deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 21:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

machine to endpoint

Browse Source
This commit is contained in:
Joey Caparas
2018-03-22 17:05:52 -07:00
parent 269088a887
commit 0092abbd0e
31 changed files with 200 additions and 199 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
View File

@ -63,7 +63,7 @@ You can sort and filter the alerts using the available filters or clicking on a
Alert severity | Description
:---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.

6
windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
View File

@ -61,7 +61,7 @@ ms.date: 04/16/2018
9. Click **OK** and close any open GPMC windows.
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
## Additional Windows Defender ATP configuration settings
For each machine, you can state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
@ -115,7 +115,7 @@ Possible values are:
The default value in case the registry key doesnt exist is Normal.
## Offboard machines using Group Policy
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
@ -159,7 +159,7 @@ With Group Policy there isnt an option to monitor deployment of policies on t
3. Verify that machines are appearing.
> [!NOTE]
> It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
> It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Related topics

2
windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -95,7 +95,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
When the policy is deployed and is propagated, machines will be shown in the **Machines list**.
You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
You can use the following onboarding policies to deploy configuration settings on machines. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines

4
windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
View File

@ -67,7 +67,7 @@ You can use existing System Center Configuration Manager functionality to create
> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
### Configure sample collection settings
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
@ -145,7 +145,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
### Monitor endpoint configuration
### Monitor machine configuration
Monitoring with SCCM consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network.

28
windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
View File

@ -58,16 +58,16 @@ You can also manually onboard individual machines to Windows Defender ATP. You m
5. Press the **Enter** key or click **OK**.
For information on how you can manually validate that the endpoint is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
For information on how you can manually validate that the machine is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
>[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file.
You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file.
The configuration is set through the following registry key entry:
@ -79,17 +79,17 @@ Value: 0 or 1
Where:<br>
Name type is a D-WORD. <br>
Possible values are:
- 0 - doesn't allow sample sharing from this endpoint
- 1 - allows sharing of all file types from this endpoint
- 0 - doesn't allow sample sharing from this machine
- 1 - allows sharing of all file types from this machine
The default value in case the registry key doesnt exist is 1.
## Offboard machines using a local script
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
@ -101,9 +101,9 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
3. Open an elevated command-line prompt on the machine and run the script:
a. Go to **Start** and type **cmd**.
@ -119,17 +119,17 @@ For security reasons, the package used to Offboard machines will expire 30 days
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor endpoint configuration
## Monitor machine configuration
You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running.
Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor endpoints using the portal
### Monitor machines using the portal
1. Go to the Windows Defender ATP portal.
2. Click **Machines list**.
3. Verify that endpoints are appearing.
3. Verify that machines are appearing.
## Related topics
@ -137,5 +137,5 @@ Monitoring can also be done directly on the portal, or by using the different de
- [Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

2
windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Onboard non-persistent virtual desktop infrastructure (VDI) machines
description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service.
keywords: configure virtual desktop infrastructure (VDI) machine, vdi, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
keywords: configure virtual desktop infrastructure (VDI) machine, vdi, machine management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy

8
windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -25,7 +25,7 @@ ms.date: 04/16/2018
[!include[Prerelease information](prerelease.md)]
Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization.
Machines in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization.
Windows Defender ATP supports the following deployment tools and methods:
@ -37,9 +37,9 @@ Windows Defender ATP supports the following deployment tools and methods:
## In this section
Topic | Description
:---|:---
[Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints.
[Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints.
[Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on endpoints.
[Onboard Windows 10 machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on machines.
[Onboard Windows 10 machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on machines.
[Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine.
[Onboard Windows 10 machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.
[Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md) | Learn how to use the configuration package to configure VDI machines.

10
windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -1,5 +1,5 @@
---
title: Configure endpoint proxy and Internet connection settings
title: Configure machine proxy and Internet connection settings
description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service.
keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ ms.date: 10/16/2017
---
# Configure endpoint proxy and Internet connectivity settings
# Configure machine proxy and Internet connectivity settings
**Applies to:**
@ -39,7 +39,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Web Proxy Auto-discovery Protocol (WPAD)
> [!NOTE]
> If you're using Transparent proxy or WPAD in your network topology, you don't need special endpoint configuration settings. For more information on Windows Defender ATP URL exclusions in the proxy, see [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Windows Defender ATP URL exclusions in the proxy, see [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server).
- Manual static proxy configuration:
@ -99,7 +99,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on.
2. Extract the contents of WDATPConnectivityAnalyzer on the endpoint.
2. Extract the contents of WDATPConnectivityAnalyzer on the machine.
3. Open an elevated command-line:
@ -135,5 +135,5 @@ If at least one of the connectivity options returns a (200) status, then the Win
However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

15
windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
View File

@ -40,7 +40,7 @@ To onboard your servers to Windows Defender ATP, youll need to:
- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
>[!TIP]
> After onboarding the endpoint, you can choose to run a detection test to verify that an endpoint is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
### Turn on Server monitoring from the Windows Defender Security Center portal
@ -66,7 +66,8 @@ To onboard your servers to Windows Defender ATP, youll need to:
Once completed, you should see onboarded servers in the portal within an hour.
<span id="server-proxy"/>
### Configure server endpoint proxy and Internet connectivity settings
### Configure server proxy and Internet connectivity settings
- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service:
@ -82,11 +83,11 @@ Once completed, you should see onboarded servers in the portal within an hour.
| winatp-gw-weu.microsoft.com | 443 |
## Onboard Windows Server, version 1803
Youll be able to onboard in the same method available for Windows 10 client endpoints. For more information, see [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
Youll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
1. Install the latest Windows Server Insider build on an endpoint. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).
1. Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).
2. Configure Windows Defender ATP onboarding settings on the Server endpoint. For more information, see [Windows Defender ATP client onboarding](configure-endpoints-windows-defender-advanced-threat-protection.md).
2. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Windows Defender ATP client onboarding](configure-endpoints-windows-defender-advanced-threat-protection.md).
3. If youre running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
@ -115,7 +116,7 @@ For more information, see [To disable an agent](https://docs.microsoft.com/en-us
## Related topics
- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
- [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md)
- [Troubleshooting Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

2
windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -105,7 +105,7 @@ You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
</tr>
<tr>
<td>Polling Interval</td>
<td>Number of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds.</td>
<td>Number of seconds that Splunk will ping the Windows Defender ATP machine. Accepted values are in seconds.</td>
</tr>
<tr>
<td>Set sourcetype</td>

8
windows/security/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md
View File

@ -71,11 +71,11 @@ Click the name of the machine to see details about that machine. For more inform
You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md).
## Machines with active malware detections
The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender Antivirus.
The **Machines with active malware detections** tile will only appear if your machines are using Windows Defender Antivirus.
Active malware is defined as threats that were actively executing at the time of detection.
Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days.
Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of machines with at least one active detection (as **Machines**) over the past 30 days.
![The Machines with active malware detections tile shows the number of threats and machines for each threat category](images/atp-machines-active-threats-tile.png)
@ -93,7 +93,7 @@ Threats are considered "active" if there is a very high probability that the mal
Clicking on any of these categories will navigate to the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
> [!NOTE]
> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
> The **Machines with active malware detections** tile will only appear if your machines are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
## Daily machines reporting
@ -130,7 +130,7 @@ This tile shows the blocked events based on detections from various security com
## Sensor health
The **Sensor health** tile provides information on the individual endpoints ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
The **Sensor health** tile provides information on the individual machines ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
![Sensor health tile](images/atp-tile-sensor-health.png)

2
windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
View File

@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac
## What data does Windows Defender ATP collect?
Microsoft will collect and store information from your configured endpoints in a database specific to the service for administration, tracking, and reporting purposes.
Microsoft will collect and store information from your configured machines in a database specific to the service for administration, tracking, and reporting purposes.
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).

6
windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
View File

@ -33,12 +33,12 @@ The Windows Defender Advanced Threat Protection agent depends on Windows Defende
>[!IMPORTANT]
>Windows Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings.
You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
If an onboarded machine is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
The Windows Defender Antivirus interface will be disabled, and users on the endpoint will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
The Windows Defender Antivirus interface will be disabled, and users on the machine will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).

64
windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
View File

@ -1,5 +1,5 @@
---
title: Review events and errors on endpoints with Event Viewer
title: Review events and errors on Event Viewer
description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start
search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ ms.date: 04/16/2018
---
# Review events and errors on endpoints with Event Viewer
# Review events and errors on Event Viewer
**Applies to:**
@ -27,12 +27,12 @@ ms.date: 04/16/2018
[!include[Prerelease information](prerelease.md)]
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual machines.
For example, if endpoints are not appearing in the **Machines list**, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
For example, if machines are not appearing in the **Machines list**, you might need to look for event IDs on the machines. You can then use this table to determine further troubleshooting steps.
> [!NOTE]
> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
> It can take several days for machines to begin reporting to the Windows Defender ATP service.
**Open Event Viewer and find the Windows Defender ATP service event log:**
@ -65,7 +65,7 @@ For example, if endpoints are not appearing in the **Machines list**, you might
<tr>
<td>2</td>
<td>Windows Defender Advanced Threat Protection service shutdown.</td>
<td>Occurs when the endpoint is shut down or offboarded.</td>
<td>Occurs when the machine is shut down or offboarded.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
@ -91,17 +91,17 @@ The service could not contact the external processing servers at that URL.</td>
<tr>
<td>6</td>
<td>Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>The machine did not onboard correctly and will not be reporting to the portal.</td>
<td>Onboarding must be run before starting the service.<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>7</td>
<td>Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```.</td>
<td>Variable = detailed error description. The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>8</td>
@ -109,28 +109,28 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
<td>**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues. <br><br> **During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
</td>
<td>**Onboarding:** No action required. <br><br> **Offboarding:** Reboot the system.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>9</td>
<td>Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```.</td>
<td>**During onboarding:** The endpoint did not onboard correctly and will not be reporting to the portal. <br><br>**During offboarding:** Failed to change the service start type. The offboarding process continues. </td>
<td>**During onboarding:** The machine did not onboard correctly and will not be reporting to the portal. <br><br>**During offboarding:** Failed to change the service start type. The offboarding process continues. </td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>10</td>
<td>Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly and will not be reporting to the portal.</td>
<td>The machine did not onboard correctly and will not be reporting to the portal.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>11</td>
<td>Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed.</td>
<td>The endpoint onboarded correctly.</td>
<td>The machine onboarded correctly.</td>
<td>Normal operating notification; no action required.<br>
It may take several hours for the endpoint to appear in the portal.</td>
It may take several hours for the machine to appear in the portal.</td>
</tr>
<tr>
<td>12</td>
@ -157,7 +157,7 @@ The service could not contact the external processing servers at that URL.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>18</td>
@ -181,25 +181,25 @@ If this error persists after a system restart, ensure all Windows updates have f
<tr>
<td>25</td>
<td>Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly.
<td>The machine did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>26</td>
<td>Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```.</td>
<td>The endpoint did not onboard correctly.<br>
<td>The machine did not onboard correctly.<br>
It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>27</td>
<td>Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```.</td>
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).<br>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).<br>
Ensure real-time antimalware protection is running properly.</td>
</tr>
<tr>
@ -208,14 +208,14 @@ Ensure real-time antimalware protection is running properly.</td>
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>30</td>
<td>Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```.</td>
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP.</td>
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Windows Defender ATP.</td>
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)<br>
Ensure real-time antimalware protection is running properly.</td>
</tr>
<tr>
@ -233,9 +233,9 @@ Ensure real-time antimalware protection is running properly.</td>
<tr>
<td>33</td>
<td>Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```.</td>
<td>A unique identifier is used to represent each endpoint that is reporting to the portal.<br>
<td>A unique identifier is used to represent each machine that is reporting to the portal.<br>
If the identifier does not persist, the same machine might appear twice in the portal.</td>
<td>Check registry permissions on the endpoint to ensure the service can update the registry.</td>
<td>Check registry permissions on the machine to ensure the service can update the registry.</td>
</tr>
<tr>
<td>34</td>
@ -243,7 +243,7 @@ If the identifier does not persist, the same machine might appear twice in the p
<td>An error occurred with the Windows telemetry service.</td>
<td>[Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostic-data-service-is-enabled).<br>
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
See [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).</td>
</tr>
<tr>
<td>35</td>
@ -337,6 +337,6 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)

8
windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
View File

@ -54,7 +54,7 @@ This status indicates that there's limited communication between the machine and
The following suggested actions can help fix issues related to a misconfigured machine with impaired communications:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br>
- [Ensure the machine has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)</br>
@ -66,17 +66,17 @@ If you took corrective actions and the machine status is still misconfigured, [o
A misconfigured machine with status No sensor data has communication with the service but can only report partial sensor data.
Follow theses actions to correct known issues related to a misconfigured machine with status No sensor data:
- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br>
- [Ensure the machine has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)</br>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)</br>
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-diagnostics-service-is-enabled)</br>
If the endpoints aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)</br>
If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).

2
windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Investigate Windows Defender Advanced Threat Protection alerts
description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
keywords: investigate, investigation, machines, machine, endpoints, endpoint, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
keywords: investigate, investigation, machines, machine, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy

2
windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Investigate machines in the Windows Defender ATP Machines list
description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health.
keywords: machines, endpoints, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh
keywords: machines, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy

10
windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
View File

@ -118,19 +118,19 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
10. You are almost done. Before you can start using Windows Defender ATP you'll need to:
- [Onboard endpoints and setup access](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- Run detection test (optional)
![Image of Onboard endpoints and run detection test](images\atp-onboard-endpoints-run-detection-test.png)
![Image of Onboard machines and run detection test](images\atp-onboard-endpoints-run-detection-test.png)
> [!IMPORTANT]
> If you click **Start using Windows Defender ATP** before onboarding endpoints you will receive the following notification:
> If you click **Start using Windows Defender ATP** before onboarding machines you will receive the following notification:
>![Image of setup imcomplete](images\atp-setup-incomplete.png)
11. After onboarding endpoints you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time.
11. After onboarding machines you can click **Start using Windows Defender ATP**. You will now launch Windows Defender ATP for the first time.
![Image of onboard endpoints](images\atp-onboard-endpoints-WDATP-portal.png)
![Image of onboard machines](images\atp-onboard-endpoints-WDATP-portal.png)
## Related topics
- [Onboard machines to the Windows Defender Advanced Threat Protection service](onboard-configure-windows-defender-advanced-threat-protection.md)

4
windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
View File

@ -30,7 +30,7 @@ The **Machines list** shows a list of the machines in your network, the domain o
Use the Machines list in these main scenarios:
- **During onboarding**<br>
During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
During the onboarding process, the **Machines list** is gradually populated with machines as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
- **Day-to-day work** <br>
The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.
@ -117,7 +117,7 @@ You can sort the **Machines list** by the following columns:
- **Active malware alerts** - Number of active malware detections reported by the machine
> [!NOTE]
> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product.
> The **Active malware detections** filter column will only appear if your machines are using [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) as the active real-time protection antimalware product.
## Related topics

28
windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Minimum requirements for Windows Defender ATP
description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel
description: Minimum network and data storage configuration, machine hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, machine configuration, deployment channel
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -25,7 +25,7 @@ ms.date: 04/16/2018
[!include[Prerelease information](prerelease.md)]
There are some minimum requirements for onboarding your network and endpoints.
There are some minimum requirements for onboarding your network and machines.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
@ -49,7 +49,7 @@ When you run the onboarding wizard for the first time, you must choose where you
> - You cannot change your data storage location after the first-time setup.
> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
### Endpoint hardware and software requirements
### Hardware and software requirements
The Windows Defender ATP agent only supports the following editions of Windows 10:
@ -58,30 +58,30 @@ The Windows Defender ATP agent only supports the following editions of Windows 1
- Windows 10 Pro
- Windows 10 Pro Education
Endpoints on your network must be running one of these editions.
Machines on your network must be running one of these editions.
The hardware requirements for Windows Defender ATP on endpoints is the same as those for the supported editions.
The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions.
> [!NOTE]
> Endpoints that are running mobile versions of Windows are not supported.
> Machines that are running mobile versions of Windows are not supported.
#### Internet connectivity
Internet connectivity on endpoints is required either directly or through proxy.
Internet connectivity on machines is required either directly or through proxy.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
<span id="telemetry-and-diagnostics-settings" />
### Diagnostic data settings
You must ensure that the diagnostic data service is enabled on all the endpoints in your organization.
You must ensure that the diagnostic data service is enabled on all the machines in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
**Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the endpoint:
1. Open an elevated command-line prompt on the machine:
a. Go to **Start** and type **cmd**.
@ -124,16 +124,16 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
## Windows Defender Antivirus signature updates are configured
The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender Antivirus as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard.
If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).

10
windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
View File

@ -33,7 +33,7 @@ ms.date: 04/16/2018
You need to onboard to Windows Defender ATP before you can use the service.
For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
@ -47,11 +47,11 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
## Windows Defender Antivirus configuration requirement
The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
If you are onboarding servers and Windows Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Windows Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
@ -60,10 +60,10 @@ For more information, see [Windows Defender Antivirus compatibility](../windows-
## In this section
Topic | Description
:---|:---
[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded endpoint to verify that it is properly reporting to the Windows Defender ATP service.
[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.

4
windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Windows Defender Advanced Threat Protection portal overview
description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, endpoint management, advanced attacks
keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -44,7 +44,7 @@ When you open the portal, youll see the main areas of the application:
- (3) Search, Community center, Time settings, Help and support, Feedback
> [!NOTE]
> Malware related detections will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
> Malware related detections will only appear if your machines are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.

4
windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
View File

@ -43,7 +43,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)<br>
- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
@ -54,7 +54,7 @@ Windows Defender ATP supports the use of Power BI data connectors to enable you
- [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you, to automate workflows and innovate based on Windows Defender ATP capabilities.
- [Configure non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)<br>
- [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)<br>
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data.

8
windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
View File

@ -73,7 +73,7 @@ The action takes effect on machines with Windows 10, version 1703 or later, wher
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
**Notification on machine user**:</br>
When the file is being removed from an endpoint, the following notification is shown:
When the file is being removed from a machine, the following notification is shown:
![Image of notification on machine user](images/atp-notification-file.png)
@ -89,7 +89,7 @@ For prevalent files in the organization, a warning is shown before an action is
## Remove file from quarantine
You can roll back and remove a file from quarantine if youve determined that its clean after an investigation. Run the following command on each machine where the file was quarantined.
1. Open an elevated commandline prompt on the endpoint:
1. Open an elevated commandline prompt on the machine:
a. Go to **Start** and type cmd.
@ -134,7 +134,7 @@ You can prevent further propagation of an attack in your organization by banning
When the file is blocked, there will be a new event in the machine timeline.</br>
**Notification on machine user**:</br>
When a file is being blocked on the endpoint, the following notification is displayed to inform the user that the file was blocked:
When a file is being blocked on the machine, the following notification is displayed to inform the user that the file was blocked:
![Image of notification on machine user](images/atp-notification-file.png)
@ -234,7 +234,7 @@ If you encounter a problem when trying to submit a file, try each of the followi
3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
4. Verify the policy setting enables sample collection and try to submit the file again.
a. Change the following registry entry and values to change the policy on specific endpoints:
a. Change the following registry entry and values to change the policy on specific machines:
```
HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Value = 0 block sample collection

18
windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Run a detection test on a newly onboarded Windows Defender ATP endpoint
description: Run the detection script on a newly onboarded endpoint to verify that it is properly onboarded to the Windows Defender ATP service.
keywords: detection test, detection, powershell, script, verify, onboarding, windows defender advanced threat protection onboarding, clients, servers, endpoint, test
title: Run a detection test on a newly onboarded Windows Defender ATP machine
description: Run the detection script on a newly onboarded machine to verify that it is properly onboarded to the Windows Defender ATP service.
keywords: detection test, detection, powershell, script, verify, onboarding, windows defender advanced threat protection onboarding, clients, servers, test
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.date: 11/06/2017
---
# Run a detection test on a newly onboarded Windows Defender ATP endpoint
# Run a detection test on a newly onboarded Windows Defender ATP machine
**Applies to:**
@ -24,9 +24,9 @@ ms.date: 11/06/2017
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Run the following PowerShell script on a newly onboarded endpoint to verify that it is properly reporting to the Windows Defender ATP service.
Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
1. Open an elevated command-line prompt on the endpoint and run the script:
1. Open an elevated command-line prompt on the machine and run the script:
a. Go to **Start** and type **cmd**.
@ -40,8 +40,8 @@ Run the following PowerShell script on a newly onboarded endpoint to verify that
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'
```
The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded endpoint in approximately 10 minutes.
The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.
## Related topics
- [Configure client endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure server endpoints](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)

42
windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
View File

@ -90,7 +90,7 @@ You can click on specific date points to see the total score for that security c
Each security control lists recommendations that you can take to increase the security posture of your organization.
### Endpoint detection and response (EDR) optimization
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool.
For an machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for your Endpoint detection and response tool.
>[!IMPORTANT]
>This feature is available for machines on Windows 10, version 1607 or later.
@ -109,13 +109,13 @@ You can take the following actions to increase the overall security score of you
For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
### Windows Defender Antivirus (Windows Defender AV) optimization
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled.
For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AV is fulfilled.
>[!IMPORTANT]
>This feature is available for machines on Windows 10, version 1607 or later.
#### Minimum baseline configuration setting for Windows Defender AV:
Endpoints are considered "well configured" for Windows Defender AV if the following requirements are met:
Machines are considered "well configured" for Windows Defender AV if the following requirements are met:
- Windows Defender AV is reporting correctly
- Windows Defender AV is turned on
@ -127,7 +127,7 @@ Endpoints are considered "well configured" for Windows Defender AV if the follow
You can take the following actions to increase the overall security score of your organization:
>[!NOTE]
> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the endpoint.
> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine.
- Fix antivirus reporting
- This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
@ -154,14 +154,14 @@ For more information, see [Windows Update Troubleshooter](https://support.micros
### Windows Defender Exploit Guard (Windows Defender EG) optimization
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline.
For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on machines so that the minimum baseline configuration setting for Windows Defender EG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender EG events on the Windows Defender ATP Machine timeline.
>[!IMPORTANT]
>This security control is only applicable for endpoints with Windows 10, version 1709 or later.
>This security control is only applicable for machines with Windows 10, version 1709 or later.
#### Minimum baseline configuration setting for Windows Defender EG:
Endpoints are considered "well configured" for Windows Defender EG if the following requirements are met:
Machines are considered "well configured" for Windows Defender EG if the following requirements are met:
- System level protection settings are configured correctly
- Attack Surface Reduction rules are configured correctly
@ -216,13 +216,13 @@ You can take the following actions to increase the overall security score of you
For more information, see [Windows Defender Exploit Guard](../windows-defender-exploit-guard/windows-defender-exploit-guard.md).
### Windows Defender Application Guard (Windows Defender AG) optimization
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline.
For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender AG is fulfilled. When endpoints are configured according to the baseline you'll be able to see Windows Defender AG events on the Windows Defender ATP Machine timeline.
>[!IMPORTANT]
>This security control is only applicable for endpoints with Windows 10, version 1709 or later.
>This security control is only applicable for machines with Windows 10, version 1709 or later.
#### Minimum baseline configuration setting for Windows Defender AG:
Endpoints are considered "well configured" for Windows Defender AG if the following requirements are met:
Machines are considered "well configured" for Windows Defender AG if the following requirements are met:
- Hardware and software prerequisites are met
- Windows Defender AG is turned on compatible machines
@ -243,10 +243,10 @@ For more information, see [Windows Defender Application Guard overview](../windo
### Windows Defender SmartScreen optimization
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled.
>[!IMPORTANT]
>This security control is only applicable for endpoints with Windows 10, version 1709 or later.
>This security control is only applicable for machines with Windows 10, version 1709 or later.
#### Minimum baseline configuration setting for Windows Defender SmartScreen:
The following settings must be configured with the following settings:
@ -265,10 +265,10 @@ For more information, see [Windows Defender SmartScreen](../windows-defender-sma
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
### Windows Defender Firewall optimization
For an endpoint to be considered "well configured", Windows Defender Firewall must be turned on and enabled for all profiles and inbound connections are blocked by default. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Firewall is fulfilled.
For a machine to be considered "well configured", Windows Defender Firewall must be turned on and enabled for all profiles and inbound connections are blocked by default. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Firewall is fulfilled.
>[!IMPORTANT]
>This security control is only applicable for endpoints with Windows 10, version 1709 or later.
>This security control is only applicable for machines with Windows 10, version 1709 or later.
#### Minimum baseline configuration setting for Windows Defender Firewall
@ -296,10 +296,10 @@ You can take the following actions to increase the overall security score of you
For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security).
### Windows Hello optimization
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Hello is fulfilled.
For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Hello is fulfilled.
>[!IMPORTANT]
>This security control is only applicable for endpoints with Windows 10, version 1803 or later.
>This security control is only applicable for machines with Windows 10, version 1803 or later.
#### Minimum baseline configuration setting for Windows Hello
- Windows Hello is configured for all users
@ -311,10 +311,10 @@ You can take the following actions to increase the overall security score of you
- Encourage all users to use Windows Hello
### BitLocker optimization
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for BitLocker is fulfilled.
For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for BitLocker is fulfilled.
>[!IMPORTANT]
>This security control is only applicable for endpoints with Windows 10, version 1803 or later.
>This security control is only applicable for machines with Windows 10, version 1803 or later.
#### Minimum baseline configuration setting for BitLocker
- Ensure all supported internal drives are encrypted
@ -330,13 +330,13 @@ You can take the following actions to increase the overall security score of you
### Windows Defender Credential Guard optimization
For an endpoint to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Credential Guard is fulfilled.
For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender Credential Guard is fulfilled.
>[!IMPORTANT]
>This security control is only applicable for endpoints with Windows 10, version 1709 or later.
>This security control is only applicable for machines with Windows 10, version 1709 or later.
#### Minimum baseline configuration setting for Windows Defender Credential Guard:
Endpoints are considered "well configured" for Windows Defender Credential Guard if the following requirements are met:
Machines are considered "well configured" for Windows Defender Credential Guard if the following requirements are met:
- Hardware and software prerequisites are met
- Windows Defender Credential Guard is turned on on compatible machines

4
windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
View File

@ -50,10 +50,10 @@ For both cases you should contact Microsoft support at [General Windows Defender
If while accessing the Windows Defender ATP portal you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date.
You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the endpoint offboarding package, should you choose to not renew the license.
You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license.
> [!NOTE]
> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
![Image of subscription expired](images\atp-subscription-expired.png)

74
windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -1,6 +1,6 @@
---
title: Troubleshoot Windows Defender ATP onboarding issues
description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service.
description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service.
keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -28,34 +28,34 @@ ms.date: 04/16/2018
[!include[Prerelease information](prerelease.md)]
You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines.
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem.
If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an onboarding or connectivity problem.
## Troubleshoot onboarding when deploying with Group Policy
Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indicate if the deployment has succeeded or not.
Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not.
If you have completed the endpoint onboarding process and don't see endpoints in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).
If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
If the script completes successfully, see [Troubleshoot onboarding issues](#troubleshoot-onboarding-issues) for additional errors that might occur.
## Troubleshoot onboarding issues when deploying with System Center Configuration Manager
When onboarding endpoints using the following versions of System Center Configuration Manager:
When onboarding machines using the following versions of System Center Configuration Manager:
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
- System Center Configuration Manager (current branch) version 1511
- System Center Configuration Manager (current branch) version 1602
Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the endpoints. You can track the deployment in the Configuration Manager Console.
Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console.
If the deployment fails, you can check the output of the script on the endpoints.
If the deployment fails, you can check the output of the script on the machines.
If the onboarding completed successfully but the endpoints are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues](#troubleshoot-onboarding-issues) for additional errors that might occur.
## Troubleshoot onboarding when deploying with a script on the endpoint
## Troubleshoot onboarding when deploying with a script
**Check the result of the script on the endpoint**:
**Check the result of the script on the machine**:
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. Go to **Windows Logs** > **Application**.
@ -70,17 +70,17 @@ Event ID | Error Type | Resolution steps
:---|:---|:---
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically<br> ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.<br>Verify that the script was ran as an administrator.
15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). <br> <br> If the endpoint is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). <br> <br> If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location<br>```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.<br>The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location<br>```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.<br>The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on machines with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on machines with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
65 | Insufficient privileges| Run the script again with administrator privileges.
## Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
If you have configured policies in Intune and they are not propagated on endpoints, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section.
Use the following tables to understand the possible causes of issues while onboarding:
@ -88,14 +88,14 @@ Use the following tables to understand the possible causes of issues while onboa
- Known issues with non-compliance table
- Mobile Device Management (MDM) event logs table
If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint management** section of the portal, and run it in an elevated command prompt.
If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt.
**Microsoft Intune error codes and OMA-URIs**:
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---|:---|:---|:---|:---
0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | | Onboarding <br> Offboarding <br> SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <br><br> **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection``` <br> <br> If it doesn't exist, open an elevated command and add the key.
| | | | SenseIsRunning <br> OnboardingState <br> OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
|| | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional. <br> Server is not supported.
@ -125,16 +125,16 @@ ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:---
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
## Troubleshoot onboarding issues on the endpoint
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
## Troubleshoot onboarding issues on the machine
If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the endpoint has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)
- [Ensure the machine has an Internet connection](#ensure-the-endpoint-has-an-internet-connection)
- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
### View agent onboarding errors in the endpoint event log
### View agent onboarding errors in the machine event log
1. Click **Start**, type **Event Viewer**, and press **Enter**.
@ -155,16 +155,16 @@ If the deployment tools used does not indicate an error in the onboarding proces
Event ID | Message | Resolution steps
:---|:---|:---
5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection).
6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).
7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). <br><br>If the event happened during offboarding, contact support.
10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). <br><br>If the problem persists, contact support.
15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-endpoint-has-an-internet-connection).
17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). If the problem persists, contact support.
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support.
29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the endpoint has Internet access, then run the entire offboarding process again.
29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again.
30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support.
32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine.
55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine.
@ -174,11 +174,11 @@ Event ID | Message | Resolution steps
69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
<br>
There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
There are additional components on the machine that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
<span id="ensure-the-diagnostics-service-is-enabled" />
### Ensure the diagnostic data service is enabled
If the endpoints aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes.
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
@ -186,7 +186,7 @@ First, you should check that the service is set to start automatically when Wind
**Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the endpoint:
1. Open an elevated command-line prompt on the machine:
a. Click **Start**, type **cmd**, and press **Enter**.
@ -207,7 +207,7 @@ First, you should check that the service is set to start automatically when Wind
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
1. Open an elevated command-line prompt on the machine:
a. Click **Start**, type **cmd**, and press **Enter**.
@ -233,7 +233,7 @@ First, you should check that the service is set to start automatically when Wind
sc start diagtrack
```
### Ensure the endpoint has an Internet connection
### Ensure the machine has an Internet connection
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
@ -248,7 +248,7 @@ If the verification fails and your environment is using a proxy to connect to th
**Symptom**: Onboarding successfully completes, but you see error 577 when trying to start the service.
**Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
**Solution**: If your machines are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
@ -259,7 +259,7 @@ If the verification fails and your environment is using a proxy to connect to th
- ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
- ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
- After clearing the policy, run the onboarding steps again on the endpoint.
- After clearing the policy, run the onboarding steps again.
- You can also check the following registry key values to verify that the policy is disabled:
@ -273,7 +273,7 @@ If the verification fails and your environment is using a proxy to connect to th
If you encounter issues while onboarding a server, go through the following verification steps to address possible issues.
- [Ensure Microsoft Monitoring Agent (MMA) is installed and configured to report sensor data to the service](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-mma)
- [Ensure that the server endpoint proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy)
- [Ensure that the server proxy and Internet connectivity settings are configured properly](configure-server-endpoints-windows-defender-advanced-threat-protection.md#server-proxy)
You might also need to check the following:
- Check that there is a Windows Defender Advanced Threat Protection Service running in the **Processes** tab in **Task Manager**. For example:
@ -308,5 +308,5 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
## Related topics
- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)

6
windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
View File

@ -42,11 +42,11 @@ Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
### Windows Defender ATP service shows event or error logs in the Event Viewer
See the topic [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
See the topic [Review events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. The topic also contains troubleshooting steps for event errors.
### Windows Defender ATP service fails to start after a reboot and shows error 577
If onboarding endpoints successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
If onboarding machines successfully completes but Windows Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy.
For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
@ -73,4 +73,4 @@ Support of use of comma as a separator in numbers are not supported. Regions whe
## Related topics
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
- [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
- [Review events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)

2
windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
View File

@ -41,7 +41,7 @@ Use the **Threat analytics** dashboard to continually assess and control risk ex
Topic | Description
:---|:---
[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions.
[View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
[View the Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
[View the Secure score dashboard and improve your secure score](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Secure score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.

14
windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
View File

@ -1,7 +1,7 @@
---
title: Windows Defender Advanced Threat Protection
description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats.
keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, endpoint behavioral sensor, cloud security, analytics, threat intelligence
keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -35,7 +35,7 @@ Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and th
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
- **machine behavioral sensors**: Embedded in Windows 10, these sensors
collect and process behavioral signals from the operating system
(for example, process, registry, file, and network communications)
and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.
@ -57,13 +57,13 @@ Windows Defender ATP uses the following combination of technology built into Win
![Windows Defender ATP service component](images/components.png)
Endpoint investigation capabilities in this service let you drill down
Machine investigation capabilities in this service let you drill down
into security alerts and understand the scope and nature of a potential
breach. You can submit files for deep analysis and receive the results
without leaving the [Windows Defender ATP portal](https://securitycenter.windows.com). The automated investigation and remediation capability reduces the volume of alerts by leveraging various inspection algorithms to resolve breaches.
Windows Defender ATP works with existing Windows security technologies
on endpoints, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard. It
on machines, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard. It
can also work side-by-side with third-party security solutions and
antimalware products.
@ -72,7 +72,7 @@ detect sophisticated cyber-attacks, providing:
- Behavior-based, cloud-powered, advanced attack detection
Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on machines.
- Rich timeline for forensic investigation and mitigation
@ -91,13 +91,13 @@ detect sophisticated cyber-attacks, providing:
Topic | Description
:---|:---
Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
[Onboard endpoints](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about configuring client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about configuring client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
[Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations and Secure score dashboard, and how to navigate the portal.
Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats.
Prevent threats | Use conditional access to help better protect your users and enterprise information by making sure only secure devices have access to applications.
API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from the Windows Defender ATP portal.
Reporting | Create and build Power BI reports using Windows Defender ATP data.
Check service health and sensor state | Verify that the service is running and check the sensor state on endpoints.
Check service health and sensor state | Verify that the service is running and check the sensor state on machines.
[Configure Windows Defender settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product.
[Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.