Updates from: 08/27/2022 01:22:56
Category Microsoft Docs article Related commit history on GitHub Change details
admin Secure Your Business Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/secure-your-business-data.md
audience: Admin -+ ms.localizationpriority: medium Last updated 08/24/2022
Microsoft 365 for business plans include security capabilities, such as antiphis
| Step | Task | Description | |:--:|:|:|
-| 1 | **Use multi-factor authentication**. | [Multi-factor authentication](multi-factor-authentication-microsoft-365.md) (MFA), also known as two-step verification, requires people to use a code or authentication app on their phone to sign into Microsoft 365, and is a critical first step to protecting your business data. Using MFA can prevent hackers from taking over if they know your password. See [security defaults and MFA](../../business-premium/m365bp-conditional-access.md). |
-| 2 | **Protect your administrator accounts**. | Administrator accounts (also called admins) have elevated privileges, making these accounts more susceptible to cyberattacks. You'll need to set up and manage the right number of admin and user accounts for your business. We also recommend adhering to the information security principle of least privilege, which means that users and applications should be granted access only to the data and operations they require to perform their jobs. See [Protect your administrator accounts](../../business-premium/m365bp-protect-admin-accounts.md). |
-| 3 | **Use preset security policies**. | Your subscription includes [preset security policies](../../security/office-365-security/preset-security-policies.md) that use recommended settings for anti-spam, anti-malware, and anti-phishing protection. See [Protect against malware and other cyberthreats](../../business-premium/m365bp-increase-protection.md). |
-| 4 | **Protect all devices**. | Every device is a possible attack avenue into your network and must be configured properly, even those devices that are personally owned but used for work. See the following articles: <br/>- [Help users set up MFA on their devices](https://support.microsoft.com/office/set-up-your-microsoft-365-sign-in-for-multi-factor-authentication-ace1d096-61e5-449b-a875-58eb3d74de14)<br/>- [Protect unmanaged Windows and Mac computers](../../business-premium/m365bp-protect-pcs-macs.md) <br/>- [Set up managed devices](../../business-premium/m365bp-managed-devices-setup.md) (requires Microsoft 365 Business Premium or Microsoft Defender for Business) |
-| 5 | **Train everyone on email best practices**. | Email can contain malicious attacks cloaked as harmless communications. Email systems are especially vulnerable, because email is handled by everyone in the organization, and safety relies on humans making consistently good decisions with those communications. Train everyone to know what to watch for spam or junk mail, phishing attempts, spoofing, and malware in their email. See [Protect yourself against phishing and other attacks](../../business-premium/m365bp-avoid-phishing-and-attacks.md). |
-| 6 | **Use Microsoft Teams for collaboration and sharing**. | The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it. See the following articles: <br/>- [Use Microsoft Teams for collaboration](../../business-premium/create-teams-for-collaboration.md) <br/>- [Set up meetings with Microsoft Teams](../../business-premium/set-up-meetings.md) <br/>- [Share files and videos in a safe environment](../../business-premium/share-files-and-videos.md) |
-| 7 | **Set sharing settings for SharePoint and OneDrive files and folders**. | Your default sharing levels for SharePoint and OneDrive might be set to a more permissive level than you should use. We recommend reviewing and if necessary, changing the default settings to better protect your business. Grant people only the access they need to do their jobs. See [Set sharing settings for SharePoint and OneDrive files and folders](../../business-premium/m365bp-increase-protection.md#set-sharing-settings-for-sharepoint-and-onedrive-files-and-folders). |
-| 8 | **Use Microsoft 365 Apps on devices**. | Outlook and Microsoft 365 Apps (also referred to as Office apps) enable people to work productively and more securely across devices. Whether you're using the web or desktop version of an app, you can start a document on one device, and pick it up later on another device. Instead of sending files as email attachments, you can share links to files that are stored in SharePoint or OneDrive. See [Install Office apps on all devices](../../business-premium/m365bp-install-office-apps.md). |
-| 9 | **Manage calendar sharing for your business**. | You can help people in your organization share their calendars appropriately for better collaboration. You can manage what level of detail they can share, such as by limiting the details that are shared to free/busy times only. See [Manage calendar sharing](../../business-premium/m365bp-increase-protection.md#manage-calendar-sharing). |
-| 10 | **Maintain your environment**. | After your initial setup and configuration of Microsoft 365 for business is complete, your organization needs a maintenance and operations plan. As employees come and go, you'll need to add or remove users, reset passwords, and maybe even reset devices to factory settings. You'll also want to make sure people have only the access they need to do their jobs. See [Maintain your environment](../../business-premium/m365bp-maintain-environment.md). |
+| 1 | **[Use multi-factor authentication](multi-factor-authentication-microsoft-365.md)**. | [Multi-factor authentication](multi-factor-authentication-microsoft-365.md) (MFA), also known as two-step verification, requires people to use a code or authentication app on their phone to sign into Microsoft 365, and is a critical first step to protecting your business data. Using MFA can prevent hackers from taking over if they know your password.<br/><br/>See [security defaults and MFA](../../business-premium/m365bp-conditional-access.md). |
+| 2 | **[Protect your administrator accounts](../../business-premium/m365bp-protect-admin-accounts.md)**. | Administrator accounts (also called admins) have elevated privileges, making these accounts more susceptible to cyberattacks. You'll need to set up and manage the right number of admin and user accounts for your business. We also recommend adhering to the information security principle of least privilege, which means that users and applications should be granted access only to the data and operations they require to perform their jobs. <br/><br/>See [Protect your administrator accounts](../../business-premium/m365bp-protect-admin-accounts.md). |
+| 3 | **[Use preset security policies](../../business-premium/m365bp-increase-protection.md)**. | Your subscription includes [preset security policies](../../security/office-365-security/preset-security-policies.md) that use recommended settings for anti-spam, anti-malware, and anti-phishing protection. <br/><br/>See [Protect against malware and other cyberthreats](../../business-premium/m365bp-increase-protection.md). |
+| 4 | **[Protect all devices](../../business-premium/m365bp-devices-overview.md)**. | Every device is a possible attack avenue into your network and must be configured properly, even those devices that are personally owned but used for work. <br/><br/>See the following articles: <br/>- [Help users set up MFA on their devices](https://support.microsoft.com/office/set-up-your-microsoft-365-sign-in-for-multi-factor-authentication-ace1d096-61e5-449b-a875-58eb3d74de14)<br/>- [Protect unmanaged Windows and Mac computers](../../business-premium/m365bp-protect-pcs-macs.md) <br/>- [Set up managed devices](../../business-premium/m365bp-managed-devices-setup.md) (requires Microsoft 365 Business Premium or Microsoft Defender for Business) |
+| 5 | **[Train everyone on email best practices](../../business-premium/m365bp-avoid-phishing-and-attacks.md)**. | Email can contain malicious attacks cloaked as harmless communications. Email systems are especially vulnerable, because email is handled by everyone in the organization, and safety relies on humans making consistently good decisions with those communications. Train everyone to know what to watch for spam or junk mail, phishing attempts, spoofing, and malware in their email. <br/><br/>See [Protect yourself against phishing and other attacks](../../business-premium/m365bp-avoid-phishing-and-attacks.md). |
+| 6 | **[Use Microsoft Teams for collaboration and sharing](../../business-premium/m365bp-collaborate-share-securely.md)**. | The best way to collaborate and share securely is to use Microsoft Teams. With Microsoft Teams, all your files and communications are in a protected environment and aren't being stored in unsafe ways outside of it.<br/><br/> See the following articles: <br/>- [Use Microsoft Teams for collaboration](../../business-premium/create-teams-for-collaboration.md) <br/>- [Set up meetings with Microsoft Teams](../../business-premium/set-up-meetings.md) <br/>- [Share files and videos in a safe environment](../../business-premium/share-files-and-videos.md) |
+| 7 | **[Set sharing settings for SharePoint and OneDrive files and folders](../../business-premium/m365bp-increase-protection.md)**. | Your default sharing levels for SharePoint and OneDrive might be set to a more permissive level than you should use. We recommend reviewing and if necessary, changing the default settings to better protect your business. Grant people only the access they need to do their jobs. <br/><br/>See [Set sharing settings for SharePoint and OneDrive files and folders](../../business-premium/m365bp-increase-protection.md#set-sharing-settings-for-sharepoint-and-onedrive-files-and-folders). |
+| 8 | **[Use Microsoft 365 Apps on devices](https://support.microsoft.com/topic/train-your-users-on-office-and-microsoft-365-7cba3c97-7f19-46ed-a1c6-763971a26c27)**. | Outlook and Microsoft 365 Apps (also referred to as Office apps) enable people to work productively and more securely across devices. Whether you're using the web or desktop version of an app, you can start a document on one device, and pick it up later on another device. Instead of sending files as email attachments, you can share links to documents that are stored in SharePoint or OneDrive. <br/><br/>See the following articles: <br/>- [Install Office apps on all devices](../../business-premium/m365bp-install-office-apps.md).<br/>- [Train your users on Office and Microsoft 365](https://support.microsoft.com/topic/train-your-users-on-office-and-microsoft-365-7cba3c97-7f19-46ed-a1c6-763971a26c27) |
+| 9 | **[Manage calendar sharing for your business](../../business-premium/m365bp-increase-protection.md#manage-calendar-sharing)**. | You can help people in your organization share their calendars appropriately for better collaboration. You can manage what level of detail they can share, such as by limiting the details that are shared to free/busy times only. <br/><br/>See [Manage calendar sharing](../../business-premium/m365bp-increase-protection.md#manage-calendar-sharing). |
+| 10 | **[Maintain your environment](../../business-premium/m365bp-maintain-environment.md)**. | After your initial setup and configuration of Microsoft 365 for business is complete, your organization needs a maintenance and operations plan. As employees come and go, you'll need to add or remove users, reset passwords, and maybe even reset devices to factory settings. You'll also want to make sure people have only the access they need to do their jobs. <br/><br/>See [Maintain your environment](../../business-premium/m365bp-maintain-environment.md). |
## Comparing Microsoft 365 for business plans
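Review bot: the new title link on row 8 points at the "Train your users on Office and Microsoft 365" support article rather than at m365bp-install-office-apps.md, so the step "Use Microsoft 365 Apps on devices" now leads somewhere other than the "Install Office apps on all devices" article it introduces, while every other row links the title to the same target as its trailing "See" link. Row 7's title link also drops the `#set-sharing-settings-for-sharepoint-and-onedrive-files-and-folders` anchor that its "See" link keeps, so it lands at the top of the long increase-protection page. Suggest aligning both title links with their "See" targets, or dropping the duplicated "See" sentence now that the titles are links. Minor wording carried over from the old rows: row 5 still reads "Train everyone to know what to watch for spam or junk mail" (reads better as "watch for: spam or junk mail, ..."), and row 6 has a stray space after `<br/><br/>` before "See the following articles".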
compliance Device Onboarding Offboarding Macos Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-offboarding-macos-intune.md
You can use Intune to onboard macOS devices into Microsoft Purview solutions.
- Make sure your [macOS devices are onboarded into Intune](/mem/intune/fundamentals/deployment-guide-platform-macos) and are enrolled in the [Company Portal app](/mem/intune/user-help/enroll-your-device-in-intune-macos-cp). - Make sure you have access to the [Microsoft Endpoint Manager center](https://endpoint.microsoft.com/#home).-- This supports macOS version Catalina 10.15 and higher.
+- This supports three most recent major releases of macOS.
- Create the user groups that you are going to assign the configuration updates to. - Install the v95+ Edge browser on your macOS devices ## Onboard macOS devices into Microsoft Purview solutions using Microsoft Intune
-Onboarding a macOS device into Compliance solutions is a six phase process.
+Onboarding a macOS device into Compliance solutions is a multi-phase process.
1. [Create system configuration profiles](#create-system-configuration-profiles) 1. [Get the device onboarding package](#get-the-device-onboarding-package)
-1. [Deploy the onboarding package](#deploy-the-onboarding-package)
-1. [Enable system extension](#enable-system-extension)
+1. [Deploy the mobileconfig and onboarding packages](#deploy-the-mobileconfig-and-onboarding-packages)
1. [Publish application](#publish-application)
+<!--1. [Enable system extension](#enable-system-extension)-->
+ ### Create system configuration profiles
-1. You'll need these files for this procedure.
+1. You'll need these files for this procedure.
|file needed for |source | |||
-|Onboarding package |downloaded from the compliance portal **Onboarding package**, file name *DeviceComplianceOnboarding.xml* |
-|accessibility |[accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig)|
+System mobile config file | [mdatp-nokext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/combined/mdatp-nokext.mobileconfig) Copy and paste the contents into a text file. Save the file with the **mobileconfig** extension only, it will not be recognized if it has the .txt extension.|
+MDE preferences| [com.microsoft.wdav.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/settings/data_loss_prevention/com.microsoft.wdav.mobileconfig). Copy and paste the contents into a text file. Save the file with the **mobileconfig** extension only, it will not be recognized if it has the .txt extension.
+
+### Get the device onboarding package
+
+1. In **Microsoft Purview Compliance center** open **Settings** > **Device Onboarding** and choose **Onboarding**.
+
+1. For **Select operating system to start onboarding process** choose **macOS**.
+
+1. For **Deployment method** choose **Mobile Device Management/Microsoft Intune**.
+
+1. Choose **Download onboarding package**.
+
+1. Extract the zip file and open the *Intune* folder. This contains the onboarding code in the *DeviceComplianceOnboarding.xml* file.
+
+<!--|accessibility |[accessibility.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/accessibility.mobileconfig)|
full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/fulldisk.mobileconfig)| |Network filer| [netfilter.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/netfilter.mobileconfig)] |System extensions |[sysext.mobileconfig](https://github.com/microsoft/mdatp-xplat/blob/master/macos/mobileconfig/profiles/sysext.mobileconfig)
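Review bot: "Create system configuration profiles" is now a file table with no procedure under it, because the profile-creation steps moved to "Deploy the mobileconfig and onboarding packages"; the heading and the "You'll need these files for this procedure" intro should be renamed to match (for example "Files you need"), or the table folded into the deploy section. Both new table rows repeat the same "Save the file with the **mobileconfig** extension only" sentence; say it once above the table. Both rows also link the master branch of microsoft/mdatp-xplat, so two admins following the page on different days can paste different profile contents; consider pointing at a tagged release or stating the payload identifiers the reader should see after pasting, so the deployed configuration can be checked. Small fixes: the added prerequisite should read "the three most recent major releases of macOS", and the added heading line has a leading space before `###`, which some renderers do not treat as a heading.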
full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp
> - netfilter.mobileconfig > - system extensions >
->If any of these individual files is updated, you'd need to download the either the combined file again or the single updated file individually.
-
-<!--2. Copy this code and save it in a file named `com.microsoft.autoupdate2.xml`.
-
-```xml
-<?xml version="1.0" encoding="utf-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1">
- <dict>
- <key>PayloadUUID</key>
- <string>B762FF60-6ACB-4A72-9E72-459D00C936F3</string>
- <key>PayloadType</key>
- <string>Configuration</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.autoupdate2</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft AutoUpdate settings</string>
- <key>PayloadDescription</key>
- <string>Microsoft AutoUpdate configuration settings</string>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>PayloadRemovalDisallowed</key>
- <true/>
- <key>PayloadScope</key>
- <string>System</string>
- <key>PayloadContent</key>
- <array>
- <dict>
- <key>PayloadUUID</key>
- <string>5A6F350A-CC2C-440B-A074-68E3F34EBAE9</string>
- <key>PayloadType</key>
- <string>com.microsoft.autoupdate2</string>
- <key>PayloadOrganization</key>
- <string>Microsoft</string>
- <key>PayloadIdentifier</key>
- <string>com.microsoft.autoupdate2</string>
- <key>PayloadDisplayName</key>
- <string>Microsoft AutoUpdate configuration settings</string>
- <key>PayloadDescription</key>
- <string/>
- <key>PayloadVersion</key>
- <integer>1</integer>
- <key>PayloadEnabled</key>
- <true/>
- <key>ChannelName</key>
- <string>Production</string>
- <key>HowToCheck</key>
- <string>AutomaticDownload</string>
- <key>EnableCheckForUpdatesButton</key>
- <true/>
- <key>DisableInsiderCheckbox</key>
- <false/>
- <key>SendAllTelemetryEnabled</key>
- <true/>
- </dict>
- </array>
- </dict>
-</plist>
-```
>-
-2. Open the **Microsoft Endpoint Manager center** > **Devices** > **Configuration profiles**.
-
-1. Choose: **Create profile**
-
-1. Choose:
- 1. **Platform = macOS**
- 1. **Profile type = Templates**
- 1. **Template name = Custom**
-
-1. Choose **Create**
-
-1. Choose a name for the profile, like *AccessibilityformacOS* in this example. Choose **Next**.
-
-1. Choose the **accessibility.mobileconfig** file that you downloaded in step 1 as the configuration profile file.
-
-1. Choose **Next**
-
-1. On the **Assignments** tab add the group you want to deploy these configurations to and choose **Next**.
-
-1. Review your settings and choose **Create** to deploy the configuration.
-
-1. Repeat steps 3-11 to create profiles for the:
- 1. **fulldisk.mobileconfig** file
- 1. **com.microsoft.autoupdate2.xml** file
- 1. MDE preferences **com.microsoft.wdav.xml** file
- 1. set Antivirus engine `passive mode` = `true` or `false`. Use `true`if deploying DLP only. Use `false` or do not assign a value if deploying DLP and Microsoft Defender for Endpoint (MDE).
- 1. **netfilter.mobileconfig**
-
-1. Open **Devices** > **Configuration profiles**, you should see your created profiles there.
-
-1. In the **Configuration profiles** page, choose the profile that you just created, in this example *AccessibilityformacOS* and choose **Device status** to see a list of devices and the deployment status of the configuration profile.
-
-### Get the device onboarding package
+>If any of these individual files is updated, you'd need to download the either the combined file again or the single updated file individually.-->
-1. In **Compliance center** open **Settings** > **Device Onboarding** and choose **Onboarding**.
-
-1. For **Select operating system to start onboarding process** choose **macOS**.
-
-1. For **Deployment method** choose **Mobile Device Management/Microsoft Intune**.
-
-1. Choose **Download onboarding package**. This contains the onboarding code in the *DeviceComplianceOnboarding.xml* file.
-
-### Deploy the onboarding package
+### Deploy the mobileconfig and onboarding packages
1. Open the **Microsoft Endpoint Manager center** > **Devices** > **Configuration profiles**.
-1. Choose: **Create profile**.
+1. Choose: **Create profile**
1. Choose: 1. **Platform = macOS**
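Review bot: the removed step list carried the only guidance on the Antivirus engine `passive mode` preference ("Use `true` if deploying DLP only. Use `false` or do not assign a value if deploying DLP and Microsoft Defender for Endpoint (MDE)"), and the new procedure does not restore it even though the com.microsoft.wdav.mobileconfig preferences profile is still deployed later in this section. Without that note a DLP-only tenant can end up with Defender's antivirus engine active on every onboarded Mac, or an MDE tenant can leave it passive; please carry the passive-mode guidance into the deploy steps. Also, the sentence kept inside the HTML comment still reads "download the either the combined file again" (stray "the").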
full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp
1. Choose **Create**
-1. Choose a name for the profile, like *OnboardingPackage* in this example. Choose **Next**.
+1. Choose a name for the profile, like *SystemMobileConfig* in this example. Choose **Next**.
-1. Choose the *DeviceComplianceOnboarding.xml* file as the configuration profile file.
+1. Choose the **mdatp-nokext.mobileconfig** file that you copied and saved in step 1 as the configuration profile file.
1. Choose **Next**
full disk access |[fulldisk.mobileconfig](https://github.com/microsoft/mdatp
1. Review your settings and choose **Create** to deploy the configuration.
-### Enable system extension
-
-1. In the **Microsoft Endpoint Manager center** select **Create Profile** under **Configuration Profiles**
-
-1. Choose:
- 1. **Platform = macOS**
- 1. **Profile type = Templates**
- 1. **Template name = Extensions**
-
-1. Choose **Create**
+1. Repeat steps 2-9 to create profiles for the:
+ 1. **DeviceComplianceOnboarding.xml** file. Name it *Purview Device Onboarding Package*
+ 1. **com.microsoft.wdav.mobileconfig** file. Name it *Endpoint Device Preferences*
+
+1. Open **Devices** > **Configuration profiles**, you should see your created profiles there.
-1. In the **Basics** tab, give this new profile a name.
+1. In the **Configuration profiles** page, choose the profile that you just created, for example *SystemMobileConfig* and choose **Device status** to see a list of devices and the deployment status of the configuration profile.
-1. In the **Configuration settings** tab expand **System Extensions**.
+### Publish application
-1. Under **Bundle identifier** and **Team identifier**, set these values
+Microsoft Endpoint DLP is installed as a component of Microsoft Defender for Endpoint (MDE) on macOS. This procedure applies to onboarding devices into Microsoft Purview solutions
-|Bundle identifier |Team identifier |
-|||
-|**com.microsoft.wdav.epsext**|**UBF8T346G9**|
-|**com.microsoft.wdav.netext**|**UBF8T346G9**|
+1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), open **Apps**.
+1. Select By platform > macOS > Add.
-1. On the **Assignments** tab add the group you want to deploy these configurations to and choose **Next**.
+1. Choose **App type**=**macOS**, click **Select**.
-1. Choose **Next** to deploy the configuration.
+1. Keep default values, click **Next**.
-### Publish application
+1. Add assignments, click **Next**.
-Microsoft Endpoint DLP is installed as a component of Microsoft Defender for Endpoint (MDE) on macOS
+1. Review and **Create**.
-1. Follow the procedures in [Intune-based deployment for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-install-with-intune#publish-application) to deploy MDE to enrolled macOS devices.
+1. You can visit **Apps** \> **By platform** \> **macOS** to see it on the list of all applications.
-## Offboard macOS devices using Intune
+<!--## Offboard macOS devices using Intune PINGING PG FOR THIS PROCEDURE
> [!NOTE] > Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to six months.
-2. In **Microsoft Endpoint Manager center**, open **Devices** > **Configuration profiles**, you should see your created profiles there.
+1. In **Microsoft Endpoint Manager center**, open **Devices** > **Configuration profiles**, you should see your created profiles there.
1. In the **Configuration profiles** page, choose the *wdav.pkg.intunemac* profile.
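Review bot: the new "Publish application" steps never say which app to add. The removed link to "Intune-based deployment for Microsoft Defender for Endpoint on macOS" was the only pointer, and "**App type**=**macOS**" names a platform rather than an app, so a reader cannot tell from these steps that they are publishing Microsoft Defender for Endpoint (the intro sentence says Endpoint DLP is installed as a component of MDE). Restore that link or name the app explicitly; the intro sentence is also missing its final period. Dropping the "Enable system extension" section (bundle identifiers `com.microsoft.wdav.epsext` and `com.microsoft.wdav.netext`, team identifier `UBF8T346G9`) assumes the combined mdatp-nokext.mobileconfig carries the system-extension and network-filter payloads; that assumption should be stated in the text, since the step was previously required. Finally, commenting out "Offboard macOS devices using Intune" leaves a page titled onboarding/offboarding with no offboarding procedure, and the "PINGING PG FOR THIS PROCEDURE" placeholder should not ship in the public branch even inside a comment.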
Microsoft Endpoint DLP is installed as a component of Microsoft Defender for End
1. Open **Properties** and **Assignments**
-1. Remove the group from the assignment. This will uninstall the *wdav.pkg.intunemac* package and offboard the macOS device from Compliance solutions.
+1. Remove the group from the assignment. This will uninstall the *wdav.pkg.intunemac* package and offboard the macOS device from Compliance solutions.-->
compliance Dlp Configure Endpoint Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-configure-endpoint-settings.md
For example:
| ***.CONTOSO.COM** |**Matches the specified domain name, any subdomain, and any site**: <p>*://contoso.com <p>*://contoso.com/anysubsite <p>*://contoso.com/anysubsite1/anysubsite2 <p>*://anysubdomain.contoso.com/ <p>*://anysubdomain.contoso.com/anysubsite/ <p>*://anysubdomain1.anysubdomain2.contoso.com/anysubsite/ <p>*://anysubdomain1.anysubdomain2.contoso.com/anysubsite1/anysubsite2 (etc) <p>**Does not match unspecified domains** <p>*://anysubdomain.contoso.com.AU/ | | **`www.contoso.com`** |**Matches the specified domain name**: <p>`www.contoso.com` <p>**Does not match unspecified domains or subdomains** <p>*://anysubdomain.contoso.com/, in this case, you have to put the FQDN domain name itself `www.contoso.com`|
-#### Sensitive service domains (preview)
+#### Sensitive service domains
When you list a website in Sensitive services domains you can audit, block with override, or block users when they attempt to:
When you list a website in Sensitive services domains you can audit, block with
- copy data from a website - save a website as local files
-Each website must be listed in a website group and the user must be accessing the website through Microsoft Edge. Sensitive service domains (preview) is used in conjunction with a DLP policy for Devices. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains (preview)](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains-preview) for more information.
+Each website must be listed in a website group and the user must be accessing the website through Microsoft Edge. Sensitive service domains is used in conjunction with a DLP policy for Devices. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) for more information.
### Additional settings for endpoint DLP
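Review bot: renaming the heading changes its anchor from `#sensitive-service-domains-preview` to `#sensitive-service-domains`; the inbound links updated elsewhere in this change set cover the docs repo, but any other page or external bookmark still using the old anchor will land at the top of this page, so a sweep for the old anchor across the repo is worth doing before merge. Minor: "See, [Scenario 6 ...]" should drop the comma after "See", here and in the other updated files.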
compliance Dlp Policy Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-reference.md
The available context options change depending on which location you choose. If
##### Conditions Devices supports - Content contains-- (preview) The user accessed a sensitive website from Edge. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains (preview)](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains-preview) for more information.
+- The user accessed a sensitive website from Edge. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) for more information.
- File extension is - File type is - See, [Endpoint activities you can monitor and take action on](endpoint-dlp-learn-about.md#endpoint-activities-you-can-monitor-and-take-action-on)
The actions that are available in a rule are dependent on the locations that hav
#### Devices actions <!--- (preview) Audit or restricted activities when users access sensitive websites in Microsoft Edge browser on Windows devices. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains (preview)](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains-preview) for more information.
+- Audit or restricted activities when users access sensitive websites in Microsoft Edge browser on Windows devices. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains)](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) for more information.
- Audit or restrict activities on Windows devices To use `Audit or restrict activities on Windows devices`, you have to configure options in **DLP settings** and in the policy in which you want to use them. See, [Restricted apps and app groups](dlp-configure-endpoint-settings.md#restricted-apps-and-app-groups) for more information.
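Review bot: the added bullet has a stray closing parenthesis inside the link text, "sensitive service domains)]", which will render in the link label; it also says "Audit or restricted activities" where the sibling bullet and the quoted setting name use "Audit or restrict activities", so the wording should match.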
compliance Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery.md
f1.keywords:
Previously updated : Last updated : 08/25/2022 audience: Admin
Electronic discovery, or eDiscovery, is the process of identifying and deliverin
Microsoft Purview provides three eDiscovery solutions: Content search, eDiscovery (Standard), and eDiscovery (Premium).
+<!--
![Key capabilities of Microsoft Purview eDiscovery tools.](..\media\m365-ediscovery-solution-graphic.png)
+-->
+
+|Content Search|eDiscovery (Standard)|eDiscovery (Premium)|
+||||
+|Search for content </br> Keyword queries and search conditions </br> Export search results </br> Role-based permissions|Search and export </br> Case management </br>Legal hold|Custodian management </br> Legal hold notifications </br> Advanced indexing </br> Review set filtering </br> Tagging </br> Analytics </br> Predictive coding models </br> And more...|
- **Content search**. Use the Content search tool to search for content across Microsoft 365 data sources and then export the search results to a local computer.
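Review bot: the cells in the new comparison table use `</br>` for line breaks, which is a closing tag, not a break; the other tables in this change set use `<br/>`, and markdown sanitizers may strip the malformed form, collapsing each cell into one line. Replace with `<br/>`. Also, commenting out the image drops its alt text "Key capabilities of Microsoft Purview eDiscovery tools"; a one-line caption or intro sentence before the table would keep that context for readers.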
compliance Endpoint Dlp Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-using.md
You can continue to add new services, apps, and policies to extend and augment y
This configuration will help ensure your data remains safe while also avoiding unnecessary restrictions that prevent or restrict users from accessing and sharing non-sensitive items.
-## Scenario 6 Monitor or restrict user activities on sensitive service domains (preview)
+## Scenario 6 Monitor or restrict user activities on sensitive service domains
Use this scenario when you want to audit, block with override, or block these user activities on a website.
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Data Loss Prevention - [DLP policy reference](dlp-policy-reference.md#blocking-and-notifications-in-sharepoint-online-and-onedrive-for-business) - added new section on Blocking and notifications in SharePoint Online, and OneDrive for Business in response to customer escalations. Updated to support the public preview of sensitive services domains. Updated support for Power BI. Updated support for trainable classifiers.-- [Configure endpoint DLP settings](dlp-configure-endpoint-settings.md#sensitive-service-domains-preview) - added new content in support of the public preview release of sensitive service domains public preview. Updated URL matching behavior.-- [Using endpoint DLP](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains-preview) - new scenario content in support of the public preview release of sensitive services domains. Updated subscription information.
+- [Configure endpoint DLP settings](dlp-configure-endpoint-settings.md#sensitive-service-domains) - added new content in support of the public preview release of sensitive service domains public preview. Updated URL matching behavior.
+- [Using endpoint DLP](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) - new scenario content in support of the public preview release of sensitive services domains. Updated subscription information.
### eDiscovery
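Review bot: these entries still describe the content as "in support of the public preview release of sensitive service domains", while the same change set removes the "(preview)" tag from the headings in dlp-configure-endpoint-settings.md, dlp-policy-reference.md and endpoint-dlp-using.md; if the feature is now generally available, the What's new text should say so, and if it is not, the headings should keep the tag. The first added bullet also reads "public preview release of sensitive service domains public preview" (duplicated "public preview").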
enterprise Additional Office365 Ip Addresses And Urls https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls.md
Apart from DNS, these instances are all optional for most customers unless you n
|20|**[Azure AD Connect](/azure/active-directory/hybrid/)** with 21 ViaNet in China to sync on-premises user accounts to Azure AD.|\*.digicert.com:80 <BR> \*.entrust.net:80 <BR> \*.chinacloudapi.cn:443 <br> secure.aadcdn.partner.microsoftonline-p.cn:443 <br> \*.partner.microsoftonline.cn:443 <p> Also see [Troubleshoot ingress with Azure AD connectivity issues](https://docs.azure.cn/zh-cn/active-directory/hybrid/tshoot-connect-connectivity).|Outbound server-only traffic| |21|**Microsoft Stream** (needs the Azure AD user token). <br> Office 365 Worldwide (including GCC)|\*.cloudapp.net <br> \*.api.microsoftstream.com <br> \*.notification.api.microsoftstream.com <br> amp.azure.net <br> api.microsoftstream.com <br> az416426.vo.msecnd.net <br> s0.assets-yammer.com <br> vortex.data.microsoft.com <br> web.microsoftstream.com <br> TCP port 443|Inbound server traffic| |22|Use **MFA server** for multi-factor authentication requests, both new installations of the server and setting it up with Active Directory Domain Services (AD DS).|See [Getting started with the Azure AD multi-factor authentication Server](/azure/active-directory/authentication/howto-mfaserver-deploy#plan-your-deployment).|Outbound server-only traffic|
-|23|**Microsoft Graph Change Notifications** <p> Developers can use [change notifications](/graph/webhooks?context=graph%2fapi%2f1.0&view=graph-rest-1.0&preserve-view=true) to subscribe to events in the Microsoft Graph.|Public Cloud: 52.159.23.209, 52.159.17.84, 52.147.213.251, 52.147.213.181, 13.85.192.59, 13.85.192.123, 13.89.108.233, 13.89.104.147, 20.96.21.67, 20.69.245.215, 137.135.11.161, 137.135.11.116, 52.159.107.50, 52.159.107.4, 52.229.38.131, 52.183.67.212, 52.142.114.29, 52.142.115.31, 51.124.75.43, 51.124.73.177, 20.44.210.83, 20.44.210.146, 40.80.232.177, 40.80.232.118, 20.48.12.75, 20.48.11.201, 104.215.13.23, 104.215.6.169, 52.148.24.136, 52.148.27.39, 40.76.162.99, 40.76.162.42, 40.74.203.28, 40.74.203.27, 13.86.37.15, 52.154.246.238, 20.96.21.98, 20.96.21.115, 137.135.11.222, 137.135.11.250, 52.159.109.205, 52.159.102.72, 52.151.30.78, 52.191.173.85, 51.104.159.213, 51.104.159.181, 51.138.90.7, 51.138.90.52, 52.148.115.48, 52.148.114.238, 40.80.233.14, 40.80.239.196, 20.48.14.35, 20.48.15.147, 104.215.18.55, 104.215.12.254, 20.199.102.157, 20.199.102.73, 13.87.81.123, 13.87.81.35, 20.111.9.46, 20.111.9.77, 13.87.81.133, 13.87.81.141 <p> Microsoft Cloud for US Government: 52.244.33.45, 52.244.35.174, 52.243.157.104, 52.243.157.105, 52.182.25.254, 52.182.25.110, 52.181.25.67, 52.181.25.66, 52.244.111.156, 52.244.111.170, 52.243.147.249, 52.243.148.19, 52.182.32.51, 52.182.32.143, 52.181.24.199, 52.181.24.220 <p> Microsoft Cloud China operated by 21Vianet: 42.159.72.35, 42.159.72.47, 42.159.180.55, 42.159.180.56, 40.125.138.23, 40.125.136.69, 40.72.155.199, 40.72.155.216 <br> TCP port 443 <p> Note: Developers can specify different ports when creating the subscriptions.|Inbound server traffic|
+|23|**Microsoft Graph Change Notifications** <p> Developers can use [change notifications](/graph/webhooks?context=graph%2fapi%2f1.0&view=graph-rest-1.0&preserve-view=true) to subscribe to events in the Microsoft Graph.|Public Cloud: 52.159.23.209, 52.159.17.84, 52.147.213.251, 52.147.213.181, 13.85.192.59, 13.85.192.123, 20.9.36.45, 20.9.35.166, 20.96.21.67, 20.69.245.215, 137.135.11.161, 137.135.11.116, 52.159.107.50, 52.159.107.4, 52.229.38.131, 52.183.67.212, 52.142.114.29, 52.142.115.31, 51.124.75.43, 51.124.73.177, 20.44.210.83, 20.44.210.146, 40.80.232.177, 40.80.232.118, 20.48.12.75, 20.48.11.201, 104.215.13.23, 104.215.6.169, 52.148.24.136, 52.148.27.39, 40.76.162.99, 40.76.162.42, 40.74.203.28, 40.74.203.27, 13.86.37.15, 52.154.246.238, 20.96.21.98, 20.96.21.115, 137.135.11.222, 137.135.11.250, 52.159.109.205, 52.159.102.72, 52.151.30.78, 52.191.173.85, 51.104.159.213, 51.104.159.181, 51.138.90.7, 51.138.90.52, 52.148.115.48, 52.148.114.238, 40.80.233.14, 40.80.239.196, 20.48.14.35, 20.48.15.147, 104.215.18.55, 104.215.12.254, 20.199.102.157, 20.199.102.73, 13.87.81.123, 13.87.81.35, 20.111.9.46, 20.111.9.77, 13.87.81.133, 13.87.81.141 <p> Microsoft Cloud for US Government: 52.244.33.45, 52.244.35.174, 52.243.157.104, 52.243.157.105, 52.182.25.254, 52.182.25.110, 52.181.25.67, 52.181.25.66, 52.244.111.156, 52.244.111.170, 52.243.147.249, 52.243.148.19, 52.182.32.51, 52.182.32.143, 52.181.24.199, 52.181.24.220 <p> Microsoft Cloud China operated by 21Vianet: 42.159.72.35, 42.159.72.47, 42.159.180.55, 42.159.180.56, 40.125.138.23, 40.125.136.69, 40.72.155.199, 40.72.155.216 <br> TCP port 443 <p> Note: Developers can specify different ports when creating the subscriptions.|Inbound server traffic|
|24|**Network Connection Status Indicator**<p>Used by Windows 10 and 11 to determine if the computer is connected to the internet (does not apply to non-Windows clients). When this URL cannot be reached, Windows will assume it is not connected to the Internet and M365 Apps for Enterprise will not try to verify activation status, causing connections to Exchange and other services to fail.|www.msftconnecttest.com <br> 13.107.4.52<p>Also see [Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints) and [Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints).|Outbound server-only traffic| |25|**Teams Notifications on Mobile Devices**<p>Used by Android and Apple mobile devices to receive push notifications to the Teams client for incoming calls and other Teams services. When these ports are blocked, all push notifications to mobile devices will fail.|For specific ports, see [FCM ports and your firewall in the Google Firebase documentation](https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall) and [If your Apple devices aren't getting Apple push notifications](https://support.apple.com/en-us/HT203609).|Outbound server-only traffic|
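Review bot: row 23 replaces 13.89.108.233 and 13.89.104.147 with 20.9.36.45 and 20.9.35.166 in the Public Cloud list without saying when the old addresses stop sending. This row is inbound traffic that customers allowlist on their webhook receivers, so a silent swap means some tenants will start dropping change notifications after the cutover while others leave retired addresses open indefinitely. Add an effective date (or point to the change log for this page), and state explicitly whether the two old addresses should be removed from firewall rules now or kept until a stated transition date.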
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### [Trial playbook: Get the most out of your trial](defender-endpoint-trial-playbook.md) ### [Compare Microsoft endpoint security plans](defender-endpoint-plan-1-2.md) ### [Minimum requirements](minimum-requirements.md)
+### [Supported Microsoft Defender for Endpoint capabilities by platform](supported-capabilities-by-platform.md)
### [What's new in Microsoft Defender for Endpoint?](whats-new-in-microsoft-defender-endpoint.md) ### [Preview features](preview.md) ### [Data storage and privacy](data-storage-privacy.md)
security Application Deployment Via Mecm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/application-deployment-via-mecm.md
ms.technology: mde + # Migrating servers from Microsoft Monitoring Agent to the unified solution **Applies to:**
For more information on installing the listed prerequisites, see [related topics
Copy the unified solution package, onboarding script and migration script to the same content source you deploy other apps with MECM. 1. Download Onboarding Script and the unified solution from [Microsoft 365 Defender settings page](https://sip.security.microsoft.com/preferences2/onboarding).-
- :::image type="content" source="images/onboarding-script.png" alt-text="Screenshot of onboarding script and unified solution download." lightbox="images/onboarding-script.png":::
-
+ :::image type="content" source="images/onboarding-script.png" alt-text="Screenshot of onboarding script and unified solution download" lightbox="images/onboarding-script.png":::
+ > [!Note]
+ > You must select the Group Policy from the Deployment method dropdown to obtain the .cmd file.
2. Download the migration script from the document: [Server migration scenarios from the previous, MMA-based Microsoft Defender for Endpoint solution](server-migration.md). This script can also be found on GitHub: [GitHub - microsoft/mdefordownlevelserver](https://github.com/microsoft/mdefordownlevelserver). 3. Save all three files in a shared folder used by MECM as a Software Source.
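Review bot: the new note says to choose Group Policy in the Deployment method dropdown to obtain the .cmd file but not why; since this procedure deploys with MECM, a reader will naturally pick the Configuration Manager option and get a different package. State that the Group Policy package is the one that produces the onboarding .cmd script the migration script in step 2 expects. Also, `https://sip.security.microsoft.com/preferences2/onboarding` looks like a ring-specific host; public documentation should link the `https://security.microsoft.com/...` form of the onboarding page.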
Copy the unified solution package, onboarding script and migration script to the
1. In the MECM console, follow these steps: **Software Library>Applications>Create Application**. 2. Select **Manually specify the application information**.
-
:::image type="content" source="images/manual-application-information.png" alt-text="Screenshot of manually specifying the application information selection." lightbox="images/manual-application-information.png":::
-
3. Select **Next** on the Software Center screen of the wizard. 4. On the Deployment Types, click **Add**. 5. Select **Manually to specify the deployment type information** and select **Next**. 6. Give a name to your script deployment and select **Next**. :::image type="content" source="images/manual-deployment-information.png" alt-text="Screenshot specifying the script deployment information.":::
-
-7. On this step, copy the UNC path that your content is located. Example: `\\Cm1\h$\SOFTWARE_SOURCE\UAmigrate`.
+7. On this step, copy the UNC path that your content is located. Example: `\\ServerName\h$\SOFTWARE_SOURCE\path`.
:::image type="content" source="images/deployment-type-wizard.png" alt-text="Screenshot that shows UNC path copy.":::
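Review bot: the example UNC path `\\ServerName\h$\SOFTWARE_SOURCE\path` still points at an administrative share (`h$`). Admin shares are readable only by local administrators on the file server, so modelling this in the docs means the site server's computer account or network access account has to be a local admin on that server just to read a package, which is far more privilege than a content source needs; show a dedicated share with read-only ACLs instead (for example `\\ServerName\SOFTWARE_SOURCE\MDE`). The sentence "copy the UNC path that your content is located" should read "copy the UNC path where your content is located".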
Copy the unified solution package, onboarding script and migration script to the
Click **Next** and make sure to add your own Workspace ID in this section. 9. Click **Next** and click add a clause. 10. The detection method will be based on the registry key shown below.
- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense\ImagePath`
+ `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense`
Check the option: **This registry setting must exit on the target system to indicate presence of this application.**
- :::image type="content" source="images/detection-wizard.png" alt-text="Screenshot that shows detection type wizard":::
+ :::image type="content" source="images/detection-wizard.png" alt-text="Screenshot that shows detection type wizard":::
>[!TIP]
- >This registry key value was obtained by running the Powershell command shown below on a device that has the unified solution installed. Other creative methods of detection can also be used. The goal is to identify whether the unified solution has already been installed on a specific device.
+ >The registry key value was obtained by running the Powershell command shown below on a device that has the unified solution installed. Other creative methods of detection can also be used. The goal is to identify whether the unified solution has already been installed on a specific device. You can leave the Value and Data Type fields as blank.
```powershell get-wmiobject Win32_Product | Sort-Object -Property Name |Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize ``` 11. In the **User Experience** section, check the recommended settings shown in the screenshot. You can choose what suits your environment and click **Next**. For **Installation program visibility**, it's advisable to install with **Normal** during phase testing then change it to **Minimized** for general deployment.
-
+ >[!TIP] >The maximum allowed runtime can be lowered from (default) 120 minutes to 60 minutes.
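Review bot: the tip says the registry key "was obtained by running the Powershell command shown below", but `get-wmiobject Win32_Product` enumerates installed MSI products (IdentifyingNumber, Name, LocalPackage) and does not return registry keys, so the text and the command do not match. If the intended detection is the Sense service key, say it was located under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services`; if the intent is an MSI product-code detection, show that clause instead. Separately, querying Win32_Product is known to trigger a consistency check and repair of every installed MSI package on the machine, which is not something to run casually on production servers; reading `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall` is the safer way to list installed products. Changing the clause from the `ImagePath` value to the `Sense` key is fine for a presence check, and leaving Value and Data Type blank is consistent with that. The unchanged sentence "must exit on the target system" should read "must exist".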
security Automation Levels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automation-levels.md
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 07/20/2022 Last updated : 08/22/2022 audience: ITPro
Automated investigation and remediation (AIR) capabilities in Microsoft Defender
- New tenants (which include tenants that were created on or after August 16, 2020) with Defender for Endpoint are set to full automation by default. -- [Defender for Business](../defender-business/compare-mdb-m365-plans.md) uses full automation by default. Defender for Business doesn't use device groups the same way as Defender for Business. Thus, full automation is turned on and applied to all devices in Defender for Business.
+- [Defender for Business](../defender-business/compare-mdb-m365-plans.md) uses full automation by default. Defender for Business doesn't use device groups the same way as Defender for Endpoint. Thus, full automation is turned on and applied to all devices in Defender for Business.
- If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out.
security Mssp List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-list.md
Logo |Partner name | Description
![Image of CyberProof logo.](images/cyberproof-logo.png) |[CyberProof Managed Detection & Response (MDR)](https://go.microsoft.com/fwlink/?linkid=2163964) | 24x7 managed threat detection and response services fully integrated with Microsoft Sentinel and Defender for Endpoint. ![Image of Dell Technologies Advanced Threat Protection logo.](images/dell-logo.png)| [Dell Technologies Advanced Threat Protection](https://go.microsoft.com/fwlink/?linkid=2091004) | Professional monitoring service for malicious behavior and anomalies with 24/7 capability :::image type="content" source="images/dxc-logo.png" alt-text="Image of DXC-Managed Endpoint Threat Detection and Response logo.":::.| [DXC-Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2090395) | Identify endpoint threats that evade traditional security defenses and contain them in hours or minutes, not days.
-![Image of eSentire log.](images/esentire-logo.png) | [eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2154970) | 24x7 threat investigations and response via Microsoft Defender for Endpoint.
+![Image of eSentire log.](images/esentire-logo.png) | [eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2154970) | 24/7 threat hunting, investigation, and complete response with certified MDR expertise across the Microsoft Ecosystem, including Microsoft 365 Defender & Sentinel-plus 15-minute mean time to contain.
![Image of expel logo.](images/expel-logo.png)| [Expel Managed detection and response for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2162430) | Expel helps your security keep up by detecting security risks in Microsoft Defender for Endpoint. ![Image of Mandiant logo.](images/mandiant-logo.png) | [Mandiant Managed Defense (MDR) for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2164352) | Fortify your Defender for Endpoint with 24/7 frontline MDR intelligence and expertise from Mandiant. ![Image of NTT Security logo.](images/ntt-logo.png)| [NTT Security](https://go.microsoft.com/fwlink/?linkid=2095320) | NTT's EDR Service provides 24/7 security monitoring & response across your endpoint and network
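Review bot: the replacement description reads "Microsoft 365 Defender & Sentinel-plus 15-minute mean time to contain", where the hyphen after "Sentinel" looks like a typo for a comma or " plus". A quantified claim such as "15-minute mean time to contain" is also vendor marketing that the other rows in this table avoid; either attribute it to the partner ("eSentire states ...") or trim the entry to the capability list. The alt text carried over into the `+` line still says "Image of eSentire log." and should be "logo".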
security Onboard Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md
After onboarding the devices, you'll then need to configure the other capabiliti
| [Configure Auto Investigation & Remediation (AIR) capabilities](configure-automated-investigations-remediation.md) | Microsoft Defender for Endpoint uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. | | [Configure Microsoft Threat Experts (MTE) capabilities](configure-microsoft-threat-experts.md) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed. |
+For more information, see [Supported Microsoft Defender for Endpoint capabilities by platform](supported-capabilities-by-platform.md).
+
-## Supported capabilities for Windows devices
-
-|Operating System |Windows 10 & 11 |Windows Server 2012 R2 <sup>[[1](#fn1)]<sup></sup> |Windows Server 2016<sup>[[1](#fn1)]<sup></sup> |Windows Server 2019 & 2022|Windows Server 1803+|
-|||||||
-|**Prevention** | | | | | |
-|Attack Surface Reduction rules | Y | Y | Y | Y | Y |
-|Device Control | Y | N | N | N | N |
-|Firewall | Y | Y | Y | Y | Y |
-|Network Protection | Y | Y | Y | Y | Y |
-|Next-generation protection | Y | Y | Y | Y | Y |
-|Tamper Protection | Y | Y | Y | Y | Y |
-|Web Protection | Y | Y | Y | Y | Y |
-|||||||
-|**Detection** | | | |||
-|Advanced Hunting | Y | Y | Y | Y | Y |
-|Custom file indicators | Y | Y | Y | Y | Y |
-|Custom network indicators | Y | Y | Y | Y | Y |
-|EDR Block & Passive Mode | Y | Y | Y | Y | Y |
-|Sense detection sensor | Y | Y | Y | Y | Y |
-|Endpoint & network device discovery | Y | N | N | N | N |
-|||||||
-|**Response** | | | |||
-|Automated Investigation & Response (AIR) | Y | Y | Y | Y | Y |
-|Device response capabilities: isolation, collect investigation package, run AV scan | Y | Y | Y | Y | Y |
-|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes | Y | Y | Y | Y | Y |
-|Live Response | Y | Y | Y | Y | Y |
-
-(<a id="fn1">1</a>) Refers to the modern, unified solution for Windows Server 2012 R2 and 2016. For more information, see [Onboard Windows Servers to the Defender for Endpoint service](configure-server-endpoints.md).
-
->[!NOTE]
->Windows 7, 8.1, Windows Server 2008 R2 include support for the EDR sensor, and AV using System Center Endpoint Protection (SCEP).
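Review bot: removing the `## Supported capabilities for Windows devices` heading also removes its anchor, so any page linking to `onboard-configure.md#supported-capabilities-for-windows-devices` now lands at the top of this article with no table. Search the repo for that anchor and repoint those links to supported-capabilities-by-platform.md. The Windows 7/8.1/Server 2008 R2 note is dropped here and reappears on the new page, so nothing is lost, but the new "For more information" sentence would read better placed in the paragraph it relates to rather than as an orphan line after the table.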
security Supported Capabilities By Platform https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform.md
+
+ Title: Supported Microsoft Defender for Endpoint capabilities by platform
+description: Get to know the Microsoft Defender for Endpoint capabilities supported for Windows 10 devices, servers, and non-Windows devices.
+keywords: onboarding, Microsoft Defender for Endpoint onboarding, sccm, group policy, mdm, local script, detection test
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365-initiative-defender-endpoint
+
+ms.technology: mde
++
+# Supported Microsoft Defender for Endpoint capabilities by platform
++
+**Applies to:**
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+Learn how to [Onboard devices and configure Microsoft Defender for Endpoint capabilities](onboard-configure.md).
+
+The following table gives information about the supported Microsoft Defender for Endpoint capabilities by platform.
+
+|Operating System |Windows 10 & 11 |Windows Server 2012 R2 <sup>[[1](#fn1)]</sup>, <br> 2016 <sup>[[1](#fn1)]</sup>, <br> 2019 & 2022, <br> 1803+ |macOS |Linux|
+||||||
+|**Prevention** | | | | |
+|Attack Surface Reduction rules | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
+|Controlled folder access | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
+|Device Control | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) |
+|Firewall | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
+|Network Protection | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> |
+|Next-generation protection | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
+|Tamper Protection | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) |
+|Web Protection | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> |
+||||||
+|**Detection** | | | | |
+|Advanced Hunting | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
+|Custom file indicators | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
+|Custom network indicators | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> |
+|EDR Block | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
+|Passive Mode | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
+|Sense detection sensor | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
+|Endpoint & network device discovery | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
+|Vulnerability management | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) |
+||||||
+|**Response** | | | ||
+|Automated Investigation & Response (AIR) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) | ![No](images/svg/check-no.svg) |
+|Device response capabilities: collect investigation package, run AV scan | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)][[3](#fn3)]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)][[3](#fn3)]</sup> |
+|Device isolation | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)][[3](#fn3)]</sup> | ![No](images/svg/check-no.svg) |
+|File response capabilities: collect file, deep analysis, block file, stop, and quarantine processes | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![No](images/svg/check-no.svg) <sup>[[4](#fn4)]</sup> | ![No](images/svg/check-no.svg) <sup>[[4](#fn4)]</sup> |
+|Live Response | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> | ![Yes.](images/svg/check-yes.svg) <sup>[[2](#fn2)]</sup> |
++
+(<a id="fn1">1</a>) Refers to the modern, unified solution for Windows Server 2012 R2 and 2016. For more information, see [Onboard Windows Servers to the Defender for Endpoint service](configure-server-endpoints.md).
+
+(<a id="fn2">2</a>) Feature is currently in preview ([Microsoft Defender for Endpoint preview features](preview.md))
+
+(<a id="fn3">3</a>) Response capabilities using Live Response [2]
+
+(<a id="fn4">4</a>) Collect file only, using Live Response [2]
+>[!NOTE]
+>Windows 7, 8.1, Windows Server 2008 R2 include support for the EDR sensor, and AV using System Center Endpoint Protection (SCEP).
+
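Review bot: a few inconsistencies in the new page are worth fixing before it becomes the canonical capability reference. (1) Footnotes 3 and 4 write "[2]" as literal text instead of the `<sup>[[2](#fn2)]</sup>` link used inside the table, so the preview caveat is not clickable there. (2) The `>[!NOTE]` block starts on the line directly after footnote 4 with no blank line, which in DocFX Markdown attaches it to the preceding paragraph instead of rendering a note box. (3) All Windows Server versions now share one column, so the per-version differences the removed onboard-configure.md table expressed (separate columns for 2012 R2, 2016, 2019 & 2022 and 1803+) can no longer be shown; if every row really is identical across them, say so in footnote 1, otherwise split the column back out. (4) "Applies to" lists only Plan 2 and Microsoft 365 Defender, yet the Prevention rows (next-generation protection, firewall, ASR rules, device control) are exactly what a Plan 1 reader comes here to check; consider listing Plan 1 or linking the plan comparison page from the TOC. (5) Front matter: "Title:" is capitalised, the two `- M365-security-compliance` / `- m365-initiative-defender-endpoint` items have no parent key above them (expected `ms.collection:`), and the keywords line (sccm, group policy, mdm, local script, detection test) is copied from the onboarding page and does not describe this one. (6) The "Yes." alt text carries a trailing period while "No" does not.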
security Playbook Responding Ransomware M365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/playbook-responding-ransomware-m365-defender.md
Containment and investigation should occur as simultaneously as possible; howeve
### Step 1: Assess the scope of the incident
-Run through this list of questions and tasks to discover the extent of the attack. Microsoft 365 Defender can provide a consolidated view of all impacted or at-risk assets to aid in your incident response assessment. See [Incident response with Microsoft 365 Defender | Microsoft Docs](/incidents-overview.md). You can use the alerts and the evidence list in the incident to determine:
+Run through this list of questions and tasks to discover the extent of the attack. Microsoft 365 Defender can provide a consolidated view of all impacted or at-risk assets to aid in your incident response assessment. See [Incident response with Microsoft 365 Defender](incidents-overview.md). You can use the alerts and the evidence list in the incident to determine:
* Which user accounts might be compromised? * Which accounts were used to deliver the payload?
security Protection Stack Microsoft Defender For Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md
Features in sender intelligence are critical for catching spam, bulk, impersonat
- **SPF** can reject mails based on DNS TXT records that list IP addresses and servers allowed to send mail on the organization's behalf. - **DKIM** provides an encrypted signature that authenticates the sender. - **DMARC** lets admins mark SPF and DKIM as required in their domain and enforces alignment between the results of these two technologies.
- - **ARC** is not customer configured, but builds on DMARC to work with forwarding in mailing lists, while recording an authentication chain.
+ - **ARC** builds on DMARC to work with forwarding in mailing lists while recording an authentication chain.
3. **Spoof intelligence** is capable of filtering those allowed to 'spoof' (that is, those sending mail on behalf of another account, or forwarding for a mailing list) from malicious senders who imitate organizational or known external domains. It separates legitimate 'on behalf of' mail from senders who spoof to deliver spam and phishing messages.
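Review bot: dropping "is not customer configured" from the ARC bullet leaves the reader unsure whether ARC is something they can act on. If the clause was removed because trusted ARC sealers can now be configured, say that and link the setting; otherwise restore it. In the unchanged bullet above, "DKIM provides an encrypted signature" is inaccurate: a DKIM signature is a cryptographic signature over selected headers and a hash of the body, verified with the public key published in DNS; nothing is encrypted. "cryptographic signature" is the correct term, and since this section is about how sender authentication works, the distinction matters.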
security Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-policies.md
ms.prod: m365-security
- [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) - [Microsoft 365 Defender](../defender/microsoft-365-defender.md)
-Quarantine policies (formerly known as _quarantine tags_) in Exchange Online Protection (EOP) and Microsoft Defender for Office 365 allow admins to control what users are able to do to quarantined messages based on why the message was quarantined.
+Quarantine policies (formerly known as _quarantine tags_) in Exchange Online Protection (EOP) and Microsoft Defender for Office 365 allow admins to control what users are able to do to quarantined messages based on why the message was quarantined. This feature is available in all Microsoft 365 organizations with Exchange Online mailboxes.
Traditionally, users have been allowed or denied levels of interactivity for quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined by anti-spam filtering as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.
security Virus Detection In Spo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/virus-detection-in-spo.md
Microsoft 365 uses a common virus detection engine for scanning files that users
## What happens if an infected file is uploaded to SharePoint Online?
-The Microsoft 365 virus detection engine runs asynchronously (independent from file uploads) within SharePoint Online. **All files are not automatically scanned**. Heuristics determine the files to scan. When a file is found to contain a virus, the file is flagged. In April 2018, we removed the 25 MB limit for scanned files.
+The Microsoft 365 virus detection engine scans files asynchronously (at some time after upload). If a file has not yet been scanned by the asynchronous virus detection process, and a user tries to download the file from the browser or from Teams, a scan on download is triggered by SharePoint before the download is allowed. **All file types are not automatically scanned**. Heuristics determine the files to scan. When a file is found to contain a virus, the file is flagged.
Here's what happens:
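Review bot: "**All file types are not automatically scanned**" is ambiguous (it can be read as "no file type is scanned automatically") and changes "files" to "file types", which the following sentence ("Heuristics determine the files to scan") does not support; write "Not all files are scanned automatically". The new scan-on-download sentence covers only downloads from the browser and from Teams; state whether downloads through the OneDrive sync client, Office desktop clients, or the Graph/REST APIs are also gated by a scan, since that is what a defender needs to know when judging whether an unscanned file can reach an endpoint. Removing the April 2018 note about the 25 MB limit is fine, but a reader may now assume there is no size ceiling at all; if one still exists for scanning, state it.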