Updates from: 08/07/2021 03:16:53
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Retention Policies Yammer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-yammer.md
For other workloads, see:
## What's included for retention and deletion
-The following Yammer items can be retained and deleted by using retention policies for Yammer: Community messages and user messages.
+Yammer user messages and community messages can be deleted by using retention policies for Yammer, and in addition to the text in the messages, the following items can be retained for compliance reasons: Hypertext links and links to other Yammer messages.
-Reactions from others in the form of emoticons are not included in these messages.
+User messages include all the names of the people in the chat, and community messages include the community name and the message title (if supplied).
+
+Reactions from others in the form of emoticons are not retained when you use retention policies for Yammer.
+
+Files that you use with Yammer aren't included in retention policies for Yammer. These items have their own retention policies.
## How retention works with Yammer
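Review bot: the rewritten first bullet ("Yammer user messages and community messages can be deleted by using retention policies ... the following items can be retained") splits retain and delete across two clauses, so it now reads as if message text is only deleted and only links are retained; keep the removed line's "can be retained and deleted" wording for the messages and then list the extra items that are kept with them (hypertext links, links to other Yammer messages). The new line "Files that you use with Yammer aren't included ... These items have their own retention policies" should say which policies those are (the retention locations that hold the files) or link to them, otherwise a reader cannot act on it.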
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft 365 compliance center](micr
> > And visit the [Microsoft 365 Roadmap](https://www.microsoft.com/microsoft-365/roadmap) to learn about Microsoft 365 features that were launched, are rolling out, are in development, have been cancelled, or previously released.
+## July 2021
+
+### Advanced eDiscovery
+
+- [Advanced eDiscovery workflow for content in Microsoft Teams using large cases](teams-workflow-in-advanced-ediscovery.md) added an end-to-end workflow of managing Teams content in Advanced eDiscovery; includes details about the preview of the new conversation transcript functionality.
+- [Use large cases in Advanced eDiscovery](advanced-ediscovery-large-cases.md) added a preview of new large case format that extends review set and case limits and supports conversation transcripts for Teams and Yammer chat conversations.
+
+### App governance
+
+- The [app governance add-on for Microsoft Cloud App Security](app-governance-manage-app-governance.md) (MCAS) has gone into public preview. App governance provides monitoring of OAUth-based apps in your M365 tenant and generates alerts for activity that might represent malware or inappropriate levels of permissions.
+
+### Compliance offerings
+
+- [Compliance offerings](/compliance/regulatory/offering-home) changes focusing on applicable service coverage and updates to align more closely with the [Azure offerings](/azure/compliance) for applicable regulations.
+
+### Compliance & service assurance
+
+- [Service assurance](/compliance/) (updated; quarterly review content updates for certifications and statements of applicability)
+ - Cloud background checks
+ - Employee transfer & termination
+ - Governance
+ - Human resources
+ - Incident management
+ - Pre-employment screening
+ - Security incident management (SIM)
+ - SIM ΓÇô Containment, eradication, and recovery
+ - SIM ΓÇô Detection & analysis
+ - SIM ΓÇô Post-incident reporting
+ - SIM ΓÇô Preparation
+ - Tenant isolation
+
+### Data classification
+
+- [Learn about data classification](data-classification-overview.md). Updated for GA release of discrimination trainable classifier.
+
+### Data loss prevention
+
+- [Learn about Microsoft 365 Endpoint data loss prevention](endpoint-dlp-learn-about.md) added updated guidance on Always audit file activity for devices.
+- [Get started with the data loss prevention on-premises scanner](dlp-on-premises-scanner-get-started.md) updated for GA release.
+- [Learn about the Microsoft 365 data loss prevention on-premises scanner](dlp-on-premises-scanner-learn.md) updated for GA release.
+- [Use the Microsoft 365 data loss prevention on-premises scanner](dlp-on-premises-scanner-use.md) updated for GA release.
+- [Use data loss prevention policies for non-Microsoft cloud apps](dlp-use-policies-non-microsoft-cloud-apps.md) updated for GA release and MIP-MCAS integration.
+
+### Insider risk management
+
+- [Investigate insider risk management activities](insider-risk-management-activities.md) added content updates for new User activity reports and new dismiss multiple alerts preview features.
+- [Get started with insider risk management settings](insider-risk-management-settings.md) added content updates for new RBAC functionality to choose reviewers for priority user groups preview feature.
+
+### Privacy management
+
+- Microsoft [privacy management](privacy-management.md) has gone into public preview. Privacy management helps your organization understand and manage the personal data in your Microsoft 365 environment, remediate potential privacy risks, and fulfill subject rights requests.
+
+### Retention and records management
+- In preview: [Retention policies for Teams](create-retention-policies.md#retention-policy-for-teams-locations) now supports private channels as a new Teams location when you create or edit a retention policy
+- Instructions for [importing a file plan](file-plan-manager.md#import-retention-labels-into-your-file-plan) are updated to include regulatory records and dependencies are now listed for each entry
+
+### Sensitive information types
+
+The following pages were added:
+
+- [Custom sensitive information type filters reference](sit-custom-sit-filters.md)
+- [Modify a custom sensitive information type using PowerShell](sit-modify-a-custom-sensitive-information-type-in-powershell.md)
+- [Remove a custom sensitive information type using PowerShell](sit-remove-a-custom-sensitive-information-type-in-powershell.md)
+
+### Sensitivity labels
+- Trainable classifiers are now generally available (GA) for [auto-labeling in Office apps](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-for-office-apps) for Windows and the web (Office Online)
+- Mandatory labeling is now extended to [Power BI (in preview)](/power-bi/admin/service-security-sensitivity-label-mandatory-label-policy)
+- For [co-authoring for files encrypted with sensitivity labels]( sensitivity-labels-coauthoring.md): Rolling out support for DLP policies that use sensitivity labels as conditions and unencrypted attachments for emails
+- Auditing events for Outlook is now available for macOS, iOS, and Android, and rolling out for Outlook on the web
+ ## June 2021 ### Customer Key
Content was added or updated in the following topics:
- **SharePoint external sharing**. For [container labels](sensitivity-labels-teams-groups-sites.md) the option for external sharing from SharePoint sites is now released as generally available. Additionally, the Microsoft 365 admin center and Planner now support applying these sensitivity labels. - **Co-authoring and AutoSave**. Support for [co-authoring and AutoSave](sensitivity-labels-coauthoring.md) for encrypted files is released as preview for testing in non-production tenants.-
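Review bot: "OAUth-based apps" in the App governance bullet should be "OAuth-based apps", and the SIM sub-bullets under Compliance & service assurance contain a mis-encoded en dash ("SIM ΓÇô Containment, ...") that should be a plain hyphen. The line "## June 2021 ### Customer Key" puts two headings on one line, so the June 2021 section header will not render; each heading needs its own line, and the "### Retention and records management" and "### Sensitivity labels" headings are missing the blank line before their bullet lists that every other subsection in this hunk has.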
-## January 2021
-
-### Support for card content in Teams
-
-The following Microsoft 365 compliance solutions now support the detection of [card content](/microsoftteams/platform/task-modules-and-cards/what-are-cards) generated through apps in Teams messages:
--- **Core and Advanced eDiscovery**. Card content can now be [placed on hold](create-ediscovery-holds.md#preserve-card-content) or included in [searches](/microsoftteams/ediscovery-investigation#search-for-card-content) (applies to content search as well).-- **Audit**. Card activity is now [recorded to the audit log](/microsoftteams/audit-log-events#teams-activities).-- **Retention policies**. Can now use retention policies to [retain and delete card content](retention-policies-teams.md#whats-included-for-retention-and-deletion).-
-### Information governance and records management
-
-[New assessment](retention-regulatory-requirements.md#new-zealand-public-records-act) to address using information governance and records management to help meet compliance obligations for the New Zealand Public Records Act.
-
-### Sensitivity labels
--- Sensitivity labels are now supported for US Government tenants (GCC and GCC-H).-- New [automatic labeling](sensitivity-labels-office-apps.md) support for macOS.
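Review bot: this hunk deletes the whole January 2021 section (card content support in eDiscovery, audit and retention; the New Zealand Public Records Act assessment; GCC/GCC-H support and macOS auto-labeling) without any indication that the content moved; if the page keeps a rolling window of months, state that policy near the top of the page (next to the Roadmap pointer) so the removal reads as intended rather than as lost content, and check that nothing else links to the removed anchors.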
contentunderstanding Set Up Content Understanding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/set-up-content-understanding.md
To use SharePoint Syntex, your organization must have a subscription to SharePoi
To use form processing, you also need AI Builder credits. If you have 300 or more licensed users, an allocation of AI Builder credits is provided each month.
-For details about SharePoint Syntex licensing, see [SharePoint Syntex licensing](syntex-licensing.md)
- ## To set up SharePoint Syntex 1. In the Microsoft 365 admin center, select **Setup**, and then view the **Files and content** section.
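Review bot: the second `-` line removes the "## To set up SharePoint Syntex" heading together with its first step, not just the blank line after the dropped licensing link; if only the link was meant to go, restore the heading and step 1. The sentence kept above it ("If you have 300 or more licensed users, an allocation of AI Builder credits is provided each month") still relies on the licensing detail that lived in syntex-licensing.md, so add a replacement link to wherever licensing is now documented.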
contentunderstanding Syntex Licensing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/syntex-licensing.md
- Title: 'Licensing for SharePoint Syntex'------
- - enabler-strategic
- - m365initiative-syntex
-localization_priority: Priority
-description: "Learn about licensing for SharePoint Syntex"
--
-# Licensing for SharePoint Syntex
-
-To use SharePoint Syntex, your organization must have a subscription to SharePoint Syntex, and each Syntex user must have a license. If you cancel your SharePoint Syntex subscription at a future date (or your trial expires), users will no longer be able to create, publish, or run document understanding or form processing models. Additionally, term store reports, SKOS taxonomy import, and Content type push will no longer be available. No models, content or metadata will be deleted and site permissions will not be changed.
-
-## Tasks requiring a license
-
-The following tasks require a SharePoint Syntex license for the user performing them:
-
-- Uploading content to a document library that has an associated document understanding model-- Manually running a document understanding model-- Creating a form processing model via the entry point in a SharePoint library-- Uploading content to a library where a form processing model has been applied-- Viewing the metadata extracted from files using a document understanding or forms processing model
-
-Unlicensed users can be granted access to a content center and can create document understanding models there but can't apply them to a document library.
-
-## Cost of running models
-
-The cost of running document understanding models is included in the cost of a SharePoint Syntex license. However, form processing models use AI Builder capacity, for both training and runtime processing. Capacity must be allocated to the Power Apps environment where you will use AI Builder.
-
-If you have 300 or more SharePoint Syntex licenses for SharePoint Syntex in your organization, you will be allocated one million AI Builder credits. This capacity is renewed each month if you maintain the 300-license minimum. (Unused credits don't roll over from month to month.) If you have fewer than 300 licenses, you must purchase AI Builder credits in order to use forms processing.
-
-You can estimate the AI Builder capacity thatΓÇÖs right for you with the [AI Builder calculator](https://powerapps.microsoft.com/ai-builder-calculator).
-
-If you plan to use a custom Power Platform environment, you must [allocate credits to that environment](/power-platform/admin/capacity-add-on).
-
-Go to the [Power Platform admin center](https://admin.powerplatform.microsoft.com/resources/capacity) to check your credits and usage.
-
-## Additional term store features
-
-A subscription to SharePoint Syntex features the following additional term store features:
-
-- SKOS-based term set import-- Pushing enterprise content types to a hub site, which also adds them to the associated sites and any newly created lists or libraries-- Term store reports providing insights into published term sets and their use across your tenant--
-## See also
-
-[Licensing overview for Microsoft Power Platform](/power-platform/admin/pricing-billing-skus)
-
-[Power Apps and Power Automate licensing FAQ](/power-platform/admin/powerapps-flow-licensing-faq)
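Review bot: deleting the licensing page removes the only place that lists which tasks need a Syntex license, the AI Builder credit allocation (one million credits per month at 300 or more licenses, no rollover), and the Power Platform admin center capacity link; confirm this content was relocated before merging and add a redirect for syntex-licensing.md, since the set-up page in this same changeset drops its link to it and other inbound links will otherwise 404.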
enterprise Lightweight Base Configuration Microsoft 365 Enterprise https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/lightweight-base-configuration-microsoft-365-enterprise.md
$commonPW="<common user account password>"
$PasswordProfile=New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile $PasswordProfile.Password=$commonPW
-$userUPN= "user2@" + $orgName + ".onmicrosoft.com"
-New-AzureADUser -DisplayName "User 2" -GivenName User -SurName 2 -UserPrincipalName $userUPN -UsageLocation $loc -AccountEnabled $true -PasswordProfile $PasswordProfile -MailNickName "user2"
$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense $License.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ).SkuID $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses $LicensesToAssign.AddLicenses = $License
-Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $LicensesToAssign
-$userUPN= "user3@" + $orgName + ".onmicrosoft.com"
-New-AzureADUser -DisplayName "User 3" -GivenName User -SurName 3 -UserPrincipalName $userUPN -UsageLocation $loc -AccountEnabled $true -PasswordProfile $PasswordProfile -MailNickName "user3"
-$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
-$License.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ).SkuID
-$LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
-$LicensesToAssign.AddLicenses = $License
-Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $LicensesToAssign
-
-$userUPN= "user4@" + $orgName + ".onmicrosoft.com"
-New-AzureADUser -DisplayName "User 4" -GivenName User -SurName 4 -UserPrincipalName $userUPN -UsageLocation $loc -AccountEnabled $true -PasswordProfile $PasswordProfile -MailNickName "user4"
-$License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
-$License.SkuId = (Get-AzureADSubscribedSku | Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ).SkuID
-$LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
-$LicensesToAssign.AddLicenses = $License
-Set-AzureADUserLicense -ObjectId $userUPN -AssignedLicenses $LicensesToAssign
+for($i=2;$i -le 4; $i++) {
+ $userUPN= "user$($i)@$($orgName).onmicrosoft.com"
+ New-AzureADUser -DisplayName "User $($i)" -GivenName User -SurName $i -UserPrincipalName $userUPN -UsageLocation $loc -AccountEnabled $true -PasswordProfile $PasswordProfile -MailNickName "user$($i)"
+ $userObjectID = (Get-AzureADUser -SearchString $userupn).ObjectID
+ Set-AzureADUserLicense -ObjectId $userObjectID -AssignedLicenses $LicensesToAssign
+}
``` > [!NOTE] > The use of a common password here is for automation and ease of configuration for a test environment. Obviously, this is highly discouraged for production subscriptions.
Explore these additional sets of Test Lab Guides:
[Microsoft 365 for enterprise overview](microsoft-365-overview.md)
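Review bot: `(Get-AzureADUser -SearchString $userupn).ObjectID` is a prefix search, so it returns an array if more than one object matches and `Set-AzureADUserLicense -ObjectId` then fails; either keep the removed form `Set-AzureADUserLicense -ObjectId $userUPN` (the parameter accepts a UPN) or capture the object that `New-AzureADUser` returns (`$user = New-AzureADUser ...` then `-ObjectId $user.ObjectId`), which also avoids a second directory round-trip right after creation. Building `$LicensesToAssign` once before the loop is correct, but the `Where-Object -Property SkuPartNumber -Value "ENTERPRISEPREMIUM" -EQ` lookup has no check that the SKU exists; a missing SKU gives a null `SkuId` and an unhelpful error at assignment time, so a one-line guard after the lookup would help the test-lab reader. The NOTE under the fence already flags the shared password; it is worth adding that all three accounts are created with `-AccountEnabled $true`, which is why this script is for test tenants only.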
-[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/)
+[Microsoft 365 for enterprise documentation](/microsoft-365-enterprise/)
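Review bot: this last hunk changes only trailing whitespace on the documentation link line; drop it from the commit so the diff is limited to the loop refactor.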
lti Teams Classes With Canvas https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/teams-classes-with-canvas.md
Microsoft Teams classes is a Learning Tools Interoperability (LTI) app that help
> [!NOTE] > The current Class Teams LTI only supports syncing Canvas users with Microsoft Azure Active Directory (AAD) in a limited scope.
-> - Your tenant must have an exact match between a Canvas field (email, user ID, or SIS ID) and the UPN in Microsoft AAD. We are working to expand flexibility to the syncing functionality, but in the meantime, any users in Canvas not matched to a UPN in AAD will not be added to the Teams class synced with Canvas.
+> - Your tenant must have an Microsoft Education license.
> - Only a single Microsoft tenant can be used for mapping users between Canvas and Microsoft. > - You will have to turn off SDS before using the Class Teams LTI in order to avoid duplication of groups. ## Microsoft Office 365 Admin
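Review bot: replacing the exact-match bullet with "Your tenant must have an Microsoft Education license" drops the only explanation of what "limited scope" in the NOTE's first line refers to, and "an Microsoft" should be "a Microsoft"; keep the license requirement, but since user matching is now described under step 5 (login attribute, suffix, AAD lookup attribute), either reword "limited scope" or point the NOTE at that step. The bullet about turning off SDS "to avoid duplication of groups" runs onto the same line as the "## Microsoft Office 365 Admin" heading; the heading needs its own line.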
-Before managing the Microsoft Teams integration within Instructure Canvas, it is important to have CanvasΓÇÖs **Microsoft-Teams-Sync-for-Canvas** Azure app approved by your institutionΓÇÖs Microsoft Office 365 admin in your Microsoft Azure tenant before completing the Canvas admin setup.
+Prior to managing the Microsoft Teams integration within Instructure Canvas, it is important to have CanvasΓÇÖs **Microsoft-Teams-Sync-for-Canvas** Azure app approved by your institutionΓÇÖs Microsoft Office 365 admin in your Microsoft Azure tenant before completing the Canvas admin setup.
1. Sign in to Canvas.
Before managing the Microsoft Teams integration within Instructure Canvas, it is
3. In the admin navigation, select the **Settings** link, and then the **Integrations** tab. 4. Enable Microsoft Teams Sync by turning the toggle on.
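Review bot: changing "Before managing" to "Prior to managing" leaves the sentence with both "Prior to ... " and "... before completing the Canvas admin setup", so it now states the ordering twice; keep one. The possessives in this line also carry a mis-encoded apostrophe ("CanvasΓÇÖs", "institutionΓÇÖs") that should be a plain apostrophe.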
+
+ ![Canvas Teams Sync Updated png](https://user-images.githubusercontent.com/87142492/128225881-abdfc52d-dc9e-48ad-aec5-f6617c6436f3.png)
- ![teams-sync](media/teams-sync.png)
-
-5. Enter your Microsoft tenant name and login attribute.
+5. Enter your Microsoft tenant name, login attribute, domain suffix, and AAD lookup attribute.
- The login attribute will be used for associating the Canvas user with an Azure Active Directory user.
+ These fields will be used for matching users in Canvas with users in Microsoft Azure Active Directory.
+ * The Login Attribute is the Canvas user attribute utilized for matching.
+ * The Suffix field is optional and lets you specify a domain when there isn't an exact mapping between Canvas attributes and Microsoft AAD fields. For example, if your Canvas email is 'name@example.edu' while the UPN in Microsoft AAD is 'name', you can match users by entering 'example.edu' in the suffix field.
+ * The Active Directory Lookup Attribute is the field on the Microsoft side which Canvas attributes are matched to. Select in between UPN, primary email address, or the email alias.
6. Select **Update Settings** once done.
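Review bot: the new screenshot is referenced from user-images.githubusercontent.com instead of the repo's media folder that the removed `media/teams-sync.png` line used; an externally hosted image is not versioned with the article, is not localized, and can disappear when the uploader deletes it, so commit the PNG under media/ and reference it relatively, and give it alt text that describes the screenshot rather than "Canvas Teams Sync Updated png". The suffix example also looks inverted: a UPN always carries a domain, so "Canvas email is 'name@example.edu' while the UPN in Microsoft AAD is 'name'" should probably read the other way round (Canvas login 'name', UPN 'name@example.edu', suffix 'example.edu'); confirm with the Canvas behaviour before merging. "Select in between UPN, primary email address, or the email alias" should be "Select UPN, primary email address, or email alias".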
managed-desktop Roles And Responsibilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/roles-and-responsibilities.md
Microsoft provides these key roles and responsibilities:
Role or responsibility | Description | MDM policy management | Microsoft will apply MDM policies according to best practices and consider requests for policy changes. We'll also make changes to your tenant as prescribed in [Device policies](../service-description/device-policies.md).
-User support | We provide a mechanism for elevated access to devices and for issues to get escalated if necessary. For more information, see [User support](../service-description/user-support.md).
+User support | We provide a mechanism for elevated access to devices and for issues to get escalated through a support request if necessary. For more information, see [User support](../service-description/user-support.md).
Microsoft Managed Desktop service support | Microsoft will provide support to your IT department through a Microsoft Managed Desktop Operations Team. This team will support technical troubleshooting, change requests, and incident management for the customerΓÇÖs Microsoft Managed Desktop environment. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md). Security monitoring | Microsoft will monitor your Microsoft Managed Desktop devices using Microsoft Defender for Endpoint. If the Microsoft Managed Desktop Security Operations Center (SOC) detects a threat, we will notify you, isolate the device, and rectify the issue remotely. For more information, see [Security](../service-description/security.md). Update monitoring and management | We actively monitor your Microsoft Managed Desktop devices to ensure that the latest quality and feature updates are installed for Microsoft Windows and Microsoft Office. For more information, see [How updates are handled](../service-description/updates.md).
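Review bot: "escalated through a support request" is the right clarification, but the row still links only to user-support.md, while creating a support request is described in admin-support.md (linked from the next row); link the phrase to the admin support page so the reader lands on the procedure. The "customerΓÇÖs" in the trailing context row is a mis-encoded apostrophe worth fixing while this file is open.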
managed-desktop User Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/user-support.md
Your IT admin is responsible for these items:
- Working with the support provider to set and manage service level agreements for user support - Managing elevated access privileges for approved support staff. For more information, see [Enable user support features](../get-started/enable-support.md)-- If there are device issues affecting multiple users, escalating those by using the Microsoft Managed Desktop admin support process. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md).
+- If there are device issues affecting users, escalating those by using the Microsoft Managed Desktop admin support process. For more information, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md).
- Route hardware-related issues to the appropriate vendor or supplier - Maintain and protect device security policy settings on Microsoft Managed Desktop devices by preventing the policies we set from being changed.
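Review bot: dropping "multiple" from "device issues affecting multiple users" widens the admin support process to single-user issues, but the Escalation portal section further down routes Sev C single-user issues through designated support staff; if both paths are now valid for a single user, say how they differ (severity, who files), otherwise keep "multiple" here. The bullets in the trailing context are also run together on one line and should each start on their own line.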
Integrating your existing processes with this workflow for Microsoft Managed Des
If a user issue needs to be escalated to Microsoft Managed Desktop, it's helpful to identify which team the issue should be directed to. We can transfer cases appropriately, but it saves time to route them to the right place from the start. -- Problems specific to Microsoft Managed Desktop (for example, a policy or setting that's deployed by the service itself): escalate directly to the Operations team. For more info, see [Getting help for users](../working-with-managed-desktop/end-user-support.md).
+- Problems specific to Microsoft Managed Desktop (for example, a policy or setting that's deployed by the service itself): escalate directly to the Operations team by creating a new support request. For more info, see [Getting help for users](../working-with-managed-desktop/end-user-support.md).
- Hardware problems: direct to your hardware supplier or vendor - Other problems: escalate through existing support channels, whether that's a Unified or Premier subscription.
If a user issue needs to be escalated to Microsoft Managed Desktop, it's helpful
### Elevation portal
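Review bot: "escalate directly to the Operations team by creating a new support request" still links to end-user-support.md, but the procedure for creating a support request is the "Open a new support request" section of admin-support.md; point the new phrase at that page. The "Hardware problems" and "Other problems" bullets in the context line are run together and need separate lines.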
-Since Microsoft Managed Desktop devices run on standard user by default, some tasks require elevation of privileges. For more information about user account control, see [User account control](/windows/security/identity-protection/user-account-control/user-account-control-overview). In order for support staff to be able to [perform tasks](../working-with-managed-desktop/end-user-support.md#elevation-requests) while troubleshooting issues for users, we provide "just-in-time" access to an admin account. This password accessed securely by only those you designate, and rotates every couple hours.
+Since Microsoft Managed Desktop devices run on standard user by default, some tasks require elevation of privileges. For more information about user account control, see [User account control](/windows/security/identity-protection/user-account-control/user-account-control-overview). In order for support staff to be able to [perform tasks](../working-with-managed-desktop/end-user-support.md#elevation-requests) while troubleshooting issues for users, we provide "just-in-time" access to an admin account. This password is accessed securely by only those you designate, and rotates every couple of hours.
For steps on how to set up users for access to this portal, see [Enable user support features](../get-started/enable-support.md).
For steps on submitting an elevation request, see [Elevation requests](../workin
### Escalation portal
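Review bot: the grammar fix is fine, but "rotates every couple of hours" is too vague for a description of a just-in-time admin credential; state the actual rotation interval and say where the password is retrieved (the portal named in the next paragraph), since the reader is deciding who to designate for this access on the strength of those two facts.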
-If an issue requires escalation to Microsoft Managed Desktop Operations team, designated support staff might direct similar to an IT admin support request.
+If an issue requires escalation to the Microsoft Managed Desktop Operations team, designated support staff might direct similar to an IT admin support request.
> [!NOTE] > Only Sev C support requests can be filed in this manner. For an issue matching the description of other severities, itΓÇÖs recommended to contact the appropriate IT admin to file. For more info, see [Support request severity definitions](../working-with-managed-desktop/admin-support.md#support-request-severity-definitions).
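Review bot: adding "the" before "Microsoft Managed Desktop Operations team" leaves the sentence still missing its object: "designated support staff might direct similar to an IT admin support request" needs something like "might file it in the same way as an IT admin support request". The NOTE in the trailing context has its two lines run together and a mis-encoded apostrophe in "itΓÇÖs".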
managed-desktop Admin Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/admin-support.md
You can submit support tickets or feedback requests to Microsoft using the Micro
## Open a new support request 1. Sign in to [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu.
-2. Look for the Microsoft Managed Desktop section, and then select **Service request**.
-3. On **Support requests**, select **+ New Support ticket**.
-4. Select the **Support request type** that matches the help you need. The following table outlines the options.
-5. Select the **Severity level**. For more information, see [Support request severity definitions](#sev).
+2. Look for the Microsoft Managed Desktop section, and then select **Service requests**.
+3. On the **Service requests** blade, select **+ New support request**.
+4. Select the **Request type** that matches the help you need. The following table outlines the options.
+5. Select the **Severity** level. For more information, see [Support request severity definitions](#sev).
6. Provide as much information about the request as possible to help the team respond quickly. Depending on the type of request, you may be required to provide different details. 7. Review all the information you provided for accuracy. 8. When you're ready, select **Create**. Support request type|When to use |
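Review bot: the renamed UI labels ("Service requests", "Request type", "Severity") are not carried into the table header in the trailing context, which still reads "Support request type|When to use"; rename it to match step 4. Confirm the `#sev` anchor in step 5 still resolves to the severity definitions heading after the rename, and put steps 6 to 8 and the table header on separate lines, as they are run together here.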
-Incident|You require the Microsoft Managed Desktop Operations team to investigate, for example, a widespread impact of a change or service outage.
+Incident|You require the Microsoft Managed Desktop Operations team to investigate a user issue caused by, for example, a widespread impact of a change or service outage.
Request for information|You're planning a change in networking, proxy configuration, VPN systems, certificate expiration, or just need some information about the service. A response from the Microsoft Managed Desktop Operations team is advised when communicating a change within your organization. Change request|You require the Microsoft Managed Desktop Operations team to make a change, such as moving devices between update groups.
While email is the recommended approach to interact with our team, you may want
If you need to edit the details of a case, for example updating the primary case contact, you will need to follow these steps:
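Review bot: "investigate a user issue caused by, for example, a widespread impact of a change or service outage" is not grammatical (an impact is not a cause, and an outage is not a user issue); suggest "investigate an issue, for example the widespread impact of a change or a service outage". The "Request for information" and "Change request" rows in the context line are run together and need their own lines.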
-1. From the **Service request** blade, in **Tenant Administration** menu of [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), use the search bar or filters to find the case you're interested in editing.
+1. From the **Service requests** blade, in the **Tenant Administration** menu of [Microsoft Endpoint Manager](https://endpoint.microsoft.com/), use the search bar or filters to find the case you're interested in editing.
2. Select the case to open up the request's details 3. Scroll to the bottom of the request details and select **Edit**. 4. Update the editable information, add attachments to the case, or add a note for the Service Engineering team, then select **Save**.
managed-desktop End User Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/end-user-support.md
Before you request elevated access to a device, it's best to review which action
2. Select **New elevation request**. 3. Provide these details: - **Support ticket ID** from your own support ticketing system.
- - **Device name**: enter the device serial number and then select the device from the menu.
- - **Category**: Select the category that best fits your issue. If no option seems close, then select **Other** and provide more info in the **Title** and **Plan of action** fields. It's best to select a category if at all possible.
- - **Subcategory**: Select the one that best fits the issue. If no option seems close, then select **Other** and provide a short description in **Title**. In **Plan of action**, provide the troubleshooting steps you plan to take once elevation is granted.
+ - **Device name**: Enter the device serial number and then select the device from the menu.
+ - **Category**: Select the category that best fits your issue. If no option seems close, then select **Other**. It's best to select a category if at all possible.
+ - **Subcategory**: Select the one that best fits the issue. If no option seems close, then select **Other**.
+ - **Title**: Provide a short description of the issue on the device.
+ - **Plan of action**: Provide the troubleshooting steps you plan to take once elevation is granted.
4. Select **Submit**.
If you need to [escalate](../service-description/user-support.md#escalation-port
5. Revisit the ticket in the same portal to interact with our team. > [!NOTE]
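Review bot: splitting Title and Plan of action into their own bullets is clearer, but the Category and Subcategory bullets lost the instruction on what to do when "Other" is chosen; now that Title is a separate field, say there that the reason for choosing "Other" goes in the Title. "Device name: Enter the device serial number" is also contradictory as written; label the bullet "Device" or say the field is searched by serial number.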
-> Only Severity C issues can be escalated through this path. For other issues, contact your IT admin to file the request through the Admin portal.
+> Only Severity C issues can be escalated through this path. For other issues, contact your IT admin to file the request through the Admin portal.
security Configure Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md
# Configure and validate exclusions for Microsoft Defender Antivirus scans -- **Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
To configure and validate exclusions, see the following:
Keep the following points in mind when you are defining exclusions: -- Exclusions are technically a protection gap. Always consider mitigations when defining exclusions. Other mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
+- Exclusions are technically a protection gap. Consider all your options when defining exclusions. Other options can be as simple as making sure the excluded location has the appropriate access-control lists (ACLs) or setting policies to audit mode at first.
-- Review the exclusions periodically. Recheck and re-enforce the mitigations as part of the review process.
+- Review the exclusions periodically. Recheck and re-enforce mitigations as part of your review process.
-- Ideally, avoid defining exclusions intending to be proactive. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues, such as those pertaining to performance or application compatibility that exclusions could mitigate.
+- Ideally, avoid defining exclusions in an effort to be proactive. For example, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues, such as those pertaining to performance or application compatibility that exclusions could mitigate.
-- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
+- Review and audit changes to your list of exclusions. Your security team should preserve context around why a certain exclusion was added to avoid confusion later on. Your security team should be able to provide specific answers to questions about why exclusions exist.
-## Related articles
+## See also
- [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md) - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
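Review bot: The rewritten first bullet drops the concrete compensating controls that the removed line listed. The old text named ACLs, audit policy and keeping the excluded location "processed by an up-to-date software"; the new text keeps only ACLs and replaces the rest with "setting policies to audit mode at first", which is a different recommendation (audit mode is a rollout step, not a control on the excluded location) and does not say which policies are meant. Suggest keeping the list, for example "...has the appropriate access-control lists (ACLs), is covered by audit policy, and that the software using it is kept up to date." The "Related articles" to "See also" rename is fine and matches the other article in this change set.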
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
**Applies to:** - [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- Microsoft Defender Antivirus
+
+You can define exclusions for Microsoft Defender Antivirus that apply to [scheduled scans](schedule-antivirus-scans.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on, real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). **Generally, you shouldn't need to apply exclusions**. If you do need to apply exclusions, you can choose from several different kinds:
+
+- Exclusions based on file extensions and folder locations (described in this article)
+- [Exclusions for files that are opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
> [!IMPORTANT]
-> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), [attack surface reduction (ASR) rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction), and [controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](/microsoft-365/security/defender-endpoint/manage-indicators).
+> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), [attack surface reduction (ASR) rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction), and [controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
+> To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](/microsoft-365/security/defender-endpoint/manage-indicators).
+
+## Before you begin...
+
+See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md) before defining your exclusion lists.
## Exclusion lists
-You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+To exclude certain files from Microsoft Defender Antivirus scans, you modify your exclusion lists. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE] > Exclusions apply to Potentially Unwanted Apps (PUA) detections as well.
+>
+> Automatic exclusions apply only to Windows Server 2016 and later. These exclusions are not visible in the Windows Security app and in PowerShell.
-> [!NOTE]
-> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
-
-This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
+The following table lists some examples of exclusions based on file extension and folder location. <br/><br/>
| Exclusion | Examples | Exclusion list | |:|:|:|
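Review bot: The new "Before you begin..." paragraph loses the section anchor that the removed sentence carried. The removed line links to `configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions`, while the added line links only to `configure-exclusions-microsoft-defender-antivirus.md`, so readers land at the top of that article instead of on the recommendations list; restore the fragment. Two style points: the heading "## Before you begin..." should not end with an ellipsis, and the trailing `<br/><br/>` on the table lead-in is raw HTML where a blank line does the same job.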
This article describes how to configure exclusion lists for the files and folde
| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions | | A specific process | The executable file `c:\test\process.exe` | File and folder exclusions |
-Exclusion lists have the following characteristics:
+## Characteristics of exclusion lists
- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.+ - File extensions apply to any file name with the defined extension if a path or folder is not defined.
-> [!IMPORTANT]
-> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
-> - You cannot exclude mapped network drives. You must specify the actual network path.
-> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
+## Important notes about exclusions based on file extensions and folder locations
-To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
+- Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
-The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
+- Don't exclude mapped network drives. Specify the actual network path.
-> [!IMPORTANT]
-> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
-> Changes made in the Windows Security app **will not show** in the Group Policy lists.
+- Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. Restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
-By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
+- Exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md), but not across Defender for Endpoint. To define exclusions across Defender for Endpoint, use [custom indicators](manage-indicators.md).
-You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+- By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts. In addition, exclusion list changes made with Group Policy are visible in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+
+- To allow local changes to override managed deployment settings, [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists).
## Configure the list of exclusions based on folder name or file extension
+You can choose from several methods to define exclusions for Microsoft Defender Antivirus.
+ ### Use Intune to configure file name, folder, or file extension exclusions
-See the following articles:
+See the following articles:
+ - [Configure device restriction settings in Microsoft Intune](/intune/device-restrictions-configure)+ - [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](/intune/device-restrictions-windows-10#microsoft-defender-antivirus) ### Use Configuration Manager to configure file name, folder, or file extension exclusions
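Review bot: The merged bullet that starts "By default, local changes made to the lists..." keeps only half of the removed IMPORTANT note. The removed lines state both that Group Policy changes **will show** in the Windows Security app and that "Changes made in the Windows Security app **will not show** in the Group Policy lists"; the new bullet keeps the first statement and drops the second, which is the one admins trip over when auditing exclusions, so add it back. Also, "You cannot exclude mapped network drives" has become "Don't exclude mapped network drives", which turns an unsupported configuration into advice; keep the capability statement, for example "Mapped network drives can't be excluded; specify the actual network path." Finally, the scheduled-scans link in this hunk still points to `scheduled-catch-up-scans-microsoft-defender-antivirus.md` while the new intro paragraph links `schedule-antivirus-scans.md` for the same topic; pick one target.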
See [How to create and deploy antimalware policies: Exclusion settings](/configm
>[!NOTE] >If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
-1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
See [How to create and deploy antimalware policies: Exclusion settings](/configm
4. Open the **Path Exclusions** setting for editing, and add your exclusions. 1. Set the option to **Enabled**.
- 1. Under the **Options** section, click **Show**.
- 1. Specify each folder on its own line under the **Value name** column.
- 1. If you are specifying a file, ensure that you enter a fully qualified path to the file, including the drive letter, folder path, file name, and extension. Enter **0** in the **Value** column.
+ 2. Under the **Options** section, select **Show**.
+ 3. Specify each folder on its own line under the **Value name** column.
+ 4. If you are specifying a file, ensure that you enter a fully qualified path to the file, including the drive letter, folder path, file name, and extension. Enter **0** in the **Value** column.
5. Choose **OK**. 6. Open the **Extension Exclusions** setting for editing and add your exclusions. 1. Set the option to **Enabled**.
- 1. Under the **Options** section, select **Show**.
- 1. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
+ 2. Under the **Options** section, select **Show**.
+ 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Choose **OK**.
The format for the cmdlets is as follows:
<cmdlet> -<exclusion list> "<item>" ```
-The following are allowed as the `<cmdlet>`:
+The following table lists cmdlets that you can use in the `<cmdlet>` portion of the PowerShell cmdlet:
| Configuration action | PowerShell cmdlet | |:|:|
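Review bot: The new lead-in "The following table lists cmdlets that you can use in the `<cmdlet>` portion of the PowerShell cmdlet" is circular. Suggest "The following table lists the cmdlets you can use in the `<cmdlet>` position of the command format shown above", and use the same wording for the `<exclusion list>` table so the two lead-ins match.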
The following are allowed as the `<cmdlet>`:
|Add to the list | `Add-MpPreference` | |Remove item from the list | `Remove-MpPreference` |
-The following are allowed as the `<exclusion list>`:
+The following table lists values that you can use in the `<exclusion list>` portion of the PowerShell cmdlet:
| Exclusion type | PowerShell parameter | |:|:|
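Review bot: The lead-in says the table lists "values" for the `<exclusion list>` portion, but the table header calls the column "PowerShell parameter" and the example below uses a parameter name (`-ExclusionExtension`); say "parameters" so the sentence and the header agree.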
For example, the following code snippet would cause Microsoft Defender Antivirus
Add-MpPreference -ExclusionExtension ".test" ```
-For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
+> [!TIP]
+> For more information, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](/powershell/module/defender/).
### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions
-Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
+Use the [Set, Add, and Remove methods of the MSFT_MpPreference](/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
```WMI ExclusionExtension ExclusionPath ```
-The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+Using **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
-For more information, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
+> [!TIP]
+> For more information, see [Windows Defender WMIv2 APIs](/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
<a id="man-tools"></a>
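Review bot: The heading above this hunk still reads "Windows Management Instruction (WMI)"; the product name is Windows Management Instrumentation, and since the hunk already touches the sentence below the heading this is the place to fix it. The new link text drops the bold from Set, Add and Remove while the next sentence keeps them bold; pick one treatment. The code block listing `ExclusionExtension` and `ExclusionPath` is tagged `WMI`, which is not a standard code language id; an untagged fence or `text` avoids a highlighter warning.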
You can use the asterisk `*`, question mark `?`, or environment variables (such
The following table describes how the wildcards can be used and provides some examples. -
-|Wildcard |Examples |
+| Wildcard | Examples |
|:|:|
-|`*` (asterisk) <p> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` includes `C:\MyData\notes.txt` <p> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <p> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders and `C:\Serv\Secondary\Allowed\Backup` and its subfolders |
-|`?` (question mark) <p> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <p> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders <p> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
-|Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
+| `*` (asterisk) <p> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` includes `C:\MyData\notes.txt` <p> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <p> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders and `C:\Serv\Secondary\Allowed\Backup` and its subfolders |
+| `?` (question mark) <p> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <p> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <p> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders <p> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
+| Environment variables <p> The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
> [!IMPORTANT]
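Review bot: The reformatted rows carry over "In **file name and file extension inclusions**" from the removed lines, while the same cells say "In **folder exclusions**"; this article only defines exclusions, so "inclusions" is a typo that this hunk should fix in both the asterisk and question-mark rows. The "Environment variables" row is also the only one whose second cell has no space after the pipe (`|`%ALLUSERSPROFILE%\CustomLogFiles``), and "wild carded" should be "wildcarded".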
For more information, see [Use PowerShell cmdlets to configure and run Microsoft
You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
-In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path.
+In the following PowerShell snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path.
```PowerShell Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.t
If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
-You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace `c:\test.txt` with a file that conforms to the rule you are validating:
```PowerShell $client = new-object System.Net.WebClient
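Review bot: The pass criterion "If there is no report of malware and the downloaded file exists, then the exclusion is working" needs a positive control, because disabled or misconfigured real-time protection produces exactly the same result as a working exclusion. Suggest one sentence before the snippets: first download the EICAR file under a name or path that is not excluded and confirm that Microsoft Defender Antivirus detects it, then repeat with the excluded name or path. The backtick change for `c:\test.txt` is fine.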
If you do not have Internet access, you can create your own EICAR test file by w
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
-## Related topics
+## See also
- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)+ - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)+ - [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)+ - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
ms.technology: mde
# Microsoft Defender for Endpoint Device Control Removable Storage Access Control
+> [!NOTE]
+> The Group Policy management of this product is now generally avaialable (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806)
+ Microsoft Defender for Endpoint Device Control Removable Storage Access Control enables you to do the following task:
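Review bot: Typo in the added note: "generally avaialable" should be "generally available". The note also runs the version and the link into one sentence ("(4.18.2106): See ..."); a period after the version and "For details, see ..." reads better.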
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
****
-|Privilege|Permission|
-|||
-|Access|Read, Write, Execute|
-|Action Mode|Audit, Allow, Prevent|
-|CSP Support|Yes|
-|GPO Support|Yes|
-|User-based Support|Yes|
-|Machine-based Support|Yes|
-|||
+| Privilege | Permission |
+|:|:|
+| Access | Read, Write, Execute |
+| Action Mode | Audit, Allow, Prevent |
+| CSP Support | Yes |
+| GPO Support | Yes |
+| User-based Support | Yes |
+| Machine-based Support | Yes |
## Prepare your endpoints
Another reason could be that the XML file isn't correctly formatted, for example
### There is no configuration UX for 'Define device control policy groups' and 'Define device control policy rules' on my Group Policy
-We don't backport the Group Policy configuation UX, but you can still get the related adml and admx files by clicking 'Raw' and 'Save as' at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.
+We don't backport the Group Policy configuration UX, but you can still get the related adml and admx files by clicking 'Raw' and 'Save as' at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.
### How can I know which machine is using out of date antimalware client version in the organization?
security Event Views https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-views.md
You can also manually navigate to the event area that corresponds to the feature
3. Select **Action** > **Import Custom View...**
- > [!div class="mx-imgBorder"]
- > ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif)
+ > [!div class="mx-imgBorder"]
+ > ![Animation highlighting Import custom view on the left of the Even viewer window](images/events-import.gif)
-4. Navigate to where you extracted XML file for the custom view you want and select it.
+4. Navigate to where you extracted the XML file for the custom view you want and select it.
5. Select **Open**.
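Review bot: The re-indented image line keeps the alt text "Animation highlighting Import custom view on the left of the Even viewer window"; "Even viewer" should be "Event Viewer", and since the line is being rewritten anyway this is the place to fix it (the equivalent alt text in the next hunk already says "Event viewer").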
You can also manually navigate to the event area that corresponds to the feature
2. On the left panel, under **Actions**, select **Create Custom View...**
- > [!div class="mx-imgBorder"]
- > ![Animation highlighting the create custom view option on the Event viewer window](images/events-create.gif)
+ > [!div class="mx-imgBorder"]
+ > ![Animation highlighting the create custom view option on the Event viewer window](images/events-create.gif)
3. Go to the XML tab and select **Edit query manually**. You'll see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**.
You can access these events in Windows Event viewer:
![Animation showing using Event Viewer](images/event-viewer.gif)
-Feature | Provider/source | Event ID | Description
-:-|:-|:-:|:-
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 2 | ACG enforce
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 4 | Do not allow child processes block
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 6 | Block low integrity images block
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 8 | Block remote images block
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 10 | Disable win32k system calls block
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 12 | Code integrity guard block
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 13 | EAF audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 14 | EAF enforce
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 15 | EAF+ audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 16 | EAF+ enforce
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 17 | IAF audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 18 | IAF enforce
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 19 | ROP StackPivot audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 20 | ROP StackPivot enforce
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 21 | ROP CallerCheck audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 22 | ROP CallerCheck enforce
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 23 | ROP SimExec audit
-Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP SimExec enforce
-Exploit protection | WER-Diagnostics | 5 | CFG Block
-Exploit protection | Win32K (Operational) | 260 | Untrusted Font
-Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed
-Network protection | Windows Defender (Operational) | 1125 | Event when Network protection fires in Audit-mode
-Network protection | Windows Defender (Operational) | 1126 | Event when Network protection fires in Block-mode
-Controlled folder access | Windows Defender (Operational) | 5007 | Event when settings are changed
-Controlled folder access | Windows Defender (Operational) | 1124 | Audited Controlled folder access event
-Controlled folder access | Windows Defender (Operational) | 1123 | Blocked Controlled folder access event
-Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Controlled folder access sector write block event
-Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event
-Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed
-Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode
-Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode
+<br>
+
+****
+
+|Feature|Provider/source|Event ID|Description|
+|||::||
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|1|ACG audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|2|ACG enforce|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|3|Do not allow child processes audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|4|Do not allow child processes block|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|5|Block low integrity images audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|6|Block low integrity images block|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|7|Block remote images audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|8|Block remote images block|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|9|Disable win32k system calls audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|10|Disable win32k system calls block|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|11|Code integrity guard audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|12|Code integrity guard block|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|13|EAF audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|14|EAF enforce|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|15|EAF+ audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|16|EAF+ enforce|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|17|IAF audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|18|IAF enforce|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|19|ROP StackPivot audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|20|ROP StackPivot enforce|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|21|ROP CallerCheck audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|22|ROP CallerCheck enforce|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|23|ROP SimExec audit|
+|Exploit protection|Security-Mitigations (Kernel Mode/User Mode)|24|ROP SimExec enforce|
+|Exploit protection|WER-Diagnostics|5|CFG Block|
+|Exploit protection|Win32K (Operational)|260|Untrusted Font|
+|Network protection|Windows Defender (Operational)|5007|Event when settings are changed|
+|Network protection|Windows Defender (Operational)|1125|Event when Network protection fires in Audit-mode|
+|Network protection|Windows Defender (Operational)|1126|Event when Network protection fires in Block-mode|
+|Controlled folder access|Windows Defender (Operational)|5007|Event when settings are changed|
+|Controlled folder access|Windows Defender (Operational)|1124|Audited Controlled folder access event|
+|Controlled folder access|Windows Defender (Operational)|1123|Blocked Controlled folder access event|
+|Controlled folder access|Windows Defender (Operational)|1127|Blocked Controlled folder access sector write block event|
+|Controlled folder access|Windows Defender (Operational)|1128|Audited Controlled folder access sector write block event|
+|Attack surface reduction|Windows Defender (Operational)|5007|Event when settings are changed|
+|Attack surface reduction|Windows Defender (Operational)|1122|Event when rule fires in Audit-mode|
+|Attack surface reduction|Windows Defender (Operational)|1121|Event when rule fires in Block-mode|
+|
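Review bot: the final added row `+|` is a lone pipe with no cells and will render as an empty or broken table row; drop that line so the table ends on the `Attack surface reduction | Windows Defender (Operational) | 1121` row.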
security Ios Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-troubleshoot.md
In addition, a notification is shown on the iOS device. Tapping on the notificat
> [!div class="mx-imgBorder"] > ![Image of site reported as unsafe notification](images/ios-phish-alert.png)
+## Device not seen on the Defender for Endpoint console after onboarding.
+
+After onboarding, it takes few hours for device to show up in the Device inventory in the Defender for Endpoint security console. Also, ensure that device is registered correctly with Azure Active Directory and device has internet connectivity. For successful onboarding, the device has to be registered via Microsoft Authenticator or Intune Company Portal and the user needs to sign-in using the same account with which device is registered with Azure AD.
+ ## Data and Privacy For details about data collected and privacy, see [Privacy Information - Microsoft Defender for Endpoint on iOS](ios-privacy.md).
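Review bot: the new heading ends with a period and the paragraph under it is missing articles throughout. The heading should read "## Device not seen on the Defender for Endpoint console after onboarding", and the paragraph "After onboarding, it takes a few hours for the device to show up in the Device inventory in the Defender for Endpoint security console. Also, ensure that the device is registered correctly with Azure Active Directory and has internet connectivity. For successful onboarding, the device has to be registered via Microsoft Authenticator or Intune Company Portal and the user needs to sign in using the same account with which the device is registered with Azure AD." ("sign in" is the verb; "sign-in" is the noun).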
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
ms.technology: mde
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+## 101.39.98 (30.121062.13998.0)
+
+- Performance improvements & bug fixes
+ ## 101.34.27 (30.121052.13427.0) - Performance improvements & bug fixes
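Review bot: the new 101.39.98 (30.121062.13998.0) entry says only "Performance improvements & bug fixes", word for word the same as the existing 101.34.27 entry below it; for a release of a security agent, state at least what was fixed or link the release notes, otherwise admins deciding whether to roll the build out have nothing to go on.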
security Manage Gradual Rollout https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-gradual-rollout.md
It is important to ensure that client components are up-to-date to deliver criti
Capabilities are provided through several components: - [Endpoint Detection & Response](overview-endpoint-detection-response.md) -- [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md#microsoft-defender-antivirus-your-next-generation-protection) with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md)
+- [Next-generation protection](microsoft-defender-antivirus-windows.md) with [cloud-delivered protection](cloud-protection-microsoft-defender-antivirus.md)
- [Attack Surface Reduction](overview-attack-surface-reduction.md) Updates are released monthly using a gradual release process. This process helps to enable early failure detection to catch impact as it occurs and address it quickly before a larger rollout. > [!NOTE]
-> For more information on how to control daily definition updates, see [Schedule Microsoft Defender Antivirus definition updates - Windows security | Microsoft Docs](manage-protection-update-schedule-microsoft-defender-antivirus.md). Definition updates ensure that next-generation protection can defend against new threats, even if cloud-delivered protection is not available to the endpoint.
+> For more information on how to control daily security intelligence updates, see [Schedule Microsoft Defender Antivirus protection updates](manage-protection-update-schedule-microsoft-defender-antivirus.md). Updates ensure that next-generation protection can defend against new threats, even if cloud-delivered protection is not available to the endpoint.
## Microsoft gradual rollout model
The following update channels are available:
| Current Channel (Broad) | Get updates at the end of gradual release | Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). | | (default) | | If you disable or do not configure this policy, the device will remain in Current Channel (Default): Stay up to date automatically during the gradual release cycle. Suitable for most devices. |
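Review bot: the replacement note `> For more information on how to control daily security intelligence updates ...` uses three names for the same thing in one paragraph: "security intelligence updates" in the sentence, "protection updates" in the link text, and bare "Updates" in the sentence that follows. Since the point of the change is to retire "definition updates", pick one replacement term and use it in all three places (the linked article's title suggests "protection updates", the sentence suggests "security intelligence updates").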
-### Update channels for daily definition updates
+### Update channels for daily updates
-You can also assign a machine to a channel to define the cadence in which it receives daily definition updates. Note that unlike the monthly process, there is no Beta channel and this gradual release cycle occurs multiple times a day.
+You can also assign a machine to a channel to define the cadence in which it receives daily updates. Note that unlike the monthly process, there is no Beta channel and this gradual release cycle occurs multiple times a day.
| Channel name | Description | Application | |-|-|-|
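Review bot: the renamed heading `### Update channels for daily updates` and the sentence "define the cadence in which it receives daily updates" now say only "updates", so the only thing separating this section from the monthly platform updates described in the table above is the word "daily". Say "daily security intelligence updates" (or whatever term the note earlier in this file settles on) so the two gradual release cycles stay clearly distinct, and so the heading does not read as "update channels for updates".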
security Microsoft Defender Antivirus Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md
The following table describes what to expect when Microsoft Defender Antivirus i
| Mode | What happens | ||| | Active mode | In active mode, Microsoft Defender Antivirus is used as the primary antivirus app on the device. Files are scanned, threats are remediated, and detected threats are listed in your organization's security reports and in your Windows Security app. |
-| Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the primary antivirus app on the device. Files are scanned, and detected threats are reported, but threats are not remediated by Microsoft Defender Antivirus. |
+| Passive mode | In passive mode, Microsoft Defender Antivirus is not used as the primary antivirus app on the device. Files are scanned, and detected threats are reported, but threats are not remediated by Microsoft Defender Antivirus. <br/><br/>**IMPORTANT**: Microsoft Defender Antivirus can run in passive mode only on endpoints that are onboarded to Microsoft Defender for Endpoint. See [Requirements for Microsoft Defender Antivirus to run in passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode). |
| Disabled or uninstalled | When disabled or uninstalled, Microsoft Defender Antivirus is not used. Files are not scanned, and threats are not remediated. In general, we do not recommend disabling or uninstalling Microsoft Defender Antivirus. | To learn more, see [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md).
You'll see the name of your antivirus/antimalware solution on the settings page.
3. In the list of results, look at the **AMRunningMode** row. - **Normal** means Microsoft Defender Antivirus is running in active mode.
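Review bot: the table has rows for active, passive, and disabled/uninstalled only, while the **AMRunningMode** list further down in this same file reports four states, including **SxS Passive Mode** with limited periodic scanning. Either add a row for that state or point at the limited periodic scanning article from the passive row, so a reader comparing the table with their Get-MpComputerStatus output finds every state described.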
- - **Passive mode** means Microsoft Defender Antivirus running, but is not the primary antivirus/antimalware product on your device.
- - **EDR Block Mode** means Microsoft Defender Antivirus is running and a capability in Microsoft Defender for Endpoint that is called "EDR in block mode" is enabled. (See [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md).)
- - **SxS Passive Mode** means Microsoft Defender Antivirus is running in passive mode alongside another antivirus/antimalware product, and your device is not onboarded to Microsoft Defender for Endpoint. In this case, limited periodic scanning is used for Microsoft Defender Antivirus. To learn more, see [Use limited periodic scanning in Microsoft Defender Antivirus](limited-periodic-scanning-microsoft-defender-antivirus.md).
-To learn more about the Get-MpComputerStatus PowerShell cmdlet, see the reference article [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus).
+ - **Passive mode** means Microsoft Defender Antivirus running, but is not the primary antivirus/antimalware product on your device. Passive mode is only available for devices that are onboarded to Microsoft Defender for Endpoint and that meet certain requirements. To learn more, see [Requirements for Microsoft Defender Antivirus to run in passive mode](microsoft-defender-antivirus-compatibility.md#requirements-for-microsoft-defender-antivirus-to-run-in-passive-mode).
+
+ - **EDR Block Mode** means Microsoft Defender Antivirus is running and [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md), a capability in Microsoft Defender for Endpoint, is enabled.
+
+ - **SxS Passive Mode** means Microsoft Defender Antivirus is running alongside another antivirus/antimalware product, and [limited periodic scanning is used](limited-periodic-scanning-microsoft-defender-antivirus.md).
+
+> [!TIP]
+> To learn more about the Get-MpComputerStatus PowerShell cmdlet, see the reference article [Get-MpComputerStatus](/powershell/module/defender/get-mpcomputerstatus).
## Get your antivirus/antimalware platform updates
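Review bot: the rewritten **SxS Passive Mode** bullet drops "and your device is not onboarded to Microsoft Defender for Endpoint", which was the one fact distinguishing it from the **Passive mode** bullet just above (now described as available only to onboarded devices); with it removed a reader cannot tell the two passive states apart. Keep the onboarding clause, for example "... is running alongside another antivirus/antimalware product on a device that is not onboarded to Microsoft Defender for Endpoint, and [limited periodic scanning is used](limited-periodic-scanning-microsoft-defender-antivirus.md)."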
security Prevent End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md
In Windows 10, versions 1703, hiding the interface will hide Microsoft Defender
With the setting set to **Enabled**: With the setting set to **Disabled** or not configured:
You can prevent users from pausing scans, which can be helpful to ensure schedul
- [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) -- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
+- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
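Review bot: the removed and re-added lines are identical (`- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)`), so as shown this hunk is a whitespace- or line-ending-only change. More importantly, the manage-gradual-rollout change in this same batch replaces a link to `microsoft-defender-antivirus-in-windows-10.md` with `microsoft-defender-antivirus-windows.md`; if that page has been renamed, this link should be retargeted (and its text updated to match) in the same pass rather than re-added unchanged.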
security Microsoft Defender For Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/includes/microsoft-defender-for-office.md
> [!IMPORTANT]
-> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](/microsoft-365/security/mtp/overview-security-center).
+> The improved [Microsoft 365 Defender portal](https://security.microsoft.com) is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](/microsoft-365/security/defender/overview-security-center).
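Review bot: the link text is renamed to "Microsoft 365 Defender portal" but the next sentence on the same line still says "into the Microsoft 365 security center", so the note introduces the new name and immediately falls back to the old one; change the second occurrence to "Microsoft 365 Defender portal" as well (the updated `/microsoft-365/security/defender/overview-security-center` path already reflects the rename).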
security User Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
Use the following articles to configure the prerequisites required so user repor
- Skip spam filtering on the custom mailbox by creating an exchange mail flow rule to set the spam confidence level. See [Use the EAC to create a mail flow rule that sets the SCL of a message](/exchange/security-and-compliance/mail-flow-rules/use-rules-to-set-scl#use-the-eac-to-create-a-mail-flow-rule-that-sets-the-scl-of-a-message) to set the SCL to **Bypass spam filtering**. -- [Create a Safe Attachments policy](set-up-safe-attachments-policies.md) that includes the custom mailbox where Safe Attachments scanning is turned off (**Safe Attachments unknown malware response** section \> **Off**).--- [Create a Safe Links policy](set-up-safe-links-policies.md) that includes the custom mailbox where Safe Links scanning is turned off (**Select the action for unknown potentially malicious URLs in messages** section \> **Off**).- - [Create an anti-malware policy](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) that includes the custom mailbox where zero-hour auto purge (ZAP) for malware is turned off (**Protection settings** section \> **Enable zero-hour auto purge for malware** is not selected). - [Create an anti-spam policy](configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies) that includes the custom mailbox where ZAP for spam and ZAP for phishing are turned off (**Zero-hour auto purge** section \> **Enabled zero-hour auto purge (ZAP)** is not selected). - Disable the junk email rule in the custom mailbox. Use [Configure junk email settings on Exchange Online mailboxes](configure-junk-email-settings-on-exo-mailboxes.md) to disable the junk email rule. After it's disabled, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action **Move message to Junk Email folder** or the safelist collection on the mailbox.
+If you have Microsoft Defender for Office 365, you should also configure the below so that our advanced filtering does not impact the users reporting messages:
+
+- [Create a Safe Links policy](set-up-safe-links-policies.md) that includes the custom mailbox where Safe Links scanning is turned off (**Select the action for unknown potentially malicious URLs in messages** section \> **Off**).
+
+- [Create a Safe Attachments policy](set-up-safe-attachments-policies.md) that includes the custom mailbox where Safe Attachments scanning is turned off (**Safe Attachments unknown malware response** section \> **Off**).
+ After you've verified that your mailbox meets all applicable prerequisites, you can use the procedures in this article to configure the user submissions mailbox. ## What do you need to know before you begin?
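Review bot: "you should also configure the below so that our advanced filtering does not impact the users reporting messages" should read "you should also configure the following so that advanced filtering does not affect messages reported by users" ("the below" is not idiomatic, and first-person "our" reads as marketing voice rather than documentation). The split itself is right: the hunk ties Safe Links and Safe Attachments to Defender for Office 365, so moving those two bullets out of the general prerequisite list is correct. While in this list, note that the unchanged "Create an anti-malware policy" bullet links to `configure-your-spam-filter-policies.md#use-the-microsoft-365-defender-portal-to-create-anti-spam-policies`, an anti-spam anchor identical to the one in the anti-spam bullet that follows it; it should point at the anti-malware policy article.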