Updates from: 08/28/2021 03:17:00
Category Microsoft Docs article Related commit history on GitHub Change details
admin Remove License From Shared Mailbox https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/remove-license-from-shared-mailbox.md
f1.keywords:
- NOCSH -+ audience: Admin
commerce Add Licenses Bought Through Vlsc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/add-licenses-bought-through-vlsc.md
search.appverid: MET150 description: "Learn how to add licenses to your Microsoft 365 subscription purchased through the third-party partner, recognized by Microsoft." Previously updated : 04/07/2021 Last updated : 08/27/2021 # Add licenses to a subscription purchased through the Volume Licensing Service Center
commerce Manage Licenses For Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-licenses-for-devices.md
- okr_SMB - commerce_licensing search.appverid: MET150 Previously updated : 03/17/2021 Last updated : 08/27/2021 # Manage licenses for devices
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
There are two different methods for automatically applying a sensitivity label t
- **Service-side labeling when content is already saved (in SharePoint or OneDrive) or emailed (processed by Exchange Online)**: Use an auto-labeling policy.
- You might also hear this method referred to as auto-labeling for data at rest (documents in SharePoint and OneDrive) and data in transit (email that is sent or received by Exchange). For Exchange, it doesn't include emails at rest (mailboxes).
+ You might also hear this method referred to as auto-labeling for data at rest (documents in SharePoint and OneDrive) and data in transit (email that is sent or received by Exchange). For Exchange, it doesn't include emails at rest (mailboxes).
- Because this labeling is applied by services rather than by applications, you don't need to worry about what apps users have and what version. As a result, this capability is immediately available throughout your organization and suitable for labeling at scale. Auto-labeling policies don't support recommended labeling because the user doesn't interact with the labeling process. Instead, the administrator runs the policies in simulation mode to help ensure the correct labeling of content before actually applying the label.
+ Because this labeling is applied by services rather than by applications, you don't need to worry about what apps users have and what version. As a result, this capability is immediately available throughout your organization and suitable for labeling at scale. Auto-labeling policies don't support recommended labeling because the user doesn't interact with the labeling process. Instead, the administrator runs the policies in simulation mode to help ensure the correct labeling of content before actually applying the label.
- For configuration instructions, see [How to configure auto-labeling policies for SharePoint, OneDrive, and Exchange](#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) on this page.
+ For configuration instructions, see [How to configure auto-labeling policies for SharePoint, OneDrive, and Exchange](#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange) on this page.
- Specific to auto-labeling for SharePoint and OneDrive:
- - Office files for Word, PowerPoint, and Excel are supported. Open XML format is supported (such as .docx and .xlsx) but not Microsoft Office 97-2003 format (such as .doc and .xls).
- - These files can be auto-labeled at rest before or after the auto-labeling policies are created. Files cannot be auto-labeled if they are part of an open session (the file is open).
- - Currently, attachments to list items aren't supported and won't be auto-labeled.
- - Maximum of 25,000 automatically labeled files in your tenant per day.
- - Maximum of 100 auto-labeling policies per tenant, each targeting up to 100 sites (SharePoint or OneDrive) when they are specified individually. You can also specify all sites, and this configuration is exempt from the 100 sites maximum.
- - Existing values for modified, modified by, and the date are not changed as a result of auto-labeling policiesΓÇöfor both simulation mode and when labels are applied.
- - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the account that last modified the file.
+ Specific to auto-labeling for SharePoint and OneDrive:
- Specific to auto-labeling for Exchange:
- - Unlike manual labeling or auto-labeling with Office apps, PDF attachments as well as Office attachments (Word, Excel, and PowerPoint files) are also scanned for the conditions you specify in your auto-labeling policy. When there is a match, the email is labeled but not the attachment.
- - For PDF files, if the label applies encryption, these files are encrypted when your tenant is [enabled for PDF attachments](ome-faq.yml#are-pdf-file-attachments-supported-).
- - For these Office files, Open XML format is supported (such as .docx and .xlsx) but not Microsoft Office 97-2003 format (such as .doc and .xls). If the label applies encryption, these files are encrypted.
- - If you have Exchange mail flow rules or data loss prevention (DLP) policies that apply IRM encryption: When content is identified by these rules or policies and an auto-labeling policy, the label is applied. If that label applies encryption, the IRM settings from the Exchange mail flow rules or DLP policies are ignored. However, if that label doesn't apply encryption, the IRM settings from the mail flow rules or DLP policies are applied in addition to the label.
- - Email that has IRM encryption with no label will be replaced by a label with any encryption settings when there is a match by using auto-labeling.
- - Incoming email is labeled when there is a match with your auto-labeling conditions:
- - If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption isn't applied.
- - If the label is configured to apply [dynamic markings](sensitivity-labels-office-apps.md#dynamic-markings-with-variables), be aware that this can result in the names of people outside your organization.
- - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the person who sends the email. There currently isn't a way to set a Rights Manager owner for all incoming email messages that are automatically encrypted.
+ - Office files for Word, PowerPoint, and Excel are supported. Open XML format is supported (such as .docx and .xlsx) but not Microsoft Office 97-2003 format (such as .doc and .xls).
+ - These files can be auto-labeled at rest before or after the auto-labeling policies are created. Files cannot be auto-labeled if they are part of an open session (the file is open).
+ - Currently, attachments to list items aren't supported and won't be auto-labeled.
+ - Maximum of 25,000 automatically labeled files in your tenant per day.
+ - Maximum of 100 auto-labeling policies per tenant, each targeting up to 100 sites (SharePoint or OneDrive) when they are specified individually. You can also specify all sites, and this configuration is exempt from the 100 sites maximum.
+ - Existing values for modified, modified by, and the date are not changed as a result of auto-labeling policiesΓÇöfor both simulation mode and when labels are applied.
+ - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the account that last modified the file.
+ Specific to auto-labeling for Exchange:
+
+ - Unlike manual labeling or auto-labeling with Office apps, PDF attachments as well as Office attachments (Word, Excel, and PowerPoint files) are also scanned for the conditions you specify in your auto-labeling policy. When there is a match, the email is labeled but not the attachment.
+ - For PDF files, if the label applies encryption, these files are encrypted when your tenant is [enabled for PDF attachments](ome-faq.yml#are-pdf-file-attachments-supported-).
+ - For these Office files, Open XML format is supported (such as .docx and .xlsx) but not Microsoft Office 97-2003 format (such as .doc and .xls). If the label applies encryption, these files are encrypted.
+ - If you have Exchange mail flow rules or data loss prevention (DLP) policies that apply IRM encryption: When content is identified by these rules or policies and an auto-labeling policy, the label is applied. If that label applies encryption, the IRM settings from the Exchange mail flow rules or DLP policies are ignored. However, if that label doesn't apply encryption, the IRM settings from the mail flow rules or DLP policies are applied in addition to the label.
+ - Email that has IRM encryption with no label will be replaced by a label with any encryption settings when there is a match by using auto-labeling.
+ - Incoming email is labeled when there is a match with your auto-labeling conditions:
+ - If the label is configured for [encryption](encryption-sensitivity-labels.md), that encryption isn't applied.
+ - If the label is configured to apply [dynamic markings](sensitivity-labels-office-apps.md#dynamic-markings-with-variables), be aware that this can result in the names of people outside your organization.
+ - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the person who sends the email. There currently isn't a way to set a Rights Manager owner for all incoming email messages that are automatically encrypted.
## Compare auto-labeling for Office apps with auto-labeling policies
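Review bot: In the Exchange list, the dynamic markings sub-bullet is carried over with an incomplete sentence: "this can result in the names of people outside your organization" has no verb saying what happens to those names (for example, "displaying the names"). The last bullet also says "Rights Manager owner" where the linked term in the same bullet is "Rights Management owner". Since these lines are being touched anyway, fix both wordings in this change.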
Similarly to when you configure DLP policies, you can then refine your condition
You can learn more about these configuration options from the DLP documentation: [Tuning rules to make them easier or harder to match](data-loss-prevention-policies.md#tuning-rules-to-make-them-easier-or-harder-to-match).
-Also similarly to DLP policy configuration, you can choose whether a condition must detect all sensitive information types, or just one of them. And to make your conditions more flexible or complex, you can add [groups and use logical operators between the groups](data-loss-prevention-policies.md#grouping-and-logical-operators).
+Also similarly to DLP policy configuration, you can choose whether a condition must detect all sensitive information types, or just one of them. And to make your conditions more flexible or complex, you can add [groups and use logical operators between the groups](data-loss-prevention-policies.md).
> [!NOTE] > Auto-labeling based on custom sensitive information types applies only to newly created or modified content in OneDrive and SharePoint; not to existing content. This limitation also applies to auto-labeling polices.
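Review bot: The replacement link for "groups and use logical operators between the groups" drops the `#grouping-and-logical-operators` anchor and now points at the top of data-loss-prevention-policies.md, while the link in the preceding paragraph still deep-links into the same file. If the section was renamed or moved, link to its new anchor; otherwise readers looking for the grouping rules land on the article root.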
Specific to built-in labeling:
- For recommended labels in the desktop versions of Word, the sensitive content that triggered the recommendation is flagged so that users can review and remove the sensitive content instead of applying the recommended sensitivity label. -- For details about how these labels are applied in Office apps, example screenshots, and how sensitive information is detected, see [Automatically apply or recommend sensitivity labels to your files and emails in Office](https://support.office.com/en-us/article/automatically-apply-or-recommend-sensitivity-labels-to-your-files-and-emails-in-office-622e0d9c-f38c-470a-bcdb-9e90b24d71a1).
+- For details about how these labels are applied in Office apps, example screenshots, and how sensitive information is detected, see [Automatically apply or recommend sensitivity labels to your files and emails in Office](https://support.microsoft.com/office/automatically-apply-or-recommend-sensitivity-labels-to-your-files-and-emails-in-office-622e0d9c-f38c-470a-bcdb-9e90b24d71a1).
Specific to the Azure Information Protection unified labeling client: -- Automatic and recommended labeling applies to Word, Excel, and PowerPoint when you save a document, and to Outlook when you send an email.
+- Automatic and recommended labeling applies to Word, Excel, and PowerPoint when you save a document, and to Outlook when you send an email.
- For Outlook to support recommended labeling, you must first configure an [advanced policy setting](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#enable-recommended-classification-in-outlook).
Make sure you're aware of the prerequisites before you configure auto-labeling p
### Prerequisites for auto-labeling policies - Simulation mode:
- - Auditing for Microsoft 365 must be turned on. If you need to turn on auditing or you're not sure whether auditing is already on, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md).
- - To view file or email contents in the source view, you must have the **Content Explorer Content Viewer** role. Global admins don't have this role by default. If you don't have this permission, you don't see the preview pane when you select an item from the **Matched Items** tab.
+ - Auditing for Microsoft 365 must be turned on. If you need to turn on auditing or you're not sure whether auditing is already on, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md).
+ - To view file or email contents in the source view, you must have the **Content Explorer Content Viewer** role. Global admins don't have this role by default. If you don't have this permission, you don't see the preview pane when you select an item from the **Matched Items** tab.
- To auto-label files in SharePoint and OneDrive:
- - You have [enabled sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md).
- - At the time the auto-labeling policy runs, the file mustn't be open by another process or user. A file that's checked out for editing falls into this category.
+ - You have [enabled sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md).
+ - At the time the auto-labeling policy runs, the file mustn't be open by another process or user. A file that's checked out for editing falls into this category.
- If you plan to use [custom sensitive information types](sensitive-information-type-learn-about.md) rather than the built-in sensitivity types:
- - Custom sensitivity information types apply only to content that is added or modified in SharePoint or OneDrive after the custom sensitivity information types are created.
- - To test new custom sensitive information types, create them before you create your auto-labeling policy, and then create new documents with sample data for testing.
+ - Custom sensitivity information types apply only to content that is added or modified in SharePoint or OneDrive after the custom sensitivity information types are created.
+ - To test new custom sensitive information types, create them before you create your auto-labeling policy, and then create new documents with sample data for testing.
- One or more sensitivity labels [created and published](create-sensitivity-labels.md) (to at least one user) that you can select for your auto-labeling policies. For these labels:
- - It doesn't matter if the auto-labeling in Office apps label setting is turned on or off, because that label setting supplements auto-labeling policies, as explained in the introduction.
- - If the labels you want to use for auto-labeling are configured to use visual markings (headers, footers, watermarks), note that these are not applied to documents.
- - If the labels apply [encryption](encryption-sensitivity-labels.md):
- - When the auto-labeling policy includes locations for SharePoint or OneDrive, the label must be configured for the **Assign permissions now** setting.
- - When the auto-labeling policy is just for Exchange, the label can be configured for either **Assign permissions now** or **Let users assign permissions** (for the Do Not Forward or Encrypt-Only options).
+ - It doesn't matter if the auto-labeling in Office apps label setting is turned on or off, because that label setting supplements auto-labeling policies, as explained in the introduction.
+ - If the labels you want to use for auto-labeling are configured to use visual markings (headers, footers, watermarks), note that these are not applied to documents.
+ - If the labels apply [encryption](encryption-sensitivity-labels.md):
+ - When the auto-labeling policy includes locations for SharePoint or OneDrive, the label must be configured for the **Assign permissions now** setting.
+ - When the auto-labeling policy is just for Exchange, the label can be configured for either **Assign permissions now** or **Let users assign permissions** (for the Do Not Forward or Encrypt-Only options).
### Learn about simulation mode
Finally, you can use simulation mode to provide an approximation of the time nee
6. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint, and OneDrive. If you don't want to keep the default of **All** for your chosen locations, select the link to choose specific instances. Then select **Next**. ![Choose locations page auto-labelingwizard.](../media/locations-auto-labeling-wizard.png)
-
+ To specify individual OneDrive accounts: The URL for a user's OneDrive account is in the following format: `https://<tenant name>-my.sharepoint.com/personal/<user_name>_<tenant name>_com` For example, for a user in the contoso tenant that has a user name of "rsimone": `https://contoso-my.sharepoint.com/personal/rsimone_contoso_onmicrosoft_com`
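Review bot: The URL format in the added OneDrive paragraph does not match its own example: the template ends in `<user_name>_<tenant name>_com`, but the example ends in `rsimone_contoso_onmicrosoft_com`, which has an `onmicrosoft` segment the template omits. An admin who builds a policy location from the template would target a different URL than the example shows, so make the template and the example agree and state which domain the suffix is derived from.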
Finally, you can use simulation mode to provide an approximation of the time nee
When you have defined all the rules you need, and confirmed their status is on, select **Next** to move on to choosing a label to auto-apply.
-11. For the **Choose a label to auto-apply** page: Select **+ Choose a label**, select a label from the **Choose a sensitivity label** pane, and then select **Next**.
+9. For the **Choose a label to auto-apply** page: Select **+ Choose a label**, select a label from the **Choose a sensitivity label** pane, and then select **Next**.
-12. For the **Decide if you want to test out the policy now or later** page: Select **Run policy in simulation mode** if you're ready to run the auto-labeling policy now, in simulation mode. Otherwise, select **Leave policy turned off**. Select **Next**:
+10. For the **Decide if you want to test out the policy now or later** page: Select **Run policy in simulation mode** if you're ready to run the auto-labeling policy now, in simulation mode. Otherwise, select **Leave policy turned off**. Select **Next**:
![Test out the policy auto-labeling wizard.](../media/simulation-mode-auto-labeling-wizard.png)
-13. For the **Summary** page: Review the configuration of your auto-labeling policy and make any changes that needed, and complete the wizard.
+11. For the **Summary** page: Review the configuration of your auto-labeling policy and make any changes that needed, and complete the wizard.
Now on the **Information protection** > **Auto-labeling** page, you see your auto-labeling policy in the **Simulation** or **Off** section, depending on whether you chose to run it in simulation mode or not. Select your policy to see the details of the configuration and status (for example, **Policy simulation is still running**). For policies in simulation mode, select the **Matched items** tab to see which emails or documents matched the rules that you specified.
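Review bot: The renumbered Summary step (now 11) still reads "make any changes that needed"; change it to "make any changes that are needed" while the line is being edited. Also confirm that the new numbers 9 to 11 follow on from the preceding steps, since only the last three steps are renumbered in this hunk.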
You can modify your policy directly from this interface:
Your auto-policies run continuously until they are deleted. For example, new and modified documents will be included with the current policy settings. You can also see the results of your auto-labeling policy by using [content explorer](data-classification-content-explorer.md) when you have the appropriate [permissions](data-classification-content-explorer.md#permissions):+ - **Content Explorer List Viewer** lets you see a file's label but not the file's contents. - **Content Explorer Content Viewer** lets you see the file's contents.
To create a new auto-labeling policy:
```powershell New-AutoSensitivityLabelPolicy -Name <AutoLabelingPolicyName> -SharePointLocation "<SharePointSiteLocation>" -ApplySensitivityLabel <Label> -Mode TestWithoutNotifications ```+ This command creates an auto-labeling policy for a SharePoint site that you specify. For a OneDrive location, use the *OneDriveLocation* parameter, instead. To add additional sites to an existing auto-labeling policy:
The recent enhancements for auto-labeling policies for OneDrive and SharePoint h
- Maximum of 1,000,000 matched files per auto-labeling policy, although the total of 25,000 automatically labeled files in your tenant per day remains the same. - Simulation improvements:
- - Running the auto-labeling policy in simulation mode completes within 12 hours instead of up to 48 hours.
- - Better performance by providing up to 100 randomly sampled matched files for review for each site (OneDrive or SharePoint) instead of every matched item for review.
- - When simulation is complete, an email notification is sent to the user configured to receive [activity alerts](alert-policies.md).
+ - Running the auto-labeling policy in simulation mode completes within 12 hours instead of up to 48 hours.
+ - Better performance by providing up to 100 randomly sampled matched files for review for each site (OneDrive or SharePoint) instead of every matched item for review.
+ - When simulation is complete, an email notification is sent to the user configured to receive [activity alerts](alert-policies.md).
- Improvements to help you review matched items:
- - Additional metadata information for the sampled matched items.
- - Ability to export information about the matched items, such as the SharePoint site name and file owner. You can use this information to pivot and analyze the matched files, and delegate to file owners for review if needed.
+ - Additional metadata information for the sampled matched items.
+ - Ability to export information about the matched items, such as the SharePoint site name and file owner. You can use this information to pivot and analyze the matched files, and delegate to file owners for review if needed.
> [!TIP] > To take advantage of the higher number of policies and sites supported, use PowerShell to efficiently create new policies and add additional sites to existing policies. For more information, see the [Use PowerShell for auto-labeling policies](#use-powershell-for-auto-labeling-policies) section on this page.
When your tenant has the new enhancements, you'll see the following notification
> [!NOTE] > If you had any auto-labeling policies that were in simulation mode when your tenant received the new enhancements, you must re-run the simulation. If this scenario applies to you, you'll be prompted to select **Restart Simulation** when you review the simulation. If you don't restart the simulation, it won't complete.
->
+>
> However, the enhancements still apply to any auto-labeling policies running without simulation and all new auto-labeling policies you create. ## Tips to increase labeling reach
Although auto-labeling is one of the most efficient ways to classify, label, and
- When you use the [Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2):
- - For files in on-premises data stores such as network shares and SharePoint Server libraries: Use the [scanner](/azure/information-protection/deploy-aip-scanner) to discover sensitive information in these files and label them appropriately. If you are planning to migrate or upload these files to SharePoint in Microsoft 365, use the scanner to label the files before you move them to the cloud.
+ - For files in on-premises data stores such as network shares and SharePoint Server libraries: Use the [scanner](/azure/information-protection/deploy-aip-scanner) to discover sensitive information in these files and label them appropriately. If you are planning to migrate or upload these files to SharePoint in Microsoft 365, use the scanner to label the files before you move them to the cloud.
- - If you have used another labeling solution before using sensitivity labels: Use PowerShell and [an advanced setting to reuse labels](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#migrate-labels-from-secure-islands-and-other-labeling-solutions) from these solutions.
+ - If you have used another labeling solution before using sensitivity labels: Use PowerShell and [an advanced setting to reuse labels](/azure/information-protection/rms-client/clientv2-admin-guide-customizations#migrate-labels-from-secure-islands-and-other-labeling-solutions) from these solutions.
- Encourage [manual labeling](https://support.microsoft.com/office/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9) after providing users with training which sensitivity labels to apply. When you're confident that users understand which label to apply, consider configuring a default label and mandatory labeling as [policy settings](sensitivity-labels.md#what-label-policies-can-do).
compliance Dlp Policy Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-reference.md
DLP scans email differently from items in SharePoint Online or OneDrive for Busi
#### Additional options
-If you have multiple rules in a policy, you can use the **Additional options** to control further rule processing if there is a match to the rule you are editing as well as setting the priority for evaluation of the rule.
+If you have multiple rules in a policy, you can use the **Additional options** to control further rule processing if there is a match to the rule you are editing as well as setting the priority for evaluation of the rule.
+
+## See also
+
+- [Learn about data loss prevention](dlp-learn-about-dlp.md#learn-about-data-loss-prevention)
+- [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#plan-for-data-loss-prevention-dlp)
+- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md#create-a-dlp-policy-from-a-template)
+- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md#create-test-and-tune-a-dlp-policy)
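Review bot: Each link in the new "See also" list carries an anchor that is just the target article's own title, for example `dlp-learn-about-dlp.md#learn-about-data-loss-prevention`. These anchors add nothing over linking to the file and will break silently if a title is reworded; link to the .md file alone.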
compliance Sensitive Information Type Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-learn-about.md
Learn more about confidence levels in this video
### Example sensitive information type
-## Argentina national identity (DNI) number
+#### Argentina national identity (DNI) number
### Format
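Review bot: Demoting the Argentina DNI heading from `##` to `####` places it under "### Example sensitive information type", but the following "### Format" heading is left at level 3, so it now outranks the example it describes. Demote "Format" (and any sibling subsections of the example) below `####` in the same change.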
compliance Use Network Upload To Import Pst Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-network-upload-to-import-pst-files.md
You have to perform Step 1 only once to import PST files to Microsoft 365 mailbo
- You have to be a global administrator in your organization.
- > [!TIP]
+ > [!TIP]
> Consider creating a new role group in Exchange Online that's specifically intended for importing PST files. For the minimum level of privileges required to import PST files, assign the Mailbox Import Export and Mail Recipients roles to the new role group, and then add members. - The only supported method for importing PST files to Microsoft 365 is to use the AzCopy tool, as described in this topic. You can't use the Azure Storage Explorer to upload PST files directly to the Azure Storage area.--- You need to store the PST files that you want to import to Microsoft 365 on a file server or shared folder in your organization. In Step 2, you run the AzCopy tool to upload the PST files that are stored on a file server or shared folder to Microsoft 365.
+
+- You need to store the PST files that you want to import to Microsoft 365 on a file server or shared folder in your organization. It's currently not supported to copy PST files from your organization's Azure Storage account to the Azure Storage location used by the Microsoft 365 Import service. In Step 2, you run the AzCopy tool to upload the PST files that are stored on a file server or shared folder to the Microsoft cloud.
- Large PST files may impact the performance of the PST import process. So we recommend that each PST file you upload to the Azure Storage location in Step 2 should be no larger than 20 GB.
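Review bot: The rewritten storage bullet now says AzCopy uploads the files "to the Microsoft cloud", while the first sentence of the same bullet and the bullet above it still say "to Microsoft 365"; pick one term so readers do not take these for different destinations. The new restriction would also read more directly as "Copying PST files from your organization's Azure Storage account to the Azure Storage location used by the Microsoft 365 Import service isn't currently supported."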
enterprise Microsoft 365 Networking Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-networking-overview.md
Title: "Microsoft 365 Network Connectivity Overview"
Previously updated : 6/23/2020 Last updated : 08/27/2021 audience: Admin
description: "Discusses why network optimization is important for SaaS services,
*This article applies to both Microsoft 365 Enterprise and Office 365 Enterprise.*
-Microsoft 365 is a distributed Software-as-a-Service (SaaS) cloud that provides productivity and collaboration scenarios through a diverse set of micro-services and applications. Client components of Microsoft 365 such as Outlook, Word and PowerPoint run on user computers and connect to other components of Microsoft 365 that run in Microsoft datacenters. The most significant factor that determines the quality of the Microsoft 365 end user experience is network reliability and low latency between Microsoft 365 clients and Microsoft 365 service front doors.
+Microsoft 365 is a distributed Software-as-a-Service (SaaS) cloud that provides productivity and collaboration scenarios through a diverse set of micro-services and applications. Client components of Microsoft 365 such as Outlook, Word, and PowerPoint run on user computers and connect to other components of Microsoft 365 that run in Microsoft datacenters. The most significant factor that determines the quality of the Microsoft 365 end user experience is network reliability and low latency between Microsoft 365 clients and Microsoft 365 service front doors.
In this article, you will learn about the goals of Microsoft 365 networking, and why Microsoft 365 networking requires a different approach to optimization than generic Internet traffic. ## Microsoft 365 networking goals
-The ultimate goal of Microsoft 365 networking is to optimize the end user experience by enabling the least restrictive access between clients and the closest Microsoft 365 endpoints. The quality of end user experience is directly related to the performance and responsiveness of the application that the user is using. For example, Microsoft Teams relies on low latency so that user phone calls, conferences and shared screen collaborations are glitch-free, and Outlook relies on great networking connectivity for instant search features that leverage server-side indexing and AI capabilities.
+The ultimate goal of Microsoft 365 networking is to optimize the end user experience by enabling the least restrictive access between clients and the closest Microsoft 365 endpoints. The quality of end user experience is directly related to the performance and responsiveness of the application that the user is using. For example, Microsoft Teams relies on low latency so that user phone calls, conferences and shared screen collaborations are glitch-free, and Outlook relies on great networking connectivity for instant search features that apply server-side indexing and AI capabilities.
The primary goal in the network design should be to minimize latency by reducing the round-trip time (RTT) from client machines to the Microsoft Global Network, Microsoft's public network backbone that interconnects all of Microsoft's datacenters with low latency, high availability cloud application entry points spread around the world. You can learn more about the Microsoft Global Network at [How Microsoft builds its fast and reliable global network](https://azure.microsoft.com/blog/how-microsoft-builds-its-fast-and-reliable-global-network/).
In traditional network architectures, higher latency for generic Internet traffi
We're making it easier to identify Microsoft 365 network traffic and making it simpler to manage the network identification. -- New categories of network endpoints to differentiate highly critical network traffic from network traffic which is not impacted by Internet latencies. There are just a handful of URLs and supporting IP Addresses in the most critical ΓÇ£OptimizeΓÇ¥ category.-- Web services for script usage or direct device configuration and change management of Microsoft 365 network identification. Changes are available from the web service, or in RSS format, or on email using a Power Automate template.
+- New categories of network endpoints to differentiate highly critical network traffic from network traffic that's not impacted by Internet latencies. There are just a handful of URLs and supporting IP Addresses in the most critical ΓÇ£OptimizeΓÇ¥ category.
+- Web services for script usage or direct device configuration and change management of Microsoft 365 network identification. Changes are available from the web service, or in RSS format, or on email using a Microsoft Flow template.
- [Office 365 Network partner program](./microsoft-365-networking-partner-program.md) with Microsoft partners who provide devices or services that follow Microsoft 365 network connectivity principles and have simple configuration. ## Securing Microsoft 365 connections
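Review bot: In the second added bullet, "Power Automate template" becomes "Microsoft Flow template", which replaces the current product name with the older one (Microsoft Flow was renamed Power Automate in 2019). Keep "Power Automate" in that bullet. Separately, the quotation marks around Optimize appear as `ΓÇ£OptimizeΓÇ¥` in both the removed and the added bullet; since the line is being edited anyway, replace them with plain ASCII quotes.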
Microsoft 365 helps meet your organization's needs for content security and data
## Why is Microsoft 365 networking different?
-Microsoft 365 is designed for optimal performance using endpoint security and encrypted network connections, reducing the need for perimeter security enforcement. Microsoft 365 datacenters are located across the world and the service is designed to use various methods for connecting clients to best available service endpoints. Since user data and processing is distributed between many Microsoft datacenters, there is no single network endpoint to which client machines can connect. In fact, data and services in your Microsoft 365 tenant are dynamically optimized by the Microsoft Global Network to adapt to the geographic locations from which they are accessed by end users.
+Microsoft 365 is designed for optimal performance using endpoint security and encrypted network connections, reducing the need for perimeter security enforcement. Microsoft 365 datacenters are located across the world and the service is designed to use various methods for connecting clients to best available service endpoints. Since user data and processing are distributed between many Microsoft datacenters, there is no single network endpoint to which client machines can connect. In fact, data and services in your Microsoft 365 tenant are dynamically optimized by the Microsoft Global Network to adapt to the geographic locations from which they are accessed by end users.
Certain common performance issues are created when Microsoft 365 traffic is subject to packet inspection and centralized egress: -- High latency can cause extremely poor performance of video and audio streams, and slow response of data retrieval, searches, real-time collaboration, calendar free/busy information, in-product content and other services
+- High latency can cause poor performance of video and audio streams, and slow response of data retrieval, searches, real-time collaboration, calendar free/busy information, in-product content and other services
- Egressing connections from a central location defeats the dynamic routing capabilities of the Microsoft 365 global network, adding latency and round-trip time - Decrypting SSL secured Microsoft 365 network traffic and re-encrypting it can cause protocol errors and has security risk
-Shortening the network path to Microsoft 365 entry points by allowing client traffic to egress as close as possible to their geographic location can improve connectivity performance and the end user experience in Microsoft 365. It can also help to reduce the impact of future changes to the network architecture on Microsoft 365 performance and reliability. The optimum connectivity model is to always provide network egress at the user's location, regardless of whether this is on the corporate network or remote locations such as home, hotels, coffee shops and airports. Generic Internet traffic and WAN based corporate network traffic would be separately routed and not use the local direct egress model. This local direct egress model is represented in the diagram below.
+Shortening the network path to Microsoft 365 entry points by allowing client traffic to egress as close as possible to their geographic location can improve connectivity performance and the end user experience in Microsoft 365. It can also help to reduce the impact of future changes to the network architecture on Microsoft 365 performance and reliability. The optimum connectivity model is to always provide network egress at the user's location, regardless of whether this is on the corporate network or remote locations such as home, hotels, coffee shops, and airports. Generic Internet traffic and WAN based corporate network traffic would be separately routed and not use the local direct egress model. This local direct egress model is represented in the diagram below.
![Local egress network architecture.](../media/6bc636b0-1234-4ceb-a45a-aadd1044b39c.png)
The local egress architecture has the following benefits for Microsoft 365 netwo
- Provides optimal Microsoft 365 performance by optimizing route length. End user connections are dynamically routed to the nearest Microsoft 365 entry point by the Microsoft Global Network's _Distributed Service Front Door_ infrastructure, and traffic is then routed internally to data and service endpoints over Microsoft's ultra-low latency high availability fiber. - Reduces the load on corporate network infrastructure by allowing local egress for Microsoft 365 traffic, bypassing proxies and traffic inspection devices.-- Secures connections on both ends by leveraging client endpoint security and cloud security features, avoiding application of redundant network security technologies.
+- Secures connections on both ends by applying client endpoint security and cloud security features, avoiding application of redundant network security technologies.
> [!NOTE] > The _Distributed Service Front Door_ infrastructure is the Microsoft Global Network's highly available and scalable network edge with geographically distributed locations. It terminates end user connections and efficiently routes them within the Microsoft Global Network. You can learn more about the Microsoft Global Network at [How Microsoft builds its fast and reliable global network](https://azure.microsoft.com/blog/how-microsoft-builds-its-fast-and-reliable-global-network/).
Optimizing Microsoft 365 network performance really comes down to removing unnec
[How Microsoft builds its fast and reliable global network](https://azure.microsoft.com/blog/how-microsoft-builds-its-fast-and-reliable-global-network/)
-[Office 365 Networking blog](https://techcommunity.microsoft.com/t5/Office-365-Networking/bd-p/Office365Networking)
+[Office 365 Networking blog](https://techcommunity.microsoft.com/t5/Office-365-Networking/bd-p/Office365Networking)
knowledge Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/index.md
description: Learn how to find resources for Microsoft Viva Topics.
</br>
-Viva Topics is an Microsoft 365 service that helps organizations to transform information to knowledge.
+Viva Topics is a Microsoft 365 service that helps organizations to transform information to knowledge.
The resources on this page are designed to get you started with learning about and using Viva Topics in your organization.
The resources in this section help you learn more about what Viva Topics is and
|See resources in the Microsoft Tech Community Resource Center|[Viva Topics Tech Community](https://resources.techcommunity.microsoft.com/viva-topics/)| - ## Adoption
-Learn more about how to use and implement Viva Topics in your organization to help you solve your business problems:
+Learn more about how to use and implement Viva Topics in your organization to help you solve your business problems.
| If you're looking for this information: | Go to this resource: | |:--|:--|
The resources in this section help your users learn how to use and manage topics
|Understand why topics might differ to different users|[Viva Topics security trimming](topic-experiences-security-trimming.md)| |Learn how to prevent specific topics from being identified and viewed|[Restrict access to topics](restrict-access-to-topics.md)|
+## Provide us feedback
+
+Provide feedback about your experience with Viva Topics directly to Microsoft.
+| If you're looking for this information: | Go to this resource: |
+|:--|:--|
+|How to provide feedback about Viva Topics|[Provide us feedback](topic-experiences-overview.md#provide-us-feedback)|
knowledge Topic Experiences Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/topic-experiences-overview.md
Admin controls in the Microsoft 365 admin center allow you to manage Viva Topics
For more information about admin controls, see [assign user permissions](./plan-topic-experiences.md#user-permissions), [manage topic visibility](./topic-experiences-knowledge-rules.md), and [manage topic discovery](./topic-experiences-discovery.md).
-## Topic curation & feedback
+## Topic curation and suggestions
AI will continually work to provide you suggestions to improve your topics as changes occur in your environment.
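Review bot: Renaming the heading from "Topic curation & feedback" to "Topic curation and suggestions" also changes the anchor generated from it, so any link that targets the old heading's fragment will no longer land on this section. Search the repo for inbound links to the old fragment and update them in the same change.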
Users that you allow access to see topics in their daily work might be asked if
For more information, see [Topic discovery and curation](./topic-experiences-discovery-curation.md).
+## Provide us feedback
+
+At Microsoft we take feedback from our customers very seriously. The feedback you provide for Viva Topics will be used to troubleshoot, fix bugs, enhance existing features, and develop new ones.
+
+You can send feedback to Microsoft directly from a topic page, and from the **Manage topics** and **My topics** pages. Look for this button in the lower-right corner of the page.
+
+ ![Screenshot showing the Feedback button.](../media/knowledge-management/feedback-icon.png)
+
+On the **Send Feedback to Microsoft** page, let us know if you like something, if you don't like something, or if you have a suggestion.
+
+ ![Screenshot showing the Send Feedback to Microsoft page.](../media/knowledge-management/feedback-page.png)
+
+When you submit feedback, we ask that you not include sensitive information, such as phone numbers, addresses, or highly personal stories. Instead, please provide information on the specific issue you are experiencing with Viva Topics or your experience in general with Viva Topics. This will help us maintain your privacy as we review and take action based on your feedback.
+
+Thank you for taking the time to share your thoughts with us. Your perspective helps us improve our existing features and develop new ones.
+ ## See also [Use Microsoft Search to find topics in Viva Topics](./search.md)
managed-desktop Readiness Assessment Fix https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix.md
You can ask your Microsoft account representative for a query in Microsoft Endpo
Microsoft Managed Desktop requires Windows Hello for Business to be enabled.
-**Not ready**
-
-Windows Hello for Business is disabled. Enable it by following the steps in [Create a Windows Hello for Business policy](/mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy)
- **Advisory**
-Windows Hello for Business is not set up. Enable it by following the steps in [Create a Windows Hello for Business policy](/mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy).
+Windows Hello for Business is either disabled or not set up. Enable it by following the steps in [Create a Windows Hello for Business policy](/mem/intune/protect/windows-hello#create-a-windows-hello-for-business-policy).
### Windows 10 update rings
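Review bot: Folding the removed **Not ready** result into **Advisory** leaves this section contradicting itself: the unchanged sentence above still says Microsoft Managed Desktop requires Windows Hello for Business to be enabled, yet a tenant where it is disabled now only receives an advisory. Either keep a blocking result for the disabled case or reword the requirement sentence, so readers can tell whether they can proceed with Windows Hello for Business turned off.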
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
##### [Investigate incidents](investigate-incidents.md) #### [Alerts queue]()
+##### [Alerts queue in Microsoft 365 Defender](alerts-queue-endpoint-detection-response.md)
##### [View and organize the Alerts queue](alerts-queue.md) ##### [Review alerts](review-alerts.md) ##### [Manage alerts](manage-alerts.md)
####### [Get alert related IPs information](get-alert-related-ip-info.md) ####### [Get alert related device information](get-alert-related-machine-info.md) ####### [Get alert related user information](get-alert-related-user-info.md)
-####### [Alerts queue in Microsoft 365 Defender](alerts-queue-endpoint-detection-response.md)
+ ###### [Assessments of vulnerabilities and secure configurations]() ####### [Export assessment methods and properties](get-assessment-methods-properties.md)
security Get Remediation Exposed Devices Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-exposed-devices-activities.md
GET https://api-luna.securitycenter.windows.com/api/remediationtasks/03942ef5-ae
"computerDnsName": "ComputerPII_2ea21b2d97c9df23c143ad9e3e454cb674232529.DomainPII_21eed80b086e79bdfa178eabfa25e8be9acfa346.corp.contoso.com", "osPlatform": "WindowsServer2016", "rbacGroupName": "UnassignedGroup",
-
+ }, { "id": "3d9b1ca53e8f077199c7dcbfc9dbfa78f9bf1918", "computerDnsName": "ComputerPII_001d606fc149567c192747f48fae304b43c0ddba.DomainxPII_21eed80b086e79bdfa178eabfa25e8be9acfa346.corp.contoso.com", "osPlatform": "WindowsServer2012R2", "rbacGroupName": "UnassignedGroup",
-
+ }, { "id": "3db8b27e6172951d7ea2e2d75945abec56feaf82", "computerDnsName": "ComputerPII_ce60cfbjj4b82a091deb5eae560332bba99a9bd7.DomainPII_0bc1aee0fa396d175e514bd61a9e7a5b2b07ee8e.corp.contoso.com", "osPlatform": "WindowsServer2016", "rbacGroupName": "UnassignedGroup",
-
+ }, { "id": "3bad326dcda5b53fab47408cd4a7080f3f3cc8ab", "computerDnsName": "ComputerPII_b6b35960dd6539d1d1cef5ada02e235e7b357408.DomainPII_21eed80b089e76bdfa178eadfa25e8de9acfa346.corp.contoso.com", "osPlatform": "WindowsServer2012R2", "rbacGroupName": "UnassignedGroup",
-
+ } ] }
security Get Remediation Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-methods-properties.md
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-The API response contains [Threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) remediation activities that have been created in your tenant.
+The API response contains [Threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) remediation activities that have been created in your tenant.
## Methods
security Get Remediation One Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-one-activity.md
GET https://api-luna.securitycenter.windows.com/api/remediationtasks/03942ef5-ae
### Response example ```json
-{
- "@odata.context": "https://wpatdadi-luna-stg.cloudapp.net/api/$metadata#RemediationTasks/$entity",
- "id": "03942ef5-aecb-4c6e-b555-d6a97013844c",
- "title": "Update Microsoft Silverlight",
- "createdOn": "2021-02-10T13:20:36.4718166Z",
- "requesterId": "65548a1d-efo0-4a7a-8d19-1b967b5c36f4",
- "requesterEmail": "user1@contoso.com",
- "status": "Active",
- "statusLastModifiedOn": "2021-02-10T13:20:36.4719698Z",
- "description": "Update Silverlight to a later version to mitigate 55 known vulnerabilities affecting your devices. Doing so can help lessen the security risk to your organization due to versions which have reached their end-of-support. ",
- "relatedComponent": "Microsoft Silverlight",
- "targetDevices": 18511,
- "rbacGroupNames": [
- "UnassignedGroup",
- "hhh"
- ],
- "fixedDevices": 2866,
- "requesterNotes": "test",
- "dueOn": "2021-02-11T00:00:00Z",
- "category": "Software",
- "productivityImpactRemediationType": null,
- "priority": "Medium",
- "completionMethod": null,
- "completerId": null,
- "completerEmail": null,
- "scid": null,
- "type": "Update",
- "productId": "microsoft-_-silverlight",
- "vendorId": "microsoft",
- "nameId": "silverlight",
- "recommendedVersion": null,
- "recommendedVendor": null,
- "recommendedProgram": null
-}
+{
+ "@odata.context": "https://wpatdadi-luna-stg.cloudapp.net/api/$metadata#RemediationTasks/$entity",
+ "id": "03942ef5-aecb-4c6e-b555-d6a97013844c",
+ "title": "Update Microsoft Silverlight",
+ "createdOn": "2021-02-10T13:20:36.4718166Z",
+ "requesterId": "65548a1d-efo0-4a7a-8d19-1b967b5c36f4",
+ "requesterEmail": "user1@contoso.com",
+ "status": "Active",
+ "statusLastModifiedOn": "2021-02-10T13:20:36.4719698Z",
+ "description": "Update Silverlight to a later version to mitigate 55 known vulnerabilities affecting your devices. Doing so can help lessen the security risk to your organization due to versions which have reached their end-of-support.",
+ "relatedComponent": "Microsoft Silverlight",
+ "targetDevices": 18511,
+ "rbacGroupNames": [
+ "UnassignedGroup",
+ "hhh"
+ ],
+ "fixedDevices": 2866,
+ "requesterNotes": "test",
+ "dueOn": "2021-02-11T00:00:00Z",
+ "category": "Software",
+ "productivityImpactRemediationType": null,
+ "priority": "Medium",
+ "completionMethod": null,
+ "completerId": null,
+ "completerEmail": null,
+ "scid": null,
+ "type": "Update",
+ "productId": "microsoft-_-silverlight",
+ "vendorId": "microsoft",
+ "nameId": "silverlight",
+ "recommendedVersion": null,
+ "recommendedVendor": null,
+ "recommendedProgram": null
+}
``` ## See also
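Review bot: The re-added response example still carries `"@odata.context": "https://wpatdadi-luna-stg.cloudapp.net/api/$metadata#RemediationTasks/$entity"`, a host that matches neither the request URL shown above it (`api-luna.securitycenter.windows.com`) nor the `api.securitycenter.microsoft.com` host used in the Get Vuln By Software example. The `requesterId` value `65548a1d-efo0-4a7a-8d19-1b967b5c36f4` also contains the letter "o", so it is not a well-formed GUID. Since the whole block is being rewritten only to drop a trailing space in `description`, use the same pass to make the sample host consistent with the request and to replace the ID with a valid placeholder GUID.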
security Get Software Ver Distribution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software-ver-distribution.md
Title: List software version distribution
-description: Retrieves a list of your organization's software version distribution
+ Title: List software version distribution
+description: Retrieves a list of your organization's software version distribution
keywords: apis, graph api, supported apis, get, software version distribution, Microsoft Defender for Endpoint tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10
localization_priority: Normal audience: ITPro-+ MS.technology: mde
-# List software version distribution
+# List software version distribution
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
[!include[Prerelease information](../../includes/prerelease.md)]
-Retrieves a list of your organization's software version distribution.
+Retrieves a list of your organization's software version distribution.
## Permissions
Empty
## Response
-If successful, this method returns 200 OK with a list of software distributions data in the body.
+If successful, this method returns 200 OK with a list of software distributions data in the body.
## Example
security Get User Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-user-related-alerts.md
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) - [!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] [!include[Improve request performance](../../includes/improve-request-performance.md)] ## API description
-Retrieves a collection of alerts related to a given user ID.
+Retrieves a collection of alerts related to a given user ID.
## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
## Permissions
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
> When obtaining a token using user credentials: > > - The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md).
->- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
+> - Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
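Review bot: The re-indented bullet in the note still reads "that the user have access to"; change it to "that the user has access to" while the line is being touched. The sentence also ends at the closing parenthesis without a period.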
Empty
## Response
-If successful and user exists - 200 OK. If the user does not exist - 200 OK with an empty set.
+If successful and user exists - 200 OK. If the user does not exist - 200 OK with an empty set.
## Example
security Get Vuln By Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-vuln-by-software.md
[!include[Improve request performance](../../includes/improve-request-performance.md)] - [!include[Prerelease information](../../includes/prerelease.md)]
-Retrieve a list of vulnerabilities in the installed software.
+Retrieve a list of vulnerabilities in the installed software.
## Permissions
Empty
## Response
-If successful, this method returns 200 OK with a list of vulnerabilities exposed by the specified software.
+If successful, this method returns 200 OK with a list of vulnerabilities exposed by the specified software.
## Example
If successful, this method returns 200 OK with a list of vulnerabilities exposed
Here is an example of the request. ```http
-GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities
+GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities
``` ### Response example
security Health Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/health-status.md
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - The following table provides information on the values returned when you run the `mdatp health` command and their corresponding descriptions.
-| Value | Description |
-|-|-|
-| automatic_definition_update_enabled | True if automatic antivirus definition updates are enabled, false otherwise. |
-| cloud_automatic_sample_submission_consent | Current sample submission level. Can be one of the following values: <br><br> - **None**: No suspicious samples are submitted to Microsoft. <br> <br> - **Safe**: Only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting. <br> <br> - **All**: All suspicious samples are submitted to Microsoft. |
-| cloud_diagnostic_enabled | True if optional diagnostic data collection is enabled, false otherwise. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). |
-| cloud_enabled | True if cloud-delivered protection is enabled, false otherwise. |
-| conflicting_applications | List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but is not limited to, other security products and other applications known to cause compatibility issues. |
-| definitions_status | Status of antivirus definitions. |
-| definitions_updated | Date and time of last antivirus definition update. |
-| definitions_updated_minutes_ago | Number of minutes since last antivirus definition update. |
-| definitions_version | Antivirus definition version. |
-| edr_client_version | Version of the EDR client running on the device. |
-| edr_configuration_version | EDR configuration version. |
-| edr_device_tags | List of tags associated with the device. |
-| edr_group_ids | Group ID that the device is associated with. |
-| edr_machine_id | Device identifier used in Microsoft Defender Security Center. |
-| engine_version | Version of the antivirus engine. |
-| healthy | True if the product is healthy, false otherwise. |
-| licensed | True if the device is onboarded to a tenant, false otherwise. |
-| log_level | Current log level for the product. |
-| machine_guid | Unique machine identifier used by the antivirus component. |
-| network_protection_status | Status of the network protection component (macOS only). Can be one of the following values: <br> <br>- **starting** - Network protection is starting <br> <br> - **failed_to_start** - Network protection couldn't be started due to an error <br> <br> - **started** - Network protection is currently running on the device <br> <br> - **restarting** - Network protection is currently restarting <br> <br> - **stopping** - Network protection is stopping <br> <br> - **stopped** - Network protection is not running |
-| org_id | Organization that the device is onboarded to. If the device is not yet onboarded to any organization, this prints unavailable. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md). |
-| passive_mode_enabled | True if the antivirus component is set to run in passive mode, false otherwise. |
-| product_expiration | Date and time when the current product version reaches end of support. |
-| real_time_protection_available | True if the real-time protection component is healthy, false otherwise. |
-| real_time_protection_enabled | True if real-time antivirus protection is enabled, false otherwise. |
-| real_time_protection_subsystem | Subsystem used to serve real-time protection. If real-time protection is not operating as expected, this prints unavailable. |
-| release_ring | Release ring. For more information, see [Deployment rings](deployment-rings.md). |
+<br>
+
+****
+
+|Value|Description|
+|||
+|automatic_definition_update_enabled|True if automatic antivirus definition updates are enabled, false otherwise.|
+|cloud_automatic_sample_submission_consent|Current sample submission level. Can be one of the following values: <ul><li>**None**: No suspicious samples are submitted to Microsoft.</li><li>**Safe**: Only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.</li><li>**All**: All suspicious samples are submitted to Microsoft.</li></ul>|
+|cloud_diagnostic_enabled|True if optional diagnostic data collection is enabled, false otherwise. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).|
+|cloud_enabled|True if cloud-delivered protection is enabled, false otherwise.|
+|conflicting_applications|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but is not limited to, other security products and other applications known to cause compatibility issues.|
+|definitions_status|Status of antivirus definitions.|
+|definitions_updated|Date and time of last antivirus definition update.|
+|definitions_updated_minutes_ago|Number of minutes since last antivirus definition update.|
+|definitions_version|Antivirus definition version.|
+|edr_client_version|Version of the EDR client running on the device.|
+|edr_configuration_version|EDR configuration version.|
+|edr_device_tags|List of tags associated with the device.|
+|edr_group_ids|Group ID that the device is associated with.|
+|edr_machine_id|Device identifier used in Microsoft Defender Security Center.|
+|engine_version|Version of the antivirus engine.|
+|healthy|True if the product is healthy, false otherwise.|
+|licensed|True if the device is onboarded to a tenant, false otherwise.|
+|log_level|Current log level for the product.|
+|machine_guid|Unique machine identifier used by the antivirus component.|
+|network_protection_status|Status of the network protection component (macOS only). Can be one of the following values: <ul><li>**starting** - Network protection is starting</li><li>**failed_to_start** - Network protection couldn't be started due to an error</li><li>**started** - Network protection is currently running on the device</li><li>**restarting** - Network protection is currently restarting</li><li>**stopping** - Network protection is stopping</li><li>**stopped** - Network protection is not running</li></ul>|
+|org_id|Organization that the device is onboarded to. If the device is not yet onboarded to any organization, this prints unavailable. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).|
+|passive_mode_enabled|True if the antivirus component is set to run in passive mode, false otherwise.|
+|product_expiration|Date and time when the current product version reaches end of support.|
+|real_time_protection_available|True if the real-time protection component is healthy, false otherwise.|
+|real_time_protection_enabled|True if real-time antivirus protection is enabled, false otherwise.|
+|real_time_protection_subsystem|Subsystem used to serve real-time protection. If real-time protection is not operating as expected, this prints unavailable.|
+|release_ring|Release ring. For more information, see [Deployment rings](deployment-rings.md).|
+|
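Review bot: The delimiter row under the new `|Value|Description|` header reads `|||` as shown here, with no hyphens, whereas the removed table used `|-|-|`. A Markdown table delimiter needs at least one hyphen per column, so confirm the source file has `|---|---|` and that the table renders. The closing row is a lone `|` and the table is preceded by an empty `****`; if these are a deliberate styling pattern, a short comment in the source would help, otherwise drop them. Converting the `<br>`-separated values to `<ul><li>` lists is fine, but check that the list items for `cloud_automatic_sample_submission_consent` and `network_protection_status` render inside the cell in the published page.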
security Host Firewall Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md
Title: Host firewall reporting in Microsoft Defender for Endpoint
-description: Host and view firewall reporting in Microsoft 365 security center.
+description: Host and view firewall reporting in Microsoft 365 security center.
keywords: windows defender, firewall search.product: eADQiWindows 10XVcnh ms.prod: m365-security
ms.technology: mde
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-If you are an admin, you can now host firewall reporting to [Microsoft 365 security center](https://security.microsoft.com). This feature enables you to view Windows 10 and Windows Server 2019 firewall reporting from a centralized location.
+If you are an admin, you can now host firewall reporting to [Microsoft 365 security center](https://security.microsoft.com). This feature enables you to view Windows 10 and Windows Server 2019 firewall reporting from a centralized location.
-## What do you need to know before you begin?
+## What do you need to know before you begin?
- You must be running Windows 10 or Windows Server 2019.-- To onboard devices to the Microsoft Defender for Endpoint service, see [here](onboard-configure.md). -- For Microsoft 365 security center to start receiving the data, you must enable **Audit Events** for Windows Defender Firewall with Advanced Security:
- - [Audit Filtering Platform Packet Drop](/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop)
- - [Audit Filtering Platform Connection](/windows/security/threat-protection/auditing/audit-filtering-platform-connection)
-- Enable these events by using Group Policy Object Editor, Local Security Policy, or the auditpol.exe commands. For more information, see [here](/windows/win32/fwp/auditing-and-logging).
- - The two PowerShell commands are:
- - **auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable**
- - **auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable**
+- To onboard devices to the Microsoft Defender for Endpoint service, see [here](onboard-configure.md).
+- For Microsoft 365 security center to start receiving the data, you must enable **Audit Events** for Windows Defender Firewall with Advanced Security:
+ - [Audit Filtering Platform Packet Drop](/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop)
+ - [Audit Filtering Platform Connection](/windows/security/threat-protection/auditing/audit-filtering-platform-connection)
+- Enable these events by using Group Policy Object Editor, Local Security Policy, or the auditpol.exe commands. For more information, see [here](/windows/win32/fwp/auditing-and-logging).
+ - The two PowerShell commands are:
+ - **auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable**
+ - **auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable**
## The process+ > [!NOTE] > Make sure to follow the instructions from the section above and properly configure your devices for the early preview participation. - After enabling the events, Microsoft 365 security center will start to monitor the data.
- - Remote IP, Remote Port, Local Port, Local IP, Computer Name, Process across inbound and outbound connections.
+ - Remote IP, Remote Port, Local Port, Local IP, Computer Name, Process across inbound and outbound connections.
- Admins can now see Windows host firewall activity [here](https://security.microsoft.com/firewall).
- - Additional reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI.
- - It can take up to 12 hours before the data is reflected.
+ - Additional reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI.
+ - It can take up to 12 hours before the data is reflected.
## Supported scenarios
-The following scenarios are supported during Ring0 Preview.
+
+The following scenarios are supported during Ring0 Preview.
### Firewall reporting in security center
-Here is a couple of examples of the firewall report pages. Here you will find a summary of inbound, outbound, and application activity. You can access this page directly by going to https://security.microsoft.com/firewall.
+Here is a couple of examples of the firewall report pages. Here you will find a summary of inbound, outbound, and application activity. You can access this page directly by going to https://security.microsoft.com/firewall.
> [!div class="mx-imgBorder"] > ![Host firewall reporting page.](\images\host-firewall-reporting-page.png)
-These reports can also be accessed by going to **Reports** > **Security Report** > **Devices** (section) located at the bottom of the **Firewall Blocked Inbound Connections** card.
+These reports can also be accessed by going to **Reports** \> **Security Report** \> **Devices** (section) located at the bottom of the **Firewall Blocked Inbound Connections** card.
### From "Computers with a blocked connection" to device
-Cards support interactive objects. You can drill into the activity of a device by clicking on the device name, which will launch https://securitycenter.microsoft.com in a new tab, and take you directly to the **Device Timeline** tab.
+Cards support interactive objects. You can drill into the activity of a device by clicking on the device name, which will launch https://securitycenter.microsoft.com in a new tab, and take you directly to the **Device Timeline** tab.
> [!div class="mx-imgBorder"] > ![Computers with a blocked connection.](\images\firewall-reporting-blocked-connection.png)
-You can now select the **Timeline** tab, which will give you a list of events associated with that device.
+You can now select the **Timeline** tab, which will give you a list of events associated with that device.
-After clicking on the **Filters** button on the upper right-hand corner of the viewing pane, select the type of event you want. In this case, select **Firewall events** and the pane will be filtered to Firewall events.
+After clicking on the **Filters** button on the upper right-hand corner of the viewing pane, select the type of event you want. In this case, select **Firewall events** and the pane will be filtered to Firewall events.
> [!div class="mx-imgBorder"] > ![Filters button.](\images\firewall-reporting-filters-button.png) ### Drill into advanced hunting (preview refresh)
-Firewall reports support drilling from the card directly into **Advanced Hunting** by clicking the **Open Advanced hunting** button. The query will be pre-populated.
+Firewall reports support drilling from the card directly into **Advanced Hunting** by clicking the **Open Advanced hunting** button. The query will be pre-populated.
> [!div class="mx-imgBorder"] > ![Open Advanced hunting button.](\images\firewall-reporting-advanced-hunting.png)
-The query can now be executed, and all related Firewall events from the last 30 days can be explored.
-
-For additional reporting, or custom changes, the query can be exported into Power BI for further analysis. Custom reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI.
+The query can now be executed, and all related Firewall events from the last 30 days can be explored.
-
+For additional reporting, or custom changes, the query can be exported into Power BI for further analysis. Custom reporting can be facilitated by downloading the [Custom Reporting script](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Firewall) to monitor the Windows Defender Firewall activities using Power BI.
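Review bot: In the prerequisites list, the re-indented line "The two PowerShell commands are:" mislabels what follows. The bullet just above it correctly calls them auditpol.exe commands, and auditpol is a console executable, not a PowerShell cmdlet. Suggest "The two auditpol commands are:" and putting each command in code formatting instead of bold, so the quoted subcategory names copy cleanly. Both commands pass only /failure:enable; if that is deliberate, say so, because the text above asks readers to enable the audit events without saying that only failures are needed. Separately, the device drill-down paragraph points at https://securitycenter.microsoft.com while the rest of the article uses https://security.microsoft.com; confirm that is intended.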
security Import Export Exploit Protection Emet Xml https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml.md
You can use Group Policy to deploy the configuration you've created to multiple
2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
+3. Expand the tree to **Windows components** \> **Windows Defender Exploit Guard** \> **Exploit protection**.
![Screenshot of the group policy setting for exploit protection.](../../media/exp-prot-gp.png)
security Indicator Certificates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-certificates.md
Title: Create indicators based on certificates-+ description: Create indicators based on certificates that define the detection, prevention, and exclusion of entities. keywords: ioc, certificate, certificates, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh
It's important to understand the following requirements prior to creating indica
> [!IMPORTANT] >
-> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
->- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
->- Microsoft signed certificates cannot be blocked.
+> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
+> - The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
+> - Microsoft signed certificates cannot be blocked.
## Create an indicator for certificates from the settings page:
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
Choose if to Generate an alert on the file block event and define the alerts set
> [!IMPORTANT] >
->- Typically, file blocks are enforced and removed within a couple of minutes, but can take upwards of 30 minutes.
+> - Typically, file blocks are enforced and removed within a couple of minutes, but can take upwards of 30 minutes.
+> - If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
+> - In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
+> - If the EnableFileHashComputation group policy is disabled, the blocking accuracy of the file IoC is reduced. However, enabling `EnableFileHashComputation` may impact device performance. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance.
>
->- If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure hash will be applied. An SHA-256 file hash IoC policy will win over an SHA-1 file hash IoC policy, which will win over an MD5 file hash IoC policy if the hash types define the same file. This is always true regardless of the device group.
->
->- In all other cases, if conflicting file IoC policies with the same enforcement target are applied to all devices and to the device's group, then for a device, the policy in the device group will win.
->
->- If the EnableFileHashComputation group policy is disabled, the blocking accuracy of the file IoC is reduced. However, enabling `EnableFileHashComputation` may impact device performance. For example, copying large files from a network share onto your local device, especially over a VPN connection, might have an effect on device performance.
->
-> For more information about the EnableFileHashComputation group policy, see [Defender CSP](/windows/client-management/mdm/defender-csp).
+> For more information about the EnableFileHashComputation group policy, see [Defender CSP](/windows/client-management/mdm/defender-csp).
## Private Preview: Advanced hunting capabilities
Files:
Certificates: -- EUS:Win32/CustomCertEnterpriseBlock!cl
+- EUS:Win32/CustomCertEnterpriseBlock!cl
The response action activity can also be viewable in the device timeline.
Threat and vulnerability management's block vulnerable application features uses
### Examples
-|Component|Component enforcement|File indicator Action|Result
+<br>
+
+****
+
+|Component|Component enforcement|File indicator Action|Result|
|||||
-|Attack surface reduction file path exclusion|Allow|Block|Block
-|Attack surface reduction rule|Block|Allow|Allow
-|Windows Defender Application Control|Allow|Block|Allow
-|Windows Defender Application Control|Block|Allow|Block
-|Microsoft Defender Antivirus exclusion|Allow|Block|Allow
+|Attack surface reduction file path exclusion|Allow|Block|Block|
+|Attack surface reduction rule|Block|Allow|Allow|
+|Windows Defender Application Control|Allow|Block|Allow|
+|Windows Defender Application Control|Block|Allow|Block|
+|Microsoft Defender Antivirus exclusion|Allow|Block|Allow|
+|
## See also
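Review bot: In the rewritten IMPORTANT block, the last bullet names the policy once as plain text (EnableFileHashComputation) and once in backticks, and the closing "For more information" line uses the plain form again; pick code formatting for all three. The blank quoted line left between the bullet list and the "For more information" sentence is fine, but check that the sentence still renders inside the callout. In the Examples table, the hunk adds a `<br>`, a `****` line and a closing row that holds only `|`; if the publishing pipeline does not need them, drop them, since in plain Markdown the last one renders as an empty row.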
security Indicator Ip Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md
You can do this through the settings page or by machine groups if you deem certa
It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: - URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).-- The Antimalware client version must be 4.18.1906.x or later. -- Supported on machines on Windows 10, version 1709 or later.
+- The Antimalware client version must be 4.18.1906.x or later.
+- Supported on machines on Windows 10, version 1709 or later.
- Ensure that **Custom network indicators** is enabled in **Microsoft 365 Defender > Settings > Endpoints > Advanced features**. For more information, see [Advanced features](advanced-features.md). - For support of indicators on iOS, see [Configure custom indicators](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-custom-indicators).
It's important to understand the following prerequisites prior to creating indic
> > There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. - When using the warn mode, you can configure the following controls:
-**Bypass ability**
+**Bypass ability**:
+ - Allow button in Edge - Allow button on toast (Non-Microsoft browsers) - Bypass duration parameter on the indicator-- Bypass enforcement across Microsoft and Non-Microsoft browsers
+- Bypass enforcement across Microsoft and Non-Microsoft browsers
+
+**Redirect URL**:
-**Redirect URL**
- Redirect URL parameter on the indicator - Redirect URL in Edge - Redirect URL on toast (Non-Microsoft browsers)
For more information, see [Govern apps discovered by Microsoft Defender for Endp
## Create an indicator for IPs, URLs, or domains from the settings page
-1. In the navigation pane, select **Settings** > **Endpoints** > **Indicators** (under **Rules**).
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
2. Select the **IP addresses or URLs/Domains** tab.
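Review bot: Step 1 now escapes the navigation separators as `\>`, but the prerequisite bullet a few lines up still reads **Microsoft 365 Defender > Settings > Endpoints > Advanced features** with bare `>` inside a single bold span; use the same escaped, per-item bold form there so the two paths render alike. The prerequisite sentence also says "indicators for IPS, URLs, or domains", which should be "IPs". Under the warn-mode controls, the list items after **Bypass ability**: and **Redirect URL**: are still run together on one line in the surrounding text, so confirm each list renders as separate bullets after this change.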
security Indicator Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-manage.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-1. In the navigation pane, select **Settings** > **Endpoints** > **Indicators** (under **Rules**).
+1. In the navigation pane, select **Settings** \> **Endpoints** \> **Indicators** (under **Rules**).
2. Select the tab of the entity type you'd like to manage.
Download the sample CSV to know the supported column attributes.
2. Select the tab of the entity type you'd like to import indicators for.
-3. Select **Import** > **Choose file**.
+3. Select **Import** \> **Choose file**.
4. Select **Import**. Do this for all the files you'd like to import.
security Information Protection In Windows Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) - [!include[Prerelease information](../../includes/prerelease.md)] Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
->[!TIP]
+> [!TIP]
> Read our blog post about how Microsoft Defender for Endpoint integrates with Microsoft Information Protection to [discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). Defender for Endpoint applies the following methods to discover, classify, and protect data:
security Investigate Behind Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-behind-proxy.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance ms.technology: mde
ms.technology: mde
Defender for Endpoint supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet.
-The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value.
+The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value.
Defender for Endpoint supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names. ## Use network protection to monitor network connection behind a firewall
-Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a device timeline, turn network protection on (at the minimum in audit mode).
+
+Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a device timeline, turn network protection on (at the minimum in audit mode).
Network protection can be controlled using the following modes: -- **Block** <br> Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Microsoft Defender Security Center.-- **Audit** <br> Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
+- **Block**: Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Microsoft Defender Security Center.
+- **Audit**: Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
If you turn network protection off, users or apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.
If you do not configure it, network blocking will be turned off by default.
For more information, see [Enable network protection](enable-network-protection.md). ## Investigation impact+ When network protection is turned on, you'll see that on a device's timeline the IP address will keep representing the proxy, while the real target address shows up. ![Image of network events on device's timeline.](images/atp-proxy-investigation.png)
Event's information:
![Image of single network event.](images/atp-proxy-investigation-event.png)
+## Hunt for connection events using advanced hunting
-
-## Hunt for connection events using advanced hunting
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the DeviceNetworkEvents table under the `ConnecionSuccess` action type. Using this simple query will show you all the relevant events:
-```
+```console
DeviceNetworkEvents
-| where ActionType == "ConnectionSuccess"
+| where ActionType == "ConnectionSuccess"
| take 10 ``` ![Image of advanced hunting query.](images/atp-proxy-investigation-ah.png)
-You can also filter out events that are related to connection to the proxy itself.
+You can also filter out events that are related to connection to the proxy itself.
Use the following query to filter out the connections to the proxy:
-```
+```console
DeviceNetworkEvents
-| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
+| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10 ``` -- ## Related topics+ - [Applying network protection with GP - policy CSP](/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
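Review bot: Both query fences change from untagged to `console`, but their content is an advanced hunting query over DeviceNetworkEvents, not a shell session; tag them `kusto` instead. The sentence that introduces the first query still spells the action type `ConnecionSuccess` while the query filters on "ConnectionSuccess", so fix the prose while this section is open. In the second query, "ProxyIP" is a placeholder and the text should tell the reader to replace it with the proxy's address, otherwise the filter excludes nothing. The section heading also says "behind a firewall" while every paragraph under it is about a forward proxy.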
security Investigate Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-files.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
The file details, incident, malware detection, and file prevalence cards display
You'll see details such as the file's MD5, the Virus Total detection ratio, and Microsoft Defender AV detection if available, and the file's prevalence.
-The file prevalence card shows where the file was seen in devices in the organization and worldwide.
+The file prevalence card shows where the file was seen in devices in the organization and worldwide.
-> [!NOTE]
+> [!NOTE]
> Different users may see dissimilar values in the *devices in organization* section of the file prevalence card. This is because the card displays information based on the RBAC scope that a user has. Meaning, if a user has been granted visibility on a specific set of devices, they will only see the file organizational prevalence on those devices. ![Image of file information.](images/atp-file-information.png)
The **Alerts** tab provides a list of alerts that are associated with the file.
The **Observed in organization** tab allows you to specify a date range to see which devices have been observed with the file.
->[!NOTE]
->This tab will show a maximum number of 100 devices. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers.
+> [!NOTE]
+> This tab will show a maximum number of 100 devices. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers.
![Image of most recent observed device with the file.](images/atp-observed-machines.png)
security Investigate User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance - m365initiative-defender-endpoint
When you investigate a user account entity, you'll see:
The **User details** pane on left provides information about the user, such as related open incidents, active alerts, SAM name, SID, Microsoft Defender for Identity alerts, number of devices the user is logged on to, when the user was first and last seen, role, and logon types. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. The **Azure ATP alerts** section contains a link that will take you to the Microsoft Defender for Identity page, if you have enabled the Microsoft Defender for Identity feature, and there are alerts related to the user. The Microsoft Defender for Identity page will provide more information about the alerts.
->[!NOTE]
->You'll need to enable the integration on both Microsoft Defender for Identity and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
+> [!NOTE]
+> You'll need to enable the integration on both Microsoft Defender for Identity and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
The Overview, Alerts, and Observed in organization are different tabs that display various attributes about the user account.
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
Microsoft Defender for Endpoint can be configured to send threat signals to be u
Steps to setup app protection policies with Microsoft Defender for Endpoint are as below:
-1. Set up the connection from your Microsoft Endpoint Manager tenant to Microsoft Defender for Endpoint. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant Administration** > **Connectors and tokens** > **Microsoft Defender for Endpoint** (under Cross platform) or **Endpoint Security** > **Microsoft Defender for Endpoint** (under Setup) and turn on the toggles under **App Protection Policy Settings for iOS**.
+1. Set up the connection from your Microsoft Endpoint Manager tenant to Microsoft Defender for Endpoint. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant Administration** \> **Connectors and tokens** \> **Microsoft Defender for Endpoint** (under Cross platform) or **Endpoint Security** \> **Microsoft Defender for Endpoint** (under Setup) and turn on the toggles under **App Protection Policy Settings for iOS**.
1. Select Save. You should see **Connection status** is now set to **Enabled**.
-1. Create app protection policy: After your Microsoft Defender for Endpoint connector setup is complete, navigate to **Apps** > **App protection policies** (under Policy) to create a new policy or update an existing one.
+1. Create app protection policy: After your Microsoft Defender for Endpoint connector setup is complete, navigate to **Apps** \> **App protection policies** (under Policy) to create a new policy or update an existing one.
1. Select the platform, **Apps, Data protection, Access requirements** settings that your organization requires for your policy.
-1. Under **Conditional launch** > **Device conditions**, you will find the setting **Max allowed device threat level**. This will need to be configured to either Low, Medium, High, or Secured. The actions available to you will be **Block access** or **Wipe data**. You may see an informational dialog to make sure you have your connector set up prior to this setting take effect. If your connector is already set up, you may ignore this dialog.
+1. Under **Conditional launch** \> **Device conditions**, you will find the setting **Max allowed device threat level**. This will need to be configured to either Low, Medium, High, or Secured. The actions available to you will be **Block access** or **Wipe data**. You may see an informational dialog to make sure you have your connector set up prior to this setting take effect. If your connector is already set up, you may ignore this dialog.
1. Finish with Assignments and save your policy. For more details on MAM or app protection policy, see [iOS app protection policy settings](/mem/intune/apps/app-protection-policy-settings-ios).
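Review bot: The Conditional launch step still reads "prior to this setting take effect", while the same step in ios-install-unmanaged.md says "taking effect"; correct it here since the line is already being edited. Step 2 also has "Select Save." unformatted, where the sibling article bolds **Save**. These two articles carry the same five steps, so consider moving them into a shared include to stop the wording drifting apart.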
security Ios Install Unmanaged https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install-unmanaged.md
Microsoft Defender for Endpoint can be configured to send threat signals to be u
Steps to setup app protection policies with Microsoft Defender for Endpoint are as follows:
-1. Set up the connection from your Microsoft Endpoint Manager tenant to Microsoft Defender for Endpoint. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant Administration** > **Connectors and tokens** > **Microsoft Defender for Endpoint** (under Cross platform) or **Endpoint Security** > **Microsoft Defender for Endpoint** (under Setup) and turn on the toggles under **App Protection Policy Settings for iOS**.
+1. Set up the connection from your Microsoft Endpoint Manager tenant to Microsoft Defender for Endpoint. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Tenant Administration** \> **Connectors and tokens** \> **Microsoft Defender for Endpoint** (under Cross platform) or **Endpoint Security** \> **Microsoft Defender for Endpoint** (under Setup) and turn on the toggles under **App Protection Policy Settings for iOS**.
1. Select **Save**. You should see **Connection status** is now set to **Enabled**.
-1. Create the app protection policy: After your Microsoft Defender for Endpoint connector setup is complete, navigate to **Apps** > **App protection policies** (under Policy) to create a new policy or update an existing one.
+1. Create the app protection policy: After your Microsoft Defender for Endpoint connector setup is complete, navigate to **Apps** \> **App protection policies** (under Policy) to create a new policy or update an existing one.
1. Select the platform, **Apps, Data protection, Access requirements** settings that your organization requires for your policy.
-1. Under **Conditional launch** > **Device conditions**, you will find the setting **Max allowed device threat level**. This needs to be configured to either Low, Medium, High, or Secured. The actions available to you will be **Block access** or **Wipe data**. You may see an informational dialog to make sure you have your connector set up prior to this setting taking effect. If your connector is already set up, you may ignore this dialog.
+1. Under **Conditional launch** \> **Device conditions**, you will find the setting **Max allowed device threat level**. This needs to be configured to either Low, Medium, High, or Secured. The actions available to you will be **Block access** or **Wipe data**. You may see an informational dialog to make sure you have your connector set up prior to this setting taking effect. If your connector is already set up, you may ignore this dialog.
1. Finish with Assignments and save your policy. For more details on MAM or app protection policy, see [iOS app protection policy settings](/mem/intune/apps/app-protection-policy-settings-ios).
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Title: App-based deployment for Microsoft Defender for Endpoint on iOS-+ description: Describes how to deploy Microsoft Defender for Endpoint on iOS using an app keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, app, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh
localization_priority: Normal audience: ITPro-+ - m365-security-compliance ms.technology: mde
Intune allows you to configure the Defender for iOS app through an App Configura
> [!NOTE] > This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice.
-1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App configuration policies** > **Add**. Click on **Managed devices**.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** \> **App configuration policies** \> **Add**. Click on **Managed devices**.
> [!div class="mx-imgBorder"] > ![Image of Microsoft Endpoint Manager Admin Center4.](images/ios-deploy-4.png)
Intune allows you to configure the Defender for iOS app through an App Configura
- Configuration Key: issupervised - Value type: String - Configuration Value: {{issupervised}}
-
+ > [!div class="mx-imgBorder"] > ![Image of Microsoft Endpoint Manager Admin Center6.](images/ios-deploy-6.png)
security Ios Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-privacy.md
Title: Privacy information - Microsoft Defender for Endpoint on iOS-+ description: Describes privacy information for Microsoft Defender for Endpoint on iOS keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, policy, overview search.product: eADQiWindows 10XVcnh
localization_priority: Normal audience: ITPro-+ - m365-security-compliance ms.technology: mde
Defender for Endpoint on iOS collects information from your configured iOS devic
For more information about data storage, see [Microsoft Defender for Endpoint data storage and privacy](data-storage-privacy.md). - For more information on most common privacy questions about Microsoft Defender for Endpoint on Android and iOS mobile devices, see [Microsoft Defender for Endpoint and your privacy on Android and iOS mobile devices](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-and-your-privacy-on-android-and-ios-mobile-devices-4109bc54-8ec5-4433-9c33-d359b75ac22a).
-## Required data
-
-Required data consists of data that is necessary to make Defender for Endpoint on iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps.
-
-Here is a list of the types of data being collected:
-
-### Web page or Network information
--- Domain name and IP address of the website only when a malicious connection or web page is detected. -
-### Device and account information
--- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following: -
- - Wi-Fi adapter MAC address
+## Required data
- - Randomly generated globally unique identifier (GUID)
+Required data consists of data that is necessary to make Defender for Endpoint on iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps.
-- Tenant, Device, and User information
+Here is a list of the types of data being collected:
- - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory.
+### Web page or Network information
- - Azure tenant ID - GUID that identifies your organization within Azure Active Directory.
+- Domain name and IP address of the website only when a malicious connection or web page is detected.
- - Microsoft Defender for Endpoint org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify if there are issues affecting a select set of enterprises and the number of enterprises impacted.
+### Device and account information
- - User Principal Name - Email ID of the user.
+- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following:
+ - Wi-Fi adapter MAC address
+ - Randomly generated globally unique identifier (GUID)
+- Tenant, Device, and User information
+ - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory.
+ - Azure tenant ID - GUID that identifies your organization within Azure Active Directory.
+ - Microsoft Defender for Endpoint org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify if there are issues affecting a select set of enterprises and the number of enterprises impacted.
+ - User Principal Name - Email ID of the user.
-### Product and service usage data
+### Product and service usage data
-The following information is collected only for Microsoft Defender for Endpoint app installed on the device.
+The following information is collected only for Microsoft Defender for Endpoint app installed on the device.
-- App package info, including name, version, and app upgrade status.
+- App package info, including name, version, and app upgrade status.
+- Actions done in the app.
+- Crash report logs generated by iOS.
+- Memory usage data.
-- Actions done in the app.
+## Optional Data
-- Crash report logs generated by iOS.
+Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself.
-- Memory usage data.
+Optional diagnostic data includes:
-## Optional Data
+- App, CPU, and network usage for Defender for Endpoint.
+- Features configured by the admin for Defender for Endpoint.
-Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself.
-
-Optional diagnostic data includes:
--- App, CPU, and network usage for Defender for Endpoint. --- Features configured by the admin for Defender for Endpoint. -
-Feedback Data is collected through in-app feedback provided by the user.
+Feedback Data is collected through in-app feedback provided by the user.
- The user's email address, if they choose to provide it.--- Feedback type (smile, frown, idea) and any feedback comments submitted by the user.
+- Feedback type (smile, frown, idea) and any feedback comments submitted by the user.
For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement).--
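Review bot: In the re-indented "Device and account information" list, the Device identifier bullet still says it is "one of the following" (Wi-Fi adapter MAC address or a randomly generated GUID) without saying when each is used. For a privacy page that difference matters, so add a short qualifier to each sub-bullet. Two style points carried over by the reflow: "## Optional Data" is title-cased while "## Required data" is not, and "Azure Active directory" should match "Azure Active Directory" used two lines later. The sentence "Uniquely identifies the device, User respectively" would also read better as two separate entries.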
security Ios Terms https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-terms.md
Title: Microsoft Defender for Endpoint on iOS Application license terms-+ description: Describes the Microsoft Defender for Endpoint on iOS license terms keywords: microsoft, defender, Microsoft Defender for Endpoint, iOS, license, terms, application, use, installation, service, feedback, scope search.product: eADQiWindows 10XVcnh
localization_priority: Normal audience: ITPro-+ - m365-security-compliance hideEdit: true
These license terms ("Terms") are an agreement between Microsoft Corporation (or
based on where you live, one of its affiliates) and you. They apply to the application named above. These Terms also apply to any Microsoft -- updates,
+- updates,
-- supplements,
+- supplements,
-- Internet-based services, and
+- Internet-based services, and
-- support services
+- support services
for this application, unless other terms accompany those items. If so, those terms apply.
DO NOT USE THE APPLICATION.**
**If you comply with these Terms, you have the perpetual rights below.**
-1. **INSTALLATION AND USE RIGHTS.**
-
- 1. **Installation and Use.** You may install and use any number of copies
- of this application on iOS enabled device or devices that you own
- or control. You may use this application with your company's valid
- subscription of Defender for Endpoint or
- an online service that includes Microsoft Defender for Endpoint functionalities.
-
- 2. **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full
- functionality. Some functionality may not be available in all countries.
-
- 3. **Third-Party Programs.** The application may include third-party
- programs that Microsoft, not the third party, licenses to you under this
- agreement. Notices, if any, for the third-party program are included for
- your information only.
-
-2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
- Internet access, data transfer, and other services per the terms of the data
- service plan and any other agreement you have with your network operator due
- to use of the application. You are solely responsible for any network
- operator charges.
-
-3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
- the application. It may change or cancel them at any time.
-
- 1. Consent for Internet-Based or Wireless Services. The application may
- connect to Internet-based wireless services. Your use of the application
- operates as your consent to the transmission of standard device
- information (including but not limited to technical information about
- your device, system and application software, and peripherals) for
- Internet-based or wireless services. If other terms are provided with your use of the services, those terms also apply.
-
- - Data. Some online services require, or may be enhanced by, the
- installation of local software like this one. At your, or your
- admin's direction, this software may send data from a device to or
- from an online service.
-
- - Usage Data. Microsoft automatically collects usage and performance
- data over the internet. This data will be used to provide and
- improve Microsoft products and services and enhance your experience.
- You may limit or control collection of some usage and performance
- data through your device settings. Doing so may disrupt your use of
- certain features of the application. For more information on Microsoft's data collection and use, see the [Online Services
- Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
-
- 2. Misuse of Internet-based Services. You may not use any Internet-based
- service in any way that could harm it or impair anyone else's use of it
- or the wireless network. You may not use the service to try to gain
- unauthorized access to any service, data, account, or network by any
- means.
-
-4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
- give to Microsoft, without charge, the right to use, share, and commercialize
- your feedback in any way and for any purpose. You also give to third
- parties, without charge, any patent rights needed for their products,
- technologies, and services to use or interface with any specific parts of a
- Microsoft software or service that includes the feedback. You will not give
- feedback that is subject to a license that requires Microsoft to license its
- software or documentation to third parties because we include your feedback
- in them. These rights survive this agreement.
-
-5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
- only gives you some rights to use the application. Microsoft reserves all
- other rights. Unless applicable law gives you more rights despite this
- limitation, you may use the application only as expressly permitted in this
- agreement. In doing so, you must comply with any technical limitations in
- the application that only allow you to use it in certain ways. You may not
-
- - work around any technical limitations in the application;
-
- - reverse engineer, decompile or disassemble the application, except and
- only to the extent that applicable law expressly permits, despite this
- limitation;
-
- - make more copies of the application than specified in this agreement or
- allowed by applicable law, despite this limitation;
-
- - publish the application for others to copy;
-
- - rent, lease, or lend the application; or
-
- - transfer the application or this agreement to any third party.
-
-6. **EXPORT RESTRICTIONS.** The application is subject to United States export
- laws and regulations. You must comply with all domestic and international
- export laws and regulations that apply to the application. These laws
- include restrictions on destinations, end users and end use. For more information, see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
-
-7. **SUPPORT SERVICES.** Because this application is "as is," we may not
- provide support services for it. If you have any issues or questions about
- your use of this application, including questions about your company's
- privacy policy, please contact your company's admin. Do not contact the
- application store, your network operator, device manufacturer, or Microsoft.
- The application store provider has no obligation to furnish support or
- maintenance with respect to the application.
-
-8. **APPLICATION STORE.**
-
- 1. If you obtain the application through an application store (for example, App
- Store), review the applicable application store terms to ensure
- your download and use of the application complies with such terms.
- These terms are between you and Microsoft and not with
- the application store.
-
- 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these
- Terms, the application store provider(s) will have the right to directly
- enforce and rely upon any provision of these Terms that grants them a
- benefit or rights.
-
-9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender for Endpoint and
- Microsoft 365 are registered or common-law trademarks of Microsoft
- Corporation in the United States and/or other countries.
-
-10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
- Internet-based services, and support services that you use are the entire
- agreement for the application and support services.
+1. **INSTALLATION AND USE RIGHTS.**
+
+ 1. **Installation and Use.** You may install and use any number of copies of this application on iOS enabled device or devices that you own or control. You may use this application with your company's valid subscription of Defender for Endpoint or an online service that includes Microsoft Defender for Endpoint functionalities.
+
+ 2. **Updates.** Updates or upgrades to Microsoft Defender for Endpoint may be required for full functionality. Some functionality may not be available in all countries.
+
+ 3. **Third-Party Programs.** The application may include third-party programs that Microsoft, not the third party, licenses to you under this agreement. Notices, if any, for the third-party program are included for your information only.
+
+2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to Internet access, data transfer, and other services per the terms of the data service plan and any other agreement you have with your network operator due to use of the application. You are solely responsible for any network operator charges.
+
+3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with the application. It may change or cancel them at any time.
+
+ 1. Consent for Internet-Based or Wireless Services. The application may connect to Internet-based wireless services. Your use of the application operates as your consent to the transmission of standard device information (including but not limited to technical information about your device, system and application software, and peripherals) for Internet-based or wireless services. If other terms are provided with your use of the services, those terms also apply.
+
+ - Data. Some online services require, or may be enhanced by, the installation of local software like this one. At your, or your admin's direction, this software may send data from a device to or from an online service.
+
+ - Usage Data. Microsoft automatically collects usage and performance data over the internet. This data will be used to provide and improve Microsoft products and services and enhance your experience. You may limit or control collection of some usage and performance data through your device settings. Doing so may disrupt your use of certain features of the application. For more information on Microsoft's data collection and use, see the [Online Services Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
+
+ 2. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it or the wireless network. You may not use the service to try to gain unauthorized access to any service, data, account, or network by any means.
+
+4. **FEEDBACK.** If you give feedback about the application to Microsoft, you give to Microsoft, without charge, the right to use, share, and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies, and services to use or interface with any specific parts of a Microsoft software or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.
+
+5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement only gives you some rights to use the application. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the application only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the application that only allow you to use it in certain ways. You may not
+
+ - work around any technical limitations in the application;
+
+ - reverse engineer, decompile or disassemble the application, except and only to the extent that applicable law expressly permits, despite this limitation;
+
+ - make more copies of the application than specified in this agreement or allowed by applicable law, despite this limitation;
+
+ - publish the application for others to copy;
+
+ - rent, lease, or lend the application; or
+
+ - transfer the application or this agreement to any third party.
+
+6. **EXPORT RESTRICTIONS.** The application is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the application. These laws include restrictions on destinations, end users and end use. For more information, see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
+
+7. **SUPPORT SERVICES.** Because this application is "as is," we may not provide support services for it. If you have any issues or questions about your use of this application, including questions about your company's privacy policy, please contact your company's admin. Do not contact the application store, your network operator, device manufacturer, or Microsoft. The application store provider has no obligation to furnish support or maintenance with respect to the application.
+
+8. **APPLICATION STORE.**
+
+ 1. If you obtain the application through an application store (for example, App Store), review the applicable application store terms to ensure your download and use of the application complies with such terms. These terms are between you and Microsoft and not with the application store.
+
+ 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these Terms, the application store provider(s) will have the right to directly enforce and rely upon any provision of these Terms that grants them a benefit or rights.
+
+9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender for Endpoint and Microsoft 365 are registered or common-law trademarks of Microsoft Corporation in the United States and/or other countries.
+
+10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates, Internet-based services, and support services that you use are the entire agreement for the application and support services.
11. **APPLICABLE LAW.**
- 1. **United States.** If you acquired the application in the United States,
- Washington state law governs the interpretation of this agreement and
- applies to claims for breach of it, regardless of conflict of laws
- principles. The laws of the state where you live govern all other
- claims, including claims under state consumer protection laws, unfair
- competition laws, and in tort.
-
- 2. **Outside the United States.** If you acquired the application in any
- other country, the laws of that country apply.
-
-12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
- have other rights under the laws of your country. You may also have rights
- with respect to the party from whom you acquired the application. This
- agreement does not change your rights under the laws of your country if the
- laws of your country do not permit it to do so.
-
-13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
- FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
- WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
- EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
- EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
- APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
- APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
- ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
- CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
- THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
- IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NON-INFRINGEMENT.**
+ 1. **United States.** If you acquired the application in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.
+
+ 2. **Outside the United States.** If you acquired the application in any other country, the laws of that country apply.
+
+12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the application. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
+
+13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.**
**FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
-14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
- PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
- ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
- DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
- INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
+14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
This limitation applies to: -- anything related to the application, services, content (including code) on
- third-party Internet sites, or third-party programs; and
+- anything related to the application, services, content (including code) on third-party Internet sites, or third-party programs; and
-- claims for breach of contract, warranty, guarantee, or condition; consumer
- protection; deception; unfair competition; strict liability, negligence,
- misrepresentation, omission, trespass, or other tort; violation of statute or
- regulation; or unjust enrichment; all to the extent permitted by applicable
- law.
+- claims for breach of contract, warranty, guarantee, or condition; consumer protection; deception; unfair competition; strict liability, negligence, misrepresentation, omission, trespass, or other tort; violation of statute or regulation; or unjust enrichment; all to the extent permitted by applicable law.
It also applies even if:
-a. Repair, replacement, or refund for the application does not fully compensate
- you for any losses; or
+a. Repair, replacement, or refund for the application does not fully compensate you for any losses; or
-b. Covered Parties knew or should have known about the possibility of the
- damages.
+b. Covered Parties knew or should have known about the possibility of the damages.
The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages.
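Review bot: The rewrapped section 13 keeps the punctuation `"AS-IS." "WITH ALL FAULTS,"`, where the period after AS-IS looks like it should be a comma, and section 1.1 keeps "on iOS enabled device or devices". Because the change joins these paragraphs onto single lines, the diff no longer shows whether any wording moved, so please confirm with the legal owner that the text is byte-for-byte the same apart from line breaks, and raise the two wording points with them instead of fixing them in this formatting pass.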
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
In order to preview new features and provide early feedback, it is recommended t
```bash sudo yum install yum-utils ```+ - Note your distribution and version, and identify the closest entry (by major, then minor) for it under `https://packages.microsoft.com/config/rhel/`.
- Use the following table to help guide you in locating the package:
+ Use the following table to help guide you in locating the package:
+
+ <br>
+
+ ****
- | Distro & version | Package |
+ |Distro & version|Package|
|||
- | For RHEL 8.0-8.5 | https://packages.microsoft.com/config/rhel/8/prod/ |
- | For RHEL 7.2-7.9 | https://packages.microsoft.com/config/rhel/7/prod/ |
+ |For RHEL 8.0-8.5|<https://packages.microsoft.com/config/rhel/8/prod/>|
+ |For RHEL 7.2-7.9|<https://packages.microsoft.com/config/rhel/7/prod/>|
+ |
In the following commands, replace *[version]* and *[channel]* with the information you've identified:
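Review bot: The new table is wrapped in a bare `<br>`, a `****` line and a trailing `|` row. These depend on one renderer's behaviour and show up as stray markup or an empty row elsewhere. Drop them unless the build needs them, and say so in the commit message if it does. Separately, the following sentence asks the reader to substitute *[version]* and *[channel]*, but both table rows hard-code `prod`. Either show the path with the channel as a placeholder or add a line saying which channel values are valid, so readers do not guess at repository URLs.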
security Linux Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-privacy.md
Some diagnostic data is required, while some diagnostic data is optional. We giv
There are two levels of diagnostic data for Defender for Endpoint client software that you can choose from:
-* **Required**: The minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and performing as expected on the device it's installed on.
-
-* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
+- **Required**: The minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and performing as expected on the device it's installed on.
+- **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
By default, only required diagnostic data is sent to Microsoft.
There are three levels for controlling sample submission:
## Manage privacy controls with policy settings
-If you're an IT administrator, you might want to configure these controls at the enterprise level.
+If you're an IT administrator, you might want to configure these controls at the enterprise level.
The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Defender for Endpoint on Linux](linux-preferences.md).
As with any new policy settings, you should carefully test them out in a limited
This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected. ### Data fields that are common for all events
-There is some information about events that is common to all events, regardless of category or data subtype.
+
+There is some information about events that is common to all events, regardless of category or data subtype.
The following fields are considered common for all events:
-| Field | Description |
-| -- | -- |
-| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. |
-| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
-| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
-| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
-| hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
-| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
-| app_version | Version of the Defender for Endpoint on Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
-| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
-| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. |
-| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
+|Field|Description|
+|||
+|platform|The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized.|
+|machine_guid|Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.|
+|sense_guid|Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.|
+|org_id|Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted.|
+|hostname|Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted.|
+|product_guid|Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product.|
+|app_version|Version of the Defender for Endpoint on Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
+|sig_version|Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized.|
+|supported_compressions|List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application.|
+|release_ring|Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized.|
### Required diagnostic data
Required diagnostic data helps to identify problems with Microsoft Defender for
#### Software setup and inventory data events
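Review bot: In the rewritten identity table, `machine_guid` and `sense_guid` carry the same description word for word ("Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted."). A reader auditing what leaves the host cannot tell why two device identifiers are sent or how they differ. Since this commit touches every row anyway, give each field its own description, and, with `hostname` and `org_id` in the same table, state whether these identifiers accompany events at both diagnostic levels.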
-**Microsoft Defender for Endpoint installation / uninstallation**
+**Microsoft Defender for Endpoint installation / uninstallation**:
The following fields are collected:
-| Field | Description |
-| - | -- |
-| correlation_id | Unique identifier associated with the installation. |
-| version | Version of the package. |
-| severity | Severity of the message (for example Informational). |
-| code | Code that describes the operation. |
-| text | Additional information associated with the product installation. |
+|Field|Description|
+|||
+|correlation_id|Unique identifier associated with the installation.|
+|version|Version of the package.|
+|severity|Severity of the message (for example Informational).|
+|code|Code that describes the operation.|
+|text|Additional information associated with the product installation.|
-**Microsoft Defender for Endpoint configuration**
+**Microsoft Defender for Endpoint configuration**:
The following fields are collected:
-| Field | Description |
-| | -- |
-| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
-| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. |
-| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
-| cloud_service.timeout | Time out when the application communicates with the Defender for Endpoint cloud. |
-| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
-| cloud_service.service_uri | URI used to communicate with the cloud. |
-| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
-| cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). |
-| cloud_service.automatic_definition_update_enabled | Whether automatic definition update is turned on or not. |
-| edr.early_preview | Whether the device should run EDR early preview features. |
-| edr.group_id | Group identifier used by the detection and response component. |
-| edr.tags | User-defined tags. |
-| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
+|Field|Description|
+|||
+|antivirus_engine.enable_real_time_protection|Whether real-time protection is enabled on the device or not.|
+|antivirus_engine.passive_mode|Whether passive mode is enabled on the device or not.|
+|cloud_service.enabled|Whether cloud delivered protection is enabled on the device or not.|
+|cloud_service.timeout|Time out when the application communicates with the Defender for Endpoint cloud.|
+|cloud_service.heartbeat_interval|Interval between consecutive heartbeats sent by the product to the cloud.|
+|cloud_service.service_uri|URI used to communicate with the cloud.|
+|cloud_service.diagnostic_level|Diagnostic level of the device (required, optional).|
+|cloud_service.automatic_sample_submission|Automatic sample submission level of the device (none, safe, all).|
+|cloud_service.automatic_definition_update_enabled|Whether automatic definition update is turned on or not.|
+|edr.early_preview|Whether the device should run EDR early preview features.|
+|edr.group_id|Group identifier used by the detection and response component.|
+|edr.tags|User-defined tags.|
+|features.\[optional feature name\]|List of preview features, along with whether they are enabled or not.|
#### Product and service usage data events
-**Security intelligence update report**
+**Security intelligence update report**:
The following fields are collected:
-| Field | Description |
-| - | -- |
-| from_version | Original security intelligence version. |
-| to_version | New security intelligence version. |
-| status | Status of the update indicating success or failure. |
-| using_proxy | Whether the update was done over a proxy. |
-| error | Error code if the update failed. |
-| reason | Error message if the update failed. |
+|Field|Description|
+|||
+|from_version|Original security intelligence version.|
+|to_version|New security intelligence version.|
+|status|Status of the update indicating success or failure.|
+|using_proxy|Whether the update was done over a proxy.|
+|error|Error code if the update failed.|
+|reason|Error message if the update failed.|
-#### Product and service performance data events
+#### Product and service performance data events for required diagnostic data
-**Kernel extension statistics**
+**Kernel extension statistics**:
The following fields are collected:
-| Field | Description |
-| - | -- |
-| version | Version of Defender for Endpoint on Linux. |
-| instance_id | Unique identifier generated on kernel extension startup. |
-| trace_level | Trace level of the kernel extension. |
-| subsystem | The underlying subsystem used for real-time protection. |
-| ipc.connects | Number of connection requests received by the kernel extension. |
-| ipc.rejects | Number of connection requests rejected by the kernel extension. |
-| ipc.connected | Whether there is any active connection to the kernel extension. |
+|Field|Description|
+|||
+|version|Version of Defender for Endpoint on Linux.|
+|instance_id|Unique identifier generated on kernel extension startup.|
+|trace_level|Trace level of the kernel extension.|
+|subsystem|The underlying subsystem used for real-time protection.|
+|ipc.connects|Number of connection requests received by the kernel extension.|
+|ipc.rejects|Number of connection requests rejected by the kernel extension.|
+|ipc.connected|Whether there is any active connection to the kernel extension.|
#### Support data
-**Diagnostic logs**
+**Diagnostic logs**:
Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
If you choose to send us optional diagnostic data, required diagnostic data is a
Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).
-#### Software setup and inventory data events
+#### Software setup and inventory data events for optional diagnostic data
-**Microsoft Defender for Endpoint configuration**
+**Microsoft Defender for Endpoint configuration**:
The following fields are collected:
-| Field | Description |
-| -- | -- |
-| connection_retry_timeout | Connection retry time-out when communication with the cloud. |
-| file_hash_cache_maximum | Size of the product cache. |
-| crash_upload_daily_limit | Limit of crash logs uploaded daily. |
-| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. |
-| antivirus_engine.exclusions[].path | Path that was excluded from scanning. |
-| antivirus_engine.exclusions[].extension | Extension excluded from scanning. |
-| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. |
-| antivirus_engine.scan_cache_maximum | Size of the product cache. |
-| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. |
-| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
-| antivirus_engine.threat_type_settings | Configuration for how different threat types are handled by the product. |
-| filesystem_scanner.full_scan_directory | Full scan directory. |
-| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. |
-| edr.latency_mode | Latency mode used by the detection and response component. |
-| edr.proxy_address | Proxy address used by the detection and response component. |
-
-**Microsoft Auto-Update configuration**
+|Field|Description|
+|||
+|connection_retry_timeout|Connection retry time-out when communication with the cloud.|
+|file_hash_cache_maximum|Size of the product cache.|
+|crash_upload_daily_limit|Limit of crash logs uploaded daily.|
+|antivirus_engine.exclusions[].is_directory|Whether the exclusion from scanning is a directory or not.|
+|antivirus_engine.exclusions[].path|Path that was excluded from scanning.|
+|antivirus_engine.exclusions[].extension|Extension excluded from scanning.|
+|antivirus_engine.exclusions[].name|Name of the file excluded from scanning.|
+|antivirus_engine.scan_cache_maximum|Size of the product cache.|
+|antivirus_engine.maximum_scan_threads|Maximum number of threads used for scanning.|
+|antivirus_engine.threat_restoration_exclusion_time|Time out before a file restored from the quarantine can be detected again.|
+|antivirus_engine.threat_type_settings|Configuration for how different threat types are handled by the product.|
+|filesystem_scanner.full_scan_directory|Full scan directory.|
+|filesystem_scanner.quick_scan_directories|List of directories used in quick scan.|
+|edr.latency_mode|Latency mode used by the detection and response component.|
+|edr.proxy_address|Proxy address used by the detection and response component.|
+
+**Microsoft Auto-Update configuration**:
The following fields are collected:
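Review bot: In the optional-data configuration table, `file_hash_cache_maximum` and `antivirus_engine.scan_cache_maximum` are both described as "Size of the product cache.", which does not tell the two settings apart; each row needs a description of the cache it actually bounds. In the same table, "Connection retry time-out when communication with the cloud" should read "when communicating with the cloud". The `antivirus_engine.exclusions[].path` and `antivirus_engine.exclusions[].name` rows mean the excluded paths and file names themselves are reported, so it is worth saying that explicitly rather than leaving it to the field names.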
-| Field | Description |
-| | -- |
-| how_to_check | Determines how product updates are checked (for example automatic or manual). |
-| channel_name | Update channel associated with the device. |
-| manifest_server | Server used for downloading updates. |
-| update_cache | Location of the cache used to store updates. |
+|Field|Description|
+|||
+|how_to_check|Determines how product updates are checked (for example automatic or manual).|
+|channel_name|Update channel associated with the device.|
+|manifest_server|Server used for downloading updates.|
+|update_cache|Location of the cache used to store updates.|
### Product and service usage
The following fields are collected:
The following fields are collected:
-| Field | Description |
-| - | -- |
-| sha256 | SHA256 identifier of the support log. |
-| size | Size of the support log. |
-| original_path | Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*). |
-| format | Format of the support log. |
+|Field|Description|
+|||
+|sha256|SHA256 identifier of the support log.|
+|size|Size of the support log.|
+|original_path|Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*).|
+|format|Format of the support log.|
#### Diagnostic log upload completed report The following fields are collected:
-| Field | Description |
-| - | -- |
-| request_id | Correlation ID for the support log upload request. |
-| sha256 | SHA256 identifier of the support log. |
-| blob_sas_uri | URI used by the application to upload the support log. |
+|Field|Description|
+|||
+|request_id|Correlation ID for the support log upload request.|
+|sha256|SHA256 identifier of the support log.|
+|blob_sas_uri|URI used by the application to upload the support log.|
-#### Product and service performance data events
+#### Product and service performance data events for product service and usage
-**Unexpected application exit (crash)**
+**Unexpected application exit (crash)**:
Unexpected application exits and the state of the application when that happens.
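Review bot: The `blob_sas_uri` row in the upload-completed table says only "URI used by the application to upload the support log". A SAS URI normally carries its access signature in the query string, so the description should say whether the signature is removed before the value is recorded, or how long the URI stays valid. As written, a reader has to assume the full upload credential is part of the telemetry event.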
-**Kernel extension statistics**
+**Kernel extension statistics**:
The following fields are collected:
-| Field | Description |
-| | -- |
-| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. |
-| pkt_ack_conn_timeout | |
-| ipc.ack_pkts | |
-| ipc.nack_pkts | |
-| ipc.send.ack_no_conn | |
-| ipc.send.nack_no_conn | |
-| ipc.send.ack_no_qsq | |
-| ipc.send.nack_no_qsq | |
-| ipc.ack.no_space | |
-| ipc.ack.timeout | |
-| ipc.ack.ackd_fast | |
-| ipc.ack.ackd | |
-| ipc.recv.bad_pkt_len | |
-| ipc.recv.bad_reply_len | |
-| ipc.recv.no_waiter | |
-| ipc.recv.copy_failed | |
-| ipc.kauth.vnode.mask | |
-| ipc.kauth.vnode.read | |
-| ipc.kauth.vnode.write | |
-| ipc.kauth.vnode.exec | |
-| ipc.kauth.vnode.del | |
-| ipc.kauth.vnode.read_attr | |
-| ipc.kauth.vnode.write_attr | |
-| ipc.kauth.vnode.read_ex_attr | |
-| ipc.kauth.vnode.write_ex_attr | |
-| ipc.kauth.vnode.read_sec | |
-| ipc.kauth.vnode.write_sec | |
-| ipc.kauth.vnode.take_own | |
-| ipc.kauth.vnode.link | |
-| ipc.kauth.vnode.create | |
-| ipc.kauth.vnode.move | |
-| ipc.kauth.vnode.mount | |
-| ipc.kauth.vnode.denied | |
-| ipc.kauth.vnode.ackd_before_deadline | |
-| ipc.kauth.vnode.missed_deadline | |
-| ipc.kauth.file_op.mask | |
-| ipc.kauth_file_op.open | |
-| ipc.kauth.file_op.close | |
-| ipc.kauth.file_op.close_modified | |
-| ipc.kauth.file_op.move | |
-| ipc.kauth.file_op.link | |
-| ipc.kauth.file_op.exec | |
-| ipc.kauth.file_op.remove | |
-| ipc.kauth.file_op.unmount | |
-| ipc.kauth.file_op.fork | |
-| ipc.kauth.file_op.create | |
+|Field|Description|
+|||
+|pkt_ack_timeout|The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup.|
+|pkt_ack_conn_timeout||
+|ipc.ack_pkts||
+|ipc.nack_pkts||
+|ipc.send.ack_no_conn||
+|ipc.send.nack_no_conn||
+|ipc.send.ack_no_qsq||
+|ipc.send.nack_no_qsq||
+|ipc.ack.no_space||
+|ipc.ack.timeout||
+|ipc.ack.ackd_fast||
+|ipc.ack.ackd||
+|ipc.recv.bad_pkt_len||
+|ipc.recv.bad_reply_len||
+|ipc.recv.no_waiter||
+|ipc.recv.copy_failed||
+|ipc.kauth.vnode.mask||
+|ipc.kauth.vnode.read||
+|ipc.kauth.vnode.write||
+|ipc.kauth.vnode.exec||
+|ipc.kauth.vnode.del||
+|ipc.kauth.vnode.read_attr||
+|ipc.kauth.vnode.write_attr||
+|ipc.kauth.vnode.read_ex_attr||
+|ipc.kauth.vnode.write_ex_attr||
+|ipc.kauth.vnode.read_sec||
+|ipc.kauth.vnode.write_sec||
+|ipc.kauth.vnode.take_own||
+|ipc.kauth.vnode.link||
+|ipc.kauth.vnode.create||
+|ipc.kauth.vnode.move||
+|ipc.kauth.vnode.mount||
+|ipc.kauth.vnode.denied||
+|ipc.kauth.vnode.ackd_before_deadline||
+|ipc.kauth.vnode.missed_deadline||
+|ipc.kauth.file_op.mask||
+|ipc.kauth_file_op.open||
+|ipc.kauth.file_op.close||
+|ipc.kauth.file_op.close_modified||
+|ipc.kauth.file_op.move||
+|ipc.kauth.file_op.link||
+|ipc.kauth.file_op.exec||
+|ipc.kauth.file_op.remove||
+|ipc.kauth.file_op.unmount||
+|ipc.kauth.file_op.fork||
+|ipc.kauth.file_op.create||
## Resources
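Review bot: `ipc.kauth_file_op.open` breaks the naming pattern of every other row in its group (`ipc.kauth.file_op.close`, `ipc.kauth.file_op.move`, and so on), and the reformat carries it over unchanged from the old table. Confirm whether the emitted field really uses an underscore there, and if not, correct it to `ipc.kauth.file_op.open` in this commit. Separately, the sentence "The following properties are aggregated numerical values..." sits in the description cell of `pkt_ack_timeout` and leaves every other row blank; it would read better as a sentence above the table.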
security Linux Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-pua.md
localization_priority: Normal audience: ITPro-+ - m365-security-compliance ms.technology: mde
PUA protection in Defender for Endpoint on Linux can be configured in one of the
- **Audit**: PUA files are reported in the product logs, but not in Microsoft 365 Defender. No record of the infection is stored in the threat history and no action is taken by the product. - **Block**: PUA files are reported in the product logs and in Microsoft 365 Defender. A record of the infection is stored in the threat history and action is taken by the product.
->[!WARNING]
->By default, PUA protection is configured in **Audit** mode.
+> [!WARNING]
+> By default, PUA protection is configured in **Audit** mode.
You can configure how PUA files are handled from the command line or from the management console.
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 08/05/2021 Last updated : 08/27/2021 # Manage Microsoft Defender Antivirus updates and apply baselines
Keeping Microsoft Defender Antivirus up to date is critical to assure your devic
- Product updates > [!TIP]
-> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/wdsi/defenderupdates)
+> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates)
## Security intelligence updates
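Review bot: The new link in the TIP hard-codes the `en-us` locale (`https://www.microsoft.com/en-us/wdsi/defenderupdates`), where the line it replaces was locale-neutral. Unless the neutral URL stopped resolving, keep it so that readers of localized versions of this article are not forced onto the English page. If the change is deliberate, the reason belongs in the commit message.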
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
> [!TIP] > Don't have Microsoft Defender for Office 365 yet? [Contact sales to start a trial](https://info.microsoft.com/ww-landing-M365SMB-web-contact.html).
-## August 2021
--- [Admin review for reported messages](admin-review-reported-message.md): Admins can now send templated messages back to end users after they review reported messages. This can be customized for your organization and based on your admin's verdict as well.
-=======
## September 2021 - [Quarantine policies](quarantine-policies.md): Admins can configure granular control for recipient access to quarantined messages and customize end-user spam notifications.
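Review bot: Removing the stray `=======` line is right, since it is a leftover merge-conflict separator, but the same deletion drops the whole `## August 2021` heading and its "Admin review for reported messages" entry. Confirm that entry is meant to be removed rather than being the losing side of the conflict, and check the rest of the file for remaining `<<<<<<<` or `>>>>>>>` markers before merging.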