Updates from: 09/15/2022 03:23:37
Category Microsoft Docs article Related commit history on GitHub Change details
threat-intelligence Data Sets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/data-sets.md
Microsoft centralizes numerous data sets into a single platform, Microsoft Defen
Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversariesΓÇÖ infrastructure associated with actor groups targeting their organization. Microsoft collects internet data via itsΓÇÖ PDNS sensor network, global proxy network of virtual users, port scans, and leverages third-party sources for malware and added Domain Name System (DNS) data.
-This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, Whois, SSL Certificates, Subdomains, Hashes, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details.
+This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, Whois, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details.
![Data Sets Edge Screenshot](media/dataSetsEdgeScreenshot.png)
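Review bot: the unchanged sentence directly above the edited paragraph still says Microsoft "leverages third-party sources for malware and added Domain Name System (DNS) data", while this change drops Hashes from the traditional data sets list. If hash data is no longer surfaced, reword or remove the "for malware" clause so the collection description matches the data sets that remain. The same sentence also writes the possessive "its" with a trailing apostrophe, which is worth correcting while this paragraph is open.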
Our host pair data includes the following:
- What type of redirection is taking place?
-## Hashes
-
-Microsoft partners with Proofpoint to surface MD5 [malware](/microsoft-365/security/intelligence/malware-naming) hashes associated with the domain, host, or IP address a user search. Users are encouraged to purchase an Emerging Threats license by Proofpoint if they wish to analyze MD5 hash details. This data helps users understand actor capabilities, intent, and motives of an attacker while also aiding in connecting infrastructure together. Each result contains a unique hash.
-
-Our hash data includes the following:
--- **Source:** the source used to detect the hash.-- **Sample:** the unique identification code for the detected hash.-- **Collection Date:** the day that the hash sample was collected by the designated source.-
-![Data Tab Hashes](media/dataTabHashes.png)
-
-**Questions this data set may help answer:**
--- Does the domain connect to malware-
- ![Data Sets Hashes](media/dataSetsHashes.png)
--- Does this IP address have malware associated with it?
- ![Data Sets IP Hashes](media/dataSetsIPHashes.png)
--- Are the hashes collected associated with malware?--- How recently was this suspicious activity observed?--- Which vendors/ sources have observed malicious binaries?--- Has the IP or domain queried served as a command-and-control server for malware?--- Can evaluating the file associated with the hash for a given query lead me to other indicators for threat hunting purposes?- ## Cookies Cookies are small pieces of data sent from a server to a client as the user browses the internet. These values sometimes contain a state for the application or little bits of tracking data. Defender TI highlights and indexes cookie names observed when crawling a website and allows users to dig into everywhere we have observed specific cookie names across its crawling and data collection. Cookies are also used by malicious actors to keep track of infected victims or store data to be used later.
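Review bot: the removed Hashes section embedded media/dataTabHashes.png, media/dataSetsHashes.png and media/dataSetsIPHashes.png, and nothing in the visible change deletes those files. If no other article references them, remove the images in the same commit so the media folder does not keep orphaned screenshots of a retired feature.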
threat-intelligence Gathering Vulnerability Intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/gathering-vulnerability-intelligence.md
As the disclaimer states above, suspicious, and malicious indicators have been d
![Tutorial Vulnerability Intel Ip Search](media/tutorialVulnerabilityIntelIpSearch.png)
-5. Review the Summary tab results that return: reputation, analyst insights, articles, services, resolutions, certificates, projects, and hashes.
+5. Review the Summary tab results that return: reputation, analyst insights, articles, services, resolutions, certificates, and projects.
![Tutorial Vulnerability Intel Ip Summary Tab](media/tutorialVulnerabilityIntelIpSummaryTab.png)
As the disclaimer states above, suspicious, and malicious indicators have been d
![Tutorial Vulnerability Intel Domain Pivot](media/tutorialVulnerabilityIntelDomainPivot.png)
-8. Navigate to the Data tab and review the resolutions, Whois, certificates, subdomains, trackers, components, hashes, cookies, DNS, and reverse DNS data sets.
+8. Navigate to the Data tab and review the resolutions, Whois, certificates, subdomains, trackers, components, cookies, DNS, and reverse DNS data sets.
![Tutorial Vulnerability Intel Domain Review](media/tutorialVulnerabilityIntelDomainReview.gif)
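Review bot: step 8 no longer lists hashes, but the tutorialVulnerabilityIntelDomainReview.gif that follows it is unchanged. If the recording was captured while the Data tab still offered a Hashes data set, the step text and the walkthrough now disagree; recapture it or confirm it shows only the data sets named in the new wording. The same check applies to tutorialVulnerabilityIntelIpSummaryTab.png after step 5.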
threat-intelligence Searching And Pivoting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/searching-and-pivoting.md
For more information, see [Using projects](using-projects.md).
![Summary Tab Projects](media/summaryTabProjects.png)
-### Hashes
-
-Microsoft partners with several commercial and open-source repositories of malware data to pair it with queried infrastructure to populate the Hash data set. Malware repositories today include ProofpointΓÇÖs Emerging Threats, Hybrid Analysis, and VirusTotal. This data helps users understand actor capabilities, intent, and motives of an attacker while also aiding in connecting infrastructure together. Each result contains a unique hash. Our hash data includes the detection source, sample, and collection date.
-
-![Summary Tab Hashes](media/summaryTabHashes.png)
## Data tab
The following datasets are available in Defender TI:
- Subdomains - Components - Host Pairs-- Hashes - Cookies - Services - DNS
Our host pair data includes the following:
![Data Tab Host Pairs](media/dataTabHostPairs.png)
-### Hashes
-
-Microsoft partners with several commercial and open-source repositories of malware data to pair it with queried infrastructure to populate the Hash data set. Malware repositories today include ProofpointΓÇÖs Emerging Threats, Hybrid Analysis, and VirusTotal. This data helps users understand actor capabilities, intent, and motives of an attacker while also aiding in connecting infrastructure together. Each result contains a unique hash.
-
-Our hash data includes the following:
-
-1. **Source:** the source used to detect the hash.
-2. **Sample:** the unique identification code for the detected hash.
-3. **Collection Date:** the day that the hash sample was collected by the designated source.
-
-![Data Tab Hashes](media/dataTabHashes.png)
### Cookies
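Review bot: both "### Hashes" headings are removed here, one under the Summary tab content and one under the Data tab, so any link that targets the hashes heading anchor on this page will now resolve to the top of the article instead of a section. Search the repository for inbound links to that anchor and update or drop them in the same change.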
threat-intelligence Sorting Filtering And Downloading Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/sorting-filtering-and-downloading-data.md
In this how-to article, youΓÇÖll learn how to sort and filter data for the follo
- Trackers - Components - Host Pairs-- Hashes - Cookies - Services - DNS
The following headers are exported as a result of downloading Host Pairs data:
| **attributeCause** | The cause of the relationship between the parent and child hostname | | **Tags** | Custom or system tags associated with the artifact |
-The following headers are exported as a result of downloading Hashes data:
-
-|   |   |
-|--|-|
-| **source** | The source who observed the MD5 hash sample |
-| **sample** | The MD5 hash |
-| **collection date** | The collection date captured by the source |
The following headers are exported as a result of downloading Cookies data:
The following headers are exported as a result of downloading threat intelligenc
|   |   | |-|-|
-| **type** | Type of indicator (e.g. ip, certificate, domain, hash_sha256) |
+| **type** | Type of indicator (e.g. ip, certificate, domain, _sha256) |
| **value** | Value of the indicator (e.g. IP address, domain, hostname) | | **source** | Source of indicator (RiskIQ or OSINT) |
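Review bot: on the **type** row, `hash_sha256` became `_sha256`, which reads like a side effect of stripping the word "hash" across these articles rather than an intended edit. This row documents the values found in the exported indicator file, so the example has to stay the literal type string the export produces. Restore `hash_sha256` unless the export format itself changed, and if it did, use the new literal value.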
threat-intelligence What Is Microsoft Defender Threat Intelligence Defender Ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti.md
The description section of the article detail screen contains information about
## Public indicators
-The public indicators section of the screen shows the previously published indicators related to the article. The links in the public indicators take one to the underlying Defender TI data or relevant external sources (e.g., VirusTotal for hashes).
+The public indicators section of the screen shows the previously published indicators related to the article. The links in the public indicators take one to the underlying Defender TI data or relevant external sources.
![TI Overview Article Public Indicators](media/tiOverviewArticlePublicIndicators.png)
Microsoft centralizes numerous data sets into a single platform, Defender TI, ma
Microsoft collects, analyzes, and indexes internet data to assist users in detecting and responding to threats, prioritizing incidents, and proactively identifying adversariesΓÇÖ infrastructure associated with actor groups targeting their organization. Microsoft collects internet data via itsΓÇÖ PDNS sensor network, global proxy network of virtual users, port scans, and leverages third-party sources for malware and added Domain Name System (DNS) data.
-This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, WHOIS, SSL Certificates, Subdomains, Hashes, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific artifact type or time in history.
+This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, WHOIS, SSL Certificates, Subdomains, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific artifact type or time in history.
For more information, see:
admin M365 Katakana Glossary https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/m365-katakana-glossary.md
+
+ Title: "Microsoft 365 admin center katakana glossary"
+f1.keywords: NOCSH
++++
+audience: Admin
++
+ms.localizationpriority: medium
+
+- Adm_O365
+
+description: "Learn how to view the Japanese katakana glossary for the Microsoft 365 admin center."
Last updated : 09/14/2022+
+<!-- DO NOT MAKE CHANGES TO THIS ARTICLE WITHOUT FIRST CONTACTING THE MS.REVIEWER -->
+
+# Microsoft 365 admin center katakana glossary
+
+This is a Japanese language-specific article, and isn't available in your language. To view the Japanese article, see [Microsoft 365 admin center katakana glossary](https://go.microsoft.com/fwlink/p/?linkid=2208404).
+
+<!--
+These images are included for the ja-jp article only
+
+-->
admin Secure Your Business Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/secure-your-business-data.md
Title: Top 10 ways to secure your data - Best practices for small and medium-sized businesses
+ Title: Top 10 ways to secure your business
f1.keywords: - CSH
audience: Admin
ms.localizationpriority: medium Previously updated : 08/24/2022 Last updated : 09/14/2022 - highpri - Adm_O365
search.appverid:
- BCS160 - MET150 - MOE150
-description: "Learn the top 10 ways to protect your business, including ransomware, phishing, and malicious attachments."
+description: "Best practices to protect your business from ransomware, phishing, and malicious URLs or attachments."
-# Top 10 ways to secure your data - Best practices for small and medium-sized businesses
+# Top 10 ways to secure your business - Best practices to follow
**Applies to**
description: "Learn the top 10 ways to protect your business, including ransomwa
- Microsoft 365 Business Standard - Microsoft 365 Business Premium
-Microsoft 365 for business plans include security capabilities, such as antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes more capabilities, such as device management, advanced threat protection, and information protection. This article describes steps you can take to secure your business data, and [compares capabilities across Microsoft 365 for business plans](#comparing-microsoft-365-for-business-plans).
+> [!NOTE]
+> This article is designed for small and medium-sized businesses with up to 300 users. If you're an enterprise organization, see [Deploy ransomware protection for your Microsoft 365 tenant](../../solutions/ransomware-protection-microsoft-365.md).
+
+Microsoft 365 for business plans include security capabilities, such as antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes even more capabilities, such as device security, advanced threat protection, and information protection. This article describes how to secure your business, and [compares capabilities across Microsoft 365 for business plans](#comparing-microsoft-365-for-business-plans).
:::image type="content" source="../../media/top-10-ways-secure-data.png" alt-text="Diagram listing top 10 ways to secure business data.":::
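Review bot: the rewritten intro now describes Business Premium as adding "device security", while the paragraph under "Comparing Microsoft 365 for business plans" further down still says "device management" for the same plan. Pick one term and use it in both places, so readers do not assume these are two different capabilities.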
Microsoft 365 for business plans include security capabilities, such as antiphis
## Comparing Microsoft 365 for business plans
-Microsoft 365 for business plans include Microsoft Exchange, Microsoft Teams, SharePoint, and OneDrive for secure email, collaboration, and file storage. These plans also include antiphishing, antimalware, and antispam protection. With Microsoft 365 Business Premium, you get more capabilities, such as device management, advanced threat protection, and information protection.
+Microsoft 365 for business plans include Microsoft Exchange, Microsoft Teams, SharePoint, and OneDrive for secure email, collaboration, and file storage. These plans also include baseline antiphishing, antimalware, and antispam protection. With Microsoft 365 Business Premium, you get more capabilities, such as device management, advanced threat protection, and information protection.
The following table compares capabilities in Microsoft 365 for business plans.
The following table compares capabilities in Microsoft 365 for business plans.
(<a id="fn1">1</a>) Microsoft Publisher and Microsoft Access run on Windows laptops and desktops only.
-(<a id="fn2">2</a>) Microsoft Intune is included with certain Microsoft 365 plans. Basic Mobility and Security capabilities are part of the Microsoft 365 Business Basic and Standard. [Choose between Basic Mobility and Security or Intune](../basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md).
+(<a id="fn2">2</a>) Microsoft Intune is included with certain Microsoft 365 plans, such as Microsoft 365 Business Premium. Basic Mobility and Security capabilities are included in Microsoft 365 Business Basic and Standard. [Choose between Basic Mobility and Security or Intune](../basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md).
-(<a id="fn3">3</a>) Defender for Business is included in Microsoft 365 Business Premium. It can also be purchased as an add-on for Microsoft 365 Business Basic or Microsoft 365 Business Standard. See [Get Defender for Business](/microsoft-365/security/defender-business/get-defender-business).
+(<a id="fn3">3</a>) Defender for Business is included in Microsoft 365 Business Premium. Defender for Business can also be added on to Microsoft 365 Business Basic or Standard. See [Get Defender for Business](/microsoft-365/security/defender-business/get-defender-business).
-(<a id="fn4">4</a>) Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium. It can also be purchased as an add-on for Microsoft 365 Business Basic or Microsoft 365 Business Standard. See [Defender for Office 365 Plan 1 and Plan 2](../../security/office-365-security/overview.md#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet).
+(<a id="fn4">4</a>) Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium. Defender for Office 365 Plan 1 can also be added on to Microsoft 365 Business Basic or Standard. See [Defender for Office 365 Plan 1 and Plan 2](../../security/office-365-security/overview.md#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet).
> [!TIP] > For more information about what each plan includes, see [Reimagine productivity with Microsoft 365 and Microsoft Teams](https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products-b?ef_id=8c2a86ec9ea514a008c6e419e036519c:G:s&OCID=AIDcmmwf9kwzdj_SEM_8c2a86ec9ea514a008c6e419e036519c:G:s&lnkd=Bing_O365SMB_Brand&msclkid=8c2a86ec9ea514a008c6e419e036519c).
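Review bot: the TIP link in the unchanged line below the edited footnotes carries ad-campaign query parameters (ef_id, OCID, lnkd, msclkid). Since this block is being touched anyway, trim the link to the bare product comparison URL so the published article does not attribute every reader click to a Bing campaign.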
business-premium Create And Edit Autopilot Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/create-and-edit-autopilot-profiles.md
- Title: "Create and edit Autopilot profiles"-- NOCSH--------- Adm_O365-- M365-subscription-management -- M365-identity-device-management-- Adm_TOC--- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150-- MOE150
-description: "Learn to create an Autopilot profile and apply it to a device, and edit or delete a profile or remove a profile from a device."
--
-# Create and edit Autopilot profiles
-
-You can apply a [Windows Autopilot deployment profile](/mem/autopilot/profiles) to devices that are in a [device group](m365bp-device-groups-mdb.md). Deployment profiles determine the Windows deployment and enrollment experience that users will have.
-
-## Create a profile
-
-A profile applies to a device, or a group of devices,
-
-1. In the Microsoft 365 admin center, choose **Devices** \> **Autopilot**.
-
-2. On the **Autopilot** page, choose the **Profiles** tab \> **Create profile**.
-
-3. On the **Create profile** page, enter a name for the profile that helps you identify it, for example Marketing. Turn on the setting you want, and then choose **Save**. For more information about Autopilot profile settings, see [About Autopilot Profile settings](m365bp-Autopilot-profile-settings.md).
-
- ![Enter name and turn on settings in the Create profile panel.](./../media/63b5a00d-6a5d-48d0-9557-e7531e80702a.png)
-
-### Apply profile to a device
-
-After you create a profile, you can apply it to a device or a group of devices. You can pick an existing profile in the [step-by-step guide](m365bp-add-Autopilot-devices-and-profile.md) and apply it to new devices, or replace an existing profile for a device or group of devices.
-
-1. On the **Prepare Windows** page, choose the **Devices** tab.
-
-2. Select the check box next to a device name, and in the **Device** panel, choose a profile from the **Assigned profile** drop-down list \> **Save**.
-
- ![In the Device panel, select an Assigned profile to apply it.](./../media/ed0ce33f-9241-4403-a5de-2dddffdc6fb9.png)
-
-## Edit, delete, or remove a profile
-
-Once you've assigned a profile to a device, you can update it, even if you've already given the device to a user. When the device connects to the internet, it downloads the latest version of your profile during the setup process. If the user restores their device to its factory default settings, the device will again download the latest updates to your profile.
-
-### Edit a profile
-
-1. On the **Prepare Windows** page, choose the **Profiles** tab.
-
-2. Select the check box next to a device name, and in the **Profile** panel, update any of the available settings \> **Save**.
-
- If you do this task before a user connects the device to the internet, then the profile gets applied to the setup process.
-
-### Delete a profile
-
-1. On the **Prepare Windows** page, choose the **Profiles** tab.
-
-2. Select the check box next to a device name, and in the **Profile** panel, select **Delete profile** \> **Save**.
-
- When you delete a profile, it gets removed from a device or a group of devices it was assigned to.
-
-### Remove a profile
-
-1. On the **Prepare Windows** page, choose the **Devices** tab.
-
-2. Select the check box next to a device name, and in the **Device** panel, choose **None** from the **Assigned profile** drop-down list \> **Save**.
-
-## See also
-
-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
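Review bot: this deletes the whole article, and nothing in the visible change adds a redirect for its URL. Another article in this same update linked to it as ../admin/devices/create-and-edit-Autopilot-profiles.md, so inbound links clearly existed; add a redirection entry pointing at the replacement content and search the remaining articles for links to this file name.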
business-premium M365bp Add Autopilot Devices And Profile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-add-autopilot-devices-and-profile.md
- Title: "Use this step-by-step guide to add Autopilot devices and profile"-- NOCSH------- Previously updated : 08/18/2022--- MiniMaven-- OKR_SMB_M365-- BCS160-- MET150-- MOE150
-description: "Learn how to use Windows Autopilot to set up new Windows 10 devices for your business so they're ready for employee use."
--
-# Use this step-by-step guide to add Autopilot devices and profile
-
-You can use Windows Autopilot to set up **new** Windows 10 devices for your business so they're ready for use when you give them to your employees.
-
-## Device requirements
-
-Devices must meet these requirements:
-
-- Windows 10, version 1703 or later--- New devices that haven't been through Windows out-of-box experience-
-## Use the setup guide to add devices and profiles
-
-If you haven't created device groups or profiles yet, the best way to get started is by using the step-by-step guide. You can also [add Autopilot devices](m365bp-create-and-edit-Autopilot-devices.md) and [assign profiles](../admin/devices/create-and-edit-Autopilot-profiles.md) to them without using the guide.
-
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
-
-2. On the left navigation pane, choose **Devices** \> **Autopilot**.
-
- :::image type="content" source="../media/Autopilot.png" alt-text="In the Microsoft 365 admin center, choose devices and then Autopilot.":::
-
-3. On the **Autopilot** page, click or tap **Start guide**.
-
- :::image type="content" source="../media/31662655-d1e6-437d-87ea-c0dec5da56f7.png" alt-text="Click Start guide for step-by-step instructions for Autopilot":::
-
-4. On the **Upload .csv file with list of devices** page, browse to a location where you have the prepared .CSV file, then **Open** \> **Next**. The file must have three headers:
-
- - Column A: Device Serial Number
- - Column B: Windows Product ID
- - Column C: Hardware Hash
-
-You can get this information from your hardware vendor, or you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo) to generate a CSV file.
-
-For more information, see [Device list CSV-file](../admin/misc/device-list.md). You can also download a sample file on the **Upload .csv file with list of devices** page.
-
-> [!NOTE]
-> This script uses WMI to retrieve properties needed for a customer to register a device with Windows Autopilot. Note that it is normal for the resulting CSV file to not collect a Windows Product ID (PKID) value since this is not required to register a device and PKID being NULL in the output CSV is totally fine. Only the serial number and hardware hash will be populated.
-
-5. On the **Assign a profile** page, you can either pick an existing profile or create a new one. If you don't have one yet, you'll be prompted to create one.
-
- A profile is a collection of settings that can be applied to a single device or to a group of devices.
-
- The default features are required and are set automatically. The default features are:
-
- - Skip Cortana, OneDrive, and OEM registration.
-
- - Create sign-in experience with your company brand.
-
- - Connect your devices to Azure Active Directory accounts, and automatically enroll them to be managed by Microsoft 365 Business Premium.
-
- For more information, see [About Autopilot Profile settings](m365bp-Autopilot-profile-settings.md).
-
-6. The other settings are **Skip privacy settings** and **Don't allow user to become the local admin**. These are both set to **Off** by default.
-
- Choose **Next**.
-
-7. **You're done** indicates that the profile you created (or chose) will be applied to the device group you created by uploading the list of devices. The settings will be in effect when the device users sign in next. Choose **Close**.
-
-## Related content
-
-[About Autopilot Profile settings](../business-premium/m365bp-Autopilot-profile-settings.md) (article)\
-[Options for protecting your devices and app data](../admin/basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md) (article)\
-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp App Protection Settings For Android And Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-app-protection-settings-for-android-and-ios.md
- Title: "Set app protection settings for Android or iOS devices"-- NOCSH------ Previously updated : 07/19/2022---- MiniMaven-- OKR_SMB_M365-- BCS160-- MET150
-description: "Learn how to create, edit, or delete an app management policy, and protect work files on Android or iOS devices."
--
-# Set app protection settings for Android or iOS devices
-
-Check out [Microsoft 365 small business help](https://go.microsoft.com/fwlink/?linkid=2197659) on YouTube.
-
-This article applies to Microsoft 365 Business Premium.
-
-## Watch: Secure Office apps on iOS
-
-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2197828).
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FLvZ?autoplay=false]
-
-You can set up a user access policy that requires mobile users to enter a PIN or fingerprint to sign in, and also encrypts work files stored on their devices.
-
-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.
-
-2. Under **Policies**, choose **Add policy**.
-
-3. In the **Add policy** pane, enter a name under **Policy name**, and choose the policy type that you want under **Policy type**.
-
-4. Turn on **Protect work files when devices are lost or stolen**, and then make sure the following three settings are turned on:
-
- - **Force users to save all work files to OneDrive for Business**
-
- - **Encrypt work files**
-
-5. Turn on **Manage how users access Office files on Mobile devices** and ensure the settings are turned on or set for each item.
-
-6. Under **Files in these apps will be protected**, select the Office apps you want to protect on mobile devices.
-
-7. Under **Who will get these settings?**, all users are selected by default, but you can choose **Change** to select any security groups you've created.
-
-8. To finish creating the policy, choose **Add**.
-
-9. On the **Add policy** page, choose **Close**.
-
-10. On the admin center home page, confirm that your new policy was added by choosing **Policies** and reviewing your policy on the **Policies** page.
-
-## Create an app management policy
-
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
-
-2. In the left nav, choose **Devices** \> **Policies** \> **Add**.
-
-3. On the **Add policy** pane, enter a unique name for this policy.
-
-4. Under **Policy type**, choose **Application Management for Android** or **Application Management for iOS**, depending on which set of policies you want to create.
-
-5. Expand **Protect work files when devices are lost or stolen** and **Manage how users access Office files on mobile devices**. Configure the settings how you would like. **Manage how users access Office files on mobile devices** is **Off** by default, but we recommend that you turn it **On** and accept the default values. For more information, see [Available settings](#available-settings).
-
- You can always use the **Restore default settings** link to return to the default setting.
-
-
-6. Next decide **Who will get these settings?** If you don't want to use the default **All Users** security group, choose **Change**, choose the security groups that get these settings \> **Select**.
-
-7. Finally, choose **Done** to save the policy, and assign it to devices.
-
-## Edit an app management policy
-
-1. On the **Policies** card, choose **Edit policy**.
-
-2. On the **Edit policy** pane, choose the policy you want to change.
-
-3. Choose **Edit** next to each setting to change the values in the policy. When you change a value, it's automatically saved in the policy.
-
-4. When you're finished, close the **Edit policy** pane.
-
-## Delete an app management policy
-
-1. On the **Policies** page, choose a policy and then **Delete**.
-
-2. On the **Delete policy** pane, choose **Confirm** to delete the policy or policies you chose.
-
-## Available settings
-
-The following tables give detailed information about settings available to protect work files on devices and the settings that control how users access Office files from their mobile devices.
-
- For more information, see [How do protection features in Microsoft 365 Business Premium map to Intune settings](m365bp-map-protection-features-to-intune-settings.md).
-
-### Settings that protect work files
-
-The following settings are available to protect work files if a user's device is lost or stolen:
--
-|Setting |Description |
-|:--|:--|
-|Delete work files from an inactive device after this many days |If a device isn't used for the number of days that you specify here, any work files stored on the device will be deleted automatically. |
-|Force users to save all work files to OneDrive for Business |If this setting is **On**, the only available save location for work files is OneDrive for Business. |
-|Encrypt work files |Keep this setting **On** so that work files are protected by encryption. Even if the device is lost or stolen, no one can read your company data. |
-
-### Settings that control how users access Office files on mobile devices
-
-The following settings are available to manage how users access Office work files:
-
-|Setting |Description |
-|:--|:--|
-|Require a PIN or fingerprint to access Office apps |If this setting is **On** users must provide another form of authentication, in addition to their username and password, before they can use Office apps on their mobile devices.|
-|Reset PIN when login fails this many times |To prevent an unauthorized user from randomly guessing a PIN, the PIN will reset after the number of wrong entries that you specify. |
-|Require users to sign in again after Office apps have been idle for |This setting determines how long a user can be idle before they're prompted to sign in again. |
-|Deny access to work files on jailbroken or rooted devices |Clever users may have a device that is jailbroken or rooted. This means that the user can modify the operating system, which can make the device more subject to malware. These devices are blocked when this setting is **On**. |
-|Don't allow users to copy content from Office apps into personal apps |We do allow this by default, but if the setting is **On**, the user could copy information in a work file to a personal file. If the setting is **Off**, the user will be unable to copy information from a work account into a personal app or personal account. |
-
-## See also
-
-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Autopilot Profile Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-autopilot-profile-settings.md
- Title: "About Autopilot Profile settings"------ 'ZTDProfileSettings'-- 'O365E_ZTDProfileSettings'-- 'BCS365_ZTDProfileSettings'-- Previously updated : 07/19/2022---- MiniMaven-- OKR_SMB_M365-- BCS160-- MET150-- MOE150
-description: "Autopilot profiles help you control how Windows gets installed on user devices. The profiles contain default and optional settings like skip Cortana installation."
--
-# About Autopilot Profile settings
-
-## Autopilot profile settings
-
-You can use Autopilot profiles to control how Windows is installed on user devices. The profiles contain the following settings.
-
-## Autopilot default features (required) that are set automatically
-
-| Setting | Description |
-|:--|:--|
-|Skip Cortana, OneDrive, and OEM registration |Skips the installation of consumer apps like Cortana and personal OneDrive. The device user can install these later as long as the user is a local admin on the device. The original manufacturer registration is skipped because the device will be managed by Microsoft 365 Business Premium. |
-|Sign in experience with your company brand |If your company has a [Add your company branding to Microsoft 365 Sign In page](../admin/setup/customize-sign-in-page.md), the device user will get that experience when signing in. |
-|MDM auto-enrollment with configured AAD accounts. |The user identity will be managed by Azure Active Directory, and users will sign in to Windows and Microsoft 365 with their Microsoft 365 Business Premium credentials. |
-
-## Optional settings
-
-| Setting | Description |
-|:--|:--|
-|Skip privacy settings (Off by default) |If this option is set to **On**, the device user will not see the license agreement for the device and Windows when he or she first signs in. |
-|Don't allow the user to become the local admin |If this option is set to **On**, the device user will not be able to install any personal apps, such as Cortana.|
-
-## See also
-
-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Create And Edit Autopilot Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-create-and-edit-autopilot-devices.md
- Title: "Create and edit Autopilot devices"-- NOCSH------ Previously updated : 07/19/2022---- MiniMaven-- OKR_SMB_M365-- BCS160-- MET150-- MOE150
-description: "Learn how to upload devices using Autopilot in Microsoft 365 Business Premium. You can assign a profile to a device or a group of devices."
--
-# Create and edit Autopilot devices
-
-## Upload a list of devices
-
-You can use the [Step-by-step guide](m365bp-add-Autopilot-devices-and-profile.md) to upload devices, but you can also upload devices in the **Devices** tab.
-
-Devices must meet these requirements:
-
-- Windows 10, version 1703 or later
-
-- New devices that haven't been through Windows out-of-box experience-
-1. In the Microsoft 365 admin center, choose **Devices** \> **Autopilot**.
-
-2. On the **Autopilot** page, choose the **Devices** tab \> **Add devices**.
-
- ![In the Devices tab, choose Add devices.](./../media/6ba81e22-c873-40ad-8a72-ce64d15ea6ba.png)
-
-3. On the **Add devices** panel, browse to a [Device list CSV-file](../admin/misc/device-list.md) that you prepared \> **Save** \> **Close**.
-
- You can get this information from your hardware vendor, or you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo) to generate a CSV file.
-
-## Assign a profile to a device or a group of devices
-
-1. On the **Prepare Windows** page, choose the **Devices** tab, and select the check box next to one or more devices.
-
-2. On the **Device** panel, select a profile from the **Assigned profile** drop-down.
-
- If you don't have any profiles yet, see [Create and edit Autopilot profiles](../admin/devices/create-and-edit-Autopilot-profiles.md) for instructions.
-
-## See also
-
-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
business-premium M365bp Manage Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-manage-windows-devices.md
- Title: "Enable domain-joined Windows 10 devices to be managed by Microsoft 365 for business"-- CSH------ Previously updated : 07/19/2022---- MiniMaven-- BCS160-- MET150
-description: "Learn how to enable Microsoft 365 to protect local Active-Directory-joined Windows 10 devices in just a few steps."
--
-# Manage Windows devices with Microsoft 365 Business Premium
-
-If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business Premium to protect your Windows devices, while still maintaining access to on-premises resources that require local authentication.
-
-To set this up, implement **Hybrid Azure AD joined devices**. These devices are joined to both your on-premises Active Directory and your Azure Active Directory.
-
-> [!NOTE]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../security/defender-business/mdb-overview.md).
-
-## Watch: Configure Hybrid Azure Active Directory join
-
-This video describes the steps for how to set this up for the most common scenario, which is also detailed in the steps that follow.
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3C9hO]
-
-## Before you begin
--- Synchronize users to Azure AD with Azure AD Connect.-- Complete Azure AD Connect Organizational Unit (OU) sync.-- Make sure all the domain users you sync have licenses for Microsoft 365 Business Premium.-
-See [Synchronize domain users to Microsoft 365](../admin/setup/manage-domain-users.md) for the steps.
-
-## Possible device actions and statuses
-
-![In the Device actions list, you can see the Devices states.](./../media/a621c47e-45d9-4e1a-beb9-c03254d40c1d.png)
-
-Devices and their associated actions can have the following states:
-
-|**Status**|**Description**|
-|:--|:--|
-|Managed by Intune |Managed by Microsoft 365 Business Premium. |
-|Retire pending |Microsoft 365 Business Premium is getting ready to remove company data from the device. |
-|Retire in progress |Microsoft 365 Business Premium is currently removing company data from the device. |
-|Retire failed | Remove company data action failed. |
-|Retire canceled |Retire action was canceled. |
-|Wipe pending |Waiting for factory reset to start. |
-|Wipe in progress |Factory reset has been issued. |
-|Wipe failed |Couldn't do factory reset. |
-|Wipe canceled |Factory wipe was canceled. |
-|Unhealthy |An action is pending (or in progress), but the device hasn't checked in for 30+ days. |
-|Delete pending |Delete action is pending. |
-|Discovered |Microsoft 365 Business Premium has detected the device. |
-
-## 1. Verify MDM Authority in Intune
-
-Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com/#blade/Microsoft_Intune_Enrollment/EnrollmentMenu/overview)) and select **Device enrollment**, then on the **Overview** page, make sure **MDM authority** is **Intune**.
--- If **MDM authority** is **None**, click the **MDM authority** to set it to **Intune**.-- If **MDM authority** is **Microsoft Office 365**,go to **Devices** > **Enroll devices** and use the **Add MDM authority** dialog on the right to add **Intune MDM** authority (the **Add MDM Authority** dialog is only available if the **MDM Authority** is set to Microsoft Office 365).-
-## 2. Verify Azure AD is enabled for joining computers
-
-1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and select **Azure Active Directory** (select Show all if Azure Active Directory is not visible) in the **Admin centers** list.
-
-2. In the **Azure Active Directory admin center**, go to **Azure Active Directory** , choose **Devices** and then **Device settings**.
-
-3. Verify **Users may join devices to Azure AD** is enabled
-
- 1. To enable all users, set to **All**.
-
- 2. To enable specific users, set to **Selected** to enable a specific group of users.
-
- - Add the desired domain users synced in Azure AD to a [security group](../admin/create-groups/create-groups.md).
-
- - Choose **Select groups** to enable MDM user scope for that security group.
-
-## 3. Verify Azure AD is enabled for MDM
-
-1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and select **Endpoint Management** (select **Show all** if **Endpoint Manager** is not visible)
-
-2. In the **Microsoft Endpoint Manager admin center**, go to **Devices** > **Windows** > **Windows Enrollment** > **Automatic Enrollment**.
-
-3. Verify MDM user scope is enabled.
-
- 1. To enroll all computers, set to **All** to automatically enroll all user computers that are joined to Azure AD and new computers when the users add a work account to Windows.
-
- 2. Set to **Some** to enroll the computers of a specific group of users.
-
- - Add the desired domain users synced in Azure AD to a [security group](/admin/create-groups/create-groups.md).
-
- - Choose **Select groups** to enable MDM user scope for that security group.
-
-## 4. Create the required resources
-
-Performing the required tasks to [configure hybrid Azure AD join](/azure/active-directory/devices/hybrid-azuread-join-managed-domains#configure-hybrid-azure-ad-join) has been simplified through the use of the [Initialize-SecMgmtHybirdDeviceEnrollment](https://github.com/microsoft/secmgmt-open-powershell/blob/master/docs/help/Initialize-SecMgmtHybirdDeviceEnrollment.md) cmdlet found in the [SecMgmt](https://www.powershellgallery.com/packages/SecMgmt) PowerShell module. When you invoke this cmdlet it will create and configure the required service connection point and group policy.
-
-You can install this module by invoking the following from an instance of PowerShell:
-
-```powershell
-Install-Module SecMgmt
-```
-
-> [!IMPORTANT]
-> Install this module on the Windows Server running Azure AD Connect.
-
-To create the required service connection point and group policy, you will invoke the [Initialize-SecMgmtHybirdDeviceEnrollment](https://github.com/microsoft/secmgmt-open-powershell/blob/master/docs/help/Initialize-SecMgmtHybirdDeviceEnrollment.md) cmdlet. You will need your Microsoft 365 Business Premium global admin credentials when performing this task. When you are ready to create the resources, invoke the following:
-
-```powershell
-PS C:\> Connect-SecMgmtAccount
-PS C:\> Initialize-SecMgmtHybirdDeviceEnrollment -GroupPolicyDisplayName 'Device Management'
-```
-
-The first command will establish a connection with the Microsoft cloud, and when you are prompted, specify your Microsoft 365 Business Premium global admin credentials.
-
-## 5. Link the group policy
-
-1. In the Group Policy Management Console (GPMC), right-click on the location where you want to link the policy and select *Link an existing GPO...* from the context menu.
-
-2. Select the policy created in the above step, then click **OK**.
-
-## Get the latest administrative templates
-
-If you do not see the policy **Enable automatic MDM enrollment using default Azure AD credentials**, it may be because you donΓÇÖt have the ADMX installed for Windows 10, version 1803, or later. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):
-
-1. Download: [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/102157).
-
-2. Install the package on a Domain Controller.
-
-3. Navigate, depending on the Administrative Templates version to the folder: **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**.
-
-4. Rename the **Policy Definitions** folder in the above path to **PolicyDefinitions**.
-
-5. Copy the **PolicyDefinitions** folder to your SYSVOL share, by default located at `C:\Windows\SYSVOL\domain\Policies`.
-
- If you plan to use a central policy store for your entire domain, add the contents of PolicyDefinitions there.
-
-6. In case you have several Domain Controllers, wait for SYSVOL to replicate for the policies to be available. This procedure will work for any future version of the Administrative Templates as well.
-
-At this point you should be able to see the policy **Enable automatic MDM enrollment using default Azure AD credentials** available.
-
-## Related content
--- [Synchronize domain users to Microsoft 365](../admin/setup/manage-domain-users.md)--- [Create a group in the admin center](../admin/create-groups/create-groups.md)--- [Tutorial: Configure hybrid Azure Active Directory join for managed domains](/azure/active-directory/devices/hybrid-azuread-join-managed-domains)--- [Set up self-service passwords](../admin/add-users/let-users-reset-passwords.md)--- [Set up self-service group management](/azure/active-directory/enterprise-users/groups-self-service-management)--- [Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)-
-## Next objective
-
-[Prepare for Office client deployment](m365bp-prepare-for-office-client-deployment.md)
business-premium M365bp Managed Devices Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-managed-devices-setup.md
- Title: "Set up managed devices"-- NOCSH------ Previously updated : 07/19/2022--- M365-Campaigns-- m365solution-smb--- MiniMaven-- BCS160-- MET150
-description: "How to set up managed devices"
--
-# Set up managed devices
-
-A "managed" device is one that is under control and being monitored by the organization, and is therefore regularly updated, and secure. Having devices under managed control is a critical objective. To bring these devices under control, enroll them in a device manager with Microsoft Intune and Azure Active Directory, both of which are included with Microsoft Business Premium.
-
-1. Set up device and data protection policies in the [setup wizard](../business/set-up.md).
-
-2. Connected the computer to [Azure Active Directory](../business/set-up-windows-devices.md) with their Microsoft 365 username and password.
-
-## Enroll devices in Intune
-
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
-
-2. Select **Devices** > **Enroll devices**.
-
- :::image type="content" source="media/m365bp-endpoint-manager-enroll-devices.png" alt-text="Use Microsoft Endpoint Manager to enroll devices.":::
-
-3. Follow specific device enrollment guidance below.
-
-### For Windows enrollment:
-
-1. Select **Windows** > **Windows enrollment**.
-
-2. From the enrollment methods listed, select **Automatic enrollment**.
-
-### For iOS enrollment:
-
-1. Select **iOS** > **iOS enrollment**.
-
-2. From the list of policies, select a policy to see its details.
-
-3. Select **Properties** to manage the policy.
-
-4. Select **Settings** > **System Security** and configure security details in Intune.
-
-5. Look at configuration profiles.
-
-6. Create a profile and push it to the devices in your organization, as needed.
-
-### For Android enrollment:
-
-1. Select **Android** > **Android enrollment**.
-
-2. Choose **Managed Google Play** and grant Microsoft permission to send information to Google.
-
-## Next objective
-
-Use the following guidance to [onboard devices to Defender for Business capabilities](m365bp-onboard-devices-mdb.md).
-
business-premium M365bp Protect Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protect-devices.md
ms.localizationpriority: high Previously updated : 08/24/2022 Last updated : 09/14/2022 - M365-Campaigns - m365solution-smb
description: "An overview for how to set up and secure managed devices from secu
:::image type="content" source="media/mission6.png" alt-text="Secure managed devices with Defender for Business.":::
-Welcome to your final critical mission. Here, you'll onboard and implement protection for all the managed devices in your organization. [Onboard your devices to Defender for Business](../security/defender-business/mdb-onboard-devices.md) to help ensure those devices are protected from ransomware, malware, phishing, and other threats. You can also make sure Windows devices are protected and ready for Office deployment. When you're done, you can rest assured, knowing you've done your part to protect your organization when these objectives have been achieved!
+**Welcome to your final critical mission**! Here, you'll onboard and implement protection for all the managed devices in your organization. Microsoft Defender for Business capabilities now included in Microsoft 365 Business Premium can help ensure that your organization's devices are protected from ransomware, malware, phishing, and other threats. When you're done completing your objectives, you can rest assured, knowing you've done your part to protect your organization!
Your objectives are to: -- [Set up managed devices](m365bp-managed-devices-setup.md)-- [Onboard enrolled devices and apply policies](m365bp-onboard-devices-mdb.md)-- [Secure Windows devices with default settings](m365bp-secure-windows-devices.md)-- [Review and edit device policies](m365bp-view-edit-create-mdb-policies.md)-- [Manage device groups](m365bp-device-groups-mdb.md)
+- [Upgrade Windows devices running Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro to Windows 10 or 11 Pro](m365bp-upgrade-windows-10-pro.md).
+- [Onboard devices to Defender for Business and apply security policies](m365bp-onboard-devices-mdb.md).
+- [Use Windows Autopilot to set up and configure new devices, or to reset, repurpose, and recover devices](/mem/autopilot/windows-autopilot).
+- [Install Microsoft 365 Apps](../admin/setup/install-applications.md) on any devices that don't already have Office applications
Once these objectives have been achieved, your overall mission to protect your organization against cyberattacks and other cybersecurity threats is a success! Now, make sure to set up your response teams to deal with any situation that may arise while defending the integrity of the system. See your next steps! ## Next steps
+- [Manage devices in Microsoft Defender for Business](../security/defender-business/mdb-manage-devices.md)
- [Set up a security operations process](m365bp-security-incident-quick-start.md). - [Learn about security incident management](m365bp-security-incident-management.md). - [Learn how to maintain your environment](m365bp-maintain-environment.md).
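Review bot: The rewritten objectives list drops "Review and edit device policies" (m365bp-view-edit-create-mdb-policies.md) and "Manage device groups" (m365bp-device-groups-mdb.md), and neither the new objectives nor the Next steps links replace them. If those articles still exist, keep them reachable from this mission page, since policy review and device grouping are the steps that confirm onboarded devices actually receive protection. Two smaller points: the added "Install Microsoft 365 Apps" item is the only one in the new list without a closing period, and the new intro sentence no longer links to the onboarding article that the old text pointed at from "Onboard your devices to Defender for Business".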
business-premium M365bp Protection Settings For Windows 10 Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-protection-settings-for-windows-10-devices.md
- Title: "Edit or set application protection settings for Windows devices"------ 'Win10AppPolicy'-- 'O365E_Win10AppPolicy'-- 'BCS365_Win10AppPolicy'-- Previously updated : 07/19/2022---- MiniMaven-- BCS160-- MET150-- MOE150
-description: "Learn how to create or edit app management policies and protect work files on your users' personal Windows devices."
--
-# Set or edit application protection settings for Windows devices
-
-Now you need to set up application protection policies for your organization's Windows devices to ensure all your users are protected when they use applications for their work.
-
-## Edit an app management policy for Windows devices
-
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
-
-2. On the left nav, choose **Devices** \> **Policies** .
-
-3. Choose an existing Windows app policy and then **Edit**.
-
-4. Choose **Edit** next to a setting you want to change and then **Save**.
-
-## Create an app management policy for Windows devices
-
-If your users have personal Windows devices on which they perform work tasks, you can protect your data on those devices.
-
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
-
-2. On the left nav, choose **Devices** \> **Policies** \> **Add**.
-
-3. On the **Add policy** pane, enter a unique name for this policy.
-
-4. Under **Policy type**, choose **Application Management for Windows 10**.
-
-5. Under **Device type**, choose either **Personal** or **Company Owned**.
-
-6. The **Encrypt work files** is turned on automatically.
-
-7. Set **Prevent users from copying company data to personal files and force them to save work files to OneDrive for Business** to **On** if you don't want the users to save work files on their PC.
-
-8. Expand **Recover data on Windows devices**. We recommend that you turn it **On**.
- Before you can browse to the location of the Data Recovery Agent certificate, you have to first create one. For instructions, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
-
- By default, work files are encrypted using a secret key that is stored on the device and associated with the user's profile. Only the user can open and decrypt the file. However, if a device is lost or a user is removed, a file can be stuck in an encrypted state. An admin can use the Data Recovery Agent (DRA) certificate to decrypt the file.
-
- ![Browse to Data Recovery Agent certificate.](./../media/7d7d664f-b72f-4293-a3e7-d0fa7371366c.png)
-
-9. Expand **Protect additional network and cloud locations** if you want to add additional domains or SharePoint Online locations to make sure that files in all the listed apps are protected. If you need to enter more than one item for either field, use a semicolon (;) between the items.
-
- ![Expand Protect additional network and cloud locations, and enter domains or SharePoint Online sites you own.](./../media/7afaa0c7-ba53-456d-8c61-312c45e09625.png)
-
-10. Next decide **Who will get these settings?** If you don't want to use the default **All Users** security group, choose **Change**, choose the security groups who will get these settings \> **Select**.
-11. Finally, choose **Add** to save the policy, and assign it to devices.
-
-## See also
-
-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
-
-## Next objective
-
-[Validate your Windows settings](m365bp-validate-settings-on-windows-10-pcs.md).
business-premium M365bp Secure Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-secure-users.md
ms.localizationpriority: high Previously updated : 08/24/2022 Last updated : 09/14/2022 - M365-Campaigns - m365solution-smb
Microsoft 365 Business Premium is a comprehensive cloud productivity and securit
- **Defend against sophisticated cyberthreats and safeguard your business data** with advanced protection against phishing, ransomware, and data loss. - **Manage and secure devices** (Windows, Mac, iOS, and Android) that connect to your data, and help keep those devices up to date.
-Microsoft 365 Business Premium offers you one comprehensive solution for productivity and security. As an admin or IT Pro, you have everything you need in one place for administration, billing, and 24x7 support, while reducing cost and complexity for your business. This article includes the following sections:
--- [Video: Top 5 benefits of Microsoft 365 Business Premium](#video-top-5-benefits-of-microsoft-365-business-premium)-- [Productivity and advanced security capabilities](#productivity-and-security) that enable you to run your business more securely, across devices, and from almost anywhere-- [Resources to train your team and all staff](#resources-to-train-your-users) on how to work productively while maintaining a more secure environment-- A [downloadable digital threats guide](#download-the-digital-threats-guide) that describes different kinds of threats and how to protect against them in your day-to-day work-- [Next steps](#next-steps)
+Microsoft 365 Business Premium offers you one comprehensive solution for productivity and security. As an admin or IT Pro, you have everything you need in one place for administration, billing, and 24x7 support, while reducing cost and complexity for your business.
## Video: Top 5 benefits of Microsoft 365 Business Premium
Watch the following video to see how Microsoft 365 Business Premium helps your b
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Pq0G]
-> [!TIP]
-> For more information, see [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium?activetab=pivot:overviewtab).
-
-## Productivity and security
-
-Microsoft 365 Business Premium includes your favorite Office productivity apps, collaboration tools like Microsoft Teams, and enterprise-grade security, identity, and device management solutions. With Microsoft 365 Business Premium, you can run your business more securely, across devices, and from almost anywhere. Microsoft 365 Business Premium includes:
--- **Windows 10 and 11 Pro** upgrades for your company's Windows devices-- **Office apps**, such as Word, Excel, and PowerPoint, that you can install on your computers (Windows and Mac), and on your mobile devices (Windows, iOS, and Android). You also get Publisher and Access for your Windows devices.-- **Microsoft Teams, Outlook, and Exchange** for email, calendars, meetings, and collaboration-- **SharePoint and OneDrive** to store and manage your business files-- **Sophisticated protection from threats** like phishing, malware, and ransomware protection-- **Compliance and privacy features** to protect and control access to your and your customers' sensitive information-- **Device management capabilities** that enable your security team to help keep computers, tablets, and phones up to date and secure- > [!TIP] > For more detailed information about what's included in Microsoft 365 Business Premium, see the [Microsoft 365 User Subscription Suites for Small and Medium-sized Businesses](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWR6bM). ## Resources to train your users
-The security recommendations provided in these missions make it much harder for cyberattackers to gain access to your environment. However, an important part of your security strategy includes training members of the organization&mdash;the people in your company who use your systems regularly. Users can be your front line of defense. Everyone needs to know how to work productively while maintaining a more secure environment.
+The security recommendations provided in [this guidance](index.md) make it much harder for cyberattackers to gain access to your environment. However, an important part of your security strategy includes training everyone in your organization&mdash;the people in your company who use your systems regularly. Users can be your first line of defense. Everyone needs to know how to work productively while maintaining a more secure environment.
Resources are available to help everyone in your organization to:
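Review bot: In the rewritten paragraph under "Resources to train your users", the phrase "training everyone in your organization&mdash;the people in your company who use your systems regularly" now repeats itself. The appositive used to narrow "members of the organization", but after the change it only restates "everyone in your organization". Suggest ending the sentence at "training everyone in your organization", or keeping the appositive and dropping "everyone". The new link text "this guidance" is also not descriptive on its own; naming the target, which is index.md, would help readers and screen-reader users.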
business-premium M365bp Secure Windows Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-secure-windows-devices.md
- Title: "Secure Windows devices"-- CSH------ 'O365E_BCSSetup4WindowsConfig'-- Previously updated : 08/16/2022--- MiniMaven-- BCS160-- MET150-- MOE150
-description: "Learn how to secure your company's Windows devices using built-in settings."
--
-# Secure Windows devices
-
-The objective here is to configure settings that are part of the default device policy for Windows 10 or 11. All users who connect a Windows device, including mobile devices and computers, by signing in with their work account will automatically receive these settings. We recommend that you accept the default policy during setup and add policies later that target specific groups of users.
-
-## Before you begin
-
-Before you can set up Windows devices for Microsoft 365 Business Premium users, make sure all the Windows devices are running Windows 10 Pro.
-
-Windows 10 Pro is a prerequisite for deploying Windows 10 Business, which is a set of cloud services and device management capabilities that complement Windows 10 Pro and Windows 11 Pro, and enable the centralized management and security controls of Microsoft 365 Business Premium.
-
-[Learn more about requirements for Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium?activetab=pivot:techspecstab).
-
-## Windows 10 Pro
-
-If you have Windows devices running previous versions of Windows, such as Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles you to upgrade those devices to Windows 10 Pro or Windows 11 Pro.
-
-For more information on how to upgrade Windows devices, see [Upgrade Windows devices to Windows 10 Pro](m365bp-upgrade-windows-10-pro.md).
-
-## Secure your Windows 10 and 11 devices
-
-By default all settings are **On**. The following settings are available:
-
-|Setting |Description |
-|:--|:--|
-|Help protect computers from viruses and other threats using Microsoft Defender Antivirus |Requires that Microsoft Defender Antivirus is turned on to protect computers from the dangers of being connected to the internet. |
-|Help protect computers from web-based threats in Microsoft Edge |Turns on settings in Edge that help protect users from malicious sites and downloads. |
-|Help protect files and folders on computers from unauthorized access with BitLocker |BitLocker protects data by encrypting the computer hard drives and protect against data exposure if a computer is lost or stolen. For more information, see [BitLocker FAQ](/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions). |
-|Turn off device screen when idle for this amount of time |Makes sure that company data is protected if a user is idle. A user may be working in a public location, like a coffee shop, and step away or be distracted for just a moment, leaving their device vulnerable to random glances. This setting lets you control how long the user can be idle before the screen shuts off. |
-
-## Next objective
-
-[Manage Windows devices](m365bp-manage-windows-devices.md)
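Review bot: The removed "Next objective" link at the end of this deletion shows the page was one step in a guided sequence, and nothing in the visible change says where readers arrive now. If the file is being deleted, add a redirect for it and retarget whichever page pointed here as its next objective. The removed table was also the place in these lines that described the default-on device settings (Microsoft Defender Antivirus, Microsoft Edge protection, BitLocker, idle screen timeout); confirm that description survives in the article that replaces this one.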
business-premium M365bp Security Incident Quick Start https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-security-incident-quick-start.md
Use the threat analytics dashboard to get an overview of the current threat land
Microsoft 365 Business Premium includes several remediation actions. These actions include manual response actions, actions following automated investigation, and live response actions.
-1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Device inventory**.
+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Assets** > **Devices**.
:::image type="content" source="./../medib-deviceinventory.png" alt-text="Screenshot of device inventory":::
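Review bot: The image line under step 1 still carries `alt-text="Screenshot of device inventory"` and a device inventory screenshot, while the step now sends the reader to **Assets** > **Devices**. Update the alt text, and the screenshot itself if the navigation pane it shows no longer has a Device inventory entry, so the picture matches the instruction.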
business-premium M365bp Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-setup.md
ms.localizationpriority: high Previously updated : 08/05/2022 Last updated : 09/14/2022 f1.keywords: NOCSH
Microsoft 365 Business Premium includes a guided process. The following video sh
As soon as you've completed the guided setup process, make sure to proceed to [bump up security](m365bp-security-overview.md). > [!TIP]
-> - After you have added users, give them a link to the [Employee quick setup guide](../admin/setup/employee-quick-setup.md). The guide walks them through signing in, getting Office apps, and saving, copying, and sharing files.
+> After you have added users, give them a link to the [Employee quick setup guide](../admin/setup/employee-quick-setup.md). The guide walks them through signing in, getting Office apps, and saving, copying, and sharing files.
## Work with a Microsoft partner
business-premium M365bp Trial Playbook Microsoft Business Premium https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-trial-playbook-microsoft-business-premium.md
ms.localizationpriority: high Previously updated : 08/24/2022 Last updated : 09/14/2022 search.appverid: - MOE150 - MET150
description: "Make the most of your Microsoft 365 Business Premium trial. Try ou
# Trial playbook: Microsoft 365 Business Premium
-Welcome to the Microsoft Business Premium trial playbook. This playbook will help you make the most of your 30-day free trial by experiencing how Microsoft 365 Business Premium increases productivity and helps safeguard your organization with advanced security capabilities. Using Microsoft recommendations, learn how you can set up your threat protection features, analyze detected threats, and respond to cyberattacks.
+Welcome to the Microsoft Business Premium trial playbook! This playbook will help you make the most of your 30-day free trial. You can see firsthand how Microsoft 365 Business Premium increases productivity and helps safeguard your organization with advanced security capabilities. Use this playbook to set up your threat protection features, analyze detected threats, and respond to cyberattacks.
## Set up the Microsoft 365 Business Premium trial When you [start a trial or purchase Microsoft 365 Business Premium](get-microsoft-365-business-premium.md), your first step is to get everything set up. > [!TIP]
-> Save this playbook to your browser favorites. When links in the playbook take you away from this location, simply return to this playbook to continue.
+> Save this playbook to your browser favorites. When links in the playbook take you away from this location, it'll be easier to return to this playbook to continue.
-First, [set up your trial](../business-premium/m365bp-setup.md)!
+1. [Set up your trial](../business-premium/m365bp-setup.md)!
-After you've initiated the trial and completed the setup process, it can take up to two hours for changes to take effect.
+ After you've initiated the trial and completed the setup process, it can take up to two hours for changes to take effect.
-Microsoft 365 Business Premium includes [Preset security policies](/security/office-365-security/preset-security-policies.md) that you can use in your environment. These policies represent a baseline protection profile that's suitable for most users. Standard protection includes:
+2. Use your [preset security policies](/security/office-365-security/preset-security-policies.md). These policies represent a baseline protection profile that's suitable for most users. Standard protection includes:
-- [Safe Links](../security/office-365-security/safe-links.md), [Safe Attachments](../security/office-365-security/safe-attachments.md) and [Anti-Phishing](../security/office-365-security/anti-phishing-protection.md) policies that are scoped to the entire tenant or the subset of users you may have chosen during the trial setup process. (Your trial subscription is for up to 25 users.)
+ - [Safe Links](../security/office-365-security/safe-links.md), [Safe Attachments](../security/office-365-security/safe-attachments.md) and [Anti-Phishing](../security/office-365-security/anti-phishing-protection.md) policies that are scoped to the entire tenant or the subset of users you may have chosen during the trial setup process. (Your trial subscription is for up to 25 users.)
-- Protection for productivity apps, such as [SharePoint](/sharepoint/introduction), [OneDrive](/onedrive/one-drive-quickstart-small-business), [Office apps](/deployoffice/about-microsoft-365-apps), and [Microsoft Teams](/microsoftteams/teams-overview).
+ - Protection for productivity apps, such as [SharePoint](/sharepoint/introduction), [OneDrive](/onedrive/one-drive-quickstart-small-business), [Office apps](/deployoffice/about-microsoft-365-apps), and [Microsoft Teams](/microsoftteams/teams-overview).
## Add a domain
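Review bot: The preset security policies link in the new step 2 keeps the root-relative path with a file extension, `/security/office-365-security/preset-security-policies.md`, while the Safe Links, Safe Attachments and Anti-Phishing links directly below it use the `../security/office-365-security/` relative form. Since the line is being rewritten anyway, switch it to the same relative form so all four links resolve the same way. The exclamation mark on `1. [Set up your trial](../business-premium/m365bp-setup.md)!` also reads oddly now that the sentence has become a numbered step.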
Microsoft 365 Business Premium includes Defender for Business, a new security so
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-2. Run the [setup wizard](../security/defender-business/mdb-use-wizard.md).
+2. Go to **Assets** > **Devices**. If Defender for Business isn't already set up, you will be prompted to run the [setup wizard](../security/defender-business/mdb-use-wizard.md).
3. [Onboard devices](../security/defender-business/mdb-onboard-devices.md).
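Review bot: The rewritten step 2 only covers the case where Defender for Business isn't set up yet; a reader whose tenant is already configured reaches **Assets** > **Devices** and gets no instruction. State that case explicitly, for example "If it's already set up, continue to the next step", and use "you'll be prompted" to match the contractions used in the rest of the playbook.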
business-premium M365bp Validate Settings On Android Or Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-validate-settings-on-android-or-ios.md
- Title: "Validate app protection settings on Android or iOS devices"-- NOCSH------ Previously updated : 07/19/2022--- MSB365-- BCS160-- MET150
-description: "Learn how to validate the Microsoft 365 Business Premium app protection settings on your Android or iOS devices. Making security settings for your applications is critical in order to protect the files on your mobile apps and devices from any kind of security threats."
--
-# Validate app protection settings on Android or iOS devices
--
-Follow the instructions in the following sections to validate app protection settings on Android or iOS devices.
-
-## [Android](#tab/Android)
-
-### Check that the app protection settings are working on user devices
-
-After you [set app protection settings for Android or iOS devices](../business-premium/m365bp-app-protection-settings-for-android-and-ios.md) to protect the apps, you can follow these steps to validate the settings you chose.
-
-First, make sure that the policy applies to the app in which you're going to validate it.
-
-1. In the Microsoft 365 Business Premium [admin center](https://admin.microsoft.com), go to **Policies** \> **Edit policy**.
-
-2. Choose **Application policy for Android** for the settings you created at setup, or another policy you created, and verify that it's enforced for Outlook, for example.
-
- ![Screenshot showing all the apps for which this policy protects files.](../business-premium/media/b3be3ddd-f683-4073-8d7a-9c639a636a2c.png)
-
-### Validate Require a PIN or a fingerprint to access Office apps
-
-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require a PIN or fingerprint to access Office apps** is set to **On**.
-
-![Make sure that the Require a PIN or fingerprint to access Office apps is set to On.](../business-premium/media/f37eb5b2-7e26-49fb-9bd6-d955d196bacf.png)
-
-1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.
-
-2. You'll also be prompted to enter a PIN or use a fingerprint.
-
- ![Enter a PIN on your Android device to access Office apps.](../business-premium/media/9e8ecfee-8122-4a3a-8918-eece80344310.png)
-
-### Validate Reset PIN after number of failed attempts
-
-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Reset PIN after number of failed attempts** is set to some number. This is 5 by default.
-
-1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.
-
-2. Enter an incorrect PIN as many times as specified by the policy. You'll see a prompt that states **PIN Attempt Limit Reached** to reset the PIN.
-
- ![Screenshot indicating after too many incorrect PIN attempts, you need to reset your PIN.](../business-premium/media/fca6fcb4-bb5c-477f-af5e-5dc937e8b835.png)
-
-3. Press **Reset PIN**. You'll be prompted to sign in with the user's Microsoft 365 Business Premium credentials, and then required to set a new PIN.
-
-### Validate Force users to save all work files to OneDrive for Business
-
-In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Force users to save all work files to OneDrive for Business** is set to **On**.
-
-![Verify that Force users to save all work files to OneDrive for Business is set to On.](../business-premium/media/7140fa1d-966d-481c-829f-330c06abb5a5.png)
-
-1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
-
-2. Open an email that contains an attachment and tap the down arrow icon next to the attachment's information.
-
- ![Tap the down arrow next to an attachment to try to save it.](../business-premium/media/b22573bb-91ce-455f-84fa-8feb2846b117.png)
-
- You'll see **Cannot save to device** on the bottom of the screen.
-
- ![Warning text that indicates cannot save a file locally to an Android.](../business-premium/media/52ca3f3d-7ed0-4a52-9621-4872da6ea9c5.png)
-
- > [!NOTE]
- > Saving to OneDrive for Business is not enabled for Android at this time, so you can only see that saving locally is blocked.
-
-### Validate Require user to sign in again if Office apps have been idle for a specified time
-
-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require users to sign in again after Office apps have been idle for** is set to some number of minutes. This is 30 minutes by default.
-
-1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
-
-1. You should now see Outlook's inbox. Let the Android device idle untouched for at least 30 minutes (or some other amount of time, longer than what you specified in the policy). The device will likely dim.
-
-1. Access Outlook on the Android device again.
-
-1. You'll be prompted to enter your PIN before you can access Outlook again.
-
-### Validate Protect work files with encryption
-
-In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Protect work files with encryption** is set to **On**, and **Force users to save all work files to OneDrive for Business** is set to **Off**.
-
-1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
-
-1. Open an email that contains a few image file attachments.
-
-1. Tap the down arrow icon next to the attachment's info to save it.
-
- ![Tap the down arrow to save the figure file to the Android device.](../business-premium/media/08a9e21e-4022-45d5-acff-59cface651e7.png)
-
-1. You may be prompted to allow Outlook to access photos, media, and files on your device. Tap **Allow**.
-
-1. At the bottom of the screen, choose to **Save to Device** and then open the **Gallery** app.
-
-1. You should see an encrypted photo (or more, if you saved multiple image file attachments) in the list. It may appear in the Pictures list as a gray square with a white exclamation point within a white circle in the center of the gray square.
-
- ![An encrypted image file in the Gallery app.](../business-premium/media/25936414-bd7e-421d-824e-6e59b877722d.png)
-
-### [iOS](#tab/iOS)
-
-## Check that the App protection settings are working on user devices
-
-After you [set app configurations for iOS devices](../business-premium/m365bp-protection-settings-for-windows-10-devices.md) to protect apps, you can follow these steps to validate that the settings you chose work.
-
-First, make sure that the policy applies to the app in which you're going to validate it.
-
-1. In the Microsoft 365 Business Premium [admin center](https://admin.microsoft.com), go to **Policies** \> **Edit policy**.
-
-1. Choose **Application policy for iOS** for the settings you created at setup, or another policy you created, and verify that it's enforced for Outlook for example.
-
- ![Screenshot that shows all the apps for which this policy protects files.](../business-premium/media/842441b8-e7b1-4b86-9edd-d94d1f77b6f4.png)
-
-### Validate Require a PIN to access Office apps
-
-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require a PIN or fingerprint to access Office apps** is set to **On**.
-
-![Make sure that the Require a PIN or fingerprint to access Office apps is set to On.](../business-premium/media/f37eb5b2-7e26-49fb-9bd6-d955d196bacf.png)
-
-1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.
-
-1. You'll also be prompted to enter a PIN or use a fingerprint.
-
- ![Enter a PIN on your IOS device to access Office apps.](../business-premium/media/06fc5cf3-9f19-4090-b23c-14bb59805b7a.png)
-
-### Validate Reset PIN after number of failed attempts
-
-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Reset PIN after number of failed attempts** is set to some number. This is 5 by default.
-
-1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.
-
-1. Enter an incorrect PIN as many times as specified by the policy. You'll see a prompt that states **PIN Attempt Limit Reached** to reset the PIN.
-
- ![Screenshot warning PIN reset after too many incorrect attempts.](../business-premium/media/fab5c089-a4a5-4e8d-8c95-b8eed1dfa262.png)
-
-1. Press **OK**. You'll be prompted to sign in with the user's Microsoft 365 Business Premium credentials, and then required to set a new PIN.
-
-### Validate Force users to save all work files to OneDrive for Business
-
-In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Force users to save all work files to OneDrive for Business** is set to **On**.
-
-![Verify that Force users to save all work files to OneDrive for Business is set to On.](../business-premium/media/7140fa1d-966d-481c-829f-330c06abb5a5.png)
-
-1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
-
-1. Open an email that contains an attachment, open the attachment and choose **Save** on the bottom of the screen.
-
- ![Tap the Save option after you open an attachment to try to save it.](../business-premium/media/b419b070-1530-4f14-86a8-8d89933a2b25.png)
-
-1. You should only see an option for OneDrive for Business. If not, tap **Add Account** and select **OneDrive for Business** from the **Add Storage Account** screen. Provide the end user's Microsoft 365 Business Premium to sign in when prompted.
-
- Tap **Save** and select **OneDrive for Business**.
-
-### Validate Require user to sign in again if Office apps have been idle for a specified time
-
-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require users to sign in again after Office apps have been idle for** is set to some number of minutes. This is 30 minutes by default.
-
-1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
-
-1. You should now see Outlook's inbox. Let the iOS device untouched for at least 30 minutes (or some other amount of time, longer than what you specified in the policy). The device will likely dim.
-
-1. Access Outlook on the iOS device again.
-
-1. You'll be prompted to enter your PIN before you can access Outlook again.
-
-### Validate Protect work files with encryption
-
-In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Protect work files with encryption** is set to **On**, and **Force users to save all work files to OneDrive for Business** is set to **Off**.
-
-1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.
-
-1. Open an email that contains a few image file attachments.
-
-1. Tap the attachment and then tap the **Save** option under it.
-
-1. Open **Photos** app from the home screen. You should see an encrypted photo (or more, if you saved multiple image file attachments) saved, but encrypted.
-
-## See also
-
-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
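Review bot: This deletion removes the only steps in these lines for confirming on a device that app protection settings are actually enforced (PIN prompt, PIN reset after failed attempts, sign-in after idle time, save-location restriction, encryption of saved files), and no visible hunk adds a replacement. Check `m365bp-app-protection-settings-for-android-and-ios.md`, the setup article the removed text refers to, for links back to this page, point them at wherever validation is documented now, and add a redirect for the removed file.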
business-premium M365bp Validate Settings On Windows 10 Pcs https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-validate-settings-on-windows-10-pcs.md
- Title: "Validate app protection settings for Windows 10 PCs"-- NOCSH--------- Adm_O365-- M365-subscription-management-- M365-identity-device-management-- Adm_TOC--- Adm_O365-- Core_O365Admin_Migration-- MiniMaven-- MSB365-- OKR_SMB_M365-- seo-marvel-mar-- AdminSurgePortfolio-- BCS160-- MET150
-description: "Learn how to verify that Microsoft 365 Business Premium app protection settings took effect on your users' Windows 10 devices."
--
-# Validate device protection settings for Windows 10 or 11 PCs
-
-## Verify that Windows 10 or 11 device policies are set
-
-After you [set up device policies](../business-premium/m365bp-protection-settings-for-windows-10-devices.md), it may take up to a few hours for the policy to take effect on users' devices. You can confirm that the policies took effect by looking at various Windows Settings screens on the users' devices. Because the users won't be able to modify the Windows Update and Microsoft Defender Antivirus settings on their Windows 10 or 11 devices, many options will be grayed out.
-
-1. Go to **Settings** \> **Update &amp; security** \> **Windows Update** \> **Restart options** and confirm that all settings are grayed out.
-
- ![All the Restart options are grayed out.](../business-premium/media/31308da9-18b0-47c5-bbf6-d5fa6747c376.png)
-
-2. Go to **Settings** \> **Update &amp; security** \> **Windows Update** \> **Advanced options** and confirm that all settings are grayed out.
-
- ![Windows Advanced updates options are all grayed out.](../business-premium/media/049cf281-d503-4be9-898b-c0a3286c7fc2.png)
-
-3. Go to **Settings** \> **Update &amp; security** \> **Windows Update** \> **Advanced options** \> **Choose how updates are delivered**.
-
- Confirm that you can see the message (in red) that some settings are hidden or managed by your organization, and all the options are grayed out.
-
- ![Choose how updates are delivered page indicates settings are hidden or managed by your organization.](../business-premium/media/6b3e37c5-da41-4afd-9983-b4f406216b59.png)
-
-4. To open the Windows Defender Security Center, go to **Settings** \> **Update &amp; security** \> **Windows Defender** \> click **Open Windows Defender Security Center** \> **Virus &amp; thread protection** \> **Virus &amp; threat protection settings**.
-
-5. Verify that all options are grayed out.
-
- ![The Virus and threat protection settings are grayed out.](../business-premium/media/9ca68d40-a5d9-49d7-92a4-c581688b5926.png)
-
-## Related content
-
-[Microsoft 365 for business documentation and resources](/admin)
-
-[Set device configurations for Windows 10 PCs](../business-premium/m365bp-protection-settings-for-windows-10-devices.md)
-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)
-
-## Next objective
-
-[Review and edit protection policies](m365bp-view-edit-create-mdb-policies.md)
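Review bot: The removed page ends with a "Next objective" link to `m365bp-view-edit-create-mdb-policies.md`, so it sat directly before that article in the guided sequence; whichever page pointed here as its next objective needs retargeting, and the removed file needs a redirect. The statement that device policies may take up to a few hours to take effect is also lost with this deletion; consider carrying it into the policies article so admins don't read the delay as a failed deployment.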
business-premium M365bp View Edit Create Mdb Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-premium/m365bp-view-edit-create-mdb-policies.md
ms.localizationpriority: high Last updated : 09/14/2022 f1.keywords: NOCSH
# View and edit device protection policies
-In Microsoft 365 Business Premium, security settings for managed devices are configured through device protection policies in Microsoft Defender's security center or the Admin center. To help simplify setup and configuration, there are pre-configured policies that help protect your organization's devices as soon as they are onboarded. You can use the default policies, edit existing policies, or create your own policies.
+In Microsoft 365 Business Premium, security settings for managed devices are configured through device protection policies in the Microsoft 365 Defender portal or in the Microsoft Endpoint Manager admin center. To help simplify setup and configuration, there are pre-configured policies that help protect your organization's devices as soon as they are onboarded. You can use the default policies, edit existing policies, or create your own policies.
**This guidance describes how to**: - Get an overview of your default policies-- Work with device policies in Defender security center, Admin center, and Intune.
+- Work with device policies in either the Microsoft 365 Defender portal or the Microsoft Endpoint Manager admin center (Intune).
## About the default device protection policies
Microsoft 365 Business Premium includes two main types of policies to protect yo
- **Firewall policies**, which determine what network traffic is permitted to flow to and from your organization's devices.
-These policies are part of Microsoft Defender for Business, included in your Microsoft 365 Business Premium subscription. Information is provided for working with policies in the Microsoft Defender security center as well as how to work with policies in the Admin center and Intune.
+These policies are part of Microsoft Defender for Business, included in your Microsoft 365 Business Premium subscription. Information is provided for working with policies in the Microsoft 365 Defender portal or in the Microsoft Endpoint Manager admin center.
-## Working with device polices in the Microsoft Defender security center
+## Working with device polices in the Microsoft 365 Defender portal
The following details apply to working with your policies in the security center. ### View existing device protection policies
-To view your existing device protection policies in the security center:
+To view your existing device protection policies in the Microsoft 365 Defender portal:
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
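Review bot: The renamed heading `## Working with device polices in the Microsoft 365 Defender portal` carries over the "polices" typo from the old heading; fix it to "policies" while the line is being changed, and check for links to the old anchor. The unchanged sentence just below the heading still says "in the security center", which no longer matches the portal name used in the new heading and in the new "To view your existing device protection policies in the Microsoft 365 Defender portal" line.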
To create a new device protection policy:
- Make any needed changes by selecting **Edit**. - When youΓÇÖre ready to proceed, choose **Create policy**.
-## Using device policies in the Admin center
-
-The following information describes viewing and managing policies in the Microsoft Business Premium Admin center.
-
-### Working with device policies
-
-To work with policies in the Admin center:
-
-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.
-
-1. On the left nav, choose **Devices** \> **Policies**.
-
- On this page, you can create, edit, change target group, or delete a policy.
-
- ![Screenshot of the Policies page.](../media/devicepolicies.png)
-
-### View and manage devices
-
-To view and manage policies:
-
-1. On the left nav, choose **Devices** \> **Manage**.
-
- On this page, you can select one or more devices and remove company data. For Windows 10 devices for which you have set device protections settings, you can also choose to reset the device to factory settings.
-
- ![Manage devices page.](../media/devicesmanage.png)
-
-## Working with device policies in Intune
+## Working with device policies in the Microsoft Endpoint Manager admin center
Use the following information to create and manage device policies in Intune, done through Endpoint security in the Microsoft Endpoint Manager admin center.
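Review bot: Dropping the Admin center section also drops the **Devices** > **Manage** instructions for removing company data from a device and resetting a Windows 10 device to factory settings, and the visible additions don't say where those actions are performed now. Add a sentence or link under the Microsoft Endpoint Manager admin center heading that covers them, since these are the actions an admin needs when a device is lost or stolen. The remaining intro sentence still says "in Intune" while the new heading uses only the admin center name; the new bullet earlier in the article writes "Microsoft Endpoint Manager admin center (Intune)", which would be the consistent form.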
commerce Manage Billing Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/manage-billing-profiles.md
A billing profile contains a payment method, Bill-to information, and other invo
> [!NOTE] >
-> Not all accounts have a billing profile. If you're not sure if you have a one, you can [view a list of your billing profiles]
-(manage-billing-profiles.md#view-my-billing-profiles).
+> Not all accounts have a billing profile. If you're not sure if you have a one, you can [view a list of your billing profiles](manage-billing-profiles.md#view-my-billing-profiles).
## What are billing profile roles?
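Review bot: The rejoined note line still reads "If you're not sure if you have a one"; change it to "if you have one" while the line is being touched. The link repair itself, bringing the `(manage-billing-profiles.md#view-my-billing-profiles)` target back onto the same line as its link text, looks right.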
compliance Collection Statistics Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/collection-statistics-reports.md
Here are other reasons why the estimated results from a draft collection can be
- **Unindexed items**. If the draft collection included searching all Exchange mailboxes or all SharePoint sites, then only unindexed items from content locations that contain items that match the collection criteria will be added to the review set. In other words, if no results are found in a mailbox or site, then any unindexed items in that mailbox or site won't be added to the review set. However, unindexed items from all content locations (even those that don't contain items that match the collection query) will be included in the estimated collection results.
+- **Partially indexed items**: Selection of this option adds partially indexed items from additional data sources to the review set. If the collection searched additional data sources (as specified on the **Additional locations** page in the collections wizard), there may be partially indexed items from these locations that you want to add to the review set. Custodial and non-custodial data sources typically don't have partially indexed items. That's because the Advanced indexing process reindexes items when custodial and non-custodial data sources are added to a case. Also, Adding partially indexed items will increase the number of items added to the review set. <p> After partially indexed items are added to the review set, you can apply a filter to specifically view these items. For more information, see [Filter partially indexed items](review-set-search.md#filter-partially-indexed-items)
+ Alternatively, if the draft collection included specific content locations (which means that specific mailboxes or sites where specified on the **Additional locations** page in the draft collection wizard), then unindexed items (that aren't excluded by the collection criteria) from the content locations specified in the search will be exported. In this case, the estimated number of unindexed items and the number of unindexed items that are added to the review set should be the same.
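Review bot: The new **Partially indexed items** bullet is inserted between the **Unindexed items** bullet and its continuation paragraph beginning "Alternatively, if the draft collection included specific content locations", so that paragraph now reads as part of the wrong bullet; move the addition below it. The bullet also opens with "Selection of this option", which has no referent in a list of reasons why estimated results differ and reads as text copied from a settings description. Smaller points on the same line: it uses a colon after the bold term where the neighbouring bullet uses a period, "Also, Adding" has a stray capital, the raw `<p>` tag is never closed, and the final link has no closing period.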
compliance Communication Compliance Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-configure.md
If you don't have an existing Office 365 Enterprise E5 plan and want to try comm
> [!NOTE] > Office 365 Advanced Compliance is no longer sold as a standalone subscription. When current subscriptions expire, customers should transition to one of the subscriptions above, which contain the same or additional compliance features.
-## Recommended actions
+## Recommended actions (preview)
-Recommended actions can help your organization get started with communication compliance capabilities and get the most out of your existing policies. Included on the **Policies** page, recommended actions provide insights and summarizes sensitive information types and inappropriate content activities in communications in your organization. Insights are supported by [data classification](/microsoft-365/compliance/data-classification-overview) and the application of sensitivity labels, retention labels, and sensitive information type classification. These insights don't include any personally identifiable information (PII) for users in your organization.
+Recommended actions can help your organization quickly get started with communication compliance. Included on the **Overview** page, recommended actions will help guide you through the steps to configure and deploy policies.
+
+The following recommendations are available to help you get started with or maximize your communication compliance configuration:
+
+- **Get to know communication compliance**: Before setting up things, review our official documentation to learn about, plan for, and deploy communication compliance in your organization.
+- **Assign permissions to ensure your team can get their jobs done**: Ensure that only the appropriate stakeholders can access the solution, by assigning team members responsible for managing communication compliance features and investigating and reviewing alerts.
+- **Create distribution groups for users' whose communications you want to detect**: We recommend creating distribution groups containing users who will be included in communication compliance policies.
+- **Create your first policy to start detecting communications**: To investigate potential regulatory compliance violations, you must first set up a policy that detects potential violations across your organization's internal and/or external communications.
+- **Review alerts to investigate detected messages and take action**: Messages that match a policy's conditions will trigger alerts that provide context around a policy violation so you can investigate and take action if needed.
+- **Review reports for quick insights into how policies are performing**: Get quick insights into how your policies are performing, view detailed reports to drill down further, and export results for further analysis.
+
+Each recommended action included in this experience has three attributes:
+
+- **Action**: The name and description of the recommended action.
+- **Recommended, required or optional**: Whether the recommended action is highly recommended, required, or optional for communication compliance features to function as expected.
+- **Estimated time to complete**: Estimated time to complete the recommended action in minutes.
+
+Select a recommendation from the list to get started with configuring communication compliance. Each recommended action guides you through the required activities for the recommendation, including any requirements, what to expect, and the impact of configuring the feature in your organization. Some recommended actions will be automatically marked as complete when configured. If not, you'll need to manually select the action as complete when configured.
+
+Also included on the Policies page, recommended actions insights help summarize current sensitive information types and potential regulatory compliance violations in communications in your organization. Insights are supported by [data classification](/microsoft-365/compliance/data-classification-overview) and the application of sensitivity labels, retention labels, and sensitive information type classification. These insights are aggregated and don't include any personally identifiable information (PII) for users in your organization.
![Communication compliance recommended actions.](../media/communication-compliance-recommended-actions.png)
-Activity in messages containing inappropriate content is aggregated by [classifier type](/microsoft-365/compliance/communication-compliance-policies#classifiers) from existing policies that use the inappropriate content template or custom policies that use classifiers for inappropriate content. Investigate alerts for these messages on the Alert dashboard for your policies.
+Activity in messages is aggregated by [classifier type](/microsoft-365/compliance/communication-compliance-policies#classifiers) from existing policies that use the *Detect inappropriate text* policy template or custom policies that use classifiers. Investigate alerts for these messages on the **Alert dashboard** for your policies.
+
+Activity involving [sensitive information types](/microsoft-365/compliance/communication-compliance-policies#sensitive-information-types) is detected in messages covered in existing policies and for messages that aren't covered by existing policies. Insight messages that aren't covered by existing policies can't be investigated and remediated, a new policy must be created to detect and remediate similar activity in future messages. Insights are aggregated for all sensitive information types, including ones that your organization hasn't previously defined in an existing communication compliance policy. Use these insights to create a new communication compliance policy or to update existing policies. After creating a new policy, messages alerts for this policy might or might not match an equal number of messages identified in a similar insight. Your policy might have different conditions, a different number of in-scope users, and only detects message activity that occurs after the policy is active.
-Activity involving [sensitive information types](/microsoft-365/compliance/communication-compliance-policies#sensitive-information-types) is detected in messages covered in existing policies and for messages that aren't covered by existing policies. Insights are aggregated for all sensitive information types, including ones that your organization hasn't previously defined in an existing communication compliance policy. Use these insights to create a new communication compliance policy or to update existing policies.
+>[!TIP]
+>Don't want to see the recommended action insights? Open a request with Microsoft Support to disable the display of these insight widgets for your organization.
## Step 1 (required): Enable permissions for communication compliance
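Review bot: The added text places recommended actions on two different pages: the first new paragraph says they are "Included on the **Overview** page", while the later one opens "Also included on the Policies page". Spell out which page hosts the guided actions and which hosts the insights, so the "Also" has something to refer to. Smaller wording points in the same hunk: "users' whose" has a stray apostrophe, "messages alerts" should read "message alerts", and "can't be investigated and remediated, a new policy must be created" is a comma splice that reads better as two sentences.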
compliance Communication Compliance Investigate Remediate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-investigate-remediate.md
After reviewing the message basics, it's time to open a message to examine the d
- **Attachments**: This option allows you to examine Modern attachments that match policy conditions. Modern attachments content is extracted as text and is viewable on the Pending alerts dashboard for a policy. For more information, see the [Communication compliance feature reference](/microsoft-365/compliance/communication-compliance-channels). - **Source**: This view is the standard message view commonly seen in most web-based messaging platforms. The header information is formatted in the normal style and the message body supports imbedded graphic files and word-wrapped text. If [optical character recognition (OCR)](/microsoft-365/compliance/communication-compliance-policies#optical-character-recognition-ocr) is enabled for the policy, images containing printed or handwritten text that match policy conditional are viewed as a child item for the associated message in this view.-- **Plain text**: Text view displays a line-numbered text-only view of the message and includes keyword highlighting in messages and attachments for sensitive info type terms or keywords matched in the associated communication compliance policy. Keyword highlighting can help you quickly scan long messages and attachments for the area of interest. In some cases, highlighted text may be only in attachments for messages matching policy conditions. Keyword highlighting isn't supported for terms identified by built-in classifiers assigned to a policy. Embedded files aren't displayed and the line numbering this view is helpful for referencing pertinent details among multiple reviewers.
+- **Plain text**: Text view that displays a line-numbered text-only view of the message and includes keyword highlighting in messages and attachments for sensitive info type terms, terms identified by built-in classifiers assigned to a policy, or for terms included in a dedicated keyword dictionary assigned to a policy. Keyword highlighting can help direct you to the area of interest in long messages and attachments. In some cases, highlighted text might be only in attachments for messages matching policy conditions. Embedded files aren't displayed and the line numbering in this view is helpful for referencing pertinent details among multiple reviewers.
- **Conversation (preview)**: Available for Microsoft Teams chat messages, this view displays up to five messages before and after an alert message to help reviewers view the activity in the conversational context. This context helps reviewers to quickly evaluate messages and make more informed message resolution decisions. Real-time message additions to conversations are displayed, including all inline images, emojis, and stickers available in Teams. Image or text file attachments to messages aren't displayed. Notifications are automatically displayed for messages that have been edited or for messages that have been deleted from the conversation window. When a message is resolved, the associated conversational messages aren't retained with the resolved message. Conversation messages are available for up to 60 days after the alert message is identified. - **User history**: User history view displays all other alerts generated by any communication compliance policy for the user sending the message. - **Pattern detected notification**: Many harassing and bullying actions over time and involve reoccurring instances of the same behavior by a user. The *Pattern detected* notification is displayed in the alert details and raises attention to the alert. Detection of patterns is on a per-policy basis and evaluates behavior over the last 30 days when at least two messages are sent to the same recipient by a sender. Investigators and reviewers can use this notification to identify repeated behavior to evaluate the alert as appropriate.
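Review bot: The new **Plain text** bullet says keyword highlighting covers "terms identified by built-in classifiers assigned to a policy", which reverses the removed sentence stating that highlighting isn't supported for those terms. Confirm this reflects a product change and not a limitation dropped during the rewrite. The bullet also now opens with a fragment ("Text view that displays ...") where the sibling bullets use full sentences.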
compliance Communication Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance.md
Communication compliance policies scan and capture messages across several commu
To learn more about messaging channel support in communication compliance policies, see [Detect channel signals with communication compliance](/microsoft-365/compliance/communication-compliance-channels).
+## Get started with recommended actions (preview)
+
+Whether you're setting up communication compliance for the first time or getting started with creating new policies, the new [recommended actions](/microsoft-365/compliance/communication-compliance-configure#recommended-actions-preview) experience can help you get the most out of communication compliance capabilities. Recommended actions include setting up permissions, creating distribution groups, creating a policy, and more
+ ## Workflow Communication compliance helps you address common pain points associated with complying with internal policies and regulatory compliance requirements. With focused policy templates and a flexible workflow, you can use actionable insights to quickly resolve detected compliance issues.
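Review bot: The added paragraph under "Get started with recommended actions (preview)" ends at "creating a policy, and more" with no terminal period. Add the period, and check that the `#recommended-actions-preview` anchor resolves to a heading in the configure article.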
compliance Create A Custom Sensitive Information Type In Scc Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type-in-scc-powershell.md
Note that for email, the message body and each attachment are treated as separat
The more evidence that a pattern requires, the more confidence you have that an actual entity (such as employee ID) has been identified when the pattern is matched. For example, you have more confidence in a pattern that requires a nine-digit ID number, hire date, and keyword in close proximity, than you do in a pattern that requires only a nine-digit ID number.
-The Pattern element has a required confidenceLevel attribute. You can think of the value of confidenceLevel (an integer between 1 and 100) as a unique ID for each pattern in an entity ΓÇö the patterns in an entity must have different confidence levels that you assign. The precise value of the integer doesn't matter ΓÇö simply pick numbers that make sense to your compliance team. After you upload your custom sensitive information type and then create a policy, you can reference these confidence levels in the conditions of the rules that you create.
+The Pattern element has a required confidenceLevel attribute. You can think of the value of confidenceLevel (a value among 65/75/85 indicating Low/Medium/High confidence levels) as a unique ID for each pattern in an entity. After you upload your custom sensitive information type and then create a policy, you can reference these confidence levels in the conditions of the rules that you create.
![XML markup showing Pattern elements with different values for confidenceLevel attribute.](../media/sit-xml-markedup-2.png)
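Review bot: The rewritten sentence still calls confidenceLevel "a unique ID for each pattern in an entity" but now limits it to three values (65/75/85) and drops the statement that patterns in an entity must have different confidence levels. With only three values available, say explicitly whether two patterns in one entity may share a level, or whether an entity is limited to three patterns. As written, "unique ID" and a three-value range pull in different directions.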
compliance Disposition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/disposition.md
As you can see from the example shown, the actions supported are:
- **Approve disposal**: - When this action is selected for an interim stage of disposition review (you've configured multiple stages): The item moves to the next disposition stage.
- - When this action is selected for the final stage of disposition review, or there's only one stage of disposition: The item is marked as eligible for permanent deletion, which a timer job then actions within 7 days. The exact timing for the item to then be permanently deleted depends on the workload. For more information, see [How retention works for SharePoint and OneDrive](retention-policies-sharepoint.md#how-retention-works-for-sharepoint-and-onedrive) and [How retention works for Exchange](retention-policies-exchange.md#how-retention-works-for-exchange).
+ - When this action is selected for the final stage of disposition review, or there's only one stage of disposition: The item is marked as eligible for permanent deletion, which happens within 15 days.
- **Relabel**: - When this action is selected, the item exits the disposition review process for the original label. The item is then subject to the retention settings of the newly selected retention label.
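Review bot: The final-stage bullet replaces "a timer job then actions within 7 days" plus the workload-dependent timing caveat with a flat "happens within 15 days", and removes both links to how retention works for SharePoint/OneDrive and Exchange. State whether 15 days is the upper bound for every workload. If timing still varies by workload, keep the links, because reviewers approving disposal need to know when content actually becomes unrecoverable.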
compliance Encryption Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/encryption-sensitivity-labels.md
Before you can use encryption, you might need to do some configuration tasks. Wh
You might need to make some changes on your network devices such as firewalls. For details, see [Firewalls and network infrastructure](/azure/information-protection/requirements#firewalls-and-network-infrastructure) from the Azure Information Protection documentation.
+- Check your Azure AD configuration
+
+ There are some Azure Active Directory (Azure AD) configurations that can prevent authorized access to encrypted content. For example, cross-tenant access settings and Conditional Access policies. For more information, see [Azure AD configuration for encrypted content](encryption-azure-ad-configuration.md).
+ - Configure Exchange for Azure Information Protection Exchange doesn't have to be configured for Azure Information Protection before users can apply labels in Outlook to encrypt their emails. However, until Exchange is configured for Azure Information Protection, you don't get the full functionality of using Azure Rights Management protection with Exchange.
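Review bot: In the new "Check your Azure AD configuration" item, "For example, cross-tenant access settings and Conditional Access policies." is a sentence fragment. Fold it into the preceding sentence, for instance "... can prevent authorized access to encrypted content, such as cross-tenant access settings and Conditional Access policies."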
Before you can use encryption, you might need to do some configuration tasks. Wh
4. On the **Encryption** page, select one of the following options:
- - **Remove encryption if the file or email is encrypted**: This option is supported by the Azure Information Protection unified labeling client only. When you select this option and use built-in labeling, the label might not display in apps, or display and not make any encryption changes.
+ - **Remove encryption if the file or email is encrypted**: When you select this option, applying the label will remove existing encryption, even if it was applied independently from a sensitivity label.
- For more information about this scenario, see the [What happens to existing encryption when a label's applied](#what-happens-to-existing-encryption-when-a-labels-applied) section. It's important to understand that this setting can result in a sensitivity label that users might not be able to apply when they don't have sufficient permissions.
+ It's important to understand that this setting can result in a sensitivity label that users might not be able to apply when they don't have sufficient permissions to remove the existing encryption. For more information about this scenario, see the [What happens to existing encryption when a label's applied](#what-happens-to-existing-encryption-when-a-labels-applied) section.
- **Configure encryption settings**: Turns on encryption and makes the encryption settings visible:
Before you can use encryption, you might need to do some configuration tasks. Wh
### What happens to existing encryption when a label's applied
-> [!NOTE]
-> The option **Remove encryption if the file or email is encrypted** is supported only by the Azure Information Protection unified labeling client. You can achieve the same effect for emails by [configuring a mail flow rule](define-mail-flow-rules-to-encrypt-email.md#use-the-eac-to-create-a-rule-to-remove-encryption-from-email-messages-with-microsoft-purview-message-encryption).
- If a sensitivity label is applied to unencrypted content, the outcome of the encryption options you can select is self-explanatory. For example, if you didn't select **Encrypt files and emails**, the content remains unencrypted. However, the content might be already encrypted. For example, another user might have applied:
However, the content might be already encrypted. For example, another user might
The following table identifies what happens to existing encryption when a sensitivity label is applied to that content:
-| | Encryption: Not selected | Encryption: Configured | Encryption: Remove <sup>\*</sup> |
+| | Encryption: Not selected | Encryption: Configured | Encryption: Remove |
|:--|:--|:--|:--| |**Permissions specified by a user**|Original encryption is preserved|New label encryption is applied|Original encryption is removed| |**Protection template**|Original encryption is preserved|New label encryption is applied|Original encryption is removed| |**Label with administator-defined permissions**|Original encryption is removed|New label encryption is applied|Original encryption is removed|
-**Footnote:**
-
-<sup>\*</sup>
-Supported by the Azure Information Protection unified labeling client only
- In the cases where the new label encryption is applied or the original encryption is removed, this happens only if the user who applies the label has a usage right or role that supports this action: - The [usage right](/azure/information-protection/configure-usage-rights#usage-rights-and-descriptions) Export or Full Control.
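Review bot: The table row directly below the edited header still reads "Label with administator-defined permissions". Since this hunk already touches the table, correct it to "administrator-defined" in the same change. The footnote removal is consistent with dropping the asterisk from the "Encryption: Remove" column header.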
compliance Endpoint Dlp Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-learn-about.md
Endpoint DLP supports monitoring of these file types through policy:
- .txt files - .rtf files - .c files-- .class files
+- .class files (Windows only)
- .cpp files - .cs files - .h files
Onboarding and offboarding are handled via scripts you download from the Device
Use the procedures in [Getting started with Microsoft 365 Endpoint DLP](endpoint-dlp-getting-started.md) to onboard devices.
-If you have onboarded devices through [Microsoft Defender for Endpoint](../security/defender-endpoint/configure-machines-onboarding.md), those devices will automatically show up in the list of devices. This is because onboarding to Defender also onboards devices to DLP. You only need to **Turn on device monitoring** to use endpoint DLP. .
+If you have onboarded devices through [Microsoft Defender for Endpoint](../security/defender-endpoint/configure-machines-onboarding.md), those devices will automatically show up in the list of devices. This is because onboarding to Defender also onboards devices to DLP. You only need to **Turn on device monitoring** to use endpoint DLP.
> [!div class="mx-imgBorder"] > ![managed devices list.](../media/endpoint-dlp-learn-about-2-device-list.png)
compliance Sensitivity Labels Office Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-office-apps.md
For a more consistent label experience with meaningful reporting, provide approp
## Encryption-based label matching for documents
-When a document has been encrypted with administrator-defined permissions, the encryption information includes information about a matching sensitivity label. As a result, when a user opens that document in an Office app, the matching label is displayed in the Office app and persists if the document is saved.
+When a document has been encrypted with administrator-defined permissions, the encryption policy is embedded in the document. This happens independently from labeling. For example, when an Office attachment inherits encryption from an email message, or a user has applied a protection template by using Information Rights Management (IRM) in their Office app. If a sensitivity label in the tenant matches that same encryption policy, Office apps will automatically assign that matching label to the document.
In this scenario, the matching sensitivity label can label an unlabeled document, and replace an existing label that doesn't apply encryption. For example, the **General** label is replaced with **Confidential / All Employees**. Content markings from the matching label aren't automatically applied, unless the document was previously unlabeled and you're using the AIP Add-in.
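Review bot: In the rewritten opening paragraph, "For example, when an Office attachment inherits encryption from an email message, or a user has applied a protection template by using Information Rights Management (IRM) in their Office app." has no main clause. Attach it to the previous sentence ("This happens independently from labeling, for example when ...") so the two cases read as examples of encryption applied without a label.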
However, you will also see this behavior with a labeling scenario for email atta
As an auditing event that's displayed in Activity Explorer, this user applied the label, not the email sender.
-Encryption-based label matching works only within the tenant, for admin-defined permissions, and the matching sensitivity label must be published to the user who opens the document.
+Encryption-based label matching works only within the tenant, for admin-defined permissions, and the matching sensitivity label must be published to the user who opens the document. The matching label persists if the document is saved.
## Sensitivity label compatibility
compliance Sensitivity Labels Sharepoint Default Label https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-default-label.md
description: "Configure a default sensitivity label for a SharePoint document li
>*[Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).* > [!NOTE]
-> This feature is gradually rolling out in preview and subject to change. It is also a premium feature with licensing details to be provided when the feature becomes generally available (GA).
+> This feature is in preview and subject to change. It is also a premium feature with licensing details to be provided when the feature becomes generally available (GA).
> > To read the preview announcement, see the [blog post](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/public-preview-default-label-for-a-document-library-in/ba-p/3585136).
For an existing document library:
If you're creating a new document library, you can configure the same **Default sensitivity labels** setting from the **Create document library** flyout pane.
-> [!NOTE]
-> These new settings are gradually rolling out to tenants. If you don't see them, try again in a few days.
+The permissions required to set and change a default sensitivity label for a SharePoint library are inherited. As with the ability to change the library name and description, any SharePoint site member has this permission.
## Monitoring application of library default sensitivity labels
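Review bot: The added sentence says the permissions "are inherited" without saying from what, and then states that any SharePoint site member can set or change the library's default sensitivity label. Name the source of the inheritance (the site or the library), and because this is a wide grant for a setting that decides how new files are labeled, point readers to the monitoring section that follows so they know how to review changes.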
compliance Teams Workflow In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/teams-workflow-in-advanced-ediscovery.md
There are six categories of Teams content that you can collect and process using
## Where Teams content is stored
-A prerequisite to managing Teams content in eDiscovery (Premium) is to understand the type of Teams content that you can collect, process, and review in eDiscovery (Premium) and where that content is stored in Microsoft 365. The following table lists Teams content type and where each is stored.
+A prerequisite to managing Teams content in eDiscovery (Premium) is to understand the type of Teams content that you can collect, process, and review in eDiscovery (Premium) and where that content is stored in Microsoft 365.
+
+Teams data is stored in Azure Cosmos DB. Teams compliance records captured by the substrate are in Exchange Online and are available for ediscovery.
+
+The following table lists Teams content type and where each is stored for complaince purpose. The data stored in Exchange online is hidden from clients. eDiscovery never operates against the real Teams message data, which remains in Azure Cosmos DB.
|&nbsp;|Location of chat messages and posts|Location of files and attachments| ||||
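Review bot: The new paragraphs contain "complaince purpose" (should be "compliance purposes"), "ediscovery" in lower case where the rest of the article uses "eDiscovery", and "Exchange online" next to "Exchange Online". Also name "the substrate" on first use or link it. The key point, that eDiscovery works on compliance copies in Exchange Online and not on the live data in Azure Cosmos DB, depends on that term being understood.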
enterprise Cross Tenant Mailbox Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/cross-tenant-mailbox-migration.md
f1.keywords:-- NOCSH
+ - NOCSH
Last updated 06/20/2022 -- it-pro-- admindeeplinkMAC-- admindeeplinkEXCHANGE
+ - it-pro
+ - admindeeplinkMAC
+ - admindeeplinkEXCHANGE
-- M365-subscription-management
+ - M365-subscription-management
# Cross-tenant mailbox migration (preview)
Cross-tenant Exchange mailbox migrations are supported for tenants in hybrid or
This article describes the process for cross-tenant mailbox moves and provides guidance on how to prepare source and target tenants for the Exchange Online mailbox content moves.
- > [!NOTE]
- > We've recently updated our setup steps to enable cross-tenant mailbox migration to no longer require Azure Key Vault! If this is the first time you are onboarding to this preview, no action is required, and you can go ahead and follow the steps detailed in this document. If you have started configuring your tenants using the previous AKV method, we highly recommend you stop or remove that configuration to begin using this new method. If you have mailbox migrations in progress with the previous AKV method, then please wait until your existing migrations are complete and follow the steps below to enable the new simplified method. Azure Key Vault required setup steps are archived but can be found **[here](https://github.com/microsoft/cross-tenant/wiki/V1-Content#cross-tenant-mailbox-migration-preview)**, for reference.
+> [!IMPORTANT]
+> When a mailbox is migrated Cross-Tenant with this feature, all email, including email held for litigation, is migrated. After successful migration, the source mailbox is deleted. This means that after the migration, under no circumstances (including mailboxes on litigation or retention hold), is the source mailbox available, discoverable, or accessible in the source tenant.
+> Currently we are investigating an issue where in some scenarios, Teams chat data is also held in the mailbox, but the Teams chat data is not migrated. If Teams chat data must be preserved, do not use this feature to migrate the mailbox.
+
+> [!NOTE]
+> If you are interested in previewing our new feature Domain Sharing for email alongside your cross-tenant mailbox migrations, please complete the form at [aka.ms/domainshringpreview](https://aka.ms/domainshringpreview). Domain sharing for email enables users in separate Microsoft 365 tenants to send and receive email using addresses from the same custom domain. The feature is intended to solve scenarios where users in separate tenants need to represent a common corporate brand in their email addresses. The current preview supports sharing domains indefinitely and shared domains during cross-tenant mailbox migration coexistence.
## Preparing source and target tenants
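Review bot: The removed note was the only text telling tenants already configured with the earlier Azure Key Vault method what to do, and where the archived steps live. If that path is still in use by anyone mid-migration, keep a one-line pointer. Separately, the short link in the new note reads "aka.ms/domainshringpreview" in both the link text and the URL, so confirm the alias spelling is intended. In the new IMPORTANT callout, the Teams chat sentence follows the litigation-hold warning with no blank ">" line between them, so the two warnings render as one paragraph.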
To obtain the tenant ID of a subscription, sign in to the [Microsoft 365 admin c
### Configuration steps to enable your tenants for cross-tenant mailbox migrations
- > [!NOTE]
- > You must configure the target (destination) first. To complete these steps, you are not required to have or know the tenant admin credentials for both source and target tenant. Steps can be performed individually for each tenant by different administrators.
+> [!NOTE]
+> You must configure the target (destination) first. To complete these steps, you are not required to have or know the tenant admin credentials for both source and target tenant. Steps can be performed individually for each tenant by different administrators.
### Prepare the target (destination) tenant by creating the migration application and secret
To obtain the tenant ID of a subscription, sign in to the [Microsoft 365 admin c
18. In the Add a client secret window, enter a description, and configure your desired expiration settings.
- > [!NOTE]
- > This is the password that will be used when creating your migration endpoint. It is extremely important that you copy this password to your clipboard and or copy this password to secure/secret password safe location. This is the only time you will be able to see this password! If you do somehow lose it or need to reset it, you can log back into our Azure portal, go to App registrations, find your migration app, select Secrets & certificates, and create a new secret for your app.
+ > [!NOTE]
+ > This is the password that will be used when creating your migration endpoint. It is extremely important that you copy this password to your clipboard and or copy this password to secure/secret password safe location. This is the only time you will be able to see this password! If you do somehow lose it or need to reset it, you can log back into our Azure portal, go to App registrations, find your migration app, select Secrets & certificates, and create a new secret for your app.
19. Now that you've successfully created the migration application and secret, you'll need to consent to the application. To consent to the application, go back to the Azure Active Directory landing page, click on Enterprise applications in the left navigation, find your migration app you created, select it, and select Permissions on the left navigation.
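Review bot: This hunk only re-indents the note, but the text it carries still says "copy this password to your clipboard and or copy this password to secure/secret password safe location". While the line is being touched, fix the "and or" wording and lead with storing the client secret in a password manager or vault, not the clipboard, since this secret is what the migration endpoint authenticates with.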
Users migrating must be present in the target tenant and Exchange Online system
Ensure the following objects and attributes are set in the target organization.
->[!TIP]
->Microsoft is developing a feature to provide a secure automated method to set many of the attributes in the following section. This feature, named Cross-Tenant Identity Mapping, is currently looking for customers willing to participate in a small private preview. For more information about this pre-release feature and how it can simplify your cross-tenant migration processes, see the article **[Cross-Tenant Identity Mapping](cross-tenant-identity-mapping.md)**.
+> [!TIP]
+> Microsoft is developing a feature to provide a secure automated method to set many of the attributes in the following section. This feature, named Cross-Tenant Identity Mapping, is currently looking for customers willing to participate in a small private preview. For more information about this pre-release feature and how it can simplify your cross-tenant migration processes, see the article **[Cross-Tenant Identity Mapping](cross-tenant-identity-mapping.md)**.
1. For any mailbox moving from a source organization, you must provision a MailUser object in the Target organization: - The Target MailUser must have these attributes from the source mailbox or assigned with the new User object:
- - ExchangeGUID (direct flow from source to target): The mailbox GUID must match. The move process will not proceed if this isn't present on target object.
- - ArchiveGUID (direct flow from source to target): The archive GUID must match. The move process won't proceed if this isn't present on the target object. (This is only required if the source mailbox is Archive enabled).
- - LegacyExchangeDN (flow as proxyAddress, "x500:\<LegacyExchangeDN>"): The LegacyExchangeDN must be present on target MailUser as x500: proxyAddress. In addition, you also need to copy all x500 addresses from the source mailbox to the target mail user. The move processes won't proceed if these aren't present on the target object.
- - UserPrincipalName: UPN will align to the user's NEW identity or target company (for example, user@northwindtraders.onmicrosoft.com).
- - Primary SMTPAddress: Primary SMTP address will align to the user's NEW company (for example, user@northwind.com).
- - TargetAddress/ExternalEmailAddress: MailUser will reference the user's current mailbox hosted in source tenant (for example user@contoso.onmicrosoft.com). When assigning this value, verify that you have/are also assigning PrimarySMTPAddress or this value will set the PrimarySMTPAddress, which will cause move failures.
- - You can't add legacy smtp proxy addresses from source mailbox to target MailUser. For example, you can't maintain contoso.com on the MEU in fabrikam.onmicrosoft.com tenant objects). Domains are associated with one Azure AD or Exchange Online tenant only.
+
+ - ExchangeGUID (direct flow from source to target): The mailbox GUID must match. The move process will not proceed if this isn't present on target object.
+ - ArchiveGUID (direct flow from source to target): The archive GUID must match. The move process won't proceed if this isn't present on the target object. (This is only required if the source mailbox is Archive enabled).
+ - LegacyExchangeDN (flow as proxyAddress, "x500:\<LegacyExchangeDN>"): The LegacyExchangeDN must be present on target MailUser as x500: proxyAddress. In addition, you also need to copy all x500 addresses from the source mailbox to the target mail user. The move processes won't proceed if these aren't present on the target object.
+ - UserPrincipalName: UPN will align to the user's NEW identity or target company (for example, user@northwindtraders.onmicrosoft.com).
+ - Primary SMTPAddress: Primary SMTP address will align to the user's NEW company (for example, user@northwind.com).
+ - TargetAddress/ExternalEmailAddress: MailUser will reference the user's current mailbox hosted in source tenant (for example user@contoso.onmicrosoft.com). When assigning this value, verify that you have/are also assigning PrimarySMTPAddress or this value will set the PrimarySMTPAddress, which will cause move failures.
+ - You can't add legacy smtp proxy addresses from source mailbox to target MailUser. For example, you can't maintain contoso.com on the MEU in fabrikam.onmicrosoft.com tenant objects). Domains are associated with one Azure AD or Exchange Online tenant only.
Example **target** MailUser object:
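Review bot: The last re-indented bullet ends with an unmatched closing parenthesis ("... on the MEU in fabrikam.onmicrosoft.com tenant objects)."). Since this hunk touches every bullet in the list, drop the stray ")" or open the parenthesis before "For example". The same pass could align the wording across bullets: the ExchangeGUID item says "will not proceed" and "on target object", the ArchiveGUID item says "won't proceed" and "on the target object", and the LegacyExchangeDN item says "The move processes". In the TargetAddress bullet, "verify that you have/are also assigning PrimarySMTPAddress" is hard to parse; "make sure PrimarySMTPAddress is also assigned" would read more cleanly.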
Ensure the following objects and attributes are set in the target organization.
2. If the source mailbox is on LitigationHold and the source mailbox Recoverable Items size is greater than our database default (30 GB), moves will not proceed since the target quota is less than the source mailbox size. You can update the target MailUser object to transition the ELC mailbox flags from the source environment to the target, which triggers the target system to expand the quota of the MailUser to 100 GB, thus allowing the move to the target. These instructions will work only for hybrid identity running Azure AD Connect, as the commands to stamp the ELC flags are not exposed to tenant administrators.
- > [!NOTE]
- > SAMPLE ΓÇô AS IS, NO WARRANTY
- >
- > This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory (to stamp the ADUser object). If source has litigation or single item recovery enabled, set this on the destination account. This will increase the dumpster size of destination account to 100 GB.
+ > [!NOTE]
+ > SAMPLE ΓÇô AS IS, NO WARRANTY
+ >
+ > This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory (to stamp the ADUser object). If source has litigation or single item recovery enabled, set this on the destination account. This will increase the dumpster size of destination account to 100 GB.
- ```powershell
- $ELCValue = 0
- if ($source.LitigationHoldEnabled) {$ELCValue = $ELCValue + 8} if ($source.SingleItemRecoveryEnabled) {$ELCValue = $ELCValue + 16} if ($ELCValue -gt 0) {Set-ADUser -Server $domainController -Identity $destination.SamAccountName -Replace @{msExchELCMailboxFlags=$ELCValue}}
- ```
+ ```powershell
+ $ELCValue = 0
+ if ($source.LitigationHoldEnabled) {$ELCValue = $ELCValue + 8} if ($source.SingleItemRecoveryEnabled) {$ELCValue = $ELCValue + 16} if ($ELCValue -gt 0) {Set-ADUser -Server $domainController -Identity $destination.SamAccountName -Replace @{msExchELCMailboxFlags=$ELCValue}}
+ ```
3. Non-hybrid target tenants can modify the quota on the Recoverable Items folder for the MailUsers prior to migration by running the following command to enable Litigation Hold on the MailUser object and increasing the quota to 100 GB:
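Review bot: In the sample, `-Replace @{msExchELCMailboxFlags=$ELCValue}` overwrites the whole attribute with only the 8 and 16 values computed here, so any value already set on the target ADUser is lost. Either read the current value and combine it with the new flags, or state in the note that the target object is expected to have no flags set. `$source`, `$destination` and `$domainController` are used but never defined in the snippet, and the note only says a connection to both sides is assumed, so a line showing how each is populated would help. The three `if` statements are also run together on one line; one statement per line would make the sample easier to read and copy.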
Ensure the following objects and attributes are set in the target organization.
4. Users in the target organization must be licensed with appropriate Exchange Online subscriptions applicable for the organization. You may apply a license in advance of a mailbox move but ONLY once the target MailUser is properly set up with ExchangeGUID and proxy addresses. Applying a license before the ExchangeGUID is applied will result in a new mailbox provisioned in target organization.
- > [!NOTE]
- > When you apply a license on a Mailbox or MailUser object, all SMTP type proxyAddresses are scrubbed to ensure only verified domains are included in the Exchange EmailAddresses array.
+ > [!NOTE]
+ > When you apply a license on a Mailbox or MailUser object, all SMTP type proxyAddresses are scrubbed to ensure only verified domains are included in the Exchange EmailAddresses array.
5. You must ensure that the target MailUser has no previous ExchangeGuid that does not match the Source ExchangeGuid. This might occur if the target MEU was previously licensed for Exchange Online and provisioned a mailbox. If the target MailUser was previously licensed for or had an ExchangeGuid that does not match the Source ExchangeGuid, you need to perform a cleanup of the cloud MEU. For these cloud MEUs, you can run `Set-User <identity> -PermanentlyClearPreviousMailboxInfo`.
- > [!CAUTION]
- > This process is irreversible. If the object has a softDeleted mailbox, it cannot be restored after this point. Once cleared, however, you can synchronize the correct ExchangeGuid to the target object and MRS will connect the source mailbox to the newly created target mailbox. (Reference EHLO blog on the new parameter.)
+ > [!CAUTION]
+ > This process is irreversible. If the object has a softDeleted mailbox, it cannot be restored after this point. Once cleared, however, you can synchronize the correct ExchangeGuid to the target object and MRS will connect the source mailbox to the newly created target mailbox. (Reference EHLO blog on the new parameter.)
- Find objects that were previously mailboxes using this command.
+ Find objects that were previously mailboxes using this command.
- ```powershell
- Get-User <identity> | select Name, *recipient* | Format-Table -AutoSize
- ```
+ ```powershell
+ Get-User <identity> | select Name, *recipient* | Format-Table -AutoSize
+ ```
- Here is an example.
+ Here is an example.
- ```powershell
- Get-User John@northwindtraders.com |select name, *recipient*| Format-Table -AutoSize
+ ```powershell
+ Get-User John@northwindtraders.com |select name, *recipient*| Format-Table -AutoSize
- Name PreviousRecipientTypeDetails RecipientType RecipientTypeDetails
- - - - --
- John UserMailbox MailUser MailUser
- ```
+ Name PreviousRecipientTypeDetails RecipientType RecipientTypeDetails
+ - - - --
+ John UserMailbox MailUser MailUser
+ ```
- Clear the soft-deleted mailbox using this command.
+ Clear the soft-deleted mailbox using this command.
- ```powershell
- Set-User <identity> -PermanentlyClearPreviousMailboxInfo
- ```
+ ```powershell
+ Set-User <identity> -PermanentlyClearPreviousMailboxInfo
+ ```
- Here is an example.
+ Here is an example.
- ```powershell
- Set-User John@northwindtraders.com -PermanentlyClearPreviousMailboxInfo -Confirm
+ ```powershell
+ Set-User John@northwindtraders.com -PermanentlyClearPreviousMailboxInfo -Confirm
- Are you sure you want to perform this action?
- Delete all existing information about user "John@northwindtraders.com"?. This operation will clear existing values from Previous home MDB and Previous Mailbox GUID of the user. After deletion, reconnecting to the previous mailbox that existed in the cloud will not be possible and any content it had will be unrecoverable PERMANENTLY.
- Do you want to continue?
- [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y
- ```
+ Are you sure you want to perform this action?
+ Delete all existing information about user "John@northwindtraders.com"?. This operation will clear existing values from Previous home MDB and Previous Mailbox GUID of the user. After deletion, reconnecting to the previous mailbox that existed in the cloud will not be possible and any content it had will be unrecoverable PERMANENTLY.
+ Do you want to continue?
+ [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y
+ ```
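Review bot: The CAUTION text ends with "(Reference EHLO blog on the new parameter.)", which reads as an unfinished editing note with no link; link the post or remove the parenthetical. Because the step is described as irreversible, the generic form `Set-User <identity> -PermanentlyClearPreviousMailboxInfo` and the example that adds `-Confirm` should agree, or the text should say when the confirmation prompt appears. Both example blocks place console output inside a `powershell` fence directly under the command, and the Get-User example uses `|select name, *recipient*|` with different spacing and casing than the generic command above it.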
### Perform mailbox migrations
T2Tbatch Syncing ExchangeRemoteMove 1
> > [For an example CSV file click here](/exchange/csv-files-for-mailbox-migration-exchange-2013-help)
-Migration batch submission is also supported from the new <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> when selecting the cross-tenant option.
+Migration batch submission is also supported from the new [Exchange admin center](https://go.microsoft.com/fwlink/p/?linkid=2059104) when selecting the cross-tenant option.
### Update on-premises MailUsers
Once the mailbox moves from source to target, you should ensure that the on-prem
### Do we need to update RemoteMailboxes in source on-premises after the move?
-Yes, you should update the targetAddress (RemoteRoutingAddress/ExternalEmailAddress) of the source on-premises users when the source tenant mailbox moves to target tenant. While mail routing can follow the referrals across multiple mail users with different targetAddresses, Free/Busy lookups for mail users MUST target the location of the mailbox user. Free/Busy lookups will not chase multiple redirects.
+Yes, you should update the targetAddress (RemoteRoutingAddress/ExternalEmailAddress) of the source on-premises users when the source tenant mailbox moves to target tenant. While mail routing can follow the referrals across multiple mail users with different targetAddresses, Free/Busy lookups for mail users MUST target the location of the mailbox user. Free/Busy lookups will not chase multiple redirects.
### Do Teams meetings migrate cross-tenant?
The meetings will move, however the Teams meeting URL does not update when items
### Does the Teams chat folder content migrate cross-tenant?
-No, the Teams chat folder content does not migrate cross-tenant.
+No, the Teams chat folder content does not migrate cross-tenant. When a mailbox is migrated Cross-Tenant with this feature, all email, including email held for litigation, is migrated. After successful migration, the source mailbox is deleted. This means that after the migration, under no circumstances (including mailboxes on litigation or retention hold), is the source mailbox available, discoverable, or accessible in the source tenant.
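Review bot: The sentences added after "No, the Teams chat folder content does not migrate cross-tenant." concern litigation-hold mail and deletion of the source mailbox, which is not what this FAQ heading asks, so a reader looking for hold and discovery behaviour will not find it here. Move the text to its own question or to a callout near the migration steps. "migrated Cross-Tenant" should be lower case to match the rest of the article, and the comma before "is the source mailbox available" should be removed.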
### How can I see just moves that are cross-tenant moves, not my onboarding and off-boarding moves?
Get-MoveRequest -Flags "CrossTenant"
> [!NOTE] > SAMPLE ΓÇô AS IS, NO WARRANTY
-> This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory Domain Services (to stamp the ADUser object). If source has litigation or single item recovery enabled, set this on the destination account. This will increase the dumpster size of destination account to 100 GB.
+> This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory Domain Services (to stamp the ADUser object). If source has litigation or single item recovery enabled, set this on the destination account. This will increase the dumpster size of destination account to 100 GB.
- ```powershell
- # This will export users from the source tenant with the CustomAttribute1 = "Cross-Tenant-Project"
- # These are the 'target' users to be moved to the Northwind org tenant
- $outFileUsers = "$home\desktop\UsersToMigrate.txt"
- $outFileUsersXML = "$home\desktop\UsersToMigrate.xml"
- Get-Mailbox -Filter "CustomAttribute1 -like 'Cross-Tenant-Project'" -ResultSize Unlimited | Select-Object -ExpandProperty Alias | Out-File $outFileUsers
- $mailboxes = Get-Content $outFileUsers
- $mailboxes | ForEach-Object {Get-Mailbox $_} | Select-Object PrimarySMTPAddress,Alias,SamAccountName,FirstName,LastName,DisplayName,Name,ExchangeGuid,ArchiveGuid,LegacyExchangeDn,EmailAddresses | Export-Clixml $outFileUsersXML
- ```
+```powershell
+# This will export users from the source tenant with the CustomAttribute1 = "Cross-Tenant-Project"
+# These are the 'target' users to be moved to the Northwind org tenant
+$outFileUsers = "$home\desktop\UsersToMigrate.txt"
+$outFileUsersXML = "$home\desktop\UsersToMigrate.xml"
+Get-Mailbox -Filter "CustomAttribute1 -like 'Cross-Tenant-Project'" -ResultSize Unlimited | Select-Object -ExpandProperty Alias | Out-File $outFileUsers
+$mailboxes = Get-Content $outFileUsers
+$mailboxes | ForEach-Object {Get-Mailbox $_} | Select-Object PrimarySMTPAddress,Alias,SamAccountName,FirstName,LastName,DisplayName,Name,ExchangeGuid,ArchiveGuid,LegacyExchangeDn,EmailAddresses | Export-Clixml $outFileUsersXML
+```
- ```powershell
- # Copy the file $outfile to the desktop of the target on-premises then run the below to create MEU in Target
- $mailboxes = Import-Clixml $home\desktop\UsersToMigrate.xml
- add-type -AssemblyName System.Web
- foreach ($m in $mailboxes) {
- $organization = "@contoso.onmicrosoft.com"
- $mosi = $m.Alias+$organization
- $Password = [System.Web.Security.Membership]::GeneratePassword(16,4) | ConvertTo-SecureString -AsPlainText -Force
- $x500 = "x500:" +$m.LegacyExchangeDn
- $tmpUser = New-MailUser -MicrosoftOnlineServicesID $mosi -PrimarySmtpAddress $mosi -ExternalEmailAddress $m.PrimarySmtpAddress -FirstName $m.FirstName -LastName $m.LastName -Name $m.Name -DisplayName $m.DisplayName -Alias $m.Alias -Password $Password
- $tmpUser | Set-MailUser -EmailAddresses @{add=$x500} -ExchangeGuid $m.ExchangeGuid -ArchiveGuid $m.ArchiveGuid -CustomAttribute1 "Cross-Tenant-Project"
- $tmpx500 = $m.EmailAddresses | ?{$_ -match "x500"}
- $tmpx500 | %{Set-MailUser $m.Alias -EmailAddresses @{add="$_"}}
- }
- ```
+```powershell
+# Copy the file $outfile to the desktop of the target on-premises then run the below to create MEU in Target
+$mailboxes = Import-Clixml $home\desktop\UsersToMigrate.xml
+add-type -AssemblyName System.Web
+foreach ($m in $mailboxes) {
+ $organization = "@contoso.onmicrosoft.com"
+ $mosi = $m.Alias+$organization
+ $Password = [System.Web.Security.Membership]::GeneratePassword(16,4) | ConvertTo-SecureString -AsPlainText -Force
+ $x500 = "x500:" +$m.LegacyExchangeDn
+ $tmpUser = New-MailUser -MicrosoftOnlineServicesID $mosi -PrimarySmtpAddress $mosi -ExternalEmailAddress $m.PrimarySmtpAddress -FirstName $m.FirstName -LastName $m.LastName -Name $m.Name -DisplayName $m.DisplayName -Alias $m.Alias -Password $Password
+ $tmpUser | Set-MailUser -EmailAddresses @{add=$x500} -ExchangeGuid $m.ExchangeGuid -ArchiveGuid $m.ArchiveGuid -CustomAttribute1 "Cross-Tenant-Project"
+ $tmpx500 = $m.EmailAddresses | ?{$_ -match "x500"}
+ $tmpx500 | %{Set-MailUser $m.Alias -EmailAddresses @{add="$_"}}
+ }
+```
- ```powershell
- # Now sync the changes from On-Premises to Azure and Exchange Online in the Target tenant
- # This action should create the target mail enabled users (MEUs) in the Target tenant
- Start-ADSyncSyncCycle
- ```
+```powershell
+# Now sync the changes from On-Premises to Azure and Exchange Online in the Target tenant
+# This action should create the target mail enabled users (MEUs) in the Target tenant
+Start-ADSyncSyncCycle
+```
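Review bot: The comment that opens the second script says to copy "the file $outfile", but no such variable exists; the export script defines `$outFileUsers` and `$outFileUsersXML`, and the import reads UsersToMigrate.xml, so name that file. The first script's comment describes users moving to the Northwind tenant, while the MEU creation loop builds the MicrosoftOnlineServicesID and primary SMTP address from "@contoso.onmicrosoft.com"; confirm which tenant the sample represents and make the names consistent. `$organization` is assigned inside the `foreach` although it never changes, the closing brace kept one leading space after the un-indent, and `[System.Web.Security.Membership]::GeneratePassword` depends on the System.Web assembly loaded by `add-type`, so the sample should state which PowerShell version it expects.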
### How do we access Outlook on Day 1 after the user mailbox is moved?
x500:/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn
> [!NOTE] > In addition to this X500 proxy, you will need to copy all X500 proxies from the mailbox in the source to the mailbox in the target.
-### Can the source and target tenant utilize the same domain name?
+### Can the source and target tenants utilize the same domain name?
-No. The source and target tenant domain names must be unique. For example, a source domain of contoso.com and the target domain of fourthcoffee.com.
+No, the source tenant and target tenant domain names must be unique. For example, a source domain of contoso.com and the target domain of fourthcoffee.com.
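Review bot: After the rewrite to "No, the source tenant and target tenant domain names must be unique.", the following sentence ("For example, a source domain of contoso.com and the target domain of fourthcoffee.com.") is still a fragment with no verb. Something like "For example, the source domain could be contoso.com and the target domain fourthcoffee.com." would complete it.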
### Will shared mailboxes move and still work?
To help you plan your migration, the table present [here](/exchange/mailbox-migr
Do remember that this feature is currently in preview and the SLA, and any applicable Service Levels do not apply to any performance or availability issues during the preview status of this feature.
-### Protecting documents in the source tenant consumable by users in the destination tenant.**
+### Protecting documents in the source tenant consumable by users in the destination tenant.\*\*
Cross-tenant migration only migrates mailbox data and nothing else. There are multiple other options, which are documented in the following blog post that may help: <https://techcommunity.microsoft.com/t5/security-compliance-and-identity/mergers-and-spinoffs/ba-p/910455>
-### Can I have the same labels in the destination tenant as you had in the source tenant, either as the only set of labels or an additional set of labels for the migrated users depending on alignment between the organizations.**
+### Can I have the same labels in the destination tenant as you had in the source tenant, either as the only set of labels or an additional set of labels for the migrated users depending on alignment between the organizations.\*\*
Because cross-tenant migrations do not export labels and there is no way to share labels between tenants, you can only achieve this by recreating the labels in the destination tenant.
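Review bot: Both headings now end in `\*\*`, which renders two literal asterisks; the trailing `**` looks like the leftover close of a bold span, so delete it rather than escape it. The second heading is phrased as a question but ends with a period, and it switches from "I" to "you" midway ("Can I have the same labels ... as you had").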
This can be done before the migration is complete, but you should not assign a l
SMTP:LaraN@contoso.onmicrosoft.com {SMTP:lara.newton@northwind.com} ```
- > [!NOTE]
- > The _contoso.onmicrosoft.com_ address is _not_ present in the EmailAddresses / proxyAddresses array.
+ > [!NOTE]
+ > The _contoso.onmicrosoft.com_ address is _not_ present in the EmailAddresses / proxyAddresses array.
- **Issue: MailUser objects with "external" primary SMTP addresses are modified / reset to "internal" company claimed domains**
- MailUser objects are pointers to non-local mailboxes. In the case for cross-tenant mailbox migrations, we use MailUser objects to represent either the source mailbox (from the target organization's perspective) or target mailbox (from the source organization's perspective). The MailUsers will have an ExternalEmailAddress (targetAddress) that points to the smtp address of the actual mailbox (ProxyTest@fabrikam.onmicrosoft.com) and primarySMTP address that represents the displayed SMTP address of the mailbox user in the directory. Some organizations choose to display the primary SMTP address as an external SMTP address, not as an address owned/verified by the local tenant (such as fabrikam.com rather than as contoso.com). However, once an Exchange service plan object is applied to the MailUser via licensing operations, the primary SMTP address is modified to show as a domain verified by the local organization (contoso.com). There are two potential reasons:
+ MailUser objects are pointers to non-local mailboxes. In the case for cross-tenant mailbox migrations, we use MailUser objects to represent either the source mailbox (from the target organization's perspective) or target mailbox (from the source organization's perspective). The MailUsers will have an ExternalEmailAddress (targetAddress) that points to the smtp address of the actual mailbox (ProxyTest@fabrikam.onmicrosoft.com) and primarySMTP address that represents the displayed SMTP address of the mailbox user in the directory. Some organizations choose to display the primary SMTP address as an external SMTP address, not as an address owned/verified by the local tenant (such as fabrikam.com rather than as contoso.com). However, once an Exchange service plan object is applied to the MailUser via licensing operations, the primary SMTP address is modified to show as a domain verified by the local organization (contoso.com). There are two potential reasons:
- When any Exchange service plan is applied to a MailUser, the Azure AD process starts to enforce proxy scrubbing to ensure that the local organization is not able to send mail out, spoof, or mail from another tenant. Any SMTP address on a recipient object with these service plans will be removed if the address is not verified by the local organization. As is the case in the example, the Fabikam.com domain is NOT verified by the contoso.onmicrosoft.com tenant, so the scrubbing removes that fabrikam.com domain. If you wish to persist these external domains on MailUser, either before the migration or after migration, you need to alter your migration processes to strip licenses after the move completes or before the move to ensure that the users have the expected external branding applied. You will need to ensure that the mailbox object is properly licensed to not affect mail service. - An example script to remove the service plans on a MailUser in the contoso.onmicrosoft.com tenant is shown here.
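Review bot: The list item that follows the re-indented paragraph spells the domain "Fabikam.com" where the rest of the text uses fabrikam.com. As shown here, a second bullet ("- An example script to remove the service plans ...") is run onto the end of the same line, so it will not render as its own list item; give it its own line while this block is being re-indented.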
This can be done before the migration is complete, but you should not assign a l
Set-MsolUserLicense -UserPrincipalName ProxyTest@contoso.com LicenseOptions $lo ```
- Results in the set of ServicePlans assigned are shown here.
+ Results in the set of ServicePlans assigned are shown here.
```powershell (Get-MsolUser -UserPrincipalName ProxyTest@contoso.com).licenses | Select-Object -ExpandProperty ServiceStatus |sort ProvisioningStatus -Descending
This can be done before the migration is complete, but you should not assign a l
| Name | | |
- | eDiscovery (Premium) Storage (500 GB) |
+ | eDiscovery (Premium) Storage (500 GB) |
| Customer Lockbox | | Data Loss Prevention | | Exchange Enterprise CAL Services (EOP, DLP) |
This can be done before the migration is complete, but you should not assign a l
| Exchange Online Plan 1 | | Exchange Online POP | | Exchange Online Protection |
- | Graph Connectors Search with Index |
+ | Graph Connectors Search with Index |
| Information Barriers | | Information Protection for Office 365 - Premium | | Information Protection for Office 365 - Standard | | Insights by MyAnalytics | | Microsoft Information Governance |
- | Microsoft Purview Audit (Premium) |
+ | Microsoft Purview Audit (Premium) |
| Microsoft Bookings | | Microsoft Business Center | | Microsoft Data Investigations |
- | Microsoft MyAnalytics (Full)
- | Microsoft Communications Compliance |
+ | Microsoft MyAnalytics (Full) |
+ | Microsoft Communications Compliance |
| Microsoft Communications DLP | | Microsoft Customer Key | | Microsoft 365 Advanced Auditing | | Microsoft Records Management |
- | Office 365 eDiscovery (Premium) |
+ | Office 365 eDiscovery (Premium) |
| Office 365 Advanced eDiscovery | | Microsoft Defender for Office 365 (Plan 1) | | Microsoft Defender for Office 365 (Plan 2) |
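Review bot: The re-indented rows keep pairs that look like old and new names for the same service plan: "Microsoft Purview Audit (Premium)" alongside "Microsoft 365 Advanced Auditing", and "Office 365 eDiscovery (Premium)" alongside "Office 365 Advanced eDiscovery". If both names are intentional, say so above the table; otherwise drop the superseded rows.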
enterprise Microsoft 365 Vpn Securing Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-vpn-securing-teams.md
Last updated 3/3/2022 audience: Admin -+ ms.localizationpriority: medium search.appverid: - MET150
enterprise Microsoft 365 Vpn Split Tunnel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-vpn-split-tunnel.md
Last updated 3/3/2022 audience: Admin -+ ms.localizationpriority: medium search.appverid: - MET150
enterprise Microsoft 365 Vpn Stream And Live Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-vpn-stream-and-live-events.md
Last updated 3/3/2022 audience: Admin -+ ms.localizationpriority: medium search.appverid: - MET150
enterprise Microsoft Azure Architectures For Sharepoint 2013 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-azure-architectures-for-sharepoint-2013.md
Last updated 12/15/2017 audience: ITPro -+ ms.localizationpriority: medium f1.keywords:
enterprise Migrate Data To Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/migrate-data-to-office-365.md
audience: ITPro -+ ms.localizationpriority: medium search.appverid:
enterprise Minification And Bundling In Sharepoint Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/minification-and-bundling-in-sharepoint-online.md
Last updated 1/18/2022 audience: Admin -+ ms.localizationpriority: medium - Ent_O365
enterprise Modern Auth For Office 2013 And 2016 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-auth-for-office-2013-and-2016.md
Last updated 8/1/2017 audience: Admin -+ ms.localizationpriority: medium f1.keywords: - CSH
enterprise Modern Custom Extensions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-custom-extensions.md
Last updated 03/11/2020 audience: Admin -+ ms.localizationpriority: medium - Ent_O365
Additionally, if there are too many extensions on a page they can impact the pag
If an extension is impacting page load time or there are too many extensions on the page, the result appears in the **Attention required** section of the results. Click the result to see details about which extension is loading slowly or too many extensions has been highlighted. Future updates to the Page Diagnostics for SharePoint tool may include updates to analysis rules, so please ensure you always have the latest version of the tool.
-![Page load time results.](../media/page-diagnostics-for-spo/pagediag-extensions-load-time.png)
+![Screenshot showing page load time results.](../media/page-diagnostics-for-spo/pagediag-extensions-load-time.png)
Information available in the results includes:
Page authors can also use the audit result to see whether a page has too many ex
Before you make page revisions to remediate performance issues, make a note of the page load time in the analysis results. Run the tool again after your revision to see if the new result is within the baseline standard, and check the new page load time to see if there was an improvement.
-![Page load time results.](../media/modern-portal-optimization/pagediag-page-load-time.png)
+![Example of page load time results.](../media/modern-portal-optimization/pagediag-page-load-time.png)
>[!NOTE] >Page load time can vary based on a variety of factors such as network load, time of day, and other transient conditions. You should test page load time a few times before and after making changes to help you average the results.
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
Last updated 05/11/2022 ms.audience: ITPro -+ ms.localizationpriority: medium - Ent_O365
enterprise Modern Iframe Optimization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-iframe-optimization.md
Last updated 03/11/2020 audience: ITPro -+ ms.localizationpriority: medium - Ent_O365
enterprise Modern Image Optimization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-image-optimization.md
Last updated 03/11/2020 audience: ITPro -+ ms.localizationpriority: medium - Ent_O365
enterprise Modern Page Call Optimization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-page-call-optimization.md
Last updated 03/11/2020 audience: ITPro -+ ms.localizationpriority: medium - Ent_O365
enterprise Modern Page Weight Optimization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-page-weight-optimization.md
Last updated 03/11/2020 audience: ITPro -+ ms.localizationpriority: medium - Ent_O365
enterprise Modern Portal Limits https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-portal-limits.md
Last updated 10/9/2019 audience: Admin -+ ms.localizationpriority: medium - Strat_O365_Enterprise
enterprise Modern Web Part Optimization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-web-part-optimization.md
Last updated 03/11/2020 audience: Admin -+ ms.localizationpriority: medium - Ent_O365
enterprise Monitor Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/monitor-connectivity.md
Last updated 8/4/2020 audience: ITPro -+ ms.localizationpriority: medium f1.keywords:
enterprise Move Onedrive Between Geo Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/move-onedrive-between-geo-locations.md
audience: ITPro -+ f1.keywords: - NOCSH
enterprise Move Sharepoint Between Geo Locations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/move-sharepoint-between-geo-locations.md
audience: ITPro -+ - Strat_SP_gtc - SPO_Content
enterprise Moving Data To New Datacenter Geos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/moving-data-to-new-datacenter-geos.md
Last updated 06/02/2022 audience: ITPro -+ ms.localizationpriority: medium search.appverid: - MET150
enterprise Multi Factor Authentication Microsoft 365 Test Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-factor-authentication-microsoft-365-test-environment.md
Last updated 12/12/2019 audience: ITPro -+ ms.localizationpriority: medium
enterprise Multi Geo Add Group With Pdl https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-add-group-with-pdl.md
audience: ITPro -+ f1.keywords: - NOCSH
enterprise Multi Geo Capabilities In Exchange Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-capabilities-in-exchange-online.md
audience: ITPro -+ f1.keywords: - NOCSH
enterprise Multi Geo Capabilities In Onedrive And Sharepoint Online In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-capabilities-in-onedrive-and-sharepoint-online-in-microsoft-365.md
audience: ITPro -+ f1.keywords: - NOCSH
enterprise Multi Geo Capabilities In Teams In Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-capabilities-in-teams-in-microsoft-365.md
audience: ITPro -+ f1.keywords: - NOCSH
enterprise Multi Geo Ediscovery Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-ediscovery-configuration.md
audience: ITPro -+ f1.keywords: - NOCSH
enterprise Multi Geo Tenant Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-tenant-configuration.md
audience: ITPro -+ - SPO_Content - Strat_SP_gtc
enterprise Multi Geo User Experience https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/multi-geo-user-experience.md
audience: ITPro -+ - SPO_Content - Strat_SP_gtc
enterprise Nat Support With Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/nat-support-with-microsoft-365.md
Last updated 1/24/2017 audience: Admin -+ ms.localizationpriority: medium f1.keywords:
enterprise Navigation Options For Sharepoint Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/navigation-options-for-sharepoint-online.md
Last updated 4/7/2020 audience: Admin -+ ms.localizationpriority: medium - Ent_O365
enterprise Network And Migration Planning https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/network-and-migration-planning.md
Last updated 6/29/2018 audience: Admin -+ ms.localizationpriority: medium - Ent_O365
enterprise Network Planning And Performance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/network-planning-and-performance.md
Last updated 2/18/2022 audience: Admin -+ ms.localizationpriority: medium f1.keywords:
enterprise Network Planning With Expressroute https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/network-planning-with-expressroute.md
Last updated 2/14/2018 audience: ITPro -+ ms.localizationpriority: medium f1.keywords:
enterprise Network Requests In Office 2016 For Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/network-requests-in-office-2016-for-mac.md
Last updated 11/9/2018 audience: ITPro -+ ms.localizationpriority: medium f1.keywords:
enterprise Networking Roadmap Microsoft 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/networking-roadmap-microsoft-365.md
Last updated 03/03/2022 audience: ITPro -+ ms.localizationpriority: medium - M365-subscription-management
lighthouse M365 Lighthouse Device Security Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-device-security-overview.md
Title: "Overview of the Microsoft Defender for Endpoint page in Microsoft 365 Lighthouse"
+ Title: "Overview of the Device security page in Microsoft 365 Lighthouse"
f1.keywords: NOCSH
search.appverid: MET150
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthouse, learn how to view security risks."
-# Overview of the Microsoft Defender for Endpoint page in Microsoft 365 Lighthouse
+# Overview of the Device security page in Microsoft 365 Lighthouse
-Microsoft Defender for Endpoint provides endpoint security to secure your customers' devices from ransomware, malware, phishing, and other threats. Microsoft 365 Lighthouse allows you to view endpoint security insights and information for all your customer tenants.
+Microsoft Defender for Endpoint provides endpoint security to secure your customers' devices from ransomware, malware, phishing, and other threats. Microsoft 365 Lighthouse allows you to view endpoint security insights and information for all your managed tenants.
-You can access the Microsoft Defender for Endpoint page in Microsoft 365 Lighthouse from the **Security incidents** card on the Home page or from the left navigation pane by selecting **Devices** > **Device security**. You'll see any security incidents and alerts in your tenants that need attention, and devices that have been onboarded to Microsoft Defender for Endpoint.
+You can access the Device security page in Microsoft 365 Lighthouse from the **Security incidents** card on the Home page or from the left navigation pane by selecting **Devices** > **Device security**. You'll see any security incidents and alerts in your tenants that need attention, and devices that have been onboarded to Microsoft Defender for Endpoint.
## Incidents and alerts tab
-The Incidents and alerts tab provides a multi-tenant incidents queue of incidents and alerts that were flagged from devices in your customers' network. By default, the queue displays any active incidents seen in the last 30 days. You can select any incident or alert to view more information.
+The Incidents and alerts tab provides a multi-tenant view of incidents and alerts that were flagged from devices in your customers' network. By default, the tab displays any active incidents seen in the last 30 days. You can select any incident or alert to open the details pane to view more information. From the details pane, you can also resolve the incident or alert or assign it to yourself.
## Devices tab
-The Devices tab lists all of the devices in your customer tenants that have been onboarded to Microsoft Defender for Endpoint. This list includes devices that are managed by Microsoft Endpoint Manager and Microsoft Defender for Endpoint.
+The Devices tab lists all of the devices in your managed tenants that have been onboarded to Microsoft Defender for Endpoint. This list includes devices that are managed by Microsoft Endpoint Manager and Microsoft Defender for Endpoint.
The Devices tab also includes the following options: - **Export**: Select to export device compliance data to an Excel comma-separated values (.csv) file. - **Search**: Enter keywords to quickly locate a specific device in the list. ## Related content [Manage Microsoft Defender for Endpoint incidents](../security/defender-endpoint/manage-incidents.md) (article)\
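Review bot: Tenant terminology is now mixed on this page. The intro and the Devices tab paragraph switch from "customer tenants" to "managed tenants", but the access paragraph still says "in your tenants" and the Incidents and alerts paragraph still says "your customers' network". Use one term throughout so an MSP reader can tell that all of these refer to the same set of tenants.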
lti Onedrive Lti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/onedrive-lti.md
Title: Integrate Microsoft OneDrive LTI with Canvas--++ audience: admin
f1.keywords:
- CSH ms.localizationpriority: medium-
-description: Create and grade assignments, build and curate course content, and collaborate on files in real time with the new Microsoft OneDrive Learning Tools Interoperability App for Canvas.
+description: Create and grade assignments, build and curate course content, and collaborate on files in real time with the Microsoft OneDrive LTI for Canvas.
# Integrate Microsoft OneDrive LTI with Canvas
Integrating Microsoft OneDrive LTI with Canvas is a two-step process. The first
## Recommended browser settings - Cookies should be enabled for Microsoft OneDrive.-- Popups should not be blocked for Microsoft OneDrive.
+- Popups shouldn't be blocked for Microsoft OneDrive.
> [!NOTE] >
Integrating Microsoft OneDrive LTI with Canvas is a two-step process. The first
> [!CAUTION] > If this step isn't performed, the following step will give you an error, and you won't be able to take this step for an hour once you've gotten the error.
-3. Select the **Create new LTI Tenant** button. On the LTI Registration page select **Canvas** in the dropdown and enter the base URL of your Canvas instance.
+3. Select the **Create new LTI Tenant** button. On the LTI Registration page, select **Canvas** in the dropdown and enter the base URL of your Canvas instance.
> [!NOTE] > If your Canvas instance is, for example, `https://contoso.test.instructure.com`, then the complete URL should be entered.
A Canvas administrator can enable Microsoft OneDrive LTI for all courses. If Mic
## Collaboration Settings for Microsoft OneDrive LTI in Canvas Courses
-> [!NOTE]
-> For collaboration to work for educators and students, you shouldn't enable the collaboration setting. To make sure the setting isn't enabled, follow the steps below.
+For OneDrive Collaborations to work for educators and students, ensure the **External Collaborations Tools** setting is turned off. To turn off the **External Collaborations Tool** setting, follow the steps below.
-1. Sign in as an admin and go to the **Settings** section.
+1. Sign to Canvas as an admin and go to the **Settings** section.
1. Go to **Feature Options** section, and then go to the **Course** section.
-1. Set the **External Collaborations Tool** feature to be not enabled.
+1. Set the **External Collaborations Tool** toggle to the off position.
-> [!NOTE]
-> Collaboration can be assigned to individual students and to groups of students. Assigning to individual students works by default. To be able to assign collaboration to group of students, follow these steps:
+Collaborations can be assigned to individual students and to groups of students in a course. Collaborations in Canvas Groups isn't currently supported.
+
+Assigning to individual students works by default. To assign collaboration to groups of students, follow these steps:
-1. Login as admin and go to the **Developer Keys** section.
-1. Find the key with value 170000000000710 and set it to **On**.
+1. Sign into Canvas as an admin and go to the **Developer Keys** section.
+1. Find the key with value `170000000000710` and set it to **On**.
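Review bot: The rewritten first step reads "Sign to Canvas as an admin", which is missing "in", and the later step uses "Sign into Canvas"; make both "Sign in to Canvas as an admin". The new intro sentence also names the setting two ways, **External Collaborations Tools** and **External Collaborations Tool**, so use the exact UI label once and repeat it unchanged in the step. Finally, "Collaborations in Canvas Groups isn't currently supported" sits directly before "To assign collaboration to groups of students"; say explicitly how groups of students in a course differ from Canvas Groups, otherwise the two sentences read as contradictory.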
lti Teams Classes And Meetings With Schoology https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/teams-classes-and-meetings-with-schoology.md
For an overview of Microsoft LTI, see [Integrating Microsoft products with your
> [!NOTE] > The person who performs this integration should be an administrator of Schoology. However, Schoology users with access to the Schoology **App Center** can also install the Microsoft Teams Meetings LTI app.
-## Register the Teams Meetings LTI app in Schoology
+## Register the Teams Meetings LTI app for Schoology
1. Sign into your Schoology instance as an administrator with access to install and configure apps. 1. Access the **Microsoft Teams Meetings** app in the [**App Center**](https://app.schoology.com/apps) by opening this direct link [Microsoft Teams Meetings on Schoology](https://app.schoology.com/apps/profile/6017478062). 1. Select the **Install LTI 1.3 App** button to begin the installation process. 1. Select the **I agree** button.
-1. You'll be asked if this should be installed for your entire organization, or just for you. Select **Add to Organization**, and you'll be redirected to the **Organization Apps** page to complete the configuration.
+1. You'll be asked if this app should be installed for your entire organization, or just for you. Select **Add to Organization**, and you'll be redirected to the **Organization Apps** page to complete the configuration.
1. From the [**Organization Apps list**](https://app.schoology.com/apps/school_apps), locate the **Microsoft Teams Meetings** app and select the **Configure** button. 1. Copy the **Deployment ID** assigned to your deployment of the app. 1. This ID will be used in the **Microsoft LMS Gateway** configuration process. 1. From the [**Organization Apps list**](https://app.schoology.com/apps/school_apps), locate the **Microsoft Teams Meetings** app and select the **Install/Remove** button.
+ 1. To install the app for all users, choose the **All Users** checkbox.
+ 1. Select only the roles that will have access to Microsoft Teams in your organization, like teachers, students, or system administrators.
1. To install the app for all courses, choose the **All Courses** checkbox. 1. Don't check the **Course Admins Only** option to ensure the app is available to all members of the course.
+ 1. To install the app for all groups, choose the **All Groups** checkbox.
> [!NOTE] > If you choose not to install the app for all courses, then *Course Admins* must install the app for themselves by either:
security Compare Mdb M365 Plans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/compare-mdb-m365-plans.md
Microsoft offers a wide variety of cloud solutions and services, including plans
| **[Microsoft 365 Business Premium](../../business-premium/index.md)** | **Defender for Business capabilities, together with productivity and additional security capabilities**<ul><li>[Microsoft 365 Business Standard](../../admin/admin-overview/what-is-microsoft-365-for-business.md) (Office apps and services, and Microsoft Teams)</li><li>[Shared computer activation](/deployoffice/overview-shared-computer-activation) (for deploying Microsoft 365 Apps)</li><li>[Windows 10/11 Business](../../business-premium/m365bp-upgrade-windows-10-pro.md) (upgrade from previous versions of Windows Pro)</li><li>[Windows Autopilot](/mem/autopilot/windows-autopilot) (for setting up and configuring Windows devices)</li><li>[Exchange Online Protection](../office-365-security/exchange-online-protection-overview.md) (antiphishing, antispam, antimalware, and spoof intelligence for email)</li><li>[Microsoft Defender for Office 365 Plan 1](../office-365-security/overview.md) (advanced antiphishing, real-time detections, Safe Attachments, Safe Links)</li><li>[Auto-expanding archiving](../../compliance/autoexpanding-archiving.md) (for email)</li><li>[Azure Active Directory Premium Plan 1](/azure/active-directory/fundamentals/active-directory-whatis) (identity management)</li><li>[Microsoft Intune](/mem/intune/fundamentals/what-is-intune) (device onboarding and management)</li><li>[Azure Information Protection Premium Plan 1](/azure/information-protection/what-is-information-protection) (protection for sensitive information)</li><li>[Azure Virtual Desktop](/azure/virtual-desktop/overview) (centrally managed, secure virtual machines in the cloud)</li></ul> |
-(<a id="fna">a</a>) Microsoft Intune is required to modify or customize attack surface reduction rules. Intune is included in Microsoft 365 Business Premium.
+(<a id="fna">a</a>) Microsoft Intune is required to modify or customize attack surface reduction rules. Intune can be added on to the standalone version of Defender for Business. Intune is included in Microsoft 365 Business Premium.
(<a id="fnb">b</a>) Microsoft Intune is required to onboard iOS and Android devices. See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).
Defender for Business brings the enterprise-grade capabilities of Defender for E
|[Centralized management](../defender-endpoint/manage-atp-post-migration.md) <sup>[[1](#fn1)]</sup> | :::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::| |[Simplified client configuration](mdb-simplified-configuration.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::| | | |[Microsoft Defender Vulnerability Management](../defender-endpoint/next-gen-threat-and-vuln-mgt.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::| |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
-|[Attack surface reduction capabilities](../defender-endpoint/overview-attack-surface-reduction.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
+|[Attack surface reduction capabilities](../defender-endpoint/overview-attack-surface-reduction.md) <sup>[[2](#fn2)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
|[Next-generation protection](../defender-endpoint/next-generation-protection.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
-|[Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) <sup>[[2](#fn2)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
-|[Automated investigation and response](../defender-endpoint/automated-investigations.md) <sup>[[3](#fn3)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: ||:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
-|[Threat hunting](../defender-endpoint/advanced-hunting-overview.md) and six months of data retention <sup>[[4](#fn4)]</sup> | | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
-|[Threat analytics](../defender-endpoint/threat-analytics.md) <sup>[[5](#fn5)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
-|[Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>(Windows, Mac, iOS, and Android OS) <sup>[[6](#fn6)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
+|[Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) <sup>[[3](#fn3)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
+|[Automated investigation and response](../defender-endpoint/automated-investigations.md) <sup>[[4](#fn4)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: ||:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
+|[Threat hunting](../defender-endpoint/advanced-hunting-overview.md) and six months of data retention <sup>[[5](#fn5)]</sup> | | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
+|[Threat analytics](../defender-endpoint/threat-analytics.md) <sup>[[6](#fn6)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
+|[Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>(Windows, Mac, iOS, and Android OS) <sup>[[7](#fn7)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
|[Microsoft Threat Experts](../defender-endpoint/microsoft-threat-experts.md)| | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::| |Partner APIs|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|
-|[Microsoft 365 Lighthouse integration](../../lighthouse/m365-lighthouse-overview.md) <br/>(For viewing security incidents across customer tenants) <sup>[[7](#fn7)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |
+|[Microsoft 365 Lighthouse integration](../../lighthouse/m365-lighthouse-overview.md) <br/>(For viewing security incidents across customer tenants) <sup>[[8](#fn8)]</sup>|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |
(<a id="fn1">1</a>) Onboard and manage devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) or by using Microsoft Intune, managed in the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)).
-(<a id="fn2">2</a>) Endpoint detection and response (EDR) capabilities in Defender for Business include behavior-based detection and the following manual response actions:
+(<a id="fn2">2</a>) Intune is required to configure and manage [ASR rules](../defender-endpoint/attack-surface-reduction.md).
+
+(<a id="fn3">3</a>) Endpoint detection and response (EDR) capabilities in Defender for Business include behavior-based detection and the following manual response actions:
- Run antivirus scan - Isolate device - Stop and quarantine a file - Add an indicator to block or allow a file
-(<a id="fn3">3</a>) In Defender for Business, automated investigation and response is turned on by default, tenant wide. Turning off automated investigation and response affects real-time protection. See [Review settings for advanced features](mdb-configure-security-settings.md#review-settings-for-advanced-features).
+(<a id="fn4">4</a>) In Defender for Business, automated investigation and response is turned on by default, tenant wide. Turning off automated investigation and response affects real-time protection. See [Review settings for advanced features](mdb-configure-security-settings.md#review-settings-for-advanced-features).
-(<a id="fn4">4</a>) There's no timeline view in Defender for Business.
+(<a id="fn5">5</a>) There's no timeline view in Defender for Business.
-(<a id="fn5">5</a>) In Defender for Business, threat analytics are optimized for small and medium-sized businesses.
+(<a id="fn6">6</a>) In Defender for Business, threat analytics are optimized for small and medium-sized businesses.
-(<a id="fn6">6</a>) See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).
+(<a id="fn7">7</a>) See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).
-(<a id="fn7">7</a>) The ability to view incidents across tenants using Defender for Endpoint is new!
+(<a id="fn8">8</a>) The ability to view incidents across tenants using Defender for Endpoint is new!
-Also see [Compare Microsoft endpoint security plans](../defender-endpoint/defender-endpoint-plan-1-2.md).
+> [!TIP]
+> Also see [Compare Microsoft endpoint security plans](../defender-endpoint/defender-endpoint-plan-1-2.md).
## Next steps
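Review bot: Inserting the new footnote 2 reassigns the existing anchor ids `fn2` through `fn7` to different text, so any link that already targets `#fn3` now lands on the EDR footnote instead of the automated investigation and response one. Either give the ASR footnote a fresh id and leave the old ones in place, or confirm nothing links to these anchors. The new footnote 2 also says only "Intune is required to configure and manage ASR rules", while footnote (a) in the earlier table was just extended to say Intune can be added on to the standalone version and is included in Business Premium; align the two so the licensing statement is the same in both places.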
security Mdb Manage Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md
ms.localizationpriority: medium Previously updated : 08/11/2022 Last updated : 09/14/2022 f1.keywords: NOCSH
In Defender for Business, you can manage devices as follows:
1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-2. In the navigation pane, choose **Device inventory**.
+2. In the navigation pane, go to **Assets** > **Devices**.
3. Select a device to open its flyout panel, where you can learn more about its status and take action.
In Defender for Business, you can manage devices as follows:
:::image type="content" source="../../medib-selected-device.png" alt-text="Screenshot of a selected device with details and actions available":::
-1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Device inventory**.
+1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, go to **Assets** > **Devices**.
2. Select a device to open its flyout panel, and review the information that is displayed.
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
ms.localizationpriority: medium Previously updated : 09/13/2022 Last updated : 09/14/2022 f1.keywords: NOCSH
Choose one of the following options to onboard Windows client devices to Defende
- [Local script](#local-script-for-windows-10-and-11) (for onboarding devices manually in the Microsoft 365 Defender portal) - [Group Policy](#group-policy-for-windows-10-and-11) (if you're already using Group Policy in your organization)-- [Microsoft Intune](#intune-for-windows-10-and-11)
+- [Microsoft Intune](#intune-for-windows-10-and-11) (if you're already using Intune)
### Local script for Windows 10 and 11 You can use a local script to onboard Windows client devices. When you run the onboarding script on a device: - It creates a trust with Azure Active Directory, if that trust doesn't already exist.-- It enrolls the device in Microsoft Intune, if it isn't already enrolled and then onboards the device to Defender for Business.
+- It enrolls the device in Microsoft Intune if it isn't already enrolled, and then onboards the device to Defender for Business.
- The local script method works even if you don't currently have Intune, and this is the recommended method for Defender for Business customers. > [!TIP]
After you've onboarded Windows devices to Defender for Business, you can run a d
1. On the Windows device, create a folder: `C:\test-MDATP-test`.
-2. Open a command prompt as an administrator.
+2. Open Command Prompt as an administrator.
3. In the Command Prompt window, run the following PowerShell command:
After the command runs, the Command Prompt window will close automatically. If s
## View a list of onboarded devices
-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). On the navigation pane, under **Endpoints**, choose **Device inventory**.
+To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, go to **Assets** > **Devices**.
## Next steps
To view the list of devices that are onboarded to Defender for Business, go to t
Choose one of the following options to onboard Mac: - [Local script for Mac](#local-script-for-mac) (*recommended*)-- [Intune for Mac](#intune-for-mac)
+- [Intune for Mac](#intune-for-mac) (if you're already using Intune)
### Local script for Mac
-When you run the local script on a Mac:
+When you run the local script on Mac:
-- It creates a trust with Azure Active Directory, if that trust doesn't already exist.-- It enrolls the Mac in Microsoft Intune, if it isn't already enrolled and then onboards the Mac to Defender for Business.
+- It creates a trust with Azure Active Directory if that trust doesn't already exist.
+- It enrolls the Mac in Microsoft Intune if it isn't already enrolled, and then onboards the Mac to Defender for Business.
- We recommend that you onboard up to 10 devices at a time using this method. 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.
When you run the local script on a Mac:
4. Select **Download onboarding package**, and save it to a removable drive. Also select **Download installation package**, and save it to your removable device.
-5. On a Mac, save the installation package as `wdav.pkg` to a local directory.
+5. On Mac, save the installation package as `wdav.pkg` to a local directory.
6. Save the onboarding package as `WindowsDefenderATPOnboardingPackage.zip` to the same directory you used for the installation package.
When you run the local script on a Mac:
10. Use the following Python command in Bash to run the onboarding package: `/usr/bin/python MicrosoftDefenderATPOnboardingMacOs.sh`
-After a Mac is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).
+After Mac is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).
### Intune for Mac
-You can enroll Mac computers in Intune by using the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). There are several methods available for enrolling Mac in Intune. We recommend one of the following methods:
+If you already have Intune, you can enroll Mac computers by using the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). There are several methods available for enrolling Mac in Intune. We recommend one of the following methods:
- [Choose an option for company-owned Mac](#options-for-company-owned-mac) - [Ask users to enroll their own Mac in Intune](#ask-users-to-enroll-their-own-mac-in-intune)
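Review bot: The unchanged step 10 in this hunk runs `/usr/bin/python` against a file with a `.sh` extension and describes it as a "Python command in Bash"; since this section is being edited, confirm that the interpreter and the file name match the onboarding package that is actually downloaded. On the changed lines, dropping the article gives "After Mac is enrolled in Intune, you can add it to a device group", which reads awkwardly next to "After a device is enrolled in Intune" elsewhere in this file and "enroll Mac computers" in the Intune section; "After the Mac is enrolled" or "After a Mac device is enrolled" would be clearer.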
After a device is enrolled in Intune, you can add it to a device group. [Learn m
## View a list of onboarded devices
-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, under **Endpoints**, choose **Device inventory**.
+To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, go to **Assets** > **Devices**.
## Next steps
After you onboard your Windows Server endpoint to Defender for Business, you can
1. On the Windows Server device, create a folder: `C:\test-MDATP-test`.
-2. Open a command prompt as an administrator.
+2. Open Command Prompt as an administrator.
3. In the Command Prompt window, run the following PowerShell command:
You can use the following methods to onboard an instance of Linux Server to Defe
## View a list of onboarded devices
-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, under **Endpoints**, choose **Device inventory**.
+To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, go to **Assets** > **Devices**.
## Next steps
Use Microsoft Intune to onboard mobile devices, such as Android and iOS/iPadOS d
After a device is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md). > [!NOTE]
-> Defender for Business standalone does not include the Intune license that is required to onboard iOS and Android devices. You can add Intune to your Defender for Business subscription to onboard mobile devices.
+> The standalone version of Defender for Business does not include the Intune license that is required to onboard iOS and Android devices. You can add Intune to your Defender for Business subscription to onboard mobile devices. Intune is included in Microsoft 365 Business Premium.
## View a list of onboarded devices
-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). On the navigation pane, under **Endpoints**, choose **Device inventory**.
+To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, go to **Assets** > **Devices**.
## Next steps
security Mdb Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-reports.md
ms.localizationpriority: medium Previously updated : 08/11/2022 Last updated : 09/14/2022 f1.keywords: NOCSH
Several reports are available in the Microsoft 365 Defender portal ([https://sec
||| | **Security report** | The security report provides information about your company's identities, devices, and apps. To access this report, in the navigation pane, choose **Reports** > **General** > **Security report**. <br/><br/>You can view similar information on the home page of your Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). | | **Threat protection** | The threat protection report provides information about alerts and alert trends. Use the **Alert trends** column to view information about alerts that were triggered over the last 30 days. Use the **Alert status** column to view current snapshot information about alerts, such as categories of unresolved alerts and their classification. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Threat protection**. <br/><br/>You can also use the **Incidents** list to view information about alerts. In the navigation pane, choose **Incidents** to view and manage current incidents. To learn more, see [View and manage incidents in Defender for Business](mdb-view-manage-incidents.md). |
-| **Device health and compliance** | The device health and compliance report provides information about device health and trends. You can use this report to determine whether Defender for Business sensors are working correctly on devices and the current status of Microsoft Defender Antivirus. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Device health and compliance**. <br/><br/>You can use the **Device inventory** list to view information about your company's devices. In the navigation pane, choose **Device inventory**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). |
-| **Vulnerable devices** | The vulnerable devices report provides information about devices and trends. Use the **Trends** column to view information about devices that had alerts over the last 30 days. Use the **Status** column to view current snapshot information about devices that have alerts. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Vulnerable devices**.<br/><br/>**TIP**: You can use the **Device inventory** list to view information about your company's devices. In the navigation pane, choose **Device inventory**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). |
+| **Device health and compliance** | The device health and compliance report provides information about device health and trends. You can use this report to determine whether Defender for Business sensors are working correctly on devices and the current status of Microsoft Defender Antivirus. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Device health and compliance**. <br/><br/>You can use the **Devices** list to view information about your company's devices. In the navigation pane, go to **Assets** > **Devices**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). |
+| **Vulnerable devices** | The vulnerable devices report provides information about devices and trends. Use the **Trends** column to view information about devices that had alerts over the last 30 days. Use the **Status** column to view current snapshot information about devices that have alerts. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Vulnerable devices**.<br/><br/>**TIP**: You can use the **Devices** list to view information about your company's devices. In the navigation pane, go to **Assets** > **Devices**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). |
| **Web protection** | The web protection report shows attempts to access phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, and sites that are explicitly blocked. Categories of blocked sites include adult content, leisure sites, legal liability sites, and more. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Web protection**.<br/><br/>If you haven't yet configured web protection for your company, choose the **Settings** button in a report view. Then, under **Rules**, choose **Web content filtering**. To learn more about web content filtering, see [Web content filtering](../defender-endpoint/web-content-filtering.md). | | **Firewall** | The firewall report shows blocked inbound, outbound, and app connections. This report also shows remote IPs connected by multiple devices, and remote IPs with the most connection attempts. <br/><br/>If you haven't yet configured your firewall protection, in the navigation pane, choose **Endpoints** > **Configuration management** > **Device configuration**. To learn more, see [Firewall in Defender for Business](mdb-firewall.md). | | **Device control** | The device control report shows information about media usage, such as the use of removable storage devices in your organization. |
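Review bot: The two updated rows carry the same pointer to the **Devices** list, but only the Vulnerable devices row labels it with **TIP**. Since both rows are being edited in this change, make them consistent: either prefix both with the tip label or drop it from both.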
security Mdb Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-requirements.md
ms.localizationpriority: medium Previously updated : 08/10/2022 Last updated : 09/14/2022 f1.keywords: NOCSH
The following table lists the basic requirements you need to configure and use D
| User accounts |<ul><li>User accounts are created in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)).</li><li>Licenses for Defender for Business (or Microsoft 365 Business Premium) are assigned in the Microsoft 365 admin center.</li></ul>To get help with this task, see [Add users and assign licenses](mdb-add-users.md). | | Permissions | To sign up for Defender for Business, you must be a Global Admin.<br/><br/>To access the Microsoft 365 Defender portal, users must have one of the following [roles in Azure AD](mdb-roles-permissions.md) assigned:<ul><li>Security Reader</li><li>Security Admin</li><li>Global Admin</li></ul>To learn more, see [Roles and permissions in Defender for Business](mdb-roles-permissions.md). | | Browser requirements | Microsoft Edge or Google Chrome |
-| Client device operating system | To manage devices in the Microsoft 365 Defender portal, your devices must be running one of the following operating systems: <ul><li>Windows 10 or 11 Business</li><li>Windows 10 or 11 Professional</li><li>Windows 10 or 11 Enterprise</li><li>Mac (the three most-current releases are supported)</li></ul><br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed on the Windows devices. <br/><br/>If you're already managing devices in Microsoft Intune, you can continue to use the Microsoft Endpoint Manager admin center. In that case, the following other operating systems are supported: <ul><li>iOS and iPadOS</li><li>Android OS</li></ul> |
+| Client device operating system | To manage devices in the Microsoft 365 Defender portal, your devices must be running one of the following operating systems: <ul><li>Windows 10 or 11 Business</li><li>Windows 10 or 11 Professional</li><li>Windows 10 or 11 Enterprise</li><li>Mac (the three most-current releases are supported)</li></ul>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed on the Windows devices. <br/><br/>If you're already managing devices in Microsoft Intune, you can continue to use the Microsoft Endpoint Manager admin center.<sup>[[1](#fn1)]</sup> In that case, the following other operating systems are supported: <ul><li>iOS and iPadOS</li><li>Android OS</li></ul> |
| Server requirements | If you're planning to onboard an instance of Windows Server or Linux Server, you must meet the following requirements: <ul><li>The **Preview features** setting is turned on. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), go to **Settings** > **Endpoints** > **General** > **Advanced features** > **Preview features**.</li><li>Enforcement scope for Windows Server is turned on. In the Microsoft 365 Defender portal, go to **Settings** > **Endpoints** > **Configuration management** > **Enforcement scope**. Select **Use MDE to enforce security configuration settings from MEM**, select **Windows Server**, and then select **Save**.</li><li>Linux Server endpoints meet the [prerequisites for Microsoft Defender for Endpoint on Linux](../defender-endpoint/microsoft-defender-endpoint-linux.md#prerequisites).</li></ul> |
+(<a id="fn1">1</a>) Microsoft Intune is not included in the standalone version of Defender for Business. Intune can be added onto Defender for Business. Intune is included in Microsoft 365 Business Premium.
+ > [!NOTE] > [Azure Active Directory (Azure AD)](/azure/active-directory/fundamentals/active-directory-whatis) is used to manage user permissions and device groups. Azure AD is included in your Defender for Business subscription. > - If you don't have a Microsoft 365 subscription before you start your trial, Azure AD will be provisioned for you during the activation process.
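Review bot: In the Client device operating system row, the `<sup>[[1](#fn1)]</sup>` marker is attached to the sentence about the Microsoft Endpoint Manager admin center, while the footnote text is about Intune licensing. Placing the marker directly after "Microsoft Intune" would make it clearer what the footnote qualifies. In the footnote itself, "Intune can be added onto Defender for Business" reads better as "can be added on to Defender for Business".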
security Mdb Respond Mitigate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-respond-mitigate-threats.md
ms.localizationpriority: medium Previously updated : 08/11/2022 Last updated : 09/14/2022 f1.keywords: NOCSH
The Microsoft 365 Defender portal enables your security team to respond to and m
:::image type="content" source="../../medib-examplecards.png" alt-text="Screenshot of cards in the Microsoft 365 Defender portal":::
-3. Select a button or link on the card to view more information and take action. As an example, our **Devices at risk** card includes a **View details** button. Selecting that button takes us to the **Device inventory** page, as shown in the following image:
+3. Select a button or link on the card to view more information and take action. As an example, our **Devices at risk** card includes a **View details** button. Selecting that button takes us to the **Devices** list, as shown in the following image:
:::image type="content" source="../../medib-deviceinventory.png" alt-text="Screenshot of device inventory":::
- The **Device inventory** page lists company devices, along with their risk level and exposure level.
+ The **Devices** page lists company devices, along with their risk level and exposure level.
4. Select an item, such as a device. A flyout pane opens and displays more information about alerts and incidents generated for that item, as shown in the following image:
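Review bot: Step 3 now says the button opens the **Devices** list, but the next added line calls the same view the **Devices** page, and the image line between them still carries the alt-text "Screenshot of device inventory". Pick one term ("list" or "page") for both sentences and update the alt-text so it matches the renamed view.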
security Mdb Use Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-use-wizard.md
Defender for Business was designed to save small and medium-sized businesses tim
The setup wizard is designed to run the first time someone in your company signs into the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)).
-If your company has been using Microsoft 365 Business Premium, the Defender for Business setup wizard will run the first time someone goes to **Endpoints** > **Device inventory**.
+If your company has been using Microsoft 365 Business Premium, the Defender for Business setup wizard will run the first time someone goes to **Assets** > **Devices**.
The setup wizard start screen looks like the following image:
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
##### [Customize controlled folder access](customize-controlled-folders.md) #### [Device Control]() ##### [Removable Storage Protection](device-control-removable-storage-protection.md)
-##### [Removable Storage Access Control](device-control-removable-storage-access-control.md)
+##### [Removable Storage Access Control]()
+###### [Overview](device-control-removable-storage-access-control.md)
+###### [Deploy and manage using Intune](deploy-manage-removable-storage-intune.md)
+###### [Deploy and manage using group policy](deploy-manage-removable-storage-group-policy.md)
+###### [Frequently asked questions](device-control-removable-storage-access-control-faq.md)
##### [Device Installation](mde-device-control-device-installation.md) ##### [Device Control Printer Protection](printer-protection.md) ##### [Device Control Reports](device-control-report.md)
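Review bot: The new child entry "Deploy and manage using group policy" lowercases the feature name. Use "Group Policy" to match how it is written elsewhere in this doc set (for example "Onboard Windows devices using Group Policy"). The parent entry now has an empty link target, so it is also worth confirming that the three new child files are added in the same change, since only the TOC lines are visible here.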
####### [Export software vulnerabilities assessment](get-assessment-software-vulnerabilities.md) ###### [Browser extensions]()
-####### [Export broswer extenstions assessment](get-assessment-browser-extensions.md)
-####### [Get browser extenstions permisson information](get-browser-extensions-permission-info.md)
+####### [Export browser extentions assessment](get-assessment-browser-extensions.md)
+####### [Get browser extentions permission information](get-browser-extensions-permission-info.md)
###### [Automated investigation]() ####### [Investigation methods and properties](investigation.md)
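Review bot: The replacement titles still misspell the word: "extentions" should be "extensions" in both "Export browser extentions assessment" and "Get browser extentions permission information". The link targets on the same lines already use the correct spelling (get-assessment-browser-extensions.md, get-browser-extensions-permission-info.md).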
security Access Mssp Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/access-mssp-portal.md
audience: ITPro
+search.appverid: met150
# Access the Microsoft 365 Defender MSSP customer portal
security Add Or Remove Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/add-or-remove-machine-tags.md
+search.appverid: met150
# Add or remove machine tags API
security Advanced Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-features.md
audience: ITPro
+search.appverid: met150
# Configure advanced features in Defender for Endpoint
security Advanced Hunting Devicealertevents Table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-devicealertevents-table.md
Last updated 01/22/2020
+search.appverid: met150
# DeviceAlertEvents
security Advanced Hunting Schema Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/advanced-hunting-schema-reference.md
Last updated 01/14/2020
+search.appverid: met150
# Understand the advanced hunting schema in Microsoft Defender for Endpoint
security Alerts Queue Endpoint Detection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response.md
Last updated 09/03/2018
+search.appverid: met150
# Alerts queue in Microsoft 365 Defender
security Alerts Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue.md
Last updated 03/27/2020
+search.appverid: met150
# View and organize the Microsoft Defender for Endpoint Alerts queue
security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts.md
+search.appverid: met150
# Alert resource type
security Analyzer Feedback https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-feedback.md
- M365-security-compliance
+search.appverid: met150
# Provide feedback on the Microsoft Defender for Endpoint client analyzer tool
security Analyzer Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/analyzer-report.md
audience: ITPro
+search.appverid: met150
# Understand the client analyzer HTML report
security Android Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure.md
- m365-security-compliance
+search.appverid: met150
# Configure Defender for Endpoint on Android features
security Android Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md
- m365-security-compliance
+search.appverid: met150
# Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
security Android Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-privacy.md
audience: ITPro
+search.appverid: met150
# Microsoft Defender for Endpoint on Android - Privacy information
security Android Support Signin https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-support-signin.md
- m365-security-compliance
+search.appverid: met150
# Troubleshooting issues on Microsoft Defender for Endpoint on Android
security Android Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-whatsnew.md
audience: ITPro
+search.appverid: met150
# What's new in Microsoft Defender for Endpoint on Android
security Api Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-explorer.md
+search.appverid: met150
# API Explorer
security Api Hello World https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-hello-world.md
+search.appverid: met150
# Microsoft Defender for Endpoint API - Hello World
security Api Microsoft Flow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-microsoft-flow.md
+search.appverid: met150
# How to use Power Automate Connector to set up a Flow for events
security Api Power Bi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-power-bi.md
+search.appverid: met150
# Create custom reports using Power BI
security Api Release Notes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-release-notes.md
ms.technology: mde
+search.appverid: met150
# Microsoft Defender for Endpoint API release notes
security Apis Intro https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/apis-intro.md
ms.technology: mde
+search.appverid: met150
# Access the Microsoft Defender for Endpoint APIs
security Attack Surface Reduction Rules Deployment Implement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement.md
- m365solution-asr-rules - highpri Last updated 1/18/2022
+search.appverid: met150
# Enable attack surface reduction (ASR) rules
security Attack Surface Reduction Rules Deployment Operationalize https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize.md
- m365solution-asr-rules - highpri Last updated 1/18/2022
+search.appverid: met150
# Operationalize attack surface reduction (ASR) rules
security Attack Surface Reduction Rules Deployment Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan.md
- m365solution-asr-rules - highpri Last updated 1/18/2022
+search.appverid: met150
# Plan attack surface reduction (ASR) rules deployment
security Attack Surface Reduction Rules Deployment Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test.md
- m365solution-asr-rules - highpri Last updated 1/18/2022
+search.appverid: met150
# Test attack surface reduction (ASR) rules
security Attack Surface Reduction Rules Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment.md
- m365solution-asr-rules - highpri Last updated 1/18/2022
+search.appverid: met150
# Attack surface reduction (ASR) rules deployment overview
security Attack Surface Reduction Rules Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference.md
ms.technology: mde
Last updated 08/10/2022
+search.appverid: met150
# Attack surface reduction rules reference
security Attack Surface Reduction Rules Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report.md
ms.technology: mde
Last updated 08/25/2022
+search.appverid: met150
# Attack surface reduction (ASR) rules report
security Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction.md
- m365initiative-m365-defender - M365-security-compliance
+search.appverid: met150
# Attack surface reduction rules overview
security Auto Investigation Action Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/auto-investigation-action-center.md
ms.technology: mde
+search.appverid: met150
# Visit the Action center to see remediation actions
security Automated Investigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automated-investigations.md
+search.appverid: met150
# Overview of automated investigations
security Automation Levels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/automation-levels.md
+search.appverid: met150
# Automation levels in automated investigation and remediation capabilities
security Basic Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/basic-permissions.md
audience: ITPro
ms.technology: mde
+search.appverid: met150
# Use basic permissions to access the portal
security Batch Update Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/batch-update-alerts.md
ms.technology: mde
+search.appverid: met150
# Batch update alerts
security Behavioral Blocking Containment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/behavioral-blocking-containment.md
- admindeeplinkDEFENDER ms.technology: mde
+search.appverid: met150
# Behavioral blocking and containment
security Check Sensor Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/check-sensor-status.md
Last updated 04/24/2018 ms.technology: mde
+search.appverid: met150
# Check sensor health state at Microsoft Defender for Endpoint
security Client Behavioral Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/client-behavioral-blocking.md
- edr
+search.appverid: met150
# Client behavioral blocking
security Cloud Protection Microsoft Antivirus Sample Submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md
Last updated 02/24/2022
+search.appverid: met150
# Cloud protection and sample submission at Microsoft Defender Antivirus
security Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus.md
Last updated 10/18/2021
+search.appverid: met150
# Cloud protection and Microsoft Defender Antivirus
security Collect Diagnostic Data Update Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data-update-compliance.md
+search.appverid: met150
# Collect update compliance diagnostic data for Microsoft Defender Antivirus assessment
security Collect Diagnostic Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-diagnostic-data.md
+search.appverid: met150
# Collect Microsoft Defender Antivirus diagnostic data
security Collect Investigation Package https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/collect-investigation-package.md
+search.appverid: met150
# Collect investigation package API
security Command Line Arguments Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus.md
Last updated 05/24/2021
+search.appverid: met150
# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
security Common Errors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-errors.md
+search.appverid: met150
# Common REST API error codes
security Common Exclusion Mistakes Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus.md
Last updated 06/16/2022
+search.appverid: met150
# Common mistakes to avoid when defining exclusions
security Community https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/community.md
Last updated 04/24/2018
+search.appverid: met150
security Configuration Management Reference Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus.md
+search.appverid: met150
# Manage Microsoft Defender Antivirus in your business
security Configure Advanced Scan Types Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus.md
Last updated 12/03/2021
+search.appverid: met150
# Configure Microsoft Defender Antivirus scanning options
security Configure Automated Investigations Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation.md
audience: ITPro
+search.appverid: met150
# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
security Configure Block At First Sight Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus.md
Last updated 07/11/2022
+search.appverid: met150
# Turn on block at first sight
security Configure Cloud Block Timeout Period Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
Last updated 10/18/2021
+search.appverid: met150
# Configure the cloud block timeout period
security Configure Conditional Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-conditional-access.md
audience: ITPro
+search.appverid: met150
# Configure Conditional Access in Microsoft Defender for Endpoint
security Configure Contextual File Folder Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus.md
audience: ITPro
+search.appverid: met150
# Contextual file and folder exclusions
security Configure Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-device-discovery.md
+search.appverid: met150
# Configure device discovery
security Configure Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-email-notifications.md
audience: ITPro
+search.appverid: met150
# Configure alert notifications in Microsoft Defender for Endpoint
security Configure Endpoints Gp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md
Last updated 12/07/2021
+search.appverid: met150
# Onboard Windows devices using Group Policy
security Configure Endpoints Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-mdm.md
+search.appverid: met150
# Onboard Windows devices to Defender for Endpoint using Intune
security Configure Endpoints Sccm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md
Last updated 09/22/2021
+search.appverid: met150
# Onboard Windows devices using Configuration Manager
security Configure Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus.md
ms.audience: ITPro
+search.appverid: met150
# Configure and validate exclusions for Microsoft Defender Antivirus scans
security Configure Extension File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+search.appverid: met150
# Configure and validate exclusions based on file extension and folder location
security Configure Local Policy Overrides Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-local-policy-overrides-microsoft-defender-antivirus.md
Last updated 08/02/2022
+search.appverid: met150
# Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings
security Configure Machines Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-asr.md
+search.appverid: met150
# Optimize ASR rule deployment and detections
security Configure Machines Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-onboarding.md
audience: ITPro
+search.appverid: met150
# Get devices onboarded to Microsoft Defender for Endpoint
security Configure Machines Security Baseline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines-security-baseline.md
audience: ITPro
+search.appverid: met150
# Increase compliance to the Microsoft Defender for Endpoint security baseline
security Configure Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-machines.md
+search.appverid: met150
# Ensure your devices are configured properly
security Configure Microsoft Defender Antivirus Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features.md
+search.appverid: met150
# Configure Microsoft Defender Antivirus features
security Configure Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Configure and manage Microsoft Threat Experts capabilities
security Configure Mssp Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-notifications.md
audience: ITPro
+search.appverid: met150
# Configure alert notifications that are sent to MSSPs
security Configure Mssp Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-mssp-support.md
+search.appverid: met150
# Configure managed security service provider integration
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
Last updated 06/28/2022
+search.appverid: met150
# Configure and validate Microsoft Defender Antivirus network connections
security Configure Notifications Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus.md
Last updated 10/18/2021
+search.appverid: met150
# Configure Microsoft Defender Antivirus notifications that appear on endpoints
security Configure Process Opened File Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
+search.appverid: met150
# Configure exclusions for files opened by processes
security Configure Protection Features Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus.md
+search.appverid: met150
# Configure behavioral, heuristic, and real-time protection
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
The static proxy is configurable through group policy (GP), both the settings un
> If you are using 'TelemetryProxyServer' setting on devices that are otherwise **completely offline**, then it is recommended to add the additional registry setting `PreferStaticProxyForHttpRequest` with a value of `1`.<br> > Parent registry path location for "PreferStaticProxyForHttpRequest" is "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection"<br> > The following command can be used to insert the registry value in the correct location:<br>
-> ```reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v PreferStaticProxyForHttpRequest /t REG_DWORD /d 1 /f```
+> ```reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v PreferStaticProxyForHttpRequest /t REG_DWORD /d 1 /f```<br>
+> The above registry value is applicable only starting with MsSense.exe version 10.8210.* and later, or version 10.8049.* and later (on Windows Server 2012R2/2016 with the unified agent)
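Review bot: The added version note on `PreferStaticProxyForHttpRequest` gives the minimum MsSense.exe builds but not how an administrator confirms the installed build before relying on the value; on an older build the setting has no effect, so add a pointer to where the version can be checked. The wording "applicable only starting with ... and later" is redundant, the sentence has no closing period, and "2012R2" should be "2012 R2" as written in the server onboarding article. Suggested text: "This registry value applies only to MsSense.exe version 10.8210.* or later, or version 10.8049.* or later on Windows Server 2012 R2/2016 with the unified agent."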
security Configure Real Time Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus.md
Last updated 10/22/2021
+search.appverid: met150
# Enable and configure Microsoft Defender Antivirus always-on protection in Group Policy
security Configure Remediation Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus.md
Last updated 10/18/2021
+search.appverid: met150
# Configure remediation for Microsoft Defender Antivirus detections
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
If you've previously onboarded your servers using MMA, follow the guidance provi
The following specifics apply to the new unified solution package for Windows Server 2012 R2 and 2016:
+- An operating system update can introduce an installation issue on machines with slower disks due to a timeout with service installation. Installation fails with the message "Could not find c:\program files\windows defender\mpasdesc.dll, - 310 WinDefend". Please use the latest installation package, as well as the latest [install.ps1](https://github.com/microsoft/mdefordownlevelserver) script to assist in clearing the failed installation if required.
- Ensure connectivity requirements as specified in [Enable access to Microsoft Defender for Endpoint service URLs in the proxy server](/microsoft-365/security/defender-endpoint/configure-proxy-internet?enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server) are met. They're equivalent to those requirements for Windows Server 2019. - We've identified an issue with Windows Server 2012 R2 connectivity to cloud when static TelemetryProxyServer is used **and** the certificate revocation list (CRL) URLs aren't reachable from the SYSTEM account context. The immediate mitigation is to either use an alternative proxy option ("system-wide") that provides such connectivity, or configure the same proxy via the WinInet setting on the SYSTEM account context. Alternatively, use the instructions provided at [Workaround for a known issue with TelemetryProxyServer on disconnected machines](#workaround-for-a-known-issue-with-telemetryproxyserver-on-disconnected-machines) to install a certificate as a workaround.
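Review bot: The new bullet about the "Could not find c:\program files\windows defender\mpasdesc.dll, - 310 WinDefend" failure tells readers to use "the latest installation package" without naming the operating system update that triggers the timeout or the first package version that contains the fix, so a reader cannot tell whether the package they already hold is affected. State both, link to install.ps1 itself rather than the repository root, and drop "Please" so the bullet matches the imperative style of the bullet that follows it.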
security Configure Server Exclusions Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus.md
+search.appverid: met150
# Configure Microsoft Defender Antivirus exclusions on Windows Server
security Configure Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-updates.md
- m365-security-compliance - m365-initiative-defender-endpoint
+search.appverid: met150
# Create a custom gradual rollout process for Microsoft Defender updates
security Configure Vulnerability Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-vulnerability-email-notifications.md
audience: ITPro
+search.appverid: met150
# Configure vulnerability email notifications in Microsoft Defender for Endpoint
security Connected Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/connected-applications.md
audience: ITPro
+search.appverid: met150
# Connected applications in Microsoft Defender for Endpoint
security Contact Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/contact-support.md
audience: ITPro
+search.appverid: met150
# Contact Microsoft Defender for Endpoint support
security Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/controlled-folders.md
Last updated
+search.appverid: met150
# Protect important folders with controlled folder access
security Create Alert By Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/create-alert-by-reference.md
+search.appverid: met150
# Create alert API
security Customize Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-controlled-folders.md
Last updated
+search.appverid: met150
# Customize controlled folder access
security Customize Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-exploit-protection.md
Last updated 08/09/2022
+search.appverid: met150
# Customize exploit protection
security Customize Run Review Remediate Scans Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
+search.appverid: met150
# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
security Data Collection Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-collection-analyzer.md
audience: ITPro
+search.appverid: met150
# Data collection for advanced troubleshooting on Windows
security Data Retention Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-retention-settings.md
audience: ITPro
+search.appverid: met150
+ # Verify data storage location and update data retention settings for Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
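Review bot: In the added line the H1 "# Verify data storage location and update data retention settings for Microsoft Defender for Endpoint" has a space before `#` and carries the `[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]` directive on the same line, so as shown the include becomes part of the heading text. Start the heading at column one and move the include to its own line after a blank line.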
security Data Storage Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/data-storage-privacy.md
audience: ITPro
+search.appverid: met150
# Microsoft Defender for Endpoint data storage and privacy
security Defender Endpoint False Positives Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives.md
- FPFN - admindeeplinkDEFENDER
+search.appverid: met150
# Address false positives/negatives in Microsoft Defender for Endpoint
security Delete Ti Indicator By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/delete-ti-indicator-by-id.md
+search.appverid: met150
# Delete Indicator API
security Deploy Manage Removable Storage Group Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-group-policy.md
+
+ Title: Deploy and manage Removable Storage Access Control using group policy
+description: Use group policy to deploy and manage removable storage access control.
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+++
+ms.technology: mde
Last updated : 09/09/2022+
+search.appverid: met150
++
+# Deploy and manage Removable Storage Access Control using group policy
+
+**Applies to:**
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+> [!NOTE]
+> The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806).
+
+The Removable Storage Access Control feature enables you to apply a policy by using group policy to either user or device, or both.
+
+## Device Control Removable Storage Access Control policies
+
+You can use the following properties to create a removable storage group.
+
+> [!NOTE]
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+
+## Licensing requirements
+
+Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control through group policy, you must have Microsoft 365 E5.
+
+## Deploy using group policy
+
+1. Enable or Disable Removable Storage Access Control:
+
+ You can enable or disable Device control as follows:
+
+ - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control**.
+ - In the **Device Control** window, select **Enabled**.
+
+ :::image type="content" source="images/enable-rsac-gp.png" alt-text="Screenshot of Enabling RSAC using Group Policy " lightbox="images/enable-rsac-gp.png":::
+
+> [!NOTE]
+> If you don't see this group policy objects, you need to add the group policy administrative template. You can download administrative template (WindowsDefender.adml and WindowsDefender.admx) from https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples.
+
+2. Set Default Enforcement:
+
+ You can set default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices).
+
+ For example, you can have either a Deny or an Allow policy for RemovableMediaDevices, but not for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. If you only want to manage storage, make sure to create Allow policy for Printer. Otherwise, this Default Enforcement will be applied to Printer as well.
+
+ - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control** > **Select Device Control Default Enforcement**
+
+ - In the **Select Device Control Default Enforcement** pane, select **Default Deny**:
+
+ :::image type="content" source="images/set-default-enforcement-deny-gp.png" alt-text="Screenshot of setting Default Enforcement = Deny using Group Policy" lightbox="images/set-default-enforcement-deny-gp.png":::
+
+3. Create one XML file for removable storage group(s):
+
+ Use the properties in removable storage group to create an XML file for the Removable storage group(s), save the XML file to network share, and define the setting as follows:
+
+ - Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**.
+
+ :::image type="content" source="images/define-device-control-policy-grps-gp.png" alt-text="Screenshot of Define device control policy groups" lightbox="images/define-device-control-policy-grps-gp.png":::
+
+ - In the **Define device control policy groups** window, specify the network share file path containing the XML groups data.
+
+> [!NOTE]
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+
+4. Create one XML file for access policy rule(s):
+
+ Use the properties in removable storage access policy rule(s) to create a XML for each group's removable storage access policy rule, save the XML file to network share, and devlier the setting setting as follows:
+
+ - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy rules**.
+
+ :::image type="content" source="images/define-device-cntrl-policy-rules-gp.png" alt-text="Screenshot of define device control policy rules" lightbox="images/define-device-cntrl-policy-rules-gp.png":::
+
+ - In the **Define device control policy rules** window, select **Enabled**, and enter the network share file path containing the XML rules data.
+
+> [!NOTE]
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+
+5. Set location for a copy of the file (evidence):
+
+ If you want to have a copy of the file (evidence) when Write access happens, set right **Options** in your removable storage access policy rule in the XML file, and then specify the location where system can save the copy.
+
+ - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define Device Control evidence data remote location**.
+
+ - In the **Define Device Control evidence data remote location** pane, select **Enabled**, and then specify the local or network share folder path.
+
+ :::image type="content" source="images/evidence-data-remote-location-gp.png" alt-text="Screenshot of Define Device Control evidence data remote location." lightbox="images/evidence-data-remote-location-gp.png":::
+
+## Scenarios
+
+Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control. Note that in the following samples, 'Default Enforcement' hasn't been used because the 'Default Enforcement' will apply to both the removable storage and the printer.
+
+### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs
+
+For this scenario, you need to create two groups - one group for any removable storage and another group for approved USBs. You also need to create two policies - one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group.
+
+1. Create groups
+
+ 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.
+
+ ![A screenshot of removable storage](https://user-images.githubusercontent.com/81826151/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png)
+
+ 2. Group 2: Approved USBs based on device properties.
+
+ ![A screenshot of approved USBs](https://user-images.githubusercontent.com/81826151/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png)
+
+ Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml). See step 3 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.
+
+ > [!TIP]
+ > Replace `&` with `&amp;` in the value.
+
+2. Create policy
+
+ 1. Policy 1: Block Write and Execute access for any removable storage group but allow approved USBs.
+
+ ![A screenshot of block write and execute access](https://user-images.githubusercontent.com/81826151/188237490-d736ace1-4912-4788-9e94-3fc506692a41.png)
++
+ 2. Policy 2: Audit Write and Execute access for allowed USBs.
+
+ ![A screenshot of audit write and execute access](https://user-images.githubusercontent.com/81826151/188237598-b28dd534-9ea4-4cdd-832b-afff50f9897b.png)
+
+ What does '54' mean in the policy? It's 18 + 36 = 54:
+
+ - Write access: disk level 2 + file system level 16 = 18.
+ - Execute: disk level 4 + file system level 32 = 36.
+
+ Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Scenario%201%20GPO%20Policy%20-%20Prevent%20Write%20and%20Execute%20access%20to%20all%20but%20allow%20specific%20approved%20USBs.xml). See step 4 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.
+
+### Scenario 2: Audit Write and Execute access for all but block specific blocked USBs
+
+For this scenario, you need to create two groups - one group for any removable storage and another group for blocked USBs. You also need to create two policies - one policy to audit Write and Execute access for any removable storage group and the other policy to deny the blocked USBs group.
+
+1. Create groups
+
+ 1. Group 1: Any removable storage, CD/DVD, and windows portable devices.
+
+ ![A screenshot of removable storage in groups](https://user-images.githubusercontent.com/81826151/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png)
+
+ 2. Group 2: Blocked USBs based on device properties.
+
+ ![A screenshot of blocked USBs](https://user-images.githubusercontent.com/81826151/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png)
+
+ Combine these two groups into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml). See step 3 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.
+
+ > [!TIP]
+ > Replace `&` with `&amp;` in the value.
+
+2. Create policy
+
+ 1. Policy 1: Block Write and Execute access for all but block specific unapproved USBs.
+
+ ![A screenshot of specific unapproved USBs](https://user-images.githubusercontent.com/81826151/188239025-218a1985-b198-4f7e-b323-b4b6fb7e274e.png)
+
+ 2. Policy 2: Audit Write and Execute access for others.
+
+ ![A screenshot of audit write and execute access in group policy](https://user-images.githubusercontent.com/81826151/188239144-3e6a2781-6927-487a-aa01-498a0904ad98.png)
+
+ What does '54' mean in the policy? It's 18 + 36 = 54:
+
+ - Write access: disk level 2 + file system level 16 = 18.
+ - Execute: disk level 4 + file system level 32 = 36.
+
+ Combine these two policy rules into [one XML file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Scenario%202%20GPO%20Policy%20-%20Audit%20Write%20and%20Execute%20access%20to%20all%20but%20block%20specific%20unapproved%20USBs.xml). See step 4 from the [Deploy using group policy](deploy-manage-removable-storage-group-policy.md#deploy-using-group-policy) section to deploy this configuration.
+
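Review bot: Scenario 2 is titled "Audit Write and Execute access for all but block specific blocked USBs", yet its Policy 1 reads "Block Write and Execute access for all but block specific unapproved USBs", which contradicts both the title and the intro sentence (audit any removable storage, deny only the blocked USBs group); retitle it along the lines of "Policy 1: Block Write and Execute access for specific unapproved USBs". In the same scenario, Group 2 "Blocked USBs" reuses the image shown for Scenario 1's approved USBs group (188234372-...) and both scenarios link the same Demo_Groups.xml, so confirm the blocked group is really what the screenshot and sample file define. Smaller points: step 4 has "devlier the setting setting", the section "Device Control Removable Storage Access Control policies" promises "the following properties" but lists none, and the Group Policy path includes Features in steps 1 and 2 but not in steps 3 to 5.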
security Deploy Manage Removable Storage Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune.md
+
+ Title: Deploy and manage Removable Storage Access Control using Intune
+description: Use Intune OMA-URI and Intune user interface to deploy and manage removable storage access control.
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+++
+ms.technology: mde
Last updated : 09/09/2022+
+search.appverid: met150
++
+# Deploy and manage Removable Storage Access Control using Intune
+
+**Applies to:**
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+> [!NOTE]
+> The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806).
+
+The Removable Storage Access Control feature enables you to apply policy by using OMA-URI to either user or device, or both.
+
+## Licensing requirements
+
+Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3.
+
+### Permission
+
+For policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions.
+
+- Policy and profile Manager role
+- Custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles
+- Global administrator
+
+## Deploy Removable Storage Access Control by using Intune OMA-URI
+
+Go to Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) > **Devices** > **Create profile** > **Platform: Windows 10 and later, Profile type: Templates** > Custom**.
+
+1. Enable or Disable Device control as follows:
+
+ - Under **Custom** > **Configuration settings**, select **Add**.
+ - In the **Add Row** pane, specify the following settings:
+ - **Name** as **Enable Device Control**
+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`
+ - **Data Type** as **Integer**
+ - **Value** as **1**
+
+ `Disable: 0`
+ `Enable: 1`
+
+ - Select **Save**.
+
+ :::image type="content" source="images/enable-rsac.png" alt-text="Screenshot of enabling Removable Storage Access Control policy" lightbox="images/enable-rsac.png":::
+
+2. Set Default Enforcement:
+
+ You can set the default access (Deny or Allow) for all Device Control features (`RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`).
+
+ For example, you can have either a **Deny** or an **Allow** policy for `RemovableMediaDevices`, but not for `CdRomDevices` or `WpdDevices`. You can set **Default Deny** through this policy, then Read/Write/Execute access to `CdRomDevices` or `WpdDevices` will be blocked. If you only want to manage storage, make sure to create an **Allow** policy for your printer; otherwise, this default enforcement will be applied to printers as well.
+
+ - In the **Add Row** pane, specify the following settings:
+ - **Name** as **Default Deny**
+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`
+ - **Data Type** as **Integer**
+ - **Value** as **1** or **2**
+
+ `DefaultEnforcementAllow = 1`
+ `DefaultEnforcementDeny = 2`
+
+ - Select **Save**.
+
+ :::image type="content" source="images/default-deny.png" alt-text="Screenshot of setting Default Enforcement as Deny" lightbox="images/default-deny.png":::
+
+3. Create one XML file for each group:
+
+ You can create a removable storage group for each group as follows:
+
+ - In the **Add Row** pane, enter:
+ - **Name** as **Any Removable Storage Group**
+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b**[GroupId]**%7d/GroupData`
+ - **Data Type** as **String (XML file)**
+ - **Custom XML** as selected XML file
+
+ Here is one group example XML file for any removable storage and CDROM and Windows portable devices: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml>
+
+ :::image type="content" source="images/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group." lightbox="images/any-removable-storage-group.png":::
+
+> [!NOTE]
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+
+4. Create one XML file for each access control or policy rule:
+
+ You can create a policy and apply it to related removable storage group as follows:
+
+ - In the **Add Row** pane, enter:
+ - **Name** as **Allow Read Activity**
+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7b**[PolicyRule Id]**%7d/RuleData`
+ - **Data Type** as **String (XML file)**
+ - **Custom XML** as **Allow Read.xml** file
+
+ Here is one group example XML file for Allow Read access for each removable storage: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml>
+
+ :::image type="content" source="images/allow-read-activity.png" alt-text="Screenshot of Allow Read Activity policy" lightbox= "images/allow-read-activity.png":::
+
+> [!NOTE]
+> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+
+5. Set location for a copy of the file (evidence):
+
+ If you want to have a copy of the file (evidence) when Write access happens, set right **Options** in your removable storage access policy rule in the XML file, and then specify the location where system can save the copy.
+
+ - In the **Add Row** pane, enter:
+ - **Name** as **Evidence folder location**
+ - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DataDuplicationRemoteLocation`
+ - **Data Type** as **String**
+
+ :::image type="content" source="../../media/device-control-oma-uri-edit-row.png" alt-text="Set location for file evidence":::
+
+## Scenarios
+
+Here are some common scenarios to help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control.
+
+### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs
+
+For this scenario, you need to create two groups - one group for any removable storage and another group for approved USBs. You also need to create two policies - one policy to deny Write and Execute access for any removable storage group and the other policy to audit the approved USBs group.
+
+1. Create groups
+
+ 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.
+
+ :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot showing removable storage" lightbox= "media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::
+
+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.
+
+ 2. Group 2: Approved USBs based on device properties.
+
+ :::image type="content" source="media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" alt-text="A screenshot of approved USBs" lightbox= "media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png":::
+
+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Approved%20USBs%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.
+
+ > [!TIP]
+ > Replace `&` with `&amp;` in the value in the XML file.
+
+2. Create policy
+
+ 1. Policy 1: Block Write and Execute access for any removable storage group but allow approved USBs.
+
+ :::image type="content" source="media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png" alt-text="A screenshot of policy 1" lightbox= "media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png":::
+
+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.
+
+ 2. Policy 2: Audit Write and Execute access for allowed USBs.
+
+ :::image type="content" source="media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png" alt-text="A screenshot of policy 2" lightbox= "media/188243552-5d2a90ab-dba6-450f-ad8f-86a862f6e739.png":::
+
+ What does '54' mean in the policy? It's 18 + 36 = 54:
+
+ - Write access: disk level 2 + file system level 16 = 18.
+ - Execute: disk level 4 + file system level 32 = 36.
+
+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Audit%20Write%20and%20Execute%20access%20to%20aproved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.
+
+### Scenario 2: Audit Write and Execute access for all but block specific blocked USBs
+
+For this scenario, you need to create two groups - one group for any removable storage and another group for blocked USBs. You also need to create two policies - one policy to audit Write and Execute access for any removable storage group and the other policy to deny the blocked USBs group.
+
+1. Create groups
+
+ 1. Group 1: Any removable storage, CD/DVD, and Windows portable devices.
+
+ :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot of group 1" lightbox="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::
+
+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.
+
+ 2. Group 2: Unapproved USBs based on device properties.
+
+ :::image type="content" source="media/188243875-0693ebcf-00c3-45bd-afd3-57a79df9dce6.png" alt-text="A screenshot of group 2" lightbox= "media/188243875-0693ebcf-00c3-45bd-afd3-57a79df9dce6.png":::
+
+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Unapproved%20USBs%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.
++
+ > [!TIP]
+ > Replace `&` with `&amp;` in the value in the XML file.
+
+2. Create policy
+
+ 1. Policy 1: Block Write and Execute access for all but block specific unapproved USBs.
+
+ :::image type="content" source="media/188244024-62355ded-353c-4d3a-ba61-4520d48f5a18.png" alt-text="A screenshot of policy for blocking unapproved USBs" lightbox= "media/188244024-62355ded-353c-4d3a-ba61-4520d48f5a18.png":::
+
+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%202%20Audit%20Write%20and%20Execute%20access%20to%20all%20but%20block%20specific%20unapproved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.
+
+ 2. Policy 2: Audit Write and Execute access for others.
+
+ :::image type="content" source="media/188244203-36c869b6-9330-4e2a-854b-494c342bb77d.png" alt-text="A screenshot of audit write and execute access" lightbox= "media/188244203-36c869b6-9330-4e2a-854b-494c342bb77d.png":::
+
+ What does '54' mean in the policy? It's 18 + 36 = 54:
+
+ - Write access: disk level 2 + file system level 16 = 18.
+ - Execute: disk level 4 + file system level 32 = 36.
+
+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%202%20Audit%20Write%20and%20Execute%20access%20to%20others.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.
+
+## Use Intune user interface
+
+This capability is available in the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>).
+
+Go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform: Windows 10 and later** with **Profile: Device Control**.
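Review bot: The Scenario 2 titles contradict the scenario they describe. The heading says "for all but block specific blocked USBs" and Policy 1 says "Block Write and Execute access for all but block specific unapproved USBs", while the intro states that this policy only denies the blocked USBs group. Suggest "Policy 1: Block Write and Execute access for specific unapproved USBs", and pick one term throughout, since the intro says "blocked USBs" and Group 2 says "Unapproved USBs". The "What does '54' mean" block is also repeated verbatim in both scenarios and presents the mask as a plain sum; a single explanation that these are the flag values 2, 4, 16 and 32 combined, matching the binary OR wording in the AccessMask property description, would be clearer. There is a stray `++` line just before the TIP in Scenario 2.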
security Deploy Manage Report Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md
- M365-security-compliance
+search.appverid: met150
# Deploy, manage, and report on Microsoft Defender Antivirus
security Deploy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus.md
+search.appverid: met150
# Deploy and enable Microsoft Defender Antivirus
security Deployment Phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-phases.md
- highpri
+search.appverid: met150
# Microsoft Defender for Endpoint deployment overview
security Deployment Rings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-rings.md
- highpri
+search.appverid: met150
# Deploy Microsoft Defender for Endpoint in rings
security Deployment Strategy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Plan your Microsoft Defender for Endpoint deployment
security Deployment Vdi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus.md
+search.appverid: met150
# Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
security Detect Block Potentially Unwanted Apps Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+search.appverid: met150
# Detect and block potentially unwanted applications
security Device Control Removable Storage Access Control Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control-faq.md
+
+ Title: Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions
+description: Answers frequently asked questions on MDE device control removable storage.
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+++
+ms.technology: mde
Last updated : 08/25/2022+
+search.appverid: met150
++
+# Microsoft Defender for Endpoint Device Control Removable Storage frequently asked questions
+
+**Applies to:**
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+## How do I generate GUID for Group ID/PolicyRule ID/Entry ID?
+
+You can generate the GUID through online open source, or through PowerShell. For more information, see [How to generate GUID through PowerShell](/powershell/module/microsoft.powershell.utility/new-guid).
+
+![Screenshot of GUID in PowerShell.](https://user-images.githubusercontent.com/81826151/159046476-26ea0a21-8087-4f01-b8ae-5aa73b392d8f.png)
+
+## What are the removable storage media and policy limitations?
+
+The backend call is done through OMA-URI (GET to read or PATCH to update) either from the Microsoft Endpoint Manager admin center (Intune), or through Microsoft Graph API. The limitation is the same as any OMA-URI custom configuration profile at Microsoft, which is officially 350,000 characters for XML files.
+
+For example, if you need two blocks of entries per user SID to "Allow" / "Audit allowed" specific users, and then two blocks of entries at the end to "Deny" all, you'll be able to manage 2,276 users.
+
+## Why doesn't the policy work?
+
+1. The most common reason is there's no required [anti-malware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints).
+
+2. Another reason could be that the XML file isn't correctly formatted. For example, not using the correct markdown formatting for the "&" character in the XML file or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files causing the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**), and then update.
+
+3. If you're deploying and managing the policy by using Group Policy, make sure to combine all PolicyRule into one XML file within a parent node called PolicyRules. Also combine all Group into one XML file within a parent node called Groups. If you manage through Intune, keep one PolicyRule one XML file, and one Group one XML file.
+
+If it still doesn't work, contact support, and share your support cab. To get that file, use Command Prompt as an administrator:
+
+`"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles`
+
+## Why is there no configuration UX for some policy groups?
+
+There is no configuration UX for **Define device control policy groups** and **Define device control policy rules** on your Group Policy. But, you can still get the related .adml and .admx files by selecting **Raw** and **Save as** at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.
+
+## How do I confirm that the latest policy has been deployed to the target machine?
+
+You can run the PowerShell cmdlet `Get-MpComputerStatus` as an administrator. The following value will show whether the latest policy has been applied to the target machine.
++
+## How can I know which machine is using out of date anti-malware client version in the organization?
+
+You can use following query to get anti-malware client version on the Microsoft 365 security portal:
+
+```kusto
+//check the anti-malware client version
+DeviceFileEvents
+|where FileName == "MsMpEng.exe"
+|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
+|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
+//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
+|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
+|order by PlatformVersion desc
+```
+
+## How do I find the media property in the Device Manager?
+
+1. Plug in the media.
+
+2. Open Device Manager.
+
+ ![Screenshot of Device Manager.](https://user-images.githubusercontent.com/81826151/181859412-affd6aa1-09ad-44bf-9541-330499cc2c87.png)
+
+3. Locate the media in the Device Manager, right-click, and then select **Properties**.
+
+ :::image type="content" alt-text="Screenshot of media in the Device Manager." source="https://user-images.githubusercontent.com/81826151/181859700-62a6f704-b12e-41e3-a048-7d63432654a4.png":::
+
+4. Open **Details**, and select **Properties**.
+
+ :::image type="content" alt-text="Screenshot of device property in Device Manager." source="https://user-images.githubusercontent.com/81826151/181859852-00bc8b11-8ee5-4d46-9770-fa29f894d13f.png":::
+
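Review bot: The answer under "How do I confirm that the latest policy has been deployed to the target machine?" ends with "The following value will show whether the latest policy has been applied" and then nothing follows before the next heading. Name the `Get-MpComputerStatus` field the reader should look at, or restore the missing screenshot. In "Why doesn't the policy work?", item 2 talks about "the correct markdown formatting for the "&" character"; this is XML escaping, so say that `&` must be written as `&amp;`, as the tip in the Intune article does. In the query, `tostring(split(FolderPath, "\\", 5))` still returns an array when an index is passed, so PlatformVersion is rendered as a one-element array string; `tostring(split(FolderPath, "\\")[5])` gives the bare version. "Through online open source" in the GUID answer is also too vague to act on.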
security Device Control Removable Storage Access Control https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control.md
Previously updated : 08/08/2022 Last updated : 09/09/2022
+search.appverid: met150
# Microsoft Defender for Endpoint Device Control Removable Storage Access Control
> [!NOTE] > The Group Policy management and Intune OMA-URI/Custom Policy management of this product are now generally available (4.18.2106): See [Tech Community blog: Protect your removable storage and printer with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806).
-## Device Control Removable Storage Access Control Overview
+## Overview
Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature enables you to audit, allow or prevent the read, write or execute access to removable storage with or without exclusion.
Microsoft Defender for Endpoint Device Control Removable Storage Access Control
Microsoft Defender for Endpoint Device Control Removable Storage Access Control feature gives you the following capabilities:
-|Capability|Deploy through Intune|Deploy through Group Policy|
-||||
-|Removable Media Group Creation <br/>Allows you to create reusable removable media group|Step 4 and 6 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri)| Step 4 and 6 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|
-|Policy Creation<br/>Allows you to create policy to enforce each removable media group|Step 5 and 7 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri)| Steps 5 and 7 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|
-|Default Enforcement<br/>Allows you to set default access (Deny or Allow) to removable media if there is no policy|Step 2 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri) | Step 2 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|
-|Enable or Disable Removable Storage Access Control<br/>If you set Disable, it will disable the Removable Storage Access Control policy on this machine| Step 1 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri)| Step 1 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|
-|Capture file information<br/>Allows you to create policy to capture file information when Write access happens| | Step 10 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy) |
- ### Prepare your endpoints
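Review bot: Removing the capability table leaves the sentence ending "gives you the following capabilities:" with nothing after it in the visible lines, so it now runs straight into "Prepare your endpoints". Either remove that lead-in sentence as well, or replace the table with a short list of the capabilities that links to the new deployment articles instead of the old in-page step anchors.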
-Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices that have antimalware client version **4.18.2103.3 or later**.
+Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices that have the anti-malware client version **4.18.2103.3 or later**.
- **4.18.2104 or later**: Add `SerialNumberId`, `VID_PID`, filepath-based GPO support, and `ComputerSid` - **4.18.2105 or later**: Add Wildcard support for `HardwareId/DeviceId/InstancePathId/FriendlyNameId/SerialNumberId`, the combination of specific user on specific machine, removeable SSD (a SanDisk Extreme SSD)/USB Attached SCSI (UAS) support -- **4.18.2107 or later**: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets); add `AccountName` into [advanced hunting](device-control-removable-storage-access-control.md#view-device-control-removable-storage-access-control-data-in-microsoft-defender-for-endpoint)
+- **4.18.2107 or later**: Add Windows Portable Device (WPD) support (for mobile devices, such as tablets); add `AccountName` into [advanced hunting](device-control-removable-storage-access-control.md#view-data-in-microsoft-defender-for-endpoint)
-- **4.18.2205 or later**: Expand the default enforcement to **Printer**. If you set it to **Deny**, it will block Printer as well, so if you only want to manage storage, make sure to create a custom policy to allow Printer.
+- **4.18.2205 or later**: Expand the default enforcement to **Printer**. If you set it to **Deny**, it will block Printer as well, so if you only want to manage storage, make sure to create a custom policy to allow Printer
> [!NOTE] > None of Windows Security components need to be active as you can run Removable Storage Access Control independent of Windows Security status.
-## Device Control Removable Storage Access Control Policies
+## Device Control Removable Storage Access Control properties
-You can use the following properties to create a removable storage group:
+The Removable Storage Access Control includes Removable storage group creation and access policy rule creation:
-> [!NOTE]
-> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.
+ - Removable storage group allows you to create group. For example, authorized USB group or encrypted USB group.
+ - Access policy rule allows you to create policy to restrict each removable storage group. For example, only allow authorized user to Write access-authorized USB group.
-### Removable Storage Group
+Here are the properties you can use when you create the group and policy XML files.
+
+### Removable storage group
|Property Name|Description|Options| |||| |**GroupId**|GUID, a unique ID, represents the group and will be used in the policy.||
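Review bot: The two added bullets need an edit pass. "allows you to create group" is missing an article, and "only allow authorized user to Write access-authorized USB group" is hard to parse; something like "only allow authorized users Write access to the authorized USB group" reads cleanly. The intro sentence also capitalizes "Removable storage group creation" mid-sentence. Separately, this change drops the note that XML comments must sit inside the first XML tag and not on the first line of the file. If that constraint still applies, keep it here or move it into the FAQ's "Why doesn't the policy work?" list, because it is a parsing failure mode readers will hit.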
-|**DescriptorIdList**|List the device properties you want to use to cover in the group. All properties are case sensitive. |**PrimaryId**: The Primary ID includes `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`. <p>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. It is the `Device instance path` in the Device Manager. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`. <p>**DeviceId**: To transform `Device instance path` to Device ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07` <p>**HardwareId**: A string that identifies the device in the system, for example, `USBSTOR\DiskGeneric_Flash_Disk___8.07`, It is `Hardware Ids` in the Device Manager. <br>**Note**: Hardware Id is not unique; different devices might share the same value.<p>**FriendlyNameId**: It is a string attached to the device, for example, `Generic Flash Disk USB Device`. It is the `Friendly name` in the Device Manager. <p>**BusId**: For example, USB, SCSI <p>**SerialNumberId**: You can find SerialNumberId from `Device instance path` in the Device Manager, for example, `03003324080520232521` is SerialNumberId in USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\\`03003324080520232521`&0 <p>**VID_PID**: Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcard. To transform `Device instance path` to Vendor ID and Product ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). 
For example: <br>`0751_55E0`: match this exact VID/PID pair<br>`_55E0`: match any media with PID=55E0 <br>`0751_`: match any media with VID=0751 <p> **Note**: See [How do I find the media property in the Device Manager?](#how-do-i-find-the-media-property-in-the-device-manager) under [Frequently asked questions](#frequently-asked-questions) section below to understand how to find the property in Device Manager.|
+|**DescriptorIdList**|List the device properties you want to use to cover in the group. All properties are case sensitive. |**PrimaryId**: The Primary ID includes `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`. <p>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. It's the `Device instance path` in the Device Manager. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`. <p>**DeviceId**: To transform `Device instance path` to Device ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07` <p>**HardwareId**: A string that identifies the device in the system, for example, `USBSTOR\DiskGeneric_Flash_Disk___8.07`. It's `Hardware Ids` in the Device Manager. <br>**Note**: Hardware ID is not unique; different devices might share the same value.<p>**FriendlyNameId**: It's a string attached to the device, for example, `Generic Flash Disk USB Device`. It's the `Friendly name` in the Device Manager. <p>**BusId**: For example, USB, SCSI <p>**SerialNumberId**: You can find SerialNumberId from `Device instance path` in the Device Manager, for example, `03003324080520232521` is SerialNumberId in USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\\`03003324080520232521`&0 <p>**VID_PID**: Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcard. To transform `Device instance path` to Vendor ID and Product ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). 
For example: <br>`0751_55E0`: match this exact VID/PID pair<br>`_55E0`: match any media with PID=55E0 <br>`0751_`: match any media with VID=0751 <p> **Note**: See [How do I find the media property in the Device Manager?](device-control-removable-storage-access-control-faq.md#how-do-i-find-the-media-property-in-the-device-manager) to understand how to find the property in Device Manager.|
|**MatchType**|When there are multiple device properties being used in the `DescriptorIDList`, MatchType defines the relationship.|**MatchAll**: Any attributes under the `DescriptorIdList` will be **And** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will check to see whether the USB meets both values. <p> **MatchAny**: The attributes under the DescriptorIdList will be **Or** relationship; for example, if administrator puts `DeviceID` and `InstancePathID`, for every connected USB, system will do the enforcement as long as the USB has either an identical **DeviceID** or **InstanceID** value.|
-### Access Control Policy
+### Access policy rule
+ You can use the following properties to create the access control policy: | Property Name | Description | Options | |||| | **PolicyRule Id** | GUID, a unique ID, represents the policy and will be used in the reporting and troubleshooting. | | | **IncludedIdList** | The group(s) that the policy will be applied to. If multiple groups are added, the policy will be applied to any media in all those groups.|The Group ID/GUID must be used at this instance. <p> The following example shows the usage of GroupID: <p> `<IncludedIdList> <GroupId> {EAA4CCE5-F6C9-4760-8BAD-FDCC76A2ACA1}</GroupId> </IncludedIdList>` |
-| **ExcludedIDList** | The group(s) that the policy will not be applied to. | The Group ID/GUID must be used at this instance. |
+| **ExcludedIDList** | The group(s) that the policy won't be applied to. | The Group ID/GUID must be used at this instance. |
| **Entry Id** | One PolicyRule can have multiple entries; each entry with a unique GUID tells Device Control one restriction.| | | **Type** | Defines the action for the removable storage groups in IncludedIDList. <p>Enforcement: Allow or Deny <p>Audit: AuditAllowed or AuditDenied<p> | Allow<p>Deny <p>AuditAllowed: Defines notification and event when access is allowed <p>AuditDenied: Defines notification and event when access is denied; has to work together with **Deny** entry.<p> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**. |
-| **Sid** | Local user Sid or user Sid group or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine. | |
-| **ComputerSid** | Local computer Sid or computer Sid group or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry. | |
-| **Options** | Defines whether to display notification or not |**When Type Allow is selected**: <p>0: nothing<p>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Allow** happens and the AuditAllowed is setting configured, the system will not send event. <p>8: capture file information and have a copy of the file as evidence for Write access. <p>16: capture file information for Write access. <p>**When Type Deny is selected**: <p>0: nothing<p>4: disable **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification. <p>**When Type **AuditAllowed** is selected**: <p>0: nothing <p>1: nothing <p>2: send event<p> **When Type **AuditDenied** is selected**: <p>0: nothing <p>1: show notification <p>2: send event<p>3: show notification and send event |
+| **SID** | Local user SID or user SID group or the SID of the AD object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means applying the policy over the machine. | |
+| **ComputerSID** | Local computer SID or computer SID group or the SID of the AD object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry. | |
+| **Options** | Defines whether to display notification or not |**When Type Allow is selected**: <p>0: nothing<p>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Allow** happens and the AuditAllowed is setting configured, the system won't send event. <p>8: capture file information and have a copy of the file as evidence for Write access. <p>16: capture file information for Write access. <p>**When Type Deny is selected**: <p>0: nothing<p>4: disable **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system won't show notification. <p>**When Type **AuditAllowed** is selected**: <p>0: nothing <p>1: nothing <p>2: send event<p> **When Type **AuditDenied** is selected**: <p>0: nothing <p>1: show notification <p>2: send event<p>3: show notification and send event |
|AccessMask|Defines the access. | **Disk level access**: <p>1: Read <p>2: Write <p>4: Execute <p>**File system level access**: <p>8: File system Read <p>16: File system Write <p>32: File system Execute <p><p>You can have multiple access by performing binary OR operation, for example, the AccessMask for Read and Write and Execute will be 7; the AccessMask for Read and Write will be 3.|
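Review bot: Renaming the first-column entries from **Sid** and **ComputerSid** to **SID** and **ComputerSID** makes the table disagree with the rest of the page. The other entries in this column (IncludedIdList, ExcludedIDList, AccessMask) read as the names used in the policy XML, and the version notes under "Prepare your endpoints" still spell it `ComputerSid`. Suggest keeping `Sid` and `ComputerSid` as the property names and using "SID" only in the description text, so nobody copies the capitalized form into a rule file. The rewritten Options row also carries over "the AuditAllowed is setting configured" and "the AuditDenied is setting configured"; both should read "setting is configured".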
-## Device Control Removable Storage Access Control Scenarios
-
-To help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control, we have put together some common scenarios for you to follow.
-
-### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs
-
-1. Create groups
-
- 1. Group 1: Any removable storage and CD/DVD. An example of a removable storage and CD/DVD is: Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
- 2. Group 2: Approved USBs based on device properties. An example for this use case is:
- Instance ID - Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Approved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
- > [!TIP]
- > Replace `&` with `&amp;` in the value.
-
-2. Create policy
-
- 1. Policy 1: Block Write and Execute Access but allow approved USBs. An example for this use case is: PolicyRule **c544a991-5786-4402-949e-a032cb790d0e** in the sample [Scenario 1 Block Write and Execute Access but allow approved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
- 2. Policy 2: Audit Write and Execute access to allowed USBs. An example for this use case is: PolicyRule **36ae1037-a639-4cff-946b-b36c53089a4c** in the sample [Scenario 1 Audit Write and Execute access to approved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
-### Scenario 2: Audit Write and Execute access to all but block specific unapproved USBs
-
-1. Create groups
-
- 1. Group 1: Any removable storage and CD/DVD. An example for this use case is:
- Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
- 2. Group 2: Unapproved USBs based on device properties, for example, Vendor ID / Product ID, Friendly Name - Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Unapproved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
- > [!TIP]
- > Replace `&` with `&amp;` in the value.
-
-2. Create policy
-
- 1. Policy 1: Block Write and Execute access to all but block specific unapproved USBs. An example of this use case is: PolicyRule **23b8e437-66ac-4b32-b3d7-24044637fc98** in the sample [Scenario 2 Audit Write and Execute access to all but block specific unapproved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
- 2. Policy 2: Audit Write and Execute access to others. An example of this use case is: PolicyRule **b58ab853-9a6f-405c-a194-740e69422b48** in the sample [Scenario 2 Audit Write and Execute access to others.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.
-
-## Deploying and managing Removable Storage Access Control by using Intune OMA-URI
-
-The Removable Storage Access Control feature enables you to apply policy by using OMA-URI to either user or device, or both.
-
-### Licensing requirements
-
-Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.
-
-### Permission
-
-For policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions.
--- Policy and profile Manager role-- Custom role with Create/Edit/Update/Read/Delete/View Reports permissions turned on for Device Configuration profiles-- Global administrator-
-### Deploying Removable Storage Access Control by using Intune OMA-URI
-
-To block a specific removable storage class but allow specific media, you can use 'IncludedIdList a group through PrimaryId and ExcludedIDList a group through DeviceId/HardwareId/etc.'
-
-Go to Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) > **Devices** > **Create profile** > **Platform: Windows 10 and later, Profile type: Templates** > Custom**
-
-1. Enable or Disable Device control as follows:
-
- - Under **Custom** > **Configuration settings**, select **Add**.
- - In the **Add Row** pane, specify the following settings:
- - **Name** as **Enable Device Control**
- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`
- - **Data Type** as **Integer**
- - **Value** as **1**
-
- `Disable: 0`
- `Enable: 1`
-
- - Select **Save**.
-
- :::image type="content" source="images/enable-rsac.png" alt-text="Screenshot of enabling Removable Storage Access Control policy" lightbox="images/enable-rsac.png":::
-
-2. Set Default Enforcement:
-
- You can set the default access (Deny or Allow) for all Device Control features (`RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`).
-
- For example, you can have either a **Deny** or an **Allow** policy for `RemovableMediaDevices`, but not for `CdRomDevices` or `WpdDevices`. You can set **Default Deny** through this policy, then Read/Write/Execute access to `CdRomDevices` or `WpdDevices` will be blocked. If you only want to manage storage, make sure to create an **Allow** policy for your printer; otherwise, this default enforcement will be applied to printers as well.
-
- - In the **Add Row** pane, specify the following settings:
- - **Name** as **Default Deny**
- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`
- - **Data Type** as **Integer**
- - **Value** as **1** or **2**
-
- `DefaultEnforcementAllow = 1`
- `DefaultEnforcementDeny = 2`
-
- - Select **Save**.
-
- :::image type="content" source="images/default-deny.png" alt-text="Screenshot of setting Default Enforcement as Deny" lightbox="images/default-deny.png":::
-
-3. Audit Default Deny:
-
- You can create an Audit policy for Default Deny as follows:
-
- - In the **Add Row** pane, enter:
- - **Name** as **Audit Default Deny**
- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bf3520ea7-fd1b-4237-8ebc-96911db44f8e%7d/RuleData`
-
- :::image type="content" source="images/audit-default-deny-1.png" alt-text="Screenshot of creating Audit Default Deny policy." lightbox="images/audit-default-deny-1.png":::
-
- - **Data Type** as **String (XML file)**
- - **Custom XML** as **Audit Default Deny.xml** file.
-
- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Audit%20Default%20Deny.xml>
-
- Use the following XML data to create your Audit policy for Default Deny:
-
- :::image type="content" source="images/audit-default-deny-xml-file-1.png" alt-text="Screenshot of audit default deny xml file.":::
-
-4. ReadOnly - Group:
-
- You can create a removable storage group with ReadOnly access as follows:
-
- - In the **Add Row** pane, enter:
- - **Name** as **Any Removable Storage Group**
- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData`
-
- :::image type="content" source="images/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group." lightbox="images/any-removable-storage-group.png":::
-
- - **Data Type** as **String (XML file)**
- - **Custom XML** as **Any Removable Storage and CD-DVD and WPD Group.xml** file
-
- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml>
-
- Use the following XML data to create 'Any Removable Storage and CD-DVD and WPD Group' with ReadOnly access:
-
- :::image type="content" source="images/read-only-group-xml-file.png" alt-text="Screenshot of read only group xml file":::
-
-5. ReadOnly - Policy:
-
- You can create a ReadOnly policy and apply it to the ReadOnly removable storage group to allow read activity as follows:
-
- - In the **Add Row** pane, enter:
- - **Name** as **Allow Read Activity**
- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bf7e75634-7eec-4e67-bec5-5e7750cb9e02%7d/RuleData`
-
- :::image type="content" source="images/allow-read-activity.png" alt-text="Screenshot of Allow Read Activity policy" lightbox= "images/allow-read-activity.png":::
-
- - **Data Type** as **String (XML file)**
- - **Custom XML** as **Allow Read.xml** file
-
- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml>
-
- Use the following XML data to create ReadOnly policy and apply to the ReadOnly removable storage group:
-
- :::image type="content" source="images/read-only-policy-xml-file.png" alt-text="Screenshot of read only policy xml file":::
-
-6. Create a Group for Allowed Media: You can create your allowed media group as follows:
- - In the **Add Row** pane, enter:
- - **Name** as **Approved USBs Group**
- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b65fa649a-a111-4912-9294-fb6337a25038%7d/GroupData`
-
- :::image type="content" source="images/create-group-allowed-medias.png" alt-text="Screenshot of creating Approved USBs group" lightbox="images/create-group-allowed-medias.png":::
-
- - **Data Type** as **String (XML file)**
- - **Custom XML** as **Approved USBs Group.xml** file
-
- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Approved%20USBs%20Group.xml>
-
- Use the following XML data to create allowed media group:
-
- :::image type="content" source="images/create-group-allowed-medias-xml-file.png" alt-text="Screenshot of creating group for allowed medias xml file":::
-
-7. Create a policy to allow the approved USB Group: You can create a policy to allow the approved USB group as follows:
- - In the **Add Row** pane, enter:
- - **Name** as **Allow access and Audit file information**
- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bb2061588-029e-427d-8404-6dfec096a571%7d/RuleData`
-
- :::image type="content" source="images/allow-access-audit-file-information-1.png" alt-text="Screenshot of Allow access and audit file information" lightbox= "images/allow-access-audit-file-information-1.png":::
-
- - **Data Type** as **String (XML file)**
- - **Custom XML** as **Allow full access and audit file.xml** file
-
- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20full%20access%20and%20audit%20file.xml>
-
- Use the following XML data to create policy to allow the approved USB group:
-
- :::image type="content" source="images/create-policy-allow-approved-usb-group-xml-intune.png" alt-text="Screenshot of creating policy to allow the approved USB Group XML file":::
-
- What does '47' mean in the policy? It's 9 + 2 + 36 = 47:
-
- - Read access: 1 + 8 = 9.
- - Write access: disk level 2.
- - Execute: 4 + 32 = 36.
-
-## Deploying and managing policy by using Intune user interface
-
-This capability is available in the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>). Go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform: Windows 10 and later** with **Profile: Device Control**.
-
-## Deploying and managing Removable Storage Access Control by using Group Policy
+For specific guidance, see:
-The Removable Storage Access Control feature enables you to apply a policy by using Group Policy to either user or device, or both.
-
-### Licensing
-
-Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.
-
-### Deploying Removable Storage Access Control by using Group Policy
-
-1. Enable or Disable Removable Storage Access Control:
-
- You can enable Device control as follows:
-
- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control**
- - In the **Device Control** window, select **Enabled**.
-
- :::image type="content" source="images/enable-rsac-gp.png" alt-text="Screenshot of Enabling RSAC using Group Policy " lightbox="images/enable-rsac-gp.png":::
-
-> [!NOTE]
-> If you don't see this group policy objects, you need to add group policy administrative template. you can download administrative template (WindowsDefender.adml and WindowsDefender.admx) from https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples.
-
-2. Set Default Enforcement:
-
- You can set default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices).
-
- For example, you can have either a Deny or an Allow policy for RemovableMediaDevices, but not for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. If you only want to manage storage, make sure to create Allow policy for Printer, otherwise, this Default Enforcement will be applied to Printer as well.
-
- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control** > **Select Device Control Default Enforcement**
-
- - In the **Select Device Control Default Enforcement** pane, select **Default Deny**:
-
- :::image type="content" source="images/set-default-enforcement-deny-gp.png" alt-text="Screenshot of setting Default Enforcement = Deny using Group Policy" lightbox="images/set-default-enforcement-deny-gp.png":::
-
-3. Audit Default Deny:
-
- Use the following XML data to create Audit policy for Default Deny:
-
- :::image type="content" source="images/audit-default-deny-gp.png" alt-text="Screenshot of audit default deny xml data":::
-
-4. ReadOnly - Group:
-
- Use the following XML data to create removable storage group with ReadOnly access:
-
- :::image type="content" source="images/read-only-group-gp.png" alt-text="Screen shot of Read only removable storage group xml data":::
-
-5. ReadOnly - Policy:
-
- Use the following XML data to create ReadOnly policy and apply to the ReadOnly removable storage group to allow read activity:
-
- :::image type="content" source="images/read-only-policy-gp.png" alt-text="Screenshot of Read only policy xml data." lightbox="images/read-only-policy-gp.png":::
-
-6. Create a group for allowed Media:
-
- Use the following XML data to create removable storage allowed media group:
-
- :::image type="content" source="images/create-group-allowed-medias-gp.png" alt-text="Screenshot of xml data for creating group for allowed medias" lightbox="images/create-group-allowed-medias-gp.png":::
-
-7. Create a policy to allow the approved USB Group:
-
- Use the following XML data to create a policy to allow the approved USB group:
-
- :::image type="content" source="images/create-policy-allow-approved-usb-group-xml.png" alt-text="Screenshot of XML data to create policy to allow the approved USB Group using Group Policy" lightbox="images/create-policy-allow-approved-usb-group-xml.png":::
-
- What does '47' mean in the policy? It's 9 + 2 + 36 = 47:
-
- - Read access: 1+8 = 9.
- - Write access: disk level 2.
- - Execute: 4 + 32 = 36.
-
-8. Combine groups into one XML file:
-
- You can combine device control policy groups into one XML file as follows:
-
- - Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**.
-
- :::image type="content" source="images/define-device-control-policy-grps-gp.png" alt-text="Screenshot of Define device control policy groups" lightbox="images/define-device-control-policy-grps-gp.png":::
-
- - In the **Define device control policy groups** window, specify the file path containing the XML groups data.
-
- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml>
-
- The following is the device control policy groups xml schema:
-
- :::image type="content" source="images/combine-grps-xml-file-gp.png" alt-text="Screenshot of combine groups into one XML file":::
-
-9. Combine policies into one XML file:
-
- You can combine device control policy rules into one XML file as follows:
-
- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy rules**.
-
- :::image type="content" source="images/define-device-cntrl-policy-rules-gp.png" alt-text="Screenshot of define device control policy rules" lightbox="images/define-device-cntrl-policy-rules-gp.png":::
-
- - In the **Define device control policy rules** window, select **Enabled**, and enter the file path containing the XML rules data.
-
- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Policies.xml>
-
- The following is the device control policy rules xml schema:
-
- :::image type="content" source="images/combine-policies-xml-gp.png" alt-text="Screenshot of combine policies into one XML file":::
-
-10. Set location for a copy of the file (evidence):
-
- If you want to have a copy of the file (evidence) when Write access happens, specify the location where system can save the copy.
-
- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define Device Control evidence data remote location**.
-
- - In the **Define Device Control evidence data remote location** pane, select **Enabled**, and then specify the local or network share folder path.
-
- :::image type="content" source="images/evidence-data-remote-location-gp.png" alt-text="Screenshot of Define Device Control evidence data remote location." lightbox="images/evidence-data-remote-location-gp.png":::
+| Topic | Description |
+|||
+| [Deploying Removable Storage Access Control by using Group Policy](deploy-manage-removable-storage-group-policy.md) | Use Group Policy to deploy the policy.|
+| [Deploying Removable Storage Access Control by using Intune OMA-URI](deploy-manage-removable-storage-intune.md) | Use Intune to deploy the policy.|
-## View Device Control Removable Storage Access Control data in Microsoft Defender for Endpoint
+## View data in Microsoft Defender for Endpoint
The [Microsoft 365 Defender portal](https://security.microsoft.com/advanced-hunting) shows events triggered by the Device Control Removable Storage Access Control. To access the Microsoft 365 security, you must have the following subscription:
DeviceEvents
``` :::image type="content" source="images/block-removable-storage.png" alt-text="The screen depicting the blockage of the removable storage.":::-
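Review bot: The added table under "For specific guidance, see:" links only the Group Policy and Intune OMA-URI articles, but this change also deletes the "## Deploying and managing policy by using Intune user interface" section (Endpoint Security > Attack Surface Reduction > Create Policy, Profile: Device Control), so that deployment path is left without a pointer from this article. Add a third row for it, or confirm that the Intune article covers it and say so in that row's description. Separately, shortening the heading to "## View data in Microsoft Defender for Endpoint" changes the section's anchor; check for inbound links to the old heading before merging.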
-## Frequently asked questions
-
-### How to generate GUID for Group Id/PolicyRule Id/Entry Id?
-
-You can generate the GUID through online open source, or through PowerShell - [How to generate GUID through PowerShell](/powershell/module/microsoft.powershell.utility/new-guid)
-
-![Screenshot of GUID in PowerShell.](https://user-images.githubusercontent.com/81826151/159046476-26ea0a21-8087-4f01-b8ae-5aa73b392d8f.png)
-
-### What are the removable storage media and policy limitations?
-
-Either from the Microsoft Endpoint Manager admin center (Intune) or through Microsoft Graph API, the backend call is done through OMA-URI (GET to read or PATCH to update) and therefore the limitation is the same as any OMA-URI custom configuration profile in Microsoft which is officially 350,000 characters for XML files.
-
-For example, if you need two blocks of entries per user SID to "Allow"/"Audit allowed" specific users and two blocks of entries at the end to "Deny" all, you will be able to manage 2,276 users.
-
-### Why doesn't the policy work?
-
-1. The most common reason is there's no required [antimalware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints).
-
-2. Another reason could be that the XML file isn't correctly formatted, for example, not using the correct markdown formatting for the "&" character in the XML file, or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files, which causes the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**) and then update.
-
-3. If you are deploying and managing the policy by using Group Policy, please make sure to combine all PolicyRule into one XML file within a parent node called PolicyRules and all Group into one XML file within a parent node called Groups; if you manage through Intune, keep one PolicyRule one XML file, same thing, one Group one XML file.
-
-If it still doesn't work, you contact support, and share your support cab. To get that file, use Command Prompt as an administrator:
-
-`"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles`
-
-### There is no configuration UX for **Define device control policy groups** and **Define device control policy rules** on my Group Policy
-
-We don't backport the Group Policy configuration UX, but you can still get the related adml and admx files by selecting **Raw** and **Save as** at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.
-
-### How do I confirm that the latest policy has been deployed to the target machine?
-
-You can run the PowerShell cmdlet `Get-MpComputerStatus` as an administrator. The following value will show whether the latest policy has been applied to the target machine.
--
-### How can I know which machine is using out of date antimalware client version in the organization?
-
-You can use following query to get antimalware client version on the Microsoft 365 security portal:
-
-```kusto
-//check the antimalware client version
-DeviceFileEvents
-|where FileName == "MsMpEng.exe"
-|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"
-|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))
-//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion
-|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion
-|order by PlatformVersion desc
-```
-
-### How do I find the media property in the Device Manager?
-
-1. Plug in the media.
-
-2. Open Device Manager.
-
- ![Screenshot of Device Manager.](https://user-images.githubusercontent.com/81826151/181859412-affd6aa1-09ad-44bf-9541-330499cc2c87.png)
-
-3. Locate the media in the Device Manager, right-click, and then select **Properties**.
-
- :::image type="content" alt-text="Screenshot of media in the Device Manager." source="https://user-images.githubusercontent.com/81826151/181859700-62a6f704-b12e-41e3-a048-7d63432654a4.png":::
-
-4. Open **Details**, and select **Properties**.
-
- :::image type="content" alt-text="Screenshot of device property in Device Manager." source="https://user-images.githubusercontent.com/81826151/181859852-00bc8b11-8ee5-4d46-9770-fa29f894d13f.png":::
-
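Review bot: The whole "## Frequently asked questions" section is deleted here, and nothing added in this article says where it went. It holds the troubleshooting facts admins need when a policy does not take effect: the 350,000-character OMA-URI limit, the byte order mark (0xEF 0xBB 0xBF) that breaks XML parsing, the one-file-per-PolicyRule layout for Intune versus the combined PolicyRules and Groups files for Group Policy, and the `MpCmdRun.exe -GetFiles` support step. If the section moved to its own article, add a row for it to the "For specific guidance, see:" table; if it did not, keep it here.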
security Device Control Removable Storage Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-protection.md
audience: ITPro
+search.appverid: met150
# Microsoft Defender for Endpoint Device Control Removable Storage Protection
security Device Control Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md
audience: ITPro
+search.appverid: met150
+ # Device control report **Applies to:**
security Device Discovery Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery-faq.md
audience: ITPro
+search.appverid: met150
# Device discovery frequently asked questions
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
+search.appverid: met150
# Device discovery overview
security Device Health Export Antivirus Health Report Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-export-antivirus-health-report-api.md
+search.appverid: met150
# Export device antivirus health report
security Device Timeline Event Flag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md
audience: ITPro
+search.appverid: met150
# Microsoft Defender for Endpoint device timeline event flags
security Download Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/download-client-analyzer.md
audience: ITPro
+search.appverid: met150
# Download the Microsoft Defender for Endpoint client analyzer
security Edr In Block Mode https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md
Last updated 08/19/2022
+search.appverid: met150
# Endpoint detection and response (EDR) in block mode
security Enable Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction.md
- M365-security-compliance Last updated 1/18/2022
+search.appverid: met150
# Enable attack surface reduction rules
security Enable Cloud Protection Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus.md
+search.appverid: met150
# Turn on cloud protection in Microsoft Defender Antivirus
security Enable Controlled Folders https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-controlled-folders.md
Last updated
+search.appverid: met150
# Enable controlled folder access
security Enable Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-exploit-protection.md
Last updated 07/27/2022
+search.appverid: met150
# Enable exploit protection
security Enable Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-network-protection.md
Last updated
+search.appverid: met150
# Turn on network protection
security Enable Update Mdav To Latest Ws https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws.md
+search.appverid: met150
# Enable and update Defender Antivirus to the latest version on Windows Server
security Evaluate Controlled Folder Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access.md
Last updated
+search.appverid: met150
# Evaluate controlled folder access
security Evaluate Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-exploit-protection.md
Last updated
+search.appverid: met150
# Evaluate exploit protection
You can set mitigations in a testing mode for specific programs by using the Win
- Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You'll be notified if you need to restart the process, app, or Windows.
+4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in test mode only. You'll be notified if you need to restart the process, app, or Windows.
5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. ### PowerShell
-To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet.
+To set app-level mitigations to test mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet.
Configure each mitigation in the following format:
Where:
- \<Mitigation\>: - The mitigation's cmdlet as defined in the following table. Each mitigation is separated with a comma.
-|Mitigation|Audit mode cmdlet|
+|Mitigation|Test mode cmdlet|
||| |Arbitrary Code Guard (ACG)|`AuditDynamicCode`| |Block low integrity images|`AuditImageLoad`
Where:
|Disable Win32k system calls|`AuditSystemCall`| |Do not allow child processes|`AuditChildProcess`|
-For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:
+For example, to enable Arbitrary Code Guard (ACG) in test mode for an app named *testing.exe*, run the following command:
```PowerShell Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode
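Review bot: The rename is applied unevenly: the replacement sentence still reads "use `Set-ProcessMitigation` with the **Audit mode** cmdlet" while the table header it refers to becomes "Test mode cmdlet". Use one term in both places. Because the UI option is still **Audit** and every parameter value keeps the `Audit` prefix (`AuditDynamicCode`, `AuditImageLoad`, `AuditSystemCall`), state once near the first use that test mode is the mode previously called audit mode, so readers do not take it for a different setting.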
security Evaluate Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus.md
+search.appverid: met150
# Evaluate Microsoft Defender Antivirus
security Evaluate Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluate-network-protection.md
- M365-security-compliance Last updated
+search.appverid: met150
# Evaluate network protection
security Evaluation Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md
- highpri
+search.appverid: met150
# Microsoft Defender for Endpoint evaluation lab
security Event Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/event-error-codes.md
Last updated 05/21/2018
+search.appverid: met150
security Exclude Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exclude-devices.md
audience: ITPro
+search.appverid: met150
# Exclude devices
security Exploit Protection Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection-reference.md
Last updated 10/19/2021
+search.appverid: met150
# Exploit Protection Reference
security Exploit Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection.md
- m365initiative-m365-defender - M365-security-compliance
+search.appverid: met150
# Protect devices from exploits
security Export Security Baseline Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/export-security-baseline-assessment.md
+search.appverid: met150
# Export security baselines assessment per device
security Exposed Apis Create App Nativeapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-nativeapp.md
+search.appverid: met150
# Use Microsoft Defender for Endpoint APIs
security Exposed Apis Create App Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-partners.md
+search.appverid: met150
# Partner access through Microsoft Defender for Endpoint APIs
security Exposed Apis Create App Webapp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-create-app-webapp.md
+search.appverid: met150
# Create an app to access Microsoft Defender for Endpoint without a user
security Exposed Apis Full Sample Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-full-sample-powershell.md
Last updated 04/27/2022
+search.appverid: met150
# Microsoft Defender for Endpoint APIs using PowerShell
security Exposed Apis List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-list.md
+search.appverid: met150
# Supported Microsoft Defender for Endpoint APIs
security Exposed Apis Odata Samples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exposed-apis-odata-samples.md
+search.appverid: met150
# OData queries with Microsoft Defender for Endpoint
security Faqs Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/faqs-tamper-protection.md
- M365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Frequently asked questions on tamper protection
security Feedback Loop Blocking https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/feedback-loop-blocking.md
- edr
+search.appverid: met150
# Feedback-loop blocking
security Fetch Alerts Mssp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fetch-alerts-mssp.md
+search.appverid: met150
# Fetch alerts from MSSP customer tenant
security Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/files.md
+search.appverid: met150
# File resource type
security Find Defender Malware Name https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-defender-malware-name.md
audience: ITPro
+search.appverid: met150
# Find malware detection names for Microsoft Defender for Endpoint
security Find Machine Info By Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-machine-info-by-ip.md
+search.appverid: met150
# Find device information by internal IP API
security Find Machines By Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-machines-by-ip.md
+search.appverid: met150
# Find devices by internal IP API
security Find Machines By Tag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/find-machines-by-tag.md
+search.appverid: met150
# Find devices by tag API
security Fix Unhealthy Sensors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors.md
Last updated 11/23/2020
+search.appverid: met150
# Fix unhealthy sensors in Microsoft Defender for Endpoint
security Get Alert Info By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-info-by-id.md
+search.appverid: met150
# Get alert information by ID API
security Get Alert Related Domain Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-domain-info.md
+search.appverid: met150
# Get alert related domain information API
security Get Alert Related Files Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-files-info.md
+search.appverid: met150
# Get alert related files information API
security Get Alert Related Ip Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-ip-info.md
+search.appverid: met150
# Get alert-related IPs' information API
security Get Alert Related Machine Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-machine-info.md
+search.appverid: met150
# Get alert related machine information API
security Get Alert Related User Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alert-related-user-info.md
+search.appverid: met150
# Get alert related user information API
security Get Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-alerts.md
+search.appverid: met150
# List alerts API
security Get All Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-recommendations.md
+search.appverid: met150
# List all recommendations
security Get All Vulnerabilities By Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-vulnerabilities-by-machines.md
+search.appverid: met150
# List vulnerabilities by machine and software
security Get All Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-all-vulnerabilities.md
+search.appverid: met150
# List vulnerabilities
security Get Assessment Browser Extensions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-browser-extensions.md
+search.appverid: met150
# Export browser extensions assessment per device
security Get Assessment Non Cpe Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-non-cpe-software-inventory.md
+search.appverid: met150
# Export non product code software inventory assessment per device
security Get Assessment Secure Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-secure-config.md
+search.appverid: met150
# Export secure configuration assessment per device
security Get Assessment Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-inventory.md
+search.appverid: met150
# Export software inventory assessment per device
security Get Assessment Software Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-assessment-software-vulnerabilities.md
+search.appverid: met150
# Export software vulnerabilities assessment per device
security Get Browser Extensions Permission Info https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-browser-extensions-permission-info.md
+search.appverid: met150
# Get browser extensions permission information
security Get Device Secure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-device-secure-score.md
+search.appverid: met150
# Get device secure score
security Get Discovered Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-discovered-vulnerabilities.md
+search.appverid: met150
# Get discovered vulnerabilities
security Get Domain Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-related-alerts.md
+search.appverid: met150
# Get domain-related alerts API
security Get Domain Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-related-machines.md
+search.appverid: met150
# Get domain-related machines API
security Get Domain Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-domain-statistics.md
+search.appverid: met150
# Get domain statistics API
security Get Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-exposure-score.md
+search.appverid: met150
# Get exposure score
security Get File Information https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-information.md
+search.appverid: met150
# Get file information API
security Get File Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-related-alerts.md
+search.appverid: met150
# Get file-related alerts API
security Get File Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-related-machines.md
+search.appverid: met150
# Get file-related machines API
security Get File Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-file-statistics.md
+search.appverid: met150
# Get file statistics API
security Get Installed Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-installed-software.md
+search.appverid: met150
# Get installed software
security Get Investigation Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-investigation-collection.md
+search.appverid: met150
# List Investigations API
security Get Investigation Object https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-investigation-object.md
+search.appverid: met150
# Get Investigation API
security Get Ip Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ip-related-alerts.md
+search.appverid: met150
# Get IP related alerts API
security Get Ip Statistics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ip-statistics.md
+search.appverid: met150
# Get IP statistics API
security Get Machine By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-by-id.md
+search.appverid: met150
# Get machine by ID API
Empty
## Response If successful and device exists - 200 OK with the [machine](machine.md) entity in the body.
-If machine with the specified ID was not found - 404 Not Found.
+If machine with the specified ID wasn't found - 404 Not Found.
## Example ### Request example
-Here is an example of the request.
+Here's an example of the request.
```http GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29
### Response example
-Here is an example of the response.
+Here's an example of the response.
```http HTTP/1.1 200 OK
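Review bot: In the Response section, the changed 404 line still reads "If machine with the specified ID wasn't found" while the 200 line directly above it says "device exists", so the two outcomes name the same entity differently and the 404 line is missing an article. Suggest "If a device with the specified ID wasn't found - 404 Not Found." so both lines match.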
security Get Machine Group Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-group-exposure-score.md
+search.appverid: met150
# List exposure score by device group
security Get Machine Log On Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-log-on-users.md
+search.appverid: met150
# Get machine logon users API
security Get Machine Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machine-related-alerts.md
+search.appverid: met150
# Get machine related alerts API
security Get Machineaction Object https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machineaction-object.md
+search.appverid: met150
# Get machineAction API
security Get Machineactions Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machineactions-collection.md
+search.appverid: met150
# List MachineActions API
security Get Machines By Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines-by-software.md
+search.appverid: met150
# List devices by software
security Get Machines By Vulnerability https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines-by-vulnerability.md
+search.appverid: met150
# List devices by vulnerability
security Get Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-machines.md
+search.appverid: met150
# List machines API
security Get Missing Kbs Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-missing-kbs-machine.md
+search.appverid: met150
# Get missing KBs by device ID
security Get Missing Kbs Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-missing-kbs-software.md
+search.appverid: met150
# Get missing KBs by software ID
security Get Package Sas Uri https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-package-sas-uri.md
+search.appverid: met150
# Get package SAS URI API
security Get Recommendation By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-by-id.md
+search.appverid: met150
# Get recommendation by ID
security Get Recommendation Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-machines.md
+search.appverid: met150
# List devices by recommendation
security Get Recommendation Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-recommendation-vulnerabilities.md
+search.appverid: met150
# List vulnerabilities by recommendation
security Get Remediation All Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-all-activities.md
+search.appverid: met150
# List all remediation activities
security Get Remediation Exposed Devices Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-exposed-devices-activities.md
+search.appverid: met150
# List exposed devices of one remediation activity
rbacGroupName|String|Name of the device group this device is associated with|Ser
### Request example ```http
-GET https://api-luna.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c6e-b555-d6a97013844c/machinereferences
+GET https://api.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c6e-b555-d6a97013844c/machinereferences
``` ### Response example ```json {
- "@odata.context": "https://wpatdadi-luna-stg.cloudapp.net/api/$metadata#MachineReferences",
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
"value": [ { "id": "3cb5df6bb3640a2d37ad09fcd357b182d684fafc",
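Review bot: The request example now points at api.securitycenter.windows.com, but the Get machine by ID example in this same update uses api.securitycenter.microsoft.com. If both hosts are valid, the page should say so; if not, pick one, so readers copying these examples do not end up calling two different API hosts. The `@odata.context` value in the response example should follow whichever host is chosen.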
security Get Remediation Methods Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-methods-properties.md
+search.appverid: met150
# Remediation activity methods and properties
security Get Remediation One Activity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-remediation-one-activity.md
+search.appverid: met150
# Get one remediation activity by ID
vendorId|String|Related vendor name|Microsoft
### Request example ```http
-GET https://api-luna.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c6e-b555-d6a97013844c
+GET https://api.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c6e-b555-d6a97013844c
``` ### Response example ```json {
- "@odata.context": "https://wpatdadi-luna-stg.cloudapp.net/api/$metadata#RemediationTasks/$entity",
+ "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#RemediationTasks/$entity",
"id": "03942ef5-aecb-4c6e-b555-d6a97013844c", "title": "Update Microsoft Silverlight", "createdOn": "2021-02-10T13:20:36.4718166Z",
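Review bot: The removed request URL (api-luna.securitycenter.windows.com) and `@odata.context` value (wpatdadi-luna-stg.cloudapp.net) put what looks like a staging hostname into public documentation, and the same pair is removed from the exposed-devices page in this update, which suggests the samples were pasted from a non-production response. Before merging, search the remaining remediation API pages for "luna" and "cloudapp.net", and consider regenerating the sample response rather than hand-editing the host, so the rest of the body (the `id` and `createdOn` values) is known to be sample data.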
security Get Security Baselines Assessment Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-baselines-assessment-configurations.md
+search.appverid: met150
# List security baselines assessment configurations
security Get Security Baselines Assessment Profiles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-baselines-assessment-profiles.md
+search.appverid: met150
# List all security baselines assessment profiles
security Get Security Recommendations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-security-recommendations.md
+search.appverid: met150
# Get security recommendations
security Get Software By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software-by-id.md
+search.appverid: met150
# Get software by ID
security Get Software Ver Distribution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software-ver-distribution.md
+search.appverid: met150
# List software version distribution
security Get Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-software.md
+search.appverid: met150
# List software inventory API
security Get Started Partner Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-started-partner-integration.md
audience: ITPro
+search.appverid: met150
# Become a Microsoft Defender for Endpoint partner
security Get Ti Indicators Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-ti-indicators-collection.md
+search.appverid: met150
# List Indicators API
security Get User Related Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-user-related-alerts.md
+search.appverid: met150
# Get user-related alerts API
security Get User Related Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-user-related-machines.md
+search.appverid: met150
# Get user-related machines API
security Get Vuln By Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-vuln-by-software.md
+search.appverid: met150
# List vulnerabilities by software
security Get Vulnerability By Id https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-vulnerability-by-id.md
+search.appverid: met150
# Get vulnerability by ID
security Grant Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/grant-mssp-access.md
audience: ITPro
+search.appverid: met150
# Grant managed security service provider (MSSP) access (preview)
security Health Status https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/health-status.md
audience: ITPro
+search.appverid: met150
# Investigate agent health issues
The following table provides information on the values returned when you run the
|Value|Description| ||| |automatic_definition_update_enabled|True if automatic antivirus definition updates are enabled, false otherwise.|
-|cloud_automatic_sample_submission_consent|Current sample submission level. Can be one of the following values: <ul><li>**None**: No suspicious samples are submitted to Microsoft.</li><li>**Safe**: Only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.</li><li>**All**: All suspicious samples are submitted to Microsoft.</li></ul>|
+|cloud_automatic_sample_submission_consent|Current sample submission level. Can be one of the following values: <ul><li>**None**: No suspicious samples are submitted to Microsoft.</li><li>**Safe**: Only suspicious samples that don't contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.</li><li>**All**: All suspicious samples are submitted to Microsoft.</li></ul>|
|cloud_diagnostic_enabled|True if optional diagnostic data collection is enabled, false otherwise. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576).| |cloud_enabled|True if cloud-delivered protection is enabled, false otherwise.|
-|conflicting_applications|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but is not limited to, other security products and other applications known to cause compatibility issues.|
+|conflicting_applications|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but isn't limited to, other security products and other applications known to cause compatibility issues.|
|definitions_status|Status of antivirus definitions.| |definitions_updated|Date and time of last antivirus definition update.| |definitions_updated_minutes_ago|Number of minutes since last antivirus definition update.|
The following table provides information on the values returned when you run the
|licensed|True if the device is onboarded to a tenant, false otherwise.| |log_level|Current log level for the product.| |machine_guid|Unique machine identifier used by the antivirus component.|
-|network_protection_status|Status of the network protection component (macOS only). Can be one of the following values: <ul><li>**starting** - Network protection is starting</li><li>**failed_to_start** - Network protection couldn't be started due to an error</li><li>**started** - Network protection is currently running on the device</li><li>**restarting** - Network protection is currently restarting</li><li>**stopping** - Network protection is stopping</li><li>**stopped** - Network protection is not running</li></ul>|
-|org_id|Organization that the device is onboarded to. If the device is not yet onboarded to any organization, this prints unavailable. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).|
+|network_protection_status|Status of the network protection component (macOS only). Can be one of the following values: <ul><li>**starting** - Network protection is starting</li><li>**failed_to_start** - Network protection couldn't be started due to an error</li><li>**started** - Network protection is currently running on the device</li><li>**restarting** - Network protection is currently restarting</li><li>**stopping** - Network protection is stopping</li><li>**stopped** - Network protection isn't running</li></ul>|
+|org_id|Organization that the device is onboarded to. If the device isn't yet onboarded to any organization, this prints unavailable. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).|
|passive_mode_enabled|True if the antivirus component is set to run in passive mode, false otherwise.| |product_expiration|Date and time when the current product version reaches end of support.| |real_time_protection_available|True if the real-time protection component is healthy, false otherwise.| |real_time_protection_enabled|True if real-time antivirus protection is enabled, false otherwise.|
-|real_time_protection_subsystem|Subsystem used to serve real-time protection. If real-time protection is not operating as expected, this prints unavailable.|
+|real_time_protection_subsystem|Subsystem used to serve real-time protection. If real-time protection isn't operating as expected, this prints unavailable.|
|release_ring|Release ring. For more information, see [Deployment rings](deployment-rings.md).| |
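Review bot: In the org_id and real_time_protection_subsystem rows, "this prints unavailable" reads as prose, so it is unclear that `unavailable` is the literal string returned. The change only swaps "is not" for "isn't"; while touching these rows, set the value in code formatting so anyone parsing the health output knows exactly what to match on.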
security Helpful Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/helpful-resources.md
audience: ITPro
+search.appverid: met150
# Helpful Microsoft Defender for Endpoint resources
security Host Firewall Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md
+search.appverid: met150
# Host firewall reporting in Microsoft Defender for Endpoint
security Import Export Exploit Protection Emet Xml https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-export-exploit-protection-emet-xml.md
Last updated
+search.appverid: met150
# Import, export, and deploy exploit protection configurations
security Import Ti Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/import-ti-indicators.md
+search.appverid: met150
# Import Indicators API
security Indicator Certificates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-certificates.md
audience: ITPro
+search.appverid: met150
# Create indicators based on certificates
security Indicator File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-file.md
audience: ITPro
+search.appverid: met150
# Create indicators for files
security Indicator Ip Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-ip-domain.md
audience: ITPro
+search.appverid: met150
# Create indicators for IPs and URLs/domains
security Indicator Manage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/indicator-manage.md
audience: ITPro
+search.appverid: met150
# Manage indicators
security Information Protection Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-investigation.md
audience: ITPro
+search.appverid: met150
# Use sensitivity labels to prioritize incident response
security Initiate Autoir Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/initiate-autoir-investigation.md
+search.appverid: met150
+ # Start Investigation API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-alerts.md
Last updated 04/24/2018
+search.appverid: met150
# Investigate alerts in Microsoft Defender for Endpoint
security Investigate Behind Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-behind-proxy.md
- m365-security-compliance
+search.appverid: met150
# Investigate connection events that occur behind forward proxies
security Investigate Domain https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-domain.md
Last updated 04/24/2018
+search.appverid: met150
+ # Investigate domains and URLs associated with a Microsoft Defender for Endpoint alert [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Investigate Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-files.md
Last updated 04/24/2018
+search.appverid: met150
# Investigate a file associated with a Microsoft Defender for Endpoint alert
security Investigate Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-ip.md
Last updated 04/24/2018
+search.appverid: met150
# Investigate an IP address associated with a Microsoft Defender for Endpoint alert
security Investigate Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md
audience: ITPro
+search.appverid: met150
# Investigate devices in the Microsoft Defender for Endpoint Devices list
The **Security assessments** card shows the overall exposure level, security rec
:::image type="content" source="images/security-assessments.png" alt-text="The security assessments card" lightbox="images/security-assessments.png"::: - ### Device health status
-The **Device health status** card shows a summarized health report for the specific device. One of the following status is displayed at the top of the card to indicate the overall status of the device:
+The **Device health status** card shows a summarized health report for the specific device. One of the following messages is displayed at the top of the card to indicate the overall status of the device (listed in order of highest to lowest priority):
-- Device is up to date-- Platform is not up to date-- Full scan failed-- Quick scan failed-- Engine is not up to date-- Security intelligence is not up to date - Defender Antivirus not active
+- Security intelligence is not up to date
+- Engine is not up to date
+- Quick scan failed
+- Full scan failed
+- Platform is not up to date
+- Security intelligence update status is unknown
+- Engine update status is unknown
+- Quick scan status is unknown
+- Full scan status is unknown
+- Platform update status is unknown
+- Device is up to date
- Status not available for macOS & Linux Other information in the card include: the last full scan, last quick scan, security intelligence update version, engine update version, platform update version, and Defender Antivirus mode.
->[!NOTE]
->The overall status message for macOS and Linux devices currently shows up as 'Status not available for macOS & Linux'. Currently, the status summary is only available for Windows devices. All other information in the table is up to date to show the individual states of each device health signal for all supported platforms.
+Please note that a grey circle indicates that the data is unknown.
+
+> [!NOTE]
+> The overall status message for macOS and Linux devices currently shows up as 'Status not available for macOS & Linux'. Currently, the status summary is only available for Windows devices. All other information in the table is up to date to show the individual states of each device health signal for all supported platforms.
To gain an in-depth view of the device health report, you can go to **Reports > Devices health**. For more information, see [Device health and compliance report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/machine-reports). :::image type="content" source="images/device-health-status.png" alt-text="The device health status card" lightbox="images/device-health-status.png"::: -- ## Related topics - [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md)
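Review bot: The new parenthetical "(listed in order of highest to lowest priority)" does not say what the priority governs. If the card shows only the highest-priority message when several conditions apply, state that; otherwise a reader cannot tell why "Device is up to date" sits near the bottom of the list. The added sentence "Please note that a grey circle indicates that the data is unknown." is also separated from the "... status is unknown" items it explains; move it next to the list and drop "Please note that".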
To gain an in-depth view of the device health report, you can go to **Reports >
- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md) - [Investigate a user account in Defender for Endpoint](investigate-user.md) - [Security recommendation](tvm-security-recommendation.md)-- [Software inventory](tvm-software-inventory.md)
+- [Software inventory](tvm-software-inventory.md)
security Investigate User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-user.md
Last updated 04/24/2018
+search.appverid: met150
+ # Investigate a user account in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigation.md
+search.appverid: met150
# Investigation resource type
security Ios Configure Features https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md
- m365-security-compliance
+search.appverid: met150
# Configure Microsoft Defender for Endpoint on iOS features
security Ios Install Unmanaged https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install-unmanaged.md
- m365-security-compliance
+search.appverid: met150
# Deploy Microsoft Defender for Endpoint on unenrolled iOS devices
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
- m365-security-compliance
+search.appverid: met150
# Deploy Microsoft Defender for Endpoint on iOS
security Ios Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-privacy.md
- m365-security-compliance
+search.appverid: met150
# Privacy information - Microsoft Defender for Endpoint on iOS
security Ios Troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-troubleshoot.md
- m365-security-compliance
+search.appverid: met150
# Troubleshoot issues and find answers to FAQs on Microsoft Defender for Endpoint on iOS
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
- m365-security-compliance
+search.appverid: met150
# What's new in Microsoft Defender for Endpoint on iOS
security Isolate Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/isolate-machine.md
+search.appverid: met150
# Isolate machine API
security Limited Periodic Scanning Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus.md
+search.appverid: met150
security Linux Deploy Defender For Endpoint With Chef https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef.md
audience: ITPro
+search.appverid: met150
# Deploy Defender for Endpoint on Linux with Chef
security Linux Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-exclusions.md
- m365-security-compliance
+search.appverid: met150
# Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
security Linux Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-manually.md
- m365-security-compliance
+search.appverid: met150
# Deploy Microsoft Defender for Endpoint on Linux manually
security Linux Install With Ansible https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-ansible.md
- m365-security-compliance
+search.appverid: met150
# Deploy Microsoft Defender for Endpoint on Linux with Ansible
security Linux Install With Puppet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-install-with-puppet.md
- m365-security-compliance
+search.appverid: met150
# Deploy Microsoft Defender for Endpoint on Linux with Puppet
security Linux Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-preferences.md
- m365-security-compliance
+search.appverid: met150
# Set preferences for Microsoft Defender for Endpoint on Linux
security Linux Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-privacy.md
audience: ITPro
+search.appverid: met150
# Privacy for Microsoft Defender for Endpoint on Linux
security Linux Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-pua.md
- m365-security-compliance
+search.appverid: met150
# Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Linux
security Linux Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-resources.md
- m365-security-compliance
+search.appverid: met150
# Resources
security Linux Schedule Scan Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde.md
audience: ITPro
+search.appverid: met150
# Schedule scans with Microsoft Defender for Endpoint (Linux)
crontab -l
crontab -u username -l ```
-### To backup crontab entries
+### To back up crontab entries
```bash crontab -l > /var/tmp/cron_backup.dat
crontab -u username -r
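Review bot: the heading fix to "back up" is fine, but the unchanged example under it, `crontab -l > /var/tmp/cron_backup.dat`, writes the backup to a fixed file name in `/var/tmp`, a world-writable directory, with whatever permissions the default umask gives. Crontab entries can contain commands and paths that are better kept private, so suggest pointing the example at a directory owned by the user running it, or setting `umask 077` before the redirect.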
+ΓÇöΓÇöΓÇöΓÇöΓÇö- minute (values: 0 - 59) (special characters: , \- \* /) <br> | +ΓÇöΓÇöΓÇöΓÇö- hour (values: 0 - 23) (special characters: , \- \* /) <br> | | +ΓÇöΓÇöΓÇö- day of month (values: 1 - 31) (special characters: , \- \* / L W C) <br>
-| | | +ΓÇöΓÇö- month (values: 1 - 12) (special characters: , \- \* / ) <br>
+| | | +ΓÇöΓÇö- month (values: 1 - 12) (special characters: , \- \* /) <br>
| | | | +ΓÇö- day of week (values: 0 - 6) (Sunday=0 or 7) (special characters: , \- \* / L W C) <br> | | | | |*****command to be executed
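Review bot: the day-of-week line in the unchanged context contradicts itself: it gives the range as `0 - 6` and then says `Sunday=0 or 7`. While this diagram is being touched for the stray space in the month line, suggest making the range `0 - 7` or dropping the `or 7`, so that a reader checking a scan schedule against it does not reject a valid entry.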
security Linux Static Proxy Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration.md
- m365-security-compliance
+search.appverid: met150
# Configure Microsoft Defender for Endpoint on Linux for static proxy discovery
security Linux Support Connectivity https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-connectivity.md
- m365-security-compliance
+search.appverid: met150
# Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux
security Linux Support Events https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-events.md
+search.appverid: met150
# Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux
security Linux Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-install.md
- m365-security-compliance
+search.appverid: met150
# Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux
security Linux Update Mde Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-update-mde-linux.md
audience: ITPro
+search.appverid: met150
# Schedule an update of the Microsoft Defender for Endpoint (Linux)
security Linux Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-updates.md
- m365-security-compliance
+search.appverid: met150
# Deploy updates for Microsoft Defender for Endpoint on Linux
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
- m365-security-compliance
+search.appverid: met150
# What's new in Microsoft Defender for Endpoint on Linux
security List Recommendation Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/list-recommendation-software.md
+search.appverid: met150
# List software by recommendation
security Live Response Command Examples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response-command-examples.md
audience: ITPro
+search.appverid: met150
# Live response command examples
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
audience: ITPro
+search.appverid: met150
# Investigate entities on devices using live response
security Mac Device Control Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-intune.md
- m365-security-compliance
+search.appverid: met150
# Examples of device control policies for Intune
security Mac Device Control Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-jamf.md
- m365-security-compliance
+search.appverid: met150
# Examples of device control policies for JAMF
security Mac Device Control Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-device-control-overview.md
- m365-security-compliance
+search.appverid: met150
# Device control for macOS
security Mac Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-exclusions.md
- m365-security-compliance
+search.appverid: met150
# Configure and validate exclusions for Microsoft Defender for Endpoint on macOS
security Mac Install Jamfpro Login https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login.md
- m365-security-compliance
+search.appverid: met150
# Log in to Jamf Pro
security Mac Install Manually https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md
+search.appverid: met150
# Manual deployment for Microsoft Defender for Endpoint on macOS
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
- m365-security-compliance
+search.appverid: met150
# Intune-based deployment for Microsoft Defender for Endpoint on macOS
security Mac Install With Jamf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-jamf.md
- m365-security-compliance
+search.appverid: met150
# Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro
security Mac Install With Other Mdm https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm.md
- m365-security-compliance
+search.appverid: met150
# Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on macOS
security Mac Jamfpro Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups.md
- m365-security-compliance
+search.appverid: met150
# Set up Microsoft Defender for Endpoint on macOS device groups in Jamf Pro
security Mac Jamfpro Enroll Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices.md
- m365-security-compliance
+search.appverid: met150
# Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro
security Mac Jamfpro Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md
- m365-security-compliance
+search.appverid: met150
# Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro
security Mac Preferences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-preferences.md
- m365-security-compliance
+search.appverid: met150
# Set preferences for Microsoft Defender for Endpoint on macOS
security Mac Privacy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-privacy.md
- m365-security-compliance
+search.appverid: met150
# Privacy for Microsoft Defender for Endpoint on macOS
security Mac Pua https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-pua.md
- m365-security-compliance
+search.appverid: met150
# Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on macOS
security Mac Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-resources.md
- m365-security-compliance
+search.appverid: met150
# Resources for Microsoft Defender for Endpoint on macOS
security Mac Schedule Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-schedule-scan.md
- m365-security-compliance
+search.appverid: met150
# Schedule scans with Microsoft Defender for Endpoint on macOS
security Mac Support Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-install.md
- m365-security-compliance
+search.appverid: met150
# Troubleshoot installation issues for Microsoft Defender for Endpoint on macOS
security Mac Support Kext https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-kext.md
- m365-security-compliance
+search.appverid: met150
# Troubleshoot kernel extension issues in Microsoft Defender for Endpoint on macOS
security Mac Support License https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md
- m365-security-compliance
+search.appverid: met150
# Troubleshoot license issues for Microsoft Defender for Endpoint on macOS
security Mac Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-perf.md
- m365-security-compliance
+search.appverid: met150
# Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS
security Mac Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-updates.md
- m365-security-compliance
+search.appverid: met150
# Deploy updates for Microsoft Defender for Endpoint on macOS
security Mac Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-whatsnew.md
- m365-security-compliance
+search.appverid: met150
# What's new in Microsoft Defender for Endpoint on Mac
security Machine Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-groups.md
audience: ITPro
+search.appverid: met150
# Create and manage device groups
security Machine Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md
audience: ITPro
+search.appverid: met150
# Create and manage device tags
security Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine.md
+search.appverid: met150
# Machine resource type
security Machineaction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machineaction.md
audience: ITPro
+search.appverid: met150
# MachineAction resource type
security Machines View Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md
audience: ITPro
+search.appverid: met150
# Device inventory
security Manage Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-alerts.md
audience: ITPro
+search.appverid: met150
# Manage Microsoft Defender for Endpoint alerts
security Manage Auto Investigation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-auto-investigation.md
+search.appverid: met150
# Review remediation actions following an automated investigation
security Manage Automation File Uploads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-file-uploads.md
audience: ITPro
+search.appverid: met150
# Manage automation file uploads
security Manage Automation Folder Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions.md
audience: ITPro
+search.appverid: met150
# Manage automation folder exclusions
security Manage Event Based Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus.md
+search.appverid: met150
# Manage event-based forced updates
security Manage Gradual Rollout https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-gradual-rollout.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Manage the gradual rollout process for Microsoft Defender updates
security Manage Indicators https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-indicators.md
audience: ITPro
+search.appverid: met150
# Create indicators
security Manage Mde Post Migration Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-configuration-manager.md
Last updated 07/01/2022
+search.appverid: met150
# Manage Microsoft Defender for Endpoint with Configuration Manager
security Manage Mde Post Migration Group Policy Objects https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-group-policy-objects.md
- M365-security-compliance
+search.appverid: met150
# Manage Microsoft Defender for Endpoint with Group Policy Objects
security Manage Mde Post Migration Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-intune.md
Last updated 07/01/2022
+search.appverid: met150
# Manage Microsoft Defender for Endpoint with Intune
security Manage Mde Post Migration Other Tools https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration-other-tools.md
+search.appverid: met150
# Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
security Manage Mde Post Migration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-mde-post-migration.md
Last updated 07/01/2022
+search.appverid: met150
# Manage Microsoft Defender for Endpoint after initial setup or migration
security Manage Outdated Endpoints Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus.md
+search.appverid: met150
# Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date
security Manage Protection Updates Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus.md
+search.appverid: met150
# Manage the sources for Microsoft Defender Antivirus protection updates
security Manage Suppression Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-suppression-rules.md
audience: ITPro
+search.appverid: met150
# Manage suppression rules
security Manage Tamper Protection Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-configuration-manager.md
- M365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Manage tamper protection using tenant attach with Configuration Manager, version 2006
security Manage Tamper Protection Individual Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-individual-device.md
- M365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Manage tamper protection on an individual device
security Manage Tamper Protection Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-microsoft-365-defender.md
- M365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Manage tamper protection for your organization using Microsoft 365 Defender portal
security Manage Tamper Protection Microsoft Endpoint Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-tamper-protection-microsoft-endpoint-manager.md
- M365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Manage tamper protection for your organization using Microsoft Endpoint Manager
security Manage Updates Baselines Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus.md
- M365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Manage Microsoft Defender Antivirus updates and apply baselines
security Manage Updates Mobile Devices Vms Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
+search.appverid: met150
# Manage updates for mobile devices and virtual machines (VMs)
security Management Apis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/management-apis.md
+search.appverid: met150
# Overview of management and APIs
security Mde Device Control Device Installation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-device-control-device-installation.md
audience: ITPro
+search.appverid: met150
# Microsoft Defender for Endpoint Device Control Device Installation
security Microsoft Cloud App Security Config https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-config.md
audience: ITPro
+search.appverid: met150
# Configure Microsoft Defender for Cloud Apps in Microsoft Defender for Endpoint
security Microsoft Cloud App Security Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration.md
Last updated 10/18/2018
+search.appverid: met150
# Microsoft Defender for Cloud Apps in Defender for Endpoint overview
security Microsoft Defender Antivirus Compatibility https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility.md
- M365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Microsoft Defender Antivirus compatibility with other security products
security Microsoft Defender Antivirus Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md
- M365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Microsoft Defender Antivirus in Windows
security Microsoft Defender Endpoint Android https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Microsoft Defender for Endpoint on Android
security Microsoft Defender Endpoint Ios https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Microsoft Defender for Endpoint on iOS
security Microsoft Defender Endpoint Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Microsoft Defender for Endpoint on Linux
security Microsoft Defender Endpoint Mac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Microsoft Defender for Endpoint on Mac
security Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md
+search.appverid: met150
# Microsoft Defender for Endpoint
security Microsoft Defender Offline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md
+search.appverid: met150
# Run and review the results of a Microsoft Defender Offline scan
security Microsoft Defender Security Center Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus.md
+search.appverid: met150
# Microsoft Defender Antivirus in the Windows Security app
security Microsoft Threat Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-threat-experts.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Microsoft Threat Experts
security Migrating Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-asr-rules.md
+search.appverid: met150
# Migrating from a third-party HIPS to ASR rules
security Migrating Mde Server To Cloud https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud.md
Last updated 07/19/2022
+search.appverid: met150
# Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud
security Migration Guides https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migration-guides.md
f1.keywords: NOCSH Last updated 07/01/2022
+search.appverid: met150
# Move to Microsoft Defender for Endpoint
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Minimum requirements for Microsoft Defender for Endpoint
security Mssp List https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-list.md
audience: ITPro
+search.appverid: met150
# Supported managed security service providers
security Mssp Support https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mssp-support.md
audience: ITPro
+search.appverid: met150
# Managed security service provider partnership opportunities
security Mtd https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mtd.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Microsoft Defender for Endpoint - Mobile Threat Defense
security Network Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-devices.md
+search.appverid: met150
+ # Network device discovery and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Network Protection Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection-linux.md
- m365initiative-m365-defender - M365-security-compliance Last updated
+search.appverid: met150
# Network protection for Linux
security Network Protection Macos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection-macos.md
- m365initiative-m365-defender - M365-security-compliance Last updated
+search.appverid: met150
# Network protection for macOS
security Network Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection.md
- m365initiative-m365-defender - M365-security-compliance
+search.appverid: met150
# Protect your network
security Next Generation Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/next-generation-protection.md
+search.appverid: met150
# Next-generation protection overview
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
- m365solution-evalutatemtp
+search.appverid: met150
# Microsoft Defender for Endpoint for non-Windows platforms
security Offboard Machine Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machine-api.md
+search.appverid: met150
# Offboard machine API
security Offboard Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/offboard-machines.md
audience: ITPro
+search.appverid: met150
# Offboard devices from the Microsoft Defender for Endpoint service
security Office 365 Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus.md
+search.appverid: met150
# Better together: Microsoft Defender Antivirus and Office 365
security Onboard Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Onboard devices and configure Microsoft Defender for Endpoint capabilities
security Onboard Downlevel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md
audience: ITPro
+search.appverid: met150
# Onboard previous versions of Windows
security Onboard Offline Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-offline-machines.md
audience: ITPro
+search.appverid: met150
# Onboard devices without Internet access to Microsoft Defender for Endpoint
security Onboard Windows Client https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-client.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Defender for Endpoint onboarding Windows Client
security Onboard Windows Multi Session Device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-multi-session-device.md
+search.appverid: met150
# Onboard Windows devices in Azure Virtual Desktop
security Onboard Windows Server https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-windows-server.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Defender for Endpoint onboarding Windows Server
security Onboarding Endpoint Configuration Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md
+search.appverid: met150
# Onboarding using Microsoft Endpoint Configuration Manager
Follow the steps below to onboard endpoints using Microsoft Endpoint Configurati
:::image type="content" source="images/configmgr-device-collections.png" alt-text="The Microsoft Endpoint Configuration Manager wizard1" lightbox="images/configmgr-device-collections.png":::
-2. Right Click **Device Collection** and select **Create Device Collection**.
+2. Right select **Device Collection** and select **Create Device Collection**.
:::image type="content" source="images/configmgr-create-device-collection.png" alt-text="The Microsoft Endpoint Configuration Manager wizard2" lightbox="images/configmgr-create-device-collection.png":::
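Review bot: in step 2, "Right select **Device Collection**" looks like a blanket Click-to-Select replacement, and "right select" is not an action a reader can perform. Suggest "Right-click **Device Collection**, and then select **Create Device Collection**".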
Follow the steps below to onboard endpoints using Microsoft Endpoint Configurati
:::image type="content" source="images/configmgr-query-rule.png" alt-text="The Microsoft Endpoint Configuration Manager wizard4" lightbox="images/configmgr-query-rule.png":::
-5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
+5. Select **Next** on the **Direct Membership Wizard** and select on **Edit Query Statement**.
:::image type="content" source="images/configmgr-direct-membership.png" alt-text="The Microsoft Endpoint Configuration Manager wizard5" lightbox="images/configmgr-direct-membership.png":::
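Review bot: step 5 now reads "select on **Edit Query Statement**", where the "on" is left over from "click on". Suggest "Select **Next** on the **Direct Membership Wizard**, and then select **Edit Query Statement**".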
Follow the steps below to onboard endpoints using Microsoft Endpoint Configurati
:::image type="content" source="images/configmgr-criteria.png" alt-text="The Microsoft Endpoint Configuration Manager wizard6" lightbox="images/configmgr-criteria.png":::
-7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
+7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and select on **OK**.
:::image type="content" source="images/configmgr-simple-value.png" alt-text="The Microsoft Endpoint Configuration Manager wizard7" lightbox="images/configmgr-simple-value.png":::
From within the Microsoft 365 Defender portal it is possible to download the `.o
1. From a <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, select [Settings and then Onboarding](https://security.microsoft.com/preferences2/onboarding).
-2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
+2. Under Deployment method, select the supported version of **Microsoft Endpoint Configuration Manager**.
:::image type="content" source="images/mdatp-onboarding-wizard.png" alt-text="The Microsoft Endpoint Configuration Manager wizard10" lightbox="images/mdatp-onboarding-wizard.png":::
From within the Microsoft 365 Defender portal it is possible to download the `.o
:::image type="content" source="images/configmgr-policy-name.png" alt-text="The Microsoft Endpoint Configuration Manager wizard13" lightbox="images/configmgr-policy-name.png":::
-8. Click **Browse**.
+8. Select **Browse**.
9. Navigate to the location of the downloaded file from step 4 above.
-10. Click **Next**.
+10. Select **Next**.
11. Configure the Agent with the appropriate samples (**None** or **All file types**). :::image type="content" source="images/configmgr-config-settings.png" alt-text="The configuration settings1" lightbox="images/configmgr-config-settings.png":::
-12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
+12. Select the appropriate telemetry (**Normal** or **Expedited**) then select **Next**.
:::image type="content" source="images/configmgr-telemetry.png" alt-text="The configuration settings2" lightbox="images/configmgr-telemetry.png":::
-13. Verify the configuration, then click **Next**.
+13. Verify the configuration, then select **Next**.
:::image type="content" source="images/configmgr-verify-configuration.png" alt-text="The configuration settings3" lightbox="images/configmgr-verify-configuration.png":::
-14. Click **Close** when the Wizard completes.
+14. Select **Close** when the Wizard completes.
15. In the Microsoft Endpoint Configuration Manager console, right-click the Defender for Endpoint policy you just created and select **Deploy**. :::image type="content" source="images/configmgr-deploy.png" alt-text="The configuration settings4" lightbox="images/configmgr-deploy.png":::
-16. On the right panel, select the previously created collection and click **OK**.
+16. On the right panel, select the previously created collection and select **OK**.
:::image type="content" source="images/configmgr-select-collection.png" alt-text="The configuration settings5" lightbox="images/configmgr-select-collection.png"::: #### Previous versions of Windows Client (Windows 7 and Windows 8.1)
-Follow the steps below to identify the Defender for Endpoint Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
+Follow the steps below to identify the Defender for Endpoint Workspace ID and Workspace Key that will be required for the onboarding of previous versions of Windows.
1. From a <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>, select **Settings** \> **Endpoints** \> **Onboarding** (under **Device Management**).
-2. Under operating system choose **Windows 7 SP1 and 8.1**.
+2. Under operating system, choose **Windows 7 SP1 and 8.1**.
3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
Once completed, you should see onboarded endpoints in the portal within an hour.
### Next generation protection
-Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
+Microsoft Defender Antivirus is a built-in anti-malware solution that provides next generation protection for desktops, portable computers, and servers.
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
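Review bot: the intro sentence now spells it "anti-malware", but step 1 directly below still quotes the console labels as **Antimalware Polices** and **Create Antimalware Policy**, and steps 3 and 4 switch to "anti-malware policy" for the same object. Either keep "antimalware" where the text refers to the console object, or say once that the console spells it without the hyphen. "Polices" in step 1 also reads like a typo for "Policies" and is worth checking against the console while this paragraph is open.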
Microsoft Defender Antivirus is a built-in antimalware solution that provides ne
[Quick scan versus full scan and custom scan](/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
- For more details, see [Windows Security configuration framework](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework).
+ For more information, see [Windows Security configuration framework](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework).
:::image type="content" source="images/cd7daeb392ad5a36f2d3a15d650f1e96.png" alt-text="The next-generation protection pane2" lightbox="images/cd7daeb392ad5a36f2d3a15d650f1e96.png":::
Microsoft Defender Antivirus is a built-in antimalware solution that provides ne
:::image type="content" source="images/3876ca687391bfc0ce215d221c683970.png" alt-text="The next-generation protection pane9" lightbox="images/3876ca687391bfc0ce215d221c683970.png":::
-3. Right-click on the newly created antimalware policy and select **Deploy**.
+3. Right-click on the newly created anti-malware policy and select **Deploy**.
:::image type="content" source="images/f5508317cd8c7870627cb4726acd5f3d.png" alt-text="The next-generation protection pane10" lightbox="images/f5508317cd8c7870627cb4726acd5f3d.png":::
-4. Target the new antimalware policy to your Windows collection and click **OK**.
+4. Target the new anti-malware policy to your Windows collection and select **OK**.
:::image type="content" source="images/configmgr-select-collection.png" alt-text="The next-generation protection pane11" lightbox="images/configmgr-select-collection.png":::
After completing this task, you now have successfully configured Microsoft Defen
The attack surface reduction pillar of Defender for Endpoint includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection, and Exploit Protection.
-All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft 365 Defender portal. The goal with a deployment is to step-by-step move security controls into block mode.
+All these features provide a test mode and a block mode. In test mode, there's no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft 365 Defender portal. The goal with a deployment is to step-by-step move security controls into block mode.
-To set ASR rules in Audit mode:
+To set ASR rules in test mode:
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
To set ASR rules in Audit mode:
2. Select **Attack Surface Reduction**.
-3. Set rules to **Audit** and click **Next**.
+3. Set rules to **Audit** and select **Next**.
:::image type="content" source="images/d18e40c9e60aecf1f9a93065cb7567bd.png" alt-text="The Microsoft Endpoint Configuration Manager console1" lightbox="images/d18e40c9e60aecf1f9a93065cb7567bd.png":::
-4. Confirm the new Exploit Guard policy by clicking on **Next**.
+4. Confirm the new Exploit Guard policy by selecting **Next**.
:::image type="content" source="images/0a6536f2c4024c08709cac8fcf800060.png" alt-text="The Microsoft Endpoint Configuration Manager console2" lightbox="images/0a6536f2c4024c08709cac8fcf800060.png":::
-5. Once the policy is created click **Close**.
+5. Once the policy is created select **Close**.
:::image type="content" source="images/95d23a07c2c8bc79176788f28cef7557.png" alt-text="The Microsoft Endpoint Configuration Manager console3" lightbox="images/95d23a07c2c8bc79176788f28cef7557.png":::
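Review bot: step 3 still tells the reader to set rules to **Audit**, while the introduction above and the closing sentence of this procedure now say "test mode", so the text no longer matches the option the reader sees in the wizard. Add the mapping at first use, for example "test mode (the **Audit** setting in the console)", or leave the prose as "audit mode" until the console label changes. Step 5 also needs a comma: "Once the policy is created, select **Close**."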
To set ASR rules in Audit mode:
:::image type="content" source="images/8999dd697e3b495c04eb911f8b68a1ef.png" alt-text="The Microsoft Endpoint Configuration Manager console4" lightbox="images/8999dd697e3b495c04eb911f8b68a1ef.png":::
-7. Target the policy to the newly created Windows collection and click **OK**.
+7. Target the policy to the newly created Windows collection and select **OK**.
:::image type="content" source="images/0ccfe3e803be4b56c668b220b51da7f7.png" alt-text="The Microsoft Endpoint Configuration Manager console5" lightbox="images/0ccfe3e803be4b56c668b220b51da7f7.png":::
-After completing this task, you now have successfully configured ASR rules in audit mode.
+After completing this task, you now have successfully configured ASR rules in test mode.
Below are additional steps to verify whether ASR rules are correctly applied to endpoints. (This may take few minutes)
Below are additional steps to verify whether ASR rules are correctly applied to
2. Select **Configuration management** from left side menu.
-3. Click **Go to attack surface management** in the Attack surface management panel.
+3. Select **Go to attack surface management** in the Attack surface management panel.
:::image type="content" source="images/security-center-attack-surface-mgnt-tile.png" alt-text="The attack surface management" lightbox="images/security-center-attack-surface-mgnt-tile.png":::
-4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
+4. Select **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each device.
:::image type="content" source="images/f91f406e6e0aae197a947d3b0e8b2d0d.png" alt-text="The attack surface reduction rules reports1" lightbox="images/f91f406e6e0aae197a947d3b0e8b2d0d.png":::
-5. Click each device shows configuration details of ASR rules.
+5. Select each device shows configuration details of ASR rules.
:::image type="content" source="images/24bfb16ed561cbb468bd8ce51130ca9d.png" alt-text="The attack surface reduction rules reports2" lightbox="images/24bfb16ed561cbb468bd8ce51130ca9d.png"::: See [Optimize ASR rule deployment and detections](/microsoft-365/security/defender-endpoint/configure-machines-asr) for more details.
-#### Set Network Protection rules in Audit mode
+#### Set Network Protection rules in test mode
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
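Review bot: step 5 ("Select each device shows configuration details of ASR rules") was already ungrammatical as "Click each device shows ..." and the word swap carries the problem over. Reword it as an instruction with a result, for example "Select a device to see the configuration details of its ASR rules." Step 4 has a similar gap: "Select **Configuration** tab" should be "Select the **Configuration** tab".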
See [Optimize ASR rule deployment and detections](/microsoft-365/security/defend
2. Select **Network protection**.
-3. Set the setting to **Audit** and click **Next**.
+3. Set the setting to **Audit** and select **Next**.
:::image type="content" source="images/c039b2e05dba1ade6fb4512456380c9f.png" alt-text="The System Center Configuration Manager2" lightbox="images/c039b2e05dba1ade6fb4512456380c9f.png":::
-4. Confirm the new Exploit Guard Policy by clicking **Next**.
+4. Confirm the new Exploit Guard Policy by selecting **Next**.
:::image type="content" source="images/0a6536f2c4024c08709cac8fcf800060.png" alt-text="The Exploit Guard policy1" lightbox="images/0a6536f2c4024c08709cac8fcf800060.png":::
-5. Once the policy is created click on **Close**.
+5. Once the policy is created select on **Close**.
:::image type="content" source="images/95d23a07c2c8bc79176788f28cef7557.png" alt-text="The Exploit Guard policy2" lightbox="images/95d23a07c2c8bc79176788f28cef7557.png":::
See [Optimize ASR rule deployment and detections](/microsoft-365/security/defend
:::image type="content" source="images/0ccfe3e803be4b56c668b220b51da7f7.png" alt-text="The Microsoft Endpoint Configuration Manager-2" lightbox="images/0ccfe3e803be4b56c668b220b51da7f7.png":::
-After completing this task, you now have successfully configured Network Protection in audit mode.
+After completing this task, you now have successfully configured Network Protection in test mode.
-#### To set Controlled Folder Access rules in Audit mode
+#### To set Controlled Folder Access rules in test mode
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance** > **Overview** > **Endpoint Protection** > **Windows Defender Exploit Guard** and then choose **Create Exploit Guard Policy**.
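Review bot: the heading "To set Controlled Folder Access rules in test mode" does not match its sibling a few lines up, "Set Network Protection rules in test mode", and the feature name is cased differently again in step 2 and in the closing sentence ("Controlled folder access"). Since the heading line is being edited anyway, drop the leading "To" and settle on one casing. Step 3 in the next hunk also still says **Audit**, so the test mode versus Audit mismatch applies here too.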
After completing this task, you now have successfully configured Network Protect
2. Select **Controlled folder access**.
-3. Set the configuration to **Audit** and click **Next**.
+3. Set the configuration to **Audit** and select **Next**.
:::image type="content" source="images/a8b934dab2dbba289cf64fe30e0e8aa4.png" alt-text="The Microsoft Endpoint Configuration Manager-4" lightbox="images/a8b934dab2dbba289cf64fe30e0e8aa4.png":::
-4. Confirm the new Exploit Guard Policy by clicking on **Next**.
+4. Confirm the new Exploit Guard Policy by selecting **Next**.
:::image type="content" source="images/0a6536f2c4024c08709cac8fcf800060.png" alt-text="The Microsoft Endpoint Configuration Manager-5" lightbox="images/0a6536f2c4024c08709cac8fcf800060.png":::
-5. Once the policy is created click on **Close**.
+5. Once the policy is created select on **Close**.
:::image type="content" source="images/95d23a07c2c8bc79176788f28cef7557.png" alt-text="The Microsoft Endpoint Configuration Manager-6" lightbox="images/95d23a07c2c8bc79176788f28cef7557.png":::
After completing this task, you now have successfully configured Network Protect
:::image type="content" source="images/8999dd697e3b495c04eb911f8b68a1ef.png" alt-text="The Microsoft Endpoint Configuration Manager-7" lightbox="images/8999dd697e3b495c04eb911f8b68a1ef.png"::: -
-7. Target the policy to the newly created Windows collection and click **OK**.
-
+7. Target the policy to the newly created Windows collection and select **OK**.
:::image type="content" source="images/0ccfe3e803be4b56c668b220b51da7f7.png" alt-text="The Microsoft Endpoint Configuration Manager-8" lightbox="images/0ccfe3e803be4b56c668b220b51da7f7.png":::
-You have now successfully configured Controlled folder access in audit mode.
+You have now successfully configured Controlled folder access in test mode.
## Related topic
security Onboarding Endpoint Manager https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md
- highpri
+search.appverid: met150
# Onboarding using Microsoft Endpoint Manager
security Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md
- highpri
+search.appverid: met150
# Onboard to the Microsoft Defender for Endpoint service
security Overview Attack Surface Reduction https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction.md
- m365initiative-m365-defender - M365-security-compliance Last updated 05/16/2022
+search.appverid: met150
# Understand and use attack surface reduction capabilities
security Overview Client Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-client-analyzer.md
audience: ITPro
+search.appverid: met150
# Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer
security Overview Endpoint Detection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response.md
audience: ITPro
+search.appverid: met150
# Overview of endpoint detection and response
security Partner Applications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md
audience: ITPro
+search.appverid: met150
# Partner applications in Microsoft Defender for Endpoint
security Partner Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-integration.md
audience: ITPro
+search.appverid: met150
# Microsoft Defender for Endpoint partner opportunities and scenarios
security Post Ti Indicator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/post-ti-indicator.md
+search.appverid: met150
# Submit or Update Indicator API
security Preferences Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/preferences-setup.md
audience: ITPro
+search.appverid: met150
# Configure general Defender for Endpoint settings
security Prepare Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prepare-deployment.md
- highpri
+search.appverid: met150
# Prepare Microsoft Defender for Endpoint deployment
security Prevent Changes To Security Settings With Tamper Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md
- M365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Protect security settings with tamper protection
security Prevent End User Interaction Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus.md
+search.appverid: met150
# Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
security Printer Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection.md
+search.appverid: met150
# Device Control Printer Protection
security Production Deployment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/production-deployment.md
+search.appverid: met150
# Set up Microsoft Defender for Endpoint deployment
security Raw Data Export Event Hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-event-hub.md
+search.appverid: met150
# Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Azure Event Hubs
security Raw Data Export Storage https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export-storage.md
+search.appverid: met150
# Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account
security Raw Data Export https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/raw-data-export.md
+search.appverid: met150
# Raw Data Streaming API
security Rbac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/rbac.md
audience: ITPro
+search.appverid: met150
# Manage portal access using role-based access control
security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/recommendation.md
+search.appverid: met150
# Recommendation resource type
security Report Monitor Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus.md
+search.appverid: met150
# Report on Microsoft Defender Antivirus
security Respond File Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-file-alerts.md
audience: ITPro
+search.appverid: met150
# Take response actions on a file
security Respond Machine Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md
audience: ITPro
+search.appverid: met150
# Take response actions on a device
security Restore Quarantined Files Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus.md
+search.appverid: met150
# Restore quarantined files in Microsoft Defender Antivirus
security Restrict Code Execution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/restrict-code-execution.md
+search.appverid: met150
# Restrict app execution API
security Review Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-alerts.md
Last updated 5/1/2020
+search.appverid: met150
# Review alerts in Microsoft Defender for Endpoint
security Review Scan Results Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus.md
+search.appverid: met150
# Review Microsoft Defender Antivirus scan results
security Run Advanced Query Api https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-api.md
+search.appverid: met150
# Advanced hunting API
security Run Advanced Query Sample Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-sample-powershell.md
+search.appverid: met150
# Advanced Hunting using PowerShell
security Run Advanced Query Sample Python https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-advanced-query-sample-python.md
+search.appverid: met150
# Advanced Hunting using Python
security Run Analyzer Macos Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux.md
audience: ITPro
+search.appverid: met150
# Run the client analyzer on macOS and Linux
security Run Analyzer Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-analyzer-windows.md
- m365initiative-m365-defender
+search.appverid: met150
# Run the client analyzer on Windows
security Run Av Scan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-av-scan.md
+search.appverid: met150
# Run antivirus scan API
security Run Scan Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus.md
+search.appverid: met150
# Configure and run on-demand Microsoft Defender Antivirus scans
security Schedule Antivirus Scan In Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scan-in-mde.md
audience: ITPro
+search.appverid: met150
# Schedule an antivirus scan using Anacron in Microsoft Defender for Endpoint on Linux
security Schedule Antivirus Scans Group Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-group-policy.md
+search.appverid: met150
# Schedule antivirus scans using Group Policy
security Schedule Antivirus Scans Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-powershell.md
+search.appverid: met150
# Schedule antivirus scans using PowerShell
security Schedule Antivirus Scans Wmi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-wmi.md
+search.appverid: met150
# Schedule antivirus scans using Windows Management Instrumentation (WMI)
security Schedule Antivirus Scans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scans.md
+search.appverid: met150
# Configure scheduled quick or full Microsoft Defender Antivirus scans
security Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/score.md
+search.appverid: met150
# Score resource type
security Security Operations Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/security-operations-dashboard.md
audience: ITPro
+search.appverid: met150
# Microsoft Defender Security Center Security operations dashboard
security Set Device Value https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/set-device-value.md
+search.appverid: met150
# Set device value API
security Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/software.md
+search.appverid: met150
# Software resource type
security Specify Additional Definitions Network Traffic Inspection Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-additional-definitions-network-traffic-inspection-mdav.md
+search.appverid: met150
# Specify additional definition sets for network traffic inspection
You can specify additional definition sets for network traffic inspection using
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)-- [How to create and deploy antimalware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+- [How to create and deploy anti-malware policies: Cloud-protection service](/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
security Specify Cloud Protection Level Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus.md
+search.appverid: met150
# Specify the cloud protection level
security Stop And Quarantine File https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/stop-and-quarantine-file.md
+search.appverid: met150
# Stop and quarantine file API
security Supported Capabilities By Platform https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Supported Microsoft Defender for Endpoint capabilities by platform
security Switch To Mde Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-overview.md
Last updated 11/29/2021
+search.appverid: met150
# Make the switch from non-Microsoft endpoint protection to Microsoft Defender for Endpoint
security Switch To Mde Phase 1 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-1.md
- admindeeplinkDEFENDER Last updated 04/01/2022
+search.appverid: met150
# Switch to Microsoft Defender for Endpoint - Phase 1: Prepare
security Switch To Mde Phase 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-2.md
+search.appverid: met150
# Switch to Microsoft Defender for Endpoint - Phase 2: Setup
security Switch To Mde Phase 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3.md
Last updated 04/01/2022
+search.appverid: met150
# Switch to Microsoft Defender for Endpoint - Phase 3: Onboard
security Switch To Mde Troubleshooting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-troubleshooting.md
Last updated 05/20/2022
+search.appverid: met150
# Troubleshooting issues when switching to Microsoft Defender for Endpoint
security Tamperprotection Macos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tamperprotection-macos.md
- M365-security-compliance
+search.appverid: met150
# Protect macOS security settings with tamper protection
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-analytics-analyst-reports.md
audience: ITPro
+search.appverid: met150
# The analyst report in threat analytics
security Threat Indicator Concepts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-indicator-concepts.md
audience: ITPro
+search.appverid: met150
# Understand threat intelligence concepts
security Threat Protection Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-integration.md
audience: ITPro
+search.appverid: met150
# Microsoft Defender for Endpoint and other Microsoft solutions
security Threat Protection Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-reports.md
audience: ITPro
+search.appverid: met150
# Threat protection report in Microsoft Defender for Endpoint
security Ti Indicator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ti-indicator.md
+search.appverid: met150
# Indicator resource type
security Time Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/time-settings.md
audience: ITPro
+search.appverid: met150
# Microsoft 365 Defender time zone settings
security Troubleshoot Asr Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules.md
+search.appverid: met150
# Report and troubleshoot Microsoft Defender for Endpoint ASR Rules
security Troubleshoot Asr https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-asr.md
+search.appverid: met150
# Troubleshoot attack surface reduction rules
To add an exclusion, see [Customize Attack surface reduction](attack-surface-red
## Report a false positive or false negative
-Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](alerts-queue.md).
+Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/support/report-exploit-guard) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](alerts-queue.md).
## Collect diagnostic data for file submissions
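Review bot: the link target changes to .../wdsi/support/report-exploit-guard, but the sentence around it still describes the form as a way to report a false negative or false positive "for network protection", and this article is "Troubleshoot attack surface reduction rules". Confirm whether the sentence should name attack surface reduction rules instead, and whether the link text "Windows Defender Security Intelligence web-based submission form" still describes the new destination.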
security Troubleshoot Auditd Performance Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-auditd-performance-issues.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Troubleshoot AuditD performance issues with Microsoft Defender for Endpoint on Linux
security Troubleshoot Cloud Connect Mdemac https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-cloud-connect-mdemac.md
audience: ITPro
+search.appverid: met150
# Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS
security Troubleshoot Collect Support Log https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md
audience: ITPro
+search.appverid: met150
# Collect support logs in Microsoft Defender for Endpoint using live response
security Troubleshoot Exploit Protection Mitigations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-exploit-protection-mitigations.md
+search.appverid: met150
# Troubleshoot exploit protection mitigations
security Troubleshoot Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-live-response.md
audience: ITPro
+search.appverid: met150
# Troubleshoot Microsoft Defender for Endpoint live response issues
security Troubleshoot Mdatp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-mdatp.md
audience: ITPro
+search.appverid: met150
# Troubleshoot service issues
The following date and time formats are currently not supported:
### Use of comma to indicate thousand
-Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K.
+Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5 K is displayed as 15.5 K.
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-troubleshoot-belowfoldlink)
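Review bot: The `+` line only inserts a space before "K" and keeps the opener "Support of use of comma as a separator in numbers are not supported", which is ungrammatical and doubles "support". Suggest "Using a comma as a separator in numbers isn't supported." The heading also says the comma indicates a thousand, while the example "15,5 K is displayed as 15.5 K" has the comma in the decimal position; please confirm which case the section means and align the heading and example.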
security Troubleshoot Microsoft Defender Antivirus When Migrating https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating.md
+search.appverid: met150
# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
security Troubleshoot Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus.md
+search.appverid: met150
# Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
security Troubleshoot Np https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-np.md
+search.appverid: met150
# Troubleshoot network protection
security Troubleshoot Onboarding Error Messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages.md
audience: ITPro
+search.appverid: met150
# Troubleshoot subscription and portal access issues
security Troubleshoot Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-onboarding.md
audience: ITPro
+search.appverid: met150
# Troubleshoot Microsoft Defender for Endpoint onboarding issues
security Troubleshoot Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-reporting.md
+search.appverid: met150
# Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
security Troubleshoot Security Config Mgt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt.md
audience: ITPro
+search.appverid: met150
# Troubleshoot onboarding issues related to Security Management for Microsoft Defender for Endpoint
security Troubleshoot Siem https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-siem.md
audience: ITPro
+search.appverid: met150
# Troubleshoot SIEM tool integration issues
security Tune Performance Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md
+search.appverid: met150
# Performance analyzer for Microsoft Defender Antivirus
security Turn On Definition Retirement https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/turn-on-definition-retirement.md
+search.appverid: met150
# Turn on definition retirement
security Unisolate Machine https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/unisolate-machine.md
+search.appverid: met150
# Release device from isolation API
security Unrestrict Code Execution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/unrestrict-code-execution.md
+search.appverid: met150
# Remove app restriction API
security Update Alert https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-alert.md
+search.appverid: met150
# Update alert
security Update Machine Method https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/update-machine-method.md
+search.appverid: met150
# Update machine
security Use Group Policy Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus.md
audience: ITPro
+search.appverid: met150
# Use Group Policy settings to configure and manage Microsoft Defender Antivirus
security Use Intune Config Manager Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus.md
audience: ITPro
+search.appverid: met150
# Use Microsoft Endpoint Manager to configure and manage Microsoft Defender Antivirus
security Use Powershell Cmdlets Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus.md
audience: ITPro
+search.appverid: met150
# Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus
security Use Wmi Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus.md
audience: ITPro
+search.appverid: met150
# Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus
security User Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user-roles.md
+search.appverid: met150
# Create and manage roles for role-based access control
security User https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/user.md
+search.appverid: met150
# User resource type
security View Incidents Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/view-incidents-queue.md
audience: ITPro
+search.appverid: met150
# View and organize the Microsoft Defender for Endpoint Incidents queue
security Vulnerability https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/vulnerability.md
+search.appverid: met150
# Vulnerability resource type
security Web Content Filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md
+search.appverid: met150
# Web content filtering
security Web Protection Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-protection-response.md
audience: ITPro
+search.appverid: met150
# Respond to web threats
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
For more information on Microsoft Defender for Endpoint on other operating syste
## September 2022 - [Device health reporting is now generally available](machine-reports.md). <br/>The device health report provides high-level information about the health and security of your endpoints. The report includes trending information showing the sensor health state, antivirus status, OS platforms, Windows 10 versions, and Microsoft Defender Antivirus update versions.-- [Troubleshooting mode](enable-troubleshooting-mode.md) is now available for Windows Server 2012 R2 and 2016 machines running the modern, unified solution. During troubleshooting mode, use `Set-MPPreference -DisableTamperProtection $true` to temporarily disable tamper protection on your device and make your necessary configuration changes. Before you use troubleshooting mode, make sure all of the following components are up to date:
- - Sense version 10.8049.22439.1084 (KB5005292) or later
- - Microsoft Defender Antivirus - Platform: 4.18.2207.7 (KB4052623) or later
- - Microsoft Defender Antivirus - Engine: 1.1.19500.2 (KB2267602) or later
+- [Troubleshooting mode](enable-troubleshooting-mode.md) is now available for more Windows operating systems, including Windows Server 2012 R2 and above. Please refer to the article for more details about the required updates.
## August 2022
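Review bot: The replacement bullet drops the three minimum component versions (Sense, Platform and Engine, with their KB numbers) and the `Set-MPPreference -DisableTamperProtection $true` instruction, leaving only "Please refer to the article for more details about the required updates." Please confirm that enable-troubleshooting-mode.md carries those prerequisites before this lands. "More Windows operating systems, including Windows Server 2012 R2 and above" would also be clearer as an explicit list of supported versions.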
security Why Cloud Protection Should Be On Mdav https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-cloud-protection-should-be-on-mdav.md
Last updated 10/22/2021
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Why cloud protection should be enabled for Microsoft Defender Antivirus
security Why Use Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus.md
+search.appverid: met150
# Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint
security Directory Service Accounts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/directory-service-accounts.md
+search.appverid: met150
# Microsoft Defender for Identity Directory Services account in Microsoft 365 Defender
security Entity Tags https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/entity-tags.md
+search.appverid: met150
# Defender for Identity entity tags in Microsoft 365 Defender
security Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/exclusions.md
+search.appverid: met150
# Configure Defender for Identity detection exclusions in Microsoft 365 Defender
security Manage Security Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/manage-security-alerts.md
+search.appverid: met150
# Defender for Identity security alerts in Microsoft 365 Defender
security Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/notifications.md
+search.appverid: met150
# Defender for Identity notifications in Microsoft 365 Defender
security Sensor Health https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/sensor-health.md
+search.appverid: met150
# Microsoft Defender for Identity sensor health and settings in Microsoft 365 Defender
security Vpn Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-identity/vpn-integration.md
+search.appverid: met150
# Defender for Identity VPN integration in Microsoft 365 Defender
security Defender Vulnerability Management Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-faq.md
audience: ITPro
+search.appverid: met150
# Microsoft Defender Vulnerability Management frequently asked questions
security Defender Vulnerability Management Trial https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial.md
audience: ITPro
+search.appverid: met150
# About the Microsoft Defender Vulnerability Management public preview trial
security Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management.md
audience: ITPro
+search.appverid: met150
# What is Microsoft Defender Vulnerability Management
security Threat And Vuln Mgt Event Timeline https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/threat-and-vuln-mgt-event-timeline.md
audience: ITPro
+search.appverid: met150
+ # Event timeline [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Trial Playbook Defender Vulnerability Management https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/trial-playbook-defender-vulnerability-management.md
audience: ITPro
+search.appverid: met150
# Trial playbook: Microsoft Defender Vulnerability Management
security Tvm Assign Device Value https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-assign-device-value.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Assign device value
security Tvm Block Vuln Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps.md
audience: ITPro
- m365-security-compliance
+search.appverid: met150
# Block vulnerable applications (beta)
security Tvm Browser Extensions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-browser-extensions.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Browser extensions assessment
security Tvm Certificate Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-certificate-inventory.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Certificate inventory
security Tvm Dashboard Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-dashboard-insights.md
- m365initiative-defender-endpoint
+search.appverid: met150
+ # Dashboard insights [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Tvm End Of Support Software https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-end-of-support-software.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
+ # Plan for end-of-support software and software versions [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Tvm Exception https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-exception.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
+ # Create and view exceptions for security recommendations [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Tvm Exposure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
+ # Exposure score in Defender Vulnerability Management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Tvm Hunt Exposed Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-hunt-exposed-devices.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Hunt for exposed devices
security Tvm Manage Log4shell Guidance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-manage-Log4shell-guidance.md
- m365-initiative-defender-endpoint
+search.appverid: met150
# Learn how to manage the Log4Shell vulnerability in Microsoft Defender for Endpoint
security Tvm Microsoft Secure Score Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-microsoft-secure-score-devices.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
+ # Microsoft Secure Score for Devices [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Tvm Network Share Assessment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-network-share-assessment.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Network share configuration assessment
security Tvm Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-prerequisites.md
audience: ITPro
+search.appverid: met150
# Prerequisites & permissions for Microsoft Defender Vulnerability Management
security Tvm Remediation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-remediation.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
+ # Remediate vulnerabilities [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Tvm Security Baselines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-security-baselines.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Security baselines assessment
security Tvm Security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
+ # Security recommendations [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Tvm Software Inventory https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-software-inventory.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
+ # Software inventory in Defender Vulnerability Management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Tvm Supported Os https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-supported-os.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
+ # Supported operating systems, platforms and capabilities [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Tvm Vulnerable Devices Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-vulnerable-devices-report.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Vulnerable devices report
security Tvm Weaknesses https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
+ # Vulnerabilities in my organization [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Tvm Zero Day Vulnerabilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-zero-day-vulnerabilities.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Mitigate zero-day vulnerabilities
security Advanced Hunting Modes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-modes.md
- m365initiative-m365-defender
+search.appverid: met150
# Choose between guided and advanced modes to hunt in Microsoft 365 Defender
security Advanced Hunting Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-overview.md
- m365initiative-m365-defender
+search.appverid: met150
# Proactively hunt for threats with advanced hunting in Microsoft 365 Defender
security Alert Grading For Malicious Exchange Connectors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-for-malicious-exchange-connectors.md
search.appverid: - MOE150
+ - MET150
# Alert grading for malicious exchange connectors
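Review bot: The value added here is `MET150` in upper case, while the same `search.appverid` value is added as `met150` in the other files of this update, for example alert-grading-password-spray.md. Suggest one casing throughout, unless upper case is intended here to match the existing `MOE150` entry in the same list.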
security Alert Grading Password Spray https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-password-spray.md
search.appverid: - MOE150
+ - met150
+ # Suspicious password spray-related IP activity [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
security Alert Grading Playbook Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-playbook-email-forwarding.md
search.appverid: - MOE150
+ - met150
+ # Alert grading for suspicious email forwarding activity [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
security Alert Grading Playbook Inbox Forwarding Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-playbook-inbox-forwarding-rules.md
search.appverid: - MOE150
+ - met150
+ # Alert grading for suspicious inbox forwarding rules [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
security Alert Grading Playbook Inbox Manipulation Rules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/alert-grading-playbook-inbox-manipulation-rules.md
search.appverid: - MOE150
+ - met150
+ # Alert grading for suspicious inbox manipulation rules [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
security Api Get Incident https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-get-incident.md
audience: ITPro
+search.appverid: met150
# Get incident information API
Empty
## Response If successful, this method returns 200 OK, and the incident entity in the response body.
-If incident with the specified id was not found - 404 Not Found.
+If incident with the specified id wasn't found - 404 Not Found.
## Example ### Request
-Here is an example of the request.
+Here's an example of the request.
```http GET https://api.security.microsoft.com/api/incidents/{id}
security Before You Begin Defender Experts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-defender-experts.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Before you begin using Defender Experts for Hunting
security Defender Experts For Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/defender-experts-for-hunting.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Microsoft Defender Experts for Hunting
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
search.appverid: - MOE150
+ - met150
+ # Investigate alerts in Microsoft 365 Defender [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
security Investigate Dlp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-dlp.md
search.appverid: - MOE150
+ - met150
+ # Investigate data loss incidents with Microsoft 365 Defender [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
security Investigate Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md
search.appverid: - MOE150
+ - MET150
# Investigate incidents in Microsoft 365 Defender
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
search.appverid: - MOE150
+ - MET150
# Manage incidents in Microsoft 365 Defender
security Onboarding Defender Experts For Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/onboarding-defender-experts-for-hunting.md
- m365-security-compliance - m365initiative-defender-endpoint
+search.appverid: met150
# Start using Microsoft Defender Experts for Hunting
security Threat Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics.md
- m365initiative-m365-defender
+search.appverid: met150
# Threat analytics in Microsoft 365 Defender
security Mdo Trial Banner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/includes/mdo-trial-banner.md
ms.prod: w10
+search.appverid: met150
> [!TIP]
security Microsoft Defender For Office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/includes/microsoft-defender-for-office.md
ms.prod: m365-security
+search.appverid: met150
> [!NOTE]
security Microsoft Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/includes/microsoft-defender.md
ms.prod: m365-security
+search.appverid: met150
> [!NOTE]
security Prerelease https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/includes/prerelease.md
Last updated 12/18/2019
f1.keywords: - NOCSH
+search.appverid: met150
> [!IMPORTANT]
security Coordinated Malware Eradication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/coordinated-malware-eradication.md
audience: ITPro
ms.technology: m365d
+search.appverid: met150
+ # Coordinated Malware Eradication ![coordinated-malware-eradication.](../../media/security-intelligence-images/coordinated-malware.png)
security Cybersecurity Industry Partners https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/cybersecurity-industry-partners.md
audience: ITPro
ms.technology: m365d
+search.appverid: met150
+ # Industry collaboration programs There are various industry-wide collaboration programs with different objectives and requirements, provided by Microsoft. Enrolling in the right program can help you protect your customers, gain more insight into the current threat landscape, or help disrupting the malware ecosystem.
security Developer Resources https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/developer-resources.md
audience: ITPro
ms.technology: m365d
+search.appverid: met150
# Software developer resources
security Microsoft Bug Bounty Program https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/microsoft-bug-bounty-program.md
ms.localizationpriority: medium ms.technology: m365d
+search.appverid: met150
# About the Microsoft Bug Bounty Program
security Virus Information Alliance Criteria https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/virus-information-alliance-criteria.md
audience: ITPro
ms.technology: m365d
+search.appverid: met150
+ # Virus Information Alliance The Virus Information Alliance (VIA) is a public anti-malware collaboration program for security software providers, security service providers, anti-malware testing organizations, and other organizations involved in fighting cyber crime.
security Virus Initiative Criteria https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/intelligence/virus-initiative-criteria.md
audience: ITPro
ms.technology: m365d
+search.appverid: met150
# Microsoft Virus Initiative
security Admin Review Reported Message https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-review-reported-message.md
description: Learn how to review messages that are reported and give feedback to your users.
+search.appverid: met150
# Admin review for reported messages
security Attack Simulation Training End User Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-end-user-notifications.md
- m365initiative-defender-office365 description: Admins can learn how to create end-user notification email messages for Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+search.appverid: met150
# End-user notifications for Attack simulation training
security Attack Simulation Training Insights https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-insights.md
description: Admins can learn how Attack simulation training in the Microsoft 365 Defender portal affects users and can gain insights from simulation and training outcomes.
+search.appverid: met150
# Insights and reports for Attack simulation training in Defender for Office 365
security Attack Simulation Training Login Pages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-login-pages.md
- m365initiative-defender-office365 description: Admins can learn how to create and manage login pages for simulated phishing attacks in Microsoft Defender for Office 365 Plan 2.
+search.appverid: met150
# Login pages in Attack simulation training
security Attack Simulation Training Payload Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payload-automations.md
- m365initiative-defender-office365 description: Admins can learn how to use payload automations (payload harvesting) to collect and launch automated simulations for Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+search.appverid: met150
# Payload automations for Attack simulation training
security Attack Simulation Training Payloads https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-payloads.md
description: Admins can learn how to create and manage payloads for Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+search.appverid: met150
# Payloads in Attack simulation training in Defender for Office 365
security Attack Simulation Training Simulation Automations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations.md
- m365initiative-defender-office365 description: Admins can learn how to create automated simulations that contain specific techniques and payloads that launch when the specified conditions are met in Microsoft Defender for Office 365 Plan 2.
+search.appverid: met150
# Simulation automations for Attack simulation training
security Attack Simulation Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training.md
description: Admins can learn how to simulate phishing attacks and train their users on phishing prevention using Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+search.appverid: met150
# Simulate a phishing attack with Attack simulation training in Defender for Office 365
security Configure Anti Phishing Policies Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
description: Admins can learn how to create, modify, and delete the anti-phishing policies that are available in Exchange Online Protection (EOP) organizations with or without Exchange Online mailboxes.
+search.appverid: met150
# Configure anti-phishing policies in EOP
security Configure Mdo Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-mdo-anti-phishing-policies.md
description: Admins can learn how to create, modify, and delete the advanced anti-phishing policies that are available in organizations with Microsoft Defender for Office 365.
+search.appverid: met150
# Configure anti-phishing policies in Microsoft Defender for Office 365
security Email Security In Microsoft Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-security-in-microsoft-defender.md
- seo-marvel-apr2020
+search.appverid: met150
# Email security with Threat Explorer in Microsoft Defender for Office 365
security Exchange Online Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/exchange-online-protection-overview.md
description: Learn how Exchange Online Protection (EOP) can help protect your on-premises email organization in standalone and hybrid environments.
+search.appverid: met150
# Exchange Online Protection overview
security External Email Forwarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/external-email-forwarding.md
description: This article covers topics including external email forwarding, Automatic forwarding, 5.7.520 Access Denied messages, disabling external forwarding, 'Your administrator has disabled external forwarding' messages, as well as outbound anti-spam policy.
+search.appverid: met150
# Control automatic external email forwarding in Microsoft 365
security Help And Support For Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/help-and-support-for-eop.md
description: Microsoft provides help for EOP in a variety of places and methods
+search.appverid: met150
# Help and support for EOP
security How Policies And Protections Are Combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
description: Admins can learn about the application order of protections in Exchange Online Protection (EOP), and how the priority value in protection policies determines which policy is applied.
+search.appverid: met150
# Order and precedence of email protection
security Identity Access Policies Guest Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies-guest-access.md
- zerotrust-solution - highpri
+search.appverid: met150
# Policies for allowing guest access and B2B external user access
security Identity Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md
- zerotrust-solution - highpri
+search.appverid: met150
# Common Zero Trust identity and device access policies
security Identity Access Prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-prerequisites.md
- zerotrust-solution - highpri
+search.appverid: met150
# Prerequisite work for implementing Zero Trust identity and device access policies
security Mail Flow In Eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mail-flow-in-eop.md
description: Admin can learn about the options for configuring mail flow and rou
+search.appverid: met150
# Mail flow in EOP
security Mail Flow Insights V2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mail-flow-insights-v2.md
description: Admins can learn about the insights and reports that are available
+search.appverid: met150
# Mail flow insights in the Security & Compliance Center
security Mcas Saas Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mcas-saas-access-policies.md
- zerotrust-solution
+search.appverid: met150
# Recommended Microsoft Defender for Cloud Apps policies for SaaS apps
security Mdo Data Retention https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-data-retention.md
f1.keywords:
Previously updated : Last updated : 09/14/2022 audience: ITPro ms.localizationpriority: medium - M365-security-compliance description: Microsoft Defender for Office 365 data retention informationThreat Explorer/ Real-Time detections
+search.appverid: met150
# Data retention information for Microsoft Defender for Office 365
security Mdo Email Entity Page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
ms.localizationpriority: medium - M365-security-compliance - m365initiative-defender-office365 description: Microsoft Defender for Office 365 E5 and P1 and P2 customers can now get a 360-degree view of each email with email entity page.
+search.appverid: met150
+ # The Email entity page [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
Users will see enriched detonation details for known malicious attachments or UR
1. *Detonation Summary* gives a basic summary for detonation such as *analysis time*, the time when detonation occurred, OS and application, the operating system and application in which the detonation occurred, file size, and verdict reason. 1. *Screenshots* show the screenshots captured during detonation. There can be multiple screenshots during detonation. No screenshots are captured for - Container type files like .zip or .rar.
- - If a URL opens into a link that directly downloads a file. However, you will see the downloaded file in the detonation chain.
+ - If a URL opens into a link that directly downloads a file. However, you'll see the downloaded file in the detonation chain.
1. *Behavior Details* are an export that shows behavior details like exact events that took place during detonation, and observables that contain URLs, IPs, domains, and files that were found during detonation (and can either be problematic or benign). Be aware, there may be no behavior details for: - Container files like .zip or .rar that are holding other files.
Users will see enriched detonation details for known malicious attachments or UR
*Tags*: These are tags applied to users. If the user is a recipient, admins will see a *recipient* tag. Likewise, if the user is a sender, a *sender* tag. This will appear in the left side of the email entities page (in the part that's described as *sticky* and, thus, anchored to the page).
-*Latest delivery location*: The latest delivery location is the location where an email landed after system actions like ZAP, or admin actions like Move to Deleted Items, finish. Latest delivery location is not intended to inform admins of the message's *current* location. For example, if a user deletes a message, or moves it to archive, the delivery location won't be updated. However, if a system action has taken place and updated the location (like a ZAP resulting in an email moving to quarantine) this would update the Latest delivery location to quarantine.
+*Latest delivery location*: The latest delivery location is the location where an email landed after system actions like ZAP, or admin actions like Move to Deleted Items, finish. Latest delivery location isn't intended to inform admins of the message's *current* location. For example, if a user deletes a message, or moves it to archive, the delivery location won't be updated. However, if a system action has taken place and updated the location (like a ZAP resulting in an email moving to quarantine) this would update the Latest delivery location to quarantine.
*Email details*: Details required for a deeper understanding of email available in the *Analysis* tab.
Users will see enriched detonation details for known malicious attachments or UR
- *Primary Override: Source*: Primary override and source refer to the tenant or user setting which impacted the delivery of the email, overriding the delivery location given by the system (as per the threat and detection technology). As an example, this could be an email blocked due to a tenant configured transport rule or an email allowed due to an end-user setting for Safe Senders. -- *All Overrides*: All Overrides refer to the list of overrides (tenant or user settings) that was applied on the email, which may or may not have impacted the delivery of an email. As an example, if a tenant configured transport rule, as well as a tenant configured policy setting (for example, from the Tenant Allow Block list), is applied to an email, then both will be listed in this field. You can check the primary override field to determine the setting that impacted the delivery of the email.
+- *All Overrides*: All Overrides refer to the list of overrides (tenant or user settings) that was applied on the email, which may or may not have impacted the delivery of an email. As an example, if a tenant configured transport rule, as well as a tenant configured policy setting (for example, from the Tenant Allow Block lists), is applied to an email, then both will be listed in this field. You can check the primary override field to determine the setting that impacted the delivery of the email.
- *Bulk Complaint Level (BCL)*: The bulk complaint level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (the natural result if the email is likely to be spam).
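Review bot: the added *All Overrides* line now spells the feature "Tenant Allow Block lists", which does not match the "Tenant Allow/Block List" name used in the Safe Links policy article changed in this same batch. Pick one form, preferably the linked product name with the slash, and use it in both articles so readers searching for the feature find both places.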
Users will see enriched detonation details for known malicious attachments or UR
- *Client type*: Indicates the Client type from which the email was sent like REST. -- *Forwarding*: For scenarios with autoforwaridng, it indicates the forwarding user as well as the forwarding type like ETR or SMTP forwarding.
+- *Forwarding*: For scenarios with autoforwarding, it indicates the forwarding user as well as the forwarding type like ETR or SMTP forwarding.
- *Distribution list*: Shows the distribution list, if the recipient received the email as a member of the list. It shows the top level distribution list if there are nested distribution lists involved. -- *To, Cc*: Indicates the addresses which are listed in To, Cc fields of an email. The information in these fields is restricted to 5000 characters.
+- *To, Cc*: Indicates the addresses that are listed in To, Cc fields of an email. The information in these fields is restricted to 5000 characters.
- *Domain Name*: Is the sender domain name.
Users will see enriched detonation details for known malicious attachments or UR
- DomainKeys Identified Mail (**DKIM**): - Pass: Indicates the DKIM check for the message passed. - Fail (reason): Indicates the DKIM check for the message failed and why. For example, if the message was not signed or the signature was not verified.
- - None: Indicates that the message was not signed. This may or may not indicate that the domain has a DKIM record or the DKIM record does not evaluate to a result, only that this message was not signed.
+ - None: Indicates that the message wasn't signed. This may or may not indicate that the domain has a DKIM record or the DKIM record doesn't evaluate to a result, only that this message was not signed.
- Domain-based Message Authentication, Reporting, and Conformance (**DMARC**): - Pass: Indicates the DMARC check for the message passed.
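Review bot: the contraction pass on the DKIM *None* line is incomplete. The added line opens with "the message wasn't signed" and "doesn't evaluate" but still ends with "only that this message was not signed", and the unchanged *Fail (reason)* line just above keeps "was not signed or the signature was not verified". Apply the same style to the whole DKIM block in one change, or leave it untouched, so the three result descriptions read consistently.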
Users will see enriched detonation details for known malicious attachments or UR
*Composite Authentication*: This is a value used by Microsoft 365 to combine email authentication like SPF, DKIM, and DMARC, to determine if the message is authentic. It uses the *From:* domain of the mail as the basis of evaluation. ## Actions into Email entity Page
-Security teams can now take email actions like soft delete and hard delete, move to junk, move to inbox, trigger an investigation, submit to Microsoft for review in line, and et cetera. **Tenant level block** actions like file and URL or sender can also be trigged from Email entity page.
+Security teams can now take email actions like soft delete and hard delete, move to junk, move to inbox, trigger an investigation, submit to Microsoft for review in line, and et cetera. **Tenant level block** actions like file and URL or sender can also be triggered from the Email entity page.
-You will be able to click on **Take actions** from the top right corner of the entity page and this will open the Action wizard for you to select the specific action you need.
+You will be able to select **Take actions** from the top right corner of the entity page and this will open the Action wizard for you to select the specific action you need.
![Take action from entity page.](../../media/Take-ActionWizard-Email-entity.png) In the Action wizard you can take email actions, email submissions, block sender and sender domain, investigative actions and two step approval (add to remediation) in the same side pane. This follows a consistent flow for ease of use. The Action wizard uses the same system as is used by Explorer actions (for Delete, Submissions, and Investigation actions), for example. You will be able to see and track these actions in the
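Review bot: the added "Security teams can now take email actions" line still ends its list with "and et cetera", which is redundant, and "submit to Microsoft for review in line" leaves it unclear what "in line" modifies. Since the line is already being touched to fix "trigged", end the list with "and more" and state plainly that these actions can be taken from the entity page. The added "You will be able to select **Take actions** ... for you to select the specific action" line also repeats "select" twice after the click-to-select replacement; "choose the specific action you need" would read better.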
See [permissions](permissions-microsoft-365-security-center.md) required to take
### Email summary panel
-The email summary panel is a summarized view of the full email entity page. It contains standardized details about the email (e.g., detections), as well as context-specific information (e.g., for Quarantine or Submissions metadata). The email summary panel replaces the traditional Real-time Detections, Threat Explorer, Submissions, and Reporting flyouts.
+The email summary panel is a summarized view of the full email entity page. It contains standardized details about the email (for example, detections), as well as context-specific information (for example, for Quarantine or Submissions metadata). The email summary panel replaces the traditional Real-time Detections, Threat Explorer, Submissions, and Reporting flyouts.
> [!div class="mx-imgBorder"] > ![Open the email entity link.](../../medio.png)
The email summary panel is divided into the following sections:
- *Email details*: Contains information about email properties like sender name, sender address, time received, authentication details, and other several other details. -- *URLs*: By default, you will see 3 URLs and their corresponding threats. You can always click **View all URLs** to expand and see all URLs and export them.
+- *URLs*: By default, you will see 3 URLs and their corresponding threats. You can always select **View all URLs** to expand and see all URLs and export them.
-- *Attachments*: By default, you will see 3 attachments. You can always click **View all attachments** to expand and see all attachments.
+- *Attachments*: By default, you will see 3 attachments. You can always select **View all attachments** to expand and see all attachments.
-In addition to the above sections, you will also see sections specific to few experiences which are integrated with the summary panel:
+In addition to the above sections, you will also see sections specific to few experiences that are integrated with the summary panel:
- Submissions:
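Review bot: the last added line in this hunk reads "sections specific to few experiences that are integrated with the summary panel", which is missing an article; it should be "specific to a few experiences". The added *URLs* and *Attachments* lines also keep "you will see" while the detonation change earlier in this article switches to "you'll", so the contraction style is applied unevenly within the same file. The unchanged *Email details* line has the doubled wording "and other several other details", which is worth fixing in the same pass.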
security Message Trace Scc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-trace-scc.md
description: Admins can use the message trace link in the Microsoft 365 Defender portal to find out what happened to messages.
+search.appverid: met150
# Message trace in the Microsoft 365 Defender portal
security Mfi Auto Forwarded Messages Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report.md
description: Admins can learn about the Auto-forwarded messages report in the Ma
+search.appverid: met150
# Auto-forwarded messages insight in the Security & Compliance Center
security Mfi Domain Mail Flow Status Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-domain-mail-flow-status-insight.md
description: Admins can learn how to use the Top domain mail flow status insight in the Mail flow dashboard in the Security & Compliance Center to troubleshoot mail flow issues related to their MX records.
+search.appverid: met150
# Top domain mail flow status insight in the Security & Compliance Center
security Mfi Mail Flow Map Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-mail-flow-map-report.md
description: Admins can learn how to use the Mail flow map in the Mail flow dashboard in the Security & Compliance Center to visualize and track how mail flows to and from their organization over connectors and without using connectors.
+search.appverid: met150
# Mail flow map in the Security & Compliance Center
security Mfi Mail Loop Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-mail-loop-insight.md
description: Admins can learn how to use the Fix possible mail loop insight in the Mail flow dashboard in the Security & Compliance Center to identify and fix mail loops in their organization.
+search.appverid: met150
# Fix possible mail loop insight in the Security & Compliance Center
security Mfi New Domains Being Forwarded Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-new-domains-being-forwarded-email.md
description: Admins can learn how to use the New domains being forwarded email i
+search.appverid: met150
# New domains being forwarded email insight in the Security & Compliance Center
security Mfi New Users Forwarding Email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-new-users-forwarding-email.md
description: Admins can learn how to use the New users forwarding email insight
+search.appverid: met150
# New users forwarding email insight in the Security & Compliance Center
security Mfi Non Accepted Domain Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-non-accepted-domain-report.md
description: Admins can learn how to use the Non-accepted domain report in the Mail flow dashboard in the Security & Compliance Center to monitor messages from your on-premises organization where the sender's domain isn't configured in Microsoft 365.
+search.appverid: met150
# Non-accepted domain report in the Security & Compliance Center
security Mfi Non Delivery Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-non-delivery-report.md
description: Admins can learn how to use the Non-delivery details report in the Mail flow dashboard in the Security & Compliance Center to monitor the most frequently encountered error codes in non-delivery reports (also known as NDRs or bounce messages) from senders in your organization.
+search.appverid: met150
# Non-delivery report in the Security & Compliance Center
security Mfi Outbound And Inbound Mail Flow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-outbound-and-inbound-mail-flow.md
ms.assetid: f2738dec-41b0-43c4-b814-84c0a4e45c6d
description: Admins can learn about the Outbound and inbound mail flow insight in the Mail flow dashboard in the Security & Compliance Center.
+search.appverid: met150
# Outbound and inbound mail flow insight in the Security & Compliance Center
security Mfi Queue Alerts And Queues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues.md
description: Admins can learn how to use the Queues widget in the Mail flow dash
+search.appverid: met150
# Queues insight in the Security & Compliance Center
security Mfi Slow Mail Flow Rules Insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-slow-mail-flow-rules-insight.md
description: Admins can learn how to use the Fix slow mail flow rules insight in the Security & Compliance Center to identify and fix inefficient or broken mail flow rules (also known as transport rules) in their organization.
+search.appverid: met150
# Fix slow mail flow rules insight in the Security & Compliance Center
security Mfi Smtp Auth Clients Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-smtp-auth-clients-report.md
description: Admins can learn how to use the SMTP Auth insight and report in the Mail flow dashboard in the Security & Compliance Center to monitor email senders in their organization that use authenticated SMTP (SMTP AUTH) to send email messages.
+search.appverid: met150
# SMTP Auth clients insight and report in the Security & Compliance Center
security Microsoft 365 Continuous Access Evaluation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-continuous-access-evaluation.md
- m365solution-scenario - highpri
+search.appverid: met150
+ # Continuous access evaluation for Microsoft 365 Modern cloud services that use OAuth 2.0 for authentication traditionally rely on access token expiration to revoke a user account's access. In practice, this means even if an administrator revokes a user account's access, the user will still have access until the access token expires, which for Microsoft 365 by default, used to be up to an hour after the initial revocation event took place.
security Microsoft 365 Policies Configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
- zerotrust-solution - highpri
+search.appverid: met150
+ # Zero Trust identity and device access configurations Security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to an organization's technology resources and services are no longer sufficient for a workforce that regularly requires access to applications and resources that exist beyond traditional corporate network boundaries.
security Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
description: Admins can learn how to apply Standard and Strict policy settings across the protection features of Exchange Online Protection (EOP) and Microsoft Defender for Office 365
+search.appverid: met150
# Preset security policies in EOP and Microsoft Defender for Office 365
security Protection Stack Microsoft Defender For Office365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protection-stack-microsoft-defender-for-office365.md
description: Follow the path of an incoming message through the threat filtering
+search.appverid: met150
+ # Step-by-step threat protection in Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)]
security Real Time Detections https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/real-time-detections.md
- seo-marvel-apr2020
+search.appverid: met150
# Explorer and Real-time detections
security Remove Blocked Connectors https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/remove-blocked-connectors.md
description: Learn how to remove blocked connectors in Microsoft 365 Defender.
+search.appverid: met150
# Remove blocked connectors from the Restricted entities portal
security Report False Positives And False Negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/report-false-positives-and-false-negatives.md
description: Learn how to report false positives and false negatives in Outlook using the Report Message feature.
+search.appverid: met150
# Report false positives and false negatives in Outlook
security Reporting And Message Trace In Exchange Online Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reporting-and-message-trace-in-exchange-online-protection.md
description: In this article, you'll learn about reports and troubleshooting tools available to Microsoft Exchange Online Protection (EOP) admins.
+search.appverid: met150
# Reporting and message trace in EOP
security Respond Compromised Connector https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/respond-compromised-connector.md
description: Learn how to recognize and respond to a compromised connector in Microsoft 365.
+search.appverid: met150
# Respond to a compromised connector
security Secure Email Recommended Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/secure-email-recommended-policies.md
- zerotrust-solution - highpri
+search.appverid: met150
# Policy recommendations for securing email
security Set Up Anti Phishing Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-anti-phishing-policies.md
description: Admins can learn about the anti-phishing policies that are available in Exchange Online Protection (EOP) and Microsoft Defender for Office 365.
+search.appverid: met150
# Anti-phishing policies in Microsoft 365
security Set Up Safe Links Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-safe-links-policies.md
Creating a custom Safe Links policy in the Microsoft 365 Defender portal creates
- **Do not rewrite the following URLs in email** section: Click **Manage (nn) URLs** to allow access to specific URLs that would otherwise be blocked by Safe Links. > [!NOTE]
- > Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [URL allow entries in the Tenant Allow/Block List](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-in-the-submissions-portal) so URLs are not scanned or wrapped by Safe Links during mail flow _and_ at time of click.
+ > Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [URL allow entries in the Tenant Allow/Block List](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-in-the-submissions-portal) to override the Safe Links URL verdict.
1. In the **Manage URLs to not rewrite** flyout that appears, click ![Add URLs icon.](../../media/m365-cc-sc-create-icon.png) **Add URLs**. 2. In the **Add URLs** flyout that appears, type the URL or value that you want, select the entry that appears below the box, and then click **Save**. Repeat this step as many times as necessary.
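Review bot: the rewritten note drops the one detail that distinguished the two mechanisms. The removed line said that Tenant Allow/Block List allow entries keep URLs from being scanned or wrapped "during mail flow _and_ at time of click"; the added line says only "to override the Safe Links URL verdict", so an admin can no longer tell from this note whether the "Do not rewrite" list has any effect at time of click. If the behaviour changed, say so explicitly; if it did not, keep a short statement of when each list applies so URLs are not added to the wrong one.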
security Sharepoint File Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/sharepoint-file-access-policies.md
- zerotrust-solution - highpri
+search.appverid: met150
# Policy recommendations for securing SharePoint sites and files
security Siem Server Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-server-integration.md
description: Get an overview of Security Information and Event Management (SIEM) server integration with your Microsoft 365 cloud services and applications
+search.appverid: met150
# Security Information and Event Management (SIEM) server integration with Microsoft 365 services and applications
security Assess The Impact Of Security Configuration Changes With Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/assess-the-impact-of-security-configuration-changes-with-explorer.md
Title: Assess the impact of security configuration changes with Explorer description: Examples and walkthrough of using Explorer to determine the impact of a security control (configuration) change in Microsoft Defender for Office 365 search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Assess the impact of security configuration changes with Explorer
security Connect Microsoft Defender For Office 365 To Microsoft Sentinel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/connect-microsoft-defender-for-office-365-to-microsoft-sentinel.md
Title: Connect Microsoft Defender for Office 365 to Microsoft Sentinel description: The steps to connect Microsoft Defender for Office 365 to Sentinel. Add your Microsoft Defender for Office 365 data (*and* data from the rest of the Microsoft 365 Defender suite), including incidents, to Microsoft Sentinel for a single pane of glass into your security. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Connect Microsoft Defender for Office 365 to Microsoft Sentinel
security Defense In Depth Guide https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/defense-in-depth-guide.md
Title: Getting started with defense in-depth configuration for email security description: Step-by-step configuration guidance on how to get security value from Microsoft Defender for Office 365 when you have third party email filtering. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Getting the best security value from Microsoft Defender for Office 365 when you have third party email filtering
security Deploy And Configure The Report Message Add In https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/deploy-and-configure-the-report-message-add-in.md
Title: How-to deploy and configure the report message add-in description: The steps to deploy and configure Microsoft's phish reporting add-in(s) aimed at security administrators. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Deploy and configure the report message add-in to users.
security Ensuring You Always Have The Optimal Security Controls With Preset Security Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md
Title: Steps to quickly set up the Standard or Strict preset security policies for Microsoft Defender for Office 365 description: Step to setup preset security policies in Microsoft Defender for Office 365 so you have the security recommended by the product. Preset policies set a security profile of either *Standard* or *Strict*. Set these and Microsoft Defender for Office 365 will manage and maintain these security controls for you. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Set up steps for the Standard or Strict preset security policies in Microsoft Defender for Office 365
security How To Configure Quarantine Permissions With Quarantine Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-configure-quarantine-permissions-with-quarantine-policies.md
Title: How to configure quarantine permissions and policies description: The steps to configure quarantine policies and permissions across different groups, including AdminOnlyPolicy, limited access, full access, and providing security admins and users with a simple way to manage false positive folders. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# How to configure quarantine permissions and policies
security How To Enable Dmarc Reporting For Microsoft Online Email Routing Address Moera And Parked Domains https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains.md
Title: How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains description: The steps to configure DMARC for MOERA and parked domains. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains
security How To Handle False Negatives In Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-negatives-in-microsoft-defender-for-office-365.md
Title: (False Negatives) How to handle malicious emails that are delivered to recipients using Microsoft Defender for Office 365 description: The steps to handle malicious emails coming through to end users and inboxes (as False Negatives) with Microsoft Defender for Office 365 in order to prevent loss of business. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# How to handle malicious emails that are delivered to recipients (False Negatives), using Microsoft Defender for Office 365
security How To Handle False Positives In Microsoft Defender For Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-handle-false-positives-in-microsoft-defender-for-office-365.md
Title: (False Positives) How to handle legitimate emails getting blocked from delivery using Microsoft Defender for Office 365 description: The steps to handle legitimate email getting blocked(False Positive) by Microsoft Defender for Office 365 in order to prevent lose of business. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# How to handle Legitimate emails getting blocked (False Positive), using Microsoft Defender for Office 365
security How To Prioritize And Manage Automated Investigations And Response Air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-prioritize-and-manage-automated-investigations-and-response-air.md
Title: How to prioritize and manage Automated Investigations and Response (AIR). description: How to steps to analyze and approve AIR actions directly from the Action Center. When alerts are triggered, Automated Investigation and Response (AIR) determines the scope of impact of a threat in your organization and provided recommended remediation actions. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Prioritize and manage Automated Investigations and Response (AIR)
security How To Prioritize Manage Investigate And Respond To Incidents In Microsoft 365 Defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-prioritize-manage-investigate-and-respond-to-incidents-in-microsoft-365-defender.md
Title: How to prioritize, Manage, Investigate & Respond to Incidents in Microsoft 365 Defender description: The steps to manage alerts triggered in Microsoft 365 Defender. Automated investigation and response (AIR) hunt across the subscription and determines the impact and scope of a threat, and combines the information into a single Incident. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Prioritize, Manage, Investigate & Respond to Incidents in Microsoft 365 Defender
security How To Run Attack Simulations For Your Team https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-run-attack-simulations-for-your-team.md
Title: How to run attack simulations for your team description: The steps to send an Attack Simulation payload to your target users for your team or organization for training. Simulated attacks can help you identify and find vulnerable users, policies and practices before a real attack impacts your organization. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# How to run attack simulations for your team
security How To Setup Attack Simulation Training For Automated Attacks And Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/how-to-setup-attack-simulation-training-for-automated-attacks-and-training.md
Title: How to setup automated attacks and training within Attack simulation training description: The steps to automate Attack Simulation training and send a payload to target users. By following this guide, you will learn to create automated attack flows with specific techniques and payloads. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# How to setup automated attacks and training within Attack simulation training
security Optimize And Correct Security Policies With Configuration Analyzer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/optimize-and-correct-security-policies-with-configuration-analyzer.md
Title: Optimize and correct security policies with configuration analyzer description: The steps to optimize and correct security policies with configuration analyzer. Configuration analyzer is a central location and single pane of glass for administering and viewing the email security policies you have configured in your tenant. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
+ # Optimize and correct security policies with configuration analyzer Configuration analyzer is a central location and single pane of glass for administering and viewing the email security policies you have configured in your tenant. You can perform a side-to-side comparison of your settings to our Standard and Strict recommended settings, apply recommendations and view historical changes that affected your posture.
security Protect Your C Suite With Priority Account Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/protect-your-c-suite-with-priority-account-protection.md
Title: Protect your c-suite with Priority account protection in Microsoft Defender for Office 365 Plan 2 description: The steps to protect your c-suite with priority account protection. Tagging an account as a Priority account will enable the additional protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
+ # Protect your c-suite with priority account protection Priority account protection helps IT and security teams ensure a high quality of service and protection for the critical people within your organization. Tagging an account as a priority account will enable the additional protection tuned for the mail flow patterns targeting company executives, along with extra visibility in reports, alerts, and investigations.
security Search For Emails And Remediate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/search-for-emails-and-remediate-threats.md
Title: Search for emails and remediate threats using Threat Explorer in Microsoft 365 Defender description: The steps to do manual remediation in Threat Explorer in Microsoft 365 Defender, including how to get the best performance and scenarios that call for remediation. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Steps to use manual email remediation in Threat Explorer
security Stay Informed With Message Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/stay-informed-with-message-center.md
Title: Steps to set up a weekly digest email of message center changes for Microsoft Defender for Office 365 description: The steps to setup a weekly digest email of message center activity to stay up-to-date about changes to Microsoft Defender for Office 365. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Set up a digest notification of changes to Microsoft Defender for Office 365 using the message center
security Step By Step Guide Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/step-by-step-guide-overview.md
Title: Microsoft Defender for Office 365 step-by-step guides and how to use them description: What are the step-by-step-guides for Microsoft 365 Defender for Office 365? See *only the steps needed to complete a task* and set up features. Information for use in trial subscriptions and production. Guidance designed to minimise information overload and speed up your configuration and use. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Welcome to the Microsoft Defender for Office 365 step-by-step guides
security Track And Respond To Emerging Threats With Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/track-and-respond-to-emerging-threats-with-campaigns.md
Title: Track and respond to emerging security threats with campaigns view in Microsoft Defender for Office 365 description: Walkthrough of threat campaigns within Microsoft Defender for Office 365 to demonstrate how they can be used to investigate a coordinated email attack against your organization. search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Track and respond to emerging threats with campaigns in Microsoft Defender for Office 365
security Utilize Microsoft Defender For Office 365 In Sharepoint Online https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online.md
Title: Use Microsoft Defender for Office 365 in SharePoint Online description: The steps to ensure that you can use, and get the value from, Microsoft Defender for Office 365 in SharePoint Online and OneDrive for Business search.product: ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library
audience: ITPro
ms.technology: mdo
+search.appverid: met150
# Use Microsoft Defender for Office 365 with SharePoint Online
security Teams Access Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/teams-access-policies.md
- m365solution-scenario - zerotrust-solution
+search.appverid: met150
# Policy recommendations for securing Teams chats, groups, and files
security Threat Explorer Views https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-views.md
audience: ITPro
ms.localizationpriority: medium - M365-security-compliance - m365initiative-defender-office365
description: Learn about how to use Threat Explorer and the real-time detections
+search.appverid: met150
# Views in Threat Explorer and real-time detections
security Threat Hunting In Threat Explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-hunting-in-threat-explorer.md
- seo-marvel-apr2020
+search.appverid: met150
# Threat hunting in Threat Explorer for Microsoft Defender for Office 365
solutions Allow Members To Send As Or Send On Behalf Of Group https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/allow-members-to-send-as-or-send-on-behalf-of-group.md
audience: Admin -+ ms.localizationpriority: medium - M365-subscription-management
solutions Choose Domain To Create Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/choose-domain-to-create-groups.md
audience: Admin -+ ms.localizationpriority: medium - M365-subscription-management
solutions Contoso Remote Onsite Work https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/contoso-remote-onsite-work.md
audience: ITPro -++ ms.localizationpriority: medium - M365-subscription-management
solutions Groups Naming Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-naming-policy.md
audience: Admin -++ ms.localizationpriority: medium - M365-subscription-management
solutions Manage Creation Of Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/manage-creation-of-groups.md
audience: Admin -++ ms.localizationpriority: medium - M365-subscription-management
solutions Microsoft 365 Groups Expiration Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/microsoft-365-groups-expiration-policy.md
audience: Admin -++ ms.localizationpriority: medium - M365-subscription-management
whiteboard Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/whiteboard/index.md
The resources in this section help the admin in your organization to set up and
| If you're looking for this information | Go to this resource | |:--|:--|
+|Learn how to set up and manage access to Whiteboard for US Government GCC environments|[Manage access to Whiteboard - GCC](manage-whiteboard-access-gcc.md)|
+|Find where your Whiteboard content and data are stored in Azure and OneDrive for Business in US Government GCC environments |[Manage data for Whiteboard - GCC](manage-data-gcc.md) |
+|Learn about the sharing experience in Teams and how to share links to specific users in US Government GCC environments |[Manage sharing for Whiteboard - GCC](manage-sharing-gcc.md) |
+|Learn which clients are currently supported for Whiteboard in US Government GCC environments |[Manage clients for Whiteboard - GCC](manage-clients-gcc.md) |
|Learn how to set up and manage access to Whiteboard for US Government GCC High environments|[Manage access to Whiteboard - GCC High](manage-whiteboard-access-gcc-high.md)| |Find where your Whiteboard content and data are stored in Azure and OneDrive for Business in US Government GCC High environments |[Manage data for Whiteboard - GCC High](manage-data-gcc-high.md) | |Learn about the sharing experience in Teams and how to share links to specific users in US Government GCC High environments |[Manage sharing for Whiteboard - GCC High](manage-sharing-gcc-high.md) |
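Review bot: the four added GCC rows link to relative targets (manage-whiteboard-access-gcc.md, manage-data-gcc.md, manage-sharing-gcc.md, manage-clients-gcc.md) that this hunk does not show being created. Confirm those pages land in the same change so the index does not ship with broken links. The first added row also closes its cells without the space before `|` that the other three use, so align the cell spacing for a consistent table source.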
The resources in this section help the admin in your organization to set up and
| If you're looking for this information | Go to this resource | |:--|:--|
-|Find PowerShell cmdlet help references to manage Microsoft Whiteboard|[PowerShell for Whiteboard](/powershell/module/whiteboard/)|
---
+|Find PowerShell cmdlet help references to manage Microsoft Whiteboard|[PowerShell for Whiteboard](/powershell/module/whiteboard/)|
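Review bot: the removed and re-added PowerShell row read identically here, so this part of the change appears to be whitespace or end-of-file only. Say so in the commit message if it is intentional. Also check that the `---` line between the two rows does not end up in the rendered table, where it would split the last row off from the rest.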