.exe`
-`winword.exe`
+`winword.exe`
-`wuauclt.exe`
+`wuauclt.exe`
-`addinprocess.exe`
+`addinprocess.exe`
-`addinprocess32.exe`
+`addinprocess32.exe`
-`addinutil.exe`
+`addinutil.exe`
-`bash.exe`
+`bash.exe`
-`bginfo.exe`
+`bginfo.exe`
-`cdb.exe`
+`cdb.exe`
-`csi.exe`
+`csi.exe`
-`dbghost.exe`
+`dbghost.exe`
-`dbgsvc.exe`
+`dbgsvc.exe`
`dnx.exe` `dotnet.exe`
-`fsi.exe`
+`fsi.exe`
-`fsiAnyCpu.exe`
+`fsiAnyCpu.exe`
-`kd.exe`
+`kd.exe`
-`ntkd.exe`
+`ntkd.exe`
-`lxssmanager.dll`
+`lxssmanager.dll`
-`msbuild.exe`
+`msbuild.exe`
-`mshta.exe`
+`mshta.exe`
-`ntsd.exe`
+`ntsd.exe`
-`rcsi.exe`
+`rcsi.exe`
-`system.management.automation.dll`
+`system.management.automation.dll`
`windbg.exe`
Do not use a single exclusion list to define exclusions for multiple server work
Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables. See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.-
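Review bot: the intro `+` line keeps `This article describes some common mistake that you should avoid` (should be `mistakes`), and `even though you trust them to be not malicious` reads better as `even though you trust them not to be malicious`; both lines are touched for whitespace only, so fix the wording at the same time. The SharePoint exception is run into the preceding item, `C:\Users\<UserProfileName>\AppData\Local\Temp\` **Note the following exception for SharePoint**, so the note reads as part of the path; start it on its own line. `dnx.exe` and `dotnet.exe` share one line while every other process has its own, and the closing paragraph ends with a stray `-` after `exclusion lists.`.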
security Community https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/community.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)
-The Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product.
+The Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product.
There are several spaces you can explore to learn about specific information:-- Announcements +
+- Announcements
- What's new - Threat Intelligence There are several ways you can access the Community Center:-- In the Microsoft 365 Defender portal navigation pane, select **Community center**. A new browser tab opens and takes you to the Defender for Endpoint Tech Community page. -- Access the community through the [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page
+- In the Microsoft 365 Defender portal navigation pane, select **Community center**. A new browser tab opens and takes you to the Defender for Endpoint Tech Community page.
+- Access the community through the [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page
-You can instantly view and read conversations that have been posted in the community.
+You can instantly view and read conversations that have been posted in the community.
To get the full experience within the community such as being able to comment on posts, you'll need to join the community. For more information on how to get started in the Microsoft Tech Community, see [Microsoft Tech Community: Getting Started](https://techcommunity.microsoft.com/t5/Getting-Started/Microsoft-Tech-Community-Getting-Started-Guide/m-p/77888#M15).
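Review bot: of the two `+` list items under `There are several ways you can access the Community Center`, the first ends with a period and the second (`Access the community through the [Microsoft Defender for Endpoint Tech Community] page`) does not; make the punctuation consistent across the list.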
security Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/conditional-access.md
ms.technology: mde
-# Enable Conditional Access to better protect users, devices, and data
+# Enable Conditional Access to better protect users, devices, and data
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
Conditional Access is a capability that helps you better protect your users and
With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
-You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state.
+You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state.
-The implementation of Conditional Access in Defender for Endpoint is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies.
+The implementation of Conditional Access in Defender for Endpoint is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies.
-The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications.
+The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications.
## Understand the Conditional Access flow
-Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.
-The flow begins with devices being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
+Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.
+
+The flow begins with devices being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied.
For example, you can configure Intune to apply Conditional Access on devices tha
In Intune, a device compliance policy is used in conjunction with Azure AD Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched.
- A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated.
+ A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated.
-To resolve the risk found on a device, you'll need to return the device to a compliant state. A device returns to a compliant state when there is no risk seen on it.
+To resolve the risk found on a device, you'll need to return the device to a compliant state. A device returns to a compliant state when there is no risk seen on it.
There are three ways to address a risk:+ 1. Use Manual or automated remediation. 2. Resolve active alerts on the device. This will remove the risk from the device.
-3. You can remove the device from the active policies and consequently, Conditional Access will not be applied on the device.
+3. You can remove the device from the active policies and consequently, Conditional Access will not be applied on the device.
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md).
The following example sequence of events explains Conditional Access in action:
4. The manual or automated investigation and remediation is completed and the threat is removed. Defender for Endpoint sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. 5. Users can now access applications.
-
## Related topic+ - [Configure Conditional Access in Microsoft Defender for Endpoint](configure-conditional-access.md)
security Configuration Management Reference Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus.md
Last updated 07/13/2021-+ ms.technology: mde
You can manage and configure Microsoft Defender Antivirus with the following too
The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
-| Article | Description |
+|Article|Description|
|:|:|
-|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus |
-|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates |
-|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters |
-|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) |
-|[Manage Microsoft Defender Antivirus with the MpCmdRun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)| Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus |
+|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus|
+|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates|
+|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters|
+|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)|Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)|
+|[Manage Microsoft Defender Antivirus with the MpCmdRun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus|
security Configure Advanced Scan Types Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
localization_priority: Normal
-+ ms.technology: mde Last updated 05/26/2021
## Use Microsoft Intune to configure scanning options
-For more information, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
+For more information, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
## Use Microsoft Endpoint Manager to configure scanning options
For details on configuring Microsoft Endpoint Manager (current branch), see [How
3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-4. Expand the tree to **Windows components** > **Microsoft Defender Antivirus**, and then select a location (refer to [Settings and locations](#settings-and-locations) in this article).
+4. Expand the tree to **Windows components** \> **Microsoft Defender Antivirus**, and then select a location (refer to [Settings and locations](#settings-and-locations) in this article).
-
-5. Edit the policy object.
+5. Edit the policy object.
6. Click **OK**, and repeat for any other settings. ### Settings and locations
-| Policy item and location | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class |
+<br>
+
+****
+
+|Policy item and location|Default setting (if not configured)|PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class|
||||
-| Email scanning <p> **Scan** > **Turn on e-mail scanning**<p>See [Email scanning limitations](#email-scanning-limitations) (in this article) | Disabled | `-DisableEmailScanning` |
-|Scan [reparse points](/windows/win32/fileio/reparse-points) <p> **Scan** > **Turn on reparse point scanning** | Disabled | Not available <p>See [Reparse points](/windows/win32/fileio/reparse-points) |
-| Scan mapped network drives <p> **Scan** > **Run full scan on mapped network drives** | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`|
-| Scan archive files (such as .zip or .rar files). <p> **Scan** > **Scan archive files** | Enabled | `-DisableArchiveScanning` <p>The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting.|
-| Scan files on the network <p> **Scan** > **Scan network files** | Disabled | `-DisableScanningNetworkFiles` |
-| Scan packed executables <p> **Scan** > **Scan packed executables** | Enabled | Not available |
-| Scan removable drives during full scans only <p> **Scan** > **Scan removable drives** | Disabled | `-DisableRemovableDriveScanning` |
-| Specify the level of subfolders within an archive folder to scan <p>**Scan** > **Specify the maximum depth to scan archive files** | 0 | Not available |
-| Specify the maximum CPU load (as a percentage) during a scan. <p> **Scan** > **Specify the maximum percentage of CPU utilization during a scan** | 50 | `-ScanAvgCPULoadFactor` <p>**NOTE**: The maximum CPU load is not a hard limit, but is guidance for the scanning engine to not exceed the maximum on average. Manually run scans will ignore this setting and run without any CPU limits. |
-| Specify the maximum size (in kilobytes) of archive files that should be scanned. <p> **Scan** > **Specify the maximum size of archive files to be scanned** | No limit | Not available <p>The default value of 0 applies no limit |
-| Configure low CPU priority for scheduled scans <p> **Scan** > **Configure low CPU priority for scheduled scans** | Disabled | Not available |
-
-
+|Email scanning <p> **Scan** \> **Turn on e-mail scanning**<p>See [Email scanning limitations](#email-scanning-limitations) (in this article)|Disabled|`-DisableEmailScanning`|
+|Scan [reparse points](/windows/win32/fileio/reparse-points) <p> **Scan** \> **Turn on reparse point scanning**|Disabled|Not available <p>See [Reparse points](/windows/win32/fileio/reparse-points)|
+|Scan mapped network drives <p> **Scan** \> **Run full scan on mapped network drives**|Disabled|`-DisableScanningMappedNetworkDrivesForFullScan`|
+|Scan archive files (such as .zip or .rar files). <p> **Scan** \> **Scan archive files**|Enabled|`-DisableArchiveScanning` <p>The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting.|
+|Scan files on the network <p> **Scan** \> **Scan network files**|Disabled|`-DisableScanningNetworkFiles`|
+|Scan packed executables <p> **Scan** \> **Scan packed executables**|Enabled|Not available|
+|Scan removable drives during full scans only <p> **Scan** \> **Scan removable drives**|Disabled|`-DisableRemovableDriveScanning`|
+|Specify the level of subfolders within an archive folder to scan <p>**Scan** \> **Specify the maximum depth to scan archive files**|0|Not available|
+|Specify the maximum CPU load (as a percentage) during a scan. <p> **Scan** \> **Specify the maximum percentage of CPU utilization during a scan**|50|`-ScanAvgCPULoadFactor` <p>**NOTE**: The maximum CPU load is not a hard limit, but is guidance for the scanning engine to not exceed the maximum on average. Manually run scans will ignore this setting and run without any CPU limits.|
+|Specify the maximum size (in kilobytes) of archive files that should be scanned. <p> **Scan** \> **Specify the maximum size of archive files to be scanned**|No limit|Not available <p>The default value of 0 applies no limit|
+|Configure low CPU priority for scheduled scans <p> **Scan** \> **Configure low CPU priority for scheduled scans**|Disabled|Not available|
+|
+ > [!NOTE] > If real-time protection is turned on, files are scanned before they are accessed and executed. The scanning scope includes all files, including files on mounted removable media, such as USB drives. If the device performing the scan has real-time protection or on-access protection turned on, the scan will also include network shares. ## Use PowerShell to configure scanning options - For more information on how to use PowerShell with Microsoft Defender Antivirus, see - [Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)
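Review bot: the `+|` line added directly after the last table row (the "Configure low CPU priority for scheduled scans" row) is a lone pipe, which renders as a malformed extra table row; drop it. The `<br>` and `****` lines inserted ahead of the table should also be checked in a preview, since `****` is a thematic break in CommonMark and may render as a horizontal rule above the table rather than as table spacing.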
If Microsoft Defender Antivirus detects a threat inside an email message, it wil
- Email subject - Attachment name - ## Scanning mapped network drives On any OS, only the network drives that are mapped at system level, are scanned. User-level mapped network drives aren't scanned. User-level mapped network drives are those that a user maps in their session manually and using their own credentials. ## See also - - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - [Configure and run on-demand Microsoft Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md) - [Configure scheduled Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
security Configure Arcsight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-arcsight.md
You'll need to install and configure some files and tools to use Micro Focus Arc
> [!NOTE] >
->- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections
->- [Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
+> - [Defender for Endpoint Alert](alerts.md) is composed from one or more detections
+> - [Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
## Before you begin
This section guides you in getting the necessary information to set and use the
- OAuth 2.0 Client secret - Have the following configuration files ready:
+-
- WDATP-connector.properties - WDATP-connector.jsonparser.properties
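Review bot: the `+-` line inserts an empty list item between "Have the following configuration files ready:" and the two file names, which renders as a bare dash. If the intent was to nest the file names under that item, indent `- WDATP-connector.properties` and `- WDATP-connector.jsonparser.properties` instead of adding an empty bullet.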
The following steps assume that you have completed all the required steps in [Be
3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example: - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\- - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ > [!NOTE]
The following steps assume that you have completed all the required steps in [Be
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
- If the <code>redirect_uri</code> is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
+ If the `redirect_uri` is an https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
- If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
+ If however you specify an http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
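Review bot: the article fix in step 7 is only half applied: "an https URL" and "an http URL" are corrected, but the same paragraph still ends "if the redirect_uri is a https". Change that to "if the `redirect_uri` is an https URL", using backticks as the start of the sentence now does.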
The following steps assume that you have completed all the required steps in [Be
8. Login to the Micro Focus ArcSight console.
-9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
+9. Navigate to **Active channel set** \> **New Condition** \> **Device** \> **Device Product**.
10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
Defender for Endpoint detections will appear as discrete events, with "Microsoft
1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?". 2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:+ `reauthenticate=true`.
-3. Restart the connector by running the following command: `arcsight.bat connectors`.
+3. Restart the connector by running the following command:
+
+ `arcsight.bat connectors`.
A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
security Configure Block At First Sight Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
-This article describes an antivirus/antimalware feature known as "block at first sight", and describes how to enable block at first sight for your organization.
+This article describes an antivirus/antimalware feature known as "block at first sight", and describes how to enable block at first sight for your organization.
> [!TIP] > This article is intended for enterprise admins and IT Pros who manage security settings for organizations. If you are not an enteprise admin or IT Pro but you have questions about block at first sight, see the [Not an enterprise admin or IT Pro?](#not-an-enterprise-admin-or-it-pro) section.
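Review bot: "enteprise" in the unchanged TIP line below the edited sentence should be "enterprise"; since this hunk already touches the paragraph directly above, fix the typo in the same change.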
This article describes an antivirus/antimalware feature known as "block at first
Block at first sight is a threat protection feature of next-generation protection that detects new malware and blocks it within seconds. Block at first sight is enabled when certain security settings are enabled. These settings include: -- Cloud-delivered protection; -- A specified sample submission timeout (such as 50 seconds); and -- A file-blocking level of high.
+- Cloud-delivered protection;
+- A specified sample submission timeout (such as 50 seconds); and
+- A file-blocking level of high.
-In most enterprise organizations, the settings needed to enable block at first sight are configured with Microsoft Defender Antivirus deployments.
+In most enterprise organizations, the settings needed to enable block at first sight are configured with Microsoft Defender Antivirus deployments.
## How it works When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat.
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection.
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection.
-![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)
+![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)
> [!TIP] > To learn more, see [(Blog) Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
Microsoft Defender Antivirus uses multiple detection and prevention technologies
> [!TIP] > Microsoft Intune is now part of Microsoft Endpoint Manager.
-1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**.
+1. In the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>), navigate to **Devices** \> **Configuration profiles**.
2. Select or create a profile using the **Device restrictions** profile type.
Microsoft Defender Antivirus uses multiple detection and prevention technologies
4. Save your settings. > [!TIP]
+>
> - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, your security operations team can [restore quarantined files](./restore-quarantined-files-microsoft-defender-antivirus.md). > - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure). > - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
Microsoft Defender Antivirus uses multiple detection and prevention technologies
> [!TIP] > If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager.
-1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**.
+1. In Microsoft Endpoint Manager (<https://endpoint.microsoft.com>), go to **Endpoint security** \> **Antivirus**.
2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type.
Microsoft Defender Antivirus uses multiple detection and prevention technologies
## Turn on block at first sight with Group Policy > [!NOTE]
-> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight.
+> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight.
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
-2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration** \> **Administrative templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **MAPS**.
3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**.
You can confirm that block at first sight is enabled on individual client device
3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on. > [!NOTE]
-> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints.
+>
+> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints.
> - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. ## Validate block at first sight is working To validate that the feature is working, download the [Block at first sight sample file](https://demo.wd.microsoft.com/Page/BAFS). To download the file, you will need an account in Azure AD that has either the Security Administrator or Global Administrator role assigned.
-To validate that cloud-enabled protection is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
+To validate that cloud-enabled protection is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
## Turn off block at first sight
You might choose to disable block at first sight if you want to retain the prere
### Turn off block at first sight with Microsoft Endpoint Manager
-1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+1. Go to Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com>) and sign in.
-2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy.
+2. Go to **Endpoint security** \> **Antivirus**, and then select your Microsoft Defender Antivirus policy.
3. Under **Manage**, choose **Properties**.
You might choose to disable block at first sight if you want to retain the prere
2. Using the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**.
+3. Expand the tree through **Windows components** \> **Microsoft Defender Antivirus** \> **MAPS**.
4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
If you have a personal device that is not managed by an organization, you might
- To enable block at first sight, make sure that both **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
- - To disable block at first sight, turn off **Cloud-delivered protection** or **Automatic sample submission**. <br/>
-
+ - To disable block at first sight, turn off **Cloud-delivered protection** or **Automatic sample submission**.
+ > [!CAUTION]
- > Turning off block at first sight lowers the level of protection for your device. We do not recommend permanently disabling block at first sight.
+ > Turning off block at first sight lowers the level of protection for your device. We do not recommend permanently disabling block at first sight.
## See also
security Configure Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-discovery.md
localization_priority: normal audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
ms.technology: m365d
ms.technology: m365d
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - [!include[Prerelease information](../../includes/prerelease.md)]
-Discovery can be configured to be on standard or basic mode. Use the standard option to actively find devices in your network, which will better guarantee the discovery of endpoints and provide richer device classification.
+Discovery can be configured to be on standard or basic mode. Use the standard option to actively find devices in your network, which will better guarantee the discovery of endpoints and provide richer device classification.
You can customize the list of devices that are used to perform standard discovery. You can either enable standard discovery on all the onboarded devices that also support this capability (currently - Windows 10 devices only) or select a subset or subsets of your devices by specifying their device tags.
Take the following configuration steps in Microsoft 365 security center:
## Exclude devices from being actively probed in standard discovery
-If there are devices on your network which shouldn't be actively scanned (for example, devices used as honeypots for another security tool), you can also define a list of exclusions to prevent them from being scanned. Note that devices can still be discovered using Basic discovery mode. Those devices will be passively discovered but won't be actively probed.
+If there are devices on your network which shouldn't be actively scanned (for example, devices used as honeypots for another security tool), you can also define a list of exclusions to prevent them from being scanned. Note that devices can still be discovered using Basic discovery mode. Those devices will be passively discovered but won't be actively probed.
## Select networks to monitor
- Microsoft Defender for Endpoint analyzes a network and determines if it's a corporate network that needs to be monitored or a non-corporate network that can be ignored. Corporate networks are typically chosen to be monitored. However, you can override this decision by choosing to monitor non-corporate networks where onboarded devices are found.
-You can configure where device discovery can be performed by specifying which networks to monitor. When a network is monitored, device discovery can be performed on it.
+ Microsoft Defender for Endpoint analyzes a network and determines if it's a corporate network that needs to be monitored or a non-corporate network that can be ignored. Corporate networks are typically chosen to be monitored. However, you can override this decision by choosing to monitor non-corporate networks where onboarded devices are found.
+
+You can configure where device discovery can be performed by specifying which networks to monitor. When a network is monitored, device discovery can be performed on it.
-A list of networks where device discovery can be performed is shown in the **Monitored networks** page.
+A list of networks where device discovery can be performed is shown in the **Monitored networks** page.
> [!NOTE]
-> Only top 50 networks (according to the number of associated devices) will be available in the network list.
+> Only top 50 networks (according to the number of associated devices) will be available in the network list.
The list of monitored networks is sorted based upon the total number of devices seen on the network in the last 7 days.
You can apply a filter to view any of the following network discovery states:
- **Monitored networks** - Networks where device discovery is performed. - **Ignored networks** - This network will be ignored and device discovery won't be performed on it.-- **All** - Both monitored and ignored networks will be displayed.
+- **All** - Both monitored and ignored networks will be displayed.
### Configure the network monitor state
Choosing the initial discovery classification means applying the default system-
5. Choose whether you want to monitor, ignore, or use the initial discovery classification. > [!WARNING]
- > - Choosing to monitor a network that was not identified by Microsoft Defender for Endpoint as a corporate network can cause device discovery outside of your corporate network, and may therefore detect home or other non-corporate devices.
+ >
+ > - Choosing to monitor a network that was not identified by Microsoft Defender for Endpoint as a corporate network can cause device discovery outside of your corporate network, and may therefore detect home or other non-corporate devices.
> - Choosing to ignore a network will stop monitoring and discovering devices in that network. Devices that were already discovered won't be removed from the inventory, but will no longer be updated, and details will be retained until the data retention period of the Defender for Endpoint expires. > - Before choosing to monitor non-corporate networks, you must ensure you have permission to do so. <br>
-6. Confirm that you want to make the change.
+6. Confirm that you want to make the change.
## Explore devices in the network
You can use the following advanced hunting query to get more context about each
```kusto DeviceNetworkInfo | where Timestamp > ago(7d)
-| summarize arg_max(Timestamp, *) by DeviceId
| where ConnectedNetworks != "" | extend ConnectedNetworksExp = parse_json(ConnectedNetworks) | mv-expand bagexpansion = array ConnectedNetworks=ConnectedNetworksExp | extend NetworkName = tostring(ConnectedNetworks ["Name"]), Description = tostring(ConnectedNetworks ["Description"]), NetworkCategory = tostring(ConnectedNetworks ["Category"]) | where NetworkName == "<your network name here>"
+| summarize arg_max(Timestamp, *) by DeviceId
``` ## Get information on device
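Review bot: moving `| summarize arg_max(Timestamp, *) by DeviceId` from directly after `| where Timestamp > ago(7d)` to after `| where NetworkName == "<your network name here>"` changes what the query returns. Before the move, each device is reduced to its single most recent network record and then filtered, so only devices whose latest record is on the named network appear. After the move, every record from the last 7 days is filtered by network name first and the latest match per device is kept, so a device that was seen on the network at any point in the window, including one that has since moved to another network, is returned with its last matching record. If the broader result set is intended, the sentence introducing the query should say so; otherwise keep the `summarize` before the `mv-expand` and filter.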
You can use the following advanced hunting query to get the latest complete info
```kusto DeviceInfo | where DeviceName == "<device name here>" and isnotempty(OSPlatform)
-| summarize arg_max(Timestamp, *) by DeviceId
+| summarize arg_max(Timestamp, *) by DeviceId
``` --- ## See also - [Device discovery overview](device-discovery.md)
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
****
-| Privilege | Permission |
-|:|:|
-| Access | Read, Write, Execute |
-| Action Mode | Audit, Allow, Prevent |
-| CSP Support | Yes |
-| GPO Support | Yes |
-| User-based Support | Yes |
-| Machine-based Support | Yes |
+|Privilege|Permission|
+|||
+|Access|Read, Write, Execute|
+|Action Mode|Audit, Allow, Prevent|
+|CSP Support|Yes|
+|GPO Support|Yes|
+|User-based Support|Yes|
+|Machine-based Support|Yes|
+|
## Prepare your endpoints
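Review bot: the delimiter row of the rewritten table is `|||` with no dashes, while the removed row was `|:|:|`. GitHub-flavored markdown requires at least one dash per cell in the delimiter row (`|---|---|`) for a pipe table to render, so confirm the docs build accepts the empty form before dropping the markers, and note that the explicit left alignment from `:` is also lost. The new trailing `|` on its own line is not table syntax either; if it is a build convention, say so in the commit message so later editors do not strip it as a typo.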
Deploy Removable Storage Access Control on Windows 10 devices that have antimalw
You can use the following properties to create a removable storage group:
-#### Removable Storage Group
-|Property Name |Description |Options |
-||||
-|**GroupId** | [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the group and will be used in the policy. | |
-|**DescriptorIdList** | List the device properties you want to use to cover in the group. For each device property, see [Device Properties](/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection?view=o365-worldwide&preserve-view=true) for more detail.ΓÇï | - **PrimaryId**ΓÇï: RemovableMediaDevices, CdRomDevices, WpdDevices</br> - **DeviceIdΓÇï** </br>- **HardwareIdΓÇï**</br>- **InstancePathId**ΓÇï: InstancePathId is a string that uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*</br>- **FriendlyNameIdΓÇï**</br>- **SerialNumberIdΓÇï**</br>- **VIDΓÇï**</br>- **PIDΓÇï**</br>- **VID_PID**</br> 0751_55E0: match this exact VID/PID pair </br>_55E0: match any media with PID=55E0 </br>0751_: match any media with VID=0751 |
-|**MatchType** | When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship. | **MatchAll**: </br>ΓÇïAny attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.ΓÇï </br> </br>**MatchAny**:</br> ΓÇïThe attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.ΓÇï |
+### Removable Storage Group
+
+<br>
+
+****
+
+|Property Name|Description|Options|
+||||
+|**GroupId**|[GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the group and will be used in the policy.||
+|**DescriptorIdList**|List the device properties you want to use to cover in the group. For each device property, see [Device Properties](device-control-removable-storage-protection.md) for more detail.ΓÇï|<ul><li>**PrimaryId**ΓÇï: RemovableMediaDevices, CdRomDevices, WpdDevices</li><li>**DeviceIdΓÇï**</li><li>**HardwareIdΓÇï**</li><li>**InstancePathId**ΓÇï: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`.</li><li>**FriendlyNameIdΓÇï**</li><li>**SerialNumberIdΓÇï**</li><li>**VIDΓÇï**</li><li>**PIDΓÇï**</li><li>**VID_PID**<ul><li>0751_55E0: match this exact VID/PID pair</li><li>55E0: match any media with PID=55E0 </li><li>0751: match any media with VID=0751</li></ul></li></ul>|
+|**MatchType**|When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.|**MatchAll**: ΓÇïAny attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: ΓÇïThe attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.ΓÇï|
||||
-#### Access Control Policy
+### Access Control Policy
+
+<br>
+
+****
-|Property Name |Description |Options |
-||||
-|PolicyRuleIdΓÇï | [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the policy and will be used in the reporting and troubleshooting. | |
-|IncludedIdList | The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups. | The Group ID/GUID must be used at this instance.ΓÇï </br> ΓÇïThe following example shows the usage of GroupID:ΓÇï </br> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>ΓÇï` |
-|ExcludedIDList | The group(s) that the policy will not be applied to. | The Group ID/GUID must be used at this instance. |
-|Entry Id | One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.ΓÇï | |
-|Type|Defines the action for the removable storage groups in IncludedIDList.ΓÇï </br>- Enforcement: Allow or DenyΓÇï </br>- Audit: AuditAllowed or AuditDeniedΓÇï|- AllowΓÇï </br>- DenyΓÇï</br> - AuditAllowed: Defines notification and event when access is allowedΓÇï</br>- AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.ΓÇï </br></br> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.ΓÇï|
+|Property Name|Description|Options|
+||||
+|PolicyRuleIdΓÇï|[GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the policy and will be used in the reporting and troubleshooting.||
+|IncludedIdList|The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.|The Group ID/GUID must be used at this instance. <p> ΓÇïThe following example shows the usage of GroupID: <p> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>ΓÇï`|
+|ExcludedIDList|The group(s) that the policy will not be applied to.|The Group ID/GUID must be used at this instance.|
+|Entry Id|One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.ΓÇï||
+|Type|Defines the action for the removable storage groups in IncludedIDList. <ul><li>Enforcement: Allow or DenyΓÇï</li><li>Audit: AuditAllowed or AuditDenied</ul></li>ΓÇï|<ul><li>Allow</li><li>DenyΓÇï</li><li>AuditAllowed: Defines notification and event when access is allowedΓÇï</li><li>AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.</li></ul> <p> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.ΓÇï|
|Sid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine.ΓÇï|| |ComputerSid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry.ΓÇï||
-|Options|Defines whether to display notification or notΓÇï|**0-4**: When Type Allow or Deny is selected.</br>ΓÇï</br>0: nothingΓÇï</br>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification.ΓÇï </br> </br>When Type **AuditAllowed** or **AuditDenied** is selected:ΓÇï</br>0: nothingΓÇï</br>1: show notificationΓÇï</br>2: send eventΓÇï</br>3: show notification and send eventΓÇï|
-|AccessMask|Defines the access.ΓÇï|**1-7**:ΓÇï </br></br>1: ReadΓÇï</br>2: WriteΓÇï</br>3: Read and WriteΓÇï</br>4: ExecuteΓÇï</br>5: Read and ExecuteΓÇï</br>6: Write and ExecuteΓÇï</br>7: Read and Write and ExecuteΓÇï|
+|Options|Defines whether to display notification or notΓÇï|**0-4**: When Type Allow or Deny is selected. <ul><li>0: nothing</li><li>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification.ΓÇï</li></ul> <p> When Type **AuditAllowed** or **AuditDenied** is selected: <ul><li>0: nothingΓÇï</li><li>1: show notificationΓÇï</li><li>2: send event</li><li>3: show notification and send eventΓÇï</li></ul>|
+|AccessMask|Defines the access.ΓÇï|**1-7**: <ol><li>ReadΓÇï</li><li>WriteΓÇï</li><li>Read and WriteΓÇï</li><li>ExecuteΓÇï</li><li>Read and Execute</li><li>Write and ExecuteΓÇï</li><li>Read and Write and Execute</li></ol>ΓÇï|
|||| ## Common Removable Storage Access Control scenarios
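Review bot: the VID_PID options in the rewritten DescriptorIdList row lose the partial-match syntax. The removed line documented `_55E0` as "match any media with PID=55E0" and `0751_` as "match any media with VID=0751"; the new nested list shows `55E0` and `0751` without the underscore, so a reader can no longer tell how to write a VID-only or PID-only match, and a policy built from the new text may not match what the administrator intended. Restore `_55E0` and `0751_`. Two smaller points in the same rows: in the Type row the closing tags are out of order (`Audit: AuditAllowed or AuditDenied</ul></li>` should end with `</li></ul>`), and the `ΓÇï` sequences scattered through the cells are mis-encoded zero-width spaces that should be stripped rather than carried into the new table.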
For policy deployment in Intune, the account must have permissions to create, ed
### Deploying policy via OMA-URI
-**Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com/) -> Devices -> Configuration profiles -> Create profile -> Platform: Windows 10 and later & Profile: Custom**
+Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> **Devices** \> **Configuration profiles** \> **Create profile** \> **Platform: Windows 10 and later & Profile: Custom**
1. For each Group, create an OMA-URI rule: - OMA-URI:
This capability (in Microsoft Endpoint Manager admin center (<https://endpoint.m
## View Device Control Removable Storage Access Control data in Microsoft Defender for Endpoint
-The Microsoft 365 security portal shows removable storage blocked by the Device Control Removable Storage Access Control. To access the Microsoft 365 security, you must have the following subscription:
+The [Microsoft 365 Defender portal](https://security.microsoft.com/advanced-hunting) shows events triggered by the Device Control Removable Storage Access Control. To access the Microsoft 365 security, you must have the following subscription:
- Microsoft 365 for E5 reporting
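Review bot: the sentence following the new portal link still reads "To access the Microsoft 365 security, you must have the following subscription", which is missing the word "portal" and no longer matches the "Microsoft 365 Defender portal" link text introduced on the previous line. The link now points at the advanced hunting page while the prose says the portal "shows events"; if the events are only reachable through advanced hunting (which the DeviceEvents query below suggests), state that explicitly so readers do not look for a dedicated report view.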
DeviceEvents
| extend MediaProductId = tostring(parsed.ProductId)  | extend MediaVendorId = tostring(parsed.VendorId)  | extend MediaSerialNumber = tostring(parsed.SerialNumber) 
-| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber
+|project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber
| order by Timestamp desc ```
security Enable Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-network-protection.md
Confirm network protection is enabled on a local computer by using Registry edit
## See also - [Network protection](network-protection.md)+
+- [Network protection and the TCP three-way handshake](network-protection.md#network-protection-and-the-tcp-three-way-handshake)
+ - [Evaluate network protection](evaluate-network-protection.md)+ - [Troubleshoot network protection](troubleshoot-np.md)
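Review bot: list indentation in the See also block is inconsistent: the new `- [Network protection and the TCP three-way handshake]` item is flush left, while the following ` - [Evaluate network protection]` and ` - [Troubleshoot network protection]` items are indented by one space, which some renderers treat as a continuation or nested list. Put every item at the same indent. The `+` glued to the end of `- [Network protection](network-protection.md)+` looks like a stray character or a diff rendering artifact; check the raw file.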
security Evaluate Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-network-protection.md
Enable network protection in audit mode to see which IP addresses and domains wo
1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
-1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net).
+2. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net).
The network connection will be allowed and a test message will be displayed. ![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png)
+> [!NOTE]
+> Network connections can be successful even though a site is blocked by network protection. To learn more, see [Network protection and the TCP three-way handshake](network-protection.md#network-protection-and-the-tcp-three-way-handshake).
+ ## Review network protection events in Windows Event Viewer To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events. | Event ID | Provide/Source | Description |
-|-|-|-|
-|5007 | Windows Defender (Operational) | Event when settings are changed |
-|1125 | Windows Defender (Operational) | Event when a network connection is audited |
-|1126 | Windows Defender (Operational) | Event when a network connection is blocked |
+||||
+| 5007 | Windows Defender (Operational) | Event when settings are changed |
+| 1125 | Windows Defender (Operational) | Event when a network connection is audited |
+| 1126 | Windows Defender (Operational) | Event when a network connection is blocked |
## See also
-* [Network protection](network-protection.md)
-* [Enable network protection](enable-network-protection.md)
-* [Troubleshoot network protection](troubleshoot-np.md)
+- [Network protection](network-protection.md)
+
+- [Network protection and the TCP three-way handshake](network-protection.md#network-protection-and-the-tcp-three-way-handshake)
+
+- [Enable network protection](enable-network-protection.md)
+
+- [Troubleshoot network protection](troubleshoot-np.md)
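Review bot: the new delimiter row `||||` has no dashes, whereas the removed `|-|-|-|` was valid GitHub-flavored markdown; confirm the docs build renders the empty form before dropping the dashes. The blank lines inserted between the See also items turn a tight list into a loose one rendered with paragraph spacing, which none of the other See also lists in this change set use; keep the items adjacent unless that spacing is intended. Separately, the unchanged sentence "The network connection will be allowed and a test message will be displayed" sits beside an image whose alt text describes a blocked connection; with the new note about connections succeeding even when a site is blocked, the sentence and the alt text should be reconciled so the reader knows which outcome to expect in audit mode.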
security Get All Vulnerabilities By Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-vulnerabilities-by-machines.md
Retrieves a list of all the vulnerabilities affecting the organization per [mach
- If the vulnerability has a fixing KB, it will appear in the response. - Supports [OData V4 queries](https://www.odata.org/documentation/).-- The OData ```$filter``` is supported on all properties.
+- The OData's `$filter` query is supported on: `id`, `cveId`, `machineId`, `fixingKbId`, `productName`, `productVersion`, `severity`, and `productVendor` properties.
+<br>```$stop``` with max value of 10,000
+<br>```$skip```
> [!TIP] > This is great API for [Power BI integration](api-power-bi.md).
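Review bot: `$stop` in the added line `<br>```$stop``` with max value of 10,000` is a typo for the OData `$top` operator (the other API pages in this change set use `$top`). The added filter line correctly replaces the blanket "supported on all properties" claim with an explicit property list, but "The OData's `$filter` query is supported on" should read "The OData `$filter` query is supported on", and the three `<br>`-prefixed lines would be clearer as list items, matching the other pages.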
security Get All Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-vulnerabilities.md
[!include[Prerelease information](../../includes/prerelease.md)]
-Retrieves a list of all the vulnerabilities.
+## API description
+
+Retrieves a list of all vulnerabilities.
+<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
+<br>OData supported operators:
+<br>```$filter``` on: ```id```, ```name```, ```description```, ```cvssV3```, ```publishedOn```, ```severity```, and ```updatedOn``` properties.
+<br>```$top``` with max value of 10,000.
+<br>```$skip```.
+<br>See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md).
## Permissions
security Get Machine Group Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-group-exposure-score.md
[!include[Prerelease information](../../includes/prerelease.md)]
-Retrieves a collection of alerts related to a given domain address.
+Retrieves the exposure score for each machine group.
## Permissions
security Get Recommendation Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-vulnerabilities.md
One of the following permissions is required to call this API. To learn more, in
Permission type|Permission|Permission display name :|:|:
-Application|SecurityRecommendation.Read.All|'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account)|SecurityRecommendation.Read|'Read Threat and Vulnerability Management security recommendation information'
+Application|Vulnerability.Read.All |'Read Threat and Vulnerability Management security recommendation information'
+Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management security recommendation information'
## HTTP request
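Review bot: the permission names change from `SecurityRecommendation.Read.All` / `SecurityRecommendation.Read` to `Vulnerability.Read.All` / `Vulnerability.Read`, but the display-name column is unchanged and still reads 'Read Threat and Vulnerability Management security recommendation information'. An administrator granting consent sees the display name, so if the API now requires the vulnerability permission the display name should be updated to match; if the display name is right, the permission rename needs a second look. The trailing space in `Vulnerability.Read.All |` is also inconsistent with the row below.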
security Get Remediation All Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-all-activities.md
Returns information about all remediation activities.
[Learn more about remediation activities](tvm-remediation.md). **URL:** GET: /api/remediationTasks
+<br>Supports [OData V4 queries](https://www.odata.org/documentation/).
+<br>OData supported operators:
+<br>```$filter``` on: ```createdon``` and ```status``` properties.
+<br>```$top``` with max value of 10,000.
+<br>```$skip```.
+<br>See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md).
## Permissions
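Review bot: the filterable property is listed as `createdon`, all lowercase, while the other API pages in this change set use camelCase names such as `publishedOn` and `updatedOn`. OData property names are case-sensitive, so confirm whether the endpoint exposes `createdOn` or `createdon` and use the exact spelling; a reader copying the documented name into a `$filter` will get an error if it is wrong.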
security Get Vuln By Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-vuln-by-software.md
One of the following permissions is required to call this API. To learn more, in
Permission type|Permission|Permission display name :|:|:
-Application|Software.Read.All|'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account)|Software.Read|'Read Threat and Vulnerability Management Software information'
+Application|Vulnerability.Read.All|'Read Threat and Vulnerability Management Software information'
+Delegated (work or school account)|Vulnerability.Read|'Read Threat and Vulnerability Management Software information'
## HTTP request
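Review bot: the permission changes from `Software.Read.All` / `Software.Read` to `Vulnerability.Read.All` / `Vulnerability.Read`, while the display-name column still reads 'Read Threat and Vulnerability Management Software information'. This is the same name/display-name disagreement as in the Get Recommendation Vulnerabilities hunk above; update one or the other so the permission and its display name describe the same thing.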
security Gov https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/gov.md
Microsoft Defender for Endpoint for US Government customers requires one of the
### Desktop licensing
-GCC|GCC High|DoD
-:|:|:
-Microsoft 365 GCC G5|Microsoft 365 E5 for GCC High|Microsoft 365 G5 for DOD
-Microsoft 365 G5 Security GCC|Microsoft 365 G5 Security for GCC High|Microsoft 365 G5 Security for DOD
-Microsoft Defender for Endpoint - GCC|Microsoft Defender for Endpoint for GCC High|Microsoft Defender for Endpoint for DOD
-Windows 10 Enterprise E5 GCC|Windows 10 Enterprise E5 for GCC High|Windows 10 Enterprise E5 for DOD
+<br>
+
+****
+
+|GCC|GCC High|DoD|
+||||
+|Microsoft 365 GCC G5|Microsoft 365 E5 for GCC High|Microsoft 365 G5 for DOD|
+|Microsoft 365 G5 Security GCC|Microsoft 365 G5 Security for GCC High|Microsoft 365 G5 Security for DOD|
+|Microsoft Defender for Endpoint - GCC|Microsoft Defender for Endpoint for GCC High|Microsoft Defender for Endpoint for DOD|
+|Windows 10 Enterprise E5 GCC|Windows 10 Enterprise E5 for GCC High|Windows 10 Enterprise E5 for DOD|
+|
### Server licensing
-GCC|GCC High|DoD
-:|:|:
-Microsoft Defender for Endpoint Server GCC|Microsoft Defender for Endpoint Server for GCC High|Microsoft Defender for Endpoint Server for DOD
-Azure Defender for Servers|Azure Defender for Servers - Government|Azure Defender for Servers - Government
+<br>
+
+****
+
+|GCC|GCC High|DoD|
+||||
+|Microsoft Defender for Endpoint Server GCC|Microsoft Defender for Endpoint Server for GCC High|Microsoft Defender for Endpoint Server for DOD|
+|Azure Defender for Servers|Azure Defender for Servers - Government|Azure Defender for Servers - Government|
+|
## Portal URLs The following are the Microsoft Defender for Endpoint portal URLs for US Government customers:
-Customer type|Portal URL
-:|:
-GCC|<https://gcc.securitycenter.microsoft.us>
-GCC High|<https://securitycenter.microsoft.us>
-DoD|<https://securitycenter.microsoft.us>
+<br>
+
+****
+
+|Customer type|Portal URL|
+|||
+|GCC|<https://gcc.securitycenter.microsoft.us>|
+|GCC High|<https://securitycenter.microsoft.us>|
+|DoD|<https://securitycenter.microsoft.us>|
+|
## Endpoint versions
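Review bot: each rewritten table is now preceded by `<br>`, a blank line and `****`, and followed by a lone `|` line. In CommonMark `****` is a thematic break (horizontal rule) and a trailing `|` on its own line is not table syntax, so confirm these are deliberate docs-build conventions rather than leftovers, and if they are conventions, note that in the commit message. The new delimiter rows `||||` and `|||` also drop the `:` alignment markers the removed rows had (`:|:|:` and `:|:`), so alignment now depends on the renderer default.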
DoD|<https://securitycenter.microsoft.us>
The following OS versions are supported:
-OS version|GCC|GCC High|DoD
-:|::|::|::
-Windows 10, version 21H1 and above|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 10, version 1709|![No](images/svg/check-no.svg) <p> Note: Won't be supported|![Yes](images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147) <p> Note: [Deprecated](/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade|![No](images/svg/check-no.svg) <p> Note: Won't be supported
-Windows 10, version 1703 and earlier|![No](images/svg/check-no.svg) <p> Note: Won't be supported|![No](images/svg/check-no.svg) <p> Note: Won't be supported|![No](images/svg/check-no.svg) <p> Note: Won't be supported
-Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows Server 2016|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows Server 2012 R2|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows Server 2008 R2 SP1|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 8.1 Enterprise|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 8 Pro|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 7 SP1 Enterprise|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows 7 SP1 Pro|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Linux|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-macOS|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Android|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
-iOS|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
+<br>
+
+****
+
+|OS version|GCC|GCC High|DoD|
+||::|::|::|
+|Windows 10, version 21H1 and above|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 10, version 1709|![No](images/svg/check-no.svg) <p> Note: Won't be supported|![Yes](images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147) <p> Note: [Deprecated](/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade|![No](images/svg/check-no.svg) <p> Note: Won't be supported|
+|Windows 10, version 1703 and earlier|![No](images/svg/check-no.svg) <p> Note: Won't be supported|![No](images/svg/check-no.svg) <p> Note: Won't be supported|![No](images/svg/check-no.svg) <p> Note: Won't be supported|
+|Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839))|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows Server 2016|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows Server 2012 R2|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows Server 2008 R2 SP1|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 8.1 Enterprise|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 8 Pro|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 7 SP1 Enterprise|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows 7 SP1 Pro|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Linux|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|macOS|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Android|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|
+|iOS|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|
+|
> [!NOTE] > Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.
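Review bot: the delimiter row `||::|::|::|` uses `::` for the three centered columns, which is not valid GitHub-flavored markdown alignment syntax (`:-:` is). The removed row `:|::|::|::` had the same form, so the docs renderer may already tolerate it, but it is worth confirming that the centered check-mark columns still render once the table is re-fenced with outer pipes, since a broken delimiter row turns the whole support matrix into plain text.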
iOS|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg)
The following OS versions are supported when using [Azure Defender for Servers](/azure/security-center/security-center-wdatp):
-OS version|GCC|GCC High|DoD
-:|::|::|::
-Windows Server 2019|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows Server 2016|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows Server 2012 R2|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Windows Server 2008 R2 SP1|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
+<br>
+
+****
+
+|OS version|GCC|GCC High|DoD|
+||::|::|::|
+|Windows Server 2019|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows Server 2016|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows Server 2012 R2|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Windows Server 2008 R2 SP1|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|
## Required connectivity settings
If a proxy or firewall is blocking all traffic by default and allowing only spec
The following downloadable spreadsheet lists the services and their associated URLs your network must be able to connect to. Verify there are no firewall or network filtering rules that would deny access to these URLs, or create an *allow* rule specifically for them.
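Review bot: the header separator row of the Azure Defender for Servers table reads `||::|::|::|`: the first cell is empty and no cell carries the dashes markdown requires, so if the source really looks like this the table will not render. It should be `|---|:---:|:---:|:---:|` (left-aligned OS column, centered status columns), which is the intent of the old `:|::|::|::` row. The same bare `+|` line follows this table as well.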
-Spreadsheet of domains list|Description
-:--|:--
-![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)
+<br>
+
+****
+
+|Spreadsheet of domains list|Description|
+|||
+|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)|Spreadsheet of specific DNS records for service locations, geographic locations, and OS. <p> [Download the spreadsheet here.](https://download.microsoft.com/download/8/e-urls.xlsx)|
+|
For more information, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
You can find the Azure IP ranges in [Azure IP Ranges and Service Tags - US Gover
Instead of the public URIs listed in our [API documentation](apis-intro.md), you'll need to use the following URIs:
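Review bot: the download link in the spreadsheet row, `https://download.microsoft.com/download/8/e-urls.xlsx`, is carried over unchanged from the old row but does not look like a complete download.microsoft.com path. Since this row is being rewritten anyway, confirm the URL resolves to the Defender for Endpoint URL spreadsheet before merging; a broken allow-list source is exactly the kind of link admins copy into firewall change requests.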
-Endpoint type|GCC|GCC High & DoD
-:|:|:
-Login|`https://login.microsoftonline.com`|`https://login.microsoftonline.us`
-Defender for Endpoint API|`https://api-gcc.securitycenter.microsoft.us`|`https://api-gov.securitycenter.microsoft.us`
-SIEM|`https://wdatp-alertexporter-us.gcc.securitycenter.windows.us`|`https://wdatp-alertexporter-us.securitycenter.windows.us`
+<br>
+
+****
+
+|Endpoint type|GCC|GCC High & DoD|
+||||
+|Login|`https://login.microsoftonline.com`|`https://login.microsoftonline.us`|
+|Defender for Endpoint API|`https://api-gcc.securitycenter.microsoft.us`|`https://api-gov.securitycenter.microsoft.us`|
+|SIEM|`https://wdatp-alertexporter-us.gcc.securitycenter.windows.us`|`https://wdatp-alertexporter-us.securitycenter.windows.us`|
+|
## Feature parity with commercial
Defender for Endpoint for US Government customers doesn't have complete parity w
These are the known gaps:
-Feature name|GCC|GCC High|DoD
-:|::|::|::
-Network discovery|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
-Web content filtering|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
-Integrations: Azure Sentinel|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Alerts <p> ![Yes](images/svg/check-yes.svg) Incidents & Raw data: In preview|![Yes](images/svg/check-yes.svg) Alerts <p> ![Yes](images/svg/check-yes.svg) Incidents & Raw data: In preview
-Integrations: Microsoft Cloud App Security|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development
-Integrations: Microsoft Compliance Manager|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)
-Integrations: Microsoft Defender for Identity|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) Rolling out
-Integrations: Microsoft Endpoint DLP|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) Rolling out
-Integrations: Microsoft Power Automate & Azure Logic Apps|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Azure Logic Apps <p> ![No](images/svg/check-no.svg) Power Automate: In development
-Microsoft Threat Experts|![No](images/svg/check-no.svg) On engineering backlog|![No](images/svg/check-no.svg) On engineering backlog|![No](images/svg/check-no.svg) On engineering backlog
+<br>
+
+****
+
+|Feature name|GCC|GCC High|DoD|
+||::|::|::|
+|Network discovery|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|
+|Web content filtering|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|![No](images/svg/check-no.svg) In development|
+|Integrations: Azure Sentinel|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Alerts <p> ![Yes](images/svg/check-yes.svg) Incidents & Raw data: In private preview|![Yes](images/svg/check-yes.svg) Alerts <p> ![Yes](images/svg/check-yes.svg) Incidents & Raw data: In private preview|
+|Integrations: Microsoft Cloud App Security|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) Rolling out|![No](images/svg/check-no.svg) Rolling out|
+|Integrations: Microsoft Defender for Identity|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|
+|Integrations: Microsoft Endpoint DLP|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![No](images/svg/check-no.svg) Rolling out|
+|Integrations: Microsoft Power Automate & Azure Logic Apps|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg)|![Yes](images/svg/check-yes.svg) Azure Logic Apps <p> ![No](images/svg/check-no.svg) Power Automate: In development|
+|Microsoft Threat Experts|![No](images/svg/check-no.svg) On engineering backlog|![No](images/svg/check-no.svg) On engineering backlog|![No](images/svg/check-no.svg) On engineering backlog|
+|
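Review bot: this hunk changes product status, not just table formatting: Microsoft Defender for Identity moves from `Rolling out` to available (check-yes) in GCC, GCC High and DoD; Microsoft Cloud App Security in GCC High and DoD moves from `In development` to `Rolling out`; and the Azure Sentinel incidents and raw data item becomes `In private preview`. These are the facts a GCC/DoD customer reads this table for, so call them out in the commit message and confirm each against the release tracker rather than letting them ride in under a reformatting change.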
security List Recommendation Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/list-recommendation-software.md
One of the following permissions is required to call this API. To learn more, in
Permission type|Permission|Permission display name :|:|:
-Application|SecurityRecommendation.Read.All|'Read Threat and Vulnerability Management security recommendation information'
+Application|Software.Read.All|'Read Threat and Vulnerability Management Software information'
Delegated (work or school account)|SecurityRecommendation.Read|'Read Threat and Vulnerability Management security recommendation information' ## HTTP request
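Review bot: the permission table is now inconsistent: the Application row changes to `Software.Read.All` ('Read Threat and Vulnerability Management Software information') while the Delegated row still lists `SecurityRecommendation.Read`. Either the delegated permission should move to the matching `Software.Read` scope as well, or the text should say why an app registration needs the software permission while a signed-in user needs the recommendation permission. Also, `## HTTP request` appears fused onto the end of the Delegated row; if that is how the source reads, the heading needs a blank line and its own line to render.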
security Microsoft Defender Endpoint Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md
Title: Microsoft Defender for Endpoint on Android-+ description: Describes how to install and use Microsoft Defender for Endpoint on Android keywords: microsoft, defender, Microsoft Defender for Endpoint, android, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
This topic describes how to install, configure, update, and use Defender for End
> [!CAUTION] > Running other third-party endpoint protection products alongside Defender for Endpoint on Android is likely to cause performance problems and unpredictable system errors. - ## How to install Microsoft Defender for Endpoint on Android ### Prerequisites -- **For end users**-
- - Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](/microsoft-365/security/defender-endpoint/minimum-requirements#licensing-requirements)
-
- - Intune Company Portal app can be downloaded from [Google
- Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
- and is available on the Android device.
+- **For end users**:
+ - Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](/microsoft-365/security/defender-endpoint/minimum-requirements#licensing-requirements)
+ - Intune Company Portal app can be downloaded from [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) and is available on the Android device.
+ - Additionally, device(s) can be [enrolled](/mem/intune/user-help/enroll-device-android-company-portal) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
+ - For more information on how to assign licenses, see [Assign licenses to users](/azure/active-directory/users-groups-roles/licensing-groups-assign).
- - Additionally, device(s) can be
- [enrolled](/mem/intune/user-help/enroll-device-android-company-portal)
- via the Intune Company Portal app to enforce Intune device compliance
- policies. This requires the end user to be assigned a Microsoft Intune license.
+- **For Administrators**
+ - Access to the Microsoft 365 Defender portal.
- - For more information on how to assign licenses, see [Assign licenses to
- users](/azure/active-directory/users-groups-roles/licensing-groups-assign).
-
+ > [!NOTE]
+ > - Microsoft Defender for Endpoint now extends protection to an organizationΓÇÖs data within a managed application for those who arenΓÇÖt using mobile device management (MDM) but are using Intune to manage mobile applications. It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for [mobile application management (MAM)](/mem/intune/apps/mam-faq).
+ > - In addition, Microsoft Defender for Endpoint already supports devices that are enrolled using Intune mobile device management (MDM).
-- **For Administrators**
+ - Access [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization.
- - Access to the Microsoft 365 Defender portal.
-
- > [!NOTE]
- > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint on Android. Currently only enrolled devices are supported for enforcing Defender for Endpoint on Android related device compliance policies in Intune.
-
- - Access [Microsoft Endpoint Manager admin
- center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the
- app to enrolled user groups in your organization.
-
### Network Requirements - For Microsoft Defender for Endpoint on Android to function when connected to a network the firewall/proxy will need to be configured to [enable access to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). ### System Requirements -- Mobile phones running Android 6.0 and above. **Tablets and other mobile devices running Android are not currently supported.** --- Intune Company Portal app is downloaded from [Google
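Review bot: the added NOTE under **For Administrators** (`organizationΓÇÖs`, `arenΓÇÖt`) contains mojibake where the apostrophes should be: `ΓÇÖ` is a UTF-8 right single quote decoded through a legacy code page. Replace with plain `'` (organization's, aren't) and check the file is saved as UTF-8. The note also still sits between the two administrator bullets (portal access and Endpoint Manager admin center), which splits the list; consider placing it after the last bullet so the list reads continuously.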
- Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
- and installed. Device enrollment is required for Intune device compliance policies to be enforced.
+- Mobile phones running Android 6.0 and above. **Tablets and other mobile devices running Android are not currently supported.**
+- Intune Company Portal app is downloaded from [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) and installed. Device enrollment is required for Intune device compliance policies to be enforced.
### Installation instructions
-Microsoft Defender for Endpoint on Android supports installation on both modes of
-enrolled devices - the legacy Device Administrator and Android Enterprise modes.
-**Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrollments are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
-
-Deployment of Microsoft Defender for Endpoint on Android is via Microsoft Intune (MDM).
-For more information, see [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md).
+Microsoft Defender for Endpoint on Android supports installation on both modes of enrolled devices - the legacy Device Administrator and Android Enterprise modes. **Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrollments are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
+Deployment of Microsoft Defender for Endpoint on Android is via Microsoft Intune (MDM). For more information, see [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md).
> [!NOTE]
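Review bot: in the Installation instructions hunk the two paragraphs (`Microsoft Defender for Endpoint on Android supports installation ...` and `Deployment of Microsoft Defender for Endpoint on Android is via Microsoft Intune (MDM). ...`) are now adjacent lines with the separating blank line removed, so markdown will join them into one paragraph. Keep the blank line between them.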
-> **Microsoft Defender for Endpoint on Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.** <br> You can connect to Google Play from Intune to deploy Microsoft Defender for Endpoint app, across Device Administrator and Android Enterprise entrollment modes.
+> **Microsoft Defender for Endpoint on Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.**
+>
+> You can connect to Google Play from Intune to deploy Microsoft Defender for Endpoint app, across Device Administrator and Android Enterprise entrollment modes.
## How to Configure Microsoft Defender for Endpoint on Android Guidance on how to configure Microsoft Defender for Endpoint on Android features is available in [Configure Microsoft Defender for Endpoint on Android features](android-configure.md). -- ## Related topics+ - [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md) - [Configure Microsoft Defender for Endpoint on Android features](android-configure.md)-
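Review bot: the new NOTE line `You can connect to Google Play from Intune to deploy Microsoft Defender for Endpoint app, across Device Administrator and Android Enterprise entrollment modes.` carries the typo `entrollment` (should be `enrollment`) over from the removed line, and `deploy Microsoft Defender for Endpoint app` needs an article (`the ... app`). Since the line is being rewritten, fix both here.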
+- [Mobile Application Management (MAM) basics](/mem/intune/apps/app-management#mobile-application-management-mam-basics)
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
ms.technology: mde
- Access to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization. > [!NOTE]
- > Microsoft Intune is the only supported Unified Endpoint Management (UEM) solution for deploying Microsoft Defender for Endpoint and enforcing Defender for Endpoint related device compliance policies in Intune.
+ > - Microsoft Defender for Endpoint now extends protection to an organizationΓÇÖs data within a managed application for those who arenΓÇÖt using mobile device management (MDM) but are using Intune to manage mobile applications. It also extends this support to customers who use other enterprise mobility management solutions, while still using Intune for [mobile application management (MAM)](/mem/intune/apps/mam-faq).
+ > - In addition, Microsoft Defender for Endpoint already supports devices that are enrolled using Intune mobile device management (MDM).
**System Requirements**
For more information, see [Deploy Microsoft Defender for Endpoint on iOS](ios-in
- [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md) - [Configure app protection policy to include Defender for Endpoint risk signals (MAM)](ios-install-unmanaged.md) - [Configure Conditional Access policy based on device risk score from Microsoft Defender for Endpoint](ios-configure-features.md#conditional-access-with-defender-for-endpoint-on-ios)
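Review bot: same mojibake as in the Android page: the added NOTE line reads `organizationΓÇÖs` and `arenΓÇÖt`; the `ΓÇÖ` sequence is a mis-decoded apostrophe and must be replaced with `'` before merge. The hunk also deletes the statement that Intune is the only supported UEM for deploying Defender for Endpoint on iOS and enforcing its compliance policies without replacing it; if that restriction still holds for MDM-enrolled devices, keep a sentence saying so next to the new MAM note so readers do not assume other UEMs now enforce Defender device compliance.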
+- [Mobile Application Management (MAM) basics](/mem/intune/apps/app-management#mobile-application-management-mam-basics)
security Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection.md
localization_priority: Normal
audience: ITPro -+ ms.technology: mde-+ # Protect your network
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet. Network protection expands the scope of [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
+## Overview of network protection
-Network protection is supported on Windows, beginning with Windows 10, version 1709. Network protection is not yet supported on other operating systems, but web protection is supported using the new Microsoft Edge based on Chromium. To learn more, see [Web protection](web-protection-overview.md).
+Network protection helps protect devices from Internet-based events. Network protection is an attack surface reduction capability. It helps prevent employees from accessing dangerous domains through applications. Domains that host phishing scams, exploits, and other malicious content on the Internet are considered dangerous. Network protection expands the scope of [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
-Network protection extends the protection in [Web protection](web-protection-overview.md) to the operating system level. It provides web protection functionality in Edge to other supported browsers and non-browser applications. In addition, network protection provides visibility and blocking of indicators of compromise (IOCs) when used with [Endpoint detection and response](overview-endpoint-detection-response.md). For example, network protection works with your [custom indicators](manage-indicators.md).
-
-For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
+Network protection extends the protection in [Web protection](web-protection-overview.md) to the operating system level. It provides web protection functionality in Edge to other supported browsers and non-browser applications. In addition, network protection provides visibility and blocking of indicators of compromise (IOCs) when used with [Endpoint detection and response](overview-endpoint-detection-response.md). For example, network protection works with your [custom indicators](manage-indicators.md) that you can use to block specific domains or hostnames.
> [!TIP] > See the Microsoft Defender for Endpoint testground site at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how network protection works.
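Review bot: the overview rewrite drops the platform-support paragraph (`Network protection is supported on Windows, beginning with Windows 10, version 1709. Network protection is not yet supported on other operating systems, but web protection is supported using the new Microsoft Edge based on Chromium.`) without moving it anywhere. The new Requirements section later in this diff states Windows 10 Pro or Enterprise and the table gives version 1709 or later, but the statement that other operating systems are not covered and the pointer to Web protection for Edge are lost; restore that sentence in the new Requirements section.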
-Network protection works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into exploit protection events and blocks as part of [alert investigation scenarios](investigate-alerts.md).
-
-When network protection blocks a connection, a notification is displayed from the Action Center. Your security operations team can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your organization's details and contact information. In addition, individual attack surface reduction rules can be enabled and customized to suit certain techniques to monitor.
+## Requirements for network protection
-You can also use [audit mode](audit-windows-defender.md) to evaluate how network protection would impact your organization if it were enabled.
+Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection.
-## Requirements
+<br>
-Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection.
+****
-| Windows version | Microsoft Defender Antivirus |
-|:|:|
-| Windows 10 version 1709 or later <p>Windows Server 1803 or later | [Microsoft Defender Antivirus real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled |
+|Windows version|Microsoft Defender Antivirus|
+|||
+|Windows 10 version 1709 or later <p> Windows Server 1803 or later|[Microsoft Defender Antivirus real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled|
+|
-After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your devices (also referred to as endpoints).
+After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your devices (also referred to as endpoints).
- `.smartscreen.microsoft.com` - `.smartscreen-prod.microsoft.com`
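Review bot: `After you have enabled the services, you might need to configure your network or firewall...` is removed and re-added with identical text, so this is a whitespace-only change; drop it from the diff or label it as trailing-whitespace cleanup. In the new Requirements table the separator row reads `|||` with no dashes; the table only renders with `|---|---|` (or the aligned form), so confirm the source has them.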
-## Review network protection events in the Microsoft Defender for Endpoint Security Center
+## Configuring network protection
+
+For more information about how to enable network protection, see **[Enable network protection](enable-network-protection.md)**. Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
+
+## Viewing network protection events
+
+Network protection works best with [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md), which gives you detailed reporting into exploit protection events and blocks as part of [alert investigation scenarios](investigate-alerts.md).
+
+When network protection blocks a connection, a notification is displayed from the Action Center. Your security operations team can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your organization's details and contact information. In addition, individual attack surface reduction rules can be enabled and customized to suit certain techniques to monitor.
+
+You can also use [audit mode](audit-windows-defender.md) to evaluate how network protection would impact your organization if it were enabled.
-Microsoft Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](investigate-alerts.md).
+## Review network protection events in the Microsoft 365 Defender portal
-You can query Microsoft Defender for Endpoint data by using [advanced hunting](advanced-hunting-overview.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled.
+Microsoft Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](investigate-alerts.md). You can view these details in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) in the [alerts queue](review-alerts.md) or by using [advanced hunting](advanced-hunting-overview.md). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled.
-Here is an example query
+Here is an example query for advanced hunting:
```kusto DeviceEvents
-| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
+|where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
``` ## Review network protection events in Windows Event Viewer
You can review the Windows event log to see events that are created when network
This procedure creates a custom view that filters to only show the following events related to network protection:
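Review bot: the Kusto sample changes `| where ActionType in (...)` to `|where ActionType in (...)`, removing the space after the pipe. Conventional KQL style, and the other query in this same change set (`| where ActionType == "PnpDeviceConnected"` in printer-protection.md), keeps the space; revert that edit so the samples stay consistent. The fused `` ```kusto DeviceEvents `` also needs the fence and the `DeviceEvents` table name on separate lines if the source really reads that way.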
-| Event ID | Description |
-|:|:|
-| 5007 | Event when settings are changed |
-| 1125 | Event when network protection fires in audit mode |
-| 1126 | Event when network protection fires in block mode |
+<br>
+
+****
+
+|Event ID|Description|
+|||
+|5007|Event when settings are changed|
+|1125|Event when network protection fires in audit mode|
+|1126|Event when network protection fires in block mode|
+|
+
+## Network protection and the TCP three-way handshake
+
+With network protection, the determination of whether to allow or block access to a site is made after the completion of the [three-way handshake via TCP/IP](/troubleshoot/windows-server/networking/three-way-handshake-via-tcpip). Thus, when a site is blocked by network protection, you might see an action type of `ConnectionSuccess` under `NetworkConnectionEvents` in the Microsoft 365 Defender portal, even though the site was actually blocked. `NetworkConnectionEvents` are reported from the TCP layer, and not from network protection. After the three-way handshake has completed, access to the site is allowed or blocked by network protection.
+
+Here's an example of how that works:
+
+1. Suppose that a user attempts to access a website on their device. The site happens to be hosted on a dangerous domain, and it should be blocked by network protection.
+
+2. The three-way handshake via TCP/IP commences. Before it completes, a `NetworkConnectionEvents` action is logged, and its `ActionType` is listed as `ConnectionSuccess`. However, as soon as the three-way handshake process completes, network protection blocks access to the site. All of this happens very quickly. A similar process occurs with [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview); it's when the three-way handshake completes that a determination is made, and access to a site is either blocked or allowed.
+
+3. In the Microsoft 365 Defender portal, an alert is listed in the [alerts queue](alerts-queue.md). Details of that alert include both `NetworkConnectionEvents` and `AlertEvents`. You can see that the site was blocked, even though you also have a `NetworkConnectionEvents` item with the ActionType of `ConnectionSuccess`.
## Considerations for Windows virtual desktop running Windows 10 Enterprise Multi-Session
Due to the multi-user nature of Windows 10 Enterprise, keep the following points
3. If you need to differentiate between user groups, consider creating separate Windows Virtual Desktop host pools and assignments.
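Review bot: in the new TCP three-way handshake section, step 3 links `alerts queue` to `alerts-queue.md`, while the rewritten events paragraph earlier in this file links the same term to `review-alerts.md`; pick one target. In the same step, `ActionType` is plain text where the surrounding `NetworkConnectionEvents`, `AlertEvents` and `ConnectionSuccess` are in backticks; use backticks there too. It is worth stating plainly for analysts: a `ConnectionSuccess` row in `NetworkConnectionEvents` is not evidence that a blocked site was reached, so hunting rules for network protection blocks should key on the `ExploitGuardNetworkProtectionBlocked` `DeviceEvents` action rather than on connection events.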
-4. Test network protection in audit mode to assess its behavior before rolling out.
+4. Test network protection in audit mode to assess its behavior before rolling out.
5. Consider resizing your deployment if you have a large number of users or a large number of multi-user sessions.
For Windows 10 Enterprise Multi-Session 1909 and up, used in Windows Virtual Des
## Network protection troubleshooting
-Due to the environment where Network Protection runs, Microsoft might not be able to detect operating system proxy settings. In some cases, network protection clients are unable to reach Cloud Service. To resolve the connectivity problem, customers with E5 licenses should configure one of the following Defender registry keys:
+Due to the environment where network protection runs, Microsoft might not be able to detect operating system proxy settings. In some cases, network protection clients are unable to reach Cloud Service. To resolve the connectivity problem, customers with E5 licenses should configure one of the following Defender registry keys:
```console reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyServer /d "<proxy IP address: Port>" /f
reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyPacUrl /d "<Proxy PAC
```
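Review bot: the troubleshooting sentence lowercases `Network Protection` to `network protection` but leaves `Cloud Service` capitalized mid-sentence; lowercase it (or name the service) in the same edit. The sentence also still says `customers with E5 licenses should configure` the proxy registry values without saying why the fix is license-gated; either drop the license qualifier or explain it, since the registry values themselves are not licensed features.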
-## Related articles
+## See also
- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created.- - [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
+- [Configuring attack surface reduction capabilities in Microsoft Intune](/mem/intune/protect/endpoint-security-asr-policy)
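Review bot: the first two entries of the renamed `See also` list use the `link | description` form, but the new entry `Configuring attack surface reduction capabilities in Microsoft Intune` has no description; add a short one so the list stays uniform.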
security Printer Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection.md
DeviceEvents
``` :::image type="content" source="../../media/device-control-advanced-hunting.png" alt-text="advanced hunting":::
+
+ You can use the PnP event to find the USB printer used in the organization:
+
+```kusto
+//find the USB Printer VID/PID
+DeviceEvents
+| where ActionType == "PnpDeviceConnected"
+| extend parsed=parse_json(AdditionalFields)
+| extend DeviceDescription = tostring(parsed.DeviceDescription)
+| extend PrinterDeviceId = tostring(parsed.DeviceId)
+| extend VID_PID_Array = split(split(PrinterDeviceId, "\\")[1], "&")
+| extend VID_PID = replace_string(strcat(VID_PID_Array[0], '/', VID_PID_Array[1]), 'VID_', '')
+| extend VID_PID = replace_string(VID_PID, 'PID_', '')
+| extend ClassId = tostring(parsed.ClassId)
+| extend VendorIds = tostring(parsed.VendorIds)
+| where DeviceDescription == 'USB Printing Support'
+| project Timestamp , DeviceId, DeviceName, ActionType, DeviceDescription, VID_PID, ClassId, PrinterDeviceId, VendorIds, parsed
+| order by Timestamp desc
+```
+
+ :::image type="content" source="https://user-images.githubusercontent.com/81826151/128954383-71df3009-77ef-40db-b575-79c73fda332b.png" alt-text="advanced hunting":::
++++++++
+
+
+
+
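Review bot: the screenshot added after the query is pulled from `https://user-images.githubusercontent.com/81826151/...png`, a contributor upload outside this repository, while the existing image in the same section is referenced from `../../media/`; commit the image to the docs media folder so it is versioned with the page and not dependent on an external host. In the query, the filter `DeviceDescription == 'USB Printing Support'` is applied only after every `extend` has run; moving that `where` up right after the `PnpDeviceConnected` filter avoids parsing `AdditionalFields` for every other PnP event. `split(PrinterDeviceId, "\\")[1]` yields a dynamic value that is passed straight into the outer `split`; wrapping it in `tostring()` makes the type explicit. Finally, the trailing `++++++++` adds eight blank lines at the end of the file; trim them.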
security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/recommendation.md
[!include[Improve request performance](../../includes/improve-request-performance.md)] - [!include[Prerelease information](../../includes/prerelease.md)] ## Methods
-Method |Return Type |Description
-:|:|:
-[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
-[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
-[Get recommendation software](list-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
-[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation
-[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
+<br>
+
+****
+
+|Method|Return Type|Description|
+||||
+|[List all recommendations](get-all-recommendations.md)|Recommendation collection|Retrieves a list of all security recommendations affecting the organization|
+|[Get recommendation by Id](get-recommendation-by-id.md)|Recommendation|Retrieves a security recommendation by its ID|
+|[Get recommendation software](list-recommendation-software.md)|[Software](software.md)|Retrieves a security recommendation related to a specific software|
+|[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection|Retrieves a list of devices associated with the security recommendation|
+|[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md)|[Vulnerability](vulnerability.md) collection|Retrieves a list of vulnerabilities associated with the security recommendation|
+|
## Properties
-Property | Type | Description
-:|:|:
-id | String | Recommendation ID
-productName | String | Related software name
-recommendationName | String | Recommendation name
-Weaknesses | Long | Number of discovered vulnerabilities
-Vendor | String | Related vendor name
-recommendedVersion | String | Recommended version
-recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack
-subCategory | String | Recommendation sub-category
-severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)
-publicExploit | Boolean | Public exploit is available
-activeAlert | Boolean | Active alert is associated with this recommendation
-associatedThreats | String collection | Threat analytics report is associated with this recommendation
-remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"
-Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception"
-configScoreImpact | Double | Microsoft Secure Score for Devices impact
-exposureImpacte | Double | Exposure score impact
-totalMachineCount | Long | Number of installed devices
-exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
-nonProductivityImpactedAssets | Long | Number of devices which are not affected
-relatedComponent | String | Related software component
+
+<br>
+
+****
+
+|Property|Type|Description|
+||||
+|id|String|Recommendation ID|
+|productName|String|Related software name|
+|recommendationName|String|Recommendation name|
+|Weaknesses|Long|Number of discovered vulnerabilities|
+|Vendor|String|Related vendor name|
+|recommendedVersion|String|Recommended version|
+|recommendedProgram|String|Recommended program|
+|recommendedVendor|String|Recommended vendor|
+|recommendationCategory|String|Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityControls"|
+|subCategory|String|Recommendation sub-category|
+|severityScore|Double|Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)|
+|publicExploit|Boolean|Public exploit is available|
+|activeAlert|Boolean|Active alert is associated with this recommendation|
+|associatedThreats|String collection|Threat analytics report is associated with this recommendation|
+|remediationType|String|Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"|
+|Status|Enum|Recommendation exception status. Possible values are: "Active" and "Exception"|
+|configScoreImpact|Double|Microsoft Secure Score for Devices impact|
+|exposureImpact|Double|Exposure score impact|
+|totalMachineCount|Long|Number of installed devices|
+|exposedMachinesCount|Long|Number of installed devices that are exposed to vulnerabilities|
+|nonProductivityImpactedAssets|Long|Number of devices that are not affected|
+|relatedComponent|String|Related software component|
+|
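Review bot: both rebuilt tables (Methods and Properties) are followed by a line containing only `|`, which will render as a stray pipe or an empty row; delete those two lines. In the Properties table, `Weaknesses`, `Vendor` and `Status` are capitalised while every other property is camelCase; check the names against an actual API response and use the casing the JSON returns. The `exposureImpacte` -> `exposureImpact` correction is good; the `SecurityStack` -> `SecurityControls` change alters a documented enum value for `recommendationCategory`, so confirm it against the API as well before merging.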
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
ms.localizationpriority: medium audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
ms.technology: m365d
-# Run the client analyzer on macOS and Linux
+# Run the client analyzer on macOS and Linux
**Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - ## Running the analyzer through GUI scenario
-1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer)
- tool to the macOS or Linux machine you need to investigate.
-> [!NOTE]
-> The current SHA256 hash of 'XMDEClientAnalyzer.zip' that is downloaded from the above link is: '029296D437BA97B5563D0C75DD874F8F51C563B2B5AC16745619F4DB2E064C85'.
+1. Download the [XMDE Client Analyzer](https://aka.ms/XMDEClientAnalyzer) tool to the macOS or Linux machine you need to investigate.
+
+ > [!NOTE]
+ > The current SHA256 hash of 'XMDEClientAnalyzer.zip' that is downloaded from the above link is: '029296D437BA97B5563D0C75DD874F8F51C563B2B5AC16745619F4DB2E064C85'.
-2. Extract the contents of XMDEClientAnalyzer.zip on the machine.
+2. Extract the contents of XMDEClientAnalyzer.zip on the machine.
-3. Open a terminal session, change directory to the extracted location and run:
+3. Open a terminal session, change directory to the extracted location and run:
-`./mde_support_tool.sh -d`
+ `./mde_support_tool.sh -d`
-!Note
-On Linux, if the script does not have permissions to execute, then you'll need to first
-run:
-*chmod a+x mde_support_tool.sh*
+ > [!NOTE]
+ > On Linux, if the script does not have permissions to execute, then you'll need to first run:
+ >
+ > `chmod a+x mde_support_tool.sh`
## Running the analyzer using a terminal or SSH scenario
-1. Open a terminal or SSH into the relevant machine.
+1. Open a terminal or SSH into the relevant machine.
-2. Run `wget --quiet -O XMDEClientAnalyzer.zip*
- <https://aka.ms/XMDEClientAnalyzer> *&& unzip -q XMDEClientAnalyzer.zip && cd
- XMDEClientAnalyzer && chmod +x mde_support_tool.sh"`
+2. Run `wget --quiet -O XMDEClientAnalyzer.zip* <https://aka.ms/XMDEClientAnalyzer> *&& unzip -q XMDEClientAnalyzer.zip && cd XMDEClientAnalyzer && chmod +x mde_support_tool.sh"`
-3. Run ` ./mde_support_tool.sh -d ` to generate the result archive file.
+3. Run `./mde_support_tool.sh -d` to generate the result archive file.
-> [!NOTE]
-> For Linux, the analyzer requires 'lxml' to produce the result output. If not
-installed, the analyzer will try to fetch it from the official repository for
-python packages below:
-https://files.pythonhosted.org/packages/\*/lxml\*.whl
+> [!NOTE]
+> For Linux, the analyzer requires 'lxml' to produce the result output. If not installed, the analyzer will try to fetch it from the official repository for python packages below: <https://files.pythonhosted.org/packages/\*/lxml\*.whl>
+>
> In addition, the tool currently requires Python version 3 or later to be installed.
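Review bot: the step 2 command in the SSH section is still malformed after the reflow: `XMDEClientAnalyzer.zip*`, `*&& unzip` and the trailing `"` after `mde_support_tool.sh` are stray characters that will make the one-liner fail or leave the shell waiting for a closing quote, and the URL is wrapped in `<...>` inside a code span, so the angle brackets print literally; the intended line appears to be `wget --quiet -O XMDEClientAnalyzer.zip https://aka.ms/XMDEClientAnalyzer && unzip -q XMDEClientAnalyzer.zip && cd XMDEClientAnalyzer && chmod +x mde_support_tool.sh`. Since the GUI section above pins the SHA256 of XMDEClientAnalyzer.zip, consider adding a verification step here before unzipping (for example `sha256sum XMDEClientAnalyzer.zip` on Linux or `shasum -a 256 XMDEClientAnalyzer.zip` on macOS) and noting that the pinned hash must be updated whenever the package is re-released.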
-Example:
-
+Example:
![Image of command line example](images/4ca188f6c457e335abe3c9ad3eddda26.png)
-
-
Additional syntax help:
-**-h** \# Help
+**-h** \# Help<br>
\# Show help message
-**-p** \# Performance
-\# Planned parameter that is not yet implemented.
-\# Collects extensive tracing for analysis of a performance issue that can be
-reproduced on demand.
+**-p** \# Performance<br>
+\# Planned parameter that is not yet implemented.<br>
+\# Collects extensive tracing for analysis of a performance issue that can be reproduced on demand.
-**-o** \# Output
+**-o** \# Output<br>
\# Specify the destination path for the result file
-**-nz** \# No-Zip
+**-nz** \# No-Zip<br>
\# If set, a directory will be created instead of a resulting archive file
-**-f** \# Force
+**-f** \# Force<br>
\# Overwrite if output already exists in destination path ## Result package contents on macOS and Linux -- report.html <br> Description: The main HTML output file that will contain the findings and
- guidance that the analyzer script run on the machine can produce.
+- report.html
+
+ Description: The main HTML output file that will contain the findings and guidance that the analyzer script run on the machine can produce.
+
+- mde_diagnostic.zip
+
+ Description: Same diagnostic output that gets generated when running *mdatp diagnostic create* on either [macOS](/windows/security/threat-protection/microsoft-defender-atp/mac-resources#collecting-diagnostic-information)
+
+ or
+
+ [Linux](/windows/security/threat-protection/microsoft-defender-atp/linux-resources#collect-diagnostic-information)
+
+- mde.xml
+
+ Description: XML output that is generated while running and is used to build the html report file.
+
+- Processes_information.txt
+
+ Description: contains the details of the running Microsoft Defender for Endpoint related processes on the system.
+
+- Log.txt
-- mde_diagnostic.zip <br> Description: Same diagnostic output that gets generated when
- running *mdatp diagnostic create* on either
- [macOS](/windows/security/threat-protection/microsoft-defender-atp/mac-resources#collecting-diagnostic-information)
- or
- [Linux](/windows/security/threat-protection/microsoft-defender-atp/linux-resources#collect-diagnostic-information)
+ Description: contains the same log messages written on screen during the data collection.
-- mde.xml <br> Description: XML output that is generated while running and is used to build
- the html report file.
+- Health.txt
-- Processes_information.txt <br> Description: contains the details of the running Microsoft Defender for Endpoint related
- processes on the system.
+ Description: The same basic health output that is shown when running *mdatp health* command.
-- Log.txt <br> Description: contains the same log messages written on screen during the data
- collection.
+- Events.xml
-- Health.txt <br> Description: The same basic health output that is shown when running *mdatp
- health* command.
+ Description: Additional XML file used by the analyzer when building the HTML report.
-- Events.xml <br> Description: Additional XML file used by the analyzer when building the
- HTML report.
+- Auditd_info.txt
-- Auditd_info.txt <br> Description: details on auditd service and related components for
- [Linux](/windows/security/threat-protection/microsoft-defender-atp/linux-support-events)
- OS
+ Description: details on auditd service and related components for [Linux](/windows/security/threat-protection/microsoft-defender-atp/linux-support-events) OS
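Review bot: in the `mde_diagnostic.zip` item the sentence is broken across three paragraphs (`[macOS](...)`, then `or` on its own indented line, then `[Linux](...)`, each separated by blank lines), which renders as three separate paragraphs inside the list item; keep "on either [macOS](...) or [Linux](...)" on one line. The same list still sets `mdatp diagnostic create` and `mdatp health` in italics while the other commands in this file are in code spans; use code spans for consistency.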
security Troubleshoot Np https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-np.md
> [!TIP] > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-pullalerts-abovefoldlink) -
-When you use [Network protection](network-protection.md) you may encounter issues, such as:
+This article provides troubleshooting information for [network protection](network-protection.md), in cases, such as:
- Network protection blocks a website that is safe (false positive) - Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
Network protection will only work on devices with the following conditions:
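Review bot: the new intro sentence reads "in cases, such as:"; the comma before "such as" is stray, so use "troubleshooting information for [network protection](network-protection.md) in cases such as:".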
->[!div class="checklist"]
+> [!div class="checklist"]
+>
> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. > - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you are using a non-Microsoft antivirus solution](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). > - [Real-time protection](/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) is enabled.
You can enable network protection in audit mode and then visit a website that we
2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). 3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
-
+ If network protection is not blocking a connection that you are expecting it should block, enable the feature. ```PowerShell
When you report a problem with network protection, you are asked to collect and
mpcmdrun -getfiles ```
-3. Attach the file to the submission form. By default, diagnostic logs are saved at `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.
+3. Attach the file to the submission form. By default, diagnostic logs are saved at `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`.
## Resolve connectivity issues with network protection (for E5 customers)
reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyServer /d "<proxy IP
OR - ```powershell reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyPacUrl /d "<Proxy PAC url>" /f ``` You can configure the registry key by using PowerShell, Microsoft Endpoint Manager, or Group Policy. Here are some resources to help:+ - [Working with Registry Keys](/powershell/scripting/samples/working-with-registry-keys) - [Configure custom client settings for Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-protection-configure-client) - [Use Group Policy settings to manage Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-protection-group-policies)
You can configure the registry key by using PowerShell, Microsoft Endpoint Manag
## See also - [Network protection](network-protection.md)
+- [Network protection and the TCP three-way handshake](network-protection.md#network-protection-and-the-tcp-three-way-handshake)
- [Evaluate network protection](evaluate-network-protection.md) - [Enable network protection](enable-network-protection.md) - [Address false positives/negatives in Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
security Vulnerability https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/vulnerability.md
updatedOn|DateTime|Date when vulnerability was updated
publicExploit|Boolean|Public exploit exists exploitVerified|Boolean|Exploit is verified to work exploitInKit|Boolean|Exploit is part of an exploit kit
-exploitTypes|String collection|Exploit impact. Possible values are: "Denial of service", "Local privilege escalation", "Denial of service"
+exploitTypes|String collection|Exploit impact. Possible values are: "Local privilege escalation", "Denial of service", "Local"
exploitUris|String collection|Exploit source URLs
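Review bot: the new `exploitTypes` value list ends with "Local", which does not look like a complete exploit type next to "Local privilege escalation" and "Denial of service"; the removed line repeated "Denial of service", so the intent was presumably to replace the duplicate with the missing third value, but "Local" alone is likely truncated. Check the value set against what the API actually returns before merging.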
security Configure Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-event-hub.md
localization_priority: normal audience: ITPro--- M365-security-compliance -- m365initiative-m365-defender +
+- M365-security-compliance
+- m365initiative-m365-defender
MS.technology: mde
MS.technology: mde
Learn how to configure your Event Hub so that it can ingest events from Microsoft 365 Defender. -
-## Setup the required Resource Provider in the Event Hub subscription
-
+## Set up the required Resource Provider in the Event Hub subscription
1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Select **Subscriptions \> {***Select the subscription the event hub will be deployed
-to***} \> Resource providers**.
+1. Select **Subscriptions** \> {***Select the subscription the event hub will be deployed
+to***} \> **Resource providers**.
1. Verify that the **Microsoft.Insights** Provider is registered. Otherwise, register it. ![Image of resource providers in Microsoft Azure](../../media/f893db7a7b1f7aa520e8b9257cc72562.png)
-## Setup Azure Active Directory App Registration
-
+## Set up Azure Active Directory App Registration
->![NOTE]
->You must have Administrator role or Azure Active Directory (AAD) must be
-set to allow non-Administrators to register apps. You must also have an Owner or
-User Access Administrator role to assign the service principal a role.
-For more information, see [Create an Azure AD app & service principal in the
-portal - Microsoft identity platform \| Microsoft
-Docs](/azure/active-directory/develop/howto-create-service-principal-portal).
+> ![NOTE]
+> You must have Administrator role or Azure Active Directory (AAD) must be set to allow non-Administrators to register apps. You must also have an Owner or User Access Administrator role to assign the service principal a role. For more information, see [Create an Azure AD app & service principal in the portal - Microsoft identity platform \| Microsoft Docs](/azure/active-directory/develop/howto-create-service-principal-portal).
1. Create a new registration (which inherently creates a service principal) in
-**Azure Active Directory \> App registrations \> New registration.**
+**Azure Active Directory** \> **App registrations** \> **New registration.**
1. Fill out the form with just the Name (no Redirect URI is required).
Docs](/azure/active-directory/develop/howto-create-service-principal-portal).
![Image of Overview information](../../media/06ac04c4ff713c2065cec2ef2f99a294.png)
-1. Create a secret by clicking on **Certificates & secrets \> New client secret**:
+1. Create a secret by clicking on **Certificates & secrets** \> **New client secret**:
![Image of certificates and secrets](../../media/d2ef88d3d2310d2c60c294b569cdf02e.png)
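Review bot: the callout at the top of the App Registration section uses `> ![NOTE]`, which is Markdown image syntax (it renders as a broken image with alt text "NOTE"), not an alert; the other callouts in this file use `> [!NOTE]` and `> [!WARNING]`. Since this hunk rewrites that block anyway, change it to `> [!NOTE]`.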
->[!WARNING]
->**You won't be able to access the client secret again so make sure
-to save it**.
-
-## Setup Event Hub namespace
+> [!WARNING]
+> **You won't be able to access the client secret again so make sure to save it**.
+## Set up Event Hub namespace
1. Create an Event Hub Namespace:
- Go **to Event Hubs \> Add** and select the pricing tier, throughput units and
- Auto-Inflate (requires standard pricing and under features) appropriate for the
- load you are expecting.
- For more information, see [Pricing - Event Hubs \| Microsoft
- Azure](https://azure.microsoft.com/pricing/details/event-hubs/)
+ Go **to Event Hubs \> Add** and select the pricing tier, throughput units and Auto-Inflate (requires standard pricing and under features) appropriate for the load you are expecting. For more information, see [Pricing - Event Hubs \| Microsoft Azure](https://azure.microsoft.com/pricing/details/event-hubs/)
- >[!NOTE]
+ > [!NOTE]
> You can use an existing event hub, but the throughput and scaling are set at the namespace level so it is recommended to place an event hub in itsown namespace. ![Image of Event Hub name space](../../media/ebc4ca37c342ad1da75c4aee4018e51a.png)
-1. You will also need the Resource ID of this Event Hub Namespace. Go to your Azure Event Hubs namespace page \> Properties. Copy the text under Resource ID and record it for use during the M365 Configuration section below.
+1. You will also need the Resource ID of this Event Hub Namespace. Go to your Azure Event Hubs namespace page \> Properties. Copy the text under Resource ID and record it for use during the Microsoft 365 Configuration section below.
![Image of properties](../../media/759498162a4e93cbf17c4130d704d164.png)
-1. Once the Event Hub Namespace is created you will need to add the App Registration Service Principal as Reader, Azure Event Hubs Data Receiver, and the user who will be logging into Microsoft 365 Defender as Contributor (this can also be done at Resource Group or Subscription level).
+1. Once the Event Hub Namespace is created, you will need to add the App Registration Service Principal as Reader, Azure Event Hubs Data Receiver, and the user who will be logging into Microsoft 365 Defender as Contributor (you can also do this at Resource Group or Subscription level).
- This is done in **Event Hubs Namespace \> Access Control (IAM) \> Add** and
-verify under **Role assignments**:
+ You do this step at **Event Hubs Namespace** \> **Access Control (IAM)** \> **Add** and verify under **Role assignments**:
![Image of access control](../../media/9c9c29137b90d5858920202d87680d16.png)
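Review bot: in step 1 of "Set up Event Hub namespace" the bold is misplaced: `Go **to Event Hubs \> Add**` bolds "to" and keeps the `\>` inside the bold, whereas the rest of this change moves the separator outside the UI names; make it `Go to **Event Hubs** \> **Add**`. The unchanged note below it has the typo "itsown" (should be "its own"), worth fixing while this section is being touched.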
-## Setup Event Hub
-
+## Set up Event Hub
**Option 1:**
-You can create an Event Hub within your Namespace and **all** the Event Types
-(Tables) you select to export will be written into this **one** Event Hub.
+You can create an Event Hub within your Namespace and **all** the Event Types (Tables) you select to export will be written into this **one** Event Hub.
**Option 2:**
-Instead of exporting all the Event Types (Tables) into one Event Hub, you can
-export each table into a different Event Hub inside your Event Hub Namespace
-(one Event Hub per Event Type).
+Instead of exporting all the Event Types (Tables) into one Event Hub, you can export each table into a different Event Hub inside your Event Hub Namespace (one Event Hub per Event Type).
+
+In this option, Microsoft 365 Defender will create Event Hubs for you.
-In this option, Microsoft 365 Defender will create Event Hubs for you.
->[!NOTE]
+> [!NOTE]
> If you are using an Event Hub Namespace that is **not** part of an Event Hub Cluster, you will only be able to choose up to 10 Event Types (Tables) to export in each Export Settings you define, due to an Azure limitation of 10 Event Hubs per Event Hub Namespace. For example: ![Image of example Event Hub](../../media/005c1f6c10c34420d387f594987f9ffe.png)
-If you choose this option, you can skip to the [Configure Microsoft 365
-Defender to send email tables](#configure-microsoft-365-defender-to-send-email-tables) section.
+If you choose this option, you can skip to the [Configure Microsoft 365 Defender to send email tables](#configure-microsoft-365-defender-to-send-email-tables) section.
-Create an Event Hub within your Namespace by selecting **Event Hubs \> + Event
-Hub**.
+Create an Event Hub within your Namespace by selecting **Event Hubs** \> **+ Event Hub**.
-The Partition Count allows for additional throughput via parallelism, so it is
-recommended to increase this number based on the load you are expecting.
-Default Message Retention and Capture values of 1 and Off are recommended.
+The Partition Count allows for more throughput via parallelism, so it is recommended to increase this number based on the load you are expecting. Default Message Retention and Capture values of 1 and Off are recommended.
![Image of create Event Hub](../../media/1db04b8ec02a6298d7cc70419ac6e6a9.png)
-For this Event Hub (not namespace) you will need to configure a Shared Access
-Policy with Send, Listen Claims. Click on your **Event Hub \> Shared access
-policies \> + Add** and then give it a Policy name (not used elsewhere) and
-check **Send** and **Listen**.
+For this Event Hub (not namespace) you will need to configure a Shared Access Policy with Send, Listen Claims. Click on your **Event Hub** \> **Shared access policies** \> **+ Add** and then give it a Policy name (not used elsewhere) and check **Send** and **Listen**.
![Image of shared access policies](../../media/1867d13f46dc6a0f4cdae6cf00df24db.png) ## Configure Microsoft 365 Defender to send email tables
+### Set up Microsoft 365 Defender send Email tables to Splunk via Event Hub
-### Setup Microsoft 365 Defender send Email tables to Splunk via Event Hub
+1. Log in to Microsoft 365 Defender at <https://security.microsoft.com> with an account that meets all the following role requirements:
+ - Contributor role at the Event Hub *Namespace* Resource level or higher for the Event Hub that you will be exporting to. Without this permission, you will get an export error when you try to save the settings.
-1. Login to Microsoft 365 Defender at <https://security.microsoft.com> with an
-account that meets all the following role requirements:
-
- - Contributor role at the Event Hub *Namespace* Resource level or higher for
- the Event Hub that you will be exporting to. Without this you will get an
- export error when you try to save the settings.
-
- - Global Admin or Security Admin Role on the tenant tied to Microsoft 365
- Defender and Azure.
+ - Global Admin or Security Admin Role on the tenant tied to Microsoft 365 Defender and Azure.
![Image of security portal](../../media/55d5b1c21dd58692fb12a6c1c35bd4fa.png) 1. Click on **Raw Data Export \> +Add**.
- You will now use the data that your recorded above.
+ You will now use the data that you recorded above.
- **Name**: This is local and should be whatever works in your environment.
+ **Name**: This value is local and should be whatever works in your environment.
**Forward events to event hub**: Select this checkbox.
- **Event-Hub Resource ID**: This is the Event Hub Namespace Resource ID you
- recorded above when you setup the Event Hub.
+ **Event-Hub Resource ID**: This value is the Event Hub Namespace Resource ID you recorded when you setup the Event Hub.
- **Event-Hub name**: If you created an Event Hub inside your Event Hub Namespace, paste the Event Hub name you recorded above.
+ **Event-Hub name**: If you created an Event Hub inside your Event Hub Namespace, paste the Event Hub sname you recorded above.
- If you choose to let Microsoft 365 Defender to create Event Hubs per Event Types
- (Tables) for you, leave this field empty.
+ If you choose to let Microsoft 365 Defender to create Event Hubs per Event Types (Tables) for you, leave this field empty.
- **Event Types**: Select the Advanced Hunting tables that you want to forward to
- the Event Hub and then on to your custom app. Alert tables are from Microsoft
- 365 Defender, Devices tables are from Microsoft Defender for Endpoint (EDR), and
- Email tables are from Microsoft Defender for Office 365. Email Events records
- all Email Transactions. The URL (SafeLinks), Attachment (Safe Attachments) and
- Post Delivery Events (ZAP) are also recorded and can be joined to the Email
- Events on the NetworkMessageId field.
+ **Event Types**: Select the Advanced Hunting tables that you want to forward to the Event Hub and then on to your custom app. Alert tables are from Microsoft 365 Defender, Devices tables are from Microsoft Defender for Endpoint (EDR), and Email tables are from Microsoft Defender for Office 365. Email Events records all Email Transactions. The URL (Safe Links), Attachment (Safe Attachments), and Post Delivery Events (ZAP) are also recorded and can be joined to the Email Events on the NetworkMessageId field.
![Image of streaming API settings](../../media/3b2ad64b6ef0f88cf0175f8d57ef8b97.png)
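Review bot: the rewritten Raw Data Export steps introduce a typo: "paste the Event Hub sname you recorded above" should be "Event Hub name". Two grammar issues survive the reflow in the same block: "when you setup the Event Hub" should be "set up" (verb), and "let Microsoft 365 Defender to create Event Hubs" should drop "to".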
account that meets all the following role requirements:
### Verify that the events are being exported to the Event Hub
+You can verify that events are being sent to the Event Hub by running a basic Advanced Hunting query. Select **Hunting** \> **Advanced Hunting** \> **Query** and enter the following query:
-You can verify that events are being sent to the Event Hub by running a basic
-Advanced Hunting query. Select **Hunting \> Advanced Hunting \> Query** and
-enter the following query:
-
-```
+```console
EmailEvents |joinkind=fullouterEmailAttachmentInfoonNetworkMessageId |joinkind=fullouterEmailUrlInfoonNetworkMessageId
EmailEvents
|count ```
-This will show you how many emails were received in the last hour joined across
-all the other tables. It will also show you if you are seeing events that could
-be exported to the event hub. If this count shows 0 then you won't see any data
-going out to the Event Hub.
+This will show you how many emails were received in the last hour joined across all the other tables. It will also show you if you are seeing events that could be exported to the event hub. If this count shows 0, then you won't see any data going out to the Event Hub.
![Image of advanced hunting](../../media/c305e57dc6f72fa9eb035943f244738e.png)
-Once you have verified there is data to export, you can view the Event Hub to
-verify that messages are incoming. This can take up to one hour.
-
-1. In Azure, go to **Event Hubs \> Click on the Namespace \> Event Hubs \> Click on
-the Event Hub**.
-1. Under **Overview**, scroll down and in the Messages graph you should see
-Incoming Messages. If you don't see any results, then there will be no messages
+Once you have verified there is data to export, you can view the Event Hub to verify that messages are incoming. This can take up to one hour.
+
+1. In Azure, go to **Event Hubs** \> Click on the **Namespace** \> **Event Hubs** \> Click on the **Event Hub**.
+1. Under **Overview**, scroll down and in the Messages graph you should see Incoming Messages. If you don't see any results, then there will be no messages
for your custom app to ingest. ![Image of the overview tab with messages](../../media/e88060e315d76e74269a3fc866df047f.png)
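Review bot: the verification query's fence is changed to ```console, but the content is a Kusto (KQL) query, so tag it ```kusto, as the `getschema` example in streaming-api-event-hub.md does, so it gets the right highlighting. As shown, the query body has also lost its whitespace (`|joinkind=fullouterEmailAttachmentInfoonNetworkMessageId`); verify the source reads `| join kind=fullouter EmailAttachmentInfo on NetworkMessageId` with `| count` on its own line, since the collapsed form is not valid KQL.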
security Streaming Api Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-event-hub.md
ms.technology: mde
2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to Microsoft.Insights**.
-3. Create an Event Hub Namespace, go to **Event Hub > Add** and select the pricing tier, throughput units and Auto-Inflate appropriate for expected load. For more information, see [Event Hubs pricing](https://azure.microsoft.com/pricing/details/event-hubs/).
+3. Create an Event Hub Namespace, go to **Event Hub > Add** and select the pricing tier, throughput units and Auto-Inflate appropriate for expected load. For more information, see [Event Hubs pricing](https://azure.microsoft.com/pricing/details/event-hubs/).
### Add contributor permissions
Once the Event Hub namespace is created you will need to:
1. Define the user who will be logging into Microsoft 365 Defender as Contributor.
-2. If you are connecting to an application, add the App Registration Service Principal as Reader, Azure Event Hub Data Receiver (this can also be done at Resource Group or Subscription level).
+2. If you are connecting to an application, add the App Registration Service Principal as Reader, Azure Event Hub Data Receiver (this can also be done at Resource Group or Subscription level).
Go to **Event hubs namespace > Access control (IAM) > Add** and verify under **Role assignments**.
Once the Event Hub namespace is created you will need to:
5. Choose **Forward events to Azure Event Hub**.
-6. You can select if you want to export the event data to a single Event Hub, or to export each event table to a different event hub in your Event Hub namespace.
+6. You can select if you want to export the event data to a single Event Hub, or to export each event table to a different event hub in your Event Hub namespace.
7. To export the event data to a single Event Hub, enter your **Event Hub name** and your **Event Hub resource ID**.
Once the Event Hub namespace is created you will need to:
- For more information about the schema of Microsoft 365 Defender events, see [Advanced Hunting overview](advanced-hunting-overview.md). -- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well.
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well.
## Data types mapping
To get the data types for event properties do the following:
```kusto {EventType} | getschema
- | project ColumnName, ColumnType
+ | project ColumnName, ColumnType
``` -- Here is an example for Device Info event:
+- Here is an example for Device Info event:
![Image of Event Hub resource Id2](../defender-endpoint/images/machine-info-datatype-example.png)
security Admin Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
ms.prod: m365-security
In Microsoft 365 organizations with Exchange Online mailboxes, admins can use the Submissions portal in the Microsoft 365 Defender portal to submit email messages, URLs, and attachments to Microsoft for scanning.
-When you submit an email message, you will get:
+When you submit an email message for analysis, you will get:
- **Email authentication check**: Details on whether email authentication passed or failed when it was delivered. - **Policy hits**: Information about any policies that may have allowed or blocked the incoming email into your tenant, overriding our service filter verdicts.-- **Payload reputation/detonation**: Examination of any URLs and attachments in the message.
+- **Payload reputation/detonation**: Up-to-date examination of any URLs and attachments in the message.
- **Grader analysis**: Review done by human graders in order to confirm whether or not messages are malicious. > [!IMPORTANT]
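Review bot: "Up-to-date examination" in the **Payload reputation/detonation** bullet is vague; say what is current about it (for example, that URLs and attachments are examined again at submission time rather than reusing the verdict recorded at delivery), since the **Email authentication check** bullet is explicitly about the state at delivery. The trailing `> [!IMPORTANT]` callout has no body in this hunk; either its text is missing or it should start on its own line.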
solutions Networking Design Principles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/networking-design-principles.md
I am currently a Principal Technical Specialist in our Retail and Consumer Goods
With a background over the past 25 years that includes security, infrastructure, and network engineering, and having moved two of my previous employers to Office 365 before joining Microsoft, I've been on your side of the table plenty of times, and do remember what that's like. While no two customers are ever the same, most have similar needs, and when consuming a standardized service such as any SaaS or PaaS platform, the best approaches tend to be the same.
-## ItΓÇÖs not the networkΓÇöitΓÇÖs how youΓÇÖre (mis)using it!
-
-No matter how many times it happens, it never fails to amaze me how *creative* security teams and networking teams try to get with how they think they should connect to Microsoft cloud services. ThereΓÇÖs always some security policy, compliance standard, or better way they insist on using, without being willing to engage in a conversation about what it is they're trying to accomplish, or *how* they're better, easier, more cost-effective, and more performant ways of doing so.
- ## ItΓÇÖs not the network ΓÇö itΓÇÖs how youΓÇÖre (mis)using it! No matter how many times it happens, it never fails to amaze me how *creative* security teams and networking teams try to get with how they think they should connect to Microsoft cloud services. ThereΓÇÖs always some security policy, compliance standard, or better way they insist on using, without being willing to engage in a conversation about what it is they are trying to accomplish, or *how* there are better, easier, more cost-effective, and more performant ways of doing so.
No matter what security goals you have in play, there are ways to accomplish the
[Office 365 Networking blog](https://techcommunity.microsoft.com/t5/office-365-networking/bd-p/Office365Networking)
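Review bot: the added line runs the "## It's not the network" heading and the paragraph together on one line, so the whole paragraph becomes part of the H2; keep the heading on its own line with the blank line after it, as the removed version had. The wording fix from "how they're better" to "how there are better" is correct and should stay.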
-[Office 365 connectivity for remote users using VPN split tunneling](../enterprise/microsoft-365-vpn-split-tunnel.md)
+[Office 365 connectivity for remote users using VPN split tunneling](../enterprise/microsoft-365-vpn-split-tunnel.md)
test-base Review https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/review.md
f1.keywords: NOCSH
:::image type="content" alt-text="View validation." source="Media/validation.png" lightbox="Media/validation.png":::
-3. This will onboard your package to the Test Base environment. If your package is successfully created, an automated test which verifys whether your package can be successfully executed on Azure will be triggered.
+3. This will onboard your package to the Test Base environment. If your package is successfully created, an automated test which verifies whether your package can be successfully executed on Azure will be triggered.
![Successful result](Media/successful.png)
f1.keywords: NOCSH
:::image type="content" alt-text="Image for managing packages." source="Media/managepackages.png" lightbox="Media/managepackages.png":::
- - For succesful tests, their results can be seen via the **Test Summary**, **Security Updates Results** and **Feature Updates Results** pages at scheduled intervals, often starting a few days after your upload.
-
- - While failed tests, require you to upload a new package.
+ - For successful tests, their results can be seen via the **Test Summary**, **Security Updates Results** and **Feature Updates Results** pages at scheduled intervals, often starting a few days after your upload.
+
+ - While failed tests, require you to upload a new package.
You can download the **test logs** for further analysis from the **Security update results** and **Feature updates results** pages.
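Review bot: the re-added bullet "While failed tests, require you to upload a new package." keeps the stray comma and the dangling "While"; suggest "Failed tests require you to upload a new package." so it parallels the "For successful tests, ..." bullet above it.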