From a6193a67bc66e80c6e96015e68483bb6c2ecdff4 Mon Sep 17 00:00:00 2001 From: faoquong <61523250+faoquong@users.noreply.github.com> Date: Fri, 4 Oct 2024 18:58:15 -0700 Subject: [PATCH 1/2] Update quarantine-faq.yml @chrisda --- defender-office-365/quarantine-faq.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/defender-office-365/quarantine-faq.yml b/defender-office-365/quarantine-faq.yml index cd0f223c2d..dc8cc414bc 100644 --- a/defender-office-365/quarantine-faq.yml +++ b/defender-office-365/quarantine-faq.yml 
@@ -133,10 +133,14 @@ sections: If a third party filter isn't preventing the message from reaching the user's Inbox and the first release attempt didn't work, admins can try using the [Release-QuarantineMessage](/powershell/module/exchange/release-quarantinemessage) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) with the _Force_ switch to release the message. - If **Release-QuarantineMessage** with the _Force_ switch doesn't work, admins should try releasing the message to an alternate mailbox after filtering by the third party service is turned off. + If **Release-QuarantineMessage** with the _Force_ switch doesn't work, admins should try releasing the message to an alternate mailbox after filtering by the third party service is turned off. Note that Force release could cause messages to be released multiple times + + Note that if there is a recipient level delete that has occured on any of the messages where bulk release to all action is attempted on, it will error. The Admin needs to release that specific message only to the recipient where delete from quarantine has not taken place for - Inbox rules ([created by users in Outlook](https://support.microsoft.com/office/c24f5dea-9465-4df4-ad17-a50704d66c59) or by admins using the **\*-InboxRule** cmdlets in Exchange Online PowerShell) can move or delete messages from the Inbox. + - Some transport rules that led to the Quarantine of a message will cause the released quaratine message to be quarantined again. + Admins can use [message trace](message-trace-defender-portal.md) to determine if a released message was delivered to the recipient's Inbox. - question: | 
@@ -159,6 +163,8 @@ sections: For bulk actions that are available on the **Quarantine** page, see [Take action on multiple quarantined email messages](quarantine-admin-manage-messages-files.md#take-action-on-multiple-quarantined-email-messages). + P2/E5 customers they can use Threat explorer to perform larger bulk release operations (Upper limit of 200,000). + - question: | Are wildcards supported when searching for quarantined messages? Can I search for quarantined messages for a specific domain? answer: | @@ -210,6 +216,8 @@ sections: > The fastest, most frequent notification schedule that's available is every four hours. > > If you select every four hours, and a message is quarantined _just after_ the last notification generation, the recipient will receive the quarantine notification _slightly more than_ four hours later. + > + > for messages zapped to Quarantine, Quarantine notifications are generated in accordance to the time the messages landed in Quarantine (not when it landed inbox) - question: | Why aren't users receiving notifications about their quarantined messages? From d8e77305f57f6f0ba1647dcced3d7772df778b32 Mon Sep 17 00:00:00 2001 From: Chris Davis Date: Mon, 7 Oct 2024 09:26:53 -0700 Subject: [PATCH 2/2] Update quarantine-faq.yml --- defender-office-365/quarantine-faq.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/defender-office-365/quarantine-faq.yml b/defender-office-365/quarantine-faq.yml index dc8cc414bc..d06d5142dd 100644 --- a/defender-office-365/quarantine-faq.yml +++ b/defender-office-365/quarantine-faq.yml @@ -6,7 +6,7 @@ metadata: ms.author: chrisda author: chrisda manager: deniseb - ms.date: 09/11/2024 + ms.date: 10/07/2024 audience: ITPro ms.topic: faq 
@@ -133,13 +133,13 @@ sections: If a third party filter isn't preventing the message from reaching the user's Inbox and the first release attempt didn't work, admins can try using the [Release-QuarantineMessage](/powershell/module/exchange/release-quarantinemessage) cmdlet in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell) with the _Force_ switch to release the message. - If **Release-QuarantineMessage** with the _Force_ switch doesn't work, admins should try releasing the message to an alternate mailbox after filtering by the third party service is turned off. Note that Force release could cause messages to be released multiple times + If **Release-QuarantineMessage** with the _Force_ switch doesn't work, admins should try releasing the message to an alternate mailbox after filtering by the third party service is turned off. Forced release might cause messages to be released multiple times. - Note that if there is a recipient level delete that has occured on any of the messages where bulk release to all action is attempted on, it will error. The Admin needs to release that specific message only to the recipient where delete from quarantine has not taken place for + You receive an error if you try to bulk release multiple messages to all recipients and a recipient-level message delete was done on any of the messages. The admin needs to release that specific message only to the recipient where delete from quarantine has not occurred. - Inbox rules ([created by users in Outlook](https://support.microsoft.com/office/c24f5dea-9465-4df4-ad17-a50704d66c59) or by admins using the **\*-InboxRule** cmdlets in Exchange Online PowerShell) can move or delete messages from the Inbox. - - Some transport rules that led to the Quarantine of a message will cause the released quaratine message to be quarantined again. + - Some mail flow rules that quarantined a message can cause the released message to be quarantined again. 
Admins can use [message trace](message-trace-defender-portal.md) to determine if a released message was delivered to the recipient's Inbox. @@ -163,7 +163,7 @@ sections: For bulk actions that are available on the **Quarantine** page, see [Take action on multiple quarantined email messages](quarantine-admin-manage-messages-files.md#take-action-on-multiple-quarantined-email-messages). - P2/E5 customers they can use Threat explorer to perform larger bulk release operations (Upper limit of 200,000). + In Defender for Office 365 Plan 2, you can use Explorer (Threat Explorer) to do larger bulk release operations (a maximum of 200,000 messages). - question: | Are wildcards supported when searching for quarantined messages? Can I search for quarantined messages for a specific domain? @@ -217,7 +217,7 @@ sections: > > If you select every four hours, and a message is quarantined _just after_ the last notification generation, the recipient will receive the quarantine notification _slightly more than_ four hours later. > - > for messages zapped to Quarantine, Quarantine notifications are generated in accordance to the time the messages landed in Quarantine (not when it landed inbox) + > For messages quarantied by zero-hour auto purge (ZAP), quarantine notifications are generated based on when the message was quarantined, not when the message was delivered to the mailbox. - question: | Why aren't users receiving notifications about their quarantined messages?
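Review bot: In [PATCH 1/2], hunk @@ -133,10 +133,14 @@, the added recipient-level delete sentence stops mid-clause at "has not taken place for", and the added lines also carry the typos "occured" and "quaratine" and a missing period after "released multiple times". Finish the sentence and fix the spelling in this commit. [PATCH 2/2] rewrites these lines, so squashing the two commits would keep the broken wording out of the file history.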
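Review bot: In [PATCH 2/2], hunk @@ -133,13 +133,13 @@, the rewritten paragraph changes voice between consecutive sentences ("You receive an error" then "The admin needs to release"), and "only to the recipient where delete from quarantine has not occurred" reads as a single recipient although the scenario is a release to all recipients. Suggest one voice throughout and wording such as "only to the recipients who haven't deleted the message from quarantine". The new "Forced release might cause messages to be released multiple times" sentence gives no way to check for that; pointing to the message trace sentence a few lines below in the same answer would close the gap.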
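Review bot: In [PATCH 2/2], hunk @@ -163,7 +163,7 @@, the new Explorer sentence has no link, while the sentence directly above it links to the article for bulk actions on the Quarantine page. Add a link to the Threat Explorer article so readers can find the release action, and confirm that dropping the "E5" part of the 1/2 wording ("P2/E5 customers") is intentional.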
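Review bot: In [PATCH 2/2], hunk @@ -217,7 +217,7 @@, the added note line misspells "quarantined" as "quarantied" in "For messages quarantied by zero-hour auto purge (ZAP)". Fix the spelling before merge; expanding "zapped" to "zero-hour auto purge (ZAP)" is otherwise a clear improvement over the 1/2 text.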