Litigation Hold and In-Place Hold in Exchange 2013 and Exchange Online
In Exchange 2010 and Exchange Online, we introduced Litigation Hold to allow you to immutably preserve mailbox content to meet long-term preservation and eDiscovery requirements. When a mailbox is placed on Litigation Hold, mailbox content is preserved indefinitely.

Placing a mailbox on Litigation Hold

You can place a mailbox on Litigation Hold by using the Exchange Administration Center (EAC) or the Shell (set the LitigationHoldEnabled parameter). In Exchange 2010, you can also use the Exchange Management Console (EMC) to do this.

Figure 1: Enabling Litigation Hold for a mailbox using the EAC in Exchange 2013 and Exchange Online

Figure 2: Adding a note and a URL to inform & educate users placed on Litigation Hold

Preserving items for a specified duration

To preserve items for a specified period, we added the LitigationHoldDuration parameter to Exchange Online. This helps you meet your compliance needs by preserving all items in a mailbox for the specified duration, calculated from the date the item was created (date received in case of inbound email). For example, if your organization needs to preserve all mailbox data for seven years, you can place all mailboxes on Litigation Hold and set the LitigationHoldDuration to 7 years (in days). This functionality is also available in Exchange 2013, allowing you to preserve items for a specified duration in your on-premises organization – one example of how developments in Exchange Online benefit Exchange Server on-premises.

In-Place Hold in Exchange 2013 and Exchange Online

In Exchange 2013 and the new Exchange Online, we introduced In-Place Hold, which allows more flexibility in preserving your data. Hold functionality is integrated with In-Place eDiscovery to allow you to search and preserve using a single wizard or a single cmdlet (New-MailboxSearch).
You can use the In-Place eDiscovery & Hold wizard or the cmdlet to search for and preserve items matching your query parameters, known as a query-based In-Place Hold, preserve items for a specified period, known as a time-based hold, and also preserve everything indefinitely, which emulates the old Litigation Hold feature. Check out In-Place eDiscovery and In-Place Hold in the New Exchange - Part I and Part II for more info.

Using Litigation Hold in Exchange 2013 and Exchange Online

If you tried placing a mailbox on Litigation Hold using the EAC or the Shell, both the interfaces displayed an alert message with a recommendation to switch to the new In-Place Hold feature. This recommendation was also reflected in the product documentation.

Figure 3: Warning displayed when using Litigation Hold in the EAC in Exchange 2013

Litigation Hold isn't going away: Since the release of Exchange 2013 and the new Exchange Online, we've received a lot of questions and feedback from you about whether Litigation Hold will be removed. We want to clarify that we do not plan to remove Litigation Hold from Exchange Online or Exchange 2013. We've removed the alert from Exchange Online and in Exchange 2013 SP1. We've also removed the recommendation from Exchange Online and Exchange 2013 documentation.

Use the hold feature that best meets your needs

You can use either hold feature to preserve mailbox data in Exchange 2013 and Exchange Online, based on your preservation needs. Here are some scenarios to help you choose between the two holds.

| You want to… | Use Litigation Hold | Use In-Place Hold |
| --- | --- | --- |
| Preserve all items in a mailbox | Yes | Yes. To preserve all items, don’t specify any query parameters. |
| Preserve all items in a mailbox for a specific duration | Yes. Specify the LitigationHoldDuration parameter for the mailbox using the Shell. | Yes. Create a time-based In-Place Hold. Specify the duration in the In-Place Hold settings in EAC or ItemHoldDuration parameter from the Shell. |
| Preserve items matching query parameters | No. Litigation Hold preserves all items. | Yes. Create a query-based In-Place Hold. Specify query parameters such as start date, end date, sender, recipients and keywords. |
| Specify types of items to preserve (such as email, calendar, notes) | No. Litigation Hold preserves all items. | Yes. You can use the EAC or the MessageTypes parameter from the Shell. |
| Specify hold settings for members of a distribution group | Yes. Use the Get-DistributionGroupMember cmdlet in the Shell to pipe distribution group members to the Set-Mailbox cmdlet. [1] | Yes. Easily specify distribution groups in the In-Place eDiscovery and Hold wizard in the EAC or in the SourceMailboxes parameter in the Shell. [2] |
| Max users on hold | No. Litigation Hold is a mailbox parameter. No maximum limits apply. You can use the Shell to quickly place all users in an organization on hold. | You can specify a maximum of 10,000 users per In-Place Hold object. To place additional users on hold, you must create another hold. |
| Place multiple holds on a mailbox | No | Yes. You can place a user on multiple In-Place Holds, for example when a user is subject to multiple investigations or legal cases. |
| Make mailboxes inactive to preserve data in Exchange Online | Yes [3] | Yes |
| Archive Lync conversations and meeting content to Exchange | Yes | Yes |

[1] Distribution group is expanded when you run the command. Future changes to the group require running the command again.
[2] Distribution groups are expanded only when you create or refresh the In-Place Hold. Future changes to the group require refreshing the search object.
[3] Inactive mailboxes is an Exchange Online feature. The linked documentation is being updated to clarify you can also use Litigation Hold to make a mailbox inactive.

Bharat Suneja

Updates
12/11/2013: Added 'Specify types of items to preserve' row to comparison table.
12/11/2013: Added 'ItemHoldDuration' parameter to comparison table.
8/12/2014: Updated max mailboxes per In-Place Hold limit to 10,000 mailboxes. Added link to Place all mailboxes on hold. Added another row to table for archiving Lync content to Exchange.
6/3/2015: Changed the Litigation Hold column for "Archive Lync conversations and meeting content to Exchange" row in table to "Yes". Litigation Hold also enables you to archive Lync content in Exchange. Removed the following text: "To archive Lync Online IM conversations to Exchange Online, you must place a mailbox on In-Place Hold. In on-premises deployments, you can configure Lync Server to archive to Exchange Server without placing the user on In-Place Hold."

In-Place eDiscovery and In-Place Hold in the New Exchange - Part I
When faced with eDiscovery requests, organizations need to be able to preserve email records, search relevant records and produce them for review.

In Exchange Server 2010 and Office 365, Litigation Hold makes it possible to preserve mailbox items. When a user or a process attempts to delete an item permanently, it is removed from the user’s view to an inaccessible location in the mailbox. Additionally, when a user or a process modifies an item, a Copy-on-write (COW) is performed and a copy of the original item is saved right before the changed version is committed, preserving original content. The process is repeated for every change, preserving a copy of all subsequent versions.

Using Multi-Mailbox Search, also new in Exchange 2010, delegated legal, human resources or IT personnel (referred to as discovery managers because they need to be assigned Discovery Management permissions) can search mailbox content across their entire Exchange 2010 organization. Messages returned from a search can be copied to a Discovery mailbox, which is a special type of mailbox with higher mailbox quotas and no capability to send or receive messages.

What's New in In-Place eDiscovery & Hold in Exchange 2013

Since the release of Exchange 2010 and Office 365, we have received a lot of feedback from organizations of all sizes about the messaging policy & compliance features, including archiving, eDiscovery & hold. When planning the evolution of compliance features, we’ve kept your feedback front and center. Let’s take a look at what has changed.

A new name

In the new Exchange, Multi-Mailbox Search is known as In-Place eDiscovery.

A new search engine

In-Place eDiscovery still uses the search indexes generated by Exchange Search, but under the hood Exchange Search has been retooled to use Microsoft Search Foundation. The content indexing function was previously performed by Windows Search.
Microsoft Search Foundation is a rich search platform that comes with significantly improved indexing and querying performance and improved search functionality.

A new way to preserve

In the new Exchange, you can use In-Place Hold to place searched content on hold. In-Place Hold is integrated with In-Place eDiscovery, allowing you to simultaneously search and hold content using the same easy-to-use interface. Integrating hold with eDiscovery allows you to be very specific as to what you hold using a query. Reducing the volume of data you preserve lowers the cost of reviewing the data later.

A new UI

The new Exchange sports a brand new, unified web-based admin tool, the Exchange Administration Center (EAC). Discovery Managers use the new In-Place eDiscovery & Hold wizard to perform eDiscovery searches.

Keyword statistics

After you create an In-Place eDiscovery search, you can get detailed keyword statistics showing you the number of items matched for each keyword. You can use this information to determine if the query has returned the number of messages you estimated. Depending on whether a query is too broad or too narrow, the search may return too many or too few messages. Use this information to fine-tune your query.

eDiscovery Search Preview

After you’ve created an eDiscovery search, you can quickly preview search results. Messages returned from each source mailbox are displayed in search preview. Being able to quickly preview messages allows you to ensure your query returns the content you’re searching and further fine-tune your query.

Integration with the New SharePoint

Exchange offers an integrated eDiscovery & Hold experience with the new SharePoint. Using the eDiscovery Center, you can search and hold in-place all content related to a case – SharePoint web sites, documents, file shares indexed by SharePoint, mailbox content in Exchange and archived Lync content from a single location.
You can export content associated with a case, including files, lists, web pages and Exchange mailbox content. Mailbox content is exported as a .PST file. An XML manifest that complies with the Electronic Discovery Reference Model (EDRM) specification provides an overview of the exported information.

To search Exchange content, SharePoint uses Exchange’s Federated Search API. Regardless of whether you search Exchange content from the EAC or using SharePoint, the same search results are returned. The new SharePoint and Exchange both use the same underlying indexing and querying engine – Microsoft Search Foundation, which allows you to use the same search query for both SharePoint and Exchange content.

Performing an In-Place eDiscovery search

Let’s take a look at how one discovery manager performs an In-Place eDiscovery search.

Robin works on the legal team at marketing firm Contoso. Contoso receives a request from a company called Tailspin Toys to assist with a marketing campaign for a new toy they are producing. Contoso is known for doing great toy marketing campaigns since they do a lot of work in the toy industry. This is great for business but they also have to be careful because many of the toy companies with which they work are competitors. Contoso just finished a highly successful marketing campaign with another toy company called Wingtip Toys and Robin wants to ensure that there's no confidential information that may accidentally get passed from one customer to another through her team. To that end, Robin wants to search through her company's email and documents with the help of her legal team to make sure there are no potential issues.

To use In-Place eDiscovery, a user must be delegated the Discovery Management role group. You can delegate the role to authorized legal, compliance management or human resources personnel. Robin is one of those legal team members.
This ability to have scoped roles in the new Exchange 2013 allows IT Pros to delegate compliance responsibilities to folks like Robin without giving them full access to all Exchange server functionality.

Robin starts by navigating to the Exchange Administration Center. The EAC’s Compliance Management tab is where you can manage compliance features in the new Exchange. Because Robin doesn’t have any other Exchange administrator roles, she only sees the interface relevant to the Discovery Management role group. On the compliance management tab, she can only see In-Place eDiscovery & Hold.

Figure 1: In-Place eDiscovery and Hold tab is accessible to users with delegated Discovery Management permissions

She clicks on the Add button to start the new In-Place eDiscovery & Hold wizard and enters a name and an optional description for the search.

Figure 2: Create an In-Place eDiscovery search using the new In-Place eDiscovery & Hold wizard in EAC

Robin can search all mailboxes in the Exchange organization or select the mailboxes she wants to search.

Figure 3: Specify mailboxes (to search or search all mailboxes)

On the Search query page, Robin can select the option to return all mailbox content or just specific content. Robin wants to find specific content related to work done between her team members and Wingtip Toys. She has the option to perform a simple search by just entering a few keywords or, if she wants, a more complex search with Boolean operators like AND and OR, parentheses, etc., so she can be very specific as to what she is looking for. This can be a big time and cost savings for her since multiple gigabyte mailboxes are very common and she wants to reduce that set of content down to the minimum amount she needs to look at to find what she wants.
Figure 4: Specify a search query, including keywords, start and end dates, sender and recipients

In addition to using Boolean logic she’s also using the proximity operator (NEAR), which allows her to find words that are close to each other. You can also see her using a wildcard character so in this case she is looking for the word wingtip within three words of toy, toys, toymaker or anything similar. In this particular case, Robin wants to look for these keywords anywhere in a given email, but if she wants to be more specific, for example search for a phrase only in the message subject, she could type in Subject: and then her phrase right after it. Depending on how specific she wants to be, she can create complex queries. You can use several hundred keywords in a query.

She can also choose specific types of messages. An Exchange mailbox has email but also calendar items, tasks, notes and other items related to personal information management. The new Exchange allows her to search all of those items or she can narrow the query down to specific types of items. She selects email and also meetings so she can track which ones of her employees met with Wingtip and read the meeting invites to find out what was discussed.

Figure 5: Select all message types or specify the message types to search

Once Robin has created her query to define what content is important to her, she has a few options in terms of what to do with the results. If she feels it's important to protect this content she has the option to place it on hold. When content is placed on hold, Exchange automatically captures any attempts to edit or delete data and stores those items in a hidden folder in the mailbox. It's completely invisible to the end-users so it doesn't interrupt their daily workflow, but it does keep that important data for recovery later.

Figure 6: Placing search results on an In-Place Hold

We will talk more about In-Place Hold in Part II of this post.

Robin clicks Finish.
The search is running against Exchange 2013 mailboxes and placing items on hold. When the search is complete, Robin takes a look at the total size and item count to see if it’s manageable. If there are a million items, her query is likely too broad; if there are no items, it may be too narrow. If she wants to dig into the details, she can view the search statistics to see exactly how each keyword contributed to the overall result set. That lets her really be targeted about the way she's tweaking her queries so she can quickly get a result set down to a manageable size.

Figure 7: Use search estimate and keyword statistics to fine-tune search queries

Once she is done tweaking her query, she can stop the search and discuss with her team or legal counsel whether the query is correct. She can also create additional eDiscovery searches and use different query parameters. She can also choose to preview messages returned in the search.

Figure 8: eDiscovery Search Preview to preview messages and determine query effectiveness

The eDiscovery Search Preview displays message count and total size for each mailbox searched. The preview functionality is built on Outlook Web App, which shows the message in its native format without any changes.

Figure 9: eDiscovery Search Preview displays live message preview without copying messages to a Discovery mailbox

Robin can quickly scroll through all of her results to view additional items that came back with her search. Since she is using the full-fidelity Outlook Web App preview, she can also view attachments.

Once Robin has previewed her results and she's happy with them, she can make a copy of them for later review, or export them to hand off to her outside legal counsel. To do that, she simply clicks on the Copy search results link.
Figure 10: Copying messages returned by the search to a Discovery mailbox

When copying messages to a discovery mailbox, she has the following options:

- Include unsearchable items: She can choose whether she wants to include "unsearchable" items, items that our indexing system may not be able to handle, such as a corrupted item, a password-protected zip attachment, or an item encrypted with something other than Information Rights Management. This check box gives her the option to include those too in case she wants to review them manually just to make sure she's doing her due diligence and not missing anything.
- Enable de-duplication: She also has the option to enable de-duplication. As you know, it's very common to send email to multiple people at once. De-duplication allows her to reduce that down to only one copy so there are fewer messages to review.
- Enable full logging: She can also keep a full log of search results if she wants, which includes a complete list of every item she found. This is especially useful for de-duplication, since if you de-duplicate you only keep one copy of a message that multiple people may have. Later on, she may have a need to know if one person had it in his inbox and it was flagged as important, but another person moved it into his deleted items folder and never read it. All that information is in that log.
- Email notification: She can also choose to have an email sent to her when the copy process completes. If search results return 20-30 GB of data, it can take a while to copy them to a discovery mailbox.

The last thing Robin will pick is the Discovery mailbox into which she wants to put her search results.

After copying is completed, Robin can see that the copy operation is complete and she has a link to the mailbox where the results are stored. Robin can now navigate to the copy of her search results to view them.
In this view, she can review her items: she can tag items that are important, or if she decides some are not important, she can move them to the deleted items folder so that they are no longer in her view. Once that's done, if Robin needs to share the consolidated results with an outside counsel, she can use her Outlook client to export the consolidated results list to a PST file.

We’ve provided you with an overview of the In-Place eDiscovery & In-Place Hold functionality in the new Exchange. In Part II of this post, which is scheduled to be published shortly, we will dig deeper into In-Place Hold.

Bharat Suneja and Julian Zbogar-Smith

Go to In-Place eDiscovery and In-Place Hold in the New Exchange – Part II

Retention Hold and Litigation Hold in Exchange 2010
In Exchange 2010, you can place a mailbox on retention hold or legal hold. The two holds serve different purposes. It's important to understand the functionality provided by both.

Retention Hold: As the Messaging Records Management page in the EMC suggests (see Figure 1), retention hold is used to halt retention policy, which means the Managed Folder Assistant (MFA) does not move or delete items from the mailbox. It's typically used when a user may not have mailbox access for an extended duration, for example, when the user's on vacation. You can also use retention hold during the initial phase of MRM deployment and remove it as users become more comfortable with MRM functionality.

Should users access their mailbox when it’s on retention hold, they may notice that items aren’t being deleted or moved to archive. Mailbox size increases as more email accumulates and you may need to raise the user's mailbox quotas to ensure mail flow to and from the mailbox isn’t interrupted.

The mailbox owner or any user (or process) with mailbox access can delete messages when the mailbox is on retention hold. Deleted messages are not treated any differently when a mailbox is on retention hold. Deleted items are retained until the deleted item retention period (14 days by default) and then deleted permanently. See the Retention Hold section in Understanding Retention Tags and Retention Policies for more details.

When placing a mailbox on retention hold, you can specify a start date and an end date. This allows you to configure retention hold in advance, and have it end at a predetermined date.

Takeaway: retention hold is for planned activity; it suspends move or delete actions taken by the MFA. If you haven't deployed either MRM feature (Retention Tags or Managed Folders), retention hold is unnecessary.

Note: When you archive-enable a mailbox, the Default Archive and Retention Policy is automatically applied to the mailbox if it doesn't have a retention policy.
Litigation Hold: Litigation hold, also known as legal hold, is used to preserve mailbox items for discovery before and during legal proceedings, investigations or similar events. The goal is to preserve mailbox items from inadvertent or purposeful modification or deletion by the mailbox owner or any user with mailbox access, and also automated deletion by processes such as the MFA. Unlike retention hold, you can’t configure litigation hold to start and end at a specified date – it’s either enabled or not.

Until the hold is removed, deleted items are not purged from the mailbox database. If mailbox items are modified, a copy of the original item is also retained. These are returned in Discovery searches performed when the mailbox is on litigation hold. See Understanding Litigation Hold for more details.

When you place a mailbox on litigation hold, Exchange also populates the LitigationHoldDate and the LitigationHoldOwner properties, which can be useful for tracking purposes. Note that an administrator can modify both of these properties. Administrator Audit Logging is the best place if you're looking for a reliable audit trail of admin actions.

Tip: You can run a litigation hold report from the Exchange Control Panel by going to Roles & Auditing > Auditing > Run a litigation hold report....

Mailbox quotas for mailboxes on hold

Both types of hold will result in more data being stored in a mailbox. Understandably, both may require some adjustments to storage quotas.

Mailboxes on retention hold may require higher mailbox quotas because the MFA doesn’t delete items or move them to the user’s archive mailbox.

Mailboxes on litigation hold don’t require a higher mailbox quota because the user and MFA continue to delete messages, which are then retained in the Recoverable Items\Purges folder until the hold is removed. In Exchange 2010, Recoverable Items does not count towards the mailbox storage quota because it has its own quota.
For details, see Understanding Recoverable Items.

At 20 GB and 30 GB, the Recoverable Items Warning Quota and Recoverable Items Quota are set to fairly high defaults. Depending on how long a mailbox user is on litigation hold and the volume of email the mailbox receives, the Recoverable Items folder may reach its quota limits. It’s recommended that you monitor the size of Recoverable Items folder for mailboxes on litigation hold.

To check Recoverable Items folder size for all mailboxes on litigation hold:

    Get-Mailbox -ResultSize Unlimited -Filter {LitigationHoldEnabled -eq $true} | Get-MailboxFolderStatistics -FolderScope RecoverableItems | Format-Table Identity,FolderAndSubfolderSize -Auto

If the Recoverable Items folder is close to its quota limits, you can raise the Recoverable Items Quota for the mailbox – the simple solution and also the recommended one. Alternatively, you can use Search-Mailbox to extract messages from the folder and store them in another mailbox. See Clean Up The Recoverable Items Folder for the step-by-step procedure.

This command sets the Recoverable Items Warning Quota and Recoverable Items Quota for a mailbox to 40 GB and 50 GB:

    Set-Mailbox "Mailbox User" -RecoverableItemsWarningQuota 40GB -RecoverableItemsQuota 50GB

Note: A user’s archive mailbox also has a Recoverable Items folder. Although the same RecoverableItemsWarningQuota and RecoverableItemsQuota apply to the primary and archive mailbox, they're not combined but calculated separately (i.e., 30 GB for the primary mailbox and 30 GB for the archive, if enabled).

Informing the user about litigation hold or retention hold

When you place a mailbox on litigation hold or retention hold in Exchange 2010, you can populate the comment field using the EMC or the Set-Mailbox cmdlet. The comment shows up in the Backstage area in Outlook 2010 and can be used to inform the user about either hold. You can also include a URL to internal hold policies or other documentation.
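The Recoverable Items monitoring recommended above, extended into a threshold report that flags mailboxes on litigation hold approaching the warning quota. This is an added example, not from the original post; it assumes the 20 GB default warning quota quoted in the text unless another value is passed, and the parameter names WarningQuotaGB and AlertFraction and the helper ConvertTo-Bytes are hypothetical names chosen for illustration.

```powershell
# Added example: run as a script in the Exchange Management Shell.
# Assumption: 20 GB is the default Recoverable Items Warning Quota quoted in the text;
# pass -WarningQuotaGB if you have raised the quota for mailboxes on hold.
param(
    [double]$WarningQuotaGB = 20,    # quota to compare against, in GB
    [double]$AlertFraction  = 0.8    # flag mailboxes at or above 80% of that quota
)

function ConvertTo-Bytes {
    # Folder sizes render as "1.5 GB (1,610,612,736 bytes)" in the local shell and
    # when deserialized over remote PowerShell, so parse the exact byte count.
    param($Size)
    if ("$Size" -match '\(([^)]*) bytes\)') {
        return [int64]($Matches[1] -replace '\D', '')
    }
    return [int64]0
}

$quotaBytes = $WarningQuotaGB * 1GB
$alertBytes = $quotaBytes * $AlertFraction

Get-Mailbox -ResultSize Unlimited -Filter {LitigationHoldEnabled -eq $true} | ForEach-Object {
    $mbx = $_

    # The Recoverable Items root has the largest FolderAndSubfolderSize because it
    # includes its subfolders (for example Purges), so take the maximum value returned.
    $used = Get-MailboxFolderStatistics -Identity $mbx.DistinguishedName -FolderScope RecoverableItems |
        ForEach-Object { ConvertTo-Bytes $_.FolderAndSubfolderSize } |
        Measure-Object -Maximum |
        Select-Object -ExpandProperty Maximum
    if (-not $used) { $used = 0 }

    New-Object PSObject -Property @{
        Mailbox            = $mbx.DisplayName
        LitigationHoldDate = $mbx.LitigationHoldDate
        UsedGB             = [math]::Round($used / 1GB, 2)
        PercentOfWarning   = [math]::Round(100 * $used / $quotaBytes, 1)
        NearQuota          = ($used -ge $alertBytes)
    }
} | Sort-Object PercentOfWarning -Descending |
    Format-Table Mailbox,LitigationHoldDate,UsedGB,PercentOfWarning,NearQuota -AutoSize
```

Mailboxes reported with NearQuota set to True are the candidates for the quota increase described above.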
Figure 1: Placing a mailbox on litigation hold using the EMC

When you place a mailbox on litigation hold, Exchange alerts you that it may take up to 60 minutes for the change to be processed.

Figure 2: Warning displayed when you place a mailbox on litigation hold

Although litigation hold is processed by Exchange in that period, the litigation hold comment does not show up in Outlook 2010 until the MFA has processed the mailbox. Depending on the assistant’s work cycle, it may take as long as 1 day (the default work cycle configuration on Exchange 2010) for the comment to be displayed in Outlook.

To make the comment show up sooner, you can manually kick off the assistant against a mailbox.

    Start-ManagedFolderAssistant "Mailbox User"

To have the assistant process multiple mailboxes, you’ll need to pipe output from the Get-Mailbox cmdlet, which can use recipient filters to filter mailboxes, or use distribution group membership. Additionally, LitigationHoldEnabled, LitigationHoldDate and LitigationHoldOwner are filterable properties in Exchange 2010. This means you can filter Get-Mailbox output using these properties and start the MFA against all mailboxes you’ve placed on litigation hold on a certain date.

This command retrieves all mailboxes placed on litigation hold by Paul Singh after 8/14/2010.

    Get-Mailbox -Filter {LitigationHoldEnabled -eq $true -and LitigationHoldDate -gt "8/14/2010" -and LitigationHoldOwner -eq "Paul Singh"} | ft Name,Litigation*

Once you’ve examined the list of mailboxes returned by the above command, you can start the MFA to process them.

    Get-Mailbox -Filter {LitigationHoldEnabled -eq $true -and LitigationHoldDate -gt "8/14/2010" -and LitigationHoldOwner -eq "Paul Singh"} | Start-ManagedFolderAssistant

After the Managed Folder Assistant has processed a mailbox, the hold comment is displayed in Outlook 2010. The user is not required to restart Outlook.
Figure 3: The hold comment along with any links for more information, if configured, is displayed to the user in Outlook 2010

Exchange 2010 has a number of features to help you meet your organization's compliance goals. For more details, see Messaging Policy and Compliance in the Exchange 2010 documentation.

Bharat Suneja

Prevent archiving of items in a default folder in Exchange 2010
In Exchange 2010, you can use Retention Policies to manage message retention. Retention Policies consist of delete tags, i.e. retention tags with either Delete and Allow Recovery or Permanently Delete actions, or archive tags, i.e. retention tags with the Move To Archive action, which move items to the user's archive mailbox.

Depending on how they're applied to mailbox items, retention tags are categorized as the following three types:

- Default Policy Tags (DPTs), which apply to untagged items in the mailbox – untagged items being items that don't have a retention tag applied directly or by inheritance from parent folder. You can create three types of DPTs: an archive DPT, a delete DPT and a DPT for voicemail messages.
- Retention Policy Tags (RPTs), which are retention tags with a delete action, created for default folders such as Inbox and Deleted Items. Not all default folders are supported. You can find a table showing the default folders supported for RPTs in Understanding Retention Tags and Retention Policies. Notably, Calendar, Tasks and Contacts folders aren't supported [1].
- Personal Tags, which are retention tags that users can apply to items and folders in Outlook 2010 and Outlook Web App. Personal tags can either be delete tags or archive tags. They're surfaced in Outlook 2010 and OWA as Retention policies and Archive policies.

To deploy retention tags, you add them to a retention policy and apply the policy to mailbox users.

In Exchange 2010 SP1, we added support for the Notes folder. In Exchange 2010 RTM, items in the Notes folder aren't processed. After you upgrade to SP1, if the user's retention policy doesn't have a RPT for the Notes folder, the DPT from the user's policy will apply to items in that folder. In existing deployments, your users may not be used to their notes being moved or deleted.

To prevent the DPT from being applied to a default folder, you can create a disabled RPT for that folder (or disable any existing RPT for that folder).
The Managed Folder Assistant, a mailbox assistant that processes mailbox items and applies retention policies, does not apply the retention action of a disabled tag. Since the item/folder still has a tag, it's not considered untagged and the DPT isn't applied to it.

Figure 1: Create a disabled Retention Policy Tag for the Notes default folder to prevent the Default Policy Tag from being applied to items in that folder

Note: You can create a disabled RPT for any supported default folder.

Why are items in the Notes folder still archived?

If you create a disabled RPT for the Notes folder, you'll see items in that folder are not deleted, but they do continue to be moved to the archive! Why does this happen? How do you prevent it?

It's important to understand that:

- A retention policy can have a DPT to archive items (using the Move to Archive retention action) and a DPT to delete items (using the Delete and Allow Recovery or Permanently Delete retention actions). Both apply to untagged items.
- The move and delete actions are exclusive of each other. Mailbox folders and messages can have both types of tags applied - an archive tag and a delete tag. It's not an either/or proposition.
- If you create a disabled RPT for the Notes folder to not delete items, the archive DPT for the mailbox would still apply and move items.
- When it comes to archiving, there's only one archive policy that administrators can enforce – the DPT with 'Move to archive' action. You can't create a RPT with the 'Move to archive' action. This rules out using the disabled RPT approach to prevent items from being moved.

How do you prevent items in a default folder from being archived?

There's no admin-controlled way to prevent items in default folders from being archived [2], short of removing the archive DPT from a retention policy. However, removing the archive DPT would result in messages not moving to archive automatically unless the user applies a personal tag to messages or folders.
The workaround is to have users apply the Personal never move to archive personal tag (displayed as Never under Archive Policy in Outlook/OWA) to a default folder. The tag is included in the Default Archive and Retention Policy created by Exchange Setup. You can also add this tag to any Retention Policies you create.

Figure 2: Users can apply the Never archive policy to a default folder to prevent items in that folder from being archived

[1] Support for Calendar and Notes retention tags was added in Exchange 2010 SP2 RU4.
[2] You can apply a disabled move tag to a folder in user's mailbox using EWS code/script. For details, see Using Exchange Web Services to Apply a Personal Tag to a Custom Folder.

Applying a disabled archive policy to the Notes default folder

You can't use Outlook 2010 or Outlook 2013 to apply an archive policy to the Notes default folder or individual notes items. If your users want to prevent Notes items from being moved, they must apply a disabled move tag to the Notes folder using OWA.

Figure 3: Apply Personal never move to archive policy to the Notes folder in Outlook Web App in Exchange 2013. The Exchange 2010 Outlook Web App UI differs slightly - it lists archive and retention policies separately. See a screenshot here.

Bharat Suneja

Updates
1/23/2013: In Exchange 2010 SP2 RU4, we added Calendar and Tasks retention tag support. You can prevent these from being moved or deleted by creating registry values. See Calendar and Tasks Retention Tag Support in Exchange 2010 SP2 RU4.
6/18/2013: Added screenshot - Applying disabled move tag to Notes folder in OWA and link to Using Exchange Web Services to Apply a Personal Tag to a Custom Folder.

Introducing Attachment Inspection in Transport Rules
Transport Rules provides an organization with the tools needed to enforce messaging policies across their Exchange organization. You may be familiar with Transport Rules in Exchange Server 2007, and the ability to inspect different parts of a message such as subject, body, and headers for specific words and/or text patterns. If you are not familiar with Transport Rules, you can find an overview in this previous blog post or in the Exchange 2007 documentation on TechNet.

Now supporting attachments

In Exchange Server 2010, we have extended the word and text pattern matching functionality in Transport Rules to include the inspection of supported email attachments. Two new conditions (also known as 'predicates') have been added to Transport Rules:

- when an attachment contains words
- when an attachment matches text patterns

Transport Rules with one of these conditions will parse the body of an attached document (including headers and footers, but not including metadata document properties), looking for word or pattern matches within the document. This enables better control of the information that flows through an Exchange Server 2010 organization.

For example, your organization may have a policy that forbids documents containing confidentiality disclaimers from being sent outside of the organization. Transport Rules can be established to enforce that policy. In this example, let's say that the organization wants to bounce back any email with attached documents that contain "Contoso Confidential" in the document (e.g., in the page header or footer of the document). We might have a transport rule configured like this:

In the previous example, we are relying on documents having some classification text already embedded in them. To further automate the leakage protection process, we may want to look for specific text patterns in the document.
We can do this by using regular expressions to find text patterns in the attached document (please see the Exchange 2007 TechNet documentation for details on the regular expressions supported in Exchange 2007 and Exchange 2010). For example, your organization has a policy that forbids the transmission of social security numbers in email, and this includes social security numbers in attached documents. We might have a transport rule configured like this:

In the previous two examples, we focused on blocking messages that matched our criteria. There are several other actions available in transport rules that can be invoked by these new conditions. These include:

- IRM-protect the message (and attachments) with an AD RMS template (IRM = Information Rights Management; AD RMS = Active Directory Rights Management Services)
- Forward the message for moderation
- Apply message classification
- Apply disclaimer
- Copy the message to another address
- Silently delete the message

Which file types are supported?

Transport Rules attachment inspection supports the same file types as supported by Exchange Search. The attachment inspection feature relies on IFilters to get a text stream from the file attachments. The full set of IFilters installed with Exchange out of the box can be found in the server's registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters. File types include:

- Microsoft Office documents (e.g., doc/docx, xls/xlsx, ppt/pptx.)
- Email message formats (e.g., msg, eml, .)
- HTML and text formats

Note: for HTML and XML file attachments, Transport Rules only inspects the rendered content. It does not inspect content inside the markup tags (e.g. ).

How can I add support for additional file types?

Microsoft has tested and supports all of the default IFilters installed with Exchange Server 2010. Third-party IFilters can be added, which could extend the capability for inspecting additional file types.
However, Microsoft has not tested third-party IFilters with Transport Rules, so it is highly advised that you fully test any third-party IFilters before deploying into your production environment.

Additional files can be parsed by installing and registering the file type's IFilter on each Hub Transport server. For example, you can add support for inspecting PDF file attachments by downloading and installing the Adobe PDF IFilter. After that, simply register the IFilter DLL to the Exchange server registry location:

1. Identify the CLSID of the installed IFilter (search under HKEY_CLASSES_ROOT\CLSID\ in the registry, or get it from installation docs). For example, the CLSID for PDF files is: {E8978DA6-047F-4E3D-9C78-CDBE46041603}
2. Create a new registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\CLSID with the same name as the CLSID, and a default value which points to the full path of the IFilter DLL file. For example, for PDF files, the default path of the PDF IFilter is: C:\Program Files\Adobe\Adobe PDF IFilter 9 for 64-bit platforms\bin\PDFFilter.dll
3. Create a new key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch\Filters with the name of the file extension that the filter will handle. Enter the default value for this key to be the CLSID of the IFilter. For example, for PDF files, the key you should create: Name: .pdf Value: {E8978DA6-047F-4E3D-9C78-CDBE46041603}
4. The Network Service needs to have read access to both of these keys. To check the permissions, and allow Read permissions for Network Service, right click on the CLSID and Filter keys, select "Permissions.." Network Service should be added with Read permissions allowed.

Now the Transport Rules engine will be able to inspect these file attachments for the key words and text patterns configured in the Transport Rule condition.
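The registration steps above can be scripted so they are applied identically on every Hub Transport server. The following is an added example, not code from the original post: it uses the registry paths, PDF CLSID and DLL path quoted above, and checks the DLL's PE header because the post requires third-party IFilters to be 64-bit capable. The parameter names, helper functions and the opt-in restart switch are assumptions of this sketch.

```powershell
# Added example (not from the original post). Run elevated on each Hub Transport server.
param(
    [string]$Extension = '.pdf',
    [string]$Clsid     = '{E8978DA6-047F-4E3D-9C78-CDBE46041603}',   # PDF CLSID quoted in the post
    [string]$FilterDll = 'C:\Program Files\Adobe\Adobe PDF IFilter 9 for 64-bit platforms\bin\PDFFilter.dll',
    [switch]$RestartTransport   # assumption: opt-in; otherwise wait for the 30-minute cache refresh
)

$ErrorActionPreference = 'Stop'
$searchRoot = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\MSSearch'
$clsidKey   = "$searchRoot\CLSID\$Clsid"
$filterKey  = "$searchRoot\Filters\$Extension"
$readKey    = [System.Security.AccessControl.RegistryRights]::ReadKey
$sidType    = [System.Security.Principal.SecurityIdentifier]
$netSvcSid  = 'S-1-5-20'    # well-known SID of NT AUTHORITY\NETWORK SERVICE

function Test-Is64BitImage([string]$Path) {
    # PE layout: 'MZ' at offset 0, e_lfanew at 0x3C points to 'PE\0\0', then the Machine field.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($pe -lt 0 -or ($pe + 6) -gt $bytes.Length) { return $false }
    if ([BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) { return $false }
    return ([BitConverter]::ToUInt16($bytes, $pe + 4) -eq 0x8664)   # IMAGE_FILE_MACHINE_AMD64
}

function Set-DefaultValue([string]$Key, [string]$Value) {
    # Create the key only when missing: New-Item -Force on an existing key resets its values.
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name '(default)' -Value $Value
}

function Grant-NetworkServiceRead([string]$Key) {
    # Read-only access is all the post asks for; do not grant write or full control.
    $identity = New-Object System.Security.Principal.SecurityIdentifier($netSvcSid)
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $identity, $readKey, ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit), ([System.Security.AccessControl.PropagationFlags]::None), ([System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Key
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

# Validate inputs before touching the registry.
if ($Clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { throw "Not a CLSID: $Clsid" }
if ($Extension -notmatch '^\.[A-Za-z0-9]+$') { throw "Not a file extension: $Extension" }
if (-not (Test-Path -LiteralPath $FilterDll)) { throw "IFilter DLL not found: $FilterDll" }
if (-not (Test-Is64BitImage $FilterDll)) { throw "IFilter DLL is not a 64-bit image: $FilterDll" }

# Steps 2 and 3: CLSID key -> DLL path, extension key -> CLSID.
Set-DefaultValue $clsidKey  $FilterDll
Set-DefaultValue $filterKey $Clsid

# Step 4: Network Service read access on both keys.
foreach ($key in $clsidKey, $filterKey) { Grant-NetworkServiceRead $key }

# Read back what was written so a change record shows the final state.
foreach ($key in $clsidKey, $filterKey) {
    $rules = (Get-Acl -Path $key).GetAccessRules($true, $true, $sidType)
    $canRead = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $netSvcSid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $readKey) -eq $readKey)
    }).Count -gt 0
    New-Object PSObject -Property @{
        Key                = $key
        DefaultValue       = (Get-ItemProperty -Path $key).'(default)'
        NetworkServiceRead = $canRead
    }
}

if ($RestartTransport) { Restart-Service MSExchangeTransport }
```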
The registry cache automatically refreshes every 30 minutes, but if you want the changes to be immediately applied, then restart the Exchange Transport Service on the Hub Transport Server where you made the change. At the Exchange Shell prompt:

    Restart-Service msexchangetransport

Note: 3rd party IFilters need to be 64-bit capable for Exchange server to use them.

Note: you can also remove support for specific file types by deleting the keys corresponding to that file extension from the above registry locations.

What happens with attachments that are not supported?

The attachment inspection conditions will only evaluate files that have a corresponding IFilter registered for that file type. If there is no IFilter for a given attachment, then that file is treated as "unsupported". The two conditions above will not trigger the rule action on unsupported attachments. For some organizations this may be desired: only act on messages with files that can be inspected. Other organizations may want stricter control, and may wish to specially handle any attachments that cannot be inspected. For this case, we introduced another Transport Rule condition in Exchange Server 2010:

- when attachment is unsupported

For example, let's say that an organization wants to manually review any externally bound email with attachments that cannot be inspected by Transport Rules (e.g., with unsupported file types). We might have a transport rule configured like this:

This enables the compliance officer(s) to approve or reject the message for delivery to external recipients. You can also add your own exceptions in the rule to allow selected users to bypass the control (in the example above we've added an exception for members of the Trusted Senders group to be able to bypass the control).

What about encrypted files?

In general, Transport Rules will not be able to access the contents of user encrypted files. The keys needed to decrypt the content are not available to the server.
Exchange Server 2010, however, does support integration with Active Directory Rights Management Services (RMS) such that Transport Rules can decrypt and inspect the contents of Information Rights Management (IRM) protected email and attached Office documents within an organization.

What about archive files?

Transport Rules attachment inspection won't support archive files in Exchange Server 2010. The Exchange team will look to add support for navigating and decompressing contents of archive files (e.g., arc, zip, tar, cab, etc.) in a future release. In the Exchange 2010 RTM release, archive files will be treated as "unsupported" files.

Can I block emails with attachments by file type?

Yes, there is a Transport Rule condition that can be used for this in Exchange Server 2007 and Exchange Server 2010:

- when any attachment file name contains text patterns

You can catch messages with attachment file types by adding the file extensions to match in this condition. For example:

Then set the rule action to bounce the message. Note that this only inspects the attached file name and not the attached file contents to determine the file type. If your goal is to prevent viruses by filtering out specific attachment types, regardless of how the file is actually named, then you may want to employ the Attachment Filtering Agent instead.

Can I block attachments larger than a specific size?

Yes, there is a Transport Rule condition that can be used for this in Exchange Server 2007 and Exchange Server 2010:

- when the size of any attachment is greater than or equal to limit

You can catch messages with attachments larger than or equal to a specific size (in KB) and apply any of the Transport Rule actions. An organization may use this to prevent large files from being sent via email, and to encourage the use of SharePoint sites for collaboration instead.

Is the Transport Rule attachment inspection feature available in the Exchange Server 2010 Beta release?

No, it is not.
The Transport Rule attachment inspection feature will be available in the Exchange Server 2010 final release.

-Steve Clagg

Calendar and Tasks Retention Tag Support in Exchange 2010 SP2 RU4
In order to ensure compliance policy requirements are met within the messaging environment, messaging data must be classified and maintained for periods of time based on the classification level. In Exchange 2003, the Mailbox Manager provided a means to delete messaging data, including calendar and task objects. Mailbox Manager was limited in its ability, however:

- The Mailbox Manager would ignore and not delete any appointments if they were tagged as recurring, regardless of end date, start date, sent date, or last modification date.
- The Mailbox Manager would ignore and not delete any tasks that were not marked as completed.

In Exchange 2007, Mailbox Manager was replaced with Messaging Records Management (MRM). Managed Folders, the MRM feature in Exchange 2007, enabled customers to apply retention settings to default folders, such as Inbox and Deleted Items, and also deploy custom managed folders. Users would sort their messages by placing them into different managed folders, with each folder having a different retention setting. With respect to the calendar and tasks folders:

- Non-recurring calendar items expire according to their end date.
- Recurring calendar items expire according to the end date of their last occurrence.
- Recurring calendar items with no end date do not expire.
- Non-recurring tasks: A non-recurring task expires according to its message-received date, if one exists. If a non-recurring task does not have a message-received date, it expires according to its message-creation date. If a non-recurring task has neither a message-received date nor a message-creation date, it does not expire.
- Recurring tasks expire according to the end date of the last occurrence. If a recurring task does not have an end date, it does not expire.
- A regenerating task (which is a recurring task that regenerates a specified time after the preceding instance of the task is completed) does not expire.
Messaging Records Management in Exchange 2010

Exchange 2010 introduced Messaging Records Management 2.0 and the Retention Policy framework. The framework consists of retention tags and retention policies. Retention tags are used to apply retention settings to messages and folders. A retention policy is a group of retention tags that can be applied to the mailbox. The use of the word “retention” in this MRM 2.0 naming convention is misleading. In addition to controlling when items are expired out of the mailbox, retention tags can also be used to control when items move to the archive.

With Exchange 2010 RTM, SP1 and SP2 through SP2 RU3, MRM 2.0 does not provide support for assigning retention tags either directly to calendar and task items or to the calendar and tasks folders. Many of you, our customers, have spoken to us about the need for this functionality and see this as a takeaway when compared to previous versions of Exchange. In the end, compliance requirements need to be met. Excluding calendar and task items from the retention policy framework means that customers that have business and/or legal compliance policies for managing data are unable to guarantee the requirements are met.

Calendar and Tasks Support in Exchange 2010 SP2 RU4 and later

In Exchange 2010 SP2 RU4, we’ve added support for Calendar and Tasks folders to Retention Policies. If you currently use or plan to use Retention Policies, this has important implications for your messaging environment.

Beginning with Exchange 2010 SP2 RU4, administrators can create retention tags via the cmdline for use with the Calendar and Tasks default folders. The supported retention actions are: DeleteAndAllowRecovery, PermanentlyDelete, MarkAsPastRetentionLimit. Note that calendar and task items can be moved to the archive mailbox via the MoveToArchive retention action that is associated with the All or Personal retention tag type.
Default Policy Tags (DPTs) used to move or delete items will now apply to Calendar and Tasks folders.

How Calendar and Tasks items are expired

Calendar and task items are different than normal message items. When a calendar or task item is saved, the item is stamped with its specific properties. To ensure that a collision (or conflict) doesn't occur between the Mailbox Folder Assistant (MFA) and the assignment of the default properties during an auto-save event, the MFA will not process calendar and task items immediately. Instead, the assistant will delay processing of calendar and task items for 2 hours (based on last modification time of the item; if there is no last modification time, then it is based on the creation time).

Unlike message items, end users cannot assign different retention tags to either the Calendar or Tasks folders or calendar and task items. In other words, Calendar and Tasks retention tags are only controlled via the administrator.

The following logic is used to determine the start date for expiration or move to the archive for calendar items in the Calendar folder:

- Non-recurring calendar items expire (or move to the archive) based on the end date of the item.
- Recurring calendar items expire (or move to the archive) based on the end date of their last occurrence.
- Recurring calendar items without an end date neither expire nor move to the archive.
- If an item is found within the Calendar folder that doesn't have a proper item type, it's ignored (as the item might be corrupt).

The following logic is used to determine the start date for expiration or move to the archive for task items within the Tasks folder:

- Non-recurring tasks: A non-recurring task expires (or moves to the archive) according to its message-received date, if one exists. If a non-recurring task does not have a message-received date, it expires (or moves to the archive) according to its message-creation date.
  If a non-recurring task has neither a message-received date nor a message-creation date, it neither expires nor gets moved to the archive.
- Recurring tasks expire (or move to the archive) according to the end date of last occurrence. If a recurring task doesn't have an end date, it does not expire (and isn't moved to the archive).
- A regenerating task (which is a recurring task that regenerates a specified time after the preceding instance of the task is completed) doesn't expire (or get moved to the archive).
- If an item is found within the Tasks folder that doesn't have a proper item type, it's ignored (as the item might be corrupt).

Before You Deploy Exchange 2010 SP2 RU4

Support for Calendar and Tasks in Exchange 2010 SP2 RU4 means you’ll need to treat this update rollup differently. If you don’t use Retention Policies or if you don’t mind Calendar and Tasks items being moved to archive or deleted automatically based on the DPT settings, you can skip the rest of this post. However, if you are concerned about the effects this new functionality will have on your calendar and task items, you can implement the following temporary workarounds:

If you don’t want Calendar and Tasks items to ever expire, you can disable the functionality that is included in Exchange 2010 SP2 RU4. Add the following registry key to your Mailbox servers:

Path: HKLM\SYSTEM\CurrentControlSet\Services\MSExchangeMailboxAssistants\Parameters
Name: ELCAssistantCalendarTaskRetentionEnabled
Type: DWORD
Value: 0 = Do not process Calendar and Task folders
Value: 1 = Process (default with RU4)

If you want Calendar and Tasks folders to expire at a different interval than DPTs, you can follow these steps:

1. Place all mailboxes on Retention Hold.
2. Apply Exchange 2010 SP2 RU4 to your Mailbox servers.
3. Create RPTs for Calendar and Tasks folders with the desired retention settings.
4. Inform users about the change.
5. When ready, remove the retention hold from mailboxes.
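Both workarounds above, as an added Exchange Management Shell example that is not from the original post. The tag names, age limits, state-file path and the choice of the Default Archive and Retention Policy as the target policy are assumptions of this sketch. It records which mailboxes it placed on retention hold so that the release stage does not lift a hold that was already set for another reason.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('DisableProcessing', 'Hold', 'CreateTags', 'Release')]
    [string]$Stage,
    [string]$PolicyName    = 'Default Archive and Retention Policy',  # assumption: policy to extend
    [int]$CalendarAgeDays  = 2555,                                    # assumption: sample age limit
    [int]$TasksAgeDays     = 1095,                                    # assumption: sample age limit
    [string]$StateFile     = '.\ru4-retention-hold.csv'               # assumption: hold record
)

$ErrorActionPreference = 'Stop'

switch ($Stage) {

    'DisableProcessing' {
        # Workaround 1: run locally on each Mailbox server. 0 = do not process Calendar/Tasks.
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeMailboxAssistants\Parameters'
        New-ItemProperty -Path $path -Name 'ELCAssistantCalendarTaskRetentionEnabled' `
            -PropertyType DWord -Value 0 -Force | Out-Null
        (Get-ItemProperty -Path $path).ELCAssistantCalendarTaskRetentionEnabled
    }

    'Hold' {
        # Step 1: hold only mailboxes that are not already on retention hold, and record them.
        $targets = @(Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.RetentionHoldEnabled })
        $targets | Select-Object -Property DistinguishedName |
            Export-Csv -Path $StateFile -NoTypeInformation
        foreach ($mbx in $targets) {
            Set-Mailbox -Identity $mbx.DistinguishedName -RetentionHoldEnabled $true
        }
        "Placed $($targets.Count) mailboxes on retention hold; list saved to $StateFile"
    }

    'CreateTags' {
        # Step 3: run only after RU4 is installed (step 2); earlier builds do not support
        # retention tags for the Calendar and Tasks default folders.
        $calendarTag = New-RetentionPolicyTag -Name 'Calendar RPT (example)' -Type Calendar `
            -RetentionEnabled $true -AgeLimitForRetention $CalendarAgeDays `
            -RetentionAction DeleteAndAllowRecovery
        $tasksTag = New-RetentionPolicyTag -Name 'Tasks RPT (example)' -Type Tasks `
            -RetentionEnabled $true -AgeLimitForRetention $TasksAgeDays `
            -RetentionAction DeleteAndAllowRecovery

        # Tags take effect only when linked to a policy; keep the existing links.
        $links = @((Get-RetentionPolicy -Identity $PolicyName).RetentionPolicyTagLinks)
        $links += $calendarTag.DistinguishedName
        $links += $tasksTag.DistinguishedName
        Set-RetentionPolicy -Identity $PolicyName -RetentionPolicyTagLinks $links
        (Get-RetentionPolicy -Identity $PolicyName).RetentionPolicyTagLinks
    }

    'Release' {
        # Step 5: release only the mailboxes recorded by the Hold stage.
        if (-not (Test-Path -Path $StateFile)) { throw "Hold record not found: $StateFile" }
        $held = @(Import-Csv -Path $StateFile)
        foreach ($row in $held) {
            Set-Mailbox -Identity $row.DistinguishedName -RetentionHoldEnabled $false
        }
        "Removed retention hold from $($held.Count) mailboxes"
    }
}
```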
Conclusion

We are glad that we were able to bring this long sought after feature to the product. If you have any questions, please let us know.

Ross Smith IV
Principal Program Manager
Exchange Customer Experience

Preserve mailbox data for eDiscovery using inactive mailboxes in Exchange Online
In Exchange Online and Exchange Server 2013, you can use In-Place Hold or Litigation Hold to preserve mailbox content for litigation or investigations. Many organizations also need to preserve mailbox data for users who are no longer in the organization. In on-premises Exchange deployments, this has typically been done by disabling the Active Directory user account and performing actions such as removing it from distribution groups, preventing inbound/outbound email to and from the mailbox (including setting delivery restrictions and configuring message size limits), hiding the mailbox from the Global Address List (GAL), and also setting an account expiration date on the user account in Active Directory. Licensing costs are not a concern in this scenario, because you do not need a Client Access License (CAL) for a mailbox that’s no longer active.

In Exchange Online, admins remove mailboxes for departed users. However, once you remove a mailbox, it can no longer be included in In-Place eDiscovery searches (Multi-Mailbox Search in the previous version of the service and in Exchange 2010). Additionally, 30 days after you remove a mailbox, it is permanently deleted from Exchange Online and can no longer be recovered. In-Place eDiscovery requires that the mailbox be active, which means an Exchange Online or Office 365 plan is required for the mailbox for as long as you want to preserve data for eDiscovery.

Note: You can preserve mailbox data offline by exporting it to a PST file using Microsoft Outlook and then remove the mailbox. However, if you need to perform an eDiscovery search, you would need to inject it back to an Exchange Online mailbox.

Inactive Mailboxes

In the new Exchange Online, we’ve introduced the concept of inactive mailboxes to handle departed users.
When a user leaves the organization and you need to retain their mailbox data for some time to facilitate eDiscovery (or meet retention or business requirements), you can place the mailbox on In-Place Hold or Litigation Hold before removing the Office 365 user. This preserves the mailbox, but prevents it from sending/receiving messages and hides it from users so it's no longer visible in the GAL and other recipient lists. You can add inactive mailboxes to In-Place eDiscovery searches. After you've made a mailbox inactive, you no longer require an Exchange Online or Office 365 plan for it.

When your eDiscovery, retention or other business requirements are met and you no longer need to preserve the mailbox content, you can remove the mailbox from In-Place Holds or Litigation Hold. After you remove hold, the normal mailbox removal behavior of Exchange Online will resume for the mailbox - which means, if the mailbox was removed more than 30 days ago, it will be permanently deleted. If it was removed less than 30 days ago, it will be permanently deleted after 30 days of removal.

For more details, see Overview of inactive mailboxes (short url: aka.ms/inactivembx) in Exchange Online documentation. Inactive mailboxes are available in March 2013 in the E3, E4, E5, A3, A4, G and Exchange Online P2 plans.

Note: An inactive mailbox cannot exist without a Hold. To place a mailbox on hold, you require an Exchange Online Plan 2 license (standalone, or through Office 365 E3 or E5 plans). Customers with an Exchange Online Plan 1 can assign an Exchange Online Archiving (EOA) license to place a mailbox on hold. After you place a mailbox on hold and remove the user account, you can reassign the license. This preserves the mailbox data as long as it remains on hold. See Exchange Online service description for licensing and availability of features.
Migrating inactive mailbox data to Exchange Online

If you already have inactive mailboxes in your on-premises Exchange 2010 or Exchange 2013 environment or a third-party archive, you can move the data to inactive mailboxes in Exchange Online by first provisioning an Exchange Online mailbox, which requires a plan subscription, importing the data to the Exchange Online mailbox, placing the user on In-Place Hold or Litigation Hold and then deleting the user account, making it an inactive mailbox. You do not require a plan subscription for that mailbox after you make it inactive. However, you will need a subscription during the provisioning and data import process. If you have a large number of inactive mailboxes, you can provision them in batches using a smaller number of subscriptions. Note, the Product Usage Rights (PUR) states that licenses can only be reassigned once every 90 days.

How long can a mailbox be inactive?

You can preserve data in inactive mailboxes for as long as you need to, based on your organization's retention and eDiscovery requirements. Of course, you would need to continue to be an Office 365/Exchange Online customer.

Do both primary and archive mailboxes become inactive mailboxes?

When you place a mailbox on hold in Exchange, you're actually placing the user on hold. Both primary and archive mailboxes are placed on hold, and become inactive after you remove the Office 365 user. When you use Office 365's eDiscovery tools to search the (now inactive) user, both mailboxes are searched.

How can you remove data from an inactive mailbox?

If you've specified a hold duration using In-Place Hold or Litigation Hold, items older than the hold duration are removed when the Managed Folder Assistant (MFA) processes the mailbox.

Can you search inactive mailboxes using Office 365 eDiscovery tools?

Yes.
Inactive mailboxes are visible to Office 365 eDiscovery tools - In-Place eDiscovery in Exchange Online, the eDiscovery Center in SharePoint Online, and eDiscovery or Content Search in the Office 365 Security and Compliance Center (SCC). No additional licenses are required to include inactive mailboxes in eDiscovery searches.

What happens after July 1, 2017, when you'll no longer be able to create new In-Place Holds?

As noted in Inactive mailboxes in Exchange Online and elsewhere in Exchange Online documentation:

On July 1, 2017, you'll no longer be able to create In-Place Holds in Exchange Online (in Office 365 and Exchange Online standalone plans). You'll still be able to modify existing In-Place Holds, and creating new In-Place Holds in Exchange Server 2013 and Exchange hybrid deployments will still be supported. And, you'll still be able to place mailboxes on Litigation Hold. As an alternative to using In-Place Holds, you can use eDiscovery cases or retention policies in the Office 365 Security & Compliance Center.

To make a mailbox inactive, you can use Litigation Hold, eDiscovery cases or Retention Policies in Office 365.

Bharat Suneja

Updates
3/16/2015: Changed the highlighted verbiage (in Migrating section) from "placing the user on In-Place Hold or Litigation Hold and then removing the subscription, making it an inactive mailbox" to "deleting the user account". Added links to In-Place eDiscovery and Litigation Hold.
5/23/2013: Added info about migrating inactive mailbox data to Exchange Online.
6/18/2013: Added note about Product Usage Rights (PUR).
3/5/2014: Added info about how long a mailbox can be inactive and included Litigation Hold.
4/14/2014: Added clarification about how you can remove data from inactive mailboxes (and hold duration specified for In-Place Hold or Litigation Hold has no impact.)
1/27/2016: Updated above clarification about how you can remove data from inactive mailbox to state it is processed by MFA and items older than LitigationHoldDuration are removed. Removed: All content in an inactive mailbox is on hold until you remove the hold from the mailbox.
2/7/2017: Added following Q&A about archive mailboxes: Do both primary and archive mailboxes become inactive mailboxes?
5/22/2017: Added following Q&A about eDiscovery: Can you search inactive mailboxes using Office 365 eDiscovery tools? Added E5 plan to list ("Inactive mailboxes are available in March 2013 in the E3, E4, E5, A3, A4, G and Exchange Online P2 plans").
6/19/2017: Added information regarding changes on July 1, 2017, when you'll no longer be able to create new In-Place Holds.
4/23/2020: Added note about licensing with link to service description and changed "Inactive mailboxes do not require an Exchange Online or Office 365 plan" to "After you've made a mailbox inactive, you no longer require an Exchange Online or Office 365 plan."

Spotlight on Exchange 2010: E-mail Moderation
Moderation in Exchange Server 2010

In past versions of Exchange server, the best way to control mail flow to a distribution group or mailbox was delivery restrictions. Delivery restrictions allow you to reject mail from certain individuals or groups (sometimes referred to as a blacklist), allow mail only from certain individuals or groups (or a whitelist), or a combination of both. In Exchange Server 2010, moderation enables you to control messages sent to groups and individuals based on the human element: a moderator, not who sent it.

Moderation isn't limited to groups. Like delivery restrictions, you can also moderate mail sent to individual mailboxes or mail contacts, in the same way as mail sent to distribution groups. If you wanted to moderate mail from a mailbox/contact, you would have to set up a transport rule, where moderation is available as an action. For the rest of this post, I'll be talking about moderated groups/lists.

Sending mail to a moderated group

For end users, sending mail to a moderated group is the same as sending to any other group. If they are using Outlook Web Access or Outlook 2010, they will see a MailTip telling them they are sending mail to a moderated group.

Instead of expanding a message and sending it on to the members of a group, Exchange sends the mail to the Arbitration Mailbox. This mailbox is like a holding tank for messages that are under review by moderators. Upon receiving the message, the arbitration mailbox sends out an approval request to each moderator. The original message is attached to the approval request and also shown in preview form in the approval request itself. Moderators have three options for a decision:

- Approve
- Reject
- Reject with comments

These decisions are sent as messages back to the arbitration mailbox, where the decision is processed. Like mail to any other group, users are only notified if their message was not delivered (moderators can choose to include comments explaining why they rejected the message).
If the message is approved, it is released from the arbitration mailbox for delivery to the group.

In both Outlook and Outlook Web Access, moderators see buttons at the top of their message for approving and rejecting messages (see an Outlook Web Access example below). In older versions of Outlook, moderators can make decisions with voting buttons.

Multiple moderators

For groups configured with multiple moderators, when one moderator makes a decision, a message is sent to all the other moderators notifying them of the decision. This notification is processed by the receiving mailbox, and when this notification arrives in a moderator's mailbox, the approval request is disabled (no further decision can be made) and moved to the deleted items folder. This keeps moderators' inboxes less cluttered, leaving only approval requests that still require a decision.

Enabling moderation for a group

To enable moderation for a group, you just need to enable moderation and specify who the moderators are. If you leave the list of moderators blank, the group owners will receive all the approval requests.

In ECP, group owners and administrators can configure moderation here:

Moderation can be similarly configured from EMC:

Moderation in a transport rule

For more customized scenarios, moderation is also available as an action with any transport rule. In the case of a rule where the condition is a match, the message is not delivered to any recipients until approved by a moderator.

FAQ

Q: Are delivery restrictions still there in Exchange 2010?
A: Delivery restrictions haven't gone anywhere. In fact, you can use moderated groups and delivery restrictions together; delivery restrictions simply take precedence over moderation. If a sender passes delivery restrictions, then they will be moderated (unless they are on the bypass list for moderation).

Q: What if an email is sent to two groups: one moderated and one unmoderated?
A: The message will be sent to moderators for approval for delivery to the moderated group. It will be delivered to all members of the unmoderated group without moderator intervention. Any user that is a member of both groups would get the message immediately. They won't see a second message (upon approval to the moderated group) thanks to duplicate detection.

Q: What about nested moderated groups?
A: If one moderated group (the "child") is a member of another moderated group (the "parent"), the message must be approved for both the parent and the child groups. If you set the BypassNestedModerationEnabled flag to $true on the parent group, any messages sent to that group will bypass moderation by child groups. For some messages, you might not want moderators of child groups to be able to reject them (say, messages from executives sent to an org-wide group).

Q: What happens if two moderators make conflicting decisions at the same time?
A: In most cases, moderators will not be able to make a decision after one has already been made. However, if two moderators do manage to make decisions at the exact same time, whichever decision message makes it to the arbitration mailbox wins. The "losing" moderator(s) are then notified that their decision did not take effect.

Q: What versions of Exchange are required for moderation?
A: Moderation requires Exchange 2010 to be deployed on all Hub Transport Servers to work properly. Earlier versions of Exchange will ignore moderation and simply deliver any messages to moderated recipients.

- E.J. Dyksen

.PST, Time to Walk the Plank
PST Capture Download Documentation

Ask and ye shall receive, mateys! As we announced in July, we are always looking for new ways to make your work easier - especially when your work involves ending PST proliferation. Today, we are happy to announce that PST Capture is now available as a free download.

PST Capture helps you search your network to discover and then import .pst files across your environment - all from a straightforward admin-driven tool. PST Capture will help reduce risk while increasing productivity for your users by importing .pst files into Exchange Online or Exchange Server 2010 - directly into users' primary mailboxes or archives.

In addition to all the positive feedback you have given us regarding the Archiving, Retention, Legal Hold and Discovery capabilities of Exchange, you made it clear that PST import is an important area for us to focus on moving forward. As we looked at the best ways to address this challenging need, we saw the great work that our ISV partner, Red Gate, has done with their stellar solution. We determined that acquiring this product from Red Gate as a starting point was the best strategy for ensuring a quality product for you. We put Red Gate’s tool through further feature development and a rigorous testing process that included beta testing with customers, passing through our internal product security gates, and overall quality assurance. It’s now ready for prime time and available as a free download here!

For even more insight, watch the video below.

And thus, we offer you PST Captarrrrrrrrrgh - or PST Capture, for those more refined than I. As always, keep the feedback coming!

Ankur Kothari

Red Gate creates ingeniously simple software tools used by more than 500,000 IT professionals worldwide. The company works to uplift the market it serves through free web community sites, technical publications and conference sponsorships that reach millions annually.

Data immutability and Office 365 tenant lifecycle
One of the more common questions about Office 365 has been – what happens to my data after my organization’s Office 365 subscription ends? The most common answer circulated in the community refers to a grace period of 30 days, during which you can still retrieve your data. The answer’s not wrong, but here’s some more detail about the tenant lifecycle after an Office 365 subscription is cancelled, as it relates to the organization’s data.

During the first 30 days after an Office 365 subscription ends, the Office 365 tenant account is in this grace period, known as expired state. During this period, users can still access data. If the subscription ended unintentionally, a rare event I’d argue given the many alerts you get to prevent termination of subscription due to issues such as non-payment, this is a good time to set things right.

After 30 days, the tenant account enters disabled state for 90 days. During this period, users no longer have access to data. The admin can still log in, back up data if required, or reactivate the subscription.

At the end of the disabled state, which is 120 days after your subscription has expired, the account enters the deprovisioning state. This is when the data – from user accounts to email data and documents – is deleted permanently.

| State of subscription | When | What happens |
| --- | --- | --- |
| Expired | 1-30 days after end of subscription | All users have access |
| Disabled | 31-120 days after end of subscription | Admin has access. Admin can reactivate and back up data. |
| Deprovisioned | After 120 days of end of subscription | All user data is deleted (user data, documents, email, including mailboxes on hold and inactive mailboxes) |
| Expedited deprovisioning | Within 3 days of end of subscription | All user data is deleted. You can request expedited subscription deprovisioning by calling Support. Support will generate a lockout code. You must enter the lockout code in the admin portal. User data, documents, email, including mailboxes on hold and inactive mailboxes, are deleted. The tenant is removed as per normal tenant lifecycle. |

See What happens to my data and access when my Office 365 for business subscription ends? in Office 365 documentation for details.

There are a few compliance-related questions arising out of end of subscription.

1. How quickly will you delete data after my organization’s Office 365 service ends?
Some time after 120 days. The jobs that delete data do so based on service load. You can expect data to be permanently deleted in a reasonable timeframe after the 120 days have elapsed.

2. How can I ensure my organization’s Office 365 data is deleted quickly after service ends?
Many security and compliance-minded organizations want to ensure there’s no residual data in a cloud service after they end service. Office 365 customers can request expedited deprovisioning by calling Support. Expedited deprovisioning ensures your users' data is deleted within 3 days.

3. Is data immutability maintained after service ends? (In other words, are mailboxes placed on In-Place Hold or Litigation Hold retained after service ends?)
By far one of the most frequently asked questions. Data immutability refers to the ability to preserve data – in essence, protecting it from destruction and tampering. See links to additional resources on Immutability, In-Place Hold and Litigation Hold below.
No. Microsoft’s responsibility as a service provider ends after your service ends, which is when you stop being a customer/subscriber of the service. As noted above, data is permanently deleted when your tenant account enters the deprovisioning state, within a reasonable time after 120 days of end of subscription, or within 3 days if you request expedited deprovisioning. Mailboxes placed on In-Place Hold or Litigation Hold, including inactive mailboxes, are also deleted as part of deprovisioning.

Immutability in Office 365 and Exchange

Since publishing this post, I've received some questions about how we achieve immutability in Office 365 and Exchange.
Check out the following resources for answers:

Blog and whitepaper: Office 365 Exchange Online Archiving now meets SEC Rule 17a-4 requirements
Whitepaper: Achieving Immutability with Exchange Online and Exchange Server 2013
AskPerry blog: Immutability in Exchange
Blog: In-Place eDiscovery and In-Place Hold in the New Exchange – Part II
Documentation: In-Place Hold and Litigation Hold

Bharat Suneja

Updates

3/16/2017: Added following clarification about expedited deprovisioning: You can request expedited subscription deprovisioning by calling Support. Support will generate a lockout code. You must enter the lockout code in the admin portal. User data, documents, email, including mailboxes on hold and inactive mailboxes, are deleted. The tenant is removed as per normal tenant lifecycle.

Changed "All customer data is deleted" to "All user data is deleted" in table.