mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)
This commit is contained in:
commit
00130f2271
@ -52,9 +52,11 @@
## [Environment considerations for HoloLens](hololens-environment-considerations.md)
## [Spatial mapping on HoloLens](hololens-spaces.md)

# Update and recovery
# Update, troubleshoot, or recover HoloLens
## [Update, troubleshoot, or recover HoloLens](hololens-management-overview.md)
## [Update HoloLens](hololens-update-hololens.md)
## [Restart, reset, or recover](hololens-recovery.md)
## [Troubleshoot HoloLens](hololens-troubleshooting.md)
## [Known issues](hololens-known-issues.md)
## [Frequently asked questions](hololens-faq.md)

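Review bot: the new node `# Update, troubleshoot, or recover HoloLens` and the overview entry `## [Update, troubleshoot, or recover HoloLens](hololens-management-overview.md)` directly under it carry identical text, so the TOC shows the same title twice in a row; keep a shorter node title (the replaced `# Update and recovery` would do) with the overview page as its first child. Also, the overview page added in this commit links to `hololens-updates.md` ("Manage updates on many HoloLens"), which this hunk does not add to the TOC; check that it is listed elsewhere in toc.md.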
32
devices/hololens/hololens-management-overview.md
Normal file
@ -0,0 +1,32 @@
---
title: Update, troubleshoot, or recover HoloLens
description:
author: Teresa-Motiv
ms.author: v-tea
ms.date: 11/27/2019
ms.prod: hololens
ms.topic: article
ms.custom: CSSTroubleshooting
audience: ITPro
keywords: issues, bug, troubleshoot, fix, help, support, HoloLens
manager: jarrettr
ms.localizationpriority: medium
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---

# Update, troubleshoot, or recover HoloLens

The articles in this section help you keep your HoloLens up-to-date and help you resolve any issues that you encounter.

**In this section**

| Article | Description |
| --- | --- |
| [Update HoloLens](hololens-update-hololens.md) | Describes how to identify the build number of your device, and how to update your device manually. |
| [Manage updates on many HoloLens](hololens-updates.md) | Describes how to use policies to manage device updates. |
| [Restart, reset, or recover](hololens-recovery.md) | Describes how to restart, reset, or recover a HoloLens device |
| [Troubleshoot HoloLens](hololens-troubleshooting.md) | Describes solutions to common HoloLens problems. |
| [Known issues](hololens-known-issues.md) | Describes known HoloLens issues. |
| [Frequently asked questions](hololens-faq.md) | Provides answers to common questions about HoloLens.|
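Review bot: `description:` in the front matter is empty, so the page ships without a meta description; fill it with a one-line summary of the table. Minor: the "Restart, reset, or recover" row has no terminating period and the FAQ row is missing the space before its closing `|`, unlike the other rows.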
92
devices/hololens/hololens-troubleshooting.md
Normal file
@ -0,0 +1,92 @@
---
title: HoloLens troubleshooting
description: Solutions for common HoloLens issues.
author: mattzmsft
ms.author: mazeller
ms.date: 12/02/2019
ms.prod: hololens
ms.topic: article
ms.custom: CSSTroubleshooting
audience: ITPro
ms.localizationpriority: medium
keywords: issues, bug, troubleshoot, fix, help, support, HoloLens
manager: jarrettr
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---

# Troubleshooting HoloLens issues

This article describes how to resolve several common HoloLens issues.

## My HoloLens is unresponsive or won’t start

If your HoloLens won't start:

- If the LEDs next to the power button don't light up, or only one LED briefly blinks, you may need to charge your HoloLens.
- If the LEDs light up when you press the power button but you can't see anything on the displays, hold the power button until all five of the LEDs turn off.

If your HoloLens becomes frozen or unresponsive:

- Turn off your HoloLens by pressing the power button until all five of the LEDs turn themselves off, or for 10 seconds if the LEDs are unresponsive. To start your HoloLens, press the power button again.

If these steps don't work, you can try [recovering your device](hololens-recovery.md).

## Holograms don't look good or are moving around

If your holograms are unstable, jumpy, or don’t look right, try one of these fixes:

- Clean your device visor and make sure that nothing is obstructing the sensors.
- Make sure that there’s enough light in your room.
- Try walking around and looking at your surroundings so that HoloLens can scan them more completely.
- Try running the Calibration app. It calibrates your HoloLens to work best for your eyes. Go to **Settings** > **System** > **Utilities**. Under **Calibration**, select **Open Calibration**.

## HoloLens doesn’t respond to my gestures

To make sure that HoloLens can see your gestures, keep your hand in the gesture frame. The gesture frame extends a couple of feet on either side of you. When HoloLens can see your hand, the cursor changes from a dot to a ring. Learn more about [using gestures](hololens1-basic-usage.md#use-hololens-with-your-hands).

If your environment is too dark, HoloLens might not see your hand, so make sure that there’s enough light.

If your visor has fingerprints or smudges, use the microfiber cleaning cloth that came with the HoloLens to clean your visor gently.

## HoloLens doesn’t respond to my voice commands.

If Cortana isn’t responding to your voice commands, make sure Cortana is turned on. On the All apps list, select **Cortana** > **Menu** > **Notebook** > **Settings** to make changes. To learn more about what you can say, see [Use your voice with HoloLens](hololens-cortana.md).

## I can’t place holograms or see holograms that I previously placed

If HoloLens can’t map or load your space, it enters Limited mode and you won’t be able to place holograms or see holograms that you’ve placed. Here are some things to try:

- Make sure that there’s enough light in your environment so HoloLens can see and map the space.
- Make sure that you’re connected to a Wi-Fi network. If you’re not connected to Wi-Fi, HoloLens can’t identify and load a known space.
- If you need to create a new space, connect to Wi-Fi, then restart your HoloLens.
- To see if the correct space is active, or to manually load a space, go to **Settings** > **System** > **Spaces**.
- If the correct space is loaded and you’re still having problems, the space may be corrupt. To fix this issue, select the space, then select **Remove**. After you remove the space, HoloLens starts to map your surroundings and create a new space.

## My HoloLens frequently enters Limited mode or shows a “Tracking lost” message

If your device often shows a "Limited mode" or "Tracking lost" message, try the suggestions listed in [My Holograms don't look good or are moving around](#holograms-dont-look-good-or-are-moving-around).

## My HoloLens can’t tell what space I’m in

If your HoloLens can’t identify and load the space you’re in automatically, check the following factors:

- Make sure that you’re connected to Wi-Fi
- Make sure that there’s plenty of light in the room
- Make sure that there haven’t been any major changes to the surroundings.

You can also load a space manually or manage your spaces by going to **Settings** > **System** > **Spaces**.

## I’m getting a “low disk space” error

You’ll need to free up some storage space by doing one or more of the following:

- Delete some unused spaces. Go to **Settings** > **System** > **Spaces**, select a space that you no longer need, and then select **Remove**.
- Remove some of the holograms that you’ve placed.
- Delete some pictures and videos from the Photos app.
- Uninstall some apps from your HoloLens. In the **All apps** list, tap and hold the app you want to uninstall, and then select **Uninstall**.

## My HoloLens can’t create a new space

The most likely problem is that you’re running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
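Review bot: the heading `## HoloLens doesn’t respond to my voice commands.` ends with a period while no other heading in the file does; drop it so the generated anchor stays consistent. The cross-reference in the "Limited mode" section points at `#holograms-dont-look-good-or-are-moving-around`, which matches the heading slug, but its link text reads "My Holograms don't look good or are moving around" whereas the heading is "Holograms don't look good or are moving around"; align the text with the heading. Under "My HoloLens can’t tell what space I’m in", the first two bullets have no terminal punctuation while the third does.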
@ -84,7 +84,7 @@ Valid values:


The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.

# Configuration Example
## Configuration Example

These generic code portions for the options **ProxySettingsPerUser**, **Autodetect**, and **SetupScriptURL** can be used for a specific operation, for example Replace. Only enter the portion of code needed in the **Replace** section.
```xml
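Review bot: demoting `# Configuration Example` to `##` is right, since the article should have a single H1. While this paragraph is being touched, "Only enter the portion of code needed in the **Replace** section" does not say which part of the XML sample that is; name the element of the sample that belongs inside the Replace command so readers do not paste the whole block.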
@ -30,13 +30,8 @@ You can access the Query tool from within Compatibility Administrator. The Query


For information about the Search feature, see [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md). However, the Query tool provides more detailed search criteria, including tabs that enable you to search the program properties, the compatibility fix properties, and the fix description. You can perform a search by using SQL SELECT and WHERE clauses, in addition to searching specific types of databases.

<<<<<<< HEAD
> [!IMPORTANT]
> You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator.
=======
>[!IMPORTANT]
>You must perform your search with the correct version of the Compatibility Administrator tool. To use the Query tool to search for a 32-bit custom database, you must use the 32-bit version of Compatibility Administrator. To use the Query tool to search for a 64-bit custom database, you must use the 64-bit version of Compatibility Administrator.
>>>>>>> bfaab3359a63dde24e6d0dca11b841e045c481f6

## Querying by Using the Program Properties Tab

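Review bot: this hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> bfaab3359a63dde24e6d0dca11b841e045c481f6`) into the article body, where they will render as literal text and duplicate the IMPORTANT callout. The two sides differ only in the space after `>`; keep one copy (the `> [!IMPORTANT]` form with the space matches the other callouts in this commit) and delete the markers before merging.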
@ -23,7 +23,7 @@ The Windows Defender AV Status section deals with data concerning signature and

>[!NOTE]
>Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/Licensing/product-licensing/windows10.aspx).

# Windows Defender AV Status sections
## Windows Defender AV Status sections
The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query.

The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation.
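Review bot: the heading demotion to `##` is correct. In the NOTE above it, the link text "Windows Defender ATP portal" uses the old product name while the rest of this commit says "Microsoft Defender ATP"; update the text (the URL can stay). "E3, B, F1, VL Professional and below licenses" reads awkwardly; "E3, B, F1, and VL Professional (and lower) licenses" is clearer.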
@ -131,16 +131,16 @@ Introduced in Windows 10, version 1703, this policy setting configures the TPM t

> - Disable it from group policy
> - Clear the TPM on the system

# TPM Group Policy settings in the Windows Security app
## TPM Group Policy settings in the Windows Security app

You can change what users see about TPM in the Windows Security app. The Group Policy settings for the TPM area in the Windows Security app are located at:

**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security**

## Disable the Clear TPM button
### Disable the Clear TPM button
If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use.

## Hide the TPM Firmware Update recommendation
### Hide the TPM Firmware Update recommendation
If you don't want users to see the recommendation to update TPM firmware, you can disable it with this setting. Select **Enabled** to prevent users from seeing a recommendation to update their TPM firmware when a vulnerable firmware is detected.

## Related topics

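Review bot: the heading levels are now consistent (`##` for the app section, `###` for the two settings). For "Hide the TPM Firmware Update recommendation", the text says the notice appears "when a vulnerable firmware is detected" but does not say that enabling the policy only suppresses the notice and leaves the firmware as it is; add a sentence to that effect so administrators do not read the setting as a fix, and link the firmware-update guidance from Related topics.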
@ -4,8 +4,8 @@

### [What is Microsoft Defender Advanced Threat Protection?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
### [Overview of Microsoft Defender ATP capabilities](microsoft-defender-atp/overview.md)
### [Threat & Vulnerability Management]()
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Configuration score](microsoft-defender-atp/configuration-score.md)
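Review bot: `### [Threat & Vulnerability Management]()` has an empty link target, which yields a dead TOC node; point it at an overview page or use the plain-text node form. The `Supported operating systems and platforms` entry appears on both sides of the hunk, so it is only being moved above `Next-generation capabilities`; that part is fine.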
@ -56,6 +56,3 @@ For information about reducing the number of events generated in this subcategor

**Events List:**

- [4661](event-4661.md)(S, F): A handle to an object was requested.

#

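Review bot: the bare `#` after the Events List is an empty heading; the hunk's line counts (6 to 3) indicate it and the trailing blank lines are being removed, which is the right fix. Consider also adding a space between `[4661](event-4661.md)` and `(S, F)` so the audit flags do not run into the link.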
@ -102,7 +102,7 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft


- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
- [Threat remediation](microsoft-defender-atp/automated-investigations.md#how-threats-are-remediated)
- [Manage automated investigations](microsoft-defender-atp/manage-auto-investigation.md)
- [Manage automated investigation](microsoft-defender-atp/manage-auto-investigation.md)
- [Analyze automated investigation](microsoft-defender-atp/manage-auto-investigation.md#analyze-automated-investigations)

<a name="ss"></a>
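Review bot: the link text changes to the singular "Manage automated investigation", but the next entry links to `#analyze-automated-investigations` (plural) with singular text; verify that heading slug exists in manage-auto-investigation.md and make the two entries agree in number.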
@ -30,7 +30,7 @@ Use the following advanced features to get better protected from potentially mal


## Automated investigation

When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md).
When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).

## Live response

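Review bot: the link text becomes "Automated investigation" (capital A, singular) while the target page's heading in this same commit is "Overview of automated investigations" (lowercase, plural); pick one form for both.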
@ -44,7 +44,7 @@ Enabling this feature allows you to run unsigned scripts in a live response sess


## Auto-resolve remediated alerts

For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.
For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.

>[!TIP]
>For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.

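Review bot: the TIP reads "For tenants created prior that version"; it should be "prior to that version", and "version 1809 the" in the main sentence needs a comma after "1809". Since alerts with "No threats found" or "Remediated" are closed automatically by default, say where auto-resolved alerts can still be reviewed (this commit's automated-investigations page describes the Action center as the audit trail for automated investigation actions).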
@ -46,7 +46,7 @@ Read the walkthrough document provided with each attack scenario. Each document


- **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity.

- **Scenario 3: Automated incident response** - triggers Automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
- **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.

2. Download and read the corresponding walkthrough document provided with your selected scenario.

@ -29,9 +29,6 @@ The action center consists of two main tabs:

- All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability.
- Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.




Use the Customize columns drop-down menu to select columns that you'd like to show or hide.

From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
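Review bot: "All commands ran" should be "All commands run", and "Customize columns" should be bold like **Export** in the following paragraph since both are UI labels. The blank-line removal itself is fine.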
@ -1,5 +1,5 @@

---
title: Use Automated investigations to investigate and remediate threats
title: Use automated investigations to investigate and remediate threats
description: View the list of automated investigations, its status, detection source and other details.
keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
search.product: eADQiWindows 10XVcnh
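Review bot: in `description:`, "the list of automated investigations, its status" should be "their status". The title casing change matches the new H1.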
@ -8,8 +8,8 @@ ms.prod: w10

ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@ -17,72 +17,70 @@ ms.collection: M365-security-compliance

ms.topic: conceptual
---

# Overview of Automated investigations
# Overview of automated investigations

Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually.

The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated.

>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)

The Microsoft Defender ATP service has a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address.

## Understand the automated investigation flow

To address this challenge, Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
### How the automated investigation starts

The Automated investigations list shows all the investigations that have been initiated automatically and shows other details such as its status, detection source, and the date for when the investigation was initiated.

## Understand the Automated investigation flow

### How the Automated investigation starts

Entities are the starting point for Automated investigations. When an alert contains a supported entity for Automated investigation (for example, a file) that resides on a machine that has a supported operating system for Automated investigation then an Automated investigation can start.
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (Malicious, Suspicious, and Clean) are available during and after the automated investigation.

>[!NOTE]
>Currently, Automated investigation only supports the following OS versions:
>- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441)) or later
>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/en-us/help/4493464/windows-10-update-kb4493464)) or later
>Currently, automated investigation only supports the following OS versions:
>- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
>- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
>- Later versions of Windows 10

The Automated investigation starts by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view.
### Details of an automated investigation

### Details of an Automated investigation
During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Evidence**, **Entities**, and **Log** tabs.

As the investigation proceeds, you'll be able to view the details of the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Evidence**, **Entities**, and **Log** tabs.
|Tab |Description |
|--|--|
|**Alerts**| Shows the alert that started the investigation.|
|**Machines** |Shows where the alert was seen.|
|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *Clean*). |
|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
|**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. |

In the **Alerts** tab, you'll see the alert that started the investigation.
> [!IMPORTANT]
> Go to the **Action center** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.

The **Machines** tab shows where the alert was seen.
### How an automated investigation expands its scope

The **Evidence** tab shows the entities that were found to be malicious during the investigation.
While an investigation is running, any other alerts generated from the machine are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.

During an Automated investigation, details about each analyzed entity is categorized in the **Entities** tab. You'll be able to see the determination for each entity type, such as whether it was determined to be malicious, suspicious, or clean.

The **Log** tab reflects the chronological detailed view of all the investigation actions taken on the alert.

If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. You can also go to the **Action center** to get an aggregated view all pending actions and manage remediaton actions. It also acts as an audit trail for all Automated investigation actions.

### How an Automated investigation expands its scope

While an investigation is running, any other alert generated from the machine will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.

If an incriminated entity is seen in another machine, the Automated investigation will expand the investigation to include that machine and a generic machine playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
If an incriminated entity is seen in another machine, the automated investigation process will expand its scope to include that machine, and a general security playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.

### How threats are remediated

Depending on how you set up the machine groups and their level of automation, the Automated investigation will either require user approval (default) or automatically remediate threats.
Depending on how you set up the machine groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.

You can configure the following levels of automation:

Automation level | Description
:---|:---
Not protected | Machines will not get any automated investigations run on them.
Semi - require approval for any remediation | This is the default automation level.<br><br> An approval is needed for any remediation action.
Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. <br><br> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.
Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will automatically be remediated if needed.
Full - remediate threats automatically | All remediation actions will be performed automatically.
|Automation level | Description|
|---|---|
|Not protected | Machines do not get any automated investigations run on them. |
|Semi - require approval for any remediation | This is the default automation level.<br><br> An approval is needed for any remediation action. |
|Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. <br><br> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.|
|Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will automatically be remediated if needed.|
|Full - remediate threats automatically | All remediation actions will be performed automatically.|

For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups.md).
> [!TIP]
> For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups.md).

The default machine group is configured for semi-automatic remediation. This means that any malicious entity that needs to be remediated requires an approval and the investigation is added to the **Pending actions** section, this can be changed to fully automatic so that no user approval is needed.
The default machine group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed.

When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.

## Related topic
## Next step

- [Learn about the automated investigations dashboard](manage-auto-investigation.md)

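Review bot: the scope-expansion paragraph says that finding 10 or more machines "will require an approval and will be seen in the **Pending actions** view" without saying whether that still holds for machine groups at the "Full - remediate threats automatically" level, whose table row says "All remediation actions will be performed automatically"; state explicitly whether the 10-machine gate overrides the automation level, since administrators size their approval workload on that. Smaller points in the same hunk: the IMPORTANT callout reads "aggregated view all pending actions" and is missing "of"; the new "How the automated investigation starts" paragraph drops the old text's statement that the entity must sit on a machine with a supported OS, which the NOTE below still depends on, so consider keeping one clause of it.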
@ -50,4 +50,3 @@ signer | String | File signer.

issuer | String | File issuer.
signerHash | String | Hash of the signing certificate.
isValidCertificate | Boolean | Was signing certificate successfully verified by Microsoft Defender ATP agent.

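Review bot: the `isValidCertificate` description "Was signing certificate successfully verified by Microsoft Defender ATP agent." is a question fragment; rewrite as "Whether the signing certificate was successfully verified by the Microsoft Defender ATP agent." A short clause that a verified signature establishes the publisher's identity, not that the file is benign, would help, since this field sits beside `signer` and `issuer` that readers may treat as trust signals.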
@ -123,4 +123,3 @@ Content-type: application/json

]
}
```

@ -26,7 +26,7 @@ ms.topic: article
|
||||
Initiate AutoIR investigation on a machine.
>[!Note]
> This page focuses on performing an automated investigation on a machine. See [Automated Investigation](automated-investigations.md) for more information.
> This page focuses on performing an automated investigation on a machine. See [automated investigation](automated-investigations.md) for more information.
## Limitations
1. The number of executions is limited (up to 5 calls per hour).
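Review bot: the note's link text is changed to lowercase "automated investigation", but the summary line at the top of the hunk still says "Initiate AutoIR investigation on a machine." Suggest "Initiate an automated investigation on a machine." so the page uses one term for the feature.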
@ -54,7 +54,7 @@ The machine details section provides information such as the domain, OS, and hea
Response actions run along the top of a specific machine page and include:
- Manage tags
- Initiate Automated Investigation
- Initiate automated investigation
- Initiate Live Response Session
- Collect investigation package
- Run antivirus scan
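Review bot: only one item in this list is changed to sentence case ("Initiate automated investigation") while "Initiate Live Response Session" two lines below keeps title case. These are names of response-action buttons, so either match what the portal shows for both or apply sentence case to both; mixing them in one list looks like an oversight.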
@ -18,7 +18,7 @@ ms.topic: conceptual
---
# Learn about the automated investigations dashboard
By default, the Automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
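Review bot: the rewritten sentence keeps "You can also choose to select other time ranges"; "choose to select" is redundant. Suggest "You can also select other time ranges from the drop-down menu or specify a custom range."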
@ -31,14 +31,14 @@ From this view, you can also download the entire list in CSV format using the **
**Filters**</br>
You can use the following operations to customize the list of Automated investigations displayed:
You can use the following operations to customize the list of automated investigations displayed:
**Triggering alert**</br>
The alert the initiated the Automated investigation.
The alert the initiated the automated investigation.
**Status**</br>
An Automated investigation can be in one of the following status:
An automated investigation can be in one of the following status:
Status | Description
:---|:---
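Review bot: the casing fix on the Triggering alert line carries a typo over unchanged: "The alert the initiated the automated investigation." should read "The alert that initiated the automated investigation." Likewise, under Status, "one of the following status" should be "one of the following statuses" in the rewritten line.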
@ -57,26 +57,26 @@ Status | Description
**Detection source**</br>
Source of the alert that initiated the Automated investigation.
Source of the alert that initiated the automated investigation.
**Threat**</br>
The category of threat detected during the Automated investigation.
The category of threat detected during the automated investigation.
**Tags**</br>
Filter using manually added tags that capture the context of an Automated investigation.
Filter using manually added tags that capture the context of an automated investigation.
**Machines**</br>
You can filter the Automated investigations list to zone in a specific machine to see other investigations related to the machine.
You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine.
**Machine groups**</br>
Apply this filter to see specific machine groups that you might have created.
**Comments**</br>
Select between filtering the list between Automated investigations that have comments and those that don't.
Select between filtering the list between automated investigations that have comments and those that don't.
## Analyze Automated investigations
You can view the details of an Automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
## Analyze automated investigations
You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
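Review bot: two wording problems survive the casing changes in this hunk. Under Machines, "zone in a specific machine" should be "zero in on a specific machine". Under Comments, "Select between filtering the list between automated investigations that have comments and those that don't" doubles "between"; suggest "Filter the list to show automated investigations that have comments or those that don't." The closing sentence would also read better as "the name of the investigation and when it started and ended."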
@ -118,14 +118,14 @@ You'll also have access to the following sections that help you see details of t
In any of the sections, you can customize columns to further expand to limit the details you see in a section.
### Investigation graph
The investigation graph provides a graphical representation of an Automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
### Alerts
Shows details such as a short description of the alert that initiated the Automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
Additional alerts seen on a machine can be added to an Automated investigation as long as the investigation is ongoing.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, Automated investigation details, related machine, logged-on users, and comments and history.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
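Review bot: the rewritten lines keep "brings you the relevant section" (Investigation graph) and "brings you the alert page" (last line); both need "to" ("brings you to the relevant section"). The alert-selection sentence also mixes verb forms ("the option of opening the alert page, manage the alert by changing its status, see alert details"); make them parallel, for example "the option to open the alert page, manage the alert by changing its status, and see alert details, automated investigation details, ...".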
@ -158,11 +158,11 @@ This tab is only displayed when an investigation is complete and shows all pendi
## Pending actions
If there are pending actions on an Automated investigation, you'll see a pop up similar to the following image.
If there are pending actions on an automated investigation, you'll see a pop up similar to the following image.

When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **Automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**. For more information, see [Action center](auto-investigation-action-center.md).
## Related topic
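Review bot: the navigation path "**automated investigation** > **Action center**" is a bolded UI menu label, not running prose, so its casing should match what the portal menu actually shows rather than the sentence-case convention applied to the rest of this change; check the menu name before lowercasing it. Also, "pop up" used as a noun ("you'll see a pop up similar to") should be "pop-up".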
@ -32,7 +32,7 @@ Method|Return Type |Description
For more information on creating indicators, see [Manage indicators](manage-indicators.md).
# Properties
## Properties
Property | Type | Description
:---|:---|:---
indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity.
@ -52,9 +52,9 @@ Area | Description
(1) Menu | Select menu to expand the navigation pane and see the names of the Threat & Vulnerability Management capabilities.
(2) Threat & Vulnerability Management navigation pane | Use the navigation pane to move across the **Threat and Vulnerability Management Dashboard**, **Security recommendations**, **Remediation**, **Software inventory**, and **Weaknesses**.
**Dashboards** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data.
**Security recommendations** | See the list of security recommendations, their related components, whether applications in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
**Security recommendations** | See the list of security recommendations, their related components, whether the software in your network have reached their end-of-life, insights, number or exposed devices, impact, and request for remediation. You can click each item on the list, a flyout panel opens with vulnerability details, open the software page, see the remediation, and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. See [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) for more information.
**Remediation** | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. See [Remediation and exception](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation) for more information.
**Software inventory** | See the list of applications, versions, weaknesses, whether there’s an exploit found on the application, whether the application has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
**Software inventory** | See the list of software, versions, weaknesses, whether there’s an exploit found on the software, whether the software has reached its end-of-life, prevalence in the organization, how many were installed, how many exposed devices are there, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. See [Software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) for more information.
**Weaknesses** | See the list of common vulnerabilities and exposures, the severity, its common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines are there. You can select each item in the list and it opens a flyout panel with the vulnerability description and other details. See [Weaknesses](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) for more information.
(3) Threat & Vulnerability Management dashboard | Access the **Exposure score**, **Configuration score**, **Exposure distribution**, **Top security recommendations**, **Top vulnerable software**, **Top remediation activities**, and **Top exposed machines**.
**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data that you want to see in the dashboard and widgets by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages only.
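Review bot: the rewritten Security recommendations row introduces a subject-verb mismatch, "whether the software in your network have reached their end-of-life"; "software" is a mass noun, so "has reached its end of life" (the rewritten Software inventory row already uses "has reached its"). The same row also carries over the typo "number or exposed devices" for "number of exposed devices".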
@ -62,7 +62,7 @@ Area | Description
**Organization Configuration score** | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. You can click the bars and it takes you to the **Security recommendation** page for details. See [Configuration score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score) for more information.
**Machine exposure distribution** | See how many machines are exposed based on their exposure level. You can click the sections in the doughnut chart and it takes you to the **Machines list** page where you'll see the affected machine names, exposure level side by side with risk level, among other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization’s risk exposure and the urgency that it requires. Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights . You can drill down on the security recommendation to see the potential risks, list of exposed machines, and read the insights. Thus, providing you with an informed decision to either proceed with a remediation request. Click **Show more** to see the rest of the security recommendations in the list.
**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable application list in the **Software inventory** page.
**Top vulnerable software** | Get real-time visibility into the organizational software inventory, with stack-ranked list of vulnerable software installed on your network’s devices and how they impact on your organizational exposure score. Click each item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
**Top remediation activities** | Track the remediation activities generated from the security recommendations. You can click each item on the list to see the details in the **Remediation** page or click **Show more** to see the rest of the remediation activities, and active exceptions.
**Top exposed machines** | See the exposed machine names and their exposure level. You can click each machine name from the list and it will take you to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, discovered vulnerabilities associated with the exposed machines. You can also do other EDR-related tasks in it, such as: manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. You can also click **Show more** to see the rest of the exposed machines list.
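Review bot: the rewritten Top vulnerable software row keeps "how they impact on your organizational exposure score"; with "impact" as a verb the "on" is wrong, suggest "how they affect your organizational exposure score". In the unchanged Top security recommendations row, "Useful icons also quickly calls your attention on possible active alerts , associated public exploits , and recommendation insights ." has a number mismatch ("icons ... call") and stray spaces before the commas and period where the inline icon images sit; worth checking that those images still render.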
@ -50,7 +50,7 @@ You can access the remediation page in a few places in the portal:
If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
*Remediation in the navigation menu*
1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of applications which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter.
1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. You can filter your view based on remediation type, machine remediation progress, and exception justification. If you want to see the remediation activities of software which have reached their end-of-life, select **Software uninstall** from the **Remediation type** filter.
2. Select the remediation activity that you need to see or process.
*Top remediation activities widget in the dashboard*
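Review bot: the rewritten step 1 says "remediation activities of software which have reached their end-of-life"; with "software" as a mass noun this should be "software that has reached its end of life", matching the wording used for the same filter on the Software inventory page.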
@ -53,7 +53,7 @@ You can click on each one of them and see the details, the description, the pote
From that page, you can do any of the following depending on what you need to do:
- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, application end-of-life, and charts so you can see the exposure trend over time.
- Open software page - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software end-of-life, and charts so you can see the exposure trend over time.
- Choose from remediation options - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
@ -28,14 +28,14 @@ ms.date: 04/11/2019
Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it.
## Navigate through your software inventory
1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of applications installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the applications, threats associated with them, and whether the applications have reached their end-of-life.
2. In the **Software inventory** page, select the application that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**.
3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the application, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
1. Select **Software inventory** from the Threat & Vulnerability management navigation menu. The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact, tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software have reached their end-of-life.
2. In the **Software inventory** page, select the software that you want to investigate and a flyout panel opens up with the same details mentioned above but in a more compact view. You can either dive deeper into the investigation and select **Open software page** or flag any technical inconsistencies by selecting **Report inaccuracy**.
3. Select **Open software page** to dive deeper into your software inventory to see how many weaknesses are discovered in the software, devices exposed, installed machines, version distribution, and the corresponding security recommendations for the weaknesses and vulnerabilities identified.
## How it works
In the field of discovery, we are leveraging the same set of signals in Microsoft Defender ATP's endpoint detection and response that's responsible for detection, for vulnerability assessment.
Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available.
Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular software is connected to a live threat campaign. It also provides a link to a Threat Analytics report soon as it's available.
## Report inaccuracy
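Review bot: the rewritten "How it works" sentence treats the mass noun as countable, "a particular software is connected to a live threat campaign"; suggest "a particular piece of software" or "a specific product". The same line carries over "you'll will see" (drop "will") and "soon as it's available" ("as soon as"), and the rewritten step 1 has "whether the software have reached their end-of-life", which should be "has reached its end of life" to match step 3.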
@ -55,8 +55,8 @@ You can report a false positive when you see any vague, inaccurate version, inco
5. Include your machine name for investigation context.
>[!NOTE]
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
>[!NOTE]
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
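Review bot: the [!NOTE] block appears twice in this hunk with identical text; if the change moves the note between steps 5 and 6 rather than duplicating it, that is fine, but confirm the rendered page ends up with a single copy. Step 6 also refers to "Threat & Vulnerability Management experts" while the note says "threat and vulnerability management investigators"; pick one term for the team.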