Updates from: 08/06/2021 03:13:51
Category Microsoft Docs article Related commit history on GitHub Change details
admin Change Nameservers At Any Domain Registrar https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/get-help-with-domains/change-nameservers-at-any-domain-registrar.md
For example, here are some additional steps that might be required for email and
- Move all email addresses that use your domain to Microsoft 365 before you change your NS records. -- Want to add a domain that's currently used with a website address, like www.fourthcoffee.com? You can take below steps while you add the domain to keep its website hosted where the site is hosted now so people can still get to the website after you change the domain's NS records to point to Microsoft 365.
+- Want to add a domain that's currently used with a website address, like `https://www.fourthcoffee.com`? You can take below steps while you add the domain to keep its website hosted where the site is hosted now so people can still get to the website after you change the domain's NS records to point to Microsoft 365.
1. In the admin center, go to the **Settings** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834818" target="_blank">Domains</a> page.
admin Get Started Windows 365 Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/get-started-windows-365-business.md
search.appverid: - MET150 - MOE150 description: Learn how to buy Windows 365 Business for your organization, and help users start using their Cloud PCs. # Get started with Windows 365 Business and Cloud PCs
-This article is for people who plan to buy and set up Windows 365 Business for their organization.
+This article is for people who plan to buy and set up Windows 365 Business for their organization.
-[Windows 365 Business](https://www.microsoft.com/windows-365/business) is a version of Windows 365 that is made specifically for use in smaller companies (up to 300 seats). It gives organizations an easy, streamlined way of providing Cloud PCs to their users. With Windows 365 Cloud PCs, you can stream your apps, data, content, settings, and storage from the Microsoft cloud.
+[Windows 365 Business](https://www.microsoft.com/windows-365/business) is a version of Windows 365 that is made specifically for use in smaller companies (up to 300 seats). It gives organizations an easy, streamlined way of providing Cloud PCs to their users. With Windows 365 Cloud PCs, you can stream your apps, data, content, settings, and storage from the Microsoft cloud.
> [!NOTE]
-> Before starting, make sure that your [Azure AD device settings](/azure/active-directory/devices/device-management-azure-portal#configure-device-settings) for **Users may join devices to Azure AD** are set to **All**.
+> Before starting, make sure that your [Azure AD device settings](/azure/active-directory/devices/device-management-azure-portal#configure-device-settings) for **Users may join devices to Azure AD** are set to **All**.
![Users may join devices to Azure AD settings](../../media/deschutes/azure-device-settings.png)- ## Prerequisites There are no prerequisites to set up Windows 365 Business.-- ## Buy subscriptions There are two different ways in which you can buy Windows 365 Business subscriptions for your users:+ - The [Windows 365 products site](https://www.microsoft.com/windows-365/business/compare-plans-pricing) - Microsoft 365 admin center
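Review bot: the NOTE tells admins to set **Users may join devices to Azure AD** to **All** without saying that this is a tenant-wide Azure AD device setting rather than a Windows 365 setting, so the change widens who can join any device to the tenant, not only Cloud PCs. Suggest one sentence stating the scope of the setting and whether a narrower value is supported for Windows 365, or pointing readers to the linked Azure AD page for that decision.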
-After you buy a subscription, you can use the Microsoft 365 admin center to assign licenses to users in your organization.
--
+After you buy a subscription, you can use the Microsoft 365 admin center to assign licenses to users in your organization.
### Buy subscriptions through the Windows 365 products site
-If you don't already have a Microsoft 365 subscription, you can buy your Windows 365 Business subscriptions on the [Windows 365 products site](https://www.microsoft.com/windows-365/business/compare-plans-pricing). Use the following steps to buy a Windows 365 Business subscription through the Windows 365 products page.
-
+If you don't already have a Microsoft 365 subscription, you can buy your Windows 365 Business subscriptions on the [Windows 365 products site](https://www.microsoft.com/windows-365/business/compare-plans-pricing). Use the following steps to buy a Windows 365 Business subscription through the Windows 365 products page.
-1. On the [Windows 365 Business](https://www.microsoft.com/windows-365/business) page, select **See plans and pricing**.
+1. On the [Windows 365 Business](https://www.microsoft.com/windows-365/business) page, select **See plans and pricing**.
2. On the next page, select the subscription you want to purchase, and then select **Buy now**. 3. On the **Thank you for choosing Windows 365 Business** page, follow the steps to set up your account. 4. In **step 5 - Confirmation details**, if you are ready to assign licenses to users, select **Get started** to go to your Windows 365 home page at https://windows365.microsoft.com. 5. On the Windows 365 home page, in the **Quick actions** section, select **Manage your organization**. This takes you to the Microsoft 365 admin center where you can assign licenses to users. -- ### Buy a subscription through the Microsoft admin center If you already have a Microsoft 365 tenant and are a Global or Billing admin, you can use the Microsoft 365 admin center to buy a Windows 365 Business subscription for your organization.
4. On the **Checkout** page, enter the number of subscriptions you want to buy, as well and your payment information. Then select **Place Order**. 5. The **You're all set!** page appears confirming your purchase. -
-## Assign licenses to users
+## Assign licenses to users
Whether you purchased your subscriptions through the Windows 365 products site, or through the Microsoft 365 admin center, you can [assign licenses to users](/microsoft-365/admin/manage/assign-licenses-to-users) through the **Billing** page in the Microsoft 365 admin center.
-You can assign different Windows 365 Business license types to a user, based on the users business need. See [Windows 365 Business sizing options](windows-365-business-sizing.md) for guidance on which license type might be suitable for your users.
+You can assign different Windows 365 Business license types to a user, based on the users business need. See [Windows 365 Business sizing options](windows-365-business-sizing.md) for guidance on which license type might be suitable for your users.
+> [!IMPORTANT]
+> The first time a Windows 365 license is assigned on your tenant, a system account called "CloudPCBPRT" is automatically created in Azure Active Directory. Do not delete this account. If the system account is deleted, the setup might fail. This system account ensures a smooth set up process, and doesn't have any write capabilities or access to your tenant beyond the scoped service capabilities of Windows 365 Business. If you delete this user, file a ticket through Support Central.
## Get your users started with Cloud PC
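Review bot: the new IMPORTANT callout says both "Do not delete this account" and "If you delete this user, file a ticket through Support Central", which reads as contradictory; suggest rewording the last sentence as recovery guidance ("If the account has already been deleted, file a ticket ..."). The callout also gives identity teams only the name "CloudPCBPRT" to recognise the account in Azure AD audit or sign-in reviews, and "doesn't have any write capabilities" is vague about what the account can actually do; stating its role or scope would let admins allow-list it deliberately rather than by display name alone.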
After licenses are assigned, let your users know that there are two different wa
Users can navigate to **https://windows365.microsoft.com** to access their Cloud PCs.
-On their Windows 365 home page, users see the Cloud PCs they have access to in the **Your Cloud PCs** section.
+On their Windows 365 home page, users see the Cloud PCs they have access to in the **Your Cloud PCs** section.
![Windows 365 home](../../media/deschutes/cloudpc-home.png)
While on the Windows 365 home page, users can perform actions on their Cloud PCs
- **Restart**: Restarts the Cloud PC. - - **Reset**: Reset does the following: - Reinstalls Windows 10.
> [!IMPORTANT] > Before resetting your Cloud PC, make sure to back up any important files you need to keep to a cloud storage service or external storage. Resetting your Cloud PC will delete these files. -- **Rename**: Changes the name of the Cloud PC shown to the user on the Windows 365 home page.
+- **Rename**: Changes the name of the Cloud PC shown to the user on the Windows 365 home page.
- **Troubleshoot**: Troubleshoot and attempt to fix any issues that may be keeping a user from connecting to their Cloud PC. The following table describes the statuses that can result from the checks.
|Can’t connect to Cloud PC. We’re working to fix it, try again later. |A Microsoft service required for connectivity is unavailable. Try connecting again later. | |We couldn’t fix issues with your Cloud PC. Contact your administrator. |An issue was detected but it was unable to be fixed. This could be due to an ongoing Windows update or another issue. If this error persists for an extended period of time the Cloud PC may need to be reset. | --- ### Remote Desktop
-The Microsoft Remote Desktop app lets users access and control a remote PC, including a Cloud PC. Windows 365 users can download and install the Remote Desktop client they need from the Windows 365 home page.
+The Microsoft Remote Desktop app lets users access and control a remote PC, including a Cloud PC. Windows 365 users can download and install the Remote Desktop client they need from the Windows 365 home page.
#### Install the Microsoft Remote Desktop app To set up their Remote Desktop client, users follow these steps:
-1. On the **Windows 365 home page**, select the **Microsoft Remote Desktop apps** icon (under the home icon).
-2. On the **Microsoft Remote Desktop apps** page, download and install the Remote Desktop app you need.
+1. On the **Windows 365 home page**, select the **Microsoft Remote Desktop apps** icon (under the home icon).
+2. On the **Microsoft Remote Desktop apps** page, download and install the Remote Desktop app you need.
![Remote desktop clients](../../media/deschutes/remote-desktop-apps.png)
-For a list of clients by operating system, see [Remote Desktop clients](/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients).
-
+For a list of clients by operating system, see [Remote Desktop clients](/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients).
## Installing apps
Users can install apps on their Cloud PC as they would normally in Windows by ei
All Windows 365 Business users have local administrator privileges on their Cloud PC, so they should have the permissions required to install apps to their workspaces.
+> [!IMPORTANT]
+> If a user tries to use a Microsoft 365 Business Standard license on their Cloud PC, they might see the following error: "Account Issue: The products we found in your account cannot be used to activate Office in shared computer scenarios." In this scenario, the user must uninstall the version of Office installed on their Cloud PC and install a new copy from Office.com.
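Review bot: the unchanged sentence just above this hunk, "All Windows 365 Business users have local administrator privileges on their Cloud PC", is the one line in the section with a security consequence and it carries no guidance, while the new IMPORTANT callout covers only an Office activation error. Suggest a short pointer from that sentence to the "Management through Intune" section below for organizations that want to manage those devices, so the local-admin statement is not left standing on its own.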
- ## Management through Intune
+## Management through Intune
Windows 365 Business does not enroll Cloud PCs to [Intune](/mem/intune/fundamentals/what-is-intune) as part of the provisioning process. If the organization and users are properly licensed, Cloud PCs can be enrolled to Intune using the same procedure for [enrolling Windows 10 machines to Intune](/mem/intune/user-help/enroll-windows-10-device).
Sending outbound email messages directly on port 25 from a Windows 365 Business
If you need to get help while setting up Windows 365 Business in the Microsoft 365 admin center, see [Get help or support](/microsoft-365/business-video/get-help-support). -- ## Related content [Windows 365 Business](https://www.microsoft.com/windows-365/business) <br/>
compliance Advanced Ediscovery Large Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/advanced-ediscovery-large-cases.md
Additionally, the new large case format includes an updated user interface that
## Known issues -- At this time, the option to export content as **Loose files and PSTs** isn't supported in large cases (the option is currently greyed out). This export option will be supported soon. For more information about exporting content, see [Export documents from a review set in Advanced eDiscovery](export-documents-from-review-set.md).
+- The option to export content as **Loose files and PSTs** is not currently supported in large cases (the option is greyed out). This export option for large cases will be supported soon. For more information about exporting content, see [Export documents from a review set in Advanced eDiscovery](export-documents-from-review-set.md).
+
+- The Advanced indexing that occurs when you add custodians and non-custodial data source to a case is not currently supported in large cases. The indexing job is created, but it doesn't complete. Advanced indexing in large cases will be supported soon. For more information about Advanced indexing, see [Advanced indexing of custodian data](indexing-custodian-data.md).
## Frequently asked questions
compliance App Governance Countries https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-countries.md
Title: "Get Started with app governance"
+ Title: "Supported regions for app governance"
f1.keywords: - NOCSH
compliance App Governance Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-get-started.md
description: "Get started with app governance capabilities to govern your apps."
To begin using the app governance add-on to Microsoft Cloud App Security:
-1. Verify your account has the [appropriate level of licensing](#licensing-for-app-governance). App governance is an add-on feature for Microsoft Cloud App Security (MCAS), and thus MCAS must be present in your account as either a standalone product or as part of the various license packages listed below.
+1. Verify your account has the [appropriate level of licensing](#licensing-for-app-governance). App governance is an add-on feature for Microsoft Cloud App Security (MCAS), and thus MCAS must be present in your account as either a standalone product or as part of the various license packages.
1. You must have one of the [administrator roles](#administrator-roles) listed below to access the app governance pages in the portal. 1. Your organization's billing address must be within one of the [supported areas of North America, Europe, or Africa](app-governance-countries.md) in order to activate the free trial.
-## Add app governance to your Microsoft 365 account
+## Sign up for free trial of app governance
For new Microsoft 365 customers:
-1. At the top of this page, click the **Free Account** button.
-1. Under **Try Microsoft 365 for business** click **Try 1 month free**.
+1. At the top of this page, select the **Free Account** button.
+1. Under **Try Microsoft 365 for business** select **Try 1 month free**.
1. Complete the steps for the sign-up.
+1. Continue with the steps for existing Microsoft 365 customers.
For existing Microsoft 365 customers:
-1. In your Microsoft 365 admin center, navigate to **Billing** > **Purchase services** and click **Add-ons**. Use the search bar to locate **app governance**.
-1. In the app governance card, click **Details**.
-1. Click **Activate Start free trial**.
+1. Navigate to the [sign up page for the free trial](https://admin.microsoft.com/Commerce/Trial.aspx?OfferId=20be85b6-b196-402c-82b4-36b4e72862dc).
+1. Complete the steps to add app governance. Sign-up is simple, as shown in the following graphic.
-## Add integration with MCAS
-Pre requisites:
+## Add integration with MCAS
+
+Prerequisites:
- Office 365 is connected in Cloud App Security - Office 365 Azure AD apps are enabled
-To enable app governance sync with Cloud App Security follow these steps:
+To enable app governance sync with Cloud App Security, follow these steps:
1. Go to your Microsoft Cloud App Security portal – [https://portal.cloudappsecurity.com](https://portal.cloudappsecurity.com)
-1. Click the gear icon (top right corner) and select **Settings**.
+1. Select the gear icon (top right corner) and select **Settings**.
1. Under **Threat Protection**, select **App Governance**.
-1. Click **Enable App Governance integration**, and then select **Save**.
+1. Select **Enable App Governance integration**, and then select **Save**.
Next, review newly enabled policies in MCAS. The new policies might take few minutes to appear once integration is enabled.
- Microsoft 365 OAuth App Governance - Review App Governance widget in MCAS dashboard - Review newly generated App Governance alerts in MCAS alerts-- Review MCAS M365 OAuth policies in App Governance policy list-- Review newly generated  MCAS M365 OAuth alerts  in App Governance alerts
+- Review MCAS Microsoft 365 OAuth policies in App Governance policy list
+- Review newly generated  MCAS Microsoft 365 OAuth alerts  in App Governance alerts
## Licensing for app governance
compliance App Governance Manage App Governance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/app-governance-manage-app-governance.md
description: "Implement Microsoft app governance capabilities to govern your app
>*[Microsoft 365 licensing guidance for security & compliance](https://aka.ms/ComplianceSD).* > [!NOTE]
-> To sign up for app governance, see [Get started with app governance (in preview)](app-governance-get-started.md#add-app-governance-to-your-microsoft-365-account).
+> To sign up for app governance, see [Get started with app governance (in preview)](app-governance-get-started.md#sign-up-for-free-trial-of-app-governance).
Cyberattacks have become increasingly sophisticated in the ways they exploit the apps you have deployed in your on-premises and cloud infrastructures, establishing a starting point for privilege escalation, lateral movement, and exfiltration of your data. To understand the potential risks and stop these types of attacks, you need to gain clear visibility into your organization’s app compliance posture to quickly identify when an app exhibits anomalous behaviors and to respond when these behaviors present risks to your environment, data, and users.
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
There are two different methods for automatically applying a sensitivity label t
- These files can be auto-labeled at rest before or after the auto-labeling policies are created. Files cannot be auto-labeled if they are part of an open session (the file is open). - Currently, attachments to list items aren't supported and won't be auto-labeled. - Maximum of 25,000 automatically labeled files in your tenant per day.
- - Maximum of 10 auto-labeling policies per tenant, each targeting up to 10 sites (SharePoint or OneDrive).
+ - Maximum of 10 auto-labeling policies per tenant, each targeting up to 10 sites (SharePoint or OneDrive). With the [recent enhancements now rolling out](#recent-enhancements-for-auto-labeling-policies), these numbers increase to 100 policies and 100 sites when they are specified individually. You can also specify all sites, and this configuration is exempt from the 100 sites maximum.
- Existing values for modified, modified by, and the date are not changed as a result of auto-labeling policies—for both simulation mode and when labels are applied. - When the label applies encryption, the [Rights Management issuer and Rights Management owner](/azure/information-protection/configure-usage-rights#rights-management-issuer-and-rights-management-owner) is the account that last modified the file.
Use the following table to help you identify the differences in behavior for the
|:--|:--|:--| |App dependency|Yes ([minimum versions](sensitivity-labels-office-apps.md#support-for-sensitivity-label-capabilities-in-apps)) |No \* | |Restrict by location|No |Yes |
+|Conditions: Exact Data Match for custom sensitive info types|Yes |No |
|Conditions: Trainable classifiers|Yes |No | |Conditions: Sharing options and additional options for email|No |Yes | |Conditions: Exceptions|No |Yes (email only) |
Also similarly to DLP policy configuration, you can choose whether a condition m
> [!NOTE] > Auto-labeling based on custom sensitive information types applies only to newly created or modified content in OneDrive and SharePoint; not to existing content. This limitation also applies to auto-labeling polices.
+#### Custom sensitive information types with Exact Data Match
+
+You can configure a sensitivity label to use [Exact Data Match (EDM)-based classification](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) for custom sensitive information types. However, currently, you must also specify at least one sensitive information type that doesn't use EDM. For example, one of the built-in sensitive information types, such as **Credit card number**.
+
+If you configure a sensitivity label with only EDM for your sensitive information type conditions, the auto-labeling setting is automatically turned off for the label.
+ ### Configuring trainable classifiers for a label If you use this option, make sure you have published in your tenant at least one other sensitivity label that's configured for auto-labeling and the [sensitive info types option](#configuring-sensitive-info-types-for-a-label).
Specific to the Azure Information Protection unified labeling client:
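Review bot: the new "Custom sensitive information types with Exact Data Match" section states that a label configured with only EDM conditions has its auto-labeling setting "automatically turned off", but this is a plain sentence while the surrounding article uses NOTE and IMPORTANT callouts for behaviour that silently changes a setting. Suggest promoting it to a callout and saying where the admin can see that auto-labeling was turned off for the label, since a label that quietly stops auto-applying is a classification gap that is otherwise easy to miss.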
## How to configure auto-labeling policies for SharePoint, OneDrive, and Exchange
+> [!IMPORTANT]
+> New enhancements are currently rolling out for auto-labeling policies that include faster simulation results, support for more files and more sites, and email notifications. For more information, see [Recent enhancements for auto-labeling policies](#recent-enhancements-for-auto-labeling-policies).
+ Make sure you're aware of the prerequisites before you configure auto-labeling policies. ### Prerequisites for auto-labeling policies
Workflow for an auto-labeling policy:
1. Create and configure an auto-labeling policy. 2. Run the policy in simulation mode, which can take 48 hours to complete.
+
+ With the [recent enhancements](#recent-enhancements-for-auto-labeling-policies) now rolling out, this time is reduced to 12 hours and the completed simulation triggers an email notification that's sent to the user configured to receive [activity alerts](alert-policies.md).
3. Review the results, and if necessary, refine your policy. Rerun simulation mode and wait for it to complete again.
Finally, you can use simulation mode to provide an approximation of the time nee
6. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint sites, and OneDrive. Then select **Next**. ![Choose locations page auto-labelingwizard](../media/locations-auto-labeling-wizard.png)-
- You must specify individual SharePoint sites and OneDrive accounts. For OneDrive, the URL for a user's OneDrive account is in the following format: `https://<tenant name>-my.sharepoint.com/personal/<user_name>_<tenant name>_com`
+
+ To specify individual OneDrive accounts: The URL for a user's OneDrive account is in the following format: `https://<tenant name>-my.sharepoint.com/personal/<user_name>_<tenant name>_com`
For example, for a user in the contoso tenant that has a user name of "rsimone": `https://contoso-my.sharepoint.com/personal/rsimone_contoso_onmicrosoft_com`
- To verify the syntax for your tenant and identify URLs for users, see [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls).
+ To verify the syntax for your tenant and identify OneDrive URLs for users, see [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls).
7. For the **Set up common or advanced rules** page: Keep the default of **Common rules** to define rules that identify content to label across all your selected locations. If you need different rules per location, select **Advanced rules**. Then select **Next**.
For more information about the PowerShell cmdlets that support auto-labeling pol
- [Set-AutoSensitivityLabelPolicy](/powershell/module/exchange/set-autosensitivitylabelpolicy) - [Set-AutoSensitivityLabelRule](/powershell/module/exchange/set-autosensitivitylabelrule)
+## Recent enhancements for auto-labeling policies
+
+The recent enhancements now rolling out for auto-labeling policies for OneDrive and SharePoint have the following improvements from the previous version:
+
+- Maximum of 100 auto-labeling policies per tenant instead of 10.
+
+- Support for all OneDrive and SharePoint sites (the default for new policies) and the ability to select available SharePoint sites instead of having to enter each site by URL. When you use the new default of **All**, all existing SharePoint sites and OneDrive accounts in your tenant and any newly created sites and accounts are automatically included in the policy. When you select **Choose sites** for SharePoint, you can still manually enter sites by their URL if needed.
+
+- When you specify individual sites in an auto-labeling policy, up to 100 sites are now supported instead of 10 sites.
+
+- Maximum of 1,000,000 matched files per auto-labeling policy, although the total of 25,000 automatically labeled files in your tenant per day remains the same.
+
+- Simulation improvements:
+ - Running the auto-labeling policy in simulation mode completes within 12 hours instead of up to 48 hours.
+ - Better performance by providing up to 100 randomly sampled matched files for review for each site (OneDrive or SharePoint) instead of every matched item for review.
+ - When simulation is complete, an email notification is sent to the user configured to receive [activity alerts](alert-policies.md).
+
+- Improvements to help you review matched items:
+ - Additional metadata information for the sampled matched items.
+ - Ability to export information about the matched items, such as the SharePoint site name and file owner. You can use this information to pivot and analyze the matched files, and delegate to file owners for review if needed.
+
+> [!TIP]
+> To take advantage of the higher number of policies and sites supported, use PowerShell to efficiently create new policies and add additional sites to existing policies. For more information, see the [Use PowerShell for auto-labeling policies](#use-powershell-for-auto-labeling-policies) section on this page.
+
+### How to determine whether your tenant has the new enhancements
+
+When your tenant has the new enhancements, you'll see the following notification on the **Auto-labeling** tab:
+
+![Banner to confirm a tenant has the new enhancements](../media/auto-labeling-updatedbanner.png)
+
+If you don't see this notification, your tenant hasn't got the new enhancements but check again in a few days.
+
+> [!NOTE]
+> If you had any auto-labeling policies that were in simulation mode when your tenant received the new enhancements, you must re-run the simulation. If this scenario applies to you, you'll be prompted to select **Restart Simulation** when you review the simulation. If you don't restart the simulation, it won't complete.
+>
+> However, the enhancements still apply to any auto-labeling policies running without simulation and all new auto-labeling policies you create.
+ ## Tips to increase labeling reach Although auto-labeling is one of the most efficient ways to classify, label, and protect Office files that your organization owns, check whether you can supplement it with any of the additional methods to increase your labeling reach:
compliance Archive 17A 4 Skype For Business Server Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-17a-4-skype-for-business-server-data.md
+
+ Title: "Set up a connector to archive Skype for Business Server data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Learn how to set up and use a 17a-4 Skype for Business Server DataParser connector to import and archive Skype for Business Server data in Microsoft 365."
++
+# Set up a connector to archive Skype for Business Server data (preview)
+
+Use the [Skype Server DataParser](https://www.17a-4.com/skype-server-dataparser/) from 17a-4 LLC to import and archive data from a Skype for Business Server to user mailboxes in your Microsoft 365 organization. The DataParser includes a Skype for Business connector that's configured to capture items from a third-party data source and import those items to Microsoft 365. The Skype for Business Server DataParser connector converts Skype for Business Server data to an email message format and then imports those items to user mailboxes in Microsoft 365.
+
+After Skype for Business Server data is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, eDiscovery, retention policies and retention labels, and communication compliance. Using a Skype for Business Server connector to import and archive data in Microsoft 365 can help your organization stay compliant with government and regulatory policies.
+
+## Overview of archiving Skype for Business Server data
+
+The following overview explains the process of using a data connector to archive Skype for Business Server data in Microsoft 365.
+
+![Archiving workflow for Skype for Business Server data from 17a-4](../media/SkypeServerDataParserConnectorWorkflow.png)
+
+1. Your organization works with 17a-4 to set up and configure the Skype for Business Server DataParser.
+
+2. On a regular basis, Skype for Business Server items are collected by the DataParser. The DataParser also converts the content of a message to an email message format.
+
+3. The Skype for Business Server DataParser connector that you create in the Microsoft 365 compliance center connects to DataParser and transfers the messages to a secure Azure Storage location in the Microsoft cloud.
+
+4. A subfolder in the Inbox folder named **Skype for Business Server DataParser** is created in the user mailboxes, and the Skype for Business Server items are imported to that folder. The connector determines which mailbox to import items to by using the value of the *Email* property. Every Skype for Business Server item contains this property, which is populated with the email address of every participant.
+
+## Before you set up a connector
+
+- Create a DataParser account for Microsoft connectors. To do this, contact [17a-4 LLC](https://www.17a-4.com/contact/). You need to sign into this account when you create the connector in Step 1.
+
+- The user who creates the Skype for Business Server DataParser connector in Step 1 (and completes it in Step 3) must be assigned to the Mailbox Import Export role in Exchange Online. This role is required to add connectors on the **Data connectors** page in the Microsoft 365 compliance center. By default, this role is not assigned to a role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Step 1: Set up a Skype for Business Server DataParser connector
+
+The first step is to access to the Data connectors page in the Microsoft 365 compliance center and create a 17a-4 connector for Skype for Business Server data.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Skype for Business Server DataParser**.
+
+2. On the **Skype for Business Server DataParser** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. Enter a unique name that identifies the connector and then click **Next**.
+
+5. Sign in to your 17a-4 account and complete the steps in the Skype for Business Server DataParser connection wizard.
+
+## Step 2: Configure the Skype for Business Server DataParser connector
+
+Work with 17a-4 Support to configure the Skype for Business Server DataParser connector.
+
+## Step 3: Map users
+
+The Skype for Business Server DataParser connector will automatically map users to their Microsoft 365 email addresses before importing data to Microsoft 365.
+
+## Step 4: Monitor the Skype for Business Server DataParser connector
+
+After you create a Skype for Business Server DataParser connector, you can view the connector status in the Microsoft 365 compliance center.
+
+1. Go to <https://compliance.microsoft.com> and click **Data connectors** in the left nav.
+
+2. Click the **Connectors** tab and then select the Skype for Business Server DataParser connector that you created to display the flyout page, which contains the properties and information about the connector.
+
+3. Under **Connector status with source**, click the **Download log** link to open (or save) the status log for the connector. This log contains data that has been imported to the Microsoft cloud.
+
+## Known issues
+
+At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
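Review bot: The permissions bullet under "Before you set up a connector" says the creating user "completes it in Step 3", but Step 3 ("Map users") describes mapping that the connector performs automatically with no user action, so either drop the parenthetical or state what the user actually does there. Smaller fixes in the same hunk: "must be assigned to the Mailbox Import Export role" should read "must be assigned the Mailbox Import Export role", "sign into this account" should be "sign in to this account", and "The first step is to access to the Data connectors page" should be "to access the Data connectors page".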
compliance Archive Rogers Network Archiver Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archive-rogers-network-archiver-data.md
+
+ Title: "Set up a connector to archive Rogers Network data in Microsoft 365"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+localization_priority: Normal
+
+description: "Admins can set up a TeleMessage connector to import and archive Rogers Network data in Microsoft 365. This lets you archive data from third-party data sources in Microsoft 365 so you can use compliance features such as legal hold, content search, and retention policies to manage your organization's third-party data."
++
+# Set up a connector to archive Rogers Network data (preview)
+
+Use the TeleMessage connector in the Microsoft 365 compliance center to import and archive SMS and MMS data from the Rogers mobile network. After you set up and configure a [Rogers Network Archiver connector](https://www.telemessage.com/mobile-archiver/network-archiver/rogers/), it connects to your organization's Rogers mobile network, and imports SMS and MMS data to mailboxes in Microsoft 365.
+
+After data from the Rogers mobile network is stored in user mailboxes, you can apply Microsoft 365 compliance features such as Litigation Hold, Content search, and Microsoft 365 retention policies to the data. For example, you can search for SMS and MMS messages from the Rogers mobile network using Content search or a search associated with a Core eDiscovery case. Using a Rogers Network Archiver connector to import and archive data in Microsoft 365 can help your organization stay compliant with corporate governance regulations and regulatory policies.
+
+## Overview of archiving Rogers mobile network data
+
+The following overview explains the process of using a connector to archive Rogers SMS and MMS data in Microsoft 365.
+
+![Rogers Network archiving workflow](../media/RogersNetworkConnectorWorkflow.png)
+
+1. Your organization works with TeleMessage to set up a Rogers Network Archiver connector. For more information, see [Activating the TeleMessage Rogers Network Archiver for Microsoft 365](https://www.telemessage.com/microsoft-365-activation-for-the-rogers-network-archiver/).
+
+2. In real time, your organization's Rogers mobile network data is copied to the TeleMessage site.
+
+3. The Rogers Network Archiver connector that you create in the Microsoft 365 compliance center connects to the TeleMessage site every day and transfers the email messages from the previous 24 hours to a secure Azure Storage area in the Microsoft Cloud.
+
+4. The connector imports the mobile communication items to the mailbox of a specific user. A new folder named Rogers SMS/MMS Network Archiver will be created in the specific user's mailbox and the items will be imported to it. The connector does the mapping by using the value of the *User's Email address* property. Every email message contains this property, which is populated with the email address of every participant of the email message.
+
+ In addition to automatic user mapping using the value of the *User's Email address* property, you can also define a custom mapping by uploading a CSV mapping file. This mapping file should contain User's mobile Number and the corresponding Microsoft 365 mailbox address for each user. If you enable automatic user mapping and provide a custom mapping, for every email item the connector will first look at custom mapping file. If it doesn't find a valid Microsoft 365 user that corresponds to a user's mobile number, the connector will use the user's email address property of the email item. If the connector doesn't find a valid Microsoft 365 user in either the custom mapping file or the *user's email address* property of the email item, the item won't be imported.
+
+## Before you set up a connector
+
+- Order the [Rogers Network Archiver service from TeleMessage](https://www.telemessage.com/mobile-archiver/order-mobile-archiver-for-o365/) and get a valid administration account for your organization. You'll need to sign into this account when you create the connector in the compliance center.
+
+- Register all users that require Rogers Network archiving in the TeleMessage account. When registering users, be sure to use the same email address that's used for their Microsoft 365 account.
+
+- Your employees must have corporate-owned and corporate-liable mobile phones on the O2 mobile network. Archiving messages in Microsoft 365 isn't available for employee-owned or "Bring Your Own Devices (BYOD) devices.
+
+- Obtain the Rogers account and billing contact details for your organization so that you can complete the onboarding forms and order the message archiving service from Rogers.
+
+- The user who creates a Rogers Network Archiver connector in Step 3 must be assigned the Mailbox Import Export role in Exchange Online. This is required to add connectors in the **Data connectors** page in the Microsoft 365 compliance center. By default, this role isn't assigned to any role group in Exchange Online. You can add the Mailbox Import Export role to the Organization Management role group in Exchange Online. Or you can create a role group, assign the Mailbox Import Export role, and then add the appropriate users as members. For more information, see the [Create role groups](/Exchange/permissions-exo/role-groups#create-role-groups) or [Modify role groups](/Exchange/permissions-exo/role-groups#modify-role-groups) sections in the article "Manage role groups in Exchange Online".
+
+## Create a Rogers Network Archiver connector
+
+After you've completed the prerequisites described in the previous section, you can create the Rogers Network Archiver connector in the Microsoft 365 compliance center. The connector uses the information you provide to connect to the TeleMessage site and transfer Rogers SMS/MMS data to the corresponding user mailbox boxes in Microsoft 365.
+
+1. Go to <https://compliance.microsoft.com> and then click **Data connectors** > **Rogers Network Archiver**.
+
+2. On the **Rogers Network Archiver** product description page, click **Add connector**.
+
+3. On the **Terms of service** page, click **Accept**.
+
+4. On the **Login to TeleMessage** page, under Step 3, enter the required information in the following boxes and then click **Next**.
+
+ - **Username:** Your TeleMessage username.
+
+ - **Password:** Your TeleMessage password.
+
+5. After the connector is created, you can close the pop-up window and go to the next page.
+
+6. On the **User mapping** page, enable automatic user mapping. To enable custom mapping, upload a CSV file that contains the user mapping information, and then click **Next**.
+
+7. Review your settings, and then click **Finish** to create the connector.
+
+8. Go to the Connectors tab in **Data connectors** page to see the progress of the import process for the new connector.
+
+## Known issues
+
+- At this time, we don't support importing attachments or items that are larger than 10 MB. Support for larger items will be available at a later date.
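Review bot: The prerequisites bullet says employees must have phones "on the O2 mobile network", which is the wrong carrier for this article; it should say the Rogers mobile network. The same bullet has an unclosed quotation mark in '"Bring Your Own Devices (BYOD) devices', and the permissions bullet refers to creating "a Rogers Network Archiver connector in Step 3" although this article has no Step 3 section (the procedure is a single numbered list under "Create a Rogers Network Archiver connector"), so point to that section instead. Also "corresponding user mailbox boxes" should be "corresponding user mailboxes", and the front matter as shown has an empty "Last updated" value that should be filled in before publishing.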
compliance Archiving Third Party Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/archiving-third-party-data.md
TeleMessage data connectors are also available in GCC environments in the Micros
|[Bell Network](archive-bell-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Enterprise Number](archive-enterprise-number-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[O2 Network](archive-o2-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+|[Rogers Network](archive-rogers-network-archiver-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[Signal](archive-signal-archiver-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Telegram](archive-telegram-archiver-data.md)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[TELUS Network](archive-telus-network-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
Before you can archive third-party data in Microsoft 365, you have to work with
|[Quip](archive-17a-4-quip-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Refinitiv Eikon Messenger](archive-17a-4-refinitiv-messenger-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[ServiceNow](archive-17a-4-servicenow-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
+[Skype for Business Server](archive-17a-4-skype-for-business-server-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
|[Slack](archive-17a-4-slack-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[SQL](archive-17a-4-sql-database-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|| |[Symphony](archive-17a-4-symphony-data.md) |![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)|![Check mark](../media/checkmark.png)||
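Review bot: The added Skype for Business Server row is missing the leading pipe that every other row in this table has, so it will not render as a table row; it should begin with `|[Skype for Business Server](archive-17a-4-skype-for-business-server-data.md) |`.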
compliance Communication Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance.md
For the latest Ignite presentations for communication compliance, see the follow
For a quick overview of communication compliance, see the [Detect workplace harassment and respond with Communication Compliance in Microsoft 365](https://youtu.be/z33ji7a7Zho) video on the [Microsoft Mechanics channel](https://www.youtube.com/user/OfficeGarageSeries).
+Check out how [TD Securities is using communication compliance](https://customers.microsoft.com/story/1391545301764211731-td-securities-banking-capital-markets-compliance) to address their regulatory obligations and meet their security and stability needs.
+ ## Scenarios for communication compliance Communication compliance policies can assist with reviewing messages in your organization in several important compliance areas:
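Review bot: The "## Scenarios for communication compliance" heading is shown on the same line as the paragraph that follows it and is preceded by a space; in the source the heading must stand on its own line, with a blank line before it, or it renders as body text rather than a heading. The added TD Securities customer-story sentence itself is fine.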
compliance Conversation Review Sets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/conversation-review-sets.md
Instant messaging is a convenient way to ask questions, share ideas, or quickly communicate across large audiences. As instant messaging platforms, like Microsoft Teams and Yammer groups, become core to enterprise collaboration, organizations must evaluate how their eDiscovery workflow addresses these new forms of communication and collaboration.
-The Conversation Reconstruction feature in Advanced eDiscovery is designed to help you identify contextual content and produce distinct conversation views. This capability allows you to efficiently and rapidly review complete instant message conversations (also called *threaded conversations*) that are generated in platforms like Microsoft Teams.
+The conversation reconstruction feature in Advanced eDiscovery is designed to help you identify contextual content and produce distinct conversation views. This capability allows you to efficiently and rapidly review complete instant message conversations (also called *threaded conversations*) that are generated in platforms like Microsoft Teams.
-With Conversation Reconstruction, you can use built-in capabilities to reconstruct, review, and export threaded conversations. Use Advanced eDiscovery Conversation Reconstruction to:
+With conversation reconstruction, you can use built-in capabilities to reconstruct, review, and export threaded conversations. Use Advanced eDiscovery conversation reconstruction to:
- Preserve unique message-level metadata across all messages within a conversation.
With Conversation Reconstruction, you can use built-in capabilities to reconstru
## Terminology
-Here are few definitions to help you get start using Conversation Reconstruction.
+Here are few definitions to help you get start using conversation reconstruction.
- **Messages:** Represent the smallest unit of a conversation. Messages may vary in size, structure, and metadata.
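Review bot: The rewritten sentence keeps the original's grammar errors: "Here are few definitions to help you get start using" should read "Here are a few definitions to help you get started using".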
Here are few definitions to help you get start using Conversation Reconstruction
![Microsoft Teams Channel Conversation](../media/threadedchat.png)
- In other apps (such as 1xN chat messages in Teams), there is not a formal reply chain and instead messages appear as a "flat river of messages" within a single thread. In these types apps, conversations are inferred from a group of messages that occur within a certain time. This "soft-grouping" of messages (as opposed to a reply chain) represent the "back and forth" conversation about a specific topic of interest.
+ In other apps (such as group chat messages in Teams), there is not a formal reply chain and instead messages appear as a "flat river of messages" within a single thread. In these types apps, conversations are inferred from a group of messages that occur within a certain time. This "soft-grouping" of messages (as opposed to a reply chain) represent the "back and forth" conversation about a specific topic of interest.
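Review bot: "In these types apps" should be "In these types of apps", and 'This "soft-grouping" of messages ... represent' should be "represents" (singular subject); the rewrite changed only "1xN chat" to "group chat" and left both errors in place.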
## Step 1: Create a draft collection
When you add items from conversations to a review set, you can use the threaded
3. After the items have been added to the review set, you can review all the individual messages from *CRC1*.
-To enabled the threaded conversations option, see [Commit a draft collection to a review set](commit-draft-collection.md#commit-a-draft-collection-to-a-review-set).
+To enable the threaded conversations option, see [Commit a draft collection to a review set](commit-draft-collection.md#commit-a-draft-collection-to-a-review-set).
## Step 3: Review and export threaded conversations
-After the content has been processed and added to the review set, you can start reviewing the data in the review set. The review capabilities are different depending on whether the content was added to a standard review set or a conversation review set.
-
-### Reviewing conversations in a standard review set
-
-In a standard review set, messages are processed and displayed as individual items, similar to how they're stored in a mailbox folder. In this workflow, each message is processed as a separate item. As a result, the threaded summary and export options aren't available in a standard review set.
-
- ![Standard review set](../media/standardrs.PNG)
-
-### Reviewing conversations in a conversation review set
-
-In a conversation review set, individual messages are threaded together and presented as conversations. This lets you review and export contextual conversations.
+After the content has been processed and added to the review set, you can start reviewing the data in the review set. Individual messages are threaded together and presented as conversations. This lets you review and export contextual conversations.
![Conversation review set](../media/ConversationRSOptions.PNG)
-The following sections describe reviewing and exporting conversations in a conversation review set.
+The following sections describe reviewing and exporting conversations.
-#### Reviewing conversations
+### Reviewing conversations
-In a conversation review set, you can use the following options to facilitate the review process.
+In a review set, you can use the following options to facilitate the review process.
- **Group by conversation:** Groups messages within the same conversation together to help users simplify and expedite their review process.
In a conversation review set, you can use the following options to facilitate th
- **Rerun conversation conversion:** When messages are added to a conversation review set, a conversion job is automatically run to create the threaded summary and annotate views. If the Conversation Reconstruction job fails, you can rerun this job by clicking **Action > Create conversation PDFs** in the review set.
-#### Exporting conversations
-
-In a conversation review set, you can set the following options to export conversations:
-
-![Export options for conversations](../media/export.png)
-
-1. Metadata options:
- - **Load file:** Metadata is included for each individual message, email, and document. There is one row for each message in a conversation.
- - **Tags:** Tags from your review process are included in the metadata file. Messages in a conversation share the same tags.
-
-2. Conversation options:
- - **Conversation files:** When you export conversation files, the annotated view is converted to a PDF file and downloaded to the export folder. Messages in one conversation file point to the PDF version of the same conversation file.
- - **Individual chat messages:** When you export individual messages, each unique message in the conversation is exported as a standalone item. The file is exported in the same format that it was saved as in the mailbox. For a specific conversation, you receive multiple .msg files.
+### Exporting conversations
- > [!NOTE]
- > If you applied annotations to the conversation file, these annotations won't be transferred to the individual messages.
+For the options you can select when exporting conversations from a review set, see [Export documents from a review set](export-documents-from-review-set.md#export-options).
-3. Other options:
- - **Generate text files for all exported content:** Generates a text file for each conversation exported from the review set.
- - **Replace exported content with redacted PDFs:** If redacted conversation files are generated during the review process, then these files are available during export. You can decided whether to export only the native files (by not selecting this option) or to replace the native files with the redacted versions of the native files (by selecting this option), which are exported as PDF files.
+Specifically, you can export entire chat conversations in a single PDF file or you can export each chat message in a conversation as an individual file.
## More information To learn more about how to review case data in Advanced eDiscovery, see the following articles:
+- [Query and filter content in a review set](review-set-search.md)
+- [Tag documents in a review set](tagging-documents.md)
- [View case data](view-documents-in-review-set.md) - [Analyze case data](analyzing-data-in-review-set.md) - [Export case data](exporting-data-ediscover20.md)
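Review bot: This change removes the distinction between standard and conversation review sets, but the untouched "Rerun conversation conversion" bullet still says "When messages are added to a conversation review set" and refers to "the Conversation Reconstruction job" with the capitalization the rest of the article just dropped; update it to "a review set" and "conversation reconstruction" so the terminology stays consistent after the merge.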
compliance Data Classification Activity Explorer Available Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-activity-explorer-available-events.md
This event is generated each time an unlabeled document is labeled or an email i
|Source |Reported in activity explorer | Note | |||| | Word, Excel, PowerPoint|yes |
-|Outlook| yes |from Win 32 |
+|Outlook| yes | |
|SharePoint online, OneDrive|yes | | |Exchange |yes | | |Azure Information Protection (AIP) unified client and AIP unified scanner |yes |the AIP *new label* action is mapped to *label applied* in activity explorer |
This event is generated each time a sensitivity label is removed from a file or
|Source |Reported in activity explorer | Note | |||| |Word, Excel, PowerPoint |yes |
-|Outlook |yes |Win 32|
+|Outlook |yes ||
|SharePoint Online, OneDrive |yes | |Exchange |yes | |AIP unified client |yes |the AIP *remove label* action is mapped to the *label removed* action in activity explorer|
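Review bot: Dropping "from Win 32" leaves the Note cell for Outlook empty in both tables, which a reader will take to mean every Outlook client reports these events; if the qualifier was removed because other Outlook clients now report them, the change is fine, otherwise keep a note naming the clients covered.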
compliance Data Classification Content Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-classification-content-explorer.md
In order to get access to the content explorer tab, an account must be assigned
> Membership in these role groups does not allow you to view the list of items in content explorer or to view the contents of the items in content explorer. > [!IMPORTANT]
-> Only Global admins can manage or assign permissions to other users in the Compliance Center. For more details, see [Give users access to the Security & Compliance Center](microsoft-365/security/office-365-security/grant-access-to-the-security-and-compliance-center).
+> Only Global admins can manage or assign permissions to other users in the Compliance Center. For more details, see [Give users access to the Security & Compliance Center](../security/office-365-security/grant-access-to-the-security-and-compliance-center.md).
> ### Required permissions to access items in content explorer
compliance Export Documents From Review Set https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-documents-from-review-set.md
Use the following options to configure the export. Not all options are allowed f
- Replace redacted natives with converted PDFs: If redacted PDF files are generated during review, these files are available for export. You can choose to export only the native files that were redacted (by not selecting this option) or you can select this option to export the PDF files that contain the actual redactions.
+ - Conversation PDFs instead of individual chat messages: Select this checkbox to export chat conversations in a PDF file. All chat messages from the same conversation are exported in the same PDF file. If you leave this checkbox unselected, each unique message in a chat conversation is exported as a standalone item. The file is exported in the same format that it was saved as in the mailbox. For a specific conversation, you receive multiple .msg files.
+ The following sections describe the folder structure for loose files and condensed directory structure options. Exports are partitioned into ZIP files with a maximum size of uncompressed content of 75 GB. If the export size is less than 75 GB, the export will consist of a summary file and a single ZIP file. For exports larger than 75 GB of uncompressed data, multiple ZIP files will be created. Once downloaded, the ZIP files can be uncompressed into a single location to recreate the full export. ### Loose files and PST export structure
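Review bot: The added paragraph about ZIP partitioning (75 GB of uncompressed content per ZIP file) is shown on the same line as the "### Loose files and PST export structure" heading and starts with a leading space; in the source, keep the paragraph, a blank line, and then the heading on its own line so the heading renders. The new "Conversation PDFs instead of individual chat messages" option description is clear as written.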
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
For other labeling solutions, check their documentation for file types supported
Administrator-defined [protection templates](/azure/information-protection/configure-policy-templates), such as those you define for Office 365 Message Encryption, aren't visible in Office apps when you're using built-in labeling. This simplified experience reflects that there's no need to select a protection template, because the same settings are included with sensitivity labels that have encryption enabled.
-If you need to convert existing protection templates to labels, use the Azure portal and the following instructions: [To convert templates to labels](/azure/information-protection/configure-policy-templates#to-convert-templates-to-labels).
+You can convert an existing template into a sensitivity label when you use the [New-Label](/powershell/module/exchange/new-label) cmdlet with the *EncryptionTemplateId* parameter.
## Information Rights Management (IRM) options and sensitivity labels
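Review bot: The replacement sentence names the New-Label cmdlet and its *EncryptionTemplateId* parameter but not where to obtain the template's ID, which the removed Azure portal procedure implicitly covered; add a pointer to how to find the template ID so the conversion step is actionable for readers who were following the old instructions.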
enterprise Setup Guides For Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/setup-guides-for-microsoft-365.md
search.appverid:
- MET150 - BCS160 ms.assetid: 165f46e8-3533-4d76-be57-97f81ebd40f2
-description: "Accelerate your planning and configuration of Microsoft 365 or Office 365 with setup guides."
+description: "Get step-by-step tools to plan, migrate, and implement the features in your tenantΓÇÖs licenses. Find a guide to set up a service or an app you need to run."
# Setup guides for Microsoft 365 and Office 365 services Microsoft 365 and Office 365 setup guides give you tailored guidance and resources for planning and deploying your tenant, apps, and services. These guides are created using the same best practices that [Microsoft 365 FastTrack](https://www.microsoft.com/fasttrack/microsoft-365) onboarding specialists share in individual interactions, and they're available to all admins within the Microsoft 365 admin center. They give information on product setup, enabling security features, deploying collaboration tools, and provide scripts to speed up advanced deployments.
-## How to access setup guides in the Microsoft 365 admin center
-
-The setup guides are accessible from the [Setup guidance](https://aka.ms/setupguidance) page in the Microsoft 365 admin center. You can keep track of the status of your progress and you have the option to return at any time to complete a guide. To reach the **Setup guidance** page:
-
-1. In the [Microsoft 365 admin center](https://admin.microsoft.com/), go to the **Home** page.
-
-2. Find the **Training & guides** card.
-
- ![Training & guides card in the Microsoft 365 admin center](../media/setup-guides-for-microsoft-365/adminportal-trainingandguides.png)
-
-3. Select **Customized setup guidance**.
-
- ![Screenshot of the Setup guidance page in the Microsoft 365 admin center](../media/setup-guides-for-microsoft-365/adminportal-setupguidance.png)
-
->[!NOTE]
->Tenant administrator permissions are required to access the Microsoft 365 admin center.
-
-## How do setup guides work in the Microsoft 365 admin center?
-
-Each guide provides you with step-by-step instructions, resources, articles, and when needed, scripts you can use to make configuration changes. These guides provide you with choices that reflect the specific needs of both small and large organizations. Additionally, the guidance includes assistance for both new and more experienced admins.
-
-![Example of a setup guide](../media/setup-guides-for-microsoft-365/m365-setupguide-example.png)
-
-You can use the guides to learn more about specific Microsoft 365 and Office 365 features during the planning phase, during deployment and rollout, or to revisit them after you've completed a deployment to modify a setting.
- ## Guides for initial setup ### Prepare your environment The [Prepare your environment](https://aka.ms/prepareyourenvironment) guide helps you prepare your organization's environment for Microsoft 365 and Office 365 services. Regardless of your goals, there are tasks you'll need to complete to ensure a successful deployment. To avoid any errors while preparing your environment, you're provided with step-by-step instructions to connect your domain, add users, assign licenses, set up email with Exchange Online, and install or deploy Office apps.
-### Email setup advisor
+### Email setup guide
-The [Email setup advisor](https://aka.ms/office365setup) provides you with the step-by-step guidance needed for configuring Exchange Online for your organization. This includes setting up new email accounts, migrating email, and configuring email protection. For a successful email set up, use this advisor and you'll receive the recommended migration method based on your organization's current mail system, the number of mailboxes being migrated, and how you want to manage users and their access.
+The [Email setup guide](https://aka.ms/office365setup) provides you with the step-by-step guidance needed for configuring Exchange Online for your organization. This includes setting up new email accounts, migrating email, and configuring email protection. For a successful email setup, use this advisor and you'll receive the recommended migration method based on your organization's current mail system, the number of mailboxes being migrated, and how you want to manage users and their access.
### Migrate Gmail contacts and calendar items
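Review bot: The new description string contains "tenantΓÇÖs", a mis-encoded right single quotation mark; replace it with a plain apostrophe ("tenant's") before merging, since this text ships as page metadata. In the "Email setup guide" section the heading and link text were renamed from "advisor" to "guide", but the body still says "use this advisor and you'll receive"; change it to "use this guide".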
Microsoft Edge has been rebuilt from the ground up to bring you world-class comp
The [Microsoft Edge setup guide](https://aka.ms/edgeadvisor) will help you configure Enterprise Site Discovery to see which sites accessed in your org might need to use IE mode, review and configure important security features, configure privacy policies and additional policies to meet your org's requirements, and manage web access on your devices. You can download Microsoft Edge to individual devices, or we'll show you how to deploy to multiple users in your org with Configuration Manager or Microsoft Intune.
+### Configure IE mode for Microsoft Edge
+
+If you've already deployed Microsoft Edge and only want to configure IE mode, the [Configure IE mode for Microsoft Edge guide](https://aka.ms/configureiemode) will give you scripts to automate the configuration of Enterprise Site Discovery. You'll also get IE mode recommendations from a cloud-based tool that will help you create an Enterprise Mode Site List to deploy to your users.
+ ### Microsoft Search setup guide Microsoft Search helps your organization find what they need to complete what they're working on. Whether it's searching for people, files, org charts, sites, or answers to common questions, your org can use Microsoft Search throughout their workday to get answers.
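Review bot: the added `### Microsoft Search setup guide` heading and the paragraph that follows it sit on one line, so the heading will not render; put the heading on its own line with a blank line after it, and drop the leading space before `###`, which would otherwise indent the heading.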
The [Azure AD setup guide](https://aka.ms/aadpguidance) provides information to
It also includes essential information on enabling self-service password resets, conditional access and integrated third-party sign-on including optional advanced identity protection and user provisioning automation.
-### Sync users from your orgΓÇÖs directory
+### Sync users from your Windows Server Active Directory
-The [Sync users from your orgΓÇÖs directory wizard](https://aka.ms/directorysyncsetup) walks you through turning on directory synchronization. This brings your on-premises and cloud identities together for easier access and simplified management. Unlock new capabilities, like single sign-on, self-service options, automatic account provisioning, conditional access controls, and compliance policies. This ensures that your users have access to the resources they need from anywhere.
+The [Sync users from your Windows Server Active Directory wizard](https://aka.ms/directorysyncsetup) walks you through turning on directory synchronization. This brings your on-premises and cloud identities together for easier access and simplified management. Unlock new capabilities, like single sign-on, self-service options, automatic account provisioning, conditional access controls, and compliance policies. This ensures that your users have access to the resources they need from anywhere.
### Plan your passwordless deployment
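Review bot: renaming the heading from "Sync users from your org's directory" to "Sync users from your Windows Server Active Directory" changes its generated anchor, so any link to `#sync-users-from-your-orgs-directory` elsewhere in the docs set breaks; the same applies to the advisor-to-setup-guide heading renames later in this file. Search for the old anchors and update them (or add redirects) before merging. Dropping the `ΓÇÖ` mis-encoded apostrophe from the heading is a welcome side effect.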
Set up Microsoft Intune to manage devices in your organization. For full control
With the [Microsoft Intune setup guide](https://aka.ms/intunesetupguide), you'll set up device and app compliance policies, assign app protection policies, and monitor the device and app protection status.
-### Microsoft Defender for Endpoint advisor
+### Microsoft Defender for Endpoint setup guide
-The [Microsoft Defender for Endpoint advisor](https://aka.ms/mdatpsetup) provides instructions that will help your enterprise network prevent, detect, investigate, and respond to advanced threats. Make an informed assessment of your organization's vulnerability and decide which deployment package and configuration methods are best.
+The [Microsoft Defender for Endpoint setup guide](https://aka.ms/mdatpsetup) provides instructions that will help your enterprise network prevent, detect, investigate, and respond to advanced threats. Make an informed assessment of your organization's vulnerability and decide which deployment package and configuration methods are best.
>[!NOTE] >A Microsoft Volume License is required for Microsoft Defender for Endpoint.
Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering serv
Use the [Exchange Online Protection setup guide](https://aka.ms/EOPguidance) to set up EOP by selecting which of the three deployment scenarios&mdash;on-premises mailboxes, hybrid (mix of on-premises and cloud) mailboxes, or all cloud mailboxes&mdash;fits your organization. The guide provides information and resources to set up and review your user's licensing, assign permissions in the Microsoft 365 admin center, and configure your organization's anti-malware and spam policies in the Security & Compliance Center.
-### Microsoft Defender for Office 365 advisor
+### Microsoft Defender for Office 365 setup guide
+
+The [Microsoft Defender for Office 365 setup guide](https://aka.ms/oatpsetup) safeguards your organization against malicious threats that your environment might encounter through email messages, links, and third-party collaboration tools. This guide provides you with the resources and information to help you prepare and identify the Defender for Office 365 plan to fit your organization's needs.
+
+### Microsoft Defender for Identity setup guide
-The [Microsoft Defender for Office 365 advisor](https://aka.ms/oatpsetup) safeguards your organization against malicious threats that your environment might encounter through email messages, links, and third-party collaboration tools. This guide provides you with the resources and information to help you prepare and identify the Defender for Office 365 plan to fit your organization's needs.
+The [Microsoft Defender for Identity setup guide](https://aka.ms/DefenderforIdentitysetup) provides security solution set-up guidance to identify, detect, and investigate advanced threats that might compromise user identities. These include detecting suspicious user activities and malicious insider actions directed at your organization. YouΓÇÖll create a Defender for Identity instance, connect to your organization's Active Directory, and then set up sensors, alerts, notifications, and configure your unique portal preferences.
### Microsoft information protection setup guide
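Review bot: the added Defender for Identity paragraph contains a mis-encoded apostrophe (`YouΓÇÖll`), the same mojibake this change removes elsewhere in the file; replace it with a plain `'`. In the same line, "set-up guidance" should read "setup guidance" to match the heading and the rest of the file.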
The [Microsoft Information governance setup guide](https://aka.ms/migsetupguide)
## Guides for collaboration
+### Build your employee experience
+
+Transform how your employees work together with the [Employee experience dashboard](https://aka.ms/EmployeeExperienceDashboard). For seamless teamwork, use Microsoft 365 to create productive, aligned teams, and keep employees engaged with leadership and the rest of the organization. Help your employees be effective in all work activities. These guides will provide instructions on how to use SharePoint, Teams, and Yammer to build collaboration across your org to help drive productivity.
+ ### Microsoft 365 Apps deployment advisor The [Microsoft 365 Apps deployment advisor](https://aka.ms/OPPquickstartguide) helps you get your users' devices running the latest version of Office products like Word, Excel, PowerPoint, and OneNote. You'll get guidance on the various deployment methods that include easy self-install options to enterprise deployments with management tools. The instructions will help you assess your environment, figure out your specific deployment requirements, and implement the necessary support tools to ensure a successful install.
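Review bot: `### Microsoft 365 Apps deployment advisor` keeps the old "advisor" name that this change replaces with "setup guide" everywhere else, and the heading is run together with its paragraph on one line (with a leading space), so it will not render as a heading. Split the line, and if the rename is meant to be complete, rename this guide and its link text too.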
Use the [Deploy Office to remote users guide](https://aka.ms/officeremoteinstall
### Deploy and update Microsoft 365 Apps with Configuration Manager For organizations using Configuration Manager, you can use the [Deploy and update Microsoft 365 Apps with Configuration Manager advisor](https://aka.ms/oppinstall) to generate a script that will automatically configure your Microsoft 365 Apps deployment using best practices recommended by FastTrack engineers. Use this guide to build your deployment groups, customize your Office apps and features, configure dynamic or lean installations, and then run the script to create the applications, automatic deployment rules, and device collections you need to target your deployment.+
+### Intune Configuration Manager co-management setup guide
+
+Use the [Intune Configuration Manager co-management setup guide](https://aka.ms/comanagementsetup) to set up existing Configuration Manager client devices and new internet-based devices that your org wants to co-manage with both Microsoft Intune and Configuration Manager. Co-management allows you to manage Windows 10 devices and adds new functionality to your org's devices, while receiving the benefits of both solutions.
+
+## How to access setup guides in the Microsoft 365 admin center
+
+The setup guides are accessible from the [Setup guidance](https://aka.ms/setupguidance) page in the Microsoft 365 admin center. You can keep track of the status of your progress and you have the option to return at any time to complete a guide. To reach the **Setup guidance** page:
+
+1. In the [Microsoft 365 admin center](https://admin.microsoft.com/), go to the **Home** page.
+
+2. Find the **Training & guides** card.
+
+ ![Training & guides card in the Microsoft 365 admin center](../media/setup-guides-for-microsoft-365/adminportal-trainingandguides.png)
+
+3. Select **Step-by-step guides**.
+
+ ![Screenshot of the Setup guidance page in the Microsoft 365 admin center](../media/setup-guides-for-microsoft-365/adminportal-setupguidance.png)
+
+> [!NOTE]
+> Tenant administrator permissions are required to access the Microsoft 365 admin center.
+
+## How do setup guides work in the Microsoft 365 admin center?
+
+Each guide provides you with step-by-step instructions, resources, articles, and when needed, scripts you can use to make configuration changes. These guides provide you with choices that reflect the specific needs of both small and large organizations. Additionally, the guidance includes assistance for both new and more experienced admins.
+
+![Example of a setup guide](../media/setup-guides-for-microsoft-365/m365-setupguide-example.png)
+
+You can use the guides to learn more about specific Microsoft 365 and Office 365 features during the planning phase, during deployment and rollout, or to revisit them after you've completed a deployment to modify a setting.
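Review bot: in the new "How to access setup guides" section, "You can keep track of the status of your progress" is redundant; "You can track your progress" reads better. The note "Tenant administrator permissions are required to access the Microsoft 365 admin center" should say which admin role is actually needed, since "tenant administrator permissions" does not map to a named admin role that a reader can look up or assign.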
enterprise View Service Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/view-service-health.md
If you are unable to sign in to the admin center, you can use the [service statu
The **All services** tab (the default view) shows all services, their current health state, and any active incidents or advisories. An icon and status in the **Health** column indicate the state of each service.
-If there is an active incident or advisory for a service they will be listed directly under the service name in a nested table. You can collapse the nested table to hide the incidents or advisories in this view by clicking on the chevron icon to the left of the service name.
+If there is an active incident or advisory for a service they will be listed directly under the service name in a nested table. You can collapse the nested table to hide the incidents or advisories in this view by clicking on the chevron icon to the left of the service name.
To filter your view to only show all the active incidents, select the **Incidents** tab at the top of the page. Selecting the **Advisories** tab will only show all the active advisories posted. The **History** tab shows all incidents and advisories that have been resolved within the last seven or 30 days.
-If you're experiencing an issue with a Microsoft 365 service and you donΓÇÖt see it listed on the **Service health** page, tell us about it by selecting **Report an issue**, and completing the short form. WeΓÇÖll look at related data and reports from other organizations to see how widespread the issue is, and if it originated with our service. If it did, weΓÇÖll add it as a new incident or advisory on the **Service health** page, where you can track its resolution. The **Reported Issues** page will show all issues your tenant has reported from this form and the status.
+If you're experiencing an issue with a Microsoft 365 service and you don't see it listed on the **Service health** page, tell us about it by selecting **Report an issue**, and completing the short form. We'll look at related data and reports from other organizations to see how widespread the issue is, and if it originated with our service. If it did, we'll add it as a new incident or advisory on the **Service health** page, where you can track its resolution. The **Reported Issues** page will show all issues your tenant has reported from this form and the status.
To customize your view of which services show up on the dashboard, select **Preferences** > **Custom view**, and clear the checkboxes for the services you want to filter out of your Service health dashboard view. Make sure that the checkbox is selected for each service that you want to monitor.
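Review bot: the line "If there is an active incident or advisory for a service they will be listed directly under the service name" has a number disagreement and a missing comma; since the `-`/`+` pair is otherwise identical (presumably a whitespace change), fix it while it is touched: "If there is an active incident or advisory for a service, it will be listed directly under the service name".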
To sign up for email notifications of new incidents that affect your tenant and
- Whether you want notifications for incidents or advisories - The services for which you want notification
-You can also subscribe to email notifications for individual events instead of every event for a service. To do so, select the active issue you want to receive email notification updates for, select **Manage notifications for this issue**, and then specify:
+You can also subscribe to email notifications for individual events instead of every event for a service. To do so, select the active issue you want to receive email notification updates for, select **Manage notifications for this issue**, and then specify:
+ - Up to two email addresses. > [!NOTE]
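Review bot: the added list item `- Up to two email addresses.` and the `> [!NOTE]` callout share one line; the callout marker must start its own line, with a blank line before it, or the alert will not render and the note text becomes part of the list item.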
You can also subscribe to email notifications for individual events instead of e
### View details of posted service health
-On the **All services** view, select the issue title to see the issue detail page, which shows more information about the issue, including a feed of all the messages posted while we work on a solution.
+On the **All services** view, select the issue title to see the issue detail page, which shows more information about the issue, including a feed of all the messages posted while we work on a solution.
-[ ![A screenshot showing the service advisory](../media/service-health-advisory.png) ](../media/service-health-advisory.png#lightbox)
+[![Screenshot showing the service advisory](../media/service-health-advisory.png)](../media/service-health-advisory.png#lightbox)
The advisory or incident summary provides the following information:
Most of the time, services will appear as healthy with no further information. W
|**Extended recovery** | This status indicates that corrective action is in progress to restore service to most users but will take some time to reach all the affected systems. You might also see this status if we've made a temporary fix to reduce impact while we wait to apply a permanent fix. | |**Investigation suspended** | If our detailed investigation of a potential issue results in a request for additional information from customers to allow us to investigate further, you'll see this status. If we need you to act, we'll let you know what data or logs we need. | |**Service restored** | We've confirmed that corrective action has resolved the underlying problem and the service has been restored to a healthy state. To find out what went wrong, view the issue details. |
-|**False positive** | After a detailed investigation, weΓÇÖve confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service. |
-|**Post-incident report published** | WeΓÇÖve published a Post Incident Report for a specific issue that includes root cause information and next steps to ensure a similar issue doesnΓÇÖt reoccur. |
+|**False positive** | After a detailed investigation, we've confirmed the service is healthy and operating as designed. No impact to the service was observed or the cause of the incident originated outside of the service. Incidents and advisories with this status appear in the history view until they expire (after the period of time stated in the final post for that event). |
+|**Post-incident report published** | We've published a Post Incident Report for a specific issue that includes root cause information and next steps to ensure a similar issue doesn't reoccur. |
### Message Post Types | Type | Definition | |:--|:--| |**Quick Update** | Short and frequent incremental updates for broadly impacting incidents, available to all customers. |
-|**Additional Details** | These additional posts will provide richer technical and resolution details to offer deeper visibility into the handling of incidents. This is available for tenants that meet the same requirements outlined for [Exchange Online monitoring](/microsoft-365/enterprise/microsoft-365-exchange-monitoring?view=o365-worldwide#requirements), |
+|**Additional Details** | These additional posts will provide richer technical and resolution details to offer deeper visibility into the handling of incidents. This is available for tenants that meet the same requirements outlined for [Exchange Online monitoring](/microsoft-365/enterprise/microsoft-365-exchange-monitoring#requirements), |
### History
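Review bot: the **Additional Details** row ends with a comma instead of a period in both the removed and the added line; since the line is already being edited to drop the `?view=o365-worldwide` query string, fix the terminal punctuation at the same time. The new sentence in the **False positive** row ("appear in the history view until they expire ...") is a useful addition and should also be reflected in the History section if that section describes retention.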
For more information about our commitment to uptime, see [Transparent operations
## Related topics
-[Activity Reports in the Microsoft 365 admin center](https://support.office.com/article/0d6dfb17-8582-4172-a9a9-aed798150263)
-
-[Message center Preferences](../admin/manage/message-center.md?preserve-view=true&view=o365-worldwide#preferences)
-
-[How to check Windows release health on admin center](/windows/deployment/update/check-release-health)
+- [Activity Reports in the Microsoft 365 admin center](https://support.office.com/article/0d6dfb17-8582-4172-a9a9-aed798150263)
+- [Message center Preferences](../admin/manage/message-center.md?preserve-view=true&view=o365-worldwide#preferences)
+- [How to check Windows release health on admin center](/windows/deployment/update/check-release-health)
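Review bot: the relisted **Message center Preferences** entry keeps `?preserve-view=true&view=o365-worldwide` while the edit above strips `?view=o365-worldwide` from the Exchange Online monitoring link; pick one convention for view query strings in this file and apply it to both. Converting the loose links into a bulleted list is fine.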
security Collect Investigation Package https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-investigation-package.md
Collect investigation package from a device.
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
+> [!IMPORTANT]
+>
+> - These response actions are only available for devices on Windows 10, version 1703 or later.
+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md)
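Review bot: `## Permissions` and the sentence "One of the following permissions is required to call this API" are on one line with a leading space, so the heading will not render; put the heading on its own line with a blank line after it. The new `[!IMPORTANT]` callout holds a single bullet; a plain sentence inside the callout reads better than a one-item list.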
security Control Usb Devices Using Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/control-usb-devices-using-intune.md
The following table describes the ways Microsoft Defender for Endpoint can allow
|[Allow installation and usage of specifically approved peripherals with matching device instance IDs](#allow-installation-and-usage-of-specifically-approved-peripherals-with-matching-device-instance-ids)|You can only install and use approved peripherals that match any of these device instance IDs.| |[Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs](#prevent-installation-and-usage-of-specifically-prohibited-peripherals-with-matching-device-instance-ids)|You can't install or use prohibited peripherals that match any of these device instance IDs.| |[Limit services that use Bluetooth](#limit-services-that-use-bluetooth)|You can limit the services that can use Bluetooth.|
-|[Use Microsoft Defender for Endpoint baseline settings](#use-microsoft-defender-for-endpoint-baseline-settings)|You can set the recommended configuration for ATP by using the Defender for Endpoint security baseline.|
| ### Restrict USB drives and other peripherals
Using Intune, you can limit the services that can use Bluetooth through the ["Bl
> [!div class="mx-imgBorder"] > ![screenshot of Bluetooth settings page](images/bluetooth.png)
-### Use Microsoft Defender for Endpoint baseline settings
-
-The Microsoft Defender for Endpoint baseline settings represent the recommended configuration for threat protection. Configuration settings for baseline are located in the edit profile page of the configuration settings.
-
-> [!div class="mx-imgBorder"]
-> ![Baselines in MEM](images/baselines.png)
## Prevent threats from removable storage
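Review bot: removing the "Use Microsoft Defender for Endpoint baseline settings" section and its table row drops the `#use-microsoft-defender-for-endpoint-baseline-settings` anchor; check for inbound links to it (the removed table row was one) and whether `images/baselines.png` is still referenced anywhere, otherwise delete the image as well. If the baseline guidance now lives in another article, a one-line pointer to it would help readers who relied on this section.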
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
- auditing, allowing or preventing the read, write or execute access to removable storage with or without exclusion
+<br>
+
+****
+
+|Privilege|Permission|
+|||
+|Access|Read, Write, Execute|
+|Action Mode|Audit, Allow, Prevent|
+|CSP Support|Yes|
+|GPO Support|Yes|
+|User-based Support|Yes|
+|Machine-based Support|Yes|
+|||
-#### Access Control
+## Prepare your endpoints
-|Privilege |Permission |
-|||
-|Access | Read, Write, Execute |
-|Action Mode | Audit, Allow, Prevent |
-|||
+Deploy Removable Storage Access Control on Windows 10 devices that have antimalware client version **4.18.2103.3 or later**.
-#### Supported deployment method
-|&nbsp; |&nbsp; |
-|||
-|CSP Support | Yes |
-|GPO Support | Yes |
+- **4.18.2104 or later**: Add SerialNumberId, VID_PID, filepath-based GPO support, ComputerSid
+- **4.18.2105 or later**: Add Wildcard support for HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId, the combination of specific user on specific machine, removeable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support
+- **4.18.2107 or later**: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets)
-#### Supported target scenario
-| &nbsp; | &nbsp; |
-|||
-|User-based Support | Yes |
-|Machine-based Support | Yes |
+> [!NOTE]
+> None of Windows Security components need to be active as you can run Removable Storage Access Control independent of Windows Security status.
+## Policy properties
+You can use the following properties to create a removable storage group:
-## Licensing
+### Property name: Group Id
-Before you get started with Removable Storage Access Control, you should [confirm your Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1). To access and use Removable Storage Access Control, you must have the following:
+**Description**: GUID, a unique ID, represents the group and will be used in the policy.
-- Microsoft 365 E3 for functionality/policy deployment.-- Microsoft 365 E5 for reporting.
+### Property name: DescriptorIdList
-## Prepare your endpoints
+**Description**: List the device properties you want to use to cover in the group.
-Deploy Removable Storage Access Control on Windows 10 devices that have antimalware client version **4.18.2103.3 or later**.
+For each device property, see **Device Properties** section above for more detail.
-- **4.18.2104 or later**: Add SerialNumberId, VID_PID, filepath-based GPO support, ComputerSid
+**Options**:
-- **4.18.2105 or later**: Add Wildcard support for HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId, the combination of specific user on specific machine, removeable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support
+- Primary ID
+ - RemovableMediaDevices
+ - CdRomDevices
+- DeviceId
+- HardwareId
+- InstancePathId: InstancePathId is a string that uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0.
-- **4.18.2107 or later**: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets)
+The number at the end (for example **&0**) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`.
+- FriendlyNameId
+- SerialNumberId
+- VID
+- PID
+- VID_PID
+ - 0751_55E0: match this exact VID/PID pair
+ - _55E0: match any media with PID=55E0
+ - 0751_: match any media with VID=0751
-> [!NOTE]
-> None of Windows Security components need to be active as you can run Removable Storage Access Control independent of Windows Security status.
+### Property name: MatchType
-## Policy properties
+**Description**: When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship.
-You can use the following properties to create a removable storage group:
+**Options**:
+
+- MatchAll: Any attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.
+- MatchAny: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.
+
+Following are the access control policy properties:
+
+### Property name: PolicyRuleId
+
+**Description**: GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting.
+
+### Property name: IncludedIdList
+
+**Description**: The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.
+
+**Options** The Group ID/GUID must be used at this instance.
+
+The following example shows the usage of GroupID:
+
+`<IncludedIdList> <GroupId>{EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>`
+
+### Property name: ExcludedIDList
-#### Removable Storage Group
-|Property Name |Description |Options |
-||||
-|**GroupId** | [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the group and will be used in the policy. | |
-|**DescriptorIdList** | List the device properties you want to use to cover in the group. For each device property, see [Device Properties](/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection?view=o365-worldwide&preserve-view=true) for more detail.ΓÇï | - **PrimaryId**ΓÇï: RemovableMediaDevices, CdRomDevices, WpdDevices</br> - **DeviceIdΓÇï** </br>- **HardwareIdΓÇï**</br>- **InstancePathId**ΓÇï: InstancePathId is a string that uniquely identifies the device in the system, for example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*</br>- **FriendlyNameIdΓÇï**</br>- **SerialNumberIdΓÇï**</br>- **VIDΓÇï**</br>- **PIDΓÇï**</br>- **VID_PID**</br> 0751_55E0: match this exact VID/PID pair </br>_55E0: match any media with PID=55E0 </br>0751_: match any media with VID=0751 |
-|**MatchType** | When there are multiple device properties being used in the DescriptorIDList, MatchType defines the relationship. | **MatchAll**: </br>ΓÇïAny attributes under the DescriptorIdList will be **And** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will check to see whether the USB meets both values.ΓÇï </br> </br>**MatchAny**:</br> ΓÇïThe attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts DeviceID and InstancePathID, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.ΓÇï |
-||||
--
-#### Access Control Policy
-
-|Property Name |Description |Options |
-||||
-|PolicyRuleIdΓÇï | [GUID](https://en.wikipedia.org/wiki/Universally_unique_identifier), a unique ID, represents the policy and will be used in the reporting and troubleshooting. | |
-|IncludedIdList | The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups. | The Group ID/GUID must be used at this instance.ΓÇï </br> ΓÇïThe following example shows the usage of GroupID:ΓÇï </br> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>ΓÇï` |
-|ExcludedIDList | The group(s) that the policy will not be applied to. | The Group ID/GUID must be used at this instance. |
-|Entry Id | One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.ΓÇï | |
-|Type|Defines the action for the removable storage groups in IncludedIDList.ΓÇï </br>- Enforcement: Allow or DenyΓÇï </br>- Audit: AuditAllowed or AuditDeniedΓÇï|- AllowΓÇï </br>- DenyΓÇï</br> - AuditAllowed: Defines notification and event when access is allowedΓÇï</br>- AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.ΓÇï </br></br> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.ΓÇï|
-|Sid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine.ΓÇï||
-|ComputerSid|Local computer Sid or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry.ΓÇï||
-|Options|Defines whether to display notification or notΓÇï|0-4. When Type Allow or Deny is selected:</br>ΓÇï</br>0: nothingΓÇï</br>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification.ΓÇï </br> </br>When Type **AuditAllowed** or **AuditDenied** is selected:ΓÇï</br>0: nothingΓÇï</br>1: show notificationΓÇï</br>2: send eventΓÇï</br>3: show notification and send eventΓÇï|
-|AccessMask|Defines the access.ΓÇï|1-7:ΓÇï </br></br>1: ReadΓÇï</br>2: WriteΓÇï</br>3: Read and WriteΓÇï</br>4: ExecuteΓÇï</br>5: Read and ExecuteΓÇï</br>6: Write and ExecuteΓÇï</br>7: Read and Write and ExecuteΓÇï|
-||||
+**Description**: The group(s) that the policy will not be applied to.
+
+**Options**: The Group ID/GUID must be used at this instance.
+
+### Property name: Entry Id
+
+**Description**: One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.
+
+### Property name: Type
+
+**Description**: Defines the action for the removable storage groups in IncludedIDList.
+
+- Enforcement: Allow or Deny
+- Audit: AuditAllowed or AuditDenied
+
+**Options**:
+
+- Allow
+- Deny
+- AuditAllowed: Defines notification and event when access is allowed
+- AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.
+
+When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.
+
+### Property name: Options
+
+**Description**: Defines whether to display notification or not.
++
+**Options**: 0-4.
+
+When Type **Allow** or **Deny** is selected:
+
+- 0: nothing
+- 4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Block** happens and the **AuditDenied** is setting configured, the system will not show notification.
+
+When Type **AuditAllowed** or **AuditDenied** is selected:
+
+- 0: nothing
+- 1: show notification, only works for AuditDenied
+- 2: send event
+- 3: show notification and send event. If applying this to AuditAllowed, will only fire the event for reporting but will not show the notification.
+
+### Property name: Sid
+
+**Description**: Defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one SID and an entry without any SID means applying the policy over the machine.
+
+### Property name: ComputerSid
+
+**Description**: Defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSID and an entry without any ComputerSID means applying the policy over the machine. If you want to apply an entry to a specific user and specific machine, add both SID and ComputerSID into the same entry.
+
+### Property name: AccessMask
+
+**Description**: Defines the access.
+
+Options 1-7:
+
+- 1: Read
+- 2: Write
+- 3: Read and Write
+- 4: Execute
+- 5: Read and Execute
+- 6: Write and Execute
+- 7: Read and Write and Execute
## Common Removable Storage Access Control scenarios
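Review bot: The added line that contains only a stray `+` (between the "Defines whether to display notification or not" description and the "Options: 0-4" line) will render as a literal plus sign; it should be an empty line. In the same hunk the Type property names its enforcement values **Allow** and **Deny**, but the explanation of option 4 says "Even if **Block** happens", so one term (Deny) should be used throughout. The AccessMask list shows 3 = Read and Write, 5 = Read and Execute, 6 = Write and Execute and 7 = all three, which means 1, 2 and 4 are bit flags combined by OR; saying so in one sentence would tell readers how to interpret the mask instead of leaving them to infer it from the table. Finally, the ComputerSid description repeats the Sid sentence word for word ("an entry without any ComputerSID means applying the policy over the machine"); it presumably should say the entry applies to all machines, otherwise the two properties read identically.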
To help familiarize you with Microsoft Defender for Endpoint Removable Storage A
1. Create groups 1. Group 1: Any removable storage and CD/DVD. An example for this use case is: Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
- 2. Group 2: Unapproved USBs based on device properties, for example, Vendor ID / Product ID, Friendly Name - Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Unapproved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
+ 2. Group 2: Unapproved USBs based on device properties, for example, Vendor ID / Product ID, Friendly Name ΓÇô Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Unapproved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
> [!NOTE] > You have to replace `&` with `&amp;` in the value. 2. Create policy 1. Policy 1: Block Write and Execute access to all but block specific unapproved USBs. An example of this use case is: PolicyRule **23b8e437-66ac-4b32-b3d7-24044637fc98** in the sample [Scenario 2 Audit Write and Execute access to all but block specific unapproved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.- 2. Policy 2: Audit Write and Execute access to others. An example of this use case is: PolicyRule **b58ab853-9a6f-405c-a194-740e69422b48** in the sample [Scenario 2 Audit Write and Execute access to others.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file. ## Deploying and managing policy via Group Policy
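Review bot: The changed Group 2 line replaces the plain hyphen with the mis-encoded sequence `ΓÇô`, which is an en dash saved in the wrong encoding and will render as garbage; restore `-` (or a correctly encoded en dash) before merging. In the surrounding context, Policy 1 is described as "Block Write and Execute access to all but block specific unapproved USBs", while the linked sample is named "Scenario 2 Audit Write and Execute access to all but block specific unapproved USBs.xml"; either the description or the sample name is wrong, and "block ... but block" should read "audit ... but block" if the sample name is the correct one. The NOTE about replacing `&` with `&amp;` is the right XML escaping and belongs next to the group definitions, since the troubleshooting section later in this file says an unescaped ampersand stops the XML from parsing at all.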
Before you get started with Removable Storage Access Control, you must confirm y
2. Combine all rules within `<PolicyRules>` `</PolicyRules>` into one xml file.
- If you want to restrict a specific user, then use SID property into the Entry. If there's no SID in the policy Entry, the Entry will be applied to everyone login instance for the machine.
+ If you want to restrict a specific user, then use SID property into the Entry. If there is no SID in the policy Entry, the Entry will be applied to everyone login instance for the machine.
The following image illustrates the usage of SID property, and an example of [Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs](#scenario-1-prevent-write-and-execute-access-to-all-but-allow-specific-approved-usbs). :::image type="content" source="images/usage-sid-property.png" alt-text="The screen displaying a code that indicates usage of the SID property attribute":::
-3. Save both rule and group XML files on network share folder and put network share folder path into the Group Policy setting: **Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus -> Device Control: 'Define device control policy groups' and 'Define device control policy rules'**.
+3. Save both rule and group XML files on the network share folder and put the network share folder path into the Group Policy setting: **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control**: **'Define device control policy groups'** and **'Define device control policy rules'**.
- - The target machine must be able to access the network share to have the policy. However, once the policy is read, the network share connection is no longer required, even after machine reboot.
+ If you cannot find the policy configuration UX in the Group Policy, you can download the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files by selecting **Raw** and then **Save as**.
+
+ - The target machine must be able to access the network share to have the policy. However, once the policy is read, the network share connection is no longer required, even after machine reboot.
:::image type="content" source="images/device-control.png" alt-text="The Device Control screen":::
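Review bot: The rewritten sentence still reads "the Entry will be applied to everyone login instance for the machine", which is not grammatical; suggest "the Entry applies to every user who signs in to the machine". Two further points in this hunk: the new paragraph about downloading WindowsDefender.adml and WindowsDefender.admx is inserted between step 3 and its sub-bullet, so the bullet about network-share access now appears to belong to the ADMX note rather than to step 3; move the ADMX paragraph after the bullet, or leave it only in the troubleshooting section that already covers it. And since the target machine reads the policy XML from the network share path configured in Group Policy, the step should state that write access to that share must be limited to the administrators who manage the policy, because anyone who can edit those XML files can change which removable storage is allowed on every machine that reads them.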
For policy deployment in Intune, the account must have permissions to create, ed
1. For each Group, create an OMA-URI rule: - OMA-URI:
- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**GroupGUID**%7d/GroupData
+ `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**GroupGUID**%7d/GroupData`
For example, for **any removable storage and CD/DVD** group in the sample, the link must be:
- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData
+ `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData`
- Data Type: String (XML file)
-2. For each policy, also create an OMA-URI:
+ :::image type="content" source="images/xml-data-type-string.png" alt-text="The xml file for the STRING data type":::
+2. For each policy, also create an OMA-URI:
- OMA-URI:
- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bFA6BE102-0784-4A2A-B010-A0BEBEBF68E1%7d/RuleData
+ `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bFA6BE102-0784-4A2A-B010-A0BEBEBF68E1%7d/RuleData`
For example, for the **Block Write and Execute Access but allow approved USBs** rule in the sample, the link must be:
- ./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bc544a991-5786-4402-949e-a032cb790d0e%7d/RuleData.
+ `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bc544a991-5786-4402-949e-a032cb790d0e%7d/RuleData`
- Data Type: String (XML file) ## Deploying and managing policy by using Intune user interface
-This capability (in Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> Devices \> Configuration profiles \> Create profile \> Platform: Windows 10 and later & Profile: Device Control) isn't yet available.
+This capability (in Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) \> Devices \> Configuration profiles \> Create profile \> Platform: Windows 10 and later & Profile: Device Control) is not yet available.
## View Device Control Removable Storage Access Control data in Microsoft Defender for Endpoint
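Review bot: The policy OMA-URI template uses a concrete GUID (`%7bFA6BE102-0784-4A2A-B010-A0BEBEBF68E1%7d`) where the group template uses the placeholder `%7b**GroupGUID**%7d`; use a matching `%7b**RuleGUID**%7d` placeholder so readers do not paste a GUID that belongs to no sample rule. Wrapping the URIs in backticks and dropping the trailing period from the rule example are the right fixes, since that period would otherwise end up in the OMA-URI field. The Intune UI paragraph changes "isn't" to "is not" but still keeps the whole navigation path inside one parenthesis chain; splitting the path out of the parentheses would make the sentence readable.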
The Microsoft 365 security portal shows removable storage blocked by the Device
```kusto //events triggered by RemovableStoragePolicyTriggered DeviceEvents-
-| where ActionType == "RemovableStoragePolicyTriggered"
-| extend parsed=parse_json(AdditionalFields)
-| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess) 
-| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) 
-| extend MediaBusType = tostring(parsed.BusType) 
+| where ActionType == &quot;RemovableStoragePolicyTriggered&quot;
+| extend parsed=parse_json(AdditionalFields)
+| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess) 
+| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict) 
+| extend MediaBusType = tostring(parsed.BusType) 
| extend MediaClassGuid = tostring(parsed.ClassGuid) | extend MediaClassName = tostring(parsed.ClassName) | extend MediaDeviceId = tostring(parsed.DeviceId)
DeviceEvents
| extend MediaVendorId = tostring(parsed.VendorId)  | extend MediaSerialNumber = tostring(parsed.SerialNumber)  | extend MediaVolume = tostring(parsed.Volume) 
-|project Timestamp, DeviceId, DeviceName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, MediaVolume
+| project Timestamp, DeviceId, DeviceName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, MediaVolume
| order by Timestamp desc ```
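Review bot: The rewritten `where` line replaces the literal quotes with the HTML entities `&quot;`, but text inside a fenced code block is not entity-decoded, so the rendered query reads `ActionType == &quot;RemovableStoragePolicyTriggered&quot;`, which is not valid Kusto when a reader copies it; keep the plain `"` characters. The `tostring(...)` lines carry trailing whitespace, and the space added after the pipe in `| project` is good but the same convention should apply to every pipe in the block. The `project` list also names MediaInstanceId, MediaName, RemovableStoragePolicy and MediaProductId, which no `extend` line in the visible query defines, so either those `extend` lines were lost in this edit or the projected columns need trimming.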
The most common reason is there's no required [antimalware client version](/micr
Another reason could be that the XML file isn't correctly formatted, for example, not using the correct markdown formatting for the "&" character in the XML file, or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files, which causes the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**) and then update.
-If there's a value and the policy is managed via Group Policy, check whether the client device can access the policy XML path.
+### There is no configuration UX for 'Define device control policy groups' and 'Define device control policy rules' on my Group Policy
+
+We don't backport the Group Policy configuation UX, but you can still get the related adml and admx files by clicking 'Raw' and 'Save as' at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.
### How can I know which machine is using out of date antimalware client version in the organization?
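Review bot: "configuation" in the new Group Policy UX heading's body text is a typo for "configuration". The removed troubleshooting line ("If there's a value and the policy is managed via Group Policy, check whether the client device can access the policy XML path.") was the only check in this section for the network-share deployment described earlier; if it was dropped deliberately, the new section should say where that check moved to, otherwise restore it. The new section also duplicates the ADMX/ADML download instructions just added to the deployment steps, so one of the two should link to the other. In the surrounding paragraph, "correct markdown formatting for the "&" character" should read "correct XML escaping", since the file is XML and the escape is `&amp;`.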
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
localization_priority: Normal
- next-gen - edr Previously updated : 07/29/2021 Last updated : 08/05/2021 - m365-security-compliance - m365initiative-defender-endpoint
If Microsoft Defender Antivirus is running in active mode or passive mode, EDR i
If Windows Server 2016 has Microsoft Defender Antivirus running in active mode, and the endpoint is onboarded to Defender for Endpoint, then EDR in block mode is technically supported. However, EDR in block mode is intended to be extra protection when Microsoft Defender Antivirus is not the primary antivirus solution on an endpoint. In those cases, Microsoft Defender Antivirus runs in passive mode.
-Currently, running Microsoft Defender Antivirus in passive mode is not supported on Windows Server 2016. To learn more, see [Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions](microsoft-defender-antivirus-compatibility.md#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions).
+Currently, running Microsoft Defender Antivirus in passive mode is not supported on Windows Server 2016. To learn more, see [Passive mode and Windows Server](microsoft-defender-antivirus-on-windows-server.md#passive-mode-and-windows-server) and [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
### How much time does it take for EDR in block mode to be disabled?
security Enable Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-controlled-folders.md
ms.technology: mde
You can enable controlled folder access by using any of these methods:
-* [Windows Security app](#windows-security-app)
-* [Microsoft Endpoint Manager](#endpoint-manager)
-* [Mobile Device Management (MDM)](#mobile-device-management-mdm)
-* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
-* [Group Policy](#group-policy)
-* [PowerShell](#powershell)
+- [Windows Security app](#windows-security-app)
+- [Microsoft Endpoint Manager](#endpoint-manager)
+- [Mobile Device Management (MDM)](#mobile-device-management-mdm)
+- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
+- [Group Policy](#group-policy)
+- [PowerShell](#powershell)
[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the device. Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
-* Microsoft Defender Antivirus **Configure local administrator merge behavior for lists**
-* System Center Endpoint Protection **Allow users to add exclusions and overrides**
+- Microsoft Defender Antivirus **Configure local administrator merge behavior for lists**
+- System Center Endpoint Protection **Allow users to add exclusions and overrides**
For more information about disabling local list merging, see [Prevent or allow users to locally modify Microsoft Defender AV policy settings](/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus).
Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](/wi
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**. 4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options:
- * **Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
- * **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders.
- * **Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization.
- * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
- * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
+ - **Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
+ - **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders.
+ - **Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization.
+ - **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** \> Microsoft \> Windows \> Windows Defender \> Operational \> ID 1123.
+ - **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** \> **Windows** \> **Windows Defender** \> **Operational** \> **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
- ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](/microsoft-365/security/defender-endpoint/images/cfa-gp-enable)
+ ![Screenshot of the group policy option Enabled and Audit Mode selected in the drop-down](../../media/cfa-gp-enable.png)
> [!IMPORTANT] > To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu.
Use `Disabled` to turn off the feature.
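Review bot: The two disk-modification bullets now escape the `>` separators inconsistently: "Block disk modification only" uses `\>` with unbolded path segments, while "Audit disk modification only" bolds each segment and leaves its first `>` unescaped; make both bullets use the same form. The image path changes from the site-absolute `/microsoft-365/security/defender-endpoint/images/cfa-gp-enable` (no extension) to the repo-relative `../../media/cfa-gp-enable.png`, which is right only if the file was moved in this commit. The IMPORTANT callout tells the reader to select **Block** in the drop-down, but the option list above names that value **Enable**, not **Block**; align the two so readers find the option they are told to pick.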
## See also
-* [Protect important folders with controlled folder access](controlled-folders.md)
-* [Customize controlled folder access](customize-controlled-folders.md)
-* [Evaluate Microsoft Defender for Endpoint](evaluate-mde.md)
+- [Protect important folders with controlled folder access](controlled-folders.md)
+- [Customize controlled folder access](customize-controlled-folders.md)
+- [Evaluate Microsoft Defender for Endpoint](evaluate-mde.md)
security Enable Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-network-protection.md
localization_priority: Normal
-+ ms.technology: mde
Check if network protection has been enabled on a local device by using Registry
2. Choose **HKEY_LOCAL_MACHINE** from the side menu
-3. Navigate through the nested menus to **SOFTWARE** > **Microsoft** > **Windows Defender** > **Windows Defender Exploit Guard** > **Network Protection**
+3. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** > **Windows Defender** > **Windows Defender Exploit Guard** > **Network Protection**
4. Select **EnableNetworkProtection** to see the current state of network protection on the device
- * 0, or **Off**
- * 1, or **On**
- * 2, or **Audit** mode
-
- ![networkprotection](https://user-images.githubusercontent.com/3296790/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.PNG)
+ - 0, or **Off**
+ - 1, or **On**
+ - 2, or **Audit** mode
+
+ ![Network Protection registry key](../../media/95341270-b738b280-08d3-11eb-84a0-16abb140c9fd.png)
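Review bot: Adding **Policies** to the registry path is the right correction: the verification step later in this article already points at `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection`, and the two paths now agree. Moving the screenshot from a `user-images.githubusercontent.com` URL into `../../media/` is also right, since an external image can change or disappear independently of the docs. One leftover: the front-matter line `-+ ms.technology: mde` at the top of this file's diff looks like a mis-applied change and should be checked for a broken YAML line.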
## Enable network protection Enable network protection by using any of these methods:
-* [PowerShell](#powershell)
-* [Mobile Device Management (MDM)](#mobile-device-management-mdm)
-* [Microsoft Endpoint Manager / Intune](#microsoft-endpoint-manager-formerly-intune)
-* [Group Policy](#group-policy)
+- [PowerShell](#powershell)
+- [Mobile Device Management (MDM)](#mobile-device-management-mdm)
+- [Microsoft Endpoint Manager / Intune](#microsoft-endpoint-manager-formerly-intune)
+- [Group Policy](#group-policy)
### PowerShell
Use the following procedure to enable network protection on domain-joined comput
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**.
-> [!NOTE]
-> On older versions of Windows, the group policy path may say "Windows Defender Antivirus" instead of "Microsoft Defender Antivirus."
+ > [!NOTE]
+ > On older versions of Windows, the group policy path may say "Windows Defender Antivirus" instead of "Microsoft Defender Antivirus."
4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options:
- * **Block** - Users can't access malicious IP addresses and domains
- * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains
- * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log. However, the user won't be blocked from visiting the address.
+ - **Block** - Users can't access malicious IP addresses and domains
+ - **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains
+ - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log. However, the user won't be blocked from visiting the address.
> [!IMPORTANT] > To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu.
Confirm network protection is enabled on a local computer by using Registry edit
2. Navigate to **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection** 3. Select **EnableNetworkProtection** and confirm the value:
- * 0=Off
- * 1=On
- * 2=Audit
+ - 0=Off
+ - 1=On
+ - 2=Audit
## See also
-* [Network protection](network-protection.md)
-* [Evaluate network protection](evaluate-network-protection.md)
-* [Troubleshoot network protection](troubleshoot-np.md)
+- [Network protection](network-protection.md)
+- [Evaluate network protection](evaluate-network-protection.md)
+- [Troubleshoot network protection](troubleshoot-np.md)
security Get Package Sas Uri https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-package-sas-uri.md
## API description Get a URI that allows downloading of an [Investigation package](collect-investigation-package.md). -
+> [!IMPORTANT]
+>
+> - These actions are only available for devices on Windows 10, version 1703 or later.
## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Access the Microsoft Defender for Endpoint APIs](apis-intro.md)
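Review bot: The new IMPORTANT callout wraps a single sentence in a one-item bullet list; a plain sentence reads better inside a callout. The API description line above it ends with a stray ` -`, which looks like the remnant of a removed blank line and should be cleaned up in the same commit.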
security Import Export Exploit Protection Emet Xml https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml.md
When you've configured exploit protection to your desired state (including both
2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**:
- ![Highlight of the Exploit protection settings option in the Windows Security app](/microsoft-365/security/defender-endpoint/images/wdsc-exp-prot)
+ ![Highlight of the Exploit protection settings option in the Windows Security app](../../media/wdsc-exp-prot.png)
3. At the bottom of the **Exploit protection** section, select **Export settings**. Choose the location and name of the XML file where you want the configuration to be saved. > [!IMPORTANT] > If you want to use Default configuration, use the settings "On by default" instead of "Use Default (On)" to get the settings exported correctly on the XML file.
- ![Highlight of the Export Settings option](/microsoft-365/security/defender-endpoint/images/wdsc-exp-prot-export)
+ ![Highlight of the Export Settings option](../../media/wdsc-exp-prot-export.png)
> [!NOTE] > When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections (either section will export all settings).
You can use Group Policy to deploy the configuration you've created to multiple
3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit protection**.
- ![Screenshot of the group policy setting for exploit protection](/microsoft-365/security/defender-endpoint/images/exp-prot-gp)
+ ![Screenshot of the group policy setting for exploit protection](../../media/exp-prot-gp.png)
4. Double-click **Use a common set of Exploit protection settings** and set the option to **Enabled**.
security Linux Schedule Scan Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-schedule-scan-atp.md
Type "`:wq`" without the double quotes.
To view your cron jobs, type `sudo crontab -l` #### To inspect cron job runs
security Linux Static Proxy Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration.md
Title: Microsoft Defender for Endpoint on Linux static proxy discovery-+ description: Describes how to configure Microsoft Defender for Endpoint on Linux, for static proxy discovery. keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, installation, proxy search.product: eADQiWindows 10XVcnh
localization_priority: Normal audience: ITPro-+ - m365-security-compliance ms.technology: mde
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
During installation, the `HTTPS_PROXY` environment variable must be passed to th
``` - The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
-
+ ```bash Acquire::https::Proxy "http://proxy.server:port/"; ``` > [!CAUTION] > Note that above two methods could define the proxy to use for other applications on your system. Use this method with caution, or only if this is meant to be a generally global configuration.
-
-- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender for Endpoint:
- ```bash
+- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender for Endpoint:
+
+ ```bash
HTTPS_PROXY="http://proxy.server:port/" apt install mdatp ```
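Review bot: The added APT proxy example puts the opening fence, the `Acquire::https::Proxy "http://proxy.server:port/";` directive, the closing fence and the CAUTION callout on a single line; each needs its own line or the block will not render as code and the callout will be swallowed into it. The CAUTION itself is the point worth keeping prominent: both a global `HTTPS_PROXY` variable and the APT `Acquire::https::Proxy` setting apply to other applications on the system, as the callout says, so the text should present the per-command form shown further down (`HTTPS_PROXY="http://proxy.server:port/" apt install mdatp`) as the default and the global settings only when a system-wide proxy is intended.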
The `HTTPS_PROXY` environment variable may similarly be defined during uninstall
Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take much longer due to network timeouts. ## Post installation configuration
-
-After installation, the `HTTPS_PROXY` environment variable must be defined in the Defender for Endpoint service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
-> [!NOTE]
-> On CentOS or RedHat Linux distributions the location of the Endpoint service file is `/usr/lib/systemd/system/mdatp.service`.
+After installation, the `HTTPS_PROXY` environment variable must be defined in the Defender for Endpoint service file. To do this, run `sudo systemctl edit --full mdatp.service`.
+You can then propagate the variable to the service in one of two ways:
- Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address. - Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
-
+ ```bash HTTPS_PROXY="http://proxy.server:port/" ```
-After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:
+After modifying `mdatp.service`, save the file and restart the service so the changes can be applied using the following commands:
```bash
-systemctl daemon-reload; systemctl restart mdatp
+sudo systemctl daemon-reload; sudo systemctl restart mdatp
```
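Review bot: Replacing the direct edit of `/lib/systemd/system/mdatp.service` with `sudo systemctl edit --full mdatp.service` is a good change, and it makes the removed CentOS/RedHat path note unnecessary because systemctl locates the unit file itself; the text should say that explicitly so readers of the older version understand why the note disappeared. Two follow-ups: the `EnvironmentFile=` option points readers at `/etc/environment` or a custom file, and if the proxy URL carries credentials the doc should say that file must be readable only by root; and the sentence "restart the service so the changes can be applied using the following commands" reads as if the commands are what apply the changes, so move the phrase: "Using the following commands, restart the service so the changes are applied".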
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
ms.technology: mde Previously updated : 08/04/2021 Last updated : 08/05/2021 # Manage Microsoft Defender Antivirus updates and apply baselines
All our updates contain
- integration improvements (Cloud, [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender)). <br/> <details>
-<summary> July-2021 (Platform: 4.18.2107.4 | Engine: 1.1.18400.x)</summary>
+<summary> July-2021 (Platform: 4.18.2107.4 | Engine: 1.1.18400.4)</summary>
-&ensp;Security intelligence update version: **x.xxx.xx.x**
-&ensp;Released: **date, 2021**
+&ensp;Security intelligence update version: **1.345.13.0**
+&ensp;Released: **August 5, 2021**
&ensp;Platform: **4.18.2107.4**
-&ensp;Engine: **1.1.18400.x**
+&ensp;Engine: **1.1.18400.4**
&ensp;Support phase: **Security and Critical Updates** ### What's new - Device control support added for Windows Portable Devices - Potentially unwanted applications (PUA) protection is turned on by default for consumers (See [Potentially unwanted apps will be blocked by default](https://support.microsoft.com/windows/potentially-unwanted-apps-will-be-blocked-by-default-b9f53cb9-7f1e-40bb-8c6b-a17e0ab6289e)) - Scheduled scans for Group Policy Object managed systems will adhere to user configured scan time
+- Improvements to the behavior monitoring engine
### Known Issues No known issues
We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). <details>
+<summary>1.1.2108.01</summary>
+
+&ensp;Package version: **1.1.2108.01**
+&ensp;Platform version: **4.18.2107.4**
+&ensp;Engine version: **1.1.18300.4**
+&ensp;Signature version: **1.343.2244.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+<br/>
+</details><details>
<summary>1.1.2107.02</summary> &ensp;Package version: **1.1.2107.02**
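Review bot: The new 1.1.2108.01 package entry lists Platform version 4.18.2107.4 with Engine version 1.1.18300.4, but the July 2021 release block updated in the same commit pairs platform 4.18.2107.4 with engine 1.1.18400.4; one of the two engine numbers is likely wrong and should be verified before merge. Filling in the security intelligence version (1.345.13.0) and release date (August 5, 2021) in place of the `x.xxx.xx.x` and `date, 2021` placeholders is correct; check that no other placeholder remains in that block.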
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
-+ ms.technology: mde Previously updated : 07/06/2021 Last updated : 08/05/2021 # Microsoft Defender Antivirus compatibility - **Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-## Summary
-Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another (non-Microsoft) antivirus/antimalware solution is used? Can you run Microsoft Defender Antivirus alongside another antivirus product? The answers depend on several factors, such as operating system and whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) together with your antivirus protection.
+Microsoft Defender Antivirus is automatically installed on endpoints running the following versions of Windows:
-## Important points to keep in mind
+- Windows 10 or later
+- Windows Server 2016
+- Windows Server, version 1803 or later
+- Windows Server 2019
-- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself).
+But what happens when another (non-Microsoft) antivirus/antimalware solution is used? Can you run Microsoft Defender Antivirus alongside another antivirus product? The answers depend on several factors, such as your operating system and whether you're using [Microsoft Defender for Endpoint](microsoft-defender-endpoint.md) (Defender for Endpoint) together with your antivirus protection.
-- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. You might see alerts in the [security center](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode.
+This article describes what happens with Microsoft Defender Antivirus and a non-Microsoft antivirus/antimalware solution, with or without Defender for Endpoint.
-- When [EDR in block mode](edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, EDR in block mode detects and remediate malicious items that are found on the device (post breach). EDR in block mode requires Microsoft Defender Antivirus to be enabled in either active mode or passive mode.
+## Antivirus protection without Defender for Endpoint
-- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
+This section describes what happens with Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware products on endpoints that are not onboarded to Defender for Endpoint. The following table summarizes what to expect: <br/><br/>
-- If you are enrolled in Microsoft Defender for Endpoint and you are using a non-Microsoft antivirus/antimalware product, then Microsoft Defender Antivirus is enabled in passive mode. Defender for Endpoint requires common information sharing from Microsoft Defender Antivirus in order to properly monitor your devices and network for intrusion attempts and attacks. To learn more, see [Microsoft Defender Antivirus compatibility with Microsoft Defender for Endpoint](defender-compatibility.md).
+| Windows version | Primary antivirus/antimalware solution | Microsoft Defender Antivirus state |
+|||-|-|
+| Windows 10 | Microsoft Defender Antivirus | Active mode |
+| Windows 10 | A non-Microsoft antivirus/antimalware solution | Disabled mode (happens automatically) |
+| Windows Server 2016 <br/><br/> Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | Microsoft Defender Antivirus | Active mode |
+| Windows Server 2016 <br/><br/> Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually) <sup>[[1](#fn1)]<sup></sup> |
-- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimwalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).
+(<a id="fn1">1</a>) On Windows Server, if you are running a non-Microsoft antivirus product, you can disable Microsoft Defender Antivirus by using Group Policy to turn Microsoft Defender Antivirus off, or by using the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to true.)
-- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints. You can also enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app.
+> [!TIP]
+> See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md) for key differences and management options for Windows Server installations. On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
-## Microsoft Defender Antivirus and non-Microsoft antivirus/antimalware solutions
+## Antivirus protection with Defender for Endpoint
-The operating system, antivirus product, and Defender for Endpoint affect whether Microsoft Defender Antivirus is in active mode, passive mode, or disabled. The following table summarizes what happens with Microsoft Defender Antivirus when non-Microsoft antivirus/antimalware solutions are used together or without Microsoft Defender for Endpoint.
+If your organization is using a non-Microsoft antivirus/antimalware solution together with Defender for Endpoint, Microsoft Defender Antivirus can, depending on your operating system, run in passive mode. <br/><br/>
-| Windows version | Antivirus/antimalware solution | Onboarded to <br/> Defender for Endpoint? | Microsoft Defender Antivirus state |
+| Windows version | Primary antivirus/antimalware solution | Microsoft Defender Antivirus state |
|||-|-|
-| Windows 10 | Microsoft Defender Antivirus | Yes | Active mode |
-| Windows 10 | Microsoft Defender Antivirus | No | Active mode |
-| Windows 10 | A non-Microsoft antivirus/antimalware solution | Yes | Passive mode (automatically) |
-| Windows 10 | A non-Microsoft antivirus/antimalware solution | No | Disabled mode (automatically) |
-| Windows Server, version 1803 or newer <p> Windows Server 2019 | Microsoft Defender Antivirus | Yes | Active mode |
-| Windows Server, version 1803 or newer <p> Windows Server 2019 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server, version 1803 or newer <p> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Yes | Microsoft Defender Antivirus must be set to passive mode (manually) <sup>[[1](#fn1)]<sup> |
-| Windows Server, version 1803 or newer <p> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup></sup> |
-| Windows Server 2016 | Microsoft Defender Antivirus | Yes | Active mode |
-| Windows Server 2016 | Microsoft Defender Antivirus | No | Active mode |
-| Windows Server 2016 | A non-Microsoft antivirus/antimalware solution | Yes | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup> |
-| Windows Server 2016 | A non-Microsoft antivirus/antimalware solution | No | Microsoft Defender Antivirus must be disabled (manually) <sup>[[2](#fn2)]<sup> |
-
-(<a id="fn1">1</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server. You can set Microsoft Defender Antivirus to passive mode using PowerShell, Group Policy, or a registry key.
-
-If you are using Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
-- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`-- Name: `ForceDefenderPassiveMode`-- Type: `REG_DWORD`-- Value: `1`
+| Windows 10 or later | Microsoft Defender Antivirus | Active mode |
+| Windows 10 or later | A non-Microsoft antivirus/antimalware solution | Passive mode (happens automatically) |
+| Windows Server 2016 <br/><br/> Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | Microsoft Defender Antivirus | Active mode |
+| Windows Server, version 1803 or newer <br/><br/> Windows Server 2019 | A non-Microsoft antivirus/antimalware solution | Passive mode (set manually) <sup>[[2](#fn2)]<sup></sup> |
+| Windows Server 2016 | A non-Microsoft antivirus/antimalware solution | Disabled (set manually) <sup>[[3](#fn3)]<sup> |
-> [!NOTE]
-> Passive mode is not supported on Windows Server 2016. The `ForceDefenderPassiveMode` registry key can be used on Windows Server, version 1803 or newer, or Windows Server 2019, but not Windows Server 2016.
+(<a id="fn2">2</a>) On Windows Server, version 1803 or newer, or Windows Server 2019, when you install a non-Microsoft antivirus product, you can set Microsoft Defender Antivirus to passive mode manually. You can use the **ForceDefenderPassiveMode** registry key to perform this task. To use the registry key, navigate to `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`, and set or create a DWORD entry called `ForceDefenderPassiveMode`. Set its value to `1` (which sets the registry key's value to *true*). For more information, see [Passive mode and Windows Server](microsoft-defender-antivirus-on-windows-server.md#passive-mode-and-windows-server).
-(<a id="fn2">2</a>) On Windows Server 2016, if you are using a non-Microsoft antivirus product, you cannot run Microsoft Defender Antivirus in either passive mode or active mode. In such cases, [disable/uninstall Microsoft Defender Antivirus manually](microsoft-defender-antivirus-on-windows-server.md#are-you-using-windows-server-2016) to prevent problems caused by having multiple antivirus products installed on a server.
+(<a id="fn3">3</a>) On Windows Server 2016, you can disable Microsoft Defender Antivirus by using Group Policy to turn off Windows Defender Antivirus, or use the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key. To use the registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*).
-See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md) for key differences and management options for Windows Server installations.
+> [!TIP]
+> See [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md) for key differences and management options for Windows Server installations. On Windows Server 2016, you might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus*.
-> [!IMPORTANT]
-> Microsoft Defender Antivirus is only available on devices running Windows 10, Windows Server 2016, Windows Server, version 1803 or later, and Windows Server 2019.
->
-> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](/previous-versions/system-center/system-center-2012-R2/hh508760(v=technet.10)), which is managed through Microsoft Endpoint Configuration Manager.
->
-> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](/previous-versions/windows/it-pro/windows-8.1-and-8/dn344918(v=ws.11)#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
+### Why run Microsoft Defender Antivirus in passive mode?
-## How Microsoft Defender Antivirus affects Defender for Endpoint functionality
+Defender for Endpoint includes capabilities that further extend the antivirus protection that is installed on your endpoint. You can benefit from running Microsoft Defender Antivirus alongside another antivirus solution.
-The table in this section summarizes the functionality and features that are available in each state. The table is designed to be informational only. It is intended to describe the features & capabilities that are actively working or not, according to whether Microsoft Defender Antivirus is in active mode, in passive mode, or is disabled/uninstalled.
+For example, [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) provides added protection from malicious artifacts even if Microsoft Defender Antivirus is not the primary antivirus product. Such capabilities require Microsoft Defender Antivirus to be installed and running in passive mode or active mode.
-> [!IMPORTANT]
-> Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode.
+### Requirements for Microsoft Defender Antivirus to run in passive mode
-|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled |
-|:|:|:|:|:|
-| [Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) | Yes | No <sup>[[3](#fn3)]<sup> | No | No |
-| [Limited periodic scanning availability](limited-periodic-scanning-microsoft-defender-antivirus.md) | No | No | No | Yes |
-| [File scanning and detection information](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) | Yes | Yes | Yes | No |
-| [Threat remediation](configure-remediation-microsoft-defender-antivirus.md) | Yes | See note <sup>[[4](#fn4)]<sup> | Yes | No |
-| [Security intelligence updates](manage-updates-baselines-microsoft-defender-antivirus.md) | Yes | Yes | Yes | No |
+In order for Microsoft Defender Antivirus to run in passive mode, endpoints must meet the following requirements:
-(<a id="fn3">3</a>) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
+- Operating system: Windows 10 or later; Windows Server, version 1803 or newer; or Windows Server 2019
+- Microsoft Defender Antivirus must be installed
+- Another non-Microsoft antivirus/antimalware product must be installed and used as the primary antivirus solution
+- Endpoints must be onboarded to Defender for Endpoint
-(<a id="fn4">4</a>) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans.
+## How Microsoft Defender Antivirus affects Defender for Endpoint functionality
-> [!NOTE]
-> [Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode.
+Defender for Endpoint affects whether Microsoft Defender Antivirus can run in passive mode. Microsoft Defender Antivirus can affect certain capabilities in Defender for Endpoint, too. For example, real-time protection works when Microsoft Defender Antivirus is in active or passive mode, but not when Microsoft Defender Antivirus is disabled or uninstalled.
-## Why Defender for Endpoint matters
+The table in this section summarizes the features and capabilities that are actively working or not, according to whether Microsoft Defender Antivirus is in active mode, passive mode, or disabled/uninstalled.
-Consider onboarding your endpoints to Defender for Endpoint, even if you are using a non-Microsoft antivirus/antimalware solution. In most cases, when you onboard your devices to Defender for Endpoint, you can use Microsoft Defender Antivirus alongside your non-Microsoft antivirus solution for added protection. For example, you can use [EDR in block mode](edr-in-block-mode.md), which blocks and remediates malicious artifacts that your primary antivirus solution might have missed.
+> [!IMPORTANT]
+> The following table is designed to be informational only. **Do not turn off capabilities**, such as real-time protection, cloud-delivered protection, or limited periodic scanning if you are using Microsoft Defender Antivirus in passive mode, or if you are using [EDR in block mode](edr-in-block-mode.md), which works behind the scenes to detect and remediate malicious artifacts that were detected post-breach.
+<br/><br/>
-Here's how it works:
+| Protection | Microsoft Defender Antivirus <br/> Active mode | Microsoft Defender Antivirus <br/> Passive mode | Microsoft Defender Antivirus <br/> Disabled or uninstalled | [EDR in block mode](edr-in-block-mode.md) |
+|:|:|:|:|:|
+| [Real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) | Yes | No <sup>[[5](#fn5)]<sup> | No | No |
+| [Limited periodic scanning availability](limited-periodic-scanning-microsoft-defender-antivirus.md) | No | No | Yes | No |
+| [File scanning and detection information](review-scan-results-microsoft-defender-antivirus.md) | Yes | Yes | No | Yes |
+| [Threat remediation](configure-remediation-microsoft-defender-antivirus.md) | Yes | See note <sup>[[6](#fn6)]<sup> | No | Yes |
+| [Security intelligence updates](manage-updates-baselines-microsoft-defender-antivirus.md) | Yes | Yes | No | Yes |
-- If your organization's client devices are protected by a non-Microsoft antivirus/antimwalware solution, when those devices are onboarded to Defender for Endpoint, Microsoft Defender Antivirus goes into passive mode automatically. In this case, threat detections occur, but real-time protection and threats are not remediated by Microsoft Defender Antivirus.
-
- > [!NOTE]
- > This particular scenario does not apply to endpoints running Windows Server.
+(<a id="fn5">5</a>) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
-- If your organization's client devices are protected by a non-Microsoft antivirus/antimalware solution, and those devices are not onboarded to Microsoft Defender for Endpoint, then Microsoft Defender Antivirus goes into disabled mode automatically. In this case, threats are not detected or remediated by Microsoft Defender Antivirus.
-
- > [!NOTE]
- > This particular scenario does not apply to endpoints running Windows Server.
+(<a id="fn6">6</a>) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans.
+
+> [!NOTE]
+> [Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode.
-- If your organization's endpoints are running Windows Server and those endpoints are protected by a non-Microsoft antivirus/antimalware solution, when those endpoints are onboarded to Defender for Endpoint, Microsoft Defender Antivirus does not go into either passive mode or disabled mode automatically. In this particular scenario, you must configure your Windows Server endpoints appropriately.
+## Important notes
- - On Windows Server, version 1803 or newer, and Windows Server 2019, you can set Microsoft Defender Antivirus to run in passive mode.
- - On Windows Server 2016, Microsoft Defender Antivirus must be disabled (passive mode is not supported on Windows Server 2016).
+- Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
-- If your organization's endpoints are protected by a non-Microsoft antivirus/antimalware solution, when those devices are onboarded to Defender for Endpoint with [EDR in block mode](/microsoft-365/security/defender-endpoint/edr-in-block-mode) enabled, then Defender for Endpoint blocks and remediates malicious artifacts.
-
- > [!NOTE]
- > This particular scenario does not apply to Windows Server 2016. EDR in block mode requires Microsoft Defender Antivirus to be enabled in either active mode or passive mode.
+- In Defender for Endpoint, turn EDR in block mode on, even if Microsoft Defender Antivirus is not your primary antivirus solution. EDR in block mode detects and remediate malicious items that are found on the device (post breach). To learn more, see [EDR in block mode](edr-in-block-mode.md).
+## More details about Microsoft Defender Antivirus states
-> [!WARNING]
-> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+The table in this section describes various states you might see with Microsoft Defender Antivirus. <br/><br/>
+| Microsoft Defender Antivirus state | What happens |
+|||
+| Active mode | In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. Settings that are configured by using Configuration Manager, Group Policy, Microsoft Intune, or other management products will apply. Files are scanned, threats are remediated, and detection information is reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the endpoint itself). |
+| Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are *not* remediated by Microsoft Defender Antivirus. Threats can be remediated by [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), however.<br/><br/> Files are scanned, and reports are provided for threat detections that are shared with the Defender for Endpoint service. You might see alerts in the [security center](microsoft-defender-security-center.md) showing Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in passive mode. <br/><br/>When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have a non-Microsoft antivirus product that is providing real-time protection from malware. <br/><br/>For optimal security layered defense and detection efficacy, make sure to get your antivirus and antimwalware updates, even if Microsoft Defender Antivirus is running in passive mode. See [Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md). <br/><br/>**NOTE**: Passive mode is not supported on Windows Server 2016. |
+| Disabled <br/>or<br/>Uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.<br/><br/> Disabling or uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. <br/><br/>In cases where Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the non-Microsoft antivirus/antimalware product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. The automatic re-enabling of Microsoft Defender Antivirus helps to ensure that antivirus protection is maintained on your endpoints.<br/><br/>You might also use [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which works with the Microsoft Defender Antivirus engine to periodically check for threats if you are using a non-Microsoft antivirus app. |
## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server.md) - [EDR in block mode](edr-in-block-mode.md)-- [Configure Endpoint Protection](/mem/configmgr/protect/deploy-use/endpoint-protection-configure)-- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) - [Learn about Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-learn-about)
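Review bot: The new paragraph under "## How Microsoft Defender Antivirus affects Defender for Endpoint functionality" says "real-time protection works when Microsoft Defender Antivirus is in active or passive mode", but the table right below it marks real-time protection and cloud-delivered protection as "No" for passive mode, and footnote 5 says real-time protection provides no blocking or enforcement in passive mode; pick an example that the table supports (file scanning and detection information is "Yes" in both modes) or drop the sentence so prose and table agree. Second, the separator rows reused under the two new three-column tables (`|||-|-|`) contain four cells, two of them empty, and the two-column states table uses `|||`; both can fail to render as tables, so use `|---|---|---|` and `|---|---|`. Third, the footnote markers in several rows open `<sup>` twice and close it at most once (`<sup>[[1](#fn1)]<sup></sup>`, `<sup>[[3](#fn3)]<sup>`); the intended markup is `<sup>[[1](#fn1)]</sup>`. Footnotes 1 and 3 repeat the same DisableAntiSpyware registry instructions word for word; one can point to the other. The "Do not disable, stop, or modify ... services" guidance was a `[!WARNING]` callout before this change and is now an ordinary bullet under "Important notes", which loses the severity signal; keep it as a callout. Minor: "antimwalware" in the passive-mode row is a typo carried over from the old text, "detects and remediate" in the EDR bullet should read "detects and remediates", the Windows 10 row in the first table says "Disabled mode (happens automatically)" while the server rows say "Disabled (set manually)", and footnote 1 ends with the period inside the parentheses unlike footnotes 2 and 3.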
security Microsoft Defender Antivirus On Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server.md
ms.technology: mde Previously updated : 05/13/2021 Last updated : 08/05/2021 # Microsoft Defender Antivirus on Windows Server
The process of setting up and running Microsoft Defender Antivirus on a server p
4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence). 5. (As needed) [Submit samples](#submit-samples). 6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions).
-7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode).
+7. (Only if necessary) Set [Windows Server to passive mode](#passive-mode-and-windows-server).
## Enable the user interface on Windows Server
To help ensure security and performance, certain exclusions are automatically ad
See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
-## Need to set Microsoft Defender Antivirus to passive mode?
+## Passive mode and Windows Server
If you are using a non-Microsoft antivirus product as your primary antivirus solution on Windows Server, you must set Microsoft Defender Antivirus to passive mode or disabled mode. -- On Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode.
+- On Windows Server, version 1803 or newer, or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode. See the following sections:
+
+ - [Set Microsoft Defender Antivirus to passive mode using a registry key](#set-microsoft-defender-antivirus-to-passive-mode-using-a-registry-key)
+ - [Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard](#disable-microsoft-defender-antivirus-using-the-remove-roles-and-features-wizard)
+ - [Turn off the Microsoft Defender Antivirus user interface using PowerShell](#turn-off-the-microsoft-defender-antivirus-user-interface-using-powershell)
-- On Windows Server 2016, Microsoft Defender Antivirus is not supported alongside a non-Microsoft antivirus/antimalware product. In these cases, you must set Microsoft Defender Antivirus to disabled mode.
+- On Windows Server 2016, Microsoft Defender Antivirus is not supported alongside a non-Microsoft antivirus/antimalware product. In these cases, you must set Microsoft Defender Antivirus to disabled mode. See [Uninstalling or disabling Microsoft Defender Antivirus on Windows Server 2016](#uninstalling-or-disabling-microsoft-defender-antivirus-on-windows-server-2016)
### Set Microsoft Defender Antivirus to passive mode using a registry key
To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell c
Uninstall-WindowsFeature -Name Windows-Defender-GUI ```
-### Are you using Windows Server 2016?
+### Uninstalling or disabling Microsoft Defender Antivirus on Windows Server 2016
-If you are using Windows Server 2016 and a third-party antimalware/antivirus product that is not offered or developed by Microsoft, you'll need to disable/uninstall Microsoft Defender Antivirus.
+If you are using Windows Server 2016 with a non-Microsoft antimalware/antivirus product, you'll need to either disable or uninstall Microsoft Defender Antivirus. You can use one of several methods:
-> [!NOTE]
-> You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
-
-The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016:
-
-```PowerShell
-Uninstall-WindowsFeature -Name Windows-Defender
-```
-
-To disable Microsoft Defender Antivirus on Windows Server 2016, use the following PowerShell cmdlet:
-
-```PowerShell
-Set-MpPreference -DisableRealtimeMonitoring $true
-```
+| Procedure | Description |
+|||
+| Disable Microsoft Defender Antivirus using Group Policy | In your Local Group Policy Editor, navigate to **Windows Defender**, and then select **Turn off Windows Defender Antivirus**. |
+| Disable Microsoft Defender Antivirus using a registry key | To use the the [DisableAntiSpyware](/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key, navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`, and set or create a DWORD entry called `DisableAntiSpyware`. Set its value to `1` (which sets the registry key's value to *true*). |
+| Disable Microsoft Defender Antivirus using PowerShell | Use the following PowerShell cmdlet: `Set-MpPreference -DisableRealtimeMonitoring $true` |
+| Uninstall Microsoft Defender Antivirus using PowerShell | Use the following PowerShell cmdlet: `Uninstall-WindowsFeature -Name Windows-Defender` |
## See also
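Review bot: Step 7 of the setup list now reads "Set [Windows Server to passive mode]", but it is Microsoft Defender Antivirus, not Windows Server, that is put into passive mode; suggest "Set [Microsoft Defender Antivirus to passive mode](#passive-mode-and-windows-server)". In the same section, the bullet "you can set Microsoft Defender Antivirus to passive mode. See the following sections:" links three sections, but only the registry-key section is about passive mode; the Remove Roles and Features wizard and the PowerShell UI section disable or hide the product, so move those two links under a separate sentence about disabling, or say what each does. In the new Windows Server 2016 table, the row titled "Disable Microsoft Defender Antivirus using PowerShell" runs `Set-MpPreference -DisableRealtimeMonitoring $true`; the parameter name indicates it turns off real-time monitoring only, not the product as the Group Policy and registry rows do, so clarify the row title or state the difference. The note removed by this change ("You can't uninstall the Windows Security app, but you can disable the interface") is not carried into the new table and is still useful. Minor: the separator `|||` has empty cells (use `|---|---|`), "To use the the" duplicates a word, and the Windows Server 2016 bullet lacks a closing period.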
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
For more information on live response, see [Investigate entities on devices usin
As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.
+> [!IMPORTANT]
+>
+> - These response actions are only available for devices on Windows 10, version 1703 or later.
+ To download the package (Zip file) and investigate the events that occurred on a device 1. Select **Collect investigation package** from the row of response actions at the top of the device page.
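Review bot: The new `[!IMPORTANT]` callout says "These response actions" but is placed under the text about collecting an investigation package, so it is not clear whether it covers only that action or the whole row of response actions mentioned in the next sentence; name the action(s) it applies to, or move the callout above the list of response actions. A one-item bulleted list inside the callout can be a plain sentence.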
security Run Av Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-av-scan.md
Initiate Microsoft Defender Antivirus scan on a device.
[!include[Device actions note](../../includes/machineactionsnote.md)]
+> [!IMPORTANT]
+>
+> - This action is available for devices on Windows 10, version 1709 or later.
+> - A Microsoft Defender Antivirus (Microsoft Defender AV) scan can run alongside other antivirus solutions, whether Microsoft Defender AV is the active antivirus solution or not. Microsoft Defender AV can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
+ ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
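Review bot: The link in the new callout, `/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md`, combines a site-rooted path with a `.md` extension; the other site-rooted links in this batch (for example `/microsoft-365/compliance/endpoint-dlp-learn-about`) have no `.md`, and the compatibility article edited at the top of this batch links its sibling files with plain relative paths such as `microsoft-defender-antivirus-on-windows-server.md`, so either drop the extension or use the relative form, and verify the link resolves. Minor: "Passive mode" is capitalized here while every other occurrence in this batch uses "passive mode".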
security Whats New In Microsoft Defender Atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-atp.md
For more information on preview features, see [Preview features](preview.md).
> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: > > ```https
-> /api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=
+> https://docs.microsoft.com/api/search/rss?search=%22features+are+generally+available+%28GA%29+in+the+latest+release+of+Microsoft+Defender+for+Endpoint%22&locale=en-us&facet=
> ``` ## June 2021
security Advanced Hunting Query Emails Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-emails-devices.md
EmailAttachmentInfo
| join ( //Check devices for any activity involving the attachments DeviceFileEvents
-| project FileName, SHA256
+| project FileName, SHA256, DeviceName, DeviceId
) on SHA256 | project Timestamp, FileName , SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress ```
security Integrate Microsoft 365 Defender Secops https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops.md
Title: Introduction to integrating Microsoft 365 Defender into your security operations
+ Title: Integrating Microsoft 365 Defender into your security operations
description: The basics of integrating Microsoft 365 Defender into your security operations. keywords: incidents, alerts, investigate, correlation, attack, devices, users, identities, identity, mailbox, email, 365, microsoft, m365, incident response, cyber-attack, secops, security operations, soc search.product: eADQiWindows 10XVcnh
search.appverid:
- MET150 ms.technology: m365d
-# Introduction to integrating Microsoft 365 Defender into your security operations
+# Integrating Microsoft 365 Defender into your security operations
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
security Whats New In Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-defender-for-office-365.md
Learn more by watching [this video](https://www.youtube.com/watch?v=Tdz6KfruDGo&
- User restricted from sharing forms and collecting responses - Form blocked due to potential phishing attempt - Form flagged and confirmed as phishing
- - [New alert policies for ZAP](new-defender-alert-policies.md)
-- Microsoft Defender for Office 365 alerts are now integrated into Microsoft 365 Defender - [Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue](investigate-alerts.md)
+ - [New alert policies for ZAP](../../compliance/new-defender-alert-policies.md)
+- Microsoft Defender for Office 365 alerts are now integrated into Microsoft 365 Defender - [Microsoft 365 Defender Unified Alerts Queue and Unified Alerts Queue](../defender/investigate-alerts.md)
- [User Tags](user-tags.md) are now integrated into Microsoft Defender for Office 365 alerting experiences, including: the alerts queue and details in Office 365 Security & Compliance, and scoping custom alert policies to user tags to create targeted alert policies. - Tags are also available in the unified alerts queue in the Microsoft 365 Defender center (Microsoft Defender for Office 365 Plan 2)