Updates from: 09/10/2021 03:15:31
Category Microsoft Docs article Related commit history on GitHub Change details
admin About Shared Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/about-shared-mailboxes.md
Before you [create a shared mailbox](create-a-shared-mailbox.md), here are some
> [!NOTE]
-> To access a shared mailbox, a user must have an Exchange Online license, but the shared mailbox doesn't require a separate license. Every shared mailbox has a corresponding user account. Notice how you weren't asked to provide a password when you created the shared mailbox? The account has a password, but it's system-generated (unknown). You shouldn't use the account to log in to the shared mailbox. Without a license, shared mailboxes are limited to 50 GB. To increase the size limit to 100 GB, the shared mailbox must be assigned an Exchange Online Plan 2 license or an Exchange Online Plan 1 license with an Exchange Online Archiving add-on license. This will also let you enable auto-expanding archiving for an unlimited amount of archive storage capacity. Similarly, if you want to place a shared mailbox on litigation hold, the shared mailbox must have an Exchange Online Plan 2 license or an Exchange Online Plan 1 license with an Exchange Online Archiving add-on license. If you want to apply advanced features such as Microsoft Defender for Office 365, Advanced eDiscovery, or automatic retention policies, the shared mailbox must be licensed for those features.
+> To access a shared mailbox, a user must have an Exchange Online license, but the shared mailbox doesn't require a separate license. Every shared mailbox has a corresponding user account. Notice how you weren't asked to provide a password when you created the shared mailbox? The account has a password, but it's system-generated (unknown). You shouldn't use the account to log in to the shared mailbox. Without a license, shared mailboxes are limited to 50 GB. To increase the size limit to 100 GB, the shared mailbox must be assigned an Exchange Online Plan 2 license. The Exchange Online Plan 1 license with an Exchange Online Archiving add-on license will only increase the size of the archive mailbox. This will also let you enable auto-expanding archiving for an unlimited amount of archive storage capacity. Similarly, if you want to place a shared mailbox on litigation hold, the shared mailbox must have an Exchange Online Plan 2 license or an Exchange Online Plan 1 license with an Exchange Online Archiving add-on license. If you want to apply advanced features such as Microsoft Defender for Office 365, Advanced eDiscovery, or automatic retention policies, the shared mailbox must be licensed for those features.
## Related content
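Review bot: the antecedent of "This will also let you enable auto-expanding archiving" is now ambiguous, because the new sentence "The Exchange Online Plan 1 license with an Exchange Online Archiving add-on license will only increase the size of the archive mailbox." sits between the Plan 2 requirement and that "This". State explicitly which licensing combination enables auto-expanding archiving, and consider splitting the note into primary mailbox size (Plan 2 only), archive size and auto-expanding archiving, and litigation hold, since each now has a different licensing rule. The sentence "You shouldn't use the account to log in to the shared mailbox." is the security-relevant part of this note; it reads as advice, and given that the same paragraph says the password is system-generated and unknown, it would be clearer as a plain statement that access is only through licensed users' own accounts.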
compliance Customer Key Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customer-key-manage.md
The New-MoveRequest cmdlet is no longer available for local mailbox moves. Refer
Check on the status of encryption by running the Get-SPODataEncryptionPolicy cmdlet as follows: ```PowerShell
- Get-SPODataEncryptionPolicy -Identity <SPOAdminSiteUrl>
+ Get-SPODataEncryptionPolicy <SPOAdminSiteUrl>
``` The output from this cmdlet includes:
The output from this cmdlet includes:
- **Rolling:** A key roll is in progress. If the key for the geo is rolling, you'll also be shown information on what percentage of sites have completed the key roll operation so that you can monitor progress.
+- It will also output the percentage of sites onboarded.
+ ## Get details about DEPs you use with multiple workloads To get details about all of the DEPs you've created to use with multiple workloads, complete these steps:
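Review bot: dropping `-Identity` in `Get-SPODataEncryptionPolicy <SPOAdminSiteUrl>` relies on positional parameter binding; the named form was unambiguous, so either keep `-Identity` or add a sentence saying the admin site URL is the first positional parameter. The new bullet "- It will also output the percentage of sites onboarded." breaks the list's "**Status:** description" pattern and overlaps with the existing Rolling bullet, which already says the percentage of sites that have completed the key roll is shown; fold it into that bullet or give it a label. The heading "+ ## Get details about DEPs you use with multiple workloads" carries a leading space and has its first paragraph on the same line; put the heading on its own line so it renders. "The output from this cmdlet includes:" also appears twice after the closing fence in this excerpt; check the source does not duplicate it.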
compliance Search The Audit Log In Security And Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
# Search the audit log in the compliance center
-Need to find if a user viewed a specific document or purged an item from their mailbox? If so, you can use the Microsoft 365 compliance center to search the unified audit log to view user and administrator activity in your organization. Why a unified audit log? Because you can search for the following types of [user and admin activity](#audited-activities) in Microsoft 365:
--- User activity in SharePoint Online and OneDrive for Business-- User activity in Exchange Online (Exchange mailbox audit logging)-- Admin activity in SharePoint Online-- Admin activity in Azure Active Directory (the directory service for Microsoft 365)-- Admin activity in Exchange Online (Exchange admin audit logging)-- eDiscovery activities in the security and compliance center-- User and admin activity in Power BI-- User and admin activity in Microsoft Teams-- User and admin activity in Dynamics 365-- User and admin activity in Yammer-- User and admin activity in Microsoft Power Automate-- User and admin activity in Microsoft Stream-- Analyst and admin activity in Microsoft Workplace Analytics-- User and admin activity in Microsoft Power Apps-- User and admin activity in Microsoft Forms-- User and admin activity for sensitivity labels for sites that use SharePoint Online or Microsoft Teams-- Admin activity in Briefing email and MyAnalytics
+Need to find if a user viewed a specific document or purged an item from their mailbox? If so, you can use the audit log search tool in Microsoft 365 compliance center to search the unified audit log to view user and administrator activity in your organization. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. User's in your organization can use the audit log search tool to search for, view, and export (to a CSV file) the audit records for these operations.
+
+## Microsoft 365 services that support auditing
+
+Why a unified audit log? Because you can search the audit log for activities performed in different Microsoft 365 services. The following table lists the Microsoft 365 services and features (in alphabetical order) that are supported by the unified audit log.
+
+| Microsoft 365 service or feature | Record types|
+|:|:|
+| Azure Active Directory|AzureActiveDirectory, AzureActiveDirectoryAccountLogon, AzureActiveDirectoryStsLogon |
+| Azure Information Protection|AipDiscover, AipSensitivityLabelAction, AipProtectionAction, AipFileDeleted, AipHeartBeat |
+| Content explorer|LabelContentExplorer|
+| Data loss prevention (DLP)|ComplianceDLPSharePoint, ComplianceDLPExchange|
+| Defender for Endpoint|DLPEndpoint|
+| Dynamics 365|CRM|
+| eDiscovery|Discovery, AeD|
+| Exact Data Match|MipExactDataMatch|
+| Exchange Online|ExchangeAdmin, ExchangeItem, ExchangeItemAggregated |
+| Forms|MicrosoftForms|
+| Information barriers|InformationBarrierPolicyApplication|
+| Microsoft 365 Defender|MDATPAudit, AirInvestigation, AirManualInvestigation, AirAdminActionInvestigation|
+| Microsoft Teams|MicrosoftTeams|
+| MyAnalytics|MyAnalyticsSettings|
+| OneDrive for Business|OneDrive|
+| Power Apps|PowerAppsApp, PowerAppsPlan|
+| Power Automate|MicrosoftFlow|
+| Power BI|PowerBIAudit|
+| Quarantine|Quarantine|
+| Retention policies and retention labels|MIPLabel, MipAutoLabelExchangeItem, MipAutoLabelSharePointItem, MipAutoLabelSharePointPolicyLocation|
+| Sensitive information types|DlpSensitiveInformationType|
+| Sensitivity labels|MIPLabel, SensitivityLabelAction, SensitivityLabeledFileAction, SensitivityLabelPolicyMatch|
+| SharePoint Online|SharePoint, SharePointFileOperation,SharePointSharingOperation, SharePointListOperation, SharePointCommentOperation |
+| Stream|MicrosoftStream|
+| Threat Intelligence|ThreatIntelligence, ThreatIntelligenceUrl, ThreatFinder, ThreatIntelligenceAtpContent|
+| Workplace Analytics|WorkplaceAnalytics|
+|Yammer|Yammer|
+|||
+
+For more information about the operations that are audited in each of the services listed in the previous table, see the [Audited activities](#audited-activities) section in this article.
+
+The previous table also identifies the record type value to use to search the audit log for activities in the corresponding service using the **Search-UnifiedAuditLog** cmdlet in Exchange Online PowerShell or by using a PowerShell script. Some services have multiple record types for different types of activities within the same service. For a more complete list of auditing record types, see [Office 365 Management Activity API schema](/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype).
+
+ For more information about using PowerShell to search the audit log, see:
+
+- [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog)
+
+- [Use a PowerShell script to search the audit log](audit-log-search-script.md)
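Review bot: the delimiter row `|:|:|` is not a valid Markdown table separator (each cell needs at least three dashes, for example `|:---|:---|`), so the record-type table will render as plain text; the trailing `|||` row renders as an empty row and should be dropped. Typos: "User's in your organization" should be "Users in your organization"; "SharePointFileOperation,SharePointSharingOperation" is missing a space after the comma; " For more information about using PowerShell to search the audit log, see:" has a leading space. Content-wise, the removed list named "Admin activity in Briefing email and MyAnalytics" and "Exchange mailbox audit logging"; the table keeps MyAnalytics and Exchange Online but has no row for Briefing, so either add one or say why it was removed.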
## Before you search the audit log
Be sure to read the following items before you start searching the audit log.
For more information, see [Turn off audit log search](turn-audit-log-search-on-or-off.md). -- As previously stated, the underlying cmdlet used to search the audit log is an Exchange Online cmdlet, which is **Search-UnifiedAuditLog**. That means you can use this cmdlet to search the audit log instead of using the **Audit log search** page in the Microsoft 365 compliance center. You have to run this cmdlet in remote PowerShell connected to your Exchange Online organization. For more information, see [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog).
+- As previously stated, the underlying cmdlet used to search the audit log is an Exchange Online cmdlet, which is **Search-UnifiedAuditLog**. That means you can use this cmdlet to search the audit log instead of using the search tool on the **Audit** page in the Microsoft 365 compliance center. You have to run this cmdlet in Exchange Online PowerShell. For more information, see [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog).
For information about exporting the search results returned by the **Search-UnifiedAuditLog** cmdlet to a CSV file, see the "Tips for exporting and viewing the audit log" section in [Export, configure, and view audit log records](export-view-audit-log-records.md#tips-for-exporting-and-viewing-the-audit-log).
Be sure to read the following items before you start searching the audit log.
- It can take up to 30 minutes or up to 24 hours after an event occurs for the corresponding audit log record to be returned in the results of an audit log search. The following table shows the time it takes for the different services in Office 365.
- <br>
-
- ****
|Microsoft 365 service or feature|30 minutes|24 hours| ||::|::|
Be sure to read the following items before you start searching the audit log.
|eDiscovery|![Check mark.](../media/checkmark.png)|| |Exchange Online|![Check mark.](../media/checkmark.png)|| |Microsoft Power Automate||![Check mark.](../media/checkmark.png)|
- |Microsoft Project|![Check mark.](../media/checkmark.png)||
|Microsoft Stream|![Check mark.](../media/checkmark.png)|| |Microsoft Teams|![Check mark.](../media/checkmark.png)|| |Power Apps||![Check mark.](../media/checkmark.png)|
Be sure to read the following items before you start searching the audit log.
|Workplace Analytics|![Check mark.](../media/checkmark.png)|| |Yammer||![Check mark.](../media/checkmark.png)| |Microsoft Forms|![Check mark.](../media/checkmark.png)||
- |
+ ||||
- Azure Active Directory (Azure AD) is the directory service for Office 365. The unified audit log contains user, group, application, domain, and directory activities performed in the Microsoft 365 admin center or in the Azure management portal. For a complete list of Azure AD events, see [Azure Active Directory Audit Report Events](/azure/active-directory/reports-monitoring/concept-audit-logs).
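Review bot: deleting the Azure Active Directory bullet removes the only link to the Azure AD audit report events reference; the new services table lists the AzureActiveDirectory record types but not where the event definitions live, so move that link into the table row or the Audited activities section instead of dropping it. In the latency table, the replacement closing row `||||` is an empty row that renders as a blank line; remove it. The unchanged separator `||::|::|` is not a valid alignment row either (it needs dashes, for example `|:-:|:-:|`), so fix it while you are here. The Microsoft Project row is removed without explanation; confirm Project is no longer audited or is covered elsewhere.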
compliance Set Up Advanced Audit https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-advanced-audit.md
description: "This article describes how to set up Advanced Audit so you can per
# Set up Advanced Audit in Microsoft 365
-If your organization has a subscription and end user licensing that supports Advanced Audit, perform the following steps to set up and use the additional capabilities in Advanced Audit.
+If your organization has a subscription and end-user licensing that supports Advanced Audit, perform the following steps to set up and use the additional capabilities in Advanced Audit.
![Workflow to set up Advanced Audit.](../media/AdvancedAuditWorkflow.png)
compliance Use Notifications And Policy Tips https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-notifications-and-policy-tips.md
Currently, Outlook 2013 and later supports showing policy tips only for these co
- Content contains - Content is shared
-Note that Exceptions are considered conditions and all of these conditions work in Outlook, where they will match content and enforce protective actions on content. But showing policy tips to users is not yet supported.
+Note that Exceptions are considered conditions and all of these conditions work in Outlook, where they will match content and enforce protective actions on content. But showing policy tips to users is not yet supported. Also, Outlook does not support showing policy tips for a DLP policy that's applied to a dynamic distribution group.
### Policy tips in the Exchange admin center vs. the Security &amp; Compliance Center
You can customize the text for policy tips separately from the email notificatio
- [DLP policy conditions, exceptions, and actions (preview)](./dlp-microsoft-teams.md) - [Create a DLP policy to protect documents with FCI or other properties](protect-documents-that-have-fci-or-other-properties.md) - [What the DLP policy templates include](what-the-dlp-policy-templates-include.md)-- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
+- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
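Review bot: the added sentence "Outlook does not support showing policy tips for a DLP policy that's applied to a dynamic distribution group." should say whether the policy's conditions and protective actions still apply to members of that group, because the preceding sentence makes exactly that distinction for exceptions (enforced, but no tip shown); without it readers will infer the policy is skipped. In the Related links hunk, the removed line held four links ("DLP policy conditions, exceptions, and actions (preview)", "Create a DLP policy to protect documents with FCI or other properties", "What the DLP policy templates include", "Sensitive information type entity definitions") and only the last is re-added; verify the other three still appear in the file and were not lost in the line split.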
lighthouse M365 Lighthouse Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-overview.md
description: "For Managed Service Providers (MSPs), learn how Microsoft 365 Ligh
> [!NOTE] > The features described in this article are in Preview, are subject to change, and are only available to partners who meet the [requirements](m365-lighthouse-requirements.md). If your organization does not have Microsoft 365 Lighthouse, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md).
-Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium.
+Microsoft 365 Lighthouse is an admin portal that helps Managed Service Providers (MSPs) secure and manage devices, data, and users at scale for small- and medium-sized business (SMB) customers who are using Microsoft 365 Business Premium or Microsoft 365 E3.
-Lighthouse simplifies onboarding of Microsoft 365 Business Premium tenants by recommending security configuration baselines tailored to SMB customers and providing multi-tenant views across all customer environments. With Lighthouse, MSPs can scale the management of their customers, focus on what's most important, quickly find and investigate risks, and take action to get their customers to a healthy and secure state.
+Lighthouse simplifies onboarding of Microsoft 365 Business Premium and Microsoft 365 E3 tenants by recommending security configuration baselines tailored to SMB customers and providing multi-tenant views across all customer environments. With Lighthouse, MSPs can scale the management of their customers, focus on what's most important, quickly find and investigate risks, and take action to get their customers to a healthy and secure state.
-No additional costs are associated with using Lighthouse to manage Microsoft 365 services and connected devices. Lighthouse is currently in Preview and available to MSPs enrolled in the Cloud Solution Provider (CSP) program and serving SMB customers with a Microsoft 365 Business Premium subscription.
+No additional costs are associated with using Lighthouse to manage Microsoft 365 services and connected devices. Lighthouse is currently in Preview and available to MSPs enrolled in the Cloud Solution Provider (CSP) program and serving SMB customers with a Microsoft 365 Business Premium or Microsoft 365 E3 subscription.
-Use of Lighthouse by Microsoft CSP channel partners that have customers using Microsoft 365 Business Premium is supported. This includes CSP partners transacting directly with Microsoft and those transacting through an indirect provider (distributor).
+Use of Lighthouse by Microsoft CSP channel partners that have customers using Microsoft 365 Business Premium or Microsoft 365 E3 is supported. This includes CSP partners transacting directly with Microsoft and those transacting through an indirect provider (distributor).
> [!IMPORTANT] > To use Lighthouse, MSPs and their customer tenants must meet the requirements listed in [Microsoft 365 Lighthouse requirements](m365-lighthouse-requirements.md).
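Review bot: "Microsoft 365 Business Premium or Microsoft 365 E3" is now repeated in four consecutive paragraphs; name the supported subscriptions once in the first paragraph and refer to them as the supported subscriptions after that. The second paragraph still says the baselines are "tailored to SMB customers"; since E3 is not an SMB-only SKU, say explicitly that adding E3 does not change the SMB scope (the requirements page keeps its licensed-user ceiling), so partners do not read this as general enterprise support.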
lighthouse M365 Lighthouse Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-requirements.md
MSPs must be enrolled in the Cloud Solution Provider (CSP) program as an Indirec
In addition, each MSP customer tenant must qualify for Lighthouse by meeting the following requirements: - Delegated Admin PrivilegesΓÇ»(DAP) for the MSP -- At least one Microsoft 365 Business Premium license
+- At least one Microsoft 365 Business Premium or Microsoft 365 E3 license
- Fewer than 500 licensed users  ## Requirements for enabling device management  
To view customer tenant devices on the device management pages, a MSP must:ΓÇ»
## Requirements for enabling user management
-For customer data to show up in reports on user management pages, including Risky users, Multifactor authentication, and Password reset, customer tenants must have licenses for Azure Active Directory Premium P1 or later. Azure AD Premium P1 is included with Microsoft 365 Business Premium.
+For customer data to show up in reports on user management pages, including Risky users, Multifactor authentication, and Password reset, customer tenants must have licenses for Azure Active Directory Premium P1 or later. Azure AD Premium P1 is included with Microsoft 365 Business Premium and Microsoft 365 E3.
## Requirements for enabling threat management
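Review bot: the license bullet and the user management section are updated for E3, but the threat management section that follows is not touched in this change; confirm its requirements hold for E3 tenants as well, or state the difference, so the three sections stay consistent. The unchanged context lines "Delegated Admin PrivilegesΓÇ»(DAP)" and "a MSP must:ΓÇ»" contain a mis-encoded non-breaking space; replace it with a regular space, and "a MSP" should be "an MSP".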
lighthouse M365 Lighthouse Tenant List Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-tenant-list-overview.md
The following table shows the different status messages and their meaning.<br><b
| Ineligible, DAP | Delegated Admin Privileges (DAP) setup is required. | | Ineligible, user count | Tenant has more users than allowed. | | Ineligible, license | Tenant does not have required license. |
+| Ineligible, contract type | A Cloud Solution Provider (CSP) contract is required. |
| Inactive | Tenant is no longer active. | Once you inactivate a tenant, you can't take action on the tenant while Lighthouse completes the inactivation process. It may take up to 48 hours for inactivation to complete.
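Review bot: "A Cloud Solution Provider (CSP) contract is required." tells the MSP what is missing but not what to do; the status name "contract type" implies other contract types exist, so name which relationship types are not accepted and link to the requirements page, as the overview already does for DAP. Keeping the new row grouped with the other Ineligible rows is the right placement.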
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
Users can follow these steps to enable the same permissions from the device sett
![Locate "Microsoft Defender Endpoint" and select "Don't Optimise".](images/select-dont-optimise.png) Return to the Microsoft Defender Endpoint onboarding screen, select **Allow**, and you will be redirected to the dashboard screen.+
+## Send in-app feedback
+
+If a user faces an issue which is not already addressed in the above sections or is unable to resolve using the listed steps, the user can provide **in-app feedback** along with **diagnostic data**. Our team can then investigate the logs to provide the right solution. Users can follow these steps to do the same:
+1. Open the **MDE application** on your device and click on the **profile icon** in the top-left corner.
+
+ ![Click on profile icon.](images/selectprofileicon1.jpeg)
+
+2. Select ΓÇ£Help & feedbackΓÇ¥.
+
+ ![Select help and feedback](images/selecthelpandfeedback2.png)
++
+3. Select ΓÇ£Send feedback to MicrosoftΓÇ¥.
+
+ ![Select send feedback to Microsoft](images/sendfeedbacktomicrosoft3.jpeg)
+
+4. Choose from the given options. To report an issue, select ΓÇ£I want to report an issueΓÇ¥.
+
+ ![Report an issue](images/reportissue4.jpeg)
+
+5. Provide details of the issue that you are facing and check ΓÇ£Send diagnostic dataΓÇ¥. We recommend checking ΓÇ£Include your email addressΓÇ¥ so that the team can reach back to you with a solution or a follow-up.
+
+ ![Add details and attach diagnostic data](images/finalsubmit5.png)
+
+6. Click on ΓÇ£SubmitΓÇ¥ to successfully send the feedback.
+++++
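Review bot: the added steps use mis-encoded curly quotes (shown here as ΓÇ£ and ΓÇ¥) around "Help & feedback", "Send feedback to Microsoft", "I want to report an issue", "Send diagnostic data", "Include your email address" and "Submit"; the preceding step puts UI labels in bold (**Allow**), so use bold instead of quotes and save the file as UTF-8 without smart quotes. Grammar: "an issue which is not already addressed in the above sections or is unable to resolve using the listed steps" needs a subject for "unable to resolve" (for example "or cannot resolve it using the listed steps"). Step 5 recommends checking "Send diagnostic data" without saying what the diagnostic data contains; a one-line description or a link would let users decide what they are submitting. The hunk also adds runs of trailing blank lines (the `++` and `+++++` lines); trim them.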
security Attack Surface Reduction Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules.md
Intune Name: `Block abuse of exploited vulnerable signed drivers`
GUID: `56a863a9-875e-4185-98a7-b882c64b5ce5`
+AH action type:
+ ### Block Adobe Reader from creating child processes This rule prevents attacks by blocking Adobe Reader from creating processes.
Configuration Manager name: Not yet available
GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
+AH action type:
+
+- AsrAdobeReaderChildProcessAudited
+- AsrAdobeReaderChildProcessBlocked
+ ### Block all Office applications from creating child processes This rule blocks Office apps from creating child processes. Office apps include Word, Excel, PowerPoint, OneNote, and Access.
Configuration Manager name: `Block Office application from creating child proces
GUID: `d4f940ab-401b-4efc-aadc-ad5f3c50688a`
+AH action type:
+
+- AsrOfficeChildProcessAudited
+- AsrOfficeChildProcessBlocked
+ ### Block credential stealing from the Windows local security authority subsystem This rule helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).
Configuration Manager name: `Block credential stealing from the Windows local se
GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
+AH action type:
+
+- AsrLsassCredentialTheftAudited
+- AsrLsassCredentialTheftBlocked
+ ### Block executable content from email client and webmail This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
Microsoft Endpoint Manager name: `Block executable content from email client and
GUID: `be9ba2d9-53ea-4cdc-84e5-9b1eeee46550`
+AH action type:
+
+- AsrExecutableEmailContentAudited
+- AsrExecutableEmailContentBlocked
+ > [!NOTE] > The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use: >
Configuration Manager name: `Block executable files from running unless they mee
GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
+AH action type:
+
+- AsrUntrustedExecutableAudited
+- AsrUntrustedExecutableBlocked
+ ### Block execution of potentially obfuscated scripts This rule detects suspicious properties within an obfuscated script.
Configuration Manager name: `Block execution of potentially obfuscated scripts`
GUID: `5beb7efe-fd9a-4556-801d-275e5ffc04cc`
+AH action type:
+
+- AsrObfuscatedScriptAudited
+- AsrObfuscatedScriptBlocked
+ ### Block JavaScript or VBScript from launching downloaded executable content This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
Configuration Manager name: `Block JavaScript or VBScript from launching downloa
GUID: `d3e037e1-3eb8-44c8-a917-57927947596d`
+AH action type:
+
+- AsrScriptExecutableDownloadAudited
+- AsrScriptExecutableDownloadBlocked
+ ### Block Office applications from creating executable content This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
SCCM name: `Block Office applications from creating executable content`
GUID: `3b576869-a4ec-4529-8536-b80a7769e899`
+AH action type:
+
+- AsrExecutableOfficeContentAudited
+- AsrExecutableOfficeContentBlocked
+ ### Block Office applications from injecting code into other processes This rule blocks code injection attempts from Office apps into other processes.
Configuration Manager name: `Block Office applications from injecting code into
GUID: `75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84`
+AH action type:
+
+- AsrOfficeProcessInjectionAudited
+- AsrOfficeProcessInjectionBlocked
+ ### Block Office communication application from creating child processes This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
Configuration Manager name: Not available
GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
+AH action type:
+
+- AsrOfficeCommAppChildProcessAudited
+- AsrOfficeCommAppChildProcessBlocked
+ ### Block persistence through WMI event subscription This rule prevents malware from abusing WMI to attain persistence on a device.
Configuration Manager name: Not available
GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
+AH action type:
+
+- AsrPersistenceThroughWmiAudited
+- AsrPersistenceThroughWmiBlocked
+ ### Block process creations originating from PSExec and WMI commands This rule blocks processes created through [PsExec](/sysinternals/downloads/psexec) and [WMI](/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
Configuration Manager name: Not applicable
GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
+AH action type:
+
+- AsrPsexecWmiChildProcessAudited
+- AsrPsexecWmiChildProcessBlocked
+ ### Block untrusted and unsigned processes that run from USB With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
Configuration Manager name: `Block untrusted and unsigned processes that run fro
GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
+AH action type:
+
+- AsrUntrustedUsbProcessAudited
+- AsrUntrustedUsbProcessBlocked
+ ### Block Win32 API calls from Office macros This rule prevents VBA macros from calling Win32 APIs.
Configuration Manager name: `Block Win32 API calls from Office macros`
GUID: `92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b`
+AH action type:
+
+- AsrOfficeMacroWin32ApiCallsAudited
+- AsrOfficeMacroWin32ApiCallsBlocked
+ ### Use advanced protection against ransomware This rule provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file resembles ransomware. This rule does not block files that have one or more of the following characteristics:
Intune name: `Advanced ransomware protection`
Configuration Manager name: `Use advanced protection against ransomware` GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`+
+AH action type:
+
+- AsrRansomwareAudited
+- AsrRansomwareBlocked
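Review bot: "AH action type:" under "Block abuse of exploited vulnerable signed drivers" is added with no list beneath it, while every other rule gets an Audited/Blocked pair (for example `AsrAdobeReaderChildProcessAudited` and `AsrAdobeReaderChildProcessBlocked`); either add the action types for that rule or leave the label out until they exist, because an empty label reads like a rendering error. "AH" is never expanded in this change; spell it out as advanced hunting on first use and say which advanced hunting table and column these values appear in, since that is what a reader will query on. Minor: the `GUID:` line for "Use advanced protection against ransomware" ends with a stray `+`, and several added headings start with a leading space (`+ ### Block ...`) with the rule description on the same line.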
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
One of the options when takingΓÇ»[response actions on a file](respond-file-alert
Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
-## Private Preview: Alerting on file blocking actions
+## Public Preview: Alerting on file blocking actions
> [!IMPORTANT] > Information in this section (**Public Preview for Automated investigation and remediation engine**) relates to prerelease product which might be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Choose if to Generate an alert on the file block event and define the alerts set
> > For more information about the EnableFileHashComputation group policy, see [Defender CSP](/windows/client-management/mdm/defender-csp).
-## Private Preview: Advanced hunting capabilities
+## Public Preview: Advanced hunting capabilities
> [!IMPORTANT] > Information in this section (**Public Preview for Automated investigation and remediation engine**) relates to prerelease product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
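Review bot: both headings move from Private Preview to Public Preview, but the IMPORTANT callouts beneath them still name the preview as "Public Preview for Automated investigation and remediation engine", which is a different feature from file-blocking alerts and advanced hunting for indicators; rename the parenthetical to match the section or drop it. The two callouts also differ only in "might" versus "may"; use one wording.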
security Ti Indicator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ti-indicator.md
rbacGroupIds|List of strings|RBAC device group ID's where the indicator is expos
The indicator action types supported by the API are:
+- Allowed
+- Alert
- AlertAndBlock-- Allow - Audit-- Alert
+- Block
+- BlockAndRemediate
- Warn-- BlockExecution-- BlockRemdiation
-The API list of action types contains the new response actions along with the prior response actions (AlertAndBlock, and Alert).
+The API list of action types contains the new response actions along with the prior response actions (AlertAndBlock, and Alert). For more information on the description of the response action types, see [Create indicators](manage-indicators.md).
+
+The Allowed, Warn, Block, and BlockAndRemediate IoC response actions are in public preview. For more information on the public preview, see [Public Preview: Custom file IoC enhancements and API schema update - Microsoft Tech Community](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/public-preview-custom-file-ioc-enhancements-and-api-schema/ba-p/2676997).
+++ > [!Note] >
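Review bot: the prose and the list disagree after this change. The removed lines drop `AlertAndBlock`, `Audit`, `Warn`, `BlockExecution` and `BlockRemdiation`, and the added lines introduce `Allowed`, `Alert`, `Block` and `BlockAndRemediate`, yet the next paragraph says the list contains "the prior response actions (AlertAndBlock, and Alert)" and the preview note says "The Allowed, Warn, Block, and BlockAndRemediate IoC response actions are in public preview". Unless lines omitted from this excerpt keep them, `AlertAndBlock` and `Warn` need to stay in the list, or the two sentences need to stop referring to them; as shown, only `Alert` survives of the prior actions. The `+++ > [!Note] >` line adds an empty note block; remove it or give it content.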
security Tune Performance Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md
The high-level process for running performance analyzer involves the following s
1. Run performance analyzer to collect a performance recording of Microsoft Defender Antivirus events on the endpoint.
-> [!NOTE]
-> Performance of Microsoft Defender Antivirus events of the type **Microsoft-Antimalware-Engine** are recorded through the performance analyzer.
+ > [!NOTE]
+ > Performance of Microsoft Defender Antivirus events of the type **Microsoft-Antimalware-Engine** are recorded through the performance analyzer.
2. Analyze the scan results using different recording reports. ## Using performance analyzer
-To start recording system events, open Powershell in administrative mode and perform the following steps:
+To start recording system events, open PowerShell in administrative mode and perform the following steps:
1. Run the following command to start the recording:
-`New-MpPerformanceRecording -RecordTo <recording.etl>`
+ `New-MpPerformanceRecording -RecordTo <recording.etl>`
- where `-RecordTo` parameter specifies full path location in which the trace file is saved. For more cmdlet information, see [Defender](/powershell/module/defender).
+ where `-RecordTo` parameter specifies full path location in which the trace file is saved. For more cmdlet information, see [Defender](/powershell/module/defender).
2. If there are processes or services thought to be affecting performance, reproduce the situation by carrying out the relevant tasks.+ 3. Press **ENTER** to stop and save recording, or **Ctrl+C** to cancel recording.+ 4. Analyze the results using the performance analyzerΓÇÖs `Get-MpPerformanceReport`parameter. For example, on executing the command `Get-MpPerformanceReport -Path <recording.etl> -TopFiles 3 -TopScansPerFile 10`, the user is provided with a list of top-ten scans for the top 3 files affecting performance. For more information on command-line parameters and options, see the [New-MpPerformanceRecording](#new-mpperformancerecording) and [Get-MpPerformanceReport](#get-mpperformancereport).
+> [!NOTE]
+> When running a recording, if you get the error "Cannot start performance recording because Windows Performance Recorder is already recording", run the following command
+> to stop the existing trace with the new command:
+> **wpr -cancel -instancename MSFT_MpPerformanceRecording**
+ ### Performance tuning data and information Based on the query, the user will be able to view data for scan counts, duration (total/min/average/max/median), path, process, and reason for scan. The image below shows sample output for a simple query of the top 10 files for scan impact.
Based on the query, the user will be able to view data for scan counts, duration
### Additional functionality: exporting and converting to CSV and JSON
-The results of the perfomance analyzer can also be exported and converted to a CSV or JSON file.
+The results of the performance analyzer can also be exported and converted to a CSV or JSON file.
For examples that describe the process of "export" and "convert" through sample codes, see below. #### For CSV
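Review bot: the new NOTE about "Cannot start performance recording because Windows Performance Recorder is already recording" sits at column 0 after step 4, so it interrupts the numbered list before the "Performance tuning data" heading; indent it under the step it belongs to, as the Microsoft-Antimalware-Engine note now is under step 1, or place it after the list. Put the recovery command in a code span (`wpr -cancel -instancename MSFT_MpPerformanceRecording`) rather than bold, matching `New-MpPerformanceRecording -RecordTo <recording.etl>` in step 1, and tighten "run the following command to stop the existing trace with the new command" to "stop the existing trace with the following command". Step 4 also reads "`Get-MpPerformanceReport`parameter" with no space before "parameter", and the same sentence calls it a command; it is a cmdlet, so say "cmdlet".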
security Safe Links https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links.md
The settings in Safe Links policies that apply to email messages are described i
For more information about the recommended values for Standard and Strict policy settings for Safe Links policies, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings).
+ - **Do not rewrite URLs, do checks via SafeLinks API only**: If this setting is enabled, no URL wrapping takes place. Safe Links is called exclusively via APIs at the time of URL click by Outlook clients that support it. The recommend value is disabled.
+
- **Recipient filters**: You need to specify the recipient conditions and exceptions that determine who the policy applies to. You can use these properties for conditions and exceptions: - **The recipient is** - **The recipient domain is**
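Review bot: "The recommend value is disabled." should read "The recommended value is disabled.", matching the Standard/Strict wording referenced just above it. Spell out the consequence of enabling the setting: the sentence implies that, with "no URL wrapping" and checks done "exclusively via APIs at the time of URL click by Outlook clients that support it", a message opened in any other client gets no time-of-click check, and that is the reason the recommended value is disabled; say so directly. Use one product name: the page says "Safe Links" elsewhere and "SafeLinks" in the new setting name (keep the literal label if that is how the portal shows it, but note that it is the UI string).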