-This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, Whois, SSL Certificates, Subdomains, Hashes, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details.

-## Hashes

-Microsoft partners with Proofpoint to surface MD5 [malware](/microsoft-365/security/intelligence/malware-naming) hashes associated with the domain, host, or IP address a user search. Users are encouraged to purchase an Emerging Threats license by Proofpoint if they wish to analyze MD5 hash details. This data helps users understand actor capabilities, intent, and motives of an attacker while also aiding in connecting infrastructure together. Each result contains a unique hash.

-Our hash data includes the following:

-

-**Questions this data set may help answer:**

- 

- 

-5. Review the Summary tab results that return: reputation, analyst insights, articles, services, resolutions, certificates, projects, and hashes.

-8. Navigate to the Data tab and review the resolutions, Whois, certificates, subdomains, trackers, components, hashes, cookies, DNS, and reverse DNS data sets.

-### Hashes

-Microsoft partners with several commercial and open-source repositories of malware data to pair it with queried infrastructure to populate the Hash data set. Malware repositories today include ProofpointΓÇÖs Emerging Threats, Hybrid Analysis, and VirusTotal. This data helps users understand actor capabilities, intent, and motives of an attacker while also aiding in connecting infrastructure together. Each result contains a unique hash. Our hash data includes the detection source, sample, and collection date.

-

-### Hashes

-Microsoft partners with several commercial and open-source repositories of malware data to pair it with queried infrastructure to populate the Hash data set. Malware repositories today include ProofpointΓÇÖs Emerging Threats, Hybrid Analysis, and VirusTotal. This data helps users understand actor capabilities, intent, and motives of an attacker while also aiding in connecting infrastructure together. Each result contains a unique hash.

-Our hash data includes the following:

-1. **Source:** the source used to detect the hash.

-2. **Sample:** the unique identification code for the detected hash.

-3. **Collection Date:** the day that the hash sample was collected by the designated source.

-

-The following headers are exported as a result of downloading Hashes data:

-|   |   |

-|--|-|

-| **source** | The source who observed the MD5 hash sample |

-| **sample** | The MD5 hash |

-| **collection date** | The collection date captured by the source |

-| **type** | Type of indicator (e.g. ip, certificate, domain, hash_sha256) |

-The public indicators section of the screen shows the previously published indicators related to the article. The links in the public indicators take one to the underlying Defender TI data or relevant external sources (e.g., VirusTotal for hashes).

-This internet data is categorized into two distinct groups: traditional and advanced. Traditional data sets include Resolutions, WHOIS, SSL Certificates, Subdomains, Hashes, DNS, Reverse DNS, and Services. Advanced data sets include Trackers, Components, Host Pairs, and Cookies. Trackers, Components, Host Pairs, and Cookies data sets are collected from observing the Document Object Model (DOM) of web pages crawled. Additionally, Components and Trackers are also observed from detection rules that are triggered based on the banner responses from port scans or SSL Certificate details. Many of these data sets have various methods to sort, filter, and download data, making it easier to access information that may be associated with a specific artifact type or time in history.

-description: "Learn the top 10 ways to protect your business, including ransomware, phishing, and malicious attachments."

-# Top 10 ways to secure your data - Best practices for small and medium-sized businesses

-Microsoft 365 for business plans include security capabilities, such as antiphishing, antispam, and antimalware protection. Microsoft 365 Business Premium includes more capabilities, such as device management, advanced threat protection, and information protection. This article describes steps you can take to secure your business data, and [compares capabilities across Microsoft 365 for business plans](#comparing-microsoft-365-for-business-plans).

-Microsoft 365 for business plans include Microsoft Exchange, Microsoft Teams, SharePoint, and OneDrive for secure email, collaboration, and file storage. These plans also include antiphishing, antimalware, and antispam protection. With Microsoft 365 Business Premium, you get more capabilities, such as device management, advanced threat protection, and information protection.

-(<a id="fn2">2</a>) Microsoft Intune is included with certain Microsoft 365 plans. Basic Mobility and Security capabilities are part of the Microsoft 365 Business Basic and Standard. [Choose between Basic Mobility and Security or Intune](../basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md).

-(<a id="fn3">3</a>) Defender for Business is included in Microsoft 365 Business Premium. It can also be purchased as an add-on for Microsoft 365 Business Basic or Microsoft 365 Business Standard. See [Get Defender for Business](/microsoft-365/security/defender-business/get-defender-business).

-(<a id="fn4">4</a>) Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium. It can also be purchased as an add-on for Microsoft 365 Business Basic or Microsoft 365 Business Standard. See [Defender for Office 365 Plan 1 and Plan 2](../../security/office-365-security/overview.md#microsoft-defender-for-office-365-plan-1-vs-plan-2-cheat-sheet).

-description: "Learn to create an Autopilot profile and apply it to a device, and edit or delete a profile or remove a profile from a device."

-# Create and edit Autopilot profiles

-You can apply a [Windows Autopilot deployment profile](/mem/autopilot/profiles) to devices that are in a [device group](m365bp-device-groups-mdb.md). Deployment profiles determine the Windows deployment and enrollment experience that users will have.

-## Create a profile

-A profile applies to a device, or a group of devices,

-

-1. In the Microsoft 365 admin center, choose **Devices** \> **Autopilot**.

-

-2. On the **Autopilot** page, choose the **Profiles** tab \> **Create profile**.

-3. On the **Create profile** page, enter a name for the profile that helps you identify it, for example Marketing. Turn on the setting you want, and then choose **Save**. For more information about Autopilot profile settings, see [About Autopilot Profile settings](m365bp-Autopilot-profile-settings.md).

- 

-

-### Apply profile to a device

-After you create a profile, you can apply it to a device or a group of devices. You can pick an existing profile in the [step-by-step guide](m365bp-add-Autopilot-devices-and-profile.md) and apply it to new devices, or replace an existing profile for a device or group of devices.

-

-1. On the **Prepare Windows** page, choose the **Devices** tab.

-2. Select the check box next to a device name, and in the **Device** panel, choose a profile from the **Assigned profile** drop-down list \> **Save**.

- 

-

-## Edit, delete, or remove a profile

-Once you've assigned a profile to a device, you can update it, even if you've already given the device to a user. When the device connects to the internet, it downloads the latest version of your profile during the setup process. If the user restores their device to its factory default settings, the device will again download the latest updates to your profile.

-

-### Edit a profile

-1. On the **Prepare Windows** page, choose the **Profiles** tab.

-2. Select the check box next to a device name, and in the **Profile** panel, update any of the available settings \> **Save**.

- If you do this task before a user connects the device to the internet, then the profile gets applied to the setup process.

-### Delete a profile

-1. On the **Prepare Windows** page, choose the **Profiles** tab.

-2. Select the check box next to a device name, and in the **Profile** panel, select **Delete profile** \> **Save**.

- When you delete a profile, it gets removed from a device or a group of devices it was assigned to.

-### Remove a profile

-1. On the **Prepare Windows** page, choose the **Devices** tab.

-2. Select the check box next to a device name, and in the **Device** panel, choose **None** from the **Assigned profile** drop-down list \> **Save**.

-## See also

-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)

-description: "Learn how to use Windows Autopilot to set up new Windows 10 devices for your business so they're ready for employee use."

-# Use this step-by-step guide to add Autopilot devices and profile

-You can use Windows Autopilot to set up **new** Windows 10 devices for your business so they're ready for use when you give them to your employees.

-

-## Device requirements

-Devices must meet these requirements:

-

-## Use the setup guide to add devices and profiles

-If you haven't created device groups or profiles yet, the best way to get started is by using the step-by-step guide. You can also [add Autopilot devices](m365bp-create-and-edit-Autopilot-devices.md) and [assign profiles](../admin/devices/create-and-edit-Autopilot-profiles.md) to them without using the guide.

-

-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.

-2. On the left navigation pane, choose **Devices** \> **Autopilot**.

- :::image type="content" source="../media/Autopilot.png" alt-text="In the Microsoft 365 admin center, choose devices and then Autopilot.":::

-

-3. On the **Autopilot** page, click or tap **Start guide**.

- :::image type="content" source="../media/31662655-d1e6-437d-87ea-c0dec5da56f7.png" alt-text="Click Start guide for step-by-step instructions for Autopilot":::

-

-4. On the **Upload .csv file with list of devices** page, browse to a location where you have the prepared .CSV file, then **Open** \> **Next**. The file must have three headers:

- - Column A: Device Serial Number

- - Column B: Windows Product ID

- - Column C: Hardware Hash

-You can get this information from your hardware vendor, or you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo) to generate a CSV file.

-For more information, see [Device list CSV-file](../admin/misc/device-list.md). You can also download a sample file on the **Upload .csv file with list of devices** page.

-> [!NOTE]

-> This script uses WMI to retrieve properties needed for a customer to register a device with Windows Autopilot. Note that it is normal for the resulting CSV file to not collect a Windows Product ID (PKID) value since this is not required to register a device and PKID being NULL in the output CSV is totally fine. Only the serial number and hardware hash will be populated.

-5. On the **Assign a profile** page, you can either pick an existing profile or create a new one. If you don't have one yet, you'll be prompted to create one.

- A profile is a collection of settings that can be applied to a single device or to a group of devices.

- The default features are required and are set automatically. The default features are:

- - Skip Cortana, OneDrive, and OEM registration.

- - Create sign-in experience with your company brand.

- - Connect your devices to Azure Active Directory accounts, and automatically enroll them to be managed by Microsoft 365 Business Premium.

- For more information, see [About Autopilot Profile settings](m365bp-Autopilot-profile-settings.md).

-6. The other settings are **Skip privacy settings** and **Don't allow user to become the local admin**. These are both set to **Off** by default.

- Choose **Next**.

-7. **You're done** indicates that the profile you created (or chose) will be applied to the device group you created by uploading the list of devices. The settings will be in effect when the device users sign in next. Choose **Close**.

-## Related content

-[About Autopilot Profile settings](../business-premium/m365bp-Autopilot-profile-settings.md) (article)\

-[Options for protecting your devices and app data](../admin/basic-mobility-security/choose-between-basic-mobility-and-security-and-intune.md) (article)\

-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)

-description: "Learn how to create, edit, or delete an app management policy, and protect work files on Android or iOS devices."

-# Set app protection settings for Android or iOS devices

-Check out [Microsoft 365 small business help](https://go.microsoft.com/fwlink/?linkid=2197659) on YouTube.

-This article applies to Microsoft 365 Business Premium.

-## Watch: Secure Office apps on iOS

-Check out this video and others on our [YouTube channel](https://go.microsoft.com/fwlink/?linkid=2197828).

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE1FLvZ?autoplay=false]

-You can set up a user access policy that requires mobile users to enter a PIN or fingerprint to sign in, and also encrypts work files stored on their devices.

-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">Microsoft 365 admin center</a>.

-2. Under **Policies**, choose **Add policy**.

-3. In the **Add policy** pane, enter a name under **Policy name**, and choose the policy type that you want under **Policy type**.

-4. Turn on **Protect work files when devices are lost or stolen**, and then make sure the following three settings are turned on:

-

- - **Force users to save all work files to OneDrive for Business**

-

- - **Encrypt work files**

-5. Turn on **Manage how users access Office files on Mobile devices** and ensure the settings are turned on or set for each item.

-6. Under **Files in these apps will be protected**, select the Office apps you want to protect on mobile devices.

-7. Under **Who will get these settings?**, all users are selected by default, but you can choose **Change** to select any security groups you've created.

-8. To finish creating the policy, choose **Add**.

-9. On the **Add policy** page, choose **Close**.

-10. On the admin center home page, confirm that your new policy was added by choosing **Policies** and reviewing your policy on the **Policies** page.

-## Create an app management policy

-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.

-2. In the left nav, choose **Devices** \> **Policies** \> **Add**.

-

-3. On the **Add policy** pane, enter a unique name for this policy.

-4. Under **Policy type**, choose **Application Management for Android** or **Application Management for iOS**, depending on which set of policies you want to create.

-5. Expand **Protect work files when devices are lost or stolen** and **Manage how users access Office files on mobile devices**. Configure the settings how you would like. **Manage how users access Office files on mobile devices** is **Off** by default, but we recommend that you turn it **On** and accept the default values. For more information, see [Available settings](#available-settings).

- You can always use the **Restore default settings** link to return to the default setting.

-

-6. Next decide **Who will get these settings?** If you don't want to use the default **All Users** security group, choose **Change**, choose the security groups that get these settings \> **Select**.

-7. Finally, choose **Done** to save the policy, and assign it to devices.

-## Edit an app management policy

-1. On the **Policies** card, choose **Edit policy**.

-2. On the **Edit policy** pane, choose the policy you want to change.

-3. Choose **Edit** next to each setting to change the values in the policy. When you change a value, it's automatically saved in the policy.

-4. When you're finished, close the **Edit policy** pane.

-## Delete an app management policy

-1. On the **Policies** page, choose a policy and then **Delete**.

-2. On the **Delete policy** pane, choose **Confirm** to delete the policy or policies you chose.

-## Available settings

-The following tables give detailed information about settings available to protect work files on devices and the settings that control how users access Office files from their mobile devices.

-

- For more information, see [How do protection features in Microsoft 365 Business Premium map to Intune settings](m365bp-map-protection-features-to-intune-settings.md).

-

-### Settings that protect work files

-The following settings are available to protect work files if a user's device is lost or stolen:

-|Setting |Description |

-|:--|:--|

-|Delete work files from an inactive device after this many days |If a device isn't used for the number of days that you specify here, any work files stored on the device will be deleted automatically. |

-|Force users to save all work files to OneDrive for Business |If this setting is **On**, the only available save location for work files is OneDrive for Business. |

-|Encrypt work files |Keep this setting **On** so that work files are protected by encryption. Even if the device is lost or stolen, no one can read your company data. |

-### Settings that control how users access Office files on mobile devices

-The following settings are available to manage how users access Office work files:

-|Setting |Description |

-|:--|:--|

-|Require a PIN or fingerprint to access Office apps |If this setting is **On** users must provide another form of authentication, in addition to their username and password, before they can use Office apps on their mobile devices.|

-|Reset PIN when login fails this many times |To prevent an unauthorized user from randomly guessing a PIN, the PIN will reset after the number of wrong entries that you specify. |

-|Require users to sign in again after Office apps have been idle for |This setting determines how long a user can be idle before they're prompted to sign in again. |

-|Deny access to work files on jailbroken or rooted devices |Clever users may have a device that is jailbroken or rooted. This means that the user can modify the operating system, which can make the device more subject to malware. These devices are blocked when this setting is **On**. |

-|Don't allow users to copy content from Office apps into personal apps |We do allow this by default, but if the setting is **On**, the user could copy information in a work file to a personal file. If the setting is **Off**, the user will be unable to copy information from a work account into a personal app or personal account. |

-## See also

-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)

-description: "Autopilot profiles help you control how Windows gets installed on user devices. The profiles contain default and optional settings like skip Cortana installation."

-# About Autopilot Profile settings

-## Autopilot profile settings

-You can use Autopilot profiles to control how Windows is installed on user devices. The profiles contain the following settings.

-

-## Autopilot default features (required) that are set automatically

-

-| Setting | Description |

-|:--|:--|

-|Skip Cortana, OneDrive, and OEM registration |Skips the installation of consumer apps like Cortana and personal OneDrive. The device user can install these later as long as the user is a local admin on the device. The original manufacturer registration is skipped because the device will be managed by Microsoft 365 Business Premium. |

-|Sign in experience with your company brand |If your company has a [Add your company branding to Microsoft 365 Sign In page](../admin/setup/customize-sign-in-page.md), the device user will get that experience when signing in. |

-|MDM auto-enrollment with configured AAD accounts. |The user identity will be managed by Azure Active Directory, and users will sign in to Windows and Microsoft 365 with their Microsoft 365 Business Premium credentials. |

-## Optional settings

-

-| Setting | Description |

-|:--|:--|

-|Skip privacy settings (Off by default) |If this option is set to **On**, the device user will not see the license agreement for the device and Windows when he or she first signs in. |

-|Don't allow the user to become the local admin |If this option is set to **On**, the device user will not be able to install any personal apps, such as Cortana.|

-## See also

-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)

-description: "Learn how to upload devices using Autopilot in Microsoft 365 Business Premium. You can assign a profile to a device or a group of devices."

-# Create and edit Autopilot devices

-## Upload a list of devices

-You can use the [Step-by-step guide](m365bp-add-Autopilot-devices-and-profile.md) to upload devices, but you can also upload devices in the **Devices** tab.

-

-Devices must meet these requirements:

-

-

-1. In the Microsoft 365 admin center, choose **Devices** \> **Autopilot**.

-

-2. On the **Autopilot** page, choose the **Devices** tab \> **Add devices**.

-

- 

-

-3. On the **Add devices** panel, browse to a [Device list CSV-file](../admin/misc/device-list.md) that you prepared \> **Save** \> **Close**.

-

- You can get this information from your hardware vendor, or you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo) to generate a CSV file.

-

-## Assign a profile to a device or a group of devices

-1. On the **Prepare Windows** page, choose the **Devices** tab, and select the check box next to one or more devices.

-

-2. On the **Device** panel, select a profile from the **Assigned profile** drop-down.

-

- If you don't have any profiles yet, see [Create and edit Autopilot profiles](../admin/devices/create-and-edit-Autopilot-profiles.md) for instructions.

-## See also

-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)

-description: "Learn how to enable Microsoft 365 to protect local Active-Directory-joined Windows 10 devices in just a few steps."

-# Manage Windows devices with Microsoft 365 Business Premium

-If your organization uses Windows Server Active Directory on-premises, you can set up Microsoft 365 Business Premium to protect your Windows devices, while still maintaining access to on-premises resources that require local authentication.

-To set this up, implement **Hybrid Azure AD joined devices**. These devices are joined to both your on-premises Active Directory and your Azure Active Directory.

-> [!NOTE]

-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. This offering provides additional security features for devices. [Learn more about Defender for Business](../security/defender-business/mdb-overview.md).

-## Watch: Configure Hybrid Azure Active Directory join

-This video describes the steps for how to set this up for the most common scenario, which is also detailed in the steps that follow.

-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE3C9hO]

-

-## Before you begin

-See [Synchronize domain users to Microsoft 365](../admin/setup/manage-domain-users.md) for the steps.

-## Possible device actions and statuses

-

-

-Devices and their associated actions can have the following states:

-

-|**Status**|**Description**|

-|:--|:--|

-|Managed by Intune |Managed by Microsoft 365 Business Premium. |

-|Retire pending |Microsoft 365 Business Premium is getting ready to remove company data from the device. |

-|Retire in progress |Microsoft 365 Business Premium is currently removing company data from the device. |

-|Retire failed | Remove company data action failed. |

-|Retire canceled |Retire action was canceled. |

-|Wipe pending |Waiting for factory reset to start. |

-|Wipe in progress |Factory reset has been issued. |

-|Wipe failed |Couldn't do factory reset. |

-|Wipe canceled |Factory wipe was canceled. |

-|Unhealthy |An action is pending (or in progress), but the device hasn't checked in for 30+ days. |

-|Delete pending |Delete action is pending. |

-|Discovered |Microsoft 365 Business Premium has detected the device. |

-## 1. Verify MDM Authority in Intune

-Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com/#blade/Microsoft_Intune_Enrollment/EnrollmentMenu/overview)) and select **Device enrollment**, then on the **Overview** page, make sure **MDM authority** is **Intune**.

-## 2. Verify Azure AD is enabled for joining computers

-1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and select **Azure Active Directory** (select Show all if Azure Active Directory is not visible) in the **Admin centers** list.

-2. In the **Azure Active Directory admin center**, go to **Azure Active Directory** , choose **Devices** and then **Device settings**.

-3. Verify **Users may join devices to Azure AD** is enabled

- 1. To enable all users, set to **All**.

- 2. To enable specific users, set to **Selected** to enable a specific group of users.

- - Add the desired domain users synced in Azure AD to a [security group](../admin/create-groups/create-groups.md).

- - Choose **Select groups** to enable MDM user scope for that security group.

-## 3. Verify Azure AD is enabled for MDM

-1. Go to the Microsoft 365 admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=2024339" target="_blank">https://admin.microsoft.com</a> and select **Endpoint Management** (select **Show all** if **Endpoint Manager** is not visible)

-2. In the **Microsoft Endpoint Manager admin center**, go to **Devices** > **Windows** > **Windows Enrollment** > **Automatic Enrollment**.

-3. Verify MDM user scope is enabled.

- 1. To enroll all computers, set to **All** to automatically enroll all user computers that are joined to Azure AD and new computers when the users add a work account to Windows.

-

- 2. Set to **Some** to enroll the computers of a specific group of users.

-

- - Add the desired domain users synced in Azure AD to a [security group](/admin/create-groups/create-groups.md).

-

- - Choose **Select groups** to enable MDM user scope for that security group.

-## 4. Create the required resources

-Performing the required tasks to [configure hybrid Azure AD join](/azure/active-directory/devices/hybrid-azuread-join-managed-domains#configure-hybrid-azure-ad-join) has been simplified through the use of the [Initialize-SecMgmtHybirdDeviceEnrollment](https://github.com/microsoft/secmgmt-open-powershell/blob/master/docs/help/Initialize-SecMgmtHybirdDeviceEnrollment.md) cmdlet found in the [SecMgmt](https://www.powershellgallery.com/packages/SecMgmt) PowerShell module. When you invoke this cmdlet it will create and configure the required service connection point and group policy.

-You can install this module by invoking the following from an instance of PowerShell:

-```powershell

-Install-Module SecMgmt

-```

-> [!IMPORTANT]

-> Install this module on the Windows Server running Azure AD Connect.

-To create the required service connection point and group policy, you will invoke the [Initialize-SecMgmtHybirdDeviceEnrollment](https://github.com/microsoft/secmgmt-open-powershell/blob/master/docs/help/Initialize-SecMgmtHybirdDeviceEnrollment.md) cmdlet. You will need your Microsoft 365 Business Premium global admin credentials when performing this task. When you are ready to create the resources, invoke the following:

-```powershell

-PS C:\> Connect-SecMgmtAccount

-PS C:\> Initialize-SecMgmtHybirdDeviceEnrollment -GroupPolicyDisplayName 'Device Management'

-```

-The first command will establish a connection with the Microsoft cloud, and when you are prompted, specify your Microsoft 365 Business Premium global admin credentials.

-## 5. Link the group policy

-1. In the Group Policy Management Console (GPMC), right-click on the location where you want to link the policy and select *Link an existing GPO...* from the context menu.

-2. Select the policy created in the above step, then click **OK**.

-## Get the latest administrative templates

-If you do not see the policy **Enable automatic MDM enrollment using default Azure AD credentials**, it may be because you donΓÇÖt have the ADMX installed for Windows 10, version 1803, or later. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):

-1. Download: [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/102157).

-2. Install the package on a Domain Controller.

-3. Navigate, depending on the Administrative Templates version to the folder: **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**.

-4. Rename the **Policy Definitions** folder in the above path to **PolicyDefinitions**.

-5. Copy the **PolicyDefinitions** folder to your SYSVOL share, by default located at `C:\Windows\SYSVOL\domain\Policies`.

- If you plan to use a central policy store for your entire domain, add the contents of PolicyDefinitions there.

-6. In case you have several Domain Controllers, wait for SYSVOL to replicate for the policies to be available. This procedure will work for any future version of the Administrative Templates as well.

-At this point you should be able to see the policy **Enable automatic MDM enrollment using default Azure AD credentials** available.

-## Related content

-## Next objective

-[Prepare for Office client deployment](m365bp-prepare-for-office-client-deployment.md)

-description: "How to set up managed devices"

-# Set up managed devices

-A "managed" device is one that is under control and being monitored by the organization, and is therefore regularly updated, and secure. Having devices under managed control is a critical objective. To bring these devices under control, enroll them in a device manager with Microsoft Intune and Azure Active Directory, both of which are included with Microsoft Business Premium.

-1. Set up device and data protection policies in the [setup wizard](../business/set-up.md).

-2. Connected the computer to [Azure Active Directory](../business/set-up-windows-devices.md) with their Microsoft 365 username and password.

-## Enroll devices in Intune

-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.

-2. Select **Devices** > **Enroll devices**.

- :::image type="content" source="media/m365bp-endpoint-manager-enroll-devices.png" alt-text="Use Microsoft Endpoint Manager to enroll devices.":::

-3. Follow specific device enrollment guidance below.

-### For Windows enrollment:

-1. Select **Windows** > **Windows enrollment**.

-2. From the enrollment methods listed, select **Automatic enrollment**.

-### For iOS enrollment:

-1. Select **iOS** > **iOS enrollment**.

-2. From the list of policies, select a policy to see its details.

-3. Select **Properties** to manage the policy.

-4. Select **Settings** > **System Security** and configure security details in Intune.

-5. Look at configuration profiles.

-6. Create a profile and push it to the devices in your organization, as needed.

-### For Android enrollment:

-1. Select **Android** > **Android enrollment**.

-2. Choose **Managed Google Play** and grant Microsoft permission to send information to Google.

-## Next objective

-Use the following guidance to [onboard devices to Defender for Business capabilities](m365bp-onboard-devices-mdb.md).

-Welcome to your final critical mission. Here, you'll onboard and implement protection for all the managed devices in your organization. [Onboard your devices to Defender for Business](../security/defender-business/mdb-onboard-devices.md) to help ensure those devices are protected from ransomware, malware, phishing, and other threats. You can also make sure Windows devices are protected and ready for Office deployment. When you're done, you can rest assured, knowing you've done your part to protect your organization when these objectives have been achieved!

-description: "Learn how to create or edit app management policies and protect work files on your users' personal Windows devices."

-# Set or edit application protection settings for Windows devices

-Now you need to set up application protection policies for your organization's Windows devices to ensure all your users are protected when they use applications for their work.

-## Edit an app management policy for Windows devices

-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.

-2. On the left nav, choose **Devices** \> **Policies** .

-3. Choose an existing Windows app policy and then **Edit**.

-4. Choose **Edit** next to a setting you want to change and then **Save**.

-## Create an app management policy for Windows devices

-If your users have personal Windows devices on which they perform work tasks, you can protect your data on those devices.

-

-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.

-2. On the left nav, choose **Devices** \> **Policies** \> **Add**.

-3. On the **Add policy** pane, enter a unique name for this policy.

-4. Under **Policy type**, choose **Application Management for Windows 10**.

-5. Under **Device type**, choose either **Personal** or **Company Owned**.

-6. The **Encrypt work files** is turned on automatically.

-7. Set **Prevent users from copying company data to personal files and force them to save work files to OneDrive for Business** to **On** if you don't want the users to save work files on their PC.

-8. Expand **Recover data on Windows devices**. We recommend that you turn it **On**.

- Before you can browse to the location of the Data Recovery Agent certificate, you have to first create one. For instructions, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).

- By default, work files are encrypted using a secret key that is stored on the device and associated with the user's profile. Only the user can open and decrypt the file. However, if a device is lost or a user is removed, a file can be stuck in an encrypted state. An admin can use the Data Recovery Agent (DRA) certificate to decrypt the file.

- 

-

-9. Expand **Protect additional network and cloud locations** if you want to add additional domains or SharePoint Online locations to make sure that files in all the listed apps are protected. If you need to enter more than one item for either field, use a semicolon (;) between the items.

- 

-

-10. Next decide **Who will get these settings?** If you don't want to use the default **All Users** security group, choose **Change**, choose the security groups who will get these settings \> **Select**.

-11. Finally, choose **Add** to save the policy, and assign it to devices.

-## See also

-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)

-## Next objective

-[Validate your Windows settings](m365bp-validate-settings-on-windows-10-pcs.md).

-Microsoft 365 Business Premium offers you one comprehensive solution for productivity and security. As an admin or IT Pro, you have everything you need in one place for administration, billing, and 24x7 support, while reducing cost and complexity for your business. This article includes the following sections:

-> [!TIP]

-> For more information, see [Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium?activetab=pivot:overviewtab).

-## Productivity and security

-Microsoft 365 Business Premium includes your favorite Office productivity apps, collaboration tools like Microsoft Teams, and enterprise-grade security, identity, and device management solutions. With Microsoft 365 Business Premium, you can run your business more securely, across devices, and from almost anywhere. Microsoft 365 Business Premium includes:

-The security recommendations provided in these missions make it much harder for cyberattackers to gain access to your environment. However, an important part of your security strategy includes training members of the organization&mdash;the people in your company who use your systems regularly. Users can be your front line of defense. Everyone needs to know how to work productively while maintaining a more secure environment.

-description: "Learn how to secure your company's Windows devices using built-in settings."

-# Secure Windows devices

-The objective here is to configure settings that are part of the default device policy for Windows 10 or 11. All users who connect a Windows device, including mobile devices and computers, by signing in with their work account will automatically receive these settings. We recommend that you accept the default policy during setup and add policies later that target specific groups of users.

-## Before you begin

-Before you can set up Windows devices for Microsoft 365 Business Premium users, make sure all the Windows devices are running Windows 10 Pro.

-Windows 10 Pro is a prerequisite for deploying Windows 10 Business, which is a set of cloud services and device management capabilities that complement Windows 10 Pro and Windows 11 Pro, and enable the centralized management and security controls of Microsoft 365 Business Premium.

-[Learn more about requirements for Microsoft 365 Business Premium](https://www.microsoft.com/microsoft-365/business/microsoft-365-business-premium?activetab=pivot:techspecstab).

-## Windows 10 Pro

-If you have Windows devices running previous versions of Windows, such as Windows 7 Pro, Windows 8 Pro, or Windows 8.1 Pro, your Microsoft 365 Business Premium subscription entitles you to upgrade those devices to Windows 10 Pro or Windows 11 Pro.

-

-For more information on how to upgrade Windows devices, see [Upgrade Windows devices to Windows 10 Pro](m365bp-upgrade-windows-10-pro.md).

-## Secure your Windows 10 and 11 devices

-By default all settings are **On**. The following settings are available:

-|Setting |Description |

-|:--|:--|

-|Help protect computers from viruses and other threats using Microsoft Defender Antivirus |Requires that Microsoft Defender Antivirus is turned on to protect computers from the dangers of being connected to the internet. |

-|Help protect computers from web-based threats in Microsoft Edge |Turns on settings in Edge that help protect users from malicious sites and downloads. |

-|Help protect files and folders on computers from unauthorized access with BitLocker |BitLocker protects data by encrypting the computer hard drives and protect against data exposure if a computer is lost or stolen. For more information, see [BitLocker FAQ](/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions). |

-|Turn off device screen when idle for this amount of time |Makes sure that company data is protected if a user is idle. A user may be working in a public location, like a coffee shop, and step away or be distracted for just a moment, leaving their device vulnerable to random glances. This setting lets you control how long the user can be idle before the screen shuts off. |

-## Next objective

-[Manage Windows devices](m365bp-manage-windows-devices.md)

-1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Device inventory**.

-> - After you have added users, give them a link to the [Employee quick setup guide](../admin/setup/employee-quick-setup.md). The guide walks them through signing in, getting Office apps, and saving, copying, and sharing files.

-Welcome to the Microsoft Business Premium trial playbook. This playbook will help you make the most of your 30-day free trial by experiencing how Microsoft 365 Business Premium increases productivity and helps safeguard your organization with advanced security capabilities. Using Microsoft recommendations, learn how you can set up your threat protection features, analyze detected threats, and respond to cyberattacks.

-> Save this playbook to your browser favorites. When links in the playbook take you away from this location, simply return to this playbook to continue.

-First, [set up your trial](../business-premium/m365bp-setup.md)!

-After you've initiated the trial and completed the setup process, it can take up to two hours for changes to take effect.

-Microsoft 365 Business Premium includes [Preset security policies](/security/office-365-security/preset-security-policies.md) that you can use in your environment. These policies represent a baseline protection profile that's suitable for most users. Standard protection includes:

-2. Run the [setup wizard](../security/defender-business/mdb-use-wizard.md).

-description: "Learn how to validate the Microsoft 365 Business Premium app protection settings on your Android or iOS devices. Making security settings for your applications is critical in order to protect the files on your mobile apps and devices from any kind of security threats."

-# Validate app protection settings on Android or iOS devices

-Follow the instructions in the following sections to validate app protection settings on Android or iOS devices.

-

-## [Android](#tab/Android)

-### Check that the app protection settings are working on user devices

-After you [set app protection settings for Android or iOS devices](../business-premium/m365bp-app-protection-settings-for-android-and-ios.md) to protect the apps, you can follow these steps to validate the settings you chose.

-

-First, make sure that the policy applies to the app in which you're going to validate it.

-

-1. In the Microsoft 365 Business Premium [admin center](https://admin.microsoft.com), go to **Policies** \> **Edit policy**.

-2. Choose **Application policy for Android** for the settings you created at setup, or another policy you created, and verify that it's enforced for Outlook, for example.

- 

-

-### Validate Require a PIN or a fingerprint to access Office apps

-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require a PIN or fingerprint to access Office apps** is set to **On**.

-

-

-

-1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.

-2. You'll also be prompted to enter a PIN or use a fingerprint.

- 

-

-### Validate Reset PIN after number of failed attempts

-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Reset PIN after number of failed attempts** is set to some number. This is 5 by default.

-

-1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.

-2. Enter an incorrect PIN as many times as specified by the policy. You'll see a prompt that states **PIN Attempt Limit Reached** to reset the PIN.

- 

-

-3. Press **Reset PIN**. You'll be prompted to sign in with the user's Microsoft 365 Business Premium credentials, and then required to set a new PIN.

-### Validate Force users to save all work files to OneDrive for Business

-In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Force users to save all work files to OneDrive for Business** is set to **On**.

-

-

-

-1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.

-2. Open an email that contains an attachment and tap the down arrow icon next to the attachment's information.

- 

-

- You'll see **Cannot save to device** on the bottom of the screen.

- 

-

- > [!NOTE]

- > Saving to OneDrive for Business is not enabled for Android at this time, so you can only see that saving locally is blocked.

-

-### Validate Require user to sign in again if Office apps have been idle for a specified time

-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require users to sign in again after Office apps have been idle for** is set to some number of minutes. This is 30 minutes by default.

-

-1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.

-1. You should now see Outlook's inbox. Let the Android device idle untouched for at least 30 minutes (or some other amount of time, longer than what you specified in the policy). The device will likely dim.

-1. Access Outlook on the Android device again.

-1. You'll be prompted to enter your PIN before you can access Outlook again.

-### Validate Protect work files with encryption

-In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Protect work files with encryption** is set to **On**, and **Force users to save all work files to OneDrive for Business** is set to **Off**.

-

-1. In the user's Android device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.

-1. Open an email that contains a few image file attachments.

-1. Tap the down arrow icon next to the attachment's info to save it.

- 

-

-1. You may be prompted to allow Outlook to access photos, media, and files on your device. Tap **Allow**.

-1. At the bottom of the screen, choose to **Save to Device** and then open the **Gallery** app.

-1. You should see an encrypted photo (or more, if you saved multiple image file attachments) in the list. It may appear in the Pictures list as a gray square with a white exclamation point within a white circle in the center of the gray square.

- 

-

-### [iOS](#tab/iOS)

-## Check that the App protection settings are working on user devices

-After you [set app configurations for iOS devices](../business-premium/m365bp-protection-settings-for-windows-10-devices.md) to protect apps, you can follow these steps to validate that the settings you chose work.

-

-First, make sure that the policy applies to the app in which you're going to validate it.

-

-1. In the Microsoft 365 Business Premium [admin center](https://admin.microsoft.com), go to **Policies** \> **Edit policy**.

-1. Choose **Application policy for iOS** for the settings you created at setup, or another policy you created, and verify that it's enforced for Outlook for example.

- 

-

-### Validate Require a PIN to access Office apps

-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require a PIN or fingerprint to access Office apps** is set to **On**.

-

-

-

-1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.

-1. You'll also be prompted to enter a PIN or use a fingerprint.

- 

-

-### Validate Reset PIN after number of failed attempts

-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Reset PIN after number of failed attempts** is set to some number. This is 5 by default.

-

-1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials.

-1. Enter an incorrect PIN as many times as specified by the policy. You'll see a prompt that states **PIN Attempt Limit Reached** to reset the PIN.

- 

-

-1. Press **OK**. You'll be prompted to sign in with the user's Microsoft 365 Business Premium credentials, and then required to set a new PIN.

-### Validate Force users to save all work files to OneDrive for Business

-In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Force users to save all work files to OneDrive for Business** is set to **On**.

-

-

-

-1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.

-1. Open an email that contains an attachment, open the attachment and choose **Save** on the bottom of the screen.

- 

-

-1. You should only see an option for OneDrive for Business. If not, tap **Add Account** and select **OneDrive for Business** from the **Add Storage Account** screen. Provide the end user's Microsoft 365 Business Premium to sign in when prompted.

- Tap **Save** and select **OneDrive for Business**.

-### Validate Require user to sign in again if Office apps have been idle for a specified time

-In the **Edit policy** pane, choose **Edit** next to **Office documents access control**, expand **Manage how users access Office files on mobile devices**, and make sure that **Require users to sign in again after Office apps have been idle for** is set to some number of minutes. This is 30 minutes by default.

-

-1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.

-1. You should now see Outlook's inbox. Let the iOS device untouched for at least 30 minutes (or some other amount of time, longer than what you specified in the policy). The device will likely dim.

-1. Access Outlook on the iOS device again.

-1. You'll be prompted to enter your PIN before you can access Outlook again.

-### Validate Protect work files with encryption

-In the **Edit policy** pane, choose **Edit** next to **Protection against lost or stolen devices**, expand **Protect work files when devices are lost or stolen**, and make sure that **Protect work files with encryption** is set to **On**, and **Force users to save all work files to OneDrive for Business** is set to **Off**.

-

-1. In the user's iOS device, open Outlook and sign in with the user's Microsoft 365 Business Premium credentials, and enter a PIN if requested.

-1. Open an email that contains a few image file attachments.

-1. Tap the attachment and then tap the **Save** option under it.

-1. Open **Photos** app from the home screen. You should see an encrypted photo (or more, if you saved multiple image file attachments) saved, but encrypted.

-## See also

-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)

-description: "Learn how to verify that Microsoft 365 Business Premium app protection settings took effect on your users' Windows 10 devices."

-# Validate device protection settings for Windows 10 or 11 PCs

-## Verify that Windows 10 or 11 device policies are set

-After you [set up device policies](../business-premium/m365bp-protection-settings-for-windows-10-devices.md), it may take up to a few hours for the policy to take effect on users' devices. You can confirm that the policies took effect by looking at various Windows Settings screens on the users' devices. Because the users won't be able to modify the Windows Update and Microsoft Defender Antivirus settings on their Windows 10 or 11 devices, many options will be grayed out.

-

-1. Go to **Settings** \> **Update &amp; security** \> **Windows Update** \> **Restart options** and confirm that all settings are grayed out.

- 

-

-2. Go to **Settings** \> **Update &amp; security** \> **Windows Update** \> **Advanced options** and confirm that all settings are grayed out.

- 

-

-3. Go to **Settings** \> **Update &amp; security** \> **Windows Update** \> **Advanced options** \> **Choose how updates are delivered**.

- Confirm that you can see the message (in red) that some settings are hidden or managed by your organization, and all the options are grayed out.

- 

-

-4. To open the Windows Defender Security Center, go to **Settings** \> **Update &amp; security** \> **Windows Defender** \> click **Open Windows Defender Security Center** \> **Virus &amp; thread protection** \> **Virus &amp; threat protection settings**.

-5. Verify that all options are grayed out.

- 

-

-## Related content

-[Microsoft 365 for business documentation and resources](/admin)

-[Set device configurations for Windows 10 PCs](../business-premium/m365bp-protection-settings-for-windows-10-devices.md)

-[Best practices for securing Microsoft 365 for business plans](../admin/security-and-compliance/secure-your-business-data.md)

-## Next objective

-[Review and edit protection policies](m365bp-view-edit-create-mdb-policies.md)

-In Microsoft 365 Business Premium, security settings for managed devices are configured through device protection policies in Microsoft Defender's security center or the Admin center. To help simplify setup and configuration, there are pre-configured policies that help protect your organization's devices as soon as they are onboarded. You can use the default policies, edit existing policies, or create your own policies.

-These policies are part of Microsoft Defender for Business, included in your Microsoft 365 Business Premium subscription. Information is provided for working with policies in the Microsoft Defender security center as well as how to work with policies in the Admin center and Intune.

-## Working with device polices in the Microsoft Defender security center

-To view your existing device protection policies in the security center:

-## Using device policies in the Admin center

-The following information describes viewing and managing policies in the Microsoft Business Premium Admin center.

-### Working with device policies

-To work with policies in the Admin center:

-1. Go to the admin center at <a href="https://go.microsoft.com/fwlink/p/?linkid=837890" target="_blank">https://admin.microsoft.com</a>.

-1. On the left nav, choose **Devices** \> **Policies**.

- On this page, you can create, edit, change target group, or delete a policy.

- 

-

-### View and manage devices

-To view and manage policies:

-1. On the left nav, choose **Devices** \> **Manage**.

- On this page, you can select one or more devices and remove company data. For Windows 10 devices for which you have set device protections settings, you can also choose to reset the device to factory settings.

-

- 

-## Working with device policies in Intune

-> Not all accounts have a billing profile. If you're not sure if you have a one, you can [view a list of your billing profiles]

-(manage-billing-profiles.md#view-my-billing-profiles).

-## Recommended actions

-Recommended actions can help your organization get started with communication compliance capabilities and get the most out of your existing policies. Included on the **Policies** page, recommended actions provide insights and summarizes sensitive information types and inappropriate content activities in communications in your organization. Insights are supported by [data classification](/microsoft-365/compliance/data-classification-overview) and the application of sensitivity labels, retention labels, and sensitive information type classification. These insights don't include any personally identifiable information (PII) for users in your organization.

-Activity in messages containing inappropriate content is aggregated by [classifier type](/microsoft-365/compliance/communication-compliance-policies#classifiers) from existing policies that use the inappropriate content template or custom policies that use classifiers for inappropriate content. Investigate alerts for these messages on the Alert dashboard for your policies.

-Activity involving [sensitive information types](/microsoft-365/compliance/communication-compliance-policies#sensitive-information-types) is detected in messages covered in existing policies and for messages that aren't covered by existing policies. Insights are aggregated for all sensitive information types, including ones that your organization hasn't previously defined in an existing communication compliance policy. Use these insights to create a new communication compliance policy or to update existing policies.

-The Pattern element has a required confidenceLevel attribute. You can think of the value of confidenceLevel (an integer between 1 and 100) as a unique ID for each pattern in an entity ΓÇö the patterns in an entity must have different confidence levels that you assign. The precise value of the integer doesn't matter ΓÇö simply pick numbers that make sense to your compliance team. After you upload your custom sensitive information type and then create a policy, you can reference these confidence levels in the conditions of the rules that you create.

- - When this action is selected for the final stage of disposition review, or there's only one stage of disposition: The item is marked as eligible for permanent deletion, which a timer job then actions within 7 days. The exact timing for the item to then be permanently deleted depends on the workload. For more information, see [How retention works for SharePoint and OneDrive](retention-policies-sharepoint.md#how-retention-works-for-sharepoint-and-onedrive) and [How retention works for Exchange](retention-policies-exchange.md#how-retention-works-for-exchange).

- - **Remove encryption if the file or email is encrypted**: This option is supported by the Azure Information Protection unified labeling client only. When you select this option and use built-in labeling, the label might not display in apps, or display and not make any encryption changes.

- For more information about this scenario, see the [What happens to existing encryption when a label's applied](#what-happens-to-existing-encryption-when-a-labels-applied) section. It's important to understand that this setting can result in a sensitivity label that users might not be able to apply when they don't have sufficient permissions.

-> [!NOTE]

-> The option **Remove encryption if the file or email is encrypted** is supported only by the Azure Information Protection unified labeling client. You can achieve the same effect for emails by [configuring a mail flow rule](define-mail-flow-rules-to-encrypt-email.md#use-the-eac-to-create-a-rule-to-remove-encryption-from-email-messages-with-microsoft-purview-message-encryption).

-| | Encryption: Not selected | Encryption: Configured | Encryption: Remove ^\* |

-**Footnote:**

-^\*

-Supported by the Azure Information Protection unified labeling client only

-If you have onboarded devices through [Microsoft Defender for Endpoint](../security/defender-endpoint/configure-machines-onboarding.md), those devices will automatically show up in the list of devices. This is because onboarding to Defender also onboards devices to DLP. You only need to **Turn on device monitoring** to use endpoint DLP. .

-When a document has been encrypted with administrator-defined permissions, the encryption information includes information about a matching sensitivity label. As a result, when a user opens that document in an Office app, the matching label is displayed in the Office app and persists if the document is saved.

-Encryption-based label matching works only within the tenant, for admin-defined permissions, and the matching sensitivity label must be published to the user who opens the document.

-> This feature is gradually rolling out in preview and subject to change. It is also a premium feature with licensing details to be provided when the feature becomes generally available (GA).

-> [!NOTE]

-> These new settings are gradually rolling out to tenants. If you don't see them, try again in a few days.

-A prerequisite to managing Teams content in eDiscovery (Premium) is to understand the type of Teams content that you can collect, process, and review in eDiscovery (Premium) and where that content is stored in Microsoft 365. The following table lists Teams content type and where each is stored.

- > [!NOTE]

- > We've recently updated our setup steps to enable cross-tenant mailbox migration to no longer require Azure Key Vault! If this is the first time you are onboarding to this preview, no action is required, and you can go ahead and follow the steps detailed in this document. If you have started configuring your tenants using the previous AKV method, we highly recommend you stop or remove that configuration to begin using this new method. If you have mailbox migrations in progress with the previous AKV method, then please wait until your existing migrations are complete and follow the steps below to enable the new simplified method. Azure Key Vault required setup steps are archived but can be found **[here](https://github.com/microsoft/cross-tenant/wiki/V1-Content#cross-tenant-mailbox-migration-preview)**, for reference.

- > [!NOTE]

- > You must configure the target (destination) first. To complete these steps, you are not required to have or know the tenant admin credentials for both source and target tenant. Steps can be performed individually for each tenant by different administrators.

- > [!NOTE]

- > This is the password that will be used when creating your migration endpoint. It is extremely important that you copy this password to your clipboard and or copy this password to secure/secret password safe location. This is the only time you will be able to see this password! If you do somehow lose it or need to reset it, you can log back into our Azure portal, go to App registrations, find your migration app, select Secrets & certificates, and create a new secret for your app.

->[!TIP]

->Microsoft is developing a feature to provide a secure automated method to set many of the attributes in the following section. This feature, named Cross-Tenant Identity Mapping, is currently looking for customers willing to participate in a small private preview. For more information about this pre-release feature and how it can simplify your cross-tenant migration processes, see the article **[Cross-Tenant Identity Mapping](cross-tenant-identity-mapping.md)**.

- - ExchangeGUID (direct flow from source to target): The mailbox GUID must match. The move process will not proceed if this isn't present on target object.

- - ArchiveGUID (direct flow from source to target): The archive GUID must match. The move process won't proceed if this isn't present on the target object. (This is only required if the source mailbox is Archive enabled).

- - LegacyExchangeDN (flow as proxyAddress, "x500:\<LegacyExchangeDN>"): The LegacyExchangeDN must be present on target MailUser as x500: proxyAddress. In addition, you also need to copy all x500 addresses from the source mailbox to the target mail user. The move processes won't proceed if these aren't present on the target object.

- - UserPrincipalName: UPN will align to the user's NEW identity or target company (for example, user@northwindtraders.onmicrosoft.com).

- - Primary SMTPAddress: Primary SMTP address will align to the user's NEW company (for example, user@northwind.com).

- - TargetAddress/ExternalEmailAddress: MailUser will reference the user's current mailbox hosted in source tenant (for example user@contoso.onmicrosoft.com). When assigning this value, verify that you have/are also assigning PrimarySMTPAddress or this value will set the PrimarySMTPAddress, which will cause move failures.

- - You can't add legacy smtp proxy addresses from source mailbox to target MailUser. For example, you can't maintain contoso.com on the MEU in fabrikam.onmicrosoft.com tenant objects). Domains are associated with one Azure AD or Exchange Online tenant only.

- > [!NOTE]

- > SAMPLE ΓÇô AS IS, NO WARRANTY

- >

- > This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory (to stamp the ADUser object). If source has litigation or single item recovery enabled, set this on the destination account. This will increase the dumpster size of destination account to 100 GB.

- ```powershell

- $ELCValue = 0

- if ($source.LitigationHoldEnabled) {$ELCValue = $ELCValue + 8} if ($source.SingleItemRecoveryEnabled) {$ELCValue = $ELCValue + 16} if ($ELCValue -gt 0) {Set-ADUser -Server $domainController -Identity $destination.SamAccountName -Replace @{msExchELCMailboxFlags=$ELCValue}}

- ```

- > [!NOTE]

- > When you apply a license on a Mailbox or MailUser object, all SMTP type proxyAddresses are scrubbed to ensure only verified domains are included in the Exchange EmailAddresses array.

- > [!CAUTION]

- > This process is irreversible. If the object has a softDeleted mailbox, it cannot be restored after this point. Once cleared, however, you can synchronize the correct ExchangeGuid to the target object and MRS will connect the source mailbox to the newly created target mailbox. (Reference EHLO blog on the new parameter.)

- Find objects that were previously mailboxes using this command.

- ```powershell

- Get-User <identity> | select Name, *recipient* | Format-Table -AutoSize

- ```

- Here is an example.

- ```powershell

- Get-User John@northwindtraders.com |select name, *recipient*| Format-Table -AutoSize

- Name PreviousRecipientTypeDetails RecipientType RecipientTypeDetails

- - - - --

- John UserMailbox MailUser MailUser

- ```

- Clear the soft-deleted mailbox using this command.

- ```powershell

- Set-User <identity> -PermanentlyClearPreviousMailboxInfo

- ```

- Here is an example.

- ```powershell

- Set-User John@northwindtraders.com -PermanentlyClearPreviousMailboxInfo -Confirm

- Are you sure you want to perform this action?

- Delete all existing information about user "John@northwindtraders.com"?. This operation will clear existing values from Previous home MDB and Previous Mailbox GUID of the user. After deletion, reconnecting to the previous mailbox that existed in the cloud will not be possible and any content it had will be unrecoverable PERMANENTLY.

- Do you want to continue?

- [Y] Yes [A] Yes to All [N] No [L] No to All [?] Help (default is "Y"): Y

- ```

-Migration batch submission is also supported from the new <a href="https://go.microsoft.com/fwlink/p/?linkid=2059104" target="_blank">Exchange admin center</a> when selecting the cross-tenant option.

-Yes, you should update the targetAddress (RemoteRoutingAddress/ExternalEmailAddress) of the source on-premises users when the source tenant mailbox moves to target tenant. While mail routing can follow the referrals across multiple mail users with different targetAddresses, Free/Busy lookups for mail users MUST target the location of the mailbox user. Free/Busy lookups will not chase multiple redirects.

-No, the Teams chat folder content does not migrate cross-tenant.

-> This script assumes a connection to both source mailbox (to get source values) and the target on-premises Active Directory Domain Services (to stamp the ADUser object). If source has litigation or single item recovery enabled, set this on the destination account. This will increase the dumpster size of destination account to 100 GB.

- ```powershell

- # This will export users from the source tenant with the CustomAttribute1 = "Cross-Tenant-Project"

- # These are the 'target' users to be moved to the Northwind org tenant

- $outFileUsers = "$home\desktop\UsersToMigrate.txt"

- $outFileUsersXML = "$home\desktop\UsersToMigrate.xml"

- Get-Mailbox -Filter "CustomAttribute1 -like 'Cross-Tenant-Project'" -ResultSize Unlimited | Select-Object -ExpandProperty Alias | Out-File $outFileUsers

- $mailboxes = Get-Content $outFileUsers

- $mailboxes | ForEach-Object {Get-Mailbox $_} | Select-Object PrimarySMTPAddress,Alias,SamAccountName,FirstName,LastName,DisplayName,Name,ExchangeGuid,ArchiveGuid,LegacyExchangeDn,EmailAddresses | Export-Clixml $outFileUsersXML

- ```

- ```powershell

- # Copy the file $outfile to the desktop of the target on-premises then run the below to create MEU in Target

- $mailboxes = Import-Clixml $home\desktop\UsersToMigrate.xml

- add-type -AssemblyName System.Web

- foreach ($m in $mailboxes) {

- $organization = "@contoso.onmicrosoft.com"

- $mosi = $m.Alias+$organization

- $Password = [System.Web.Security.Membership]::GeneratePassword(16,4) | ConvertTo-SecureString -AsPlainText -Force

- $x500 = "x500:" +$m.LegacyExchangeDn

- $tmpUser = New-MailUser -MicrosoftOnlineServicesID $mosi -PrimarySmtpAddress $mosi -ExternalEmailAddress $m.PrimarySmtpAddress -FirstName $m.FirstName -LastName $m.LastName -Name $m.Name -DisplayName $m.DisplayName -Alias $m.Alias -Password $Password

- $tmpUser | Set-MailUser -EmailAddresses @{add=$x500} -ExchangeGuid $m.ExchangeGuid -ArchiveGuid $m.ArchiveGuid -CustomAttribute1 "Cross-Tenant-Project"

- $tmpx500 = $m.EmailAddresses | ?{$_ -match "x500"}

- $tmpx500 | %{Set-MailUser $m.Alias -EmailAddresses @{add="$_"}}

- }

- ```

- ```powershell

- # Now sync the changes from On-Premises to Azure and Exchange Online in the Target tenant

- # This action should create the target mail enabled users (MEUs) in the Target tenant

- Start-ADSyncSyncCycle

- ```

-### Can the source and target tenant utilize the same domain name?

-No. The source and target tenant domain names must be unique. For example, a source domain of contoso.com and the target domain of fourthcoffee.com.

-### Protecting documents in the source tenant consumable by users in the destination tenant.**

-### Can I have the same labels in the destination tenant as you had in the source tenant, either as the only set of labels or an additional set of labels for the migrated users depending on alignment between the organizations.**

- > [!NOTE]

- > The _contoso.onmicrosoft.com_ address is _not_ present in the EmailAddresses / proxyAddresses array.

- MailUser objects are pointers to non-local mailboxes. In the case for cross-tenant mailbox migrations, we use MailUser objects to represent either the source mailbox (from the target organization's perspective) or target mailbox (from the source organization's perspective). The MailUsers will have an ExternalEmailAddress (targetAddress) that points to the smtp address of the actual mailbox (ProxyTest@fabrikam.onmicrosoft.com) and primarySMTP address that represents the displayed SMTP address of the mailbox user in the directory. Some organizations choose to display the primary SMTP address as an external SMTP address, not as an address owned/verified by the local tenant (such as fabrikam.com rather than as contoso.com). However, once an Exchange service plan object is applied to the MailUser via licensing operations, the primary SMTP address is modified to show as a domain verified by the local organization (contoso.com). There are two potential reasons:

- Results in the set of ServicePlans assigned are shown here.

- | eDiscovery (Premium) Storage (500 GB) |

- | Graph Connectors Search with Index |

- | Microsoft Purview Audit (Premium) |

- | Microsoft MyAnalytics (Full)

- | Microsoft Communications Compliance |

- | Office 365 eDiscovery (Premium) |

-

-

-# Overview of the Microsoft Defender for Endpoint page in Microsoft 365 Lighthouse

-Microsoft Defender for Endpoint provides endpoint security to secure your customers' devices from ransomware, malware, phishing, and other threats. Microsoft 365 Lighthouse allows you to view endpoint security insights and information for all your customer tenants.

-You can access the Microsoft Defender for Endpoint page in Microsoft 365 Lighthouse from the **Security incidents** card on the Home page or from the left navigation pane by selecting **Devices** > **Device security**. You'll see any security incidents and alerts in your tenants that need attention, and devices that have been onboarded to Microsoft Defender for Endpoint.

-The Incidents and alerts tab provides a multi-tenant incidents queue of incidents and alerts that were flagged from devices in your customers' network. By default, the queue displays any active incidents seen in the last 30 days. You can select any incident or alert to view more information.

-The Devices tab lists all of the devices in your customer tenants that have been onboarded to Microsoft Defender for Endpoint. This list includes devices that are managed by Microsoft Endpoint Manager and Microsoft Defender for Endpoint.

-description: Create and grade assignments, build and curate course content, and collaborate on files in real time with the new Microsoft OneDrive Learning Tools Interoperability App for Canvas.

-3. Select the **Create new LTI Tenant** button. On the LTI Registration page select **Canvas** in the dropdown and enter the base URL of your Canvas instance.

-> [!NOTE]

-> For collaboration to work for educators and students, you shouldn't enable the collaboration setting. To make sure the setting isn't enabled, follow the steps below.

-1. Sign in as an admin and go to the **Settings** section.

-1. Set the **External Collaborations Tool** feature to be not enabled.

-> [!NOTE]

-> Collaboration can be assigned to individual students and to groups of students. Assigning to individual students works by default. To be able to assign collaboration to group of students, follow these steps:

-1. Login as admin and go to the **Developer Keys** section.

-1. Find the key with value 170000000000710 and set it to **On**.

-## Register the Teams Meetings LTI app in Schoology

-1. You'll be asked if this should be installed for your entire organization, or just for you. Select **Add to Organization**, and you'll be redirected to the **Organization Apps** page to complete the configuration.

-(<a id="fna">a</a>) Microsoft Intune is required to modify or customize attack surface reduction rules. Intune is included in Microsoft 365 Business Premium.

-|[Attack surface reduction capabilities](../defender-endpoint/overview-attack-surface-reduction.md)|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Endpoint detection and response](../defender-endpoint/overview-endpoint-detection-response.md) ^[[2](#fn2)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Automated investigation and response](../defender-endpoint/automated-investigations.md) ^[[3](#fn3)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: ||:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Threat hunting](../defender-endpoint/advanced-hunting-overview.md) and six months of data retention ^[[4](#fn4)] | | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Threat analytics](../defender-endpoint/threat-analytics.md) ^[[5](#fn5)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: | |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Cross-platform support](../defender-endpoint/minimum-requirements.md) <br/>(Windows, Mac, iOS, and Android OS) ^[[6](#fn6)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included":::|

-|[Microsoft 365 Lighthouse integration](../../lighthouse/m365-lighthouse-overview.md) <br/>(For viewing security incidents across customer tenants) ^[[7](#fn7)]|:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |:::image type="content" source="../../media/d238e041-6854-4a78-9141-049224df0795.png" alt-text="Included"::: |

-(<a id="fn2">2</a>) Endpoint detection and response (EDR) capabilities in Defender for Business include behavior-based detection and the following manual response actions:

-(<a id="fn3">3</a>) In Defender for Business, automated investigation and response is turned on by default, tenant wide. Turning off automated investigation and response affects real-time protection. See [Review settings for advanced features](mdb-configure-security-settings.md#review-settings-for-advanced-features).

-(<a id="fn4">4</a>) There's no timeline view in Defender for Business.

-(<a id="fn5">5</a>) In Defender for Business, threat analytics are optimized for small and medium-sized businesses.

-(<a id="fn6">6</a>) See [Onboard devices to Microsoft Defender for Business](mdb-onboard-devices.md).

-(<a id="fn7">7</a>) The ability to view incidents across tenants using Defender for Endpoint is new!

-Also see [Compare Microsoft endpoint security plans](../defender-endpoint/defender-endpoint-plan-1-2.md).

-2. In the navigation pane, choose **Device inventory**.

-1. In the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), in the navigation pane, choose **Device inventory**.

-2. Open a command prompt as an administrator.

-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). On the navigation pane, under **Endpoints**, choose **Device inventory**.

-When you run the local script on a Mac:

-5. On a Mac, save the installation package as `wdav.pkg` to a local directory.

-After a Mac is enrolled in Intune, you can add it to a device group. [Learn more about device groups in Defender for Business](mdb-create-edit-device-groups.md).

-You can enroll Mac computers in Intune by using the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)). There are several methods available for enrolling Mac in Intune. We recommend one of the following methods:

-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, under **Endpoints**, choose **Device inventory**.

-2. Open a command prompt as an administrator.

-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). In the navigation pane, under **Endpoints**, choose **Device inventory**.

-> Defender for Business standalone does not include the Intune license that is required to onboard iOS and Android devices. You can add Intune to your Defender for Business subscription to onboard mobile devices.

-To view the list of devices that are onboarded to Defender for Business, go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). On the navigation pane, under **Endpoints**, choose **Device inventory**.

-| **Device health and compliance** | The device health and compliance report provides information about device health and trends. You can use this report to determine whether Defender for Business sensors are working correctly on devices and the current status of Microsoft Defender Antivirus. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Device health and compliance**. <br/><br/>You can use the **Device inventory** list to view information about your company's devices. In the navigation pane, choose **Device inventory**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). |

-| **Vulnerable devices** | The vulnerable devices report provides information about devices and trends. Use the **Trends** column to view information about devices that had alerts over the last 30 days. Use the **Status** column to view current snapshot information about devices that have alerts. To access this report, in the navigation pane, choose **Reports** > **Endpoints** > **Vulnerable devices**.<br/><br/>**TIP**: You can use the **Device inventory** list to view information about your company's devices. In the navigation pane, choose **Device inventory**. To learn more, see [Manage devices in Defender for Business](mdb-manage-devices.md). |

-| Client device operating system | To manage devices in the Microsoft 365 Defender portal, your devices must be running one of the following operating systems: <ul><li>Windows 10 or 11 Business</li><li>Windows 10 or 11 Professional</li><li>Windows 10 or 11 Enterprise</li><li>Mac (the three most-current releases are supported)</li></ul><br/><br/>Make sure that [KB5006738](https://support.microsoft.com/topic/october-26-2021-kb5006738-os-builds-19041-1320-19042-1320-and-19043-1320-preview-ccbce6bf-ae00-4e66-9789-ce8e7ea35541) is installed on the Windows devices. <br/><br/>If you're already managing devices in Microsoft Intune, you can continue to use the Microsoft Endpoint Manager admin center. In that case, the following other operating systems are supported: <ul><li>iOS and iPadOS</li><li>Android OS</li></ul> |

-3. Select a button or link on the card to view more information and take action. As an example, our **Devices at risk** card includes a **View details** button. Selecting that button takes us to the **Device inventory** page, as shown in the following image:

- The **Device inventory** page lists company devices, along with their risk level and exposure level.

-If your company has been using Microsoft 365 Business Premium, the Defender for Business setup wizard will run the first time someone goes to **Endpoints** > **Device inventory**.

-##### [Removable Storage Access Control](device-control-removable-storage-access-control.md)

-####### [Export broswer extenstions assessment](get-assessment-browser-extensions.md)

-####### [Get browser extenstions permisson information](get-browser-extensions-permission-info.md)

-> ```reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /v PreferStaticProxyForHttpRequest /t REG_DWORD /d 1 /f```

-## Device Control Removable Storage Access Control Overview

-|Capability|Deploy through Intune|Deploy through Group Policy|

-||||

-|Removable Media Group Creation <br/>Allows you to create reusable removable media group|Step 4 and 6 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri)| Step 4 and 6 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|

-|Policy Creation<br/>Allows you to create policy to enforce each removable media group|Step 5 and 7 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri)| Steps 5 and 7 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|

-|Default Enforcement<br/>Allows you to set default access (Deny or Allow) to removable media if there is no policy|Step 2 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri) | Step 2 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|

-|Enable or Disable Removable Storage Access Control<br/>If you set Disable, it will disable the Removable Storage Access Control policy on this machine| Step 1 in the section, [Deploying Removable Storage Access Control by using Intune OMA-URI](#deploying-removable-storage-access-control-by-using-intune-oma-uri)| Step 1 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy)|

-|Capture file information<br/>Allows you to create policy to capture file information when Write access happens| | Step 10 in the section, [Deploying Removable Storage Access Control by using Group Policy](#deploying-removable-storage-access-control-by-using-group-policy) |

-Deploy Removable Storage Access Control on Windows 10 and Windows 11 devices that have antimalware client version **4.18.2103.3 or later**.

-## Device Control Removable Storage Access Control Policies

-You can use the following properties to create a removable storage group:

-> [!NOTE]

-> Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

-### Removable Storage Group

-|**DescriptorIdList**|List the device properties you want to use to cover in the group. All properties are case sensitive. |**PrimaryId**: The Primary ID includes `RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`. <p>**InstancePathId**: InstancePathId is a string that uniquely identifies the device in the system, for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611&0`. It is the `Device instance path` in the Device Manager. The number at the end (for example &0) represents the available slot and may change from device to device. For best results, use a wildcard at the end. For example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\8735B611*`. <p>**DeviceId**: To transform `Device instance path` to Device ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers), for example, `USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07` <p>**HardwareId**: A string that identifies the device in the system, for example, `USBSTOR\DiskGeneric_Flash_Disk___8.07`, It is `Hardware Ids` in the Device Manager. <br>**Note**: Hardware Id is not unique; different devices might share the same value.<p>**FriendlyNameId**: It is a string attached to the device, for example, `Generic Flash Disk USB Device`. It is the `Friendly name` in the Device Manager. <p>**BusId**: For example, USB, SCSI <p>**SerialNumberId**: You can find SerialNumberId from `Device instance path` in the Device Manager, for example, `03003324080520232521` is SerialNumberId in USBSTOR\DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00\\`03003324080520232521`&0 <p>**VID_PID**: Vendor ID is the four-digit vendor code that the USB committee assigns to the vendor. Product ID is the four-digit product code that the vendor assigns to the device. It supports wildcard. To transform `Device instance path` to Vendor ID and Product ID format, see [Standard USB Identifiers](/windows-hardware/drivers/install/standard-usb-identifiers). For example: <br>`0751_55E0`: match this exact VID/PID pair<br>`_55E0`: match any media with PID=55E0 <br>`0751_`: match any media with VID=0751 <p> **Note**: See [How do I find the media property in the Device Manager?](#how-do-i-find-the-media-property-in-the-device-manager) under [Frequently asked questions](#frequently-asked-questions) section below to understand how to find the property in Device Manager.|

-### Access Control Policy

-| **ExcludedIDList** | The group(s) that the policy will not be applied to. | The Group ID/GUID must be used at this instance. |

-| **Sid** | Local user Sid or user Sid group or the Sid of the AD object, defines whether to apply this policy over a specific user or user group; one entry can have a maximum of one Sid and an entry without any Sid means applying the policy over the machine. | |

-| **ComputerSid** | Local computer Sid or computer Sid group or the Sid of the AD object, defines whether to apply this policy over a specific machine or machine group; one entry can have a maximum of one ComputerSid and an entry without any ComputerSid means applying the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both Sid and ComputerSid into the same Entry. | |

-| **Options** | Defines whether to display notification or not |**When Type Allow is selected**: <p>0: nothing<p>4: disable **AuditAllowed** and **AuditDenied** for this Entry. Even if **Allow** happens and the AuditAllowed is setting configured, the system will not send event. <p>8: capture file information and have a copy of the file as evidence for Write access. <p>16: capture file information for Write access. <p>**When Type Deny is selected**: <p>0: nothing<p>4: disable **AuditDenied** for this Entry. Even if **Block** happens and the AuditDenied is setting configured, the system will not show notification. <p>**When Type **AuditAllowed** is selected**: <p>0: nothing <p>1: nothing <p>2: send event<p> **When Type **AuditDenied** is selected**: <p>0: nothing <p>1: show notification <p>2: send event<p>3: show notification and send event |

-## Device Control Removable Storage Access Control Scenarios

-To help you familiarize with Microsoft Defender for Endpoint Removable Storage Access Control, we have put together some common scenarios for you to follow.

-### Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs

-1. Create groups

- 1. Group 1: Any removable storage and CD/DVD. An example of a removable storage and CD/DVD is: Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.

- 2. Group 2: Approved USBs based on device properties. An example for this use case is:

- Instance ID - Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Approved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.

- > [!TIP]

- > Replace `&` with `&amp;` in the value.

-2. Create policy

- 1. Policy 1: Block Write and Execute Access but allow approved USBs. An example for this use case is: PolicyRule **c544a991-5786-4402-949e-a032cb790d0e** in the sample [Scenario 1 Block Write and Execute Access but allow approved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.

- 2. Policy 2: Audit Write and Execute access to allowed USBs. An example for this use case is: PolicyRule **36ae1037-a639-4cff-946b-b36c53089a4c** in the sample [Scenario 1 Audit Write and Execute access to approved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.

-### Scenario 2: Audit Write and Execute access to all but block specific unapproved USBs

-1. Create groups

- 1. Group 1: Any removable storage and CD/DVD. An example for this use case is:

- Group **9b28fae8-72f7-4267-a1a5-685f747a7146** in the sample [Any Removable Storage and CD-DVD Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.

- 2. Group 2: Unapproved USBs based on device properties, for example, Vendor ID / Product ID, Friendly Name - Group **65fa649a-a111-4912-9294-fb6337a25038** in the sample [Unapproved USBs Group.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.

- > [!TIP]

- > Replace `&` with `&amp;` in the value.

-2. Create policy

- 1. Policy 1: Block Write and Execute access to all but block specific unapproved USBs. An example of this use case is: PolicyRule **23b8e437-66ac-4b32-b3d7-24044637fc98** in the sample [Scenario 2 Audit Write and Execute access to all but block specific unapproved USBs.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.

- 2. Policy 2: Audit Write and Execute access to others. An example of this use case is: PolicyRule **b58ab853-9a6f-405c-a194-740e69422b48** in the sample [Scenario 2 Audit Write and Execute access to others.xml](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) file.

-## Deploying and managing Removable Storage Access Control by using Intune OMA-URI

-The Removable Storage Access Control feature enables you to apply policy by using OMA-URI to either user or device, or both.

-### Licensing requirements

-Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.

-### Permission

-For policy deployment in Intune, the account must have permissions to create, edit, update, or delete device configuration profiles. You can create custom roles or use any of the built-in roles with these permissions.

-### Deploying Removable Storage Access Control by using Intune OMA-URI

-To block a specific removable storage class but allow specific media, you can use 'IncludedIdList a group through PrimaryId and ExcludedIDList a group through DeviceId/HardwareId/etc.'

-Go to Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>) > **Devices** > **Create profile** > **Platform: Windows 10 and later, Profile type: Templates** > Custom**

-1. Enable or Disable Device control as follows:

- - Under **Custom** > **Configuration settings**, select **Add**.

- - In the **Add Row** pane, specify the following settings:

- - **Name** as **Enable Device Control**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControlEnabled`

- - **Data Type** as **Integer**

- - **Value** as **1**

- `Disable: 0`

- `Enable: 1`

- - Select **Save**.

- :::image type="content" source="images/enable-rsac.png" alt-text="Screenshot of enabling Removable Storage Access Control policy" lightbox="images/enable-rsac.png":::

-2. Set Default Enforcement:

- You can set the default access (Deny or Allow) for all Device Control features (`RemovableMediaDevices`, `CdRomDevices`, `WpdDevices`, `PrinterDevices`).

- For example, you can have either a **Deny** or an **Allow** policy for `RemovableMediaDevices`, but not for `CdRomDevices` or `WpdDevices`. You can set **Default Deny** through this policy, then Read/Write/Execute access to `CdRomDevices` or `WpdDevices` will be blocked. If you only want to manage storage, make sure to create an **Allow** policy for your printer; otherwise, this default enforcement will be applied to printers as well.

- - In the **Add Row** pane, specify the following settings:

- - **Name** as **Default Deny**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DefaultEnforcement`

- - **Data Type** as **Integer**

- - **Value** as **1** or **2**

- `DefaultEnforcementAllow = 1`

- `DefaultEnforcementDeny = 2`

- - Select **Save**.

- :::image type="content" source="images/default-deny.png" alt-text="Screenshot of setting Default Enforcement as Deny" lightbox="images/default-deny.png":::

-3. Audit Default Deny:

- You can create an Audit policy for Default Deny as follows:

- - In the **Add Row** pane, enter:

- - **Name** as **Audit Default Deny**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bf3520ea7-fd1b-4237-8ebc-96911db44f8e%7d/RuleData`

- :::image type="content" source="images/audit-default-deny-1.png" alt-text="Screenshot of creating Audit Default Deny policy." lightbox="images/audit-default-deny-1.png":::

- - **Data Type** as **String (XML file)**

- - **Custom XML** as **Audit Default Deny.xml** file.

- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Audit%20Default%20Deny.xml>

- Use the following XML data to create your Audit policy for Default Deny:

- :::image type="content" source="images/audit-default-deny-xml-file-1.png" alt-text="Screenshot of audit default deny xml file.":::

-4. ReadOnly - Group:

- You can create a removable storage group with ReadOnly access as follows:

- - In the **Add Row** pane, enter:

- - **Name** as **Any Removable Storage Group**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b9b28fae8-72f7-4267-a1a5-685f747a7146%7d/GroupData`

- :::image type="content" source="images/any-removable-storage-group.png" alt-text="Screenshot of creating any Removable Storage Group." lightbox="images/any-removable-storage-group.png":::

- - **Data Type** as **String (XML file)**

- - **Custom XML** as **Any Removable Storage and CD-DVD and WPD Group.xml** file

- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml>

- Use the following XML data to create 'Any Removable Storage and CD-DVD and WPD Group' with ReadOnly access:

- :::image type="content" source="images/read-only-group-xml-file.png" alt-text="Screenshot of read only group xml file":::

-5. ReadOnly - Policy:

- You can create a ReadOnly policy and apply it to the ReadOnly removable storage group to allow read activity as follows:

- - In the **Add Row** pane, enter:

- - **Name** as **Allow Read Activity**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bf7e75634-7eec-4e67-bec5-5e7750cb9e02%7d/RuleData`

- :::image type="content" source="images/allow-read-activity.png" alt-text="Screenshot of Allow Read Activity policy" lightbox= "images/allow-read-activity.png":::

- - **Data Type** as **String (XML file)**

- - **Custom XML** as **Allow Read.xml** file

- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20Read.xml>

- Use the following XML data to create ReadOnly policy and apply to the ReadOnly removable storage group:

- :::image type="content" source="images/read-only-policy-xml-file.png" alt-text="Screenshot of read only policy xml file":::

-6. Create a Group for Allowed Media: You can create your allowed media group as follows:

- - In the **Add Row** pane, enter:

- - **Name** as **Approved USBs Group**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyGroups/%7b65fa649a-a111-4912-9294-fb6337a25038%7d/GroupData`

- :::image type="content" source="images/create-group-allowed-medias.png" alt-text="Screenshot of creating Approved USBs group" lightbox="images/create-group-allowed-medias.png":::

- - **Data Type** as **String (XML file)**

- - **Custom XML** as **Approved USBs Group.xml** file

- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Approved%20USBs%20Group.xml>

- Use the following XML data to create allowed media group:

- :::image type="content" source="images/create-group-allowed-medias-xml-file.png" alt-text="Screenshot of creating group for allowed medias xml file":::

-7. Create a policy to allow the approved USB Group: You can create a policy to allow the approved USB group as follows:

- - In the **Add Row** pane, enter:

- - **Name** as **Allow access and Audit file information**

- - **OMA-URI** as `./Vendor/MSFT/Defender/Configuration/DeviceControl/PolicyRules/%7bb2061588-029e-427d-8404-6dfec096a571%7d/RuleData`

- :::image type="content" source="images/allow-access-audit-file-information-1.png" alt-text="Screenshot of Allow access and audit file information" lightbox= "images/allow-access-audit-file-information-1.png":::

- - **Data Type** as **String (XML file)**

- - **Custom XML** as **Allow full access and audit file.xml** file

- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Allow%20full%20access%20and%20audit%20file.xml>

- Use the following XML data to create policy to allow the approved USB group:

- :::image type="content" source="images/create-policy-allow-approved-usb-group-xml-intune.png" alt-text="Screenshot of creating policy to allow the approved USB Group XML file":::

- What does '47' mean in the policy? It's 9 + 2 + 36 = 47:

- - Read access: 1 + 8 = 9.

- - Write access: disk level 2.

- - Execute: 4 + 32 = 36.

-## Deploying and managing policy by using Intune user interface

-This capability is available in the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>). Go to **Endpoint Security** > **Attack Surface Reduction** > **Create Policy**. Choose **Platform: Windows 10 and later** with **Profile: Device Control**.

-## Deploying and managing Removable Storage Access Control by using Group Policy

-The Removable Storage Access Control feature enables you to apply a policy by using Group Policy to either user or device, or both.

-### Licensing

-Before you get started with Removable Storage Access Control, you must confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=2). To access and use Removable Storage Access Control, you must have Microsoft 365 E3 or Microsoft 365 E5.

-### Deploying Removable Storage Access Control by using Group Policy

-1. Enable or Disable Removable Storage Access Control:

- You can enable Device control as follows:

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control**

- - In the **Device Control** window, select **Enabled**.

- :::image type="content" source="images/enable-rsac-gp.png" alt-text="Screenshot of Enabling RSAC using Group Policy " lightbox="images/enable-rsac-gp.png":::

-> [!NOTE]

-> If you don't see this group policy objects, you need to add group policy administrative template. you can download administrative template (WindowsDefender.adml and WindowsDefender.admx) from https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples.

-2. Set Default Enforcement:

- You can set default access (Deny or Allow) for all Device Control features (RemovableMediaDevices, CdRomDevices, WpdDevices, PrinterDevices).

- For example, you can have either a Deny or an Allow policy for RemovableMediaDevices, but not for CdRomDevices or WpdDevices. You set Default Deny through this policy, then Read/Write/Execute access to CdRomDevices or WpdDevices will be blocked. If you only want to manage storage, make sure to create Allow policy for Printer, otherwise, this Default Enforcement will be applied to Printer as well.

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Features** > **Device Control** > **Select Device Control Default Enforcement**

- - In the **Select Device Control Default Enforcement** pane, select **Default Deny**:

- :::image type="content" source="images/set-default-enforcement-deny-gp.png" alt-text="Screenshot of setting Default Enforcement = Deny using Group Policy" lightbox="images/set-default-enforcement-deny-gp.png":::

-3. Audit Default Deny:

- Use the following XML data to create Audit policy for Default Deny:

- :::image type="content" source="images/audit-default-deny-gp.png" alt-text="Screenshot of audit default deny xml data":::

-4. ReadOnly - Group:

- Use the following XML data to create removable storage group with ReadOnly access:

- :::image type="content" source="images/read-only-group-gp.png" alt-text="Screen shot of Read only removable storage group xml data":::

-5. ReadOnly - Policy:

- Use the following XML data to create ReadOnly policy and apply to the ReadOnly removable storage group to allow read activity:

- :::image type="content" source="images/read-only-policy-gp.png" alt-text="Screenshot of Read only policy xml data." lightbox="images/read-only-policy-gp.png":::

-6. Create a group for allowed Media:

- Use the following XML data to create removable storage allowed media group:

- :::image type="content" source="images/create-group-allowed-medias-gp.png" alt-text="Screenshot of xml data for creating group for allowed medias" lightbox="images/create-group-allowed-medias-gp.png":::

-7. Create a policy to allow the approved USB Group:

- Use the following XML data to create a policy to allow the approved USB group:

- :::image type="content" source="images/create-policy-allow-approved-usb-group-xml.png" alt-text="Screenshot of XML data to create policy to allow the approved USB Group using Group Policy" lightbox="images/create-policy-allow-approved-usb-group-xml.png":::

- What does '47' mean in the policy? It's 9 + 2 + 36 = 47:

- - Read access: 1+8 = 9.

- - Write access: disk level 2.

- - Execute: 4 + 32 = 36.

-8. Combine groups into one XML file:

- You can combine device control policy groups into one XML file as follows:

- - Go to **Computer Configuration** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Device Control** \> **Define device control policy groups**.

- :::image type="content" source="images/define-device-control-policy-grps-gp.png" alt-text="Screenshot of Define device control policy groups" lightbox="images/define-device-control-policy-grps-gp.png":::

- - In the **Define device control policy groups** window, specify the file path containing the XML groups data.

- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Groups.xml>

- The following is the device control policy groups xml schema:

- :::image type="content" source="images/combine-grps-xml-file-gp.png" alt-text="Screenshot of combine groups into one XML file":::

-9. Combine policies into one XML file:

- You can combine device control policy rules into one XML file as follows:

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define device control policy rules**.

- :::image type="content" source="images/define-device-cntrl-policy-rules-gp.png" alt-text="Screenshot of define device control policy rules" lightbox="images/define-device-cntrl-policy-rules-gp.png":::

- - In the **Define device control policy rules** window, select **Enabled**, and enter the file path containing the XML rules data.

- XML file path: <https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Group%20Policy/Demo_Policies.xml>

- The following is the device control policy rules xml schema:

- :::image type="content" source="images/combine-policies-xml-gp.png" alt-text="Screenshot of combine policies into one XML file":::

-10. Set location for a copy of the file (evidence):

- If you want to have a copy of the file (evidence) when Write access happens, specify the location where system can save the copy.

- - Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Device Control** > **Define Device Control evidence data remote location**.

- - In the **Define Device Control evidence data remote location** pane, select **Enabled**, and then specify the local or network share folder path.

- :::image type="content" source="images/evidence-data-remote-location-gp.png" alt-text="Screenshot of Define Device Control evidence data remote location." lightbox="images/evidence-data-remote-location-gp.png":::

-## View Device Control Removable Storage Access Control data in Microsoft Defender for Endpoint

-## Frequently asked questions

-### How to generate GUID for Group Id/PolicyRule Id/Entry Id?

-You can generate the GUID through online open source, or through PowerShell - [How to generate GUID through PowerShell](/powershell/module/microsoft.powershell.utility/new-guid)

-

-### What are the removable storage media and policy limitations?

-Either from the Microsoft Endpoint Manager admin center (Intune) or through Microsoft Graph API, the backend call is done through OMA-URI (GET to read or PATCH to update) and therefore the limitation is the same as any OMA-URI custom configuration profile in Microsoft which is officially 350,000 characters for XML files.

-For example, if you need two blocks of entries per user SID to "Allow"/"Audit allowed" specific users and two blocks of entries at the end to "Deny" all, you will be able to manage 2,276 users.

-### Why doesn't the policy work?

-1. The most common reason is there's no required [antimalware client version](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control#prepare-your-endpoints).

-2. Another reason could be that the XML file isn't correctly formatted, for example, not using the correct markdown formatting for the "&" character in the XML file, or the text editor might add a byte order mark (BOM) 0xEF 0xBB 0xBF at the beginning of the files, which causes the XML parsing not to work. One simple solution is to download the [sample file](https://github.com/microsoft/mdatp-devicecontrol/tree/main/Removable%20Storage%20Access%20Control%20Samples) (select **Raw** and then **Save as**) and then update.

-3. If you are deploying and managing the policy by using Group Policy, please make sure to combine all PolicyRule into one XML file within a parent node called PolicyRules and all Group into one XML file within a parent node called Groups; if you manage through Intune, keep one PolicyRule one XML file, same thing, one Group one XML file.

-If it still doesn't work, you contact support, and share your support cab. To get that file, use Command Prompt as an administrator:

-`"%programfiles%\Windows Defender\MpCmdRun.exe" -GetFiles`

-### There is no configuration UX for **Define device control policy groups** and **Define device control policy rules** on my Group Policy

-We don't backport the Group Policy configuration UX, but you can still get the related adml and admx files by selecting **Raw** and **Save as** at the [WindowsDefender.adml](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.adml) and [WindowsDefender.admx](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/WindowsDefender.admx) files.

-### How do I confirm that the latest policy has been deployed to the target machine?

-You can run the PowerShell cmdlet `Get-MpComputerStatus` as an administrator. The following value will show whether the latest policy has been applied to the target machine.

-### How can I know which machine is using out of date antimalware client version in the organization?

-You can use following query to get antimalware client version on the Microsoft 365 security portal:

-```kusto

-//check the antimalware client version

-DeviceFileEvents

-|where FileName == "MsMpEng.exe"

-|where FolderPath contains @"C:\ProgramData\Microsoft\Windows Defender\Platform\"

-|extend PlatformVersion=tostring(split(FolderPath, "\\", 5))

-//|project DeviceName, PlatformVersion // check which machine is using legacy platformVersion

-|summarize dcount(DeviceName) by PlatformVersion // check how many machines are using which platformVersion

-|order by PlatformVersion desc

-```

-### How do I find the media property in the Device Manager?

-1. Plug in the media.

-2. Open Device Manager.

- 

-3. Locate the media in the Device Manager, right-click, and then select **Properties**.

- :::image type="content" alt-text="Screenshot of media in the Device Manager." source="https://user-images.githubusercontent.com/81826151/181859700-62a6f704-b12e-41e3-a048-7d63432654a4.png":::

-4. Open **Details**, and select **Properties**.

- :::image type="content" alt-text="Screenshot of device property in Device Manager." source="https://user-images.githubusercontent.com/81826151/181859852-00bc8b11-8ee5-4d46-9770-fa29f894d13f.png":::

-

-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You'll be notified if you need to restart the process, app, or Windows.

-To set app-level mitigations to audit mode, use `Set-ProcessMitigation` with the **Audit mode** cmdlet.

-|Mitigation|Audit mode cmdlet|

-For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command:

-If machine with the specified ID was not found - 404 Not Found.

-Here is an example of the request.

-Here is an example of the response.

-GET https://api-luna.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c6e-b555-d6a97013844c/machinereferences

- "@odata.context": "https://wpatdadi-luna-stg.cloudapp.net/api/$metadata#MachineReferences",

-GET https://api-luna.securitycenter.windows.com/api/remediationtasks/03942ef5-aecb-4c6e-b555-d6a97013844c

- "@odata.context": "https://wpatdadi-luna-stg.cloudapp.net/api/$metadata#RemediationTasks/$entity",

-|cloud_automatic_sample_submission_consent|Current sample submission level. Can be one of the following values: <ul><li>**None**: No suspicious samples are submitted to Microsoft.</li><li>**Safe**: Only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.</li><li>**All**: All suspicious samples are submitted to Microsoft.</li></ul>|

-|conflicting_applications|List of applications that are possibly conflicting with Microsoft Defender for Endpoint. This list includes, but is not limited to, other security products and other applications known to cause compatibility issues.|

-|network_protection_status|Status of the network protection component (macOS only). Can be one of the following values: <ul><li>**starting** - Network protection is starting</li><li>**failed_to_start** - Network protection couldn't be started due to an error</li><li>**started** - Network protection is currently running on the device</li><li>**restarting** - Network protection is currently restarting</li><li>**stopping** - Network protection is stopping</li><li>**stopped** - Network protection is not running</li></ul>|

-|org_id|Organization that the device is onboarded to. If the device is not yet onboarded to any organization, this prints unavailable. For more information on onboarding, see [Onboard to Microsoft Defender for Endpoint](onboarding.md).|

-|real_time_protection_subsystem|Subsystem used to serve real-time protection. If real-time protection is not operating as expected, this prints unavailable.|

-The **Device health status** card shows a summarized health report for the specific device. One of the following status is displayed at the top of the card to indicate the overall status of the device:

->[!NOTE]

->The overall status message for macOS and Linux devices currently shows up as 'Status not available for macOS & Linux'. Currently, the status summary is only available for Windows devices. All other information in the table is up to date to show the individual states of each device health signal for all supported platforms.

-### To backup crontab entries

-| | | +ΓÇöΓÇö- month (values: 1 - 12) (special characters: , \- \* / ) <br>

-2. Right Click **Device Collection** and select **Create Device Collection**.

-5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.

-7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.

-2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.

-8. Click **Browse**.

-10. Click **Next**.

-12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.

-13. Verify the configuration, then click **Next**.

-14. Click **Close** when the Wizard completes.

-16. On the right panel, select the previously created collection and click **OK**.

-Follow the steps below to identify the Defender for Endpoint Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.

-2. Under operating system choose **Windows 7 SP1 and 8.1**.

-Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.

- For more details, see [Windows Security configuration framework](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework).

-3. Right-click on the newly created antimalware policy and select **Deploy**.

-4. Target the new antimalware policy to your Windows collection and click **OK**.

-All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft 365 Defender portal. The goal with a deployment is to step-by-step move security controls into block mode.

-To set ASR rules in Audit mode:

-3. Set rules to **Audit** and click **Next**.

-4. Confirm the new Exploit Guard policy by clicking on **Next**.

-5. Once the policy is created click **Close**.

-7. Target the policy to the newly created Windows collection and click **OK**.

-After completing this task, you now have successfully configured ASR rules in audit mode.

-3. Click **Go to attack surface management** in the Attack surface management panel.

-4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.

-5. Click each device shows configuration details of ASR rules.

-#### Set Network Protection rules in Audit mode

-3. Set the setting to **Audit** and click **Next**.

-4. Confirm the new Exploit Guard Policy by clicking **Next**.

-5. Once the policy is created click on **Close**.

-After completing this task, you now have successfully configured Network Protection in audit mode.

-#### To set Controlled Folder Access rules in Audit mode

-3. Set the configuration to **Audit** and click **Next**.

-4. Confirm the new Exploit Guard Policy by clicking on **Next**.

-5. Once the policy is created click on **Close**.

-7. Target the policy to the newly created Windows collection and click **OK**.

-You have now successfully configured Controlled folder access in audit mode.

-Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](alerts-queue.md).

-Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K.

- - Sense version 10.8049.22439.1084 (KB5005292) or later

- - Microsoft Defender Antivirus - Platform: 4.18.2207.7 (KB4052623) or later

- - Microsoft Defender Antivirus - Engine: 1.1.19500.2 (KB2267602) or later

-If incident with the specified id was not found - 404 Not Found.

-Here is an example of the request.

- - If a URL opens into a link that directly downloads a file. However, you will see the downloaded file in the detonation chain.

-*Latest delivery location*: The latest delivery location is the location where an email landed after system actions like ZAP, or admin actions like Move to Deleted Items, finish. Latest delivery location is not intended to inform admins of the message's *current* location. For example, if a user deletes a message, or moves it to archive, the delivery location won't be updated. However, if a system action has taken place and updated the location (like a ZAP resulting in an email moving to quarantine) this would update the Latest delivery location to quarantine.

- - None: Indicates that the message was not signed. This may or may not indicate that the domain has a DKIM record or the DKIM record does not evaluate to a result, only that this message was not signed.

-Security teams can now take email actions like soft delete and hard delete, move to junk, move to inbox, trigger an investigation, submit to Microsoft for review in line, and et cetera. **Tenant level block** actions like file and URL or sender can also be trigged from Email entity page.

-You will be able to click on **Take actions** from the top right corner of the entity page and this will open the Action wizard for you to select the specific action you need.

-The email summary panel is a summarized view of the full email entity page. It contains standardized details about the email (e.g., detections), as well as context-specific information (e.g., for Quarantine or Submissions metadata). The email summary panel replaces the traditional Real-time Detections, Threat Explorer, Submissions, and Reporting flyouts.

-In addition to the above sections, you will also see sections specific to few experiences which are integrated with the summary panel:

- > Entries in the "Do not rewrite the following URLs" list are not scanned or wrapped by Safe Links during mail flow. Use [URL allow entries in the Tenant Allow/Block List](allow-block-urls.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-urls-in-the-submissions-portal) so URLs are not scanned or wrapped by Safe Links during mail flow _and_ at time of click.

-|Find PowerShell cmdlet help references to manage Microsoft Whiteboard|[PowerShell for Whiteboard](/powershell/module/whiteboard/)|