+### Does the admin app support multi-tenant billing features?

+The admin mobile app is missing a few multi-tenant features where the authorized admin can see the products and licenses of the tenant in question along with the products and licenses of associated tenants in a single view.

+This feature is not yet part of Microsoft 365 Admin mobile app and will be coming soon. For more information, admins can go to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.

+## Manage email settings

+1. Go to the admin center at <https://admin.microsoft.com>.

+2. Go to **Users** > **Active users** and select the user for whom you would like to manage email settings.

+3. In the new pane, select **Mail** to manage email settings.

+> ¹ You can only manage email apps for mailboxes that are hosted fully in Microsoft 365. You cannot use this feature to manage email apps for mailboxes that are hosted on-premises.

+The Experience insights (preview) dashboard shows you data across usage and sentiment to give you a fuller view of your organization's experience with Microsoft 365.

+Experience insights is optimized for organizations with higher volumes of data so is only available for organizations with 20,000 plus seats. We are working on bringing the experience to smaller organizations in the future. This information and data on the dashboard will help you better understand and improve your users' experience with Microsoft 365. The dashboard shows you data across usage and user sentiment and helps give you a fuller picture of your users' overall experience. You can drill down into specific information such as feature usage for certain apps, exact feedback and Net Promoter Score (NPS) comments, and top help articles viewed by users in your organization. This info can help you identify opportunities to improve usersΓÇÖ Microsoft 365 products and app experiences in your organization.

+If your IT administrator has granted you [access to Bookings](/microsoft-365/bookings/turn-bookings-on-or-off), you can access the app via Office online.

+- [Create a manual booking](create-a-manual-booking.md)

+Certain improvement actions can be automatically tested by Compliance Manager. [Get details](compliance-manager-setup.md#set-up-automated-testing) on which improvement actions can and can't be tested automatically.

+The **Manage user history** settings help you quickly identify which users have worked with improvement actions in Compliance Manager. The identifiable user data associated with improvement actions includes the status of the improvement actions and documents they uploaded. Understanding and retrieving this type of data may be necessary for your organizationΓÇÖs own compliance needs.

+The [data classification overview](data-classification-overview.md) and [content explorer](data-classification-content-explorer.md) tabs give you visibility into what content has been discovered and labeled, and where that content is. [Activity explorer](https://compliance.microsoft.com/dataclassification?viewid=activitiesexplorer) rounds out this suite of functionality by allowing you to monitor what's being done with your labeled content. Activity explorer provides a historical view of activities on your labeled content. The activity information is collected from the Microsoft 365 unified audit logs, transformed, and made available in the Activity explorer UI. Activity explorer reports on up to 30 days worth of data.

+Insider risk policy templates define the type of risk activities that you want to detect and investigate. Each policy template is based on specific indicators that correspond to specific triggers and risk activities. All global indicators are disabled by default, and you must select one or more indicators to configure an insider risk management policy.

+Signals are collected and alerts are triggered by policies when users perform activities related to indicators. Insider risk management uses different types of events and indicators to collect signals and create alerts:

+- **Global settings indicators**: Indicators enabled in global settings for insider risk management define both the indicators available for configuration in policies and the types of user activity signals collected by insider risk management. For example, if a user copies data to personal cloud storage services or portable storage devices and these indicators are selected only in global settings, this activity will be available for review in the Activity explorer. However, since this activity wasn't defined in an insider risk management policy, the activity won't be assigned a risk score or generate an alert.

+- **Policy indicators**: Indicators included in insider risk management policies are used to determine a risk score for an in-scope user. Policy indicators are enabled from indicators defined in global settings and are only activated after a triggering event occurs for a user. Some examples of policy indicators are when a user copies data to personal cloud storage services or portable storage devices, if a user account is removed from Azure Active Directory, or if a user shares internal files and folders with unauthorized external parties.

+In some cases, you may want to limit the insider risk policy indicators that are applied to insider risk policies in your organization. You can turn off the policy indicators for specific areas by disabling them from all insider risk policies in global settings. Triggering events can only be modified for policies created from the *General data leaks* or *Data leaks by priority users* templates. Policies created from all other templates don't have customizable triggering indicators or events.

+To define the insider risk policy indicators that are enabled in all insider risk policies, navigate to **Insider risk settings** > **Indicators** and select one or more policy indicators. The indicators selected on the **Indicators** settings page can't be individually configured when creating or editing an insider risk policy in the policy wizard.

+For data at rest, Azure offers many encryption options, such as support for AES-256, giving you the flexibility to choose the data storage scenario that best meets your needs. Data can be automatically encrypted when written to Azure Storage using [Storage Service Encryption](/azure/storage/storage-service-encryption), and operating system and data disks used by VMs can be encrypted. For more information, see [Security recommendations for Windows virtual machines in Azure](/azure/virtual-machines/security-recommendations). In addition, delegated access to data objects in Azure Storage can be granted using [Shared Access Signatures](/azure/storage/storage-dotnet-shared-access-signature-part-1). Azure also provides encryption for data at rest using [Transparent Data Encryption for Azure SQL Database and Data Warehouse](/sql/relational-databases/security/encryption/transparent-data-encryption-azure-sql).

+These limits apply to all sensitive information types (SIT) except exact data match sensitive information types which support up to 100.

+> [!NOTE]

+> We support up to 100 exact data match (EDM) evaluations. Policies that use EDM SITs should not be written with a **min** or **max** instance count value greater than 100.

+ | `Mailbox` <br/> |Specifies the email address of the mailbox that the PST file will be imported to. You can't specify a public folder or unified group because the PST Import Service doesn't support importing PST files or unified groups to public folders. <br/> To import a PST file to an inactive mailbox, you have to specify the mailbox GUID for this parameter. To obtain this GUID, run the following PowerShell command in Exchange Online: `Get-Mailbox <identity of inactive mailbox> -InactiveMailboxOnly`. | `FL Guid` <br/> **Note:** Sometimes you might have multiple mailboxes with the same email address, where one mailbox is an active mailbox and the other mailbox is in a soft-deleted (or inactive) state. In these situations, you have to specify the mailbox GUID to uniquely identify the mailbox to import the PST file to. To obtain this GUID for active mailboxes, run the following PowerShell command: `Get-Mailbox <identity of active mailbox>`. | `FL Guid`. To obtain the GUID for soft-deleted (or inactive) mailboxes, run this command `Get-Mailbox \<identity of soft-deleted or inactive mailbox\> -SoftDeletedMailbox | FL Guid`. <br/> | `annb@contoso.onmicrosoft.com` <br/> Or <br/> `2d7a87fe-d6a2-40cc-8aff-1ebea80d4ae7` <br/> |

+## Week of August 22, 2022

+| Published On |Topic title | Change |

+|||--|

+| 8/22/2022 | [Enable co-authoring for encrypted documents](/microsoft-365/compliance/sensitivity-labels-coauthoring?view=o365-worldwide) | modified |

+| 8/22/2022 | [Choose between guided and advanced modes for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-modes?view=o365-worldwide) | added |

+| 8/22/2022 | [Supported data types and filters in guided mode for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-builder-details?view=o365-worldwide) | added |

+| 8/22/2022 | [Work with query results in guided mode for hunting in Microsoft 365 Defender](/microsoft-365/security/defender/advanced-hunting-query-builder-results?view=o365-worldwide) | added |

+| 8/22/2022 | [Build queries using guided mode in Microsoft 365 Defender advanced hunting](/microsoft-365/security/defender/advanced-hunting-query-builder?view=o365-worldwide) | added |

+| 8/22/2022 | [Overview - Advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide) | modified |

+| 8/22/2022 | [Manage Microsoft feedback for your organization](/microsoft-365/admin/manage/manage-feedback-ms-org?view=o365-worldwide) | modified |

+| 8/22/2022 | [Get started using Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide) | modified |

+| 8/22/2022 | [Payloads in Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide) | modified |

+| 8/22/2022 | [Simulation automations for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide) | modified |

+| 8/22/2022 | [Simulate a phishing attack with Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training?view=o365-worldwide) | modified |

+| 8/22/2022 | [View email security reports](/microsoft-365/security/office-365-security/view-email-security-reports?view=o365-worldwide) | modified |

+| 8/23/2022 | [About the Microsoft Defender Vulnerability Management public preview trial](/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial?view=o365-worldwide) | added |

+| 8/23/2022 | [Trial playbook - Microsoft Defender Vulnerability Management (public preview)](/microsoft-365/security/defender-vulnerability-management/trial-playbook-defender-vulnerability-management?view=o365-worldwide) | added |

+| 8/23/2022 | [Top 10 ways to secure your business data - Best practices for small and medium-sized businesses](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |

+| 8/23/2022 | [Onboard and offboard macOS devices into Microsoft Purview solutions using Microsoft Intune](/microsoft-365/compliance/device-onboarding-offboarding-macos-intune?view=o365-worldwide) | modified |

+| 8/23/2022 | [Integrate Microsoft Teams classes and meetings with Moodle](/microsoft-365/lti/teams-classes-meetings-with-moodle?view=o365-worldwide) | modified |

+| 8/23/2022 | [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-worldwide) | modified |

+| 8/24/2022 | [Message encryption FAQ](/microsoft-365/compliance/ome-faq?view=o365-worldwide) | modified |

+| 8/24/2022 | [Office 365 Message Encryption](/microsoft-365/compliance/ome?view=o365-worldwide) | modified |

+| 8/24/2022 | [Help your frontline workers use collaboration apps and features](/microsoft-365/frontline/collab-features-apps-toolkit?view=o365-worldwide) | added |

+| 8/24/2022 | [Help your frontline workers track time and attendance](/microsoft-365/frontline/shifts-toolkit?view=o365-worldwide) | added |

+| 8/24/2022 | [Choose your scenarios for Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-choose-scenarios?view=o365-worldwide) | modified |

+| 8/24/2022 | [Frontline team collaboration](/microsoft-365/frontline/flw-team-collaboration?view=o365-worldwide) | modified |

+| 8/24/2022 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified |

+| 8/24/2022 | [Top 10 ways to secure your data - Best practices for small and medium-sized businesses](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |

+| 8/24/2022 | [Set up and secure managed devices](/microsoft-365/business-premium/m365bp-protect-devices?view=o365-worldwide) | modified |

+| 8/24/2022 | [Microsoft 365 Business Premium - Productivity and security](/microsoft-365/business-premium/m365bp-secure-users?view=o365-worldwide) | modified |

+| 8/24/2022 | [Security incident management](/microsoft-365/business-premium/m365bp-security-incident-management?view=o365-worldwide) | modified |

+| 8/24/2022 | [Microsoft Defender for Business Premium trial playbook](/microsoft-365/business-premium/m365bp-trial-playbook-microsoft-business-premium?view=o365-worldwide) | modified |

+| 8/24/2022 | Set up a connector to archive Jive data in Microsoft 365 | removed |

+| 8/24/2022 | Get CVE-KB map API | removed |

+| 8/24/2022 | Get KB collection API | removed |

+| 8/24/2022 | Get RBAC machine groups collection API | removed |

+| 8/24/2022 | Get machines security states collection API | removed |

+| 8/24/2022 | [Microsoft security portals and admin centers](/microsoft-365/security/defender/portals?view=o365-worldwide) | modified |

+| 8/24/2022 | [Sensitive information type limits](/microsoft-365/compliance/sit-limits?view=o365-worldwide) | added |

+| 8/24/2022 | [Create custom sensitive information types](/microsoft-365/compliance/create-a-custom-sensitive-information-type?view=o365-worldwide) | modified |

+| 8/24/2022 | [What's new in Microsoft Purview risk and compliance solutions](/microsoft-365/compliance/whats-new?view=o365-worldwide) | modified |

+| 8/25/2022 | [Microsoft Adoption Score](/microsoft-365/admin/adoption/adoption-score?view=o365-worldwide) | renamed |

+| 8/25/2022 | [Microsoft Adoption Score - Microsoft 365 apps health](/microsoft-365/admin/adoption/apps-health?view=o365-worldwide) | renamed |

+| 8/25/2022 | [Microsoft Adoption Score - Communication](/microsoft-365/admin/adoption/communication?view=o365-worldwide) | renamed |

+| 8/25/2022 | [Microsoft Adoption Score - Content collaboration](/microsoft-365/admin/adoption/content-collaboration?view=o365-worldwide) | renamed |

+| 8/25/2022 | [Microsoft Adoption Score - Meetings](/microsoft-365/admin/adoption/meetings?view=o365-worldwide) | renamed |

+| 8/25/2022 | [Microsoft Adoption Score - Mobility](/microsoft-365/admin/adoption/mobility?view=o365-worldwide) | renamed |

+| 8/25/2022 | [Microsoft Adoption Score - Privacy](/microsoft-365/admin/adoption/privacy?view=o365-worldwide) | renamed |

+| 8/25/2022 | [Microsoft Adoption Score - Teamwork](/microsoft-365/admin/adoption/teamwork?view=o365-worldwide) | renamed |

+| 8/25/2022 | [Troubleshoot issues on Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-support-signin?view=o365-worldwide) | modified |

+| 8/25/2022 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-worldwide) | modified |

+| 8/25/2022 | About the Microsoft Defender Vulnerability Management public preview trial | removed |

+| 8/25/2022 | Trial playbook - Microsoft Defender Vulnerability Management (public preview) | removed |

+| 8/25/2022 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-worldwide) | modified |

+| 8/25/2022 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified |

+| 8/25/2022 | [Manage clients for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-clients-gcc?view=o365-worldwide) | added |

+| 8/25/2022 | [Manage data for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-data-gcc?view=o365-worldwide) | added |

+| 8/25/2022 | [Manage sharing for Microsoft Whiteboard in GCC environments](/microsoft-365/whiteboard/manage-sharing-gcc?view=o365-worldwide) | added |

+| 8/25/2022 | [Manage access to Microsoft Whiteboard for GCC environments](/microsoft-365/whiteboard/manage-whiteboard-access-gcc?view=o365-worldwide) | added |

+| 8/25/2022 | [Onboard non-persistent virtual desktop infrastructure (VDI) devices](/microsoft-365/security/defender-endpoint/configure-endpoints-vdi?view=o365-worldwide) | modified |

+| 8/25/2022 | [Review events and errors using Event Viewer](/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide) | modified |

+| 8/25/2022 | [What's the difference between junk email and bulk email?](/microsoft-365/security/office-365-security/what-s-the-difference-between-junk-email-and-bulk-email?view=o365-worldwide) | modified |

+| 8/26/2022 | [Supported Microsoft Defender for Endpoint capabilities by platform](/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform?view=o365-worldwide) | added |

+| 8/26/2022 | [Top 10 ways to secure your data - Best practices for small and medium-sized businesses](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-worldwide) | modified |

+| 8/26/2022 | [Onboard and offboard macOS devices into Microsoft Purview solutions using Microsoft Intune](/microsoft-365/compliance/device-onboarding-offboarding-macos-intune?view=o365-worldwide) | modified |

+| 8/26/2022 | [Migrating servers from Microsoft Monitoring Agent to the unified solution](/microsoft-365/security/defender-endpoint/application-deployment-via-mecm?view=o365-worldwide) | modified |

+| 8/26/2022 | [Onboard devices and configure Microsoft Defender for Endpoint capabilities](/microsoft-365/security/defender-endpoint/onboard-configure?view=o365-worldwide) | modified |

+| 8/26/2022 | Microsoft Defender Experts for Hunting preview | removed |

+> **The ability to onboard Windows Server endpoints is currently in preview**. When general availability is announced, a Microsoft Defender for Business servers license must be purchased for each onboarded server, or those servers can be offboarded.

+> Make sure that you meet the following requirements before you onboard a Windows Server endpoint:

+> **The ability to onboard Linux Server endpoints is currently in preview**. When general availability is announced, a Microsoft Defender for Business servers license must be purchased for each onboarded server, or those servers can be offboarded.

+> Make sure that you meet the following requirements before you onboard a Linux Server endpoint:

+# Add or remove machine tags API

+Adds or removes tag to a specific [Machine](machine.md).

+One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md).

+> - The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information).

+> - The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information).

+## Example Request

+To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

+> [!NOTE]

+> Experts on Demand is not a security incident response service. ItΓÇÖs intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).

+> [!NOTE]

+> Experts on Demand is not a security incident response service. ItΓÇÖs intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).

+ Title: About the Microsoft Defender Vulnerability Management public preview trial

+description: Learn about the Microsoft Defender Vulnerability Management trial

+keywords: defender vulnerability management

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+- NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: m365d

+# About the Microsoft Defender Vulnerability Management public preview trial

+**Applies to:**

+- [Microsoft Defender Vulnerability Management](../defender-vulnerability-management/index.yml)

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+Microsoft Defender Vulnerability Management is a new service that provides advanced vulnerability management capabilities to minimize your organization's cyber risk. Get real-time asset discovery, continuous risk-based assessment and prioritization, and built in remediation tools.

+It includes the existing vulnerability management capabilities in Microsoft Defender for Endpoint and new capabilities to further provide enhanced tools so your teams can intelligently assess, prioritize, and seamlessly remediate the biggest risks to your organization.

+## How to sign up for the Defender Vulnerability Management public preview trial

+> [!NOTE]

+> The sign up process outlined below is only relevant to customers who have access to the [Microsoft Defender 365 portal](https://security.microsoft.com/homepage).

+>

+> If you don't have access to the Microsoft Defender 365 portal learn more about how you can sign up to the [Microsoft Defender Vulnerability Management Standalone public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md#try-defender-vulnerability-management-standalone).

+To sign up for the Defender Vulnerability Management trial, you can go directly to the [Microsoft 365 trials hub](https://security.microsoft.com/trialHorizontalHub) page or by selecting **Trials** on the left navigation from the [Microsoft Defender 365 portal](https://security.microsoft.com/homepage).

+Once you've reached the [Microsoft 365 trials hub](https://security.microsoft.com/trialHorizontalHub), sign up depends on whether you already have Microsoft Defender for Endpoint Plan 2 or not:

+- If you have Defender for Endpoint Plan 2, find the **Defender Vulnerability Management add-on** card and select **Try now**.

+- If you don't have have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3, choose the **Defender Vulnerability Management** card and select **Try now**.

+2. Review the information about what's included in the trial, then select **Begin trial**.

+Your trial will be effective immediately for 120 days. It can take up to 6 hours for all vulnerability management features to appear in your left navigation. Sign out and sign back in to see the updates.

+> [!NOTE]

+> This is a public preview trial. Details on your purchase options for this new offering will be made available once the offering is generally available.

+## Required roles for starting the trial

+As a Global Administrator, you can start the trial or you can allow to users start the trial on behalf of your organization by enabling this option:

+1. In the Microsoft 365 admin center, go to **Settings** > **Org settings** > **Services** > **User owned apps and services**

+2. Check **Let users start trials on behalf of your organization**

+3. Select **Save**

+> [!NOTE]

+> If you don't want users in your organization to be able to start trials, as a Global Administrator you must disable this option once you've activated the trial.

+>

+> Only a Global Administrator can end the trial.

+It can take a few hours for the changes to take effect. Once it does, return to the trial setup page and select **Begin trial**.

+## Licensing

+As part of the trial setup, the new Defender Vulnerability Management trial licenses will be applied to users automatically. Therefore, no assignment is needed (_The trial can automatically apply up to 1,000,000 licenses_). The licenses are active for 120 days.

+## Getting started, extending, and ending the trial

+### Getting started

+You can start using Defender Vulnerability Management features as soon as you see them in the Microsoft 365 Defender portal. Nothing is created automatically and users won't be affected. When you navigate to each solution, you may be guided to make extra setup configurations to start using features.

+### Extending the trial

+You can extend the trial within the last 15 days of the trial period. You're limited to a maximum of two trial periods. If you don't extend by the time your trial period ends, you'll need to wait at least 30 days before signing up for a second trial.

+### Ending the trial

+Admins can disable the trial anytime by selecting **Trials** on the left navigation, going to the **Defender Vulnerability Management** trial card and selecting **End trial**.

+Unless stated otherwise for the solution your trial data will be maintained for time, usually 180 days, before being permanently deleted. You may continue to access the data gathered during the trial until that time.

+## Terms and conditions

+See the [terms and conditions](/legal/microsoft-365/microsoft-365-trial) for Microsoft 365 trials.

+## Learn more about Defender Vulnerability Management

+Wondering what you can experience in your free trial? The Defender Vulnerability Management trial includes:

+- **[Security baselines assessment](tvm-security-baselines.md)**: When the trial ends security baseline profiles may be stored for a short additional time before being deleted.

+- **[Blocking vulnerable applications (beta)](tvm-block-vuln-apps.md)**: When the trial ends blocked applications will be immediately unblocked whereas baseline profiles may be stored for a short additional time before being deleted.

+- **[Browser extensions assessment](tvm-browser-extensions.md)**

+- **[Digital certificates assessment](tvm-certificate-inventory.md)**

+- **[Network shares analysis](tvm-network-share-assessment.md)**

+ Title: Trial playbook - Microsoft Defender Vulnerability Management (public preview)

+description: Learn how Microsoft Defender Vulnerability Management can help you protect all your users and data.

+keywords: vulnerability management, threat and vulnerability management, Microsoft Defender for Endpoint TVM, Microsoft Defender for Endpoint-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, Microsoft Defender for Endpoint, Microsoft Defender Vulnerability Management, endpoint vulnerabilities, next generation

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mde

+# Trial playbook: Microsoft Defender Vulnerability Management

+## Welcome to the Microsoft Defender Vulnerability Management trial playbook

+This playbook is a simple guide to help you make the most of your free trial. Using the suggested steps in this playbook from the Microsoft Security team, you'll learn how vulnerability management can help you protect all your users and data.

+## What is Microsoft Defender Vulnerability Management?

+Reducing cyber risk requires a comprehensive risk-based vulnerability management program to identify, assess, remediate, and track important vulnerabilities across your most critical assets.

+Microsoft Defender Vulnerability Management is a new service that proactively provides continuous real-time discovery and assessment of vulnerabilities, context-aware threat & business prioritization, and built-in remediation processes. It includes all Defender Vulnerability Management capabilities in Microsoft Defender for Endpoint and new enhanced capabilities so your teams can further intelligently assess, prioritize, and seamlessly remediate the biggest risks to your organization.

+Watch the following video to learn more about Defender Vulnerability Management:

+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Y1FX]

+## Let's get started

+### Step 1: Set-up

+> [!NOTE]

+> Users need to have the global admin role defined in Azure AD to onboard the trial.

+1. Check [permissions and pre-requisites.](tvm-prerequisites.md)

+2. The Microsoft Defender Vulnerability Management preview trial can be accessed in several ways:

+ Via the [Microsoft 365 Defender portal](https://security.microsoft.com) under Trials.

+ :::image type="content" source="../../medivm-trialshub.png" alt-text="Screenshot of Microsoft Defender Vulnerability Management trial hub landing page.":::

+ Via the [Microsoft Admin Center](https://admin.microsoft.com/#/catalog) (global admins only).

+3. Sign up for the trial depends on whether you already have Microsoft Defender for Endpoint Plan 2 or not.

+ - If you have Defender for Endpoint Plan 2, choose [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-the-defender-vulnerability-management-add-on-public-preview-trial-for-defender-for-endpoint-plan-2-customers).

+ - If you don't have Defender for Endpoint Plan 1 or Plan 2, or Microsoft 365 E3, choose [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone).

+4. When you're ready to get started, visit the [Microsoft 365 Defender portal](https://security.microsoft.com) to start using the Defender Vulnerability Management trial.

+> [!NOTE]

+> This is a public preview trial. Details on your purchase options for this new offering will be made available once the offering is generally available.

+> [!NOTE]

+> Once you activate the trial it can take up to 6 hours for the new features to become available in the portal.

+Now that you have set up your trial, it's time to try key capabilities.

+### Step 2: Know what to protect in a single view

+Built-in and agentless scanners continuously monitor and detect risk even when devices aren't connected to the corporate network. Expanded asset coverage consolidates software applications, digital certificates, network shares, and browser extensions into a single inventory view.

+1. [**Device inventory**](../defender-endpoint/machines-view-overview.md) - The device inventory shows a list of the devices in your network. By default, the list displays devices seen in the last 30 days. At a glance, you'll see information such as domains, risk levels, OS platform, associated CVEs, and other details for easy identification of devices most at risk.

+2. Discover and assess your organization's software in a single, consolidated inventory view:

+ - [**Software application inventory**](tvm-software-inventory.md) - the software inventory in Defender Vulnerability Management is a list of known applications in your organization. The view includes vulnerability and misconfiguration insights across installed software with prioritized impact scores and details such as OS platforms, vendors, number of weaknesses, threats, and an entity-level view of exposed devices.

+ - [**Browser extension assessments**](tvm-browser-extensions.md) - the browser extensions page displays a list of the extensions installed across different browsers in your organization. Extensions usually need different permissions to run properly. Defender Vulnerability Management provides detailed information on the permissions requested by each extension and identifies those with the highest associated risk levels, the devices with the extension turned on, installed versions, and more.

+ - [**Certificate inventory**](tvm-certificate-inventory.md) - the certificate inventory allows you to discover, assess, and manage digital certificates installed across your organization in a single view. This can help you:

+ - Identify certificates that are about to expire so you can update them and prevent service disruption.

+ - Detect potential vulnerabilities due to the use of weak signature algorithm (for example, SHA-1-RSA), short key size (for example, RSA 512 bit), or weak signature hash algorithm (for example, MD5).

+ - Ensure compliance with regulatory guidelines and organizational policy.

+3. [Assign device value](tvm-assign-device-value.md) - defining a device's value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the Defender Vulnerability Management exposure score calculation. Devices assigned as "high value" will receive more weight. Device value options:

+ - Low

+ - Normal (Default)

+ - High

+ You can also use the [set device value API](/microsoft-365/security/defender-endpoint/set-device-value).

+### Step 3: Track and mitigate remediation activities

+1. [**Request remediation**](tvm-remediation.md#request-remediation) - vulnerability management capabilities bridge the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Recommendation** pages to [Intune](/mem/intune/).

+2. [**View your remediation activities**](tvm-remediation.md#view-your-remediation-activities) - when you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked on a **Remediation** page, and a remediation ticket is created in Microsoft Intune.

+3. [**Block vulnerable applications**](tvm-block-vuln-apps.md) - Remediating vulnerabilities takes time and can be dependent on the responsibilities and resources of the IT team. Security admins can temporarily reduce the risk of a vulnerability by taking immediate action to block all currently known vulnerable versions of an application or warn users with customizable messages before opening vulnerable app versions until the remediation request is completed. The block option gives IT teams time to patch the application without security admins worrying that the vulnerabilities will be exploited in the meantime.

+ - [How to block vulnerable applications](tvm-block-vuln-apps.md#how-to-block-vulnerable-applications)

+ - [View remediation activities](tvm-block-vuln-apps.md#view-remediation-activities)

+ - [View blocked applications](tvm-block-vuln-apps.md#view-blocked-applications)

+ - [Unblock applications](tvm-block-vuln-apps.md#unblock-applications)

+4. Use enhanced assessment capabilities such as [Network shares analysis](tvm-network-share-assessment.md) to protect vulnerable network shares. As network shares can be easily accessed by network users, small common weaknesses can make them vulnerable. These types of misconfigurations are commonly used in the wild by attackers for lateral movement, reconnaissance, data exfiltration, and more. That's why we built a new category of configuration assessments in Defender Vulnerability Management that identify the common weaknesses that expose your endpoints to attack vectors in Windows network shares. This helps you:

+ - Disallow offline access to shares

+ - Remove shares from the root folder

+ - Remove share write permission set to 'Everyone'

+ - Set folder enumeration for shares

+

+5. View and monitor your organization's devices using a [**Vulnerable devices report**](tvm-vulnerable-devices-report.md) that shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure.

+### Step 4: Set up security baseline assessments

+Instead of running point-in-time compliance scans, security baselines assessment helps you to continuously and proactively monitor your organization's compliance against industry security benchmarks in real time. A security baseline profile is a customized profile that you can create to assess and monitor endpoints in your organization against industry security benchmarks (CIS, NIST, MS). When you create a security baseline profile, you're creating a template that consists of multiple device configuration settings and a base benchmark to compare against.

+Security baselines provide support for Center for Internet Security (CIS) benchmarks for Windows 10, Windows 11, and Windows Server 2008 R2 and above, as well as Security Technical Implementation Guides (STIG) benchmarks for Windows 10 and Windows Server 2019.

+1. Get started with [security baselines assessment](tvm-security-baselines.md#get-started-with-security-baselines-assessment)

+2. Review [security baseline profile assessment results](tvm-security-baselines.md#review-security-baseline-profile-assessment-results)

+3. [Use advanced hunting](tvm-security-baselines.md#use-advanced-hunting)

+### Step 5: Create meaningful reports to get in-depth insights using APIs and Advanced Hunting

+Defender Vulnerability Management APIs can help drive clarity in your organization with customized views into your security posture and automation of vulnerability management workflows. Alleviate your security team's workload with data collection, risk score analysis, and integrations with your other organizational processes and solutions. For more information, see:

+- [Export assessment methods and properties per device](../defender-endpoint/get-assessment-methods-properties.md)

+- [Defender Vulnerability Management APIs blog](https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/new-threat-amp-vulnerability-management-apis-create-reports/ba-p/2445813)

+Advanced hunting enables flexible access to Defender Vulnerability Management raw data, which allows you to proactively inspect entities for known and potential threats.

+For more information, see [Hunt for exposed devices](../defender-endpoint/advanced-hunting-overview.md).

+## Additional resources

+- Compare offerings: [Microsoft Defender Vulnerability Management](defender-vulnerability-management-capabilities.md)

+- [Defender Vulnerability Management documentation](../defender-vulnerability-management/index.yml)

+- Datasheet: [Microsoft Defender Vulnerability Management: Reduce cyber risk with continuous vulnerability discovery and assessment, risk-based prioritization, and remediation](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4XR02)

+> [!NOTE]

+> Experts on Demand is not a security incident response service. ItΓÇÖs intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).

+> [!NOTE]

+> Experts on Demand is not a security incident response service. ItΓÇÖs intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/)

+3. On the **Email attachments** tab, click  **Submit to Microsoft for analysis**.

+3. On the **URLs** tab, click  **Submit to Microsoft for analysis**.

+On the **User reported messages** tab, select a message in the list, click  **Submit to Microsoft for analysis**, and then select one of the following values from the dropdown list:

+ Title: Track and respond to emerging security threats with campaigns view in Microsoft Defender for Office 365

+description: Walkthrough of threat campaigns within Microsoft Defender for Office 365 to demonstrate how they can be used to investigate a coordinated email attack against your organization.

+search.product:

+search.appverid:

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+f1.keywords:

+ - NOCSH

+ms.localizationpriority: medium

+audience: ITPro

+ms.technology: mdo

+# Track and respond to emerging threats with campaigns in Microsoft Defender for Office 365

+Campaigns can be used to track and respond to emerging threats because campaigns allow you to investigate a coordinated email attack against your organization. As new threats target your organization, Microsoft Defender for Office 365 will automatically detect and correlate malicious messages.

+## What you will need

+- Microsoft Defender for Office 365 Plan 2 (included in E5 plans).

+- Sufficient permissions (Security Reader role).

+- Five to ten minutes to perform these steps.

+## What is a campaign in Microsoft Defender for Office 365

+A campaign is a coordinated email attack against one or many organizations. Email attacks that steal credentials and company data are a large and lucrative industry. As technologies to stop attacks grow and multiply, attackers modify their methods to continue their success.

+Microsoft leverages vast amounts of anti-phishing, anti-spam, and anti-malware data across the entire service to help identify campaigns. We analyze and classify the attack information according to several factors, for example:

+- **Attack source**: The source IP addresses and sender email domains.

+- **Message properties**: The content, style, and tone of the messages.

+- **Message recipients**: How recipients are related, for example, recipient domains, recipient job functions (such as admins and executives), company types (such as large, small, public, and private), and industries.

+- **Attack payload**: Malicious links, attachments, or other payloads in the messages.

+A campaign might be short-lived, or could span several days, weeks, or months with active and inactive periods. A campaign might be launched against your specific organization, or your organization might be part of a larger campaign across *multiple* companies.

+> [!TIP]

+> To learn more about the data available within a campaign, read [Campaign Views in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/campaigns).

+## Watch the *Exploring campaign views* video

+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWGBL8]

+## Investigating a suspicious email campaign using threat reports

+In the event that a campaign has targeted your organization and youΓÇÖd like to learn more about the impact:

+1. Navigate to the [campaign page](https://security.microsoft.com/campaigns).

+1. Select the campaign name that you would like to investigate.

+1. Upon the flyout opening, select **Download threat report**.

+1. Open the threat report and it will provide more information surrounding the campaign. The information in the report includes:

+- **Executive summary:** High-level summary of the type of campaign and the number of users targeted in your organization.

+- **Analysis:** Timeline chart of when the campaign started, the count of messages targetting your organization, and the destination and verdicts of the messages.

+- **Attack origin:** Top sending IP addresses and domains with a count of messages that were delivered to inboxes in your organization. This allows you to investigate who is targeting your organization.

+- **Email template and payload:** The subject line of the emails that were part of the campaign and URLs (and their frequency) present as part of the campaign.

+- **Recommendations:** Recommendations for next steps to remediate messages.

+## Investigate inboxed messages that are part of a email threat campaign

+1. Navigate to the [campaign page](https://security.microsoft.com/campaigns).

+1. Scroll through the list of campaigns in the **Details view**, below the graph.

+1. Select the campaign name you want to investigate. If the campaign has a click count of more than zero, that indicates that a user in your organization clicked on a URL or downloaded a file from the email.

+1. The campaign flyout displays more information about the campaign, the graph displays a timeline of the campaign from campaign start to end date, and the horizontal flow diagram displays the stages of the campaign from its origin, the verdict, and the current location of the messages.

+1. Below the flow diagram, select the **URL clicks** tab to display information regarding the click. Here you can see the user that clicked on a URL, if the user is tagged as a priority account user, the URL itself, and the time of click.

+1. If you want to learn more about the inboxed and clicked messages, select **Explore messages** > **Inboxed messages**. A new tab will open and navigate to Threat Explorer.

+1. In the **details view** of Explorer you can reference **Latest delivery** to determine if a message is still in the inbox or was moved into quarantine by system ZAP. _To get more details about the specific message, select the message. The flyout provides extra information. Upon selecting the **Open email entity page** on the top left of the flyout, a new tab will open and give you further information about the message._

+1. If you would like to take an action and move the messages out of the inbox, you can select the message and then select **Message actions** > **Move to junk folder**. This will ensure your user doesnΓÇÖt continue to interact with the malicious message that could result in a potential breach.

+## Next steps

+To learn more, read, [Campaign Views in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/campaigns).

+ Title: Steps to quickly set up the Standard or Strict preset security policies for Microsoft Defender for Office 365

+description: Step to setup preset security policies in Microsoft Defender for Office 365 so you have the security recommended by the product. Preset policies set a security profile of either *Standard* or *Strict*. Set these and Microsoft Defender for Office 365 will manage and maintain these security controls for you.

+# Set up steps for the Standard or Strict preset security policies in Microsoft Defender for Office 365

+Does Microsoft Defender for Office 365 gave you a way to apply security policies that it would then maintain?

+Did you know that when a best practice for a security control changes due to the evolving threat landscape, or as new controls are added, Microsoft *automatically* updates security control settings for users assigned to a *Standard* or *Strict* preset security policy?

+By using preset security policies (*Standard* or *Strict*), you will always have Microsoft's *recommended, best practice, configuration* for your users.

+**Use the steps below** to apply preset security policies and have Microsoft Defender for Office 365 manage and maintain security controls *for you*.

+## Choose between Standard and Strict policies

+## Enable Security Presets in Microsoft Defender for Office 365

+1. On the **Impersonation Protection** section, add email addresses & domains to protect from impersonation attacks, then add any trusted senders and domains you do not want the impersonation protection to apply to, then press **Next**.

+1. Click on the **Confirm** button.

+1. Select the **Manage** link in the Strict protection preset.

+1. Repeat steps 7-10 again, but for the users strict protection should be applied to. (if applicable)

+1. Click on the **Confirm** button.

+> To learn more about preset policies click [here](../../office-365-security/preset-security-policies.md)

+## Your next step is Config Analyzer

+Secure Presets are always recommended because it *ensures* admins are exercising Microsoft best practices. However, in some cases customized configurations are required. Learn about custom policies [here](../../office-365-security/tenant-wide-setup-for-increased-security.md).

+ Title: Steps to set up a weekly digest email of message center changes for Microsoft Defender for Office 365

+description: The steps to setup a weekly digest email of message center activity to stay up-to-date about changes to Microsoft Defender for Office 365.

+# Set up a digest notification of changes to Microsoft Defender for Office 365 using the message center

+Would it be convenient if, every week, a digest email of Microsoft Defender for Office 365 changes from the Microsoft message center landed in your inbox?

+The message center is where admins learn about official *service announcements and feature changes*, via visiting the site (desktop or mobile app), consulting Microsoft Planner, or *by email*.

+Follow the steps below to make that helpful digest email happen.

+## Steps to set up a weekly digest mail of message center changes and notifications.

+1. Login to the **Admin Center** at https://admin.microsoft.com

+1. On the left-hand navigation, select **Show All**.

+1. Expand **Health** and press **Message Center**.

+1. On the page that loads, select **Preferences**.

+1. A flyout will appear on the right, select the **Email** tab.

+1. Ensure the email notification settings are as expected, you can select **Other e-mail addresses** if required to setup the digest to be sent to different users or a shared mailbox for example.

+1. Select the **Send me a weekly digest about services I select** box, and select the services you wish to receive information about, as a minimum you should select **Exchange Online** & **Microsoft 365 Defender**.

+1. Press **Save**.

+You're done.

+> [!TIP]

+> **Hove you seen our step-by-step guides?** Configuration 1-2-3s and no frills, for admins in a hurry. Visit for the steps to *[enable DMARC Reporting for Microsoft Online Email Routing Addresses (MOERA) and parked Domains](step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains.md)*.