+## Create, edit, or delete custom user views

+If you're a global or user management admin of a Microsoft 365 for business subscription, you can create up to 50 custom user views to view subsets of users. These views are in addition to the standard set of views. You can create, edit, or delete custom user views, and the custom views you create are available to all admins.

+When you create, edit, or delete a custom user view, the changes are shown in the **Filter** list that all admins in your company see when they go to the **Users** page.

+> [!TIP]

+> Standard user views are displayed by default in the **Filters** drop-down list. The standard filters include **All users**, **Licensed users**, **Guest users**, **Sign-in allowed**, **Sign-in blocked**, **Unlicensed users**, **Users with errors**, **Billing admins**, **Global admins**, **Helpdesk admins**, **Service admins**, and **User management admins**. You can't edit or delete standard views.

+A few things to note about standard views:

+- Some standard views display an unsorted list if there are more than 2,000 users in the list. To locate specific users in this list, use the search box.

+- If you didn't purchase Microsoft 365 from Microsoft, **Billing admins** don't appear in the standard views list. For more information, see [Assigning admin roles](assign-admin-roles.md).

+

+### Choose the filters for your custom user view

+You can create and edit your custom views in the **Custom filter** pane. If you select multiple filter options, you get results that contain users who match all the selected criteria. The following example shows you how to create a custom view named "Canadian users" that shows all users on a specific domain who are in Canada.

+ **A - Domain** If you have multiple domains for your organization, you can choose from a drop-down list of domains that are available.

+

+ **B - Sign-in status** Choose users that are allowed or blocked.

+

+ **C - Location** Choose a location from a drop-down list of countries.

+

+ **D - Assigned product license** Choose from a drop-down list of licenses that are available at your organization. Use this filter to show users who have the license you selected assigned to them. Users may also have additional licenses.

+

+You can also filter by additional user profile details used in your organization such as department, city, state or province, country or region, or job title.

+

+ **Other conditions:**

+

+- **Synchronized users only** Select this box to show all users who have been synced with the local Active Directory, regardless of whether the users have been activated or not.

+- **Users with errors** Select this box to show users who may have provisioning errors.

+- **Unlicensed users** Select this box to find all the users who haven't been assigned a license. The results for this view can also include users who have an Exchange mailbox but don't have a license. To track those users specifically, use the filter **Unlicensed users with Exchange mailboxes or archives**. The results for this view can also include users who have an Exchange archive, but don't have a license.

+- **Unlicensed users with Exchange mailboxes or archives** Select this box to show user accounts that were created in Exchange Online and have an Exchange mailbox, but weren't assigned an Microsoft 365 license. The results of this filter include users who have or who were assigned an Exchange archive.

+> [!NOTE]

+> The **Unlicensed users with Exchange mailboxes** filter works when:

+1. The mailbox has been recently converted from **shared** to **user** and it has no license.

+2. The mailbox has been recently migrated to Microsoft 365 but a license has not been assigned.

+3. The mailbox has been created using PowerShell, and a license has not been assigned.

+4. A new mailbox that has been created on-premise with a New-RemoteMailbox cmdlet is provisioned for the user.

+> [!TIP]

+> If you create a custom view that returns more than 2,000 users, the resulting user list isn't sorted. In this case, use the search box to find users or edit your custom view to refine your search.

+

+### Create a custom user view

+1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a>.

+

+1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a>.

+

+2. On the **Active users** page, select **Filters** and select **New filter**.

+

+3. On the **Custom filter** page, enter the name for your filter, choose the conditions for your custom filter, and then select **Add**. Your custom view is now included in the drop-down list of filters.

+### Edit or delete a custom user view

+1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a>.

+1. In the admin center, go to **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=850628" target="_blank">Active users</a>.

+

+2. On the **Active users** page, select **Filter**, select the filter you want to change, and then select **Edit filter**.

+

+ > [!TIP]

+ > You can edit only custom views.

+

+3. On the **Custom filter** page, edit the information as needed, and then select **Save**. Or, to delete the filter, at the bottom of the page select **Delete**.

+## Resend user password

+

+1. In the admin center, go to the **Users** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=834822" target="_blank">Active users</a> page.

+2. On the **Active users** page, select the user and then select **Reset password**.

+3. Follow the instructions on the **Reset password** page to auto-generate a new password for the user or create one for them, and then select **Reset**.

+4. Enter an email address the user can get to, so they receive the new password, and follow up with them to make sure they got it.

+## Set strong passwords

+1. [Connect to Microsoft 365 with PowerShell](/office365/enterprise/powershell/connect-to-office-365-powershell#connect-with-the-microsoft-azure-active-directory-module-for-windows-powershell).

+2. Using PowerShell, you can turn off strong password requirements for all users with the following command:

+ ```powershell

+ Get-MsolUser | Set-MsolUser -StrongPasswordRequired $false

+3. You can turn **OFF** strong password requirements for specific users with this command:

+ ```powershell

+ Set-MsolUser ΓÇôUserPrincipalName ΓÇôStrongPasswordRequired $false

+ ```

+> [!NOTE]

+> The userPrincipalName must be in the Internet-style sign-in format where the user name is followed by the at sign (@) and a domain name. For example: user@contoso.com.

+> If you're having trouble enrolling your device, see [Troubleshoot Basic Mobility and Security](frequently-asked-questions.yml).

+description: "For devices you can't manage with Basic Mobility and Security, block Exchange ActiveSync app access to email and use Azure AD PowerShell to get details about org devices."

+## Get details about Basic Mobility and Security managed devices

+Additionally, you can use Azure AD PowerShell to get details about the devices in your organization that you set up for Basic Mobility and Security.

+Here's a breakdown for the device details available to you.

+|Detail|What to look for in PowerShell|

+|||

+|Device is enrolled in Basic Mobility and Security. For more info, see [Enroll your mobile device using Basic Mobility and Security](enroll-your-mobile-device.md)|The value of the *isManaged* parameter is:<br/>**True**= device is enrolled.<br/>**False**= device is not enrolled.|

+|Device is compliant with your device security policies. For more info, see [Create device security policies](create-device-security-policies.md)|The value of the *isCompliant* parameter is:<br/>**True** = device is compliant with policies.<br/>**False** = device is not compliant with policies.|

+> [!NOTE]

+> The commands and scripts that follow also return details about any devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).

+Here are a few things you need to set up to run the commands and scripts that follow:

+### Step 1: Download and install the Azure Active Directory Module for Windows PowerShell

+For more info on these steps, see [Connect to Microsoft 365 with PowerShell](/office365/enterprise/powershell/connect-to-office-365-powershell).

+1. Go to [Microsoft Online Services Sign-In Assistant for IT Professionals RTWl](https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_32bit.msi) and select **Download for Microsoft Online Services Sign-in Assistant**.

+2. Install the Microsoft Azure Active Directory Module for Windows PowerShell with these steps:

+ 1. Open an administrator-level PowerShell command prompt.

+ 2. Run the `Install-Module MSOnline` command.

+ 3. If prompted to install the NuGet provider, type Y and press ENTER.

+ 4. If prompted to install the module from PSGallery, type Y and press ENTER.

+ 5. After installation, close the PowerShell command window.

+### Step 2: Connect to your Microsoft 365 subscription

+1. In the Windows Azure Active Directory Module for Windows PowerShell, run the following command.

+ ```powershell

+ $UserCredential = Get-Credential

+ ```

+2. In the Windows PowerShell Credential Request dialog box, type the user name and password for your Microsoft 365 global admin account, and then select **OK**.

+3. Run the following command.

+ ```powershell

+ Connect-MsolService -Credential $UserCredential

+ ```

+### Step 3: Make sure you're able to run PowerShell scripts

+> [!NOTE]

+> You can skip this step if you're already set up to run PowerShell scripts.

+To run the Get-MsolUserDeviceComplianceStatus.ps1 script, you need to enable the running of PowerShell scripts.

+1. From your Windows Desktop, select **Start**, and then type Windows PowerShell. Right-click Windows PowerShell, and then select **Run as administrator**.

+2. Run the following command.

+ ```powershell

+ Set-ExecutionPolicy RemoteSigned

+ ```

+3. When prompted, type Y and then press Enter.

+#### Run the Get-MsolDevice cmdlet to display details for all devices in your organization

+1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.

+2. Run the following command.

+ ```powershell

+ Get-MsolDevice -All -ReturnRegisteredOwners | Where-Object {$_.RegisteredOwners.Count -gt 0}

+ ```

+For more examples, see [Get-MsolDevice](https://go.microsoft.com/fwlink/?linkid=2157939).

+### Run a script to get device details

+First, save the script to your computer.

+1. Copy and paste the following text into Notepad.

+ ```powershell

+ param (

+ [PSObject[]]$users = @(),

+ [Switch]$export,

+ [String]$exportFileName = "UserDeviceComplianceStatus_" + (Get-Date -Format "yyMMdd_HHMMss") + ".csv",

+ [String]$exportPath = [Environment]::GetFolderPath("Desktop")

+ )

+ [System.Collections.IDictionary]$script:schema = @{

+ DeviceId = ''

+ DeviceOSType = ''

+ DeviceOSVersion = ''

+ DeviceTrustLevel = ''

+ DisplayName = ''

+ IsCompliant = ''

+ IsManaged = ''

+ ApproximateLastLogonTimestamp = ''

+ DeviceObjectId = ''

+ RegisteredOwnerUpn = ''

+ RegisteredOwnerObjectId = ''

+ RegisteredOwnerDisplayName = ''

+ }

+ function createResultObject

+ {

+ [PSObject]$resultObject = New-Object -TypeName PSObject -Property $script:schema

+ return $resultObject

+ }

+ If ($users.Count -eq 0)

+ {

+ $users = Get-MsolUser

+ }

+ [PSObject[]]$result = foreach ($u in $users)

+ {

+ [PSObject]$devices = get-msoldevice -RegisteredOwnerUpn $u.UserPrincipalName

+ foreach ($d in $devices)

+ {

+ [PSObject]$deviceResult = createResultObject

+ $deviceResult.DeviceId = $d.DeviceId

+ $deviceResult.DeviceOSType = $d.DeviceOSType

+ $deviceResult.DeviceOSVersion = $d.DeviceOSVersion

+ $deviceResult.DeviceTrustLevel = $d.DeviceTrustLevel

+ $deviceResult.DisplayName = $d.DisplayName

+ $deviceResult.IsCompliant = $d.GraphDeviceObject.IsCompliant

+ $deviceResult.IsManaged = $d.GraphDeviceObject.IsManaged

+ $deviceResult.DeviceObjectId = $d.ObjectId

+ $deviceResult.RegisteredOwnerUpn = $u.UserPrincipalName

+ $deviceResult.RegisteredOwnerObjectId = $u.ObjectId

+ $deviceResult.RegisteredOwnerDisplayName = $u.DisplayName

+ $deviceResult.ApproximateLastLogonTimestamp = $d.ApproximateLastLogonTimestamp

+ $deviceResult

+ }

+ }

+ If ($export)

+ {

+ $result | Export-Csv -path ($exportPath + "\" + $exportFileName) -NoTypeInformation

+ }

+ Else

+ {

+ $result

+ }

+ ```

+2. Save it as a Windows PowerShell script file by using the file extension .ps1; for example, Get-MsolUserDeviceComplianceStatus.ps1.

+### Run the script to get device information for a single user account

+1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.

+2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.

+ ```powershell

+ cd C:\PS-Scripts

+ ```

+3. Run the following command to identify the user you want to get device details for. This example gets details for bar@example.com.

+ ```powershell

+ $u = Get-MsolUser -UserPrincipalName bar@example.com

+ ```

+4. Run the following command to initiate the script.

+ ```powershell

+ .\Get-MsolUserDeviceComplianceStatus.ps1 -User $u -Export

+ ```

+The information is exported to your Windows Desktop as a CSV file. You can use additional parameters to specify the file name and path of the CSV.

+### Run the script to get device information for a group of users

+1. Open the Microsoft Azure Active Directory Module for Windows PowerShell.

+2. Go to the folder where you saved the script. For example, if you saved it to C:\PS-Scripts, run the following command.

+ ```powershell

+ cd C:\PS-Scripts

+ ```

+3. Run the following command to identify the group you want to get device details for. This example gets details for users in the FinanceStaff group.

+ ```powershell

+ $u = Get-MsolGroupMember -SearchString "FinanceStaff" | % { Get-MsolUser -ObjectId $_.ObjectId }

+ ```

+4. Run the following command to initiate the script.

+ ```powershell

+ .\Get-MsolUserDeviceComplianceStatus.ps1 -User $u -Export

+ ```

+The information is exported to your Windows Desktop as a CSV file. You can use additional parameters to specify the file name and path of the CSV.

+## Related content

+[Microsoft Connect Has Been Retired](/collaborate/connect-redirect)

+[Overview of Basic Mobility and Security](overview.md)

+[Get-MsolDevice](https://go.microsoft.com/fwlink/?linkid=2157939)

+- [Bookings with me: setup and sharing](https://support.microsoft.com/office/bookings-with-me-setup-and-sharing-ad2e28c4-4abd-45c7-9439-27a789d254a2) A personal booking page where you can create meeting types that others can book with you. Custom meeting types give you the ability to customize when you want to meet and how that meeting type is shared with others. You control whether each meeting type is public to your scheduling page or is private and can only be accessed by a select group of people. You can also choose to add a Teams meeting to all meetings booked through your Bookings with me page. You can access your Bookings with me page through Outlook on the web. After you set up your page and publish it, you can share it with others. For example, you can add it to your Outlook signature.

+- [Attendee view](https://support.microsoft.com/office/select-a-meeting-time-in-bookings-with-me-8f3bbe5b-4bc6-4073-bf61-57383c00b43a) When you share your Bookings with me page with others, they will see the attendee view. If the organizer has shared their Bookings with me page link with you, you'll be able to see all of their public meeting types. If the organizer has shared a meeting link, you'll only be able to view that meeting.

+Public meeting types can be accessed by anyone that has your Bookings with me page address. You decide who you share your Bookings with me page address with. For more information, see [Select a meeting time in Bookings with me](https://support.microsoft.com/office/select-a-meeting-time-in-bookings-with-me-8f3bbe5b-4bc6-4073-bf61-57383c00b43a).

+Private meeting types can also generate single use links. Single use links expire after their first booking. For more information, see [setup Bookings with me meeting types](https://support.microsoft.com/office/bookings-with-me-setup-and-sharing-ad2e28c4-4abd-45c7-9439-27a789d254a2).

+Upgrade to TLS 1.2. The following syntax updates the ServicePointManager Security Protocol to allow TLS1.2:

+ [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

+- **Risky browser usage**: Displays activities for events associated with browsing to potentially inappropriate websites.

+ - Risky browser usage

+- **Use automated insider risk features to help discover the highest risk activities**. Insider risk management [sequence detection](insider-risk-management-policies.md#sequence-detection-preview) and [cumulative exfiltration detection](insider-risk-management-policies.md#cumulative-exfiltration-detection-preview) features can help you quickly discover harder to find risks in your organization. Consider fine-tuning your [risk score boosters](insider-risk-management-settings.md#indicators), [file type exclusions](insider-risk-management-settings.md#file-type-exclusions), [domains](insider-risk-management-settings.md#domains), and the minimum [indicator threshold settings](insider-risk-management-settings.md#indicator-level-settings-preview) for your policies.

+- Browsing risky websites

+| Browsing risky websites | Extension | Extension |

+## Additional requirements

+If you're using policies based on the *Risky browser usage* template, at least one *Browsing indicator* must be selected in **Insider risk management** > **Settings** > **Policy indicators**.

+- Latest Microsoft Edge x64, version (91.0.864.41 or higher)

+- Latest *Microsoft Compliance Extension* add-on (1.0.0.44 or higher)

+Use this option to configure a single machine selfhost for each device in your organization when testing browser signal detection.

+2. Expand the following path **Computer/User configuration** \> **Policies** \> **Administrative templates** \> **Classic administrative templates** \> **Microsoft Edge** \> **Extensions**. This path may vary depending on the configuration of your organization.

+- Latest *Microsoft Compliance Extension* version (2.0.0.183 or higher)

+ - [Microsoft Defender for Endpoint alert status](insider-risk-management-settings.md#microsoft-defender-for-endpoint-alert-statuses-preview)

+ If you've selected the *Risky browser usage* policy template, select one or more of the **Browsing indicators**.

+>[!IMPORTANT]

+>Microsoft Purview Insider Risk Management correlates various signals to identify potentially malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.

+Insider risk management policies determine which users are in-scope and which types of risk indicators are configured for alerts. You can quickly create a security policy that applies to all users in your organization or define individual users or groups for management in a policy. Policies support content priorities to focus policy conditions on multiple or specific Microsoft Teams, SharePoint sites, data sensitivity types, and data labels. Using templates, you can select specific risk indicators and customize event thresholds for policy indicators, effectively customizing risk scores, and level and frequency of alerts. Using quick policies, you can even create data leaks or data theft by departing user policies that automatically define policy conditions based on results from the latest analytics scans. Additionally, risk score boosters and anomaly detections help identify risky user activity that is of higher importance or more unusual. Policy windows allow you to define the time frame to apply the policy to alert activities and are used to determine the duration of the policy once activated.

+The **Policy dashboard** allows you to quickly see the policies in your organization, the health of the policy, manually add users to security policies, and to view the status of alerts associated with each policy.

+Insider risk analytics gives you an aggregate view of anonymized user activities related to security and compliance, enabling you to evaluate potential insider risks in your organization without configuring any insider risk policies. This evaluation can help your organization identify potential areas of higher risk and help determine the type and scope of insider risk management policies you may consider configuring. If you decide to act on analytics scan results for general data leaks or data theft by departing users policies, you even have the option to configure a quick policy based on these results.

+## Quick policies from recommended actions (preview)

+For some organizations, getting started with an initial policy can be a challenge. If you're new to insider risk management and using the Recommended actions to get started, you can use a quick policy to expedite the configuration of a *General data leaks* or *Data theft by departing users* policy. Quick policy settings are automatically populated based on results from the latest analytics scan in your organization. For example, if the scan detected potential data leak activities, the quick policy would include the indicators used to detect those activities. You'll just need to review the quick policy settings and configure the policy with a single selection. If you need to customize a quick policy, you can change the conditions during the initial configuration or after the policy has been created. Additionally, you can stay up to date with the detection results for a quick policy by configuring email notifications each time you have a policy warning or each time the policy generates a high severity alert.

+When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area. Data theft for departing users may include downloading files from SharePoint Online, printing files, and copying data to personal cloud messaging and storage services near their employment resignation and end dates. By using either the Microsoft HR connector or the option to automatically check for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these activities and how they correlate with user employment status.

+- When using a DLP policy as the triggering event, make sure you understand and properly configure the in-scope users in both the DLP and insider risk management policies. Only users defined as in-scope for insider risk management policies using the **Data leaks** template will have high severity DLP policy alerts processed. Additionally, only users defined as in-scope in a rule for a high severity DLP alert will be analyzed by the insider risk management policy for consideration. It's important that you don't unknowingly configure in-scope users in both your DLP and insider risk policies in a conflicting manner.

+When users experience employment stressors, they may become disgruntled, which may increase the chances of insider risk activity. This template starts scoring security and compliance related user activity when an indicator associated with disgruntlement is identified. Examples include system signals performance improvement notifications, poor performance reviews, or changes to job level status. Data leaks for disgruntled users may include downloading files from SharePoint Online and copying data to personal cloud messaging and storage services near employment stressor events.

+When using this template, you must also configure a Microsoft HR connector to periodically import organization profile data for users in your organization. See the [Set up a connector to import HR data](/microsoft-365/compliance/import-hr-data) article for step-by-step guidance to configure the Microsoft 365 HR connector for your organization.

+### General risky browser usage (preview)

+Identifying user visitation to inappropriate or unacceptable web sites on organization devices and networks is an important part of minimizing security, legal, and regulatory risks. Users that inadvertently or purposefully visit these types of websites may expose the organization to legal actions from other users, violate regulatory requirements, elevate network security risks, or jeopardize current and future business operations and opportunities. This misuse is often defined in an organization's acceptable use policy for user devices and organization network resources but is often difficult to quickly identify and act upon.

+To help protect against these risks, this policy can help detect and enable risk scoring for web browsing that might be in violation of your organization's acceptable use policy, such as visiting sites that pose a threat (for example phishing sites) or contain adult content. Several types of categories are available for automatic categorization of web browsing activities by in-scope users.

+When using this policy template, you'll need several prerequisites. For more information, see [Learn about and configure insider risk management browser signal detection](/microsoft-365/compliance/insider-risk-management-browser-support).

+Departing users, whether leaving on positive or negative terms, may be higher risks for security policy violations. To help protect against inadvertent or malicious security violations for departing users, this policy template uses Defender for Endpoint alerts to provide insights into security-related activities. These activities include the user installing malware or other potentially harmful applications and disabling security features on their devices. By using either the [Microsoft HR connector](import-hr-data.md) or the option to automatically check for user account deletion in Azure Active Directory for your organization, this template starts scoring for risk indicators relating to these security activities and how they correlate with user employment status.

+Protecting against security violations for users in your organization may depend on their position, level of access to sensitive information, or risk history. Because security violations by priority users may have a significant impact on your organization's critical areas, this policy template starts scoring on these indicators, and uses Microsoft Defender for Endpoint alerts to provide insights into security-related activities for these users. These activities may include the priority users installing malware or other potentially harmful applications and disabling security features on their devices. Priority users are defined in priority user groups configured in the insider risk management settings area.

+When using this template, you must also configure a Microsoft HR connector to periodically import system signals related to performance improvement notifications, poor performance review status, or job level change information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft HR connector for your organization.

+| **Data leaks by disgruntled users** | Performance improvement, poor performance, or job level change indicators from HR connector | Microsoft HR connector configured for disgruntlement indicators |

+| **General risky browser usage** | User browsing activity related to security that matches at least one selected *Browsing indicator* | See the complete list of prerequisites in the [browser signal detection article](/microsoft-365/compliance/insider-risk-management-browser-support) |

+- **SharePoint sites**: Any activity associated with all file types in defined SharePoint sites is assigned a higher risk score. Users configuring the policy and selecting priority SharePoint sites can select SharePoint sites that they have permission to access. If SharePoint sites aren't available for selection in the policy by the current user, another user with the required permissions can select the sites for the policy later, or the current user should be given access to the required sites.

+- **Trainable classifiers**: Any activity associated with content that is included in a [trainable classifier](/microsoft-365/compliance/classifier-learn-about). Users configuring a policy that select Trainable classifiers in the policy wizard can select up to 5 trainable classifiers to apply to the policy. These classifiers can be existing classifiers that identify patterns of sensitive information like social security, credit card, or bank account numbers or custom classifiers created in your organization.

+## Sequence detection (preview)

+With privacy on by default, insider risk indicators help identify unusual levels of risk activities when evaluated daily for users that are in-scope for insider risk policies. Cumulative exfiltration detection uses machine learning models to help you identify when exfiltration activities that a user performs over a certain time exceeds the normal amount performed by users in your organization for the past 30 days over multiple exfiltration activity types. For example, if a user shared more files than most users over the past month, this activity would be detected and classified as a cumulative exfiltration activity.

+|**Notification messages**|**Policy templates**|**Causes / Try this action to fix**|

+|:|:-|:-|

+|**Policy isn't assigning risk scores to activity**| All policy templates | You may want to review your policy scope and triggering event configuration so that the policy can assign risk scores to activities <br><br> 1. Review the users that are selected for the policy. If you have few users selected, you may want to select additional users. <br> 2. If you're using an HR connector, check that your HR connector is sending the correct data. <br> 3. If you're using a DLP policy as your triggering event, check your DLP policy configuration to ensure it's configured to be used in this policy. <br> 4. For security violation policies, review the Microsoft Defender for Endpoint alert triage status selected in Insider risk settings > Intelligent detections. Confirm that the alert filter isn't too narrow.|

+|**Policy hasn't generated any alerts**| All policy templates|You may want to review your policy configuration so that you're analyzing the most relevant scoring activity. <br><br> 1. Confirm that you've selected indicators that you want to score. The more indicators selected, the more activities are assigned risk scores. <br> 2. Review threshold customization for policy. If the thresholds selected don't align with your organization's risk tolerance, adjust the selections so that alerts are created based on your preferred thresholds. <br> 3. Review the users and groups selected for the policy. Confirm you've selected all of the applicable users and groups. <br> 4. For security violation policies, confirm you've selected the alert triage status that you want to score for Microsoft Defender for Endpoint alerts in Intelligent Detections in settings.|

+|**No users or groups are included in this policy**| All policy templates | Users or groups aren't assigned to the policy. <br><br> Edit your policy and select users or groups for the policy.|

+|**No indicators have been selected for this policy**| All policy templates | Indicators haven't been selected for the policy <br><br> Edit your policy and select appropriate policy indicators for the policy.|

+|**No priority user groups are included in this policy**|- Data leaks by priority users <br> - Security policy violations by priority users|Priority user groups aren't assigned to the policy. <br><br> Configure priority user groups in Insider risk management settings and assign priority user groups to the policy.|

+|**No triggering event has been selected for this policy**| All policy templates | A triggering event isn't configured for the policy <br><br> Risk scores won't be assigned to user activities until you edit the policy and select a triggering event.|

+|**HR connector isn't configured or working as expected**|- Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users|There's an issue with the HR connector. <br><br> 1. If you're using an HR connector, check that your HR connector is sending correct data <br><br> OR <br><br> 2. Select the Azure AD account deleted triggering event.|

+|**No devices are onboarded**|- Data theft by departing users <br> - General data leaks <br> - Data leaks by disgruntled users <br> - Data Leaks by priority users|Device indicators are selected but there aren't any devices onboarded to the compliance portal <br><br> Check whether devices are onboarded and meet requirements.|

+|**HR connector hasn't uploaded data recently**|- Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users|HR connector hasn't imported data in more than 7 days. <br><br> Check that your HR connector is configured correctly and sending data.|

+|**We're unable to check the status of your HR connector right now, please check again later**|- Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users|The insider risk management solution is unable to check the status of your HR connector. <br><br> Check that your HR connector is configured correctly and sending data, or come back and check the policy status.|

+|**DLP policy isn't selected as the triggering event**|- General Data leaks <br> - Data leaks by priority users|A DLP policy hasn't been selected as a triggering event or the selected DLP policy has been deleted. <br><br> Edit the policy and either select an active DLP policy or 'User performs an exfiltration activity' as the triggering event in the policy configuration.|

+|**DLP policy used in this policy is turned off** |- General Data leaks <br> - Data leaks by priority users|DLP policy used in this policy is turned off. <br><br> 1. Turn the DLP policy assigned to this policy on. <br><br> OR <br><br> 2. Edit this policy and either select a new DLP policy or 'User performs an exfiltration activity' as the triggering event in the policy configuration.|

+|**DLP policy doesn't meet requirements**|- General Data leaks <br> - Data leaks by priority users|DLP policies used as triggering events must be configured to generate high severity alerts. <br><br> 1. Edit your DLP policy to assign applicable alerts as *High severity*. <br><br> OR <br><br> 2. Edit this policy and select *User performs an exfiltration activity* as the triggering event.|

+|**Your organization doesn't have a Microsoft Defender for Endpoint subscription**|- General security policy violations <br> - Security policy violations by departing users <br> - Security policy violations by disgruntled users <br> - Security policy violations by priority users|An active Microsoft Defender for Endpoint subscription wasn't detected for your organization. <br><br> Until a Microsoft Defender for Endpoint subscription is added, these policies won't assign risk scores to user activity.|

+|**Microsoft Defender for Endpoint alerts aren't being shared with the compliance portal**|- General security policy violations <br> - Security policy violations by departing users <br> - Security policy violations by disgruntled users <br> - Security policy violations by priority users|Microsoft Defender for Endpoint alerts aren't being shared with the compliance portal. <br><br> Configure sharing of Microsoft Defender for Endpoint alerts.|

+|**You're approaching the maximum limit of users being actively scored for this policy template**|All policy templates|Each policy template has a maximum number of in-scope users. See the template limit section details. <br><br> Review the users in the Users tab and remove any users who don't need to be scored anymore.|

+|**Triggering event is repeatedly occurring for over 15% of users in this policy**|All policy templates|Adjust the triggering event to help reduce how often users are brought into the policy scope.|

+|**Policy template**|**Current in-scope user maximum**|

+|:|:--|

+|General risky browser usage|7,000|

+To create a new insider risk management policy, you'll generally use the policy wizard in **Insider risk management** solution in the Microsoft Purview compliance portal. You can also create quick policies for general data leaks and data theft by departing users from Analytics scans if applicable.

+Complete the following steps to create a new policy using the policy wizard:

+ > Some policy templates have prerequisites that must be configured for the policy to generate relevant alerts. If you haven't configured the applicable policy prerequisites, see **Step 4** in the [Get started with insider risk management](/microsoft-365/compliance/insider-risk-management-configure).

+ If you've selected the *General risky browser usage* policy template, select one or more of the **Browsing indicators**.

+ - **Policy template**: The template used to define the types of risk indicators checked by the policy.

+7. On the **Users and groups** page, select **Include all users and groups** or **Include specific users and groups** to define which users or groups are included in the policy, or if you've chosen a priority users-based template; select **Add or edit priority user groups**. Selecting **Include all users and groups** will look for triggering security and compliance related events for all users and groups in your organization to start assigning risk scores for the policy. Selecting **Include specific users and groups** allows you to define which users and groups to assign to the policy. Guest user accounts aren't supported.

+## Immediately start scoring security-related user activity

+### Microsoft Defender for Endpoint alert statuses (preview)

+### File path exclusions

+By defining file paths to exclude, user activities that map to specific indicators and that occur in these file path locations won't generate policy alerts. Some examples are copying or moving files to a system folder or network share path. You can enter up to 500 file paths for exclusion.

+To add file paths to exclude, complete the following steps:

+1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.

+2. In the **File path exclusion** section, select **Add file paths to exclude**.

+3. On the **Add a file path** pane, enter an exact network share or device path to exclude from risk scoring. You can also use * and *([0-9]) to denote specific folders and sub-folders to be excluded.

+4. Select **Add file paths** to exclude to configure the file path exclusions or **Close** to discard the changes.

+To delete a file path exclusion, select the file path exclusion and select **Delete**.

+### Default file path exclusions

+By default, several file paths are automatically excluded from generating policy alerts. Activities in these file paths are typically benign and could potentially increase the volume of non-actionable alerts. If needed, you can cancel the selection for these default file path exclusions to enable risk scoring for activities in these locations.

+The default file path exclusions are:

+- \Users\\\*\AppData

+- \Users\\\*\AppData\Local

+- \Users\\\*\AppData\Local\Roaming

+- \Users\\\*\AppData\Local\Local\Temp

+The wildcards in these paths denote that all folder levels between the \Users and \AppData are included in the exclusion. For example, activities in *C:\Users\Test1\AppData\Local* and *C:\Users\Test2\AppData\Local*, *C:\Users\Test3\AppData\Local* (and so on) would all be included and not scored for risk as part of the *\Users\\\*\AppData\Local* exclusion selection.

+### Site URL exclusions

+Configure site URL exclusions to prevent potential risk activities that occur in SharePoint (and SharePoint sites associated with Team channel sites) from generating policy alerts. You might want to consider excluding sites and channels that contain non-sensitive files and data that can be shared with stakeholders or the public. You can enter up to 500 site URL paths to exclude.

+To add site URL paths to exclude, complete the following steps:

+1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.

+2. In the **Site URL exclusion** section, select **Add or edit SharePoint sites**.

+3. On the **Add or edit SharePoint sites** pane, enter or search for the SharePoint site to exclude from risk scoring. You'll only see SharePoint sites that you have permission to access.

+4. Select **Add** to configure the site URL exclusions or **Cancel** to discard the changes.

+To edit site URL paths to exclude, complete the following steps:

+1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.

+2. In the **Site URL exclusion** section, select **Add or edit SharePoint sites**.

+3. On the **Add or edit SharePoint sites** pane, enter or search for the SharePoint site to exclude from risk scoring. You'll only see SharePoint sites that you have permission to access.

+4. Select **Edit** to configure the site URL exclusions or **Cancel** to discard the changes.

+To delete a Site URL exclusion, select the site URL exclusion and select **Delete**.

+### Keyword exclusions

+Configure exclusions for keywords that appear in file names, file paths, or email message subject lines. This allows flexibility for organizations that need to reduce potential alert noise due to flagging of benign terms specified for your organization. Such activities related to files or email subjects containing the keyword will be ignored by your insider risk management policies and won't generate alerts. You can enter up to 500 keywords to exclude.

+Use the **Exclude only if it does not contain** field to define specific groupings of terms to ignore for exclusion, For example, if you want to exclude the keyword 'training,' but not exclude 'compliance training,' you would enter 'compliance' (or 'compliance training') in the **Exclude only if it does not contain** field and 'training' in the **But does contain** field.

+If you just want to exclude specific standalone terms, enter the terms in the **But does contain field** only.

+To add standalone keywords to exclude, complete the following steps:

+1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.

+2. In the **Keyword exclusion** section, enter the standalone keywords in the **But does contain** field.

+3. Select **Save** to configure the keyword exclusions.

+To delete a standalone keyword to exclude, complete the following steps:

+1. In the compliance portal, navigate to **Insider risk management** > **Settings** > **Intelligent detections**.

+2. In the **Keyword exclusion** section, select the *X* for the specific standalone keyword in the **But does contain** field. Repeat as needed to remove multiple keywords.

+3. Select **Save** to delete the keyword exclusions.

+### Intentional or unintentional security policy violations (preview)

+### Policies for users based on position, access level, or risk history (preview)

+### Healthcare (preview)

+### Actions and behaviors by disgruntled users (preview)

+### Risky browser usage that could result in a security incident (preview)

+Most organizations provide users with rules and guidelines that clarify how an organization's devices and internet access should be used. These policies help protect both the organization and users from security and regulatory risks. To help identity these types of risky actions, the following insider risk management policy template can help detect and enable risk scoring for web browsing behaviors that might result in a data security incident, such as visiting sites that provide malware or hacking tools.

+- [General risky browser usage (preview)](insider-risk-management-policies.md#general-risky-browser-usage-preview)

+In a PowerShell session, you must [connect to Security & Compliance PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell) to configure the settings for the default sharing link type.

+ - **SpecificPeople**: Sets the default sharing link to specific people (only the people the user specifies)

+ - **Organization**: Sets the default sharing link for only people in your organization

+ - **Anyone**: Sets the default sharing link to anyone with the link, which is equivalent to anonymous access

+ - **View**: Sets the default link permission to view permissions

+ - **Edit**: Sets the default link permission to edit permissions

+Another configuration for the default sharing link type is to use the **DefaultShareLinkToExistingAccess** advanced setting, which is the equivalent of the parameter *DefaultLinkToExistingAccess* from the [Set-SPOSite](/powershell/module/sharepoint-online/set-sposite) cmdlet. When you set this value to **True**, it overrides the other two advanced settings and their values.

+- To set the default sharing link type to people with existing access:

+

+ ````powershell

+ Set-Label -Identity 8faca7b8-8d20-48a3-8ea2-0f96310a848e -AdvancedSettings @{DefaultShareLinkToExistingAccess="True"}

+ ````

+- [Understand tenant isolation](/compliance/assurance/assurance-microsoft-365-isolation-controls#tenant-isolation)

+Although having a single tenant for your organization is ideal, you may be one of many organizations that have multiple tenants. Reasons can include mergers and acquisitions, you want administrative isolation, or you have a decentralized IT.

+Start your tenant planning with [Subscriptions, licenses, accounts, and tenants](subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings.md).

+## Week of September 05, 2022

+| Published On |Topic title | Change |

+|||--|

+| 9/6/2022 | [About the Microsoft Purview Compliance Manager premium assessment trial](/microsoft-365/compliance/compliance-easy-trials-compliance-manager-assessments?view=o365-worldwide) | modified |

+| 9/6/2022 | [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports?view=o365-worldwide) | modified |

+| 9/6/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide) | modified |

+| 9/6/2022 | [Configure the delivery of third-party phishing simulations to users and unfiltered messages to SecOps mailboxes](/microsoft-365/security/office-365-security/configure-advanced-delivery?view=o365-worldwide) | modified |

+| 9/6/2022 | [Microsoft recommendations for EOP and Defender for Office 365 security settings](/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365?view=o365-worldwide) | modified |

+| 9/6/2022 | [Choose your scenarios for Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-choose-scenarios?view=o365-worldwide) | modified |

+| 9/6/2022 | [Start with a pilot deployment of Microsoft 365 for frontline workers](/microsoft-365/frontline/flw-pilot?view=o365-worldwide) | modified |

+| 9/6/2022 | [Microsoft 365 for frontline workers - scenario posters](/microsoft-365/frontline/flw-scenario-posters?view=o365-worldwide) | added |

+| 9/6/2022 | [Frontline team collaboration](/microsoft-365/frontline/flw-team-collaboration?view=o365-worldwide) | modified |

+| 9/6/2022 | [Message delegation](/microsoft-365/frontline/hc-delegates?view=o365-worldwide) | modified |

+| 9/6/2022 | [Microsoft 365 for retail organizations](/microsoft-365/frontline/teams-for-retail-landing-page?view=o365-worldwide) | modified |

+| 9/6/2022 | [Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc?view=o365-worldwide) | modified |

+| 9/6/2022 | [Attack surface reduction rules reporting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report?view=o365-worldwide) | added |

+| 9/6/2022 | [What's new in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint?view=o365-worldwide) | modified |

+| 9/6/2022 | [Anti-malware protection](/microsoft-365/security/office-365-security/anti-malware-protection?view=o365-worldwide) | modified |

+| 9/6/2022 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified |

+| 9/6/2022 | [Safe Attachments](/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide) | modified |

+| 9/6/2022 | [Complete Safe Links overview for Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide) | modified |

+| 9/6/2022 | [Microsoft 365 productivity illustrations](/microsoft-365/solutions/productivity-illustrations?view=o365-worldwide) | modified |

+| 9/8/2022 | [Bookings with me](/microsoft-365/bookings/bookings-in-outlook?view=o365-worldwide) | modified |

+| 9/8/2022 | [Attack surface reduction (ASR) rules reporting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report?view=o365-worldwide) | modified |

+| 9/8/2022 | [Enable Microsoft 365 support integration for ServiceNow Virtual Agent](/microsoft-365/admin/manage/servicenow-support-integration?view=o365-worldwide) | added |

+| 9/8/2022 | [Enable archive mailboxes for Microsoft 365](/microsoft-365/compliance/enable-archive-mailboxes?view=o365-worldwide) | modified |

+| 9/8/2022 | [Manage Microsoft Defender Antivirus updates and apply baselines](/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus?view=o365-worldwide) | modified |

+| 9/9/2022 | [Microsoft 365 admin center activity reports](/microsoft-365/admin/activity-reports/activity-reports?view=o365-worldwide) | modified |

+| 9/9/2022 | [Top 20 most-viewed admin help articles this month # < 60 chars](/microsoft-365/admin/top-m365-admin-articles?view=o365-worldwide) | modified |

+| 9/9/2022 | [Manage sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-worldwide) | modified |

+| 9/9/2022 | [Manage submissions](/microsoft-365/security/office-365-security/admin-submission?view=o365-worldwide) | modified |

+| 9/9/2022 | [Sign up for Microsoft 365 Business Basic](/microsoft-365/admin/setup/signup-business-basic?view=o365-worldwide) | added |

+| 9/9/2022 | [Set up Microsoft 365 Business Basic](/microsoft-365/admin/setup/setup-business-basic?view=o365-worldwide) | modified |

+| 9/9/2022 | [Accept an email invitation to a Microsoft 365 for business subscription (User)](/microsoft-365/admin/simplified-signup/user-invite-business-standard?view=o365-worldwide) | modified |

+| 9/9/2022 | [Accept an email invitation to a Microsoft 365 for business subscription organization using an Outlook, Yahoo, Gmail or other account (User)](/microsoft-365/admin/simplified-signup/user-invite-msa-nodomain-join?view=o365-worldwide) | modified |

+| 9/9/2022 | About the Microsoft Defender for Office 365 trial | removed |

+| 9/9/2022 | [Allow or block emails using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-email-spoof?view=o365-worldwide) | modified |

+| 9/9/2022 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-files?view=o365-worldwide) | modified |

+| 9/9/2022 | [Allow or block URLs using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/allow-block-urls?view=o365-worldwide) | modified |

+| 9/9/2022 | [Try and evaluate Defender for Office 365](/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365?view=o365-worldwide) | modified |

+|Qatar |QAT |(eDiscovery data location coming soon)|

+ - In Settings page, under the General Configuration Settings, add **WebProtection** as the key and value as **false**.

+ - However, for Unsupervised devices, the control will be displayed under the **Settings > Privacy**

+Microsoft Defender for Endpoint on iOS enables **Optional Permissions** in the onboarding flow. Currently the permissions required by Defender for Endpoint are mandatory in the onboarding flow. With this feature, admins can deploy Defender for Endpoint on BYOD devices without enforcing the mandatory **VPN Permission** during onboarding. End users can onboard the app without the mandatory permissions and can later review these permissions. This feature is currently present only for enrolled devices (MDM).

+>**Optional Permission** is different from **Disable Web Protection**. Optional VPN Permission only helps to skip the permission during onboarding but its available for the end user to later review and enable it. While **Disable Web Protection** allows users to onboard the Defender for Endpoint app without the Web Protection. It cannot be enabled later.

+1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Compliance policies** > **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**.

+## Configure vulnerability assessment of apps

+>[!Note]

+>Vulnerability Assessment of apps on Microsoft Defender for Endpoint for iOS is now in public preview. The following information relates to the prerelease of the product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. If you are interested to participate in the preview, please share your Tenant name and id with us on **mdatpmobile@microsoft.com**.

+Defender for Endpoint on iOS supports vulnerability assessments of apps only for enrolled (MDM) devices.

+Admins can use the following steps to configure the vulnerability assessment of apps.

+### On a Supervised Device

+1. Ensure the device is configured in the [Supervised mode](ios-install.md#complete-deployment-for-supervised-devices).

+1. To enable the feature in [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint Security** > **Microsoft Defender for Endpoint** > **Enable App sync for iOS/iPadOS devices**.

+ :::image type="content" source="images/tvm-app-sync-toggle.png" alt-text="App sync toggleSup" lightbox="images/tvm-app-sync-toggle.png":::

+### On an Unsupervised Device

+1. To enable the feature in [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint Security** > **Microsoft Defender for Endpoint** > **Enable App sync for iOS/iPadOS devices**.

+ :::image type="content" source="images/tvm-app-sync-toggle.png" alt-text="App sync toggle" lightbox="images/tvm-app-sync-toggle.png":::

+1. To get the list of all the apps including un-managed apps, Enable the toggle **Send full application inventory data on personally owned iOS/iPad OS Devices**.

+ :::image type="content" source="images/tvm-full-app-data.png" alt-text="Full App Data" lightbox="images/tvm-full-app-data.png":::

+1. Use the following steps to configure the privacy setting.

+ - Go to **Apps** > **App configuration policies** > **Add** > **Managed devices**.

+ - Give the policy a name, **Platform** > **iOS/iPadOS**.

+ - Select **Microsoft Defender for Endpoint** as the target app.

+ - In Settings page, select Use configuration designer and add **DefenderTVMPrivacyMode** as the key and value type as **String**

+ - To disable privacy and collect the list of apps installed, enter value as `False` and assign this policy to users.

+ - By default, this value is set to `True` for unsupervised devices.

+ - For users with key set as `False`, Defender for Endpoint will send the list of apps installed on the device for vulnerability assessment.

+ - Click **Next** and assign this profile to targeted devices/users.

+ - Turning the above privacy controls on or off will not impact the device compliance check or conditional access.

+1. Once the config is applied, end-user will need to open the app to **Approve** the privacy setting.

+ - Privacy approval screen will come only for unsupervised devices.

+ - Only if end-user approves the privacy, the app information will be sent to the Defender for Endpoint console.

+ :::image type="content" source="images/tvm-user-privacy.png" alt-text="TVM Privacy" lightbox="images/tvm-user-privacy.png":::

+Once the client versions are deployed to target iOS devices, the processing will start. Vulnerabilities found on those devices will start showing up in the Defender Vulnerability Management dashboard. The processing might take few hours (max 24 hours) to complete. Especially for the entire list of apps to show up in the software inventory.

+1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** > **iOS/iPadOS** > **Add** > **iOS store app** and click **Select**.

+ :::image type="content" source="images/ios-deploy-2.png" alt-text="The Add group tab in the Microsoft Endpoint Manager Admin Center" lightbox="images/ios-deploy-2.png":::

+Admins can use the following steps to configure supervised devices.

+Configure the supervised mode for Defender for Endpoint app through an App configuration policy and Device configuration profile.

+#### App configuration policy

+ - Configuration Key: `issupervised`

+ - Configuration Value: `issupervised`

+#### Device configuration profile

+ > [!NOTE]

+ > For devices that run iOS/iPadOS (in Supervised Mode), there is custom **.mobileconfig** profile, called the **ControlFilter** profile available. This profile enables Web Protection **without setting up the local loopback VPN on the device**. This gives end-users a seamless experience while still being protected from phishing and other web-based attacks.

+ Deploy a custom profile on supervised iOS devices. This is for enhanced Anti-phishing capabilities. Follow the steps below:

+1. Download the config profile from [https://aka.ms/mdeiosprofilesupervised](https://aka.ms/mdeiosprofilesupervised)

+1. Navigate to **Devices** > **iOS/iPadOS** > **Configuration profiles** > **Create Profile**

+1. Select **Profile Type** > **Templates** and **Template name** > **Custom**

+1. Provide a name of the profile. When prompted to import a Configuration profile file, select the one downloaded from the previous step.

+1. In the **Assignment** section, select the device group to which you want to apply this profile. As a best practice, this should be applied to all managed iOS devices. Select **Next**.

+1. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.

+>For supervised devices, a VPN is not needed for Web Protection capability and requires admins to set up a configuration profile on supervised devices. To configure for supervised devices, follow the steps in the [Complete deployment for supervised devices](#complete-deployment-for-supervised-devices) section.

+Admins can configure auto-setup of VPN profile. This will automatically set up the Defender for Endpoint VPN profile without having the user to do so while onboarding.

+1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** > **Configuration Profiles** > **Create Profile**.

+Admins can configure Microsoft Defender for Endpoint to deploy and activate silently. In this flow, the administrator creates a deployment profile and the user is simply notified of the installation. Defender for Endpoint is automatically installed without the need for the user to open the app. Follow the steps below to set up zero-touch or silent deployment of Defender for Endpoint on enrolled iOS devices:

+ - To mandate that VPN can't be disabled in users device, Admins can select **Yes** from **Block users from disabling automatic VPN**. By default, it's not configured and users can disable VPN only in the Settings.

+ - To allow Users to Change the VPN toggle from within the app, add **EnableVPNToggleInApp = TRUE**, in the key-value pairs. By default, users can't the change the toggle from within the app.

+ > For supervised devices, although a VPN profile is not required, admins still can set up Zero-touch onboarding by configuring the Defender for Endpoint VPN profile through Intune. The VPN profile will be deployed on the device but will only be present on the device as a pass-through profile and can be deleted after initial onboarding.

+ - Configuration Key: `issupervised`

+ - Configuration Value: `issupervised`

+ Select **Next**.

+|Unified alerting|Alerts from all platforms in the unified M365 security console.|

+|Conditional Access, Conditional launch|Blocking risky devices from accessing corporate resources. Defender for Endpoint risk signals can also be added to app protection policies (MAM).|

+|Privacy Controls|Configure privacy in the threat reports by controlling the data sent by Microsoft Defender for Endpoint. Privacy controls are available for admin and end users. It's there for enrolled and unenrolled devices as well.|

+|Unmanaged BYOD OR devices managed by other Unified Endpoint Managers / Set up app protection policy (MAM)|[Configure Defender risk signals in app protection policy (MAM)](android-configure-mam.md)|

+|Unmanaged BYOD OR devices managed by other UEMs / Set up app protection policy (MAM)|[Configure Defender risk signals in app protection policy (MAM)](ios-install-unmanaged.md)|

+You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it in the [PowerShell documentation](/powershell/scripting/overview).

+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](/configmgr), [Group Policy Management Console](use-group-policy-microsoft-defender-antivirus.md), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/101445).

+- m365-security-compliance

+- [Troubleshooting mode](enable-troubleshooting-mode.md) is now available for Windows Server 2012 R2 and 2016 machines running the modern, unified solution. During troubleshooting mode, use `Set-MPPreference -DisableTamperProtection $true` to temporarily disable tamper protection on your device and make your necessary configuration changes. Before you use troubleshooting mode, make sure all of the following components are up to date:

+ - Sense version 10.8049.22439.1084 (KB5005292) or later

+ - Microsoft Defender Antivirus - Platform: 4.18.2207.7 (KB4052623) or later

+ - Microsoft Defender Antivirus - Engine: 1.1.19500.2 (KB2267602) or later

+ - **URL**: Enter the full URL (for example, `https://www.fabrikam.com/marketing.html`), and then select it in the box that appears. You can also provide a top level domain (for example, `https://www.fabrikam.com/*`), and then select it in the box that appears.