From 82b0be7e75836e75cdf29242102f7ee67496a0b5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 08:56:00 -0800 Subject: [PATCH 01/91] ms.custom: nextgen --- ...igure-real-time-protection-windows-defender-antivirus.md | 5 +++-- .../windows-defender-antivirus-in-windows-10.md | 6 +++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index 90c2964d84..e9e8300c9e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -9,11 +9,12 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb ms.date: 11/13/2018 ms.reviewer: manager: dansimp +ms.custom: nextgen --- # Enable and configure antivirus always-on protection and monitoring diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index 6327898e26..d1ec034818 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -14,6 +14,7 @@ ms.author: deniseb ms.date: 10/14/2019 ms.reviewer: manager: dansimp +ms.custom: nextgen --- # Next-generation protection in Windows 10 and Windows Server 2016 
@@ -33,8 +34,7 @@ Next-generation protection includes services that use machine learning together >- [Cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) >- Fast learning (including [block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md)) >- [Potentially unwanted application blocking](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) - -> [!NOTE] +> > For more information regarding what's new in each Windows version, please refer to [What's new in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp). ## Minimum system requirements @@ -44,7 +44,7 @@ Windows Defender Antivirus is your main vehicle for next-generation protection, - [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview) - [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components) -## Configuring Next-generation services +## Configuring next-generation services You can use the following to configure and manage next-generation services in Windows 10 while running Windows Defender Antivirus: From 001ce9ab9d9a3b40469a346ec294c0344e462b54 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 08:56:33 -0800 Subject: [PATCH 02/91] Update configure-real-time-protection-windows-defender-antivirus.md --- ...configure-real-time-protection-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index e9e8300c9e..484d5ecd8f 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -70,7 +70,7 @@ The main real-time protection capability is enabled by default, but you can disa 4. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**. -## Related topics +## Related articles - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From aec49ebfac6e0b15947dc9ccabe7d1987f13f632 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 09:05:13 -0800 Subject: [PATCH 03/91] ms.custom: nextgen --- ...d-protection-windows-defender-antivirus.md | 5 ++- ...ection-level-windows-defender-antivirus.md | 40 +++++++++---------- ...d-protection-windows-defender-antivirus.md | 7 ++-- 3 files changed, 27 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index c9aca52f0d..1bc4cdbd31 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -9,10 +9,11 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb ms.reviewer: manager: dansimp +ms.custom: nextgen --- # Enable cloud-delivered protection 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index f8a9335f5f..e6b6bf10d0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -9,11 +9,12 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.custom: nextgen --- # Specify the cloud-delivered protection level @@ -27,9 +28,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. - - -**Use Intune to specify the level of cloud-delivered protection:** +## Use Intune to specify the level of cloud-delivered protection 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **All services > Intune**. 
@@ -46,13 +45,15 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) -**Use Configuration Manager to specify the level of cloud-delivered protection:** +## Use Configuration Manager to specify the level of cloud-delivered protection -1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). -**Use Group Policy to specify the level of cloud-delivered protection:** +## Use Group Policy to specify the level of cloud-delivered protection -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). + +2. Right-click the Group Policy Object you want to configure, and then click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration**. 
@@ -60,20 +61,19 @@ For more information about Intune device profiles, including how to create and c 5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**. -1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: - 1. **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files. - 2. **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives). - 3. **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives). - 4. **Zero tolerance blocking level** blocks all unknown executables. +6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: + - **Default Windows Defender Antivirus blocking level** provides strong detection without increasing the risk of detecting legitimate files. + - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives). + - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives). + - **Zero tolerance blocking level** blocks all unknown executables. + + > [!WARNING] + > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection). - > [!WARNING] - > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection). -6. Click **OK**. +7. Click **OK**. 
- - -## Related topics +## Related articles - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 5553e762b8..e1d2d9c8e9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -9,10 +9,11 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb ms.reviewer: manager: dansimp +ms.custom: nextgen --- # Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection 
@@ -21,7 +22,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. +Microsoft next-generation technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) From 3cd81f453244e31d6b4545605bf4fb2b4c1e9e0f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 09:10:16 -0800 Subject: [PATCH 04/91] Update configure-network-connections-windows-defender-antivirus.md --- ...-network-connections-windows-defender-antivirus.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index d600158473..9977362328 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 10/08/2018 ms.reviewer: manager: dansimp @@ -26,7 +27,7 @@ To ensure Windows Defender Antivirus cloud-delivered protection works properly, This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services. -See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity. +See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity. >[!TIP] >You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: 
@@ -119,9 +120,9 @@ The Windows event log will also show [Windows Defender client event ID 2050](tro >[!IMPORTANT] >You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity. -## Related topics +## Related articles - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) - [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) -- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) +- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) From 3c5ef97d77b569bf9ddecd194941f99d9f7bdefd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 10:20:38 -0800 Subject: [PATCH 05/91] ms.custom: nextgen --- .../troubleshoot-asr.md | 4 +- .../microsoft-defender-atp/troubleshoot-np.md | 2 +- ...llect-diagnostic-data-update-compliance.md | 2 +- ...-first-sight-windows-defender-antivirus.md | 70 +++++++++---------- .../troubleshoot-reporting.md | 8 +-- .../windows-defender-offline.md | 2 +- .../wd-app-guard-overview.md | 2 +- 7 files changed, 44 insertions(+), 46 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index dc8f75b9f2..5bd14e868f 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -1,6 +1,6 @@ --- title: Troubleshoot problems with attack surface reduction rules -description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues +description: Check prerequisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -45,7 +45,7 @@ Attack surface reduction rules will only work on devices with the following cond > * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > * Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). -If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. +If these prerequisites have all been met, proceed to the next step to test the rule in audit mode. ## Use audit mode to test the rule diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index af397987a0..743860ad46 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md 
@@ -1,6 +1,6 @@ --- title: Troubleshoot problems with Network protection -description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues +description: Check prerequisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking search.product: eADQiWindows 10XVcnh ms.pagetype: security diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md index 3cb7596969..aeae0cc44a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -24,7 +24,7 @@ manager: dansimp This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in. -Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require pre-requisites, and taken any other suggested troubleshooting steps. +Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps. 1. On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process: 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 0100d2bd05..80515f04eb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -9,10 +9,11 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb ms.reviewer: manager: dansimp +ms.custom: nextgen --- # Enable block at first sight 
@@ -21,16 +22,12 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds. +Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. -It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. - -You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. - -You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. +You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. 
>[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. +>Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. ## How it works @@ -67,7 +64,7 @@ Block at first sight requires a number of settings to be configured correctly or ![Intune config](images/defender/intune-block-at-first-sight.png) -> [!Warning] +> [!WARNING] > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus). For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). 
@@ -77,18 +74,24 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev ### Enable block at first sight with SCCM 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. -1. Click **Home** > **Create Antimalware Policy**. -1. Enter a name and a description, and add these settings: + +2. Click **Home** > **Create Antimalware Policy**. + +3. Enter a name and a description, and add these settings: - **Real time protection** - **Advanced** - **Cloud Protection Service** -1. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. + +4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. ![Enable real-time protection](images/defender/sccm-real-time-protection.png) -1. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. + +5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) -1. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. + +6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. 
![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) -1. Click **OK** to create the policy. + +7. Click **OK** to create the policy. ### Confirm block at first sight is enabled with Group Policy 
@@ -97,25 +100,20 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies: +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: - 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: + - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. - - Send safe samples (1) - - Send all samples (3) + > [!WARNING] + > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. - > [!WARNING] - > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means block at first sight will not function. +4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**: - 3. Click **OK**. + 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**. -4. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**: - - 1. 
Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**. Click **OK**. - - 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**. Click **OK**. + 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. @@ -125,7 +123,7 @@ You can confirm that block at first sight is enabled in Windows Settings. Block at first sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. -**Confirm Block at First Sight is enabled on individual clients** +### Confirm Block at First Sight is enabled on individual clients 1. Open the Windows Security app by clicking the shield icon in the task bar. @@ -136,7 +134,7 @@ Block at first sight is automatically enabled as long as **Cloud-based protectio 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. > [!NOTE] -> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. +> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. ### Validate block at first sight is working 
@@ -147,20 +145,20 @@ You can validate that the feature is working by following the steps outlined in > [!WARNING] > Disabling block at first sight will lower the protection state of the endpoint and your network. -You may choose to disable block at first sight if you want to retain the pre-requisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. +You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. -**Disable block at first sight with Group Policy** +### Disable block at first sight with Group Policy -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**. +3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**. 4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. > [!NOTE] - > Disabling block at first sight will not disable or alter the pre-requisite group policies. + > Disabling block at first sight will not disable or alter the prerequisite group policies. ## Related topics 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md index 787e3d4728..c4a5b85e7f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md @@ -34,7 +34,7 @@ For common error codes and event IDs related to the Windows Defender Antivirus s There are three steps to troubleshooting these problems: -1. Confirm that you have met all pre-requisites +1. Confirm that you have met all prerequisites 2. Check your connectivity to the Windows Defender cloud-based service 3. Submit support logs @@ -42,9 +42,9 @@ There are three steps to troubleshooting these problems: >It typically takes 3 days for devices to start appearing in Update Compliance. -## Confirm pre-requisites +## Confirm prerequisites -In order for devices to properly show up in Update Compliance, you have to meet certain pre-requisites for both the Update Compliance service and for Windows Defender Antivirus: +In order for devices to properly show up in Update Compliance, you have to meet certain prerequisites for both the Update Compliance service and for Windows Defender Antivirus: >[!div class="checklist"] >- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance. 
@@ -55,7 +55,7 @@ In order for devices to properly show up in Update Compliance, you have to meet “You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options" -If the above pre-requisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us. +If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us. > [!div class="nextstepaction"] > [Collect diagnostic data for Update Compliance troubleshooting](collect-diagnostic-data-update-compliance.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index e106d82384..80913b13be 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -28,7 +28,7 @@ You can use Windows Defender Offline if you suspect a malware infection, or you In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Security app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. -## Pre-requisites and requirements +## prerequisites and requirements Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10. 
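Review bot: the heading change in windows-defender-offline.md lowercases the first word: "-## Pre-requisites and requirements" becomes "+## prerequisites and requirements". Headings in these pages are sentence case with an initial capital (compare "## Confirm prerequisites" in the troubleshoot-reporting.md hunk of this same patch), so it should be "## Prerequisites and requirements". Separately, the quoted licensing paragraph in the troubleshoot-reporting.md context opens with a curly quote (“You can use Windows Defender Antivirus...) and closes with a straight quote (... product licensing options"), so the pair does not match; worth fixing while the hunk is open.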
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 63342cb030..aa8c80886a 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -44,7 +44,7 @@ Application Guard has been created to target several types of systems: |Article |Description | |------|------------| -|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard.| +|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.| |[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| From a12744d0f148f887a899445fec304c3c7dbacda6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 10:30:05 -0800 Subject: [PATCH 06/91] Update configure-cloud-block-timeout-period-windows-defender-antivirus.md ms.custom: nextgen --- ...loud-block-timeout-period-windows-defender-antivirus.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index 7b99538868..ed0ae8bbe2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -9,11 +9,12 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.custom: nextgen --- # Configure the cloud block timeout period @@ -47,6 +48,6 @@ You can use Group Policy to specify an extended timeout for cloud checks. ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Use next-gen antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) - [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) From 99d8751d1cab823c59b27fc2d1f81ceba6db1328 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 10:34:31 -0800 Subject: [PATCH 07/91] Update collect-diagnostic-data-update-compliance.md --- ...llect-diagnostic-data-update-compliance.md | 47 ++++++++++--------- 1 file changed, 24 insertions(+), 23 deletions(-) 
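Review bot: the front matter edit adds "ms.custom: nextgen" after "manager: dansimp" and changes the author, but leaves "ms.date: 09/03/2018" untouched even though the page body also changes (the link text under "## Related topics"). If ms.date is the last-updated stamp shown to readers, bump it with the content change; the same applies to the other files in this series whose body text is edited.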
diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md index aeae0cc44a..c4c23a9ddd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp 
@@ -26,33 +27,33 @@ This topic describes how to collect diagnostic data that can be used by Microsof Before attempting this process, ensure you have read [Troubleshoot Windows Defender Antivirus reporting](troubleshoot-reporting.md), met all require prerequisites, and taken any other suggested troubleshooting steps. -1. On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process: +On at least two endpoints that are not reporting or showing up in Update Compliance, obtain the .cab diagnostic file by following this process: - 1. Open an administrator-level version of the command prompt: +1. Open an administrator-level version of the command prompt as follows: - 1. Open the **Start** menu. + a. Open the **Start** menu. + + b. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**. + + c. Enter administrator credentials or approve the prompt. - 2. Type **cmd**. Right-click on **Command Prompt** and click **Run as administrator**. +2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example: + + ```Dos + cd c:\program files\windows\defender + ``` + +3. Enter the following command and press **Enter** - 3. Enter administrator credentials or approve the prompt. - - 2. Navigate to the Windows Defender directory. By default, this is C:\Program Files\Windows Defender, as in the following example: - - ```Dos - cd c:\program files\windows\defender - ``` + ```Dos + mpcmdrun -getfiles + ``` - 3. Enter the following command and press **Enter** - - ```Dos - mpcmdrun -getfiles - ``` - - 4. A .cab file will be generated that contains various diagnostic logs. The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. +4. A .cab file will be generated that contains various diagnostic logs. 
The location of the file will be specified in the output in the command prompt, but by default it will be in C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. -2. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us. +5. Copy these .cab files to a location that can be accessed by Microsoft support. An example could be a password-protected OneDrive folder that you can share with us. -3. Send an email using the Update Compliance support email template, and fill out the template with the following information: +6. Send an email using the Update Compliance support email template, and fill out the template with the following information: ``` I am encountering the following issue when using Windows Defender Antivirus in Update Compliance: @@ -64,7 +65,7 @@ Before attempting this process, ensure you have read [Troubleshoot Windows Defen Please contact me at: ``` -## Related topics +## See also - [Troubleshoot Windows Defender Windows Defender Antivirus reporting](troubleshoot-reporting.md) From 61c752b2582e4a9ef5a339d753237ba5a4e655b5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 10:39:14 -0800 Subject: [PATCH 08/91] Update configure-process-opened-file-exclusions-windows-defender-antivirus.md --- ...e-exclusions-windows-defender-antivirus.md | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index d2191e0488..36714d75c3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md 
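Review bot: the renumbered procedure in collect-diagnostic-data-update-compliance.md carries over a broken path in the "cd" step. The prose says the default directory is C:\Program Files\Windows Defender, but the command is "cd c:\program files\windows\defender", which names a "windows\defender" subdirectory that does not exist and fails with "The system cannot find the path specified"; since the lines are re-indented here anyway, make it cd "C:\Program Files\Windows Defender" so the command matches the prose. Two smaller points in the same hunks: "met all require prerequisites" in the context line should read "required prerequisites", and the closing heading becomes "## See also" here while patches 08 and 09 in this series rename the same "## Related topics" heading to "## Related articles"; pick one for the whole series.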
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 12/10/2018 ms.reviewer: manager: dansimp @@ -52,15 +53,15 @@ You can [configure how locally and globally defined exclusions lists are merged] -**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:** +### Use Microsoft Intune to exclude files that have been opened by specified processes from scans See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -**Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans:** +### Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). -**Use Group Policy to exclude files that have been opened by specified processes from scans:** +### Use Group Policy to exclude files that have been opened by specified processes from scans 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -80,7 +81,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// -**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:** +### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). @@ -109,7 +110,7 @@ Add-MpPreference -ExclusionProcess "c:\internal\test.exe" See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:** +### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -125,7 +126,7 @@ See the following for more information and allowed parameters: -**Use the Windows Security app to exclude files that have been opened by specified processes from scans:** +### Use the Windows Security app to exclude files that have been opened by specified processes from scans See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. 
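Review bot: the new heading "### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans" expands WMI wrongly; it is Windows Management Instrumentation. The context line above it also carries a broken link left by an earlier find-and-replace, "use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md" (a file name with spaces that will 404); the correct target, used later in this same file, is use-powershell-cmdlets-windows-defender-antivirus.md, and the link text should match the title used there, "Use PowerShell cmdlets to configure and run Windows Defender Antivirus".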
@@ -156,7 +157,7 @@ If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Validate the exclusion list by using MpCmdRun:** +### Validate the exclusion list by using MpCmdRun To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: @@ -168,7 +169,7 @@ MpCmdRun.exe -CheckExclusion -path >Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. -**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** +### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell Use the following cmdlet: @@ -178,7 +179,7 @@ Get-MpPreference See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Retrieve a specific exclusions list by using PowerShell:** +### Retrieve a specific exclusions list by using PowerShell Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: 
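Review bot: the MpCmdRun link in the "Validate the exclusion list by using MpCmdRun" section points at a docs URL with "?branch=v-anbic-wdav-new-mpcmdrun-options" appended, a preview branch that readers of the published page cannot resolve; drop the query string and link to the plain command-line-arguments-windows-defender-antivirus page, or use the relative .md link as the other cross-references in this file do.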
@@ -189,7 +190,7 @@ $WDAVprefs.ExclusionProcess See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -## Related topics +## Related articles - [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) From 48d2a8a60b11e3443ef95ccf5898d68544865bb6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 10:51:02 -0800 Subject: [PATCH 09/91] ms.custom: nextgen --- ...ne-arguments-windows-defender-antivirus.md | 5 +++-- ...nt-reference-windows-defender-antivirus.md | 5 +++-- ...d-scan-types-windows-defender-antivirus.md | 5 +++-- ...meout-period-windows-defender-antivirus.md | 1 + ...-interaction-windows-defender-antivirus.md | 5 +++-- ...e-exclusions-windows-defender-antivirus.md | 5 +++-- ...e-exclusions-windows-defender-antivirus.md | 5 +++-- ...cy-overrides-windows-defender-antivirus.md | 5 +++-- ...otifications-windows-defender-antivirus.md | 5 +++-- ...ion-features-windows-defender-antivirus.md | 5 +++-- ...e-protection-windows-defender-antivirus.md | 2 +- ...-remediation-windows-defender-antivirus.md | 5 +++-- ...r-exclusions-windows-defender-antivirus.md | 19 ++++++++++++------- 13 files changed, 44 insertions(+), 28 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 6832c65573..987853d3f7 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.reviewer: manager: dansimp --- diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index 4d41c1529f..c92a3fe1f8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index bd6ba2bfb4..5d969e79a9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md 
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 10/25/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index ed0ae8bbe2..1b9c177447 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -11,6 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index d4eface258..47161748b2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp 
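Review bot: the configure-cloud-block-timeout-period-windows-defender-antivirus.md hunk adds "ms.custom: nextgen" a second time. Patch 06/91 in this series already inserted the same key after "manager: dansimp" (its "+ms.custom: nextgen" line is visible there, and this patch's diffstat for the file is "1 +"), so after both apply the YAML front matter carries a duplicate key, which the docs build may reject or silently collapse to one value; drop this hunk or rebase 09 onto 06.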
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index 21812cde6a..f6da565014 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index c83644c873..4e5fc9ff72 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 12/10/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 499df8dfac..c51a7da9ea 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 61c02f6a88..6bd6aeb7b2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index c1495c80c6..8e6f966e08 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md 
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index 484d5ecd8f..b62d657934 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -60,7 +60,7 @@ Root | Allow antimalware service to remain running always | If protection update The main real-time protection capability is enabled by default, but you can disable it with Group Policy: -**Use Group Policy to disable real-time protection:** +### Use Group Policy to disable real-time protection 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 2b5bb82466..9702fdb478 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md 
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index caae6efc4e..85b7b015a3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -11,8 +11,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen --- # Configure Windows Defender Antivirus exclusions on Windows Server @@ -35,8 +36,6 @@ Custom exclusions take precedence over automatic exclusions. > [!TIP] > Custom and duplicate exclusions do not conflict with automatic exclusions. - - Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer. ## Opt out of automatic exclusions 
@@ -54,7 +53,7 @@ In Windows Server 2016, the predefined exclusions delivered by Security intellig You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI. -**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:** +### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -74,7 +73,7 @@ Set-MpPreference -DisableAutoExclusions $true See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:** +### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -294,6 +293,7 @@ This section lists the exclusions that are delivered automatically when you inst - %systemroot%\System32\lsass.exe ### DHCP Server exclusions + This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` - *%systemroot%*\System32\DHCP\\*\\\*.mdb 
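Review bot: same WMI expansion error as in the process-exclusions file: "+### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016" should say Windows Management Instrumentation; fix it while this heading is being converted to H3, and check the "Set method of the MSFT_MpPreference" sentence below it still reads correctly under the new heading.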
@@ -307,6 +307,7 @@ This section lists the exclusions that are delivered automatically when you inst - *%systemroot%*\System32\DHCP\\*\\\*.edb ### DNS Server exclusions + This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role. - File and folder exclusions for the DNS Server role: @@ -324,6 +325,7 @@ This section lists the file and folder exclusions and the process exclusions tha - *%systemroot%*\System32\dns.exe ### File and Storage Services exclusions + This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. - *%SystemDrive%*\ClusterStorage @@ -333,6 +335,7 @@ This section lists the file and folder exclusions that are delivered automatical - *%SystemDrive%*\mscs ### Print Server exclusions + This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role. - File type exclusions: @@ -350,6 +353,7 @@ This section lists the file type exclusions, folder exclusions, and the process - spoolsv.exe ### Web Server exclusions + This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role. - Folder exclusions: @@ -373,6 +377,7 @@ This section lists the folder exclusions and the process exclusions that are del - *%SystemDrive%*\PHP5433\php-cgi.exe ### Windows Server Update Services exclusions + This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` - *%systemroot%*\WSUS\WSUSContent 
@@ -383,7 +388,7 @@ This section lists the folder exclusions that are delivered automatically when y - *%systemroot%*\SoftwareDistribution\Download -## Related topics +## Related articles - [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) From 4deeb6850467b7f7a78d5b40228d466a44165d13 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 19 Nov 2019 10:53:18 -0800 Subject: [PATCH 10/91] Improved scenario-focused guidance for IT pros --- .../TOC.md | 14 ++++--- .../create-initial-default-policy.md | 6 +-- ...wdac-policy-for-lightly-managed-devices.md | 34 +++++++++++++++++ ...s-defender-application-control-policies.md | 4 +- .../example-wdac-base-policies.md | 38 +++++++++++++++++++ .../types-of-devices.md | 24 ++++++++---- ...control-with-intelligent-security-graph.md | 6 +-- ...lication-control-with-managed-installer.md | 6 +-- ...fender-application-control-design-guide.md | 4 +- 9 files changed, 109 insertions(+), 27 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md create mode 100644 windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 02767f2f29..a83d4e34e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md 
@@ -5,20 +5,22 @@ ### Design and create your WDAC policy #### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) #### [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) -#### [Create an initial default policy](create-initial-default-policy.md) -#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) +##### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md) +##### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) +#### [Example WDAC base policies](example-wdac-base-policies.md) +#### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md) +#### [Common WDAC deployment scenarios](types-of-devices.md) +##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) +##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md) +##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md) -### [Types of devices](types-of-devices.md) ### [Audit WDAC policies](audit-windows-defender-application-control-policies.md) ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) -### [Deploy multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) ### [Allow COM object registration](allow-com-object-registration-in-windows-defender-application-control-policy.md) -### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md) -### [Deploy WDAC with Intelligent Security 
Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 9f2f505f65..04f8c31125 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -1,5 +1,5 @@ --- -title: Create a Windows Defender Application Control policy from a reference computer (Windows 10) +title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -20,12 +20,12 @@ manager: dansimp ms.date: 05/03/2018 --- -# Create a Windows Defender Application Control policy from a reference computer +# Create a WDAC policy for fixed-workload devices using a reference computer **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 and above This section outlines the process to create a WDAC policy with Windows PowerShell. For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. 
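Review bot: In the TOC.md hunk, the two new `#####` entries for the managed installer and ISG articles are nested under "Understand WDAC policy rules and file rules", while the other level-5 entries sit under "Common WDAC deployment scenarios"; confirm that nesting is intended, since it presents those two articles as sub-topics of the rules article rather than as deployment options.

Review bot: In the create-initial-default-policy.md hunk, the title, H1 and Applies-to list change but the hunk header shows `ms.date: 05/03/2018` left as is; bump the date so the refreshed title is not flagged as stale content.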
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md new file mode 100644 index 0000000000..05c0c13621 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md 
@@ -0,0 +1,34 @@ +--- +title: Create a WDAC policy for lightly-managed devices (Windows 10) +description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 11/15/2019 +--- + +# Create a WDAC policy for lightly-managed devices + +**Applies to:** + +- Windows 10 +- Windows Server 2016 and above + +This section outlines the process to create a WDAC policy for lightly-managed devices within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics. + +## Example: Lamna Healthcare Company + +As described in the [previous topic](types-of-devices.md), Lamna Healthcare Company (Lamna) is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. Alice Pena is the IT team lead tasked with the roll out of WDAC. Recognizing where Lamna is starting from, with very loose application policies, Alice knows that she will need to take an incremental approach to application control that begins with a very relaxed initial policy for most user devices. \ No newline at end of file 
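Review bot: The front matter of the new create-wdac-policy-for-lightly-managed-devices.md defines several keys twice: `ms.reviewer:` appears once empty and once as `isbrahm`, and `ms.author: dansimp` and `manager: dansimp` are each repeated; drop the first occurrence of each so every key is set once. The `ms.assetid` value is copied from create-initial-default-policy.md (and the same id appears in the other files in this change), so a new article should either get its own asset id or omit the field. The file also ends without a trailing newline, and its last paragraph refers to hardening the policy "as described in later topics" while the article itself stops after the Lamna introduction, so the procedure the title promises is not yet on the page.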
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index d70793409e..13547435c1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -1,5 +1,5 @@ --- -title: Deploy multiple Windows Defender Application Control Policies (Windows 10) +title: Use multiple Windows Defender Application Control Policies (Windows 10) description: Windows Defender Application Control supports multiple code integrity policies for one device. keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -17,7 +17,7 @@ manager: dansimp ms.date: 05/17/2019 --- -# Deploy multiple Windows Defender Application Control Policies +# Use multiple Windows Defender Application Control Policies **Applies to:** diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md new file mode 100644 index 0000000000..dbbccbf94e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md 
@@ -0,0 +1,38 @@ +--- +title: Example WDAC base policies (Windows 10) +description: When creating a WDAC policy for an organization, start from one of the many available example base policies. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 11/15/2019 +--- + +# Windows Defender Application Control example base policies + +**Applies to** +- Windows 10 +- Windows Server 2016 and above + +When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start from an existing base policy and then add or remove rules to build your own custom policy XML files. Windows includes several example policies which can be used or organizations which use the Device Guard Signing Service can download a starter policy from that service. + +## Example Base Policies + +| **Example Base Policy** | **Description** | **Where it can be found** | +|----------------------------|---------------------------------------------------------------|--------| +| **DefaultWindows.xml** | This example policy is available in either audit or enforce mode. It includes the rules necessary to ensure that Windows, 3rd party hardware and software kernel drivers, and Windows Store apps will run. Used as the basis for all [Microsoft Endpoint Manager(MEM)](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | +| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. 
| %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | +| **AllowAll.xml** | This example policy is useful when creating a block list policy. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | +| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://docs.microsoft.com/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | +| **DenyAllAudit.xml** | This example policy should only be deployed in audit mode and can be used to audit all binaries running on critical systems or to comply with regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies | +| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [DGSS in the Microsoft Store for Business](https://businessstore.microsoft.com/manage/settings/devices) | +| **MEM Configuration Manager** | Customers who use MEM Configuration Manager (MEMCM), formerly known as System Center Configuration Manager, can deploy a policy to a device using MEMCM's built-in integration with WDAC and then copy the resulting policy XML to use as a custom base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint | diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 6a955009ea..6d7101e72a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md 
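Review bot: In example-wdac-base-policies.md, the sentence "Windows includes several example policies which can be used or organizations which use the Device Guard Signing Service can download a starter policy from that service." is a run-on; split it, for example "Windows includes several example policies that you can use. Organizations that use the Device Guard Signing Service can also download a starter policy from that service." Also add the missing space in "Microsoft Endpoint Manager(MEM)" in the DefaultWindows.xml row, make the "**Applies to**" line match the other articles' "**Applies to:**" with a blank line before the bullet list, and note that this file reuses the same `ms.assetid` as the other new article.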
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -1,5 +1,5 @@ --- -title: Types of devices (Windows 10) +title: Common WDAC deployment scenarios (Windows 10) description: Typically, deployment of Windows Defender Application Control happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb @@ -21,21 +21,29 @@ ms.date: 03/01/2018 **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 and above -Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. +Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is very common for organizations to have device use cases across each of the categories described. + +## Types of devices | **Type of device** | **How WDAC relates to this type of device** | |------------------------------------|------------------------------------------------------| -| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | -| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
WDAC policies are supported by the HVCI service. | | **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | +| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
WDAC policies are supported by the HVCI service. | +| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | | **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | +## An introduction to Lamna Healthcare Company -## Related topics +In the next set of topics, we will explore each of the above scenarios using a fictional organization called Lamna Healthcare Company. -- [Windows Defender Application Control Design Guide](windows-defender-application-control-design-guide.md) -- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) +Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff. +Lamna uses Microsoft Endpoint Manager (MEM) in hybrid mode with both Configuration Manager and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices and individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use Microsoft Defender Advanced Threat Protection (MDATP) for better endpoint detection and response. 
+Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control. + +## Up next + +- [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 62085ad482..ab14272bde 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -1,5 +1,5 @@ --- -title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10) +title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windows 10) description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
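Review bot: The types-of-devices.md hunk removes the "Related topics" section, and with it the links to the WDAC Design Guide and Deployment Guide, and replaces it with an "Up next" section that links only to the lightly-managed-devices article; if the guide links are still wanted, keep them alongside the new link. The hunk header also shows `ms.date: 03/01/2018` unchanged although the title, the table order and two new sections change (the new files in this change carry 11/15/2019). Minor: "a number of new security IT responses" in the ransomware paragraph reads awkwardly; "a number of new IT security measures" is clearer.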
@@ -17,12 +17,12 @@ manager: dansimp ms.date: 06/14/2018 --- -# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph +# Authorize reputable apps with the Intelligent Security Graph (ISG) **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 and above Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index aac3df82fc..e22de90c86 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md @@ -1,5 +1,5 @@ --- -title: Deploy Managed Installer for Windows Defender Device Guard (Windows 10) +title: Authorize apps deployed with a WDAC managed installer (Windows 10) description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
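Review bot: The ISG article's new title and H1 read "Authorize reputable apps with the Intelligent Security Graph (ISG)", while the TOC entry added earlier in this change reads "Authorize reputable apps with Intelligent Security Graph (ISG)" without "the"; pick one form so the TOC label and the page heading match.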
@@ -17,12 +17,12 @@ manager: dansimp ms.date: 06/13/2018 --- -# Deploy Managed Installer for Windows Defender Application Control +# Authorize apps deployed with a WDAC managed installer **Applies to:** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 and above Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC). diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 605383ec22..36a49771c4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md 
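Review bot: The managed-installer hunk renames the title and H1 but leaves the description referring to "System Center Configuration Manager", whereas example-wdac-base-policies.md in the same change introduces the product as "MEM Configuration Manager (MEMCM), formerly known as System Center Configuration Manager"; align the description with that wording so the articles are consistent.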
@@ -41,8 +41,8 @@ Once these business factors are in place, you are ready to begin planning your W | Topic | Description | | - | - | -| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. | -| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. | | [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. | +| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. | +| [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. | After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies. From 27c6f5c1adb9d2256786fa20236d8723741ec861 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 10:54:26 -0800 Subject: [PATCH 11/91] Update windows-defender-security-center-antivirus.md --- ...dows-defender-security-center-antivirus.md | 33 +++++++++++-------- 1 file changed, 20 insertions(+), 13 deletions(-) 
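Review bot: The design-guide table hunk moves "Understand WDAC policy design decisions" and "Understand WDAC policy rules and file rules" below "Plan for WDAC policy management", while the TOC hunk lists the two Understand entries first under "Design and create your WDAC policy"; confirm the intended reading order and keep the table and the TOC consistent. The renamed row text "Understand WDAC policy rules and file rules" does match the TOC entry.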
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 6333dad0ae..5935c90319 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp @@ -40,7 +41,7 @@ See the [Windows Security topic](/windows/threat-protection/windows-defender-sec >[!NOTE] >The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). -**Review virus and threat protection settings in the Windows Security app:** +## Review virus and threat protection settings in the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 
@@ -66,7 +67,6 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | De 4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan 5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option - ## Common tasks This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app. @@ -75,7 +75,9 @@ This section describes how to perform some of the most common tasks when reviewi > If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured. -**Run a scan with the Windows Security app** + +### Run a scan with the Windows Security app + 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). 
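Review bot: In the hunk at @@ -66,7 +67,6 @@ the removed line sits between the last table row ("5 | Run a scan ...") and the "## Common tasks" heading; confirm a blank line still separates the table from the heading so the table is terminated cleanly before the new section starts.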
@@ -85,7 +87,9 @@ This section describes how to perform some of the most common tasks when reviewi 4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan. -**Review the security intelligence update version and download the latest updates in the Windows Security app** + +### Review the security intelligence update version and download the latest updates in the Windows Security app + 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). @@ -97,8 +101,7 @@ This section describes how to perform some of the most common tasks when reviewi 4. Click **Check for updates** to download new protection updates (if there are any). - -**Ensure Windows Defender Antivirus is enabled in the Windows Security app** +### Ensure Windows Defender Antivirus is enabled in the Windows Security app 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -114,7 +117,9 @@ This section describes how to perform some of the most common tasks when reviewi -**Add exclusions for Windows Defender Antivirus in the Windows Security app** + +### Add exclusions for Windows Defender Antivirus in the Windows Security app + 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). 
@@ -126,7 +131,8 @@ This section describes how to perform some of the most common tasks when reviewi 5. Click the plus icon to choose the type and set the options for each exclusion. -**Review threat detection history in the Windows Defender Security Center app** + +### Review threat detection history in the Windows Defender Security Center app 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). @@ -136,7 +142,9 @@ This section describes how to perform some of the most common tasks when reviewi 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). -**Set ransomware protection and recovery options** + +### Set ransomware protection and recovery options + 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). @@ -147,8 +155,7 @@ This section describes how to perform some of the most common tasks when reviewi 5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack. - -## Related topics +## Related articles - [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md) From c3c5a98e40b8d57b9507fdaa44882057fb88592e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 10:55:27 -0800 Subject: [PATCH 12/91] Update windows-defender-offline.md --- .../windows-defender-offline.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) 
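Review bot: removing the blank line between the last table row and `## Common tasks` in the hunk at @@ -66,7 +67,6 @@ of the Windows Security app article (the patch just before `[PATCH 12/91]`) is risky; keep an empty line after the table so every Markdown renderer closes the table before the heading. The context row `5 | Run a scan (based on the option chosen under **Scan options** | ...` is also missing its closing parenthesis and could be fixed in the same pass.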
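Review bot: the heading added in the hunk at @@ -126,7 +131,8 @@, `### Review threat detection history in the Windows Defender Security Center app`, keeps the old app name while every other heading converted in this patch says `Windows Security app`; rename it, and the step beneath it (`Open the Windows Defender Security Center app ...`), to match. The same hunk also adds only the blank line before the heading, not the one after it that the other converted headings receive.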
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index 80913b13be..4187645c2e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp @@ -92,7 +93,7 @@ You can run a Windows Defender Offline scan with the following: -**Use PowerShell cmdlets to run an offline scan:** +### Use PowerShell cmdlets to run an offline scan Use the following cmdlets: @@ -102,7 +103,7 @@ Start-MpWDOScan See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to run an offline scan:** +### Use Windows Management Instruction (WMI) to run an offline scan Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan. @@ -116,7 +117,7 @@ See the following for more information: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -**Use the Windows Defender Security app to run an offline scan:** +### Use the Windows Defender Security app to run an offline scan 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 
@@ -135,7 +136,7 @@ See the following for more information: Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). -## Related topics +## Related articles - [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From a51538081e4b16e9b50df856e96db17dc50bba59 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 11:00:44 -0800 Subject: [PATCH 13/91] Update run-scan-windows-defender-antivirus.md --- .../run-scan-windows-defender-antivirus.md | 29 +++++++------------ 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 4c62952e60..66db88455e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp 
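Review bot: `### Use Windows Management Instruction (WMI) to run an offline scan` in the hunk at @@ -102,7 +103,7 @@ of windows-defender-offline.md expands WMI wrongly; it is Windows Management Instrumentation. The heading line is being rewritten anyway, so correct the term here rather than carrying it into the new heading.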
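Review bot: the heading `### Use the Windows Defender Security app to run an offline scan` in the hunk at @@ -116,7 +117,7 @@ names an app that the first step under it calls the `Windows Security app`; use `Windows Security app` in the heading as well.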
@@ -38,49 +39,40 @@ A full scan can be useful on endpoints that have encountered a malware threat to >[!NOTE] >By default, quick scans run on mounted removable devices, such as USB drives. -**Use Configuration Manager to run a scan:** +## Use Configuration Manager to run a scan See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. -**Use the mpcmdrun.exe command-line utility to run a scan:** +## Use the mpcmdrun.exe command-line utility to run a scan Use the following `-scan` parameter: ```DOS mpcmdrun.exe -scan -scantype 1 ``` - - - See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths. - - -**Use Microsoft Intune to run a scan:** +## Use Microsoft Intune to run a scan 1. In Intune, go to **Devices > All Devices** and select the device you want to scan. 2. Select **...More** and then select **Quick Scan** or **Full Scan**. -**Use the Windows Security app to run a scan:** +## Use the Windows Security app to run a scan See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints. - - -**Use PowerShell cmdlets to run a scan:** +## Use PowerShell cmdlets to run a scan Use the following cmdlet: ```PowerShell Start-MpScan ``` - - See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
-**Use Windows Management Instruction (WMI) to run a scan:** +## Use Windows Management Instruction (WMI) to run a scan Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class. @@ -88,8 +80,7 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -## Related topics - +## Related articles - [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) - [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-windows-defender-antivirus.md) From 3d17f6e0d04133155185e248bf712ac443481874 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 11:01:58 -0800 Subject: [PATCH 14/91] Update review-scan-results-windows-defender-antivirus.md --- ...scan-results-windows-defender-antivirus.md | 24 +++++++------------ 1 file changed, 9 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 1c07b37c51..78fed4d5d4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp 
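Review bot: in the hunk at @@ -38,49 +39,40 @@ of run-scan-windows-defender-antivirus.md, the new heading `## Use Windows Management Instruction (WMI) to run a scan` should say Windows Management Instrumentation. While this hunk is open: the `mpcmdrun.exe -scan -scantype 1` block and the bare `Start-MpScan` cmdlet both start a quick scan (ScanType 1 is quick and 2 is full for mpcmdrun.exe; Start-MpScan defaults to a quick scan and takes `-ScanType FullScan` for a full one), but under the now-generic `## Use ...` headings nothing says so; one sentence stating that both examples run a quick scan would keep the section consistent with the `Quick Scan` / `Full Scan` choice shown for Intune.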
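Review bot: the hunk at @@ -88,8 +80,7 @@ removes the blank line between `## Related articles` and the list that follows, while every other `## Related articles` conversion in this series keeps it; keep the blank line for consistency.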
@@ -25,18 +26,17 @@ manager: dansimp After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. -**Use Microsoft Intune to review scan results:** +## Use Microsoft Intune to review scan results 1. In Intune, go to **Devices > All Devices** and select the device you want to scan. 2. Click the scan results in **Device actions status**. -**Use Configuration Manager to review scan results:** +## Use Configuration Manager to review scan results See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). - -**Use the Windows Security app to review scan results:** +## Use the Windows Security app to review scan results 1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. @@ -45,10 +45,7 @@ See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/ - Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list. - Information about the last scan is displayed at the bottom of the page. - - - -**Use PowerShell cmdlets to review scan results:** +## Use PowerShell cmdlets to review scan results The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection: 
@@ -70,15 +67,12 @@ Get-MpThreat See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to review scan results:** +## Use Windows Management Instruction (WMI) to review scan results Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) classes. - - - -## Related topics +## Related articles - [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From 29eb0f5af79ab48d7379d7c8224f9954add9ca66 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 11:03:16 -0800 Subject: [PATCH 15/91] Update prevent-end-user-interaction-windows-defender-antivirus.md --- ...end-user-interaction-windows-defender-antivirus.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index 583e4365b4..a491e7bf11 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md 
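Review bot: in the hunk at @@ -25,18 +26,17 @@ of review-scan-results-windows-defender-antivirus.md, the context line `After an Windows Defender Antivirus scan completes` needs `a`, and step 1 under the new `## Use Microsoft Intune to review scan results` still reads `select the device you want to scan`, which matches the run-scan article rather than this one; `select the device whose results you want to review` fits this page. Both sit one line from the rewritten headings and are easy to fix in the same pass.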
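Review bot: `## Use Windows Management Instruction (WMI) to review scan results` in the hunk at @@ -70,15 +67,12 @@ should read Windows Management Instrumentation; correct it while the heading is being rewritten.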
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp @@ -44,7 +45,7 @@ In earlier versions of Windows 10, the setting will hide the Windows Defender cl ![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this app](images/defender/wdav-headless-mode-1607.png) -**Use Group Policy to hide the Windows Defender AV interface from users:** +## Use Group Policy to hide the Windows Defender AV interface from users 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -64,7 +65,7 @@ Also see the [Prevent users from locally modifying policy settings](configure-lo You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users. -**Use Group Policy to prevent users from pausing a scan:** +### Use Group Policy to prevent users from pausing a scan 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -77,7 +78,7 @@ You can prevent users from pausing scans. This can be helpful to ensure schedule 6. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**. -## Related topics +## Related articles - [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) From 02e3a7ce8cb0e35485b22e505bba050016728506 Mon Sep 17 00:00:00 2001 
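Review bot: the two converted headings in prevent-end-user-interaction-windows-defender-antivirus.md land at different levels: `## Use Group Policy to hide the Windows Defender AV interface from users` (hunk @@ -44,7 +45,7 @@) and `### Use Group Policy to prevent users from pausing a scan` (hunk @@ -64,7 +65,7 @@). If the second sits under a `##` section introduced by `You can prevent users from pausing scans`, check whether the first also has a parent section and should be `###`; otherwise make both `##`. The first heading also abbreviates the product as `Windows Defender AV`, which the rest of this series spells out as Windows Defender Antivirus.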
From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 11:06:40 -0800 Subject: [PATCH 16/91] Update prevent-changes-to-security-settings-with-tamper-protection.md --- ...revent-changes-to-security-settings-with-tamper-protection.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index acfa9717f3..5eb2cef516 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -14,6 +14,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb +ms.custom: nextgen --- # Protect security settings with Tamper Protection From ed91547f64703290882fdb2a2636bd3da82bce8d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 11:08:28 -0800 Subject: [PATCH 17/91] Update manage-updates-mobile-devices-vms-windows-defender-antivirus.md --- ...-devices-vms-windows-defender-antivirus.md | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index 179c55aac4..94b9e04752 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md 
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp @@ -46,7 +47,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following 2. Use a VBScript to create a script, then run it on each computer in your network. 3. Manually opt-in every computer on your network through the **Settings** menu. -**Use Group Policy to opt-in to Microsoft Update:** +### Use Group Policy to opt-in to Microsoft Update 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -54,18 +55,17 @@ You can opt-in to Microsoft Update on the mobile device in one of the following 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**. 6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. -**Use a VBScript to opt-in to Microsoft Update** +### Use a VBScript to opt-in to Microsoft Update 1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. 2. Run the VBScript you created on each computer in your network. - -**Manually opt-in to Microsoft Update** +### Manually opt-in to Microsoft Update 1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. 2. Click **Advanced** options. 
@@ -75,7 +75,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source. -**Use Group Policy to prevent security intelligence updates on battery power:** +### Use Group Policy to prevent security intelligence updates on battery power 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -89,10 +89,7 @@ You can configure Windows Defender Antivirus to only download protection updates 2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power. - - - -## Related topics +## Related articles - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) - [Update and manage Windows Defender Antivirus in Windows 10](deploy-manage-report-windows-defender-antivirus.md) From e55837386f474dad8843e70d1d78840d5611850d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 11:10:24 -0800 Subject: [PATCH 18/91] Update manage-protection-update-schedule-windows-defender-antivirus.md --- ...update-schedule-windows-defender-antivirus.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index 146b92de6f..0185b12a58 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md 
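Review bot: the headings rewritten in the hunks at @@ -46,7 +47,7 @@ and @@ -54,18 +55,17 @@ of manage-updates-mobile-devices-vms-windows-defender-antivirus.md use `opt-in` as a verb (`Use Group Policy to opt-in to Microsoft Update`, `Use a VBScript to opt-in to Microsoft Update`, `Manually opt-in to Microsoft Update`); as a verb it is two words, `opt in`, with the hyphenated form reserved for the noun or adjective. Since these lines are new, write `opt in` now. The context step `Open **Windows Update** ... on the computer you want to opt-in` has the same issue.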
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md @@ -10,8 +10,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp @@ -33,7 +34,7 @@ You can schedule updates for your endpoints by: You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information. -**Use Configuration Manager to schedule protection updates:** +## Use Configuration Manager to schedule protection updates 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) @@ -47,7 +48,7 @@ You can also randomize the times when each endpoint checks and downloads protect 5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). -**Use Group Policy to schedule protection updates:** +## Use Group Policy to schedule protection updates > [!IMPORTANT] > By default, Windows Defender Antivirus will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. 
@@ -65,8 +66,7 @@ You can also randomize the times when each endpoint checks and downloads protect 3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. - -**Use PowerShell cmdlets to schedule protection updates:** +## Use PowerShell cmdlets to schedule protection updates Use the following cmdlets: @@ -78,7 +78,7 @@ Set-MpPreference -SignatureUpdateInterval See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to schedule protection updates:** +## Use Windows Management Instruction (WMI) to schedule protection updates Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -92,7 +92,7 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -## Related topics +## Related articles - [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) From 1fb01046712c3c06c53333e1134b5b87f4be90f3 Mon Sep 17 00:00:00 2001 
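Review bot: `## Use Windows Management Instruction (WMI) to schedule protection updates` in the hunk at @@ -78,7 +78,7 @@ of manage-protection-update-schedule-windows-defender-antivirus.md has the wrong expansion; WMI is Windows Management Instrumentation. Fix it in the rewritten heading.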
From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 11:43:35 -0800 Subject: [PATCH 19/91] ms.custom: nextgen --- ...ed-endpoints-windows-defender-antivirus.md | 30 ++++++++----------- ...es-baselines-windows-defender-antivirus.md | 7 +++-- ...port-monitor-windows-defender-antivirus.md | 8 ++--- ...ntined-files-windows-defender-antivirus.md | 7 +++-- ...tch-up-scans-windows-defender-antivirus.md | 5 ++-- .../troubleshoot-reporting.md | 5 ++-- ...troubleshoot-windows-defender-antivirus.md | 10 +++---- ...group-policy-windows-defender-antivirus.md | 12 +++----- ...nfig-manager-windows-defender-antivirus.md | 7 +++-- ...hell-cmdlets-windows-defender-antivirus.md | 7 +++-- .../use-wmi-windows-defender-antivirus.md | 5 ++-- ...indows-defender-antivirus-compatibility.md | 5 ++-- 12 files changed, 53 insertions(+), 55 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index ca75fa1e6f..fabe399119 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp 
@@ -32,7 +33,7 @@ When the user returns to work and logs on to their PC, Windows Defender Antiviru If Windows Defender Antivirus did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md). -**Use Configuration Manager to configure catch-up protection updates:** +### Use Configuration Manager to configure catch-up protection updates 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) @@ -45,7 +46,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie 4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). -**Use Group Policy to enable and configure the catch-up update feature:** +### Use Group Policy to enable and configure the catch-up update feature 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -59,7 +60,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie 6. Click **OK**. -**Use PowerShell cmdlets to configure catch-up protection updates:** +### Use PowerShell cmdlets to configure catch-up protection updates Use the following cmdlets: 
@@ -69,7 +70,7 @@ Set-MpPreference -SignatureUpdateCatchupInterval See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to configure catch-up protection updates:** +### Use Windows Management Instruction (WMI) to configure catch-up protection updates Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -81,13 +82,11 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - - ## Set the number of days before protection is reported as out-of-date You can also specify the number of days after which Windows Defender Antivirus protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender Antivirus to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)), such as when using MMPC as a secondary source after setting WSUS or Microsoft Update as the first source. -**Use Group Policy to specify the number of days before protection is considered out-of-date:** +### Use Group Policy to specify the number of days before protection is considered out-of-date 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
@@ -106,8 +105,6 @@ You can also specify the number of days after which Windows Defender Antivirus p 4. Click **OK**. - - ## Set up catch-up scans for endpoints that have not been scanned for a while You can set the number of consecutive scheduled scans that can be missed before Windows Defender Antivirus will force a scan. @@ -120,7 +117,7 @@ The process for enabling this feature is: This feature can be enabled for both full and quick scans. -**Use Group Policy to enable and configure the catch-up scan feature:** +### Use Group Policy to enable and configure the catch-up scan feature 1. Ensure you have set up at least one scheduled scan. @@ -140,7 +137,7 @@ This feature can be enabled for both full and quick scans. > [!NOTE] > The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run. -**Use PowerShell cmdlets to configure catch-up scans:** +### Use PowerShell cmdlets to configure catch-up scans Use the following cmdlets: @@ -152,7 +149,7 @@ Set-MpPreference -DisableCatchupQuickScan See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to configure catch-up scans:** +### Use Windows Management Instruction (WMI) to configure catch-up scans Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: 
@@ -165,7 +162,7 @@ See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -**Use Configuration Manager to configure catch-up scans:** +### Use Configuration Manager to configure catch-up scans 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) @@ -175,8 +172,7 @@ See the following for more information and allowed parameters: 4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). - -## Related topics +## Related articles - [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index e5efd9c691..775068abed 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp 
@@ -24,6 +25,7 @@ manager: dansimp There are two types of updates related to keeping Windows Defender Antivirus up to date: 1. Protection updates + 2. Product updates You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection. @@ -34,7 +36,6 @@ Windows Defender Antivirus uses both [cloud-delivered protection](utilize-micros The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. - ## Product updates Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 41a8f3094f..72b23bfec1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp 
@@ -28,7 +29,6 @@ You can use System Center Configuration Manager to [monitor Windows Defender Ant Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. - If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx). Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md). @@ -39,7 +39,7 @@ You can also [monitor malware events using the Malware Assessment solution in Lo For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2). -## Related topics +## Related articles - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index 68c4accc82..f99aa7584f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md 
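Review bot: the unchanged context line in hunk @@ -28,7 +29,6 @@ still reads "the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic"; with this paragraph already touched by the blank-line removal, fix the link text to "Security auditing" in the same commit.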
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 11/16/2018 ms.reviewer: manager: dansimp @@ -32,7 +33,7 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y > [!NOTE] > You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV. -## Related topics +## Related articles - [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) - [Review scan results](review-scan-results-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index bf6852066d..e49771c6ae 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 12/10/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md index c4a5b85e7f..d123f26a35 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.reviewer: manager: dansimp --- diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index a371aaca96..e73f8d37d8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/11/2018 ms.reviewer: manager: dansimp @@ -46,7 +47,7 @@ You can directly view the event log, or if you have a third-party security infor The table in this section lists the main Windows Defender Antivirus event IDs and, where possible, provides suggested solutions to fix or resolve the error. -**To view a Windows Defender Antivirus event** +## To view a Windows Defender Antivirus event 1. Open **Event Viewer**. 2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender Antivirus**. @@ -54,9 +55,6 @@ The table in this section lists the main Windows Defender Antivirus event IDs an 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. - - - 
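Review bot: the promoted heading `## To view a Windows Defender Antivirus event` in hunk @@ -46,7 +47,7 @@ is placed at the same level as the section it belongs to. The context line ("The table in this section lists the main Windows Defender Antivirus event IDs") shows the procedure sits inside an existing section, and the other files in this series promote such procedures to `###` (the catch-up scan and protection-update procedures, for example). Use `### To view a Windows Defender Antivirus event` so the procedure stays nested under its section in the rendered table of contents.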
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index b7114cd1fd..dcf2f5dd8d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp @@ -143,12 +144,7 @@ Threats | Specify threat alert levels at which default action should not be take Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) - - - - - -## Related topics +## Related articles - [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 0a6c5dc31a..6ed604307a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md 
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp @@ -31,7 +32,7 @@ See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -## Related topics +## Related articles - [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index bd4a22592f..326511d75c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp 
@@ -38,7 +39,7 @@ You can [configure which settings can be overridden locally with local policy ov PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. -**Use Windows Defender Antivirus PowerShell cmdlets:** +## Use Windows Defender Antivirus PowerShell cmdlets 1. Click **Start**, type **powershell**, and press **Enter**. 2. Click **Windows PowerShell** to open the interface. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md index c0e86e1a2b..0e88dfd58b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 717e08d7d4..369ebfe876 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp From 12f206e03fb86a8ba81975bf92e1bea2039e11a5 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 11:46:42 -0800 Subject: [PATCH 20/91] Update manage-event-based-updates-windows-defender-antivirus.md --- ...ased-updates-windows-defender-antivirus.md | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 805f9c697f..738e0a392f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp @@ -28,7 +29,7 @@ Windows Defender Antivirus allows you to determine if updates should (or should You can use System Center Configuration Manager, Group Policy, PowerShell cmdlets, and WMI to force Windows Defender Antivirus to check and download protection updates before running a scheduled scan. -**Use Configuration Manager to check for protection updates before running a scan:** +### Use Configuration Manager to check for protection updates before running a scan 1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 
@@ -38,7 +39,7 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet 4.[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). -**Use Group Policy to check for protection updates before running a scan:** +### Use Group Policy to check for protection updates before running a scan 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -46,13 +47,13 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**. +4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**. 5. Double-click **Check for the latest virus and spyware definitions before running a scheduled scan** and set the option to **Enabled**. 6. Click **OK**. -**Use PowerShell cmdlets to check for protection updates before running a scan:** +### Use PowerShell cmdlets to check for protection updates before running a scan Use the following cmdlets: 
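Review bot: the context line `4.[Deploy the updated policy as usual](...)` in hunk @@ -38,7 +39,7 @@ is missing the space after the list marker, so Markdown renders it as a plain paragraph instead of step 4 of the Configuration Manager procedure. While this block is being edited, change it to `4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).`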
@@ -62,7 +63,7 @@ Set-MpPreference -CheckForSignaturesBeforeRunningScan See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to check for protection updates before running a scan** +### Use Windows Management Instruction (WMI) to check for protection updates before running a scan Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -91,7 +92,7 @@ You can use Group Policy to force Windows Defender Antivirus to check and downlo You can also use Group Policy, PowerShell, or WMI to configure Windows Defender Antivirus to check for updates at startup even when it is not running. -**Use Group Policy to download updates when Windows Defender Antivirus is not present:** +### Use Group Policy to download updates when Windows Defender Antivirus is not present 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -105,7 +106,7 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender 6. Click **OK**. -**Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present:** +### Use PowerShell cmdlets to download updates when Windows Defender Antivirus is not present Use the following cmdlets: 
@@ -115,7 +116,7 @@ Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present:** +### Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -134,7 +135,7 @@ Windows Defender AV can make changes to its protection based on cloud-delivered If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that protection update. Other important protection updates can also be applied. -**Use Group Policy to automatically download recent updates based on cloud-delivered protection:** +### Use Group Policy to automatically download recent updates based on cloud-delivered protection 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
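Review bot: both WMI headings rewritten in this file, hunk @@ -62,7 +63,7 @@ and hunk @@ -115,7 +116,7 @@, read "Windows Management Instruction (WMI)"; the acronym stands for Windows Management Instrumentation. The same wording appears in the heading of the catch-up scan file earlier in this series, so apply the correction consistently: `### Use Windows Management Instrumentation (WMI) to check for protection updates before running a scan` and `### Use Windows Management Instrumentation (WMI) to download updates when Windows Defender Antivirus is not present`.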
@@ -149,7 +150,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi > [!NOTE] > "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. -## Related topics +## Related artcles - [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) From e876f1dcf83102c97b5be62f2851a559e16433f1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 11:50:08 -0800 Subject: [PATCH 21/91] ms.custom: nextgen --- ...-review-remediate-scans-windows-defender-antivirus.md | 5 +++-- .../deploy-manage-report-windows-defender-antivirus.md | 5 +++-- .../deploy-windows-defender-antivirus.md | 5 +++-- .../deployment-vdi-windows-defender-antivirus.md | 5 +++-- ...tentially-unwanted-apps-windows-defender-antivirus.md | 9 +++++---- .../evaluate-windows-defender-antivirus.md | 5 +++-- ...mited-periodic-scanning-windows-defender-antivirus.md | 7 ++++--- ...age-event-based-updates-windows-defender-antivirus.md | 2 +- 8 files changed, 25 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index a700977d08..4e5666fd45 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md 
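Review bot: hunk @@ -149,7 +150,7 @@ introduces a typo in the new heading, `## Related artcles`; the intended text is `## Related articles`, which is what every other file in this series now uses. The following commit (PATCH 21/91) corrects it, so squash that fix into this commit and the series never carries the misspelled heading.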
@@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index b95dce5844..ad4a8eee3e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index 4371855830..9f668be613 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index 307d8fcd7d..dffaa6f470 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index acad6edc05..c9ade7db82 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: detect ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen audience: ITPro ms.date: 10/02/2018 ms.reviewer: 
@@ -142,7 +143,7 @@ See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for det Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. See [How to Configure Endpoint Protection in Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/hh508770(v=technet.10)#to-exclude-specific-files-or-folders) for information on allowing files which are currently blocked by PUA protection in Windows Defender Antivirus. -## Related topics +## Related articles -- [Next gen protection](windows-defender-antivirus-in-windows-10.md) +- [Next-generation protection](windows-defender-antivirus-in-windows-10.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md index 33b7f2e9ab..6173192baf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md index a5cbbeb7a7..cac6d0f3fb 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp @@ -50,7 +51,7 @@ Sliding the swtich to **On** will show the standard Windows Defender AV options ![When enabled, periodic scanning shows the normal Windows Defender Antivirus options](images/vtp-3ps-lps-on.png) -## Related topics +## Related articles - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 738e0a392f..8f4ce77a47 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md 
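Review bot: the hunk header for @@ -50,7 +51,7 @@ shows the surrounding sentence still reads "Sliding the swtich to **On**"; while the heading in this file is being changed, correct "swtich" to "switch" as well.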
@@ -150,7 +150,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi > [!NOTE] > "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. -## Related artcles +## Related articles - [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) - [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) From 910396c06463ff4fc3b0d72914da57824b42395e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 11:52:56 -0800 Subject: [PATCH 22/91] ms.custom: nextgen --- .../command-line-arguments-windows-defender-antivirus.md | 2 +- .../configure-windows-defender-antivirus-features.md | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 987853d3f7..b5d9f68991 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md 
@@ -1,6 +1,6 @@ --- title: Use the command line to manage Windows Defender Antivirus -description: Run Windows Defender Antivirus scans and configure next gen protection with a dedicated command-line utility. +description: Run Windows Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility. keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index da95773da3..d771955c80 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md @@ -9,8 +9,9 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp From b944279718dfecba49c5af165e3e9b159cf4567a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 12:24:00 -0800 Subject: [PATCH 23/91] fixing insecure links --- .../configure-network-connections-windows-defender-antivirus.md | 2 +- .../deployment-vdi-windows-defender-antivirus.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 9977362328..54e8305938 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
@@ -56,7 +56,7 @@ As a cloud service, it is required that computers have access to the internet an | *Microsoft Update Service (MU)*| Security intelligence and product updates |\*.update.microsoft.com| | *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| \*.download.microsoft.com| | *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net | -| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs | +| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL | https://www.microsoft.com/pkiops/crl/ https://www.microsoft.com/pkiops/certs https://crl.microsoft.com/pki/crl/products https://www.microsoft.com/pki/certs | | *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | | *Universal Telemetry Client*| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: 
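Review bot: Rewriting the four *Certificate Revocation List (CRL)* URLs from `http://` to `https://` may misstate what the client actually requests: CRL and AIA retrievals are conventionally made over plain HTTP, because the CRL is itself signed and fetching it over TLS would require its own revocation check. Since this table is what administrators use to build proxy and firewall allow-lists, an HTTPS-only rule derived from it could silently break revocation checking for the MAPS connection described in the same row. Suggest confirming the scheme against the CDP/AIA extensions on the certificates before landing this part of the "fixing insecure links" change, or keeping the http URLs and stating that the CRL is signed.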
vortex-win.data.microsoft.com settings-win.data.microsoft.com| diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index dffaa6f470..3dfe9a2e82 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -203,6 +203,6 @@ On Windows Server 2016, Windows Defender Antivirus will automatically deliver th ## Additional resources -- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) +- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( https://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) - [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) From 7687a90c94f9ad0f0c70b19cb81286a632f9f86b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 12:24:30 -0800 Subject: [PATCH 24/91] Update troubleshoot-windows-defender-antivirus.md --- .../troubleshoot-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index e73f8d37d8..1aa32f693e 100644 
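Review bot: The deployment-vdi-windows-defender-antivirus.md hunk switches the Channel 9 link to https but carries over two defects on the same line: the link text still reads "Configuration Manger" (should be "Configuration Manager"), and there is a stray space inside the link target, `]( https://channel9.msdn.com/...`, which some Markdown renderers treat as a broken link. Fix both while the line is being touched.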
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -2891,7 +2891,7 @@ Run a full system scan. From 7dd43d693d7f6c3d6da52116c0c035191f20c1f3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 15:22:56 -0800 Subject: [PATCH 25/91] Update troubleshoot-asr.md --- .../troubleshoot-asr.md | 61 +++++++++++-------- 1 file changed, 36 insertions(+), 25 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index 5bd14e868f..a3dda43322 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -10,11 +10,12 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dansimp -ms.author: dansimp +author: denisebmsft +ms.author: deniseb ms.date: 03/27/2019 ms.reviewer: manager: dansimp +ms.custom: asr --- # Troubleshoot attack surface reduction rules 
@@ -23,48 +24,56 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -When you use [attack surface reduction rules](attack-surface-reduction.md) you may encounter issues, such as: +When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as: -* A rule blocks a file, process, or performs some other action that it should not (false positive) -* A rule does not work as described, or does not block a file or process that it should (false negative) +- A rule blocks a file, process, or performs some other action that it should not (false positive) + +- A rule does not work as described, or does not block a file or process that it should (false negative) There are four steps to troubleshooting these problems: -1. Confirm prerequisites -2. Use audit mode to test the rule -3. Add exclusions for the specified rule (for false positives) -4. Submit support logs +1. [Confirm prerequisites](#confirm-prerequisites) + +2. [Use audit mode to test the rule](#use-audit-mode-to-test-the-rule) + +3. [Add exclusions for the specified rule](#add-exclusions-for-a-false-positive) (for false positives) + +4. [Submit support logs](#collect-diagnostic-data-for-file-submissions) ## Confirm prerequisites Attack surface reduction rules will only work on devices with the following conditions: -> [!div class="checklist"] -> * Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update). -> * Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). -> * [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. -> * Audit mode is not enabled. 
Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +- Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update). + +- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). + +- [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. + +- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these prerequisites have all been met, proceed to the next step to test the rule in audit mode. ## Use audit mode to test the rule -You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. +You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. 1. Enable audit mode for the specific rule you want to test. 
Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. + 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). + 3. [Review the attack surface reductio rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. -> ->If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. -> ->Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. +If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. + +Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: 1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). + 2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). ## Add exclusions for a false positive 
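Review bot: The prerequisite bullet "Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**)" sends readers to the wrong setting: Disabled switches the rule off entirely, so someone following it to leave audit mode would then be testing a rule that cannot block anything (the audit-mode step just below uses value **2**; the block/enabled setting from [Enable attack surface reduction rules] is the one this sentence should reference). Suggest rewording the bullet to point at the enabled setting. Also, step 3 of the audit-mode procedure still reads "attack surface reductio rule event logs"; since that line is unchanged context here, the typo could be fixed in the same patch.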
@@ -79,7 +88,7 @@ To add an exclusion, see [Customize Attack surface reduction](customize-attack-s ## Report a false positive or false negative -Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). +Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). ## Collect diagnostic data for file submissions @@ -97,10 +106,12 @@ When you report a problem with attack surface reduction rules, you are asked to mpcmdrun -getfiles ``` -3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. +3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. -## Related topics +## Related articles -* [Attack surface reduction rules](attack-surface-reduction.md) -* [Enable attack surface reduction rules](enable-attack-surface-reduction.md) -* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) +- [Attack surface reduction rules](attack-surface-reduction.md) + +- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) + +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) From 3ef7c5786118a5fdadaff833bf12c6477f2ed19c Mon Sep 17 00:00:00 2001 
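Review bot: In the "Report a false positive or false negative" hunk, the rewritten sentence still says "to report a false negative or false positive for network protection", but this article is about attack surface reduction rules; the wording appears to have been carried over from the network protection article and should name attack surface reduction rules. The same + line changes "E5 subscription" to "Windows E5 subscription", which is a change in the licensing claim rather than a wording fix; worth confirming that Windows E5 (and not Microsoft 365 E5) is the intended SKU.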
From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 15:24:26 -0800 Subject: [PATCH 26/91] Update configuration-management-reference-windows-defender-antivirus.md --- ...iguration-management-reference-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index c92a3fe1f8..7bee1e3696 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Manage Windows Defender in your business -description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line to manage Windows Defender AV +description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Windows Defender AV keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection search.product: eADQiWindows 10XVcnh ms.pagetype: security From 355514a289ab0a53968fff9cb1bb8ff88df3f9db Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 15:26:34 -0800 Subject: [PATCH 27/91] Update limited-periodic-scanning-windows-defender-antivirus.md --- ...imited-periodic-scanning-windows-defender-antivirus.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md index cac6d0f3fb..8285dbdc5e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md 
@@ -27,9 +27,9 @@ manager: dansimp Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. -It can only be enabled in certain situations. See [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products. +It can only be enabled in certain situations. For more information about limited periodic scanning and how Microsoft Defender Antivirus works with other antivirus products, see [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md). -**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. +**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a limited subset of the Windows Defender Antivirus capabilities to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. ## How to enable limited periodic scanning 
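Review bot: The replacement sentence in the first hunk mixes product names within one sentence: "how Microsoft Defender Antivirus works with other antivirus products, see [Windows Defender Antivirus compatibility]". The rest of this article and the other files in the series use "Windows Defender Antivirus"; pick one name. In the second hunk, dropping "very" from "a very limited subset of the Windows Defender Antivirus capabilities" softens the caution that follows the bold recommendation; if the intent is only to trim an intensifier that is fine, but it reads as a change in the strength of the warning.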
@@ -43,11 +43,11 @@ If another antivirus product is installed and working correctly, Windows Defende ![Windows Security app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png) -Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. +Underneath any third party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. ![The limited periodic option is a toggle to enable or disable **periodic scanning**](images/vtp-3ps-lps.png) -Sliding the swtich to **On** will show the standard Windows Defender AV options underneath the 3rd party AV product. The limited periodic scanning option will appear at the bottom of the page. +Sliding the switch to **On** will show the standard Windows Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page. ![When enabled, periodic scanning shows the normal Windows Defender Antivirus options](images/vtp-3ps-lps-on.png) From 309a58e75c7fd792e8aa188dbce99649370e3185 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 15:36:04 -0800 Subject: [PATCH 28/91] Update manage-event-based-updates-windows-defender-antivirus.md --- ...-based-updates-windows-defender-antivirus.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 8f4ce77a47..eb4a6480b8 100644 
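Review bot: "third party AV products" and "third party AV product" in the two + lines should be hyphenated as "third-party" when used as a compound adjective; the original "3rd party" was replaced without adding the hyphen.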
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -61,7 +61,7 @@ Use the following cmdlets: Set-MpPreference -CheckForSignaturesBeforeRunningScan ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index). ### Use Windows Management Instruction (WMI) to check for protection updates before running a scan @@ -114,7 +114,7 @@ Use the following cmdlets: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine ``` -See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +For more information, see [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. ### Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present 
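Review bot: The + line of the second hunk (@@ -114,7 +114,7) now reads "For more information, see [Use PowerShell cmdlets to manage Windows Defender Antivirus](...) and [Defender cmdlets](...) for more information on how to use PowerShell with Windows Defender Antivirus", repeating "for more information" twice; the first hunk dropped the trailing clause and this one should match it. The trailing-context heading "### Use Windows Management Instruction (WMI)" also misnames the technology: it is Windows Management Instrumentation, and the same heading recurs as context in the later hunks of this file, so it is worth fixing in this series.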
@@ -124,14 +124,13 @@ Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com SignatureDisableUpdateOnStartupWithoutEngine ``` -See the following for more information: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) +For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal). ## Allow ad hoc changes to protection based on cloud-delivered protection -Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates. +Windows Defender AV can make changes to its protection based on cloud-delivered protection. Such changes can occur outside of normal or scheduled protection updates. If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that protection update. Other important protection updates can also be applied. 
@@ -143,9 +142,11 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following: - 1. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. - 2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**. +4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**. + +5. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. + +6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**. Then click **OK**. > [!NOTE] > "Allow notifications to disable definitions based reports" enables Microsoft MAPS to disable those definitions known to cause false-positive reports. You must configure your computer to join Microsoft MAPS for this function to work. From a0c9968495a87f9cc1aea9b727bd3dd5f2430de2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:29:03 -0800 Subject: [PATCH 29/91] Update manage-event-based-updates-windows-defender-antivirus.md --- ...nage-event-based-updates-windows-defender-antivirus.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index eb4a6480b8..74383d6cf6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md 
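Review bot: Step 6 in the + lines is missing its verb: "6. **Allow notifications to disable definitions-based reports to Microsoft MAPS** and set the option to **Enabled**" should begin with "Double-click" like step 5. Also, step 6 hyphenates "definitions-based" while the unchanged NOTE below it quotes the policy as "Allow notifications to disable definitions based reports"; the policy name should be reproduced exactly as it appears in the Group Policy editor, so the two should agree.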
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -41,7 +41,7 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet ### Use Group Policy to check for protection updates before running a scan -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration**. @@ -78,7 +78,7 @@ See the following for more information: You can use Group Policy to force Windows Defender Antivirus to check and download protection updates when the machine is started. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration**. 
@@ -94,7 +94,7 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender ### Use Group Policy to download updates when Windows Defender Antivirus is not present -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration**. @@ -136,7 +136,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi ### Use Group Policy to automatically download recent updates based on cloud-delivered protection -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration**. From a32d898e46b1b2bd7d6716c25a0dc06aae904505 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:30:33 -0800 Subject: [PATCH 30/91] Update manage-event-based-updates-windows-defender-antivirus.md --- ...nage-event-based-updates-windows-defender-antivirus.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 74383d6cf6..23aa812c8a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -43,7 +43,7 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**. +2. Using the **Group Policy Management Editor** go to **Computer configuration**. 3. Click **Policies** then **Administrative templates**. @@ -80,7 +80,7 @@ You can use Group Policy to force Windows Defender Antivirus to check and downlo 1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**. +2. Using the **Group Policy Management Editor** go to **Computer configuration**. 3. Click **Policies** then **Administrative templates**. 
@@ -96,7 +96,7 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**. +2. Using the **Group Policy Management Editor**, go to **Computer configuration**. 3. Click **Policies** then **Administrative templates**. @@ -138,7 +138,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**. +2. Using the **Group Policy Management Editor** go to **Computer configuration**. 3. Click **Policies** then **Administrative templates**. From 05e3f7be56089c838d808e16a3019f8474a2bbef Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:32:41 -0800 Subject: [PATCH 31/91] Update manage-event-based-updates-windows-defender-antivirus.md --- ...manage-event-based-updates-windows-defender-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 23aa812c8a..544c616a0a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md 
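Review bot: The four rewrites of step 2 in this file are now inconsistent: the hunk at @@ -96,7 +96,7 reads "Using the **Group Policy Management Editor**, go to **Computer configuration**." with a comma after the editor name, while the other three rewrites in the same patch omit it. Make all four identical; the version with the comma is the grammatically correct one.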
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -84,7 +84,7 @@ You can use Group Policy to force Windows Defender Antivirus to check and downlo 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. +4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Signature Updates**. 5. Double-click **Check for the latest virus and spyware definitions on startup** and set the option to **Enabled**. @@ -100,7 +100,7 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender 3. Click **Policies** then **Administrative templates**. -4. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**. +4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**. 5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**. @@ -118,7 +118,7 @@ For more information, see [Use PowerShell cmdlets to manage Windows Defender Ant ### Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties: ```WMI SignatureDisableUpdateOnStartupWithoutEngine From 3d6628c1eb1970f11228521e174c1d6f544f922d Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:34:33 -0800 Subject: [PATCH 32/91] Update manage-event-based-updates-windows-defender-antivirus.md --- .../manage-event-based-updates-windows-defender-antivirus.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 544c616a0a..262af74b43 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -71,8 +71,7 @@ Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com CheckForSignaturesBeforeRunningScan ``` -See the following for more information: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) +For more information, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal). ## Check for protection updates on startup From 3c4d1ac7a1773f4a17ca143961c25f1c0c108a6b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:35:14 -0800 Subject: [PATCH 33/91] Update manage-event-based-updates-windows-defender-antivirus.md --- .../manage-event-based-updates-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 262af74b43..c238f05823 100644 
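Review bot: the hunk header context for @@ -71 ("Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com") shows the first MSFT_MpPreference link still on msdn.microsoft.com, while the previous commit moved the second one at line 118 to https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85); update this link too so the WMIv2 APIs link and the MSFT_MpPreference link both use docs.microsoft.com.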
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -37,7 +37,7 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet 3. Click **OK**. -4.[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Use Group Policy to check for protection updates before running a scan From d194fb5f5cae0d66bf594300ac36fa5d3a40e473 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:36:59 -0800 Subject: [PATCH 34/91] Update prevent-end-user-interaction-windows-defender-antivirus.md --- ...ent-end-user-interaction-windows-defender-antivirus.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index a491e7bf11..c508e639f2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md 
@@ -38,8 +38,7 @@ With the setting set to **Disabled** or not configured: ![Scheenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) >[!NOTE] ->Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) - +>Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.": @@ -47,7 +46,7 @@ In earlier versions of Windows 10, the setting will hide the Windows Defender cl ## Use Group Policy to hide the Windows Defender AV interface from users -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration**. 
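Review bot: the rewritten note line in @@ -38 still ends without a full stop after the link "[configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)"; add the period since the line is being touched. The alt text in the context line above, "Scheenshot of Windows Security showing the shield icon...", has a typo (Screenshot) that could be fixed in the same commit rather than three commits later.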
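Review bot: in @@ -47 the step numbering in the context still jumps from "1. On your Group Policy management machine..." straight to "3. In the **Group Policy Management Editor** go to **Computer configuration**."; since step 1 is being edited for the new GPMC link anyway, renumber the remaining steps here instead of in a separate commit.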
@@ -67,7 +66,7 @@ You can prevent users from pausing scans. This can be helpful to ensure schedule ### Use Group Policy to prevent users from pausing a scan -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration**. @@ -77,7 +76,6 @@ You can prevent users from pausing scans. This can be helpful to ensure schedule 6. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**. - ## Related articles From 97fe6faef6f24aebb3a5aaf1aa822a52d4256384 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:38:38 -0800 Subject: [PATCH 35/91] Update prevent-end-user-interaction-windows-defender-antivirus.md --- ...end-user-interaction-windows-defender-antivirus.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index c508e639f2..733885cd92 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md 
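Review bot: same numbering gap in @@ -67 as in the section above: the step following "1. On your Group Policy management machine..." is labelled "3. In the **Group Policy Management Editor** go to **Computer configuration**."; renumber 3 to 6 as 2 to 5 while the step 1 link is being updated.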
@@ -48,16 +48,15 @@ In earlier versions of Windows 10, the setting will hide the Windows Defender cl 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Administrative templates**. +3. Click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. +4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. -6. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. +5. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. - -Also see the [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topic for more options on preventing users form modifying protection on their PCs. +See [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) for more options on preventing users form modifying protection on their PCs. ## Prevent users from pausing a scan From f89f4fb5f8975bf6a998858d96a365e58170554d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:39:48 -0800 Subject: [PATCH 36/91] Update prevent-end-user-interaction-windows-defender-antivirus.md --- ...-user-interaction-windows-defender-antivirus.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
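Review bot: the replacement sentence in @@ -48 keeps the typo "preventing users form modifying protection on their PCs" ("from"); fix it, since the whole line is being rewritten. The renumbered step "4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**" also keeps the single-bold path, whereas PATCH 31 in this series reformats the same kind of path as **Windows components** > **Windows Defender Antivirus** > **...**; use the bold-per-segment form here for consistency.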
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index 733885cd92..34850f74c5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md 
@@ -62,22 +62,22 @@ See [Prevent users from locally modifying policy settings](configure-local-polic You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users. - ### Use Group Policy to prevent users from pausing a scan -1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. In the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Administrative templates**. +3. Click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**. +4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Scan**. -6. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**. +5. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**. ## Related articles - - [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) + - [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) + - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From fb58f2f3cd6ab0b4eb27edcb74181a39d931e3ce Mon Sep 17 00:00:00 2001 
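Review bot: the first changed pair in @@ -62 ("-1. On your Group Policy management machine..." / "+1. On your Group Policy management machine...") shows no visible difference, so it is a whitespace-only change; either drop it or say so in the commit message. In the Related articles list, the removed "[Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)" entry is still the page the NOTE on this topic links to, so keeping it beside the two new entries would be reasonable; the "Client interface" path in the section above is left in the old single-bold style while the Scan path here is changed to **Windows components** > **Windows Defender Antivirus** > **Scan**, so apply the same style to both.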
From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:40:44 -0800 Subject: [PATCH 37/91] Update prevent-end-user-interaction-windows-defender-antivirus.md --- ...ent-end-user-interaction-windows-defender-antivirus.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index 34850f74c5..a073892655 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md 
@@ -35,12 +35,12 @@ With the setting set to **Enabled**: With the setting set to **Disabled** or not configured: -![Scheenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) +![Screenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) >[!NOTE] >Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.": +In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app.": ![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this app](images/defender/wdav-headless-mode-1607.png) @@ -48,7 +48,7 @@ In earlier versions of Windows 10, the setting will hide the Windows Defender cl 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**. +2. Using the **Group Policy Management Editor** go to **Computer configuration**. 3. Click **Administrative templates**. 
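Review bot: the rewritten sentence in @@ -35 now ends with `app.":`, a period inside the closing quote followed by a colon that introduces the screenshot; use one terminator (drop the period and keep the colon, or keep the period and drop the colon, as a later commit in this series does).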
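Review bot: "2. Using the **Group Policy Management Editor** go to **Computer configuration**." in @@ -48 needs a comma after the introductory phrase ("...Editor**, go to"), matching the form PATCH 02 uses for the same step on the real-time protection page.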
@@ -60,7 +60,7 @@ See [Prevent users from locally modifying policy settings](configure-local-polic ## Prevent users from pausing a scan -You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users. +You can prevent users from pausing scans, which can be helpful to ensure scheduled or on-demand scans are not interrupted by users. ### Use Group Policy to prevent users from pausing a scan From 30d1e4ddf391dce14e62c73f6c9486c943e6a054 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:41:42 -0800 Subject: [PATCH 38/91] Update prevent-end-user-interaction-windows-defender-antivirus.md --- ...prevent-end-user-interaction-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index a073892655..973407b113 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md 
@@ -42,7 +42,7 @@ With the setting set to **Disabled** or not configured: In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app.": -![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this app](images/defender/wdav-headless-mode-1607.png) +![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this ](images/defender/wdav-headless-mode-1607.png) ## Use Group Policy to hide the Windows Defender AV interface from users @@ -66,7 +66,7 @@ You can prevent users from pausing scans, which can be helpful to ensure schedul 1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration**. +2. Using the **Group Policy Management Editor** go to **Computer configuration**. 3. Click **Administrative templates**. From fabcf889e5185d879fc8b63ae58f5fc02f393ea5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:42:18 -0800 Subject: [PATCH 39/91] Update prevent-end-user-interaction-windows-defender-antivirus.md --- .../prevent-end-user-interaction-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index 973407b113..dee7550e00 100644 
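Review bot: the new alt text in @@ -42 is cut off mid-phrase and keeps a trailing space ("...has restricted access to this ](images/defender/wdav-headless-mode-1607.png)"), so a screen reader would announce an incomplete sentence; either restore "app" or shorten the alt text to a description of the image, which the following commit does, so the two should be squashed.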
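Review bot: as in @@ -48 of the previous commit, "2. Using the **Group Policy Management Editor** go to **Computer configuration**." in @@ -66 is missing the comma after the introductory phrase; add it in both places.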
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md @@ -42,7 +42,7 @@ With the setting set to **Disabled** or not configured: In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app.": -![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this ](images/defender/wdav-headless-mode-1607.png) +![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703](images/defender/wdav-headless-mode-1607.png) ## Use Group Policy to hide the Windows Defender AV interface from users From 8cb0580f79f064ac8106e106cf47a2809ac2b780 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 16:42:47 -0800 Subject: [PATCH 40/91] Update prevent-end-user-interaction-windows-defender-antivirus.md --- .../prevent-end-user-interaction-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index dee7550e00..8f6ebb3c64 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md 
@@ -40,7 +40,7 @@ With the setting set to **Disabled** or not configured: >[!NOTE] >Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) -In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app.": +In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app." ![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703](images/defender/wdav-headless-mode-1607.png) From 58bfb5c4c111689a5944cb6ac41a5c516cd2b668 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 17:02:06 -0800 Subject: [PATCH 41/91] Update use-group-policy-windows-defender-antivirus.md --- ...group-policy-windows-defender-antivirus.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index dcf2f5dd8d..84d8ca6968 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md 
@@ -27,22 +27,21 @@ You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85). In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy settings: -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +2. Using the **Group Policy Management Editor** go to **Computer configuration**. -4. Click **Administrative templates**. +3. Click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus**. +4. Expand the tree to **Windows components** > **Windows Defender Antivirus**. -6. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes. +5. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +6. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable). 
- -Location | Setting | Documented in topic +Location | Setting | Article ---|---|--- Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) 
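Review bot: in @@ -27 step 1 is re-emitted with no visible change (whitespace only) while its [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx) link is left on technet, although PATCH 34 in this series moved the identical link to https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal; update it here too. The new step 2, "Using the **Group Policy Management Editor** go to **Computer configuration**.", again lacks the comma after the introductory phrase. The table header is changed from "Documented in topic" to "Article", but the context sentence above it still says "provides links to the appropriate topic in this documentation library", so align the wording.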
@@ -89,10 +88,10 @@ Reporting | Configure time out for detections requiring additional action | Not Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) Root | Turn off Windows Defender Antivirus | Not used (This setting must be set to **Not configured** to ensure any installed third-party antivirus apps work correctly) Root | Define addresses to bypass proxy server | Not used -Root | Define proxy auto-config (.pac) for connecting to the network | Not used +Root | Define proxy autoconfig (.pac) for connecting to the network | Not used Root | Define proxy server for connecting to the network | Not used Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) -Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) +Root | Allow antimalware service to start up with normal priority | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) Root | Turn off routine remediation | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md) Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) 
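Review bot: the Setting column in @@ -89 reproduces the policy names as shown in the Group Policy editor, which is what administrators search for, so the edits "proxy auto-config (.pac)" to "proxy autoconfig (.pac)" and "Allow antimalware service to startup with normal priority" to "start up" should be checked against the ADMX display strings before being copyedited; if the editor still shows "auto-config" and "startup", keep the original text and fix only prose outside the Setting column.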
@@ -127,7 +126,7 @@ Scan | Specify the time of day to run a scheduled scan | [Configure scheduled sc Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md) Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -Security intelligence updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) +Security intelligence updates | Allow notifications to disable definitions-based reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md) 
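Review bot: same caveat for @@ -127: "repots" to "reports" is a clear typo fix, but the inserted hyphen in "definitions-based" changes the quoted setting name; confirm the ADMX display string reads "definitions-based reports", otherwise keep "definitions based reports" and fix only the misspelling.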
@@ -148,3 +147,4 @@ Threats | Specify threats upon which default action should not be taken when det - [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) + From cc2a94d454ca373939ddf893e244f8aad6c77073 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 17:03:42 -0800 Subject: [PATCH 42/91] Update report-monitor-windows-defender-antivirus.md --- .../report-monitor-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 72b23bfec1..4f6e3c6ded 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Monitor and report on Windows Defender Antivirus protection -description: Use Configuration Manager or SIEM tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI. +description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI. keywords: siem, monitor, report, windows defender av search.product: eADQiWindows 10XVcnh ms.pagetype: security 
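Review bot: @@ -148 only appends an empty line after the last Related articles entry, adding trailing whitespace at the end of the file; drop this whitespace-only change, or mention the cleanup in the commit message, since nothing else in this commit touches that part of the file.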
@@ -29,7 +29,7 @@ You can use System Center Configuration Manager to [monitor Windows Defender Ant Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. -If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx). +If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx). Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md). From f5401a084980f8fb18cf9f7d48d58cb14295fd1f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 19 Nov 2019 17:06:18 -0800 Subject: [PATCH 43/91] Update report-monitor-windows-defender-antivirus.md --- .../report-monitor-windows-defender-antivirus.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 4f6e3c6ded..16f606bbae 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md 
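Review bot: the context line after the @@ -29 change still contains "Security audting" in the link text; fix the typo in this commit rather than in the next one, and squash the two. On the change itself, "SIEM server" is narrower than the removed "SIEM tool" since many SIEMs are hosted services; "SIEM solution" would cover both.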
@@ -23,17 +23,15 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender Antivirus. - -You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). +With Windows Defender Antivirus, you have several options for reviewing protection status and alerts. You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. If you have a third-party security information and event management (SIEM) server, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx). 
-Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md). +Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security auditing](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md). -These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). It is common practice for SIEMs to have connectors for Windows events. This technique allows for correlation of all security events from the machine in the SIEM. +These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). Often, SIEM servers have connectors for Windows events, allowing you to correlate all security events in your SIEM server. You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-malware). @@ -42,4 +40,5 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s ## Related articles - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) + - [Deploy Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) From f71f47da3406968059b22506aac169e552c106cd Mon Sep 17 00:00:00 2001 
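Review bot: the rewritten opening of the @@ -23 hunk drops the qualifier "depending on the management tool you are using for Windows Defender Antivirus", which was the informative part of the original sentence; the new "With Windows Defender Antivirus, you have several options for reviewing protection status and alerts." says less. Suggest "Depending on which tool you use to manage Windows Defender Antivirus, you have several options for reviewing protection status and alerts." Starting the next sentence with "Or, you can monitor protection using Microsoft Intune." is also a style nit; fold it into the preceding sentence.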
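Review bot: in the @@ -33 hunk the new wording "allowing you to correlate all security events in your SIEM server" loses "from the machine", which was the point of the paragraph: Windows Defender events are collected alongside the other Windows security event sources (SAM, auditing) from the same endpoint, and that is what makes the correlation useful. Suggest "allowing you to correlate Windows Defender events with the other security events from each device in your SIEM". The "audting" to "auditing" fix is correct.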
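Review bot: the @@ -42 hunk inserts a blank line between the two bullets under "## Related articles"; in Markdown that turns a tight list into a loose list, which renders with paragraph spacing between the items. Unless the spacing is intended, drop the added blank line so the list matches the other bullet lists in the file.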
From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:13:59 -0800 Subject: [PATCH 44/91] Update troubleshoot-asr.md --- .../microsoft-defender-atp/troubleshoot-asr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index a3dda43322..963402fe1d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -64,7 +64,7 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). -3. [Review the attack surface reductio rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. +3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. From 2beab75cf5cbd292edcfabd2b8bc74aa1c0fc1b4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:19:13 -0800 Subject: [PATCH 45/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...e-exclusions-windows-defender-antivirus.md | 35 +++++++++---------- 1 file changed, 16 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 4e5fc9ff72..904f471e8b 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
@@ -26,24 +26,21 @@ manager: dansimp > [!IMPORTANT] > Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md). -You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. +## Exclusion lists -Generally, you shouldn't need to apply exclusions. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. +You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. > [!NOTE] -> Automatic exclusions apply only to Windows Server 2016 and above. - ->[!TIP] ->The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. +> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. 
This topic describes how to configure exclusion lists for the following: Exclusion | Examples | Exclusion list ---|---|--- -Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions -Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions -A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions -A specific process | The executable file c:\test\process.exe | File and folder exclusions +Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions +Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions +A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions +A specific process | The executable file `c:\test\process.exe` | File and folder exclusions This means the exclusion lists have the following characteristics: 
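Review bot: merging the NOTE and the TIP into one NOTE in the @@ -26 hunk puts two unrelated statements side by side: "Automatic exclusions apply only to Windows Server 2016 and above." is a scope constraint on a feature, while "The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default." is guidance by example, and a reader can take the second sentence as also applying only to Windows Server 2016. Keep them as two callouts, or make the second one a plain sentence following the bolded "Generally, you shouldn't need to apply exclusions". Wrapping the example paths (`c:\test\sample`, `c:\sample\sample.test`, `c:\test\process.exe`) in backticks in the table is a good change.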
@@ -72,15 +69,15 @@ You can [configure how locally and globally defined exclusions lists are merged] ## Configure the list of exclusions based on folder name or file extension -**Use Intune to configure file name, folder, or file extension exclusions:** +### Use Intune to configure file name, folder, or file extension exclusions See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -**Use Configuration Manager to configure file name, folder, or file extension exclusions:** +### Use Configuration Manager to configure file name, folder, or file extension exclusions See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). -**Use Group Policy to configure folder or file extension exclusions:** +### Use Group Policy to configure folder or file extension exclusions >[!NOTE] >If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. 
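Review bot: the new "### Use Group Policy to configure folder or file extension exclusions" heading is the only one of the set that omits "file name", yet the NOTE directly under it says "If you specify a fully qualified path to a file, then only that file is excluded", so Group Policy does support file-name exclusions. Since this hunk rewrites the heading anyway, rename it to "Use Group Policy to configure file name, folder, or file extension exclusions" to match the Intune and Configuration Manager headings in the same hunk.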
@@ -113,7 +110,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// -**Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:** +### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). @@ -149,7 +146,7 @@ Add-MpPreference -ExclusionExtension ".test" See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:** +### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: @@ -166,7 +163,7 @@ See the following for more information and allowed parameters: -**Use the Windows Security app to configure file name, folder, or file extension exclusions:** +### Use the Windows Security app to configure file name, folder, or file extension exclusions See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. 
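Review bot: the heading "### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions" in the @@ -149 hunk carries over an expansion error from the bold line it replaces: WMI is Windows Management Instrumentation. The line is being rewritten here, so fix the expansion in this commit rather than leaving it for another pass. The context line that follows, pointing at the **Set**, **Add**, and **Remove** methods of **MSFT_MpPreference**, is fine.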
@@ -285,7 +282,7 @@ If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Validate the exclusion list by using MpCmdRun:** +### Validate the exclusion list by using MpCmdRun To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: @@ -296,7 +293,7 @@ MpCmdRun.exe -CheckExclusion -path >[!NOTE] >Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. -**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** +### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell Use the following cmdlet: @@ -310,7 +307,7 @@ In the following example, the items contained in the `ExclusionExtension` list a See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Retrieve a specific exclusions list by using PowerShell:** +### Retrieve a specific exclusions list by using PowerShell Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: 
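Review bot: the context line under the new "### Validate the exclusion list by using MpCmdRun" heading links to `.../command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options`; the `?branch=` query string points at a preview branch of the docs build and will break or show stale content once that branch is gone, so strip it to the plain article URL before publishing. The headings converted from bold to `###` in this hunk are otherwise consistent with the rest of the file.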
From 977058e7f5d37b7d273deb4dfa55121306590f42 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:20:14 -0800 Subject: [PATCH 46/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...-extension-file-exclusions-windows-defender-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 904f471e8b..d43f44ca5d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -191,7 +191,7 @@ The following table describes how the wildcards can be used and provides some ex - + - + @@ -758,7 +758,7 @@ Description: @@ -2450,7 +2450,7 @@ Message: Description: -
Event ID: 1000 This error indicates that an offline scan is required.
Resolution -Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article. +Run offline Windows Defender Antivirus. You can read about how to do this in the offline Windows Defender Antivirus article.
* (asterisk) Replaces any number of characters.
Only applies to files in the last folder defined in the argument.
Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching the number of wilcarded and named folders, all subfolders will also be included.
Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching the number of wildcarded and named folders, all subfolders will also be included.
  1. C:\MyData\*.txt
  2. @@ -225,7 +225,7 @@ The following table describes how the wildcards can be used and provides some ex
Replaces a single character in a folder name.
- After matching the number of wilcarded and named folders, all subfolders will also be included. + After matching the number of wildcarded and named folders, all subfolders will also be included.
    @@ -305,7 +305,7 @@ In the following example, the items contained in the `ExclusionExtension` list a ![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png) -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). ### Retrieve a specific exclusions list by using PowerShell From affca41597e21d1543df754fd03d75a1f6014c8b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:20:37 -0800 Subject: [PATCH 47/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...gure-extension-file-exclusions-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index d43f44ca5d..757c5b1d12 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
@@ -321,7 +321,7 @@ In the following example, the list is split into new lines for each use of the ` ![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png) -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). From 7f8d38b49ef5fff4b4532e9cf1f06184f74b73ae Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:21:08 -0800 Subject: [PATCH 48/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...gure-extension-file-exclusions-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 757c5b1d12..37e67c0ddd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
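Review bot: this hunk applies the same "See X and Y for more information..." to "For more information, see X and Y." rewrite that the previous commit (PATCH 46, @@ -305) made to an identical sentence a few lines earlier, and later commits in this series do it again for the remaining occurrences; these one-line commits to the same file should be squashed into a single commit so the history shows one wording change rather than several.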
@@ -329,7 +329,7 @@ For more information, see [Use PowerShell cmdlets to configure and run Windows D You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file. -In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path. +In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path. ```PowerShell Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt" From 284e75ca44f9f6c326cda8d576a791ec1e6518bb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:21:22 -0800 Subject: [PATCH 49/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...gure-extension-file-exclusions-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 37e67c0ddd..e47ba8afe9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
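Review bot: the changed line switches the later mentions to code formatting (`.testing`, `test.txt`, `test.testing`) but leaves the first mention in the same paragraph italic (*test.txt*), so the paragraph now mixes both conventions within two sentences; apply backticks to every file name in the line. Separately, the snippet under it fetches the EICAR file with `Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt"`; because the validation step depends on the downloaded content being exactly the EICAR string, using an HTTPS URL (if eicar.org serves the file over HTTPS) avoids a modified download producing a misleading result.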
@@ -335,7 +335,7 @@ In the following PowerShell snippet, replace *test.txt* with a file that conform Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt" ``` -If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html). +If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html). You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating: From 18926656671d59f118e90c8e8e747e5558decdb5 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 20 Nov 2019 11:21:58 -0800 Subject: [PATCH 50/91] update version and add link to autoupdate --- .../endpoint-detection-response-mac-preview.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index 94b0798855..b4823bcb7d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md 
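Review bot: this hunk fixes "testfile" to "test file" in the link text but leaves the same word in the very next context line ("to download the testfile - as with the `Invoke-WebRequest` cmdlet"), which is only corrected two commits later in PATCH 51; squash the two. On the logic of the changed sentence: "If there is no report of malware, and the downloaded file exists, then the exclusion is working." holds only when real-time protection is on, since a disabled or not-yet-updated engine also produces no report; a short clause telling the reader to confirm real-time protection is enabled before running the test would make the conclusion reliable.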
@@ -133,6 +133,12 @@ In the command prompt, run: mdatp --edr --early-preview true ``` +>[!NOTE] +>For this command to work, you will need to be at version 100.78.x. +>To get the latest version of the Microsoft Defender ATP for MAC, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). + + + ## Troubleshooting ### Verify you are running the correct version From a9162e7d3d07a0c85c1634b44a378ffcf785d3bb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:23:01 -0800 Subject: [PATCH 51/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...-extension-file-exclusions-windows-defender-antivirus.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index e47ba8afe9..8f2e0de392 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -157,9 +157,7 @@ ExclusionPath The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. -See the following for more information and allowed parameters: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) +For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). 
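Review bot: the NOTE added in the @@ -133 hunk is a prerequisite ("For this command to work, you will need to be at version 100.78.x.") but it is placed after the `mdatp --edr --early-preview true` command it qualifies; move it above the "In the command prompt, run:" step so readers check their version before running the command. Also in the same hunk: "Microsoft Defender ATP for MAC" should be "for Mac", the curly quotes around “Fast Ring” and “Microsoft AutoUpdate” should be straight quotes like the rest of the file, and the three blank lines added before "## Troubleshooting" should be one.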
@@ -337,7 +335,7 @@ Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.t If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html). -You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating: +You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating: ```PowerShell $client = new-object System.Net.WebClient From a5087ab95b56a3f4c8831ecd7b91f4356f3fb378 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:23:59 -0800 Subject: [PATCH 52/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...re-extension-file-exclusions-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 8f2e0de392..597c3fed54 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
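Review bot: the @@ -337 hunk corrects "testfile" but keeps the sentence structure that makes the line hard to follow: "...to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:". Suggest splitting it: "You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file. As with the `Invoke-WebRequest` cmdlet, replace `c:\test.txt` with a file that conforms to the rule you are validating:". That also brings the path into backticks, matching the formatting adopted for file names elsewhere in this series.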
@@ -33,7 +33,7 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying > [!NOTE] > Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. -This topic describes how to configure exclusion lists for the following: +This topic describes how to configure exclusion lists for the files and folders. Exclusion | Examples | Exclusion list ---|---|--- @@ -42,7 +42,7 @@ Any file under a specific folder | All files under the `c:\test\sample` folder | A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions A specific process | The executable file `c:\test\process.exe` | File and folder exclusions -This means the exclusion lists have the following characteristics: +Exclusion lists have the following characteristics: - Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. - File extensions will apply to any file name with the defined extension if a path or folder is not defined. From 3ffdbeffd20f2731b26f947c3a132f7c2303e919 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:25:00 -0800 Subject: [PATCH 53/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...re-extension-file-exclusions-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 597c3fed54..691e41805d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
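Review bot: the new sentence "This topic describes how to configure exclusion lists for the files and folders." has a stray article ("for the files and folders") and no longer introduces the table that immediately follows it, which the original "for the following:" did. Suggest "This topic describes how to configure exclusion lists for files and folders, as summarized in the following table:" so the table still has a lead-in. The second hunk's "Exclusion lists have the following characteristics:" is a clean simplification.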
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -63,7 +63,7 @@ The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defen > >Changes made in the Windows Security app **will not show** in the Group Policy lists. -By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in case of conflicts. +By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. @@ -144,7 +144,7 @@ For example, the following code snippet would cause Windows Defender AV scans to Add-MpPreference -ExclusionExtension ".test" ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. +For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index). ### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions 
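Review bot: the wording change in the @@ -63 hunk ("when there are conflicts") is fine, but the paragraph still presents the default merge behavior only as a convenience. As the hunk states, exclusions added locally by an administrator, including via PowerShell and WMI, are merged into the lists deployed by Group Policy, Configuration Manager, or Intune, and the NOTE above says Windows Security app changes "will not show" in the Group Policy lists; together that means a local admin can widen scan exclusions on a device without the managed lists reflecting it. The next sentence links to the article on merge configuration only "to allow local changes to override managed deployment settings"; it would help readers who manage fleets to also say there that the same setting can be used to stop local additions from being merged at all.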
From 7607d41a146f42bb23d7d241d458c9cad10afd10 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:27:08 -0800 Subject: [PATCH 54/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...re-extension-file-exclusions-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 691e41805d..6477b7496c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -138,7 +138,7 @@ All files under a folder (including files in subdirectories), or a specific file >[!IMPORTANT] >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. -For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension: +For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the `.test` file extension: ```PowerShell Add-MpPreference -ExclusionExtension ".test" 
@@ -168,7 +168,7 @@ See [Add exclusions in the Windows Security app](windows-defender-security-cente ## Use wildcards in the file name and folder path or extension exclusion lists -You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages, so you should read this section to understand their specific limitations. +You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations. >[!IMPORTANT] >There are key limitations and usage scenarios for these wildcards: From 557605111b77288a1c6197e4e41064c468435899 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:29:22 -0800 Subject: [PATCH 55/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...xtension-file-exclusions-windows-defender-antivirus.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 6477b7496c..c3b1587ed9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
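Review bot: splitting the sentence in the @@ -168 hunk is an improvement, but "Make sure to read this section to understand their specific limitations." is self-referential, since the reader is already in the section. Point at the content instead, for example "Read the limitations in the IMPORTANT note below before using them.", which also ties the sentence to the callout that follows.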
@@ -71,7 +71,9 @@ You can [configure how locally and globally defined exclusions lists are merged] ### Use Intune to configure file name, folder, or file extension exclusions -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. +See the following articles: +- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) +- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) ### Use Configuration Manager to configure file name, folder, or file extension exclusions @@ -260,9 +262,9 @@ The following table describes how the wildcards can be used and provides some ex >[!IMPORTANT] >If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. > ->For example, you can exclude all files that start with "date" in the folders *c:\data\final\marked* and *c:\data\review\marked* by using the rule argument c:\data\\\*\marked\date*.\*. +>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*. > ->This argument, however, will not match any files in **subfolders** under *c:\data\final\marked* or *c:\data\review\marked*. +>This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`. From 772f9d4f7d2f9435e6daced66a62d3678f439ff8 Mon Sep 17 00:00:00 2001 
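Review bot: In the @@ -260 hunk of PATCH 55, the rule argument `c:\data\\\*\marked\date*.\*` is still written with Markdown escapes while the two folder paths on the same line were just moved into backticks; put the argument in backticks as well (`c:\data\*\marked\date*.*`) so the backslash and asterisk escapes are no longer needed and the reader sees the literal string to type.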
From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:33:35 -0800 Subject: [PATCH 56/91] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...sion-file-exclusions-windows-defender-antivirus.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index c3b1587ed9..a1020bef6f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -191,7 +191,7 @@ The following table describes how the wildcards can be used and provides some ex
* (asterisk) Replaces any number of characters.
Only applies to files in the last folder defined in the argument.
Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching the number of wildcarded and named folders, all subfolders will also be included.
Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching the number of wild carded and named folders, all subfolders will also be included.
  1. C:\MyData\*.txt
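Review bot: The @@ -191 hunk of PATCH 56 changes "wildcarded" to "wild carded" in the asterisk row ("After matching the number of wild carded and named folders, all subfolders will also be included."); "wildcarded" is one word and the pre-change text was correct, so revert that part of the edit.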
  2. @@ -225,7 +225,7 @@ The following table describes how the wildcards can be used and provides some ex
Replaces a single character in a folder name.
- After matching the number of wildcarded and named folders, all subfolders will also be included. + After matching the number of wild carded and named folders, all subfolders will also be included.
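Review bot: The same regression appears in the @@ -225 hunk: the `-`/`+` pair replaces "wildcarded" with "wild carded" in the question-mark row; keep the single word "wildcarded" here too.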
    @@ -270,7 +270,12 @@ The following table describes how the wildcards can be used and provides some ex ## Review the list of exclusions -You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list using one of the following methods: +- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) +- [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) +- MpCmdRun +- PowerShell +- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions) >[!IMPORTANT] >Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). From 6240ed77e5b7b01cba839a396105d7e453c8eb97 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:36:38 -0800 Subject: [PATCH 57/91] Update configure-network-connections-windows-defender-antivirus.md --- .../configure-network-connections-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 54e8305938..bc91b2c46f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -25,7 +25,7 @@ manager: dansimp To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. -This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services. +This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services. See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity. From 34058689c1659744d2ef45abfd9fc63e4671e54a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:39:57 -0800 Subject: [PATCH 58/91] Update configure-network-connections-windows-defender-antivirus.md --- ...gure-network-connections-windows-defender-antivirus.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index bc91b2c46f..531490795e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -38,7 +38,7 @@ See the blog post [Important changes to Microsoft Active Protection Services end ## Allow connections to the Windows Defender Antivirus cloud service -The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides very important protection against malware on your endpoints and across your network. +The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. 
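Review bot: The rewritten sentence in the @@ -38 hunk of PATCH 58 still joins two independent clauses with a comma ("...is optional, however it is highly recommended because..."); since the line is being edited anyway, write "Enabling the cloud-delivered protection service is optional; however, it is highly recommended because it provides important protection..." or split it into two sentences.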
@@ -47,7 +47,7 @@ See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. -As a cloud service, it is required that computers have access to the internet and that the ATP machine learning services are reachable. The URL: "\*.blob.core.windows.net" should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL: "\*.blob.core.windows.net"). Below mention URLs are using port 443 for communication. +Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. The URL `*.blob.core.windows.net` should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. | **Service**| **Description** |**URL** | 
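Review bot: The `+` line in the @@ -47 hunk of PATCH 58 keeps the ungrammatical closing sentence "Below mention URLs are using port 443 for communication."; suggest "The URLs listed below use TCP port 443." so the port requirement reads as a concrete firewall rule the reader can act on.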
@@ -67,7 +67,7 @@ After whitelisting the URLs listed above, you can test if you are connected to t **Use the cmdline tool to validate cloud-delivered protection:** -Use the following argument with the Windows Defender Antivirus command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender Antivirus cloud service: +Use the following argument with the Windows Defender Antivirus command-line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender Antivirus cloud service: ```DOS "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection @@ -76,7 +76,7 @@ Use the following argument with the Windows Defender Antivirus command line util > [!NOTE] > You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher. -See [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility. +For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md). **Attempt to download a fake malware file from Microsoft:** From f5174ba0d6f77f26d7312ee1ca54be8169cabb82 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:41:11 -0800 Subject: [PATCH 59/91] Update configure-network-connections-windows-defender-antivirus.md --- ...onfigure-network-connections-windows-defender-antivirus.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
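Review bot: In the @@ -76 hunk of PATCH 58 the link text "Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool" still says "commandline" while the @@ -67 hunk immediately above changes the body text to "command-line"; make the two consistent, or, if the link text must mirror the target article's title, fix the title in command-line-arguments-windows-defender-antivirus.md as well.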
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 531490795e..b4f87c5753 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -47,7 +47,7 @@ See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. -Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. The URL `*.blob.core.windows.net` should not be excluded from any kind of network inspection. The table below lists the services and their associated URLs. You should ensure there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. +Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. | **Service**| **Description** |**URL** | 
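Review bot: In the @@ -47 hunk of PATCH 59, "exclude" now carries two different meanings in one paragraph: "Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection" and then "create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`)". Reword the parenthesis to "(other than `*.blob.core.windows.net`)" or "(the allow rule should not cover `*.blob.core.windows.net`)" so a reader writing firewall rules does not read it as a second instruction to exempt that hostname from inspection. The trailing "Below mention URLs are using port 443 for communication." is also still unchanged in this `+` line.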
@@ -113,7 +113,7 @@ You will also see a detection under **Quarantined threats** in the **Scan histor ![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png) >[!NOTE] ->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces. +>Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md). The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). From 2bded228985310a41911b59bdd8d3c3c96541e97 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:45:29 -0800 Subject: [PATCH 60/91] Update configure-network-connections-windows-defender-antivirus.md --- ...ork-connections-windows-defender-antivirus.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index b4f87c5753..f0fb1e1960 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
@@ -52,13 +52,13 @@ Because your protection is a cloud service, computers must have access to the in | **Service**| **Description** |**URL** | | :--: | :-- | :-- | -| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|\*.wdcp.microsoft.com \*.wdcpalt.microsoft.com \*.wd.microsoft.com| -| *Microsoft Update Service (MU)*| Security intelligence and product updates |\*.update.microsoft.com| -| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| \*.download.microsoft.com| -| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net | -| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL | https://www.microsoft.com/pkiops/crl/ https://www.microsoft.com/pkiops/certs https://crl.microsoft.com/pki/crl/products https://www.microsoft.com/pki/certs | -| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | -| *Universal Telemetry Client*| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data 
to Microsoft that uses the following DNS endpoints: vortex-win.data.microsoft.com settings-win.data.microsoft.com| +| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
    `*.wdcpalt.microsoft.com`
    `*.wd.microsoft.com`| +| *Microsoft Update Service (MU)*| Security intelligence and product updates |`*.update.microsoft.com`| +| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| +| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
    `ussus1westprod.blob.core.windows.net`
    `usseu1northprod.blob.core.windows.net`
    `usseu1westprod.blob.core.windows.net`
    `ussuk1southprod.blob.core.windows.net`
    `ussuk1westprod.blob.core.windows.net`
    `ussas1eastprod.blob.core.windows.net`
    `ussas1southeastprod.blob.core.windows.net`
    `ussau1eastprod.blob.core.windows.net`
    `ussau1southeastprod.blob.core.windows.net` | +| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
    `https://www.microsoft.com/pkiops/certs`
    `https://crl.microsoft.com/pki/crl/products`
    `https://www.microsoft.com/pki/certs` | +| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | +| *Universal Telemetry Client*| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
    `settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud @@ -67,7 +67,7 @@ After whitelisting the URLs listed above, you can test if you are connected to t **Use the cmdline tool to validate cloud-delivered protection:** -Use the following argument with the Windows Defender Antivirus command-line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender Antivirus cloud service: +Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service: ```DOS "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection From 8630eab7286ab1133a32f4a452059418b11e8b7e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:45:54 -0800 Subject: [PATCH 61/91] Update configure-network-connections-windows-defender-antivirus.md --- ...configure-network-connections-windows-defender-antivirus.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index f0fb1e1960..2b646f930a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
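Review bot: In the Universal Telemetry Client row of the @@ -52 hunk in PATCH 60, the `+` line begins "This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data..." although the subject of the row is the service, not an update; suggest "This service uses SSL (TCP port 443)...". That row is also the only one in the table that states the port, while the paragraph above the table already says all listed URLs use port 443; since every cell is being reformatted in this hunk, either state the port once above the table or add it consistently to each row.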
@@ -123,6 +123,9 @@ The Windows event log will also show [Windows Defender client event ID 2050](tro ## Related articles - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) + - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) + - [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md) + - [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) From 6c48c404ac57eb7f845f568b99017473584dfe60 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:47:11 -0800 Subject: [PATCH 62/91] Update configure-network-connections-windows-defender-antivirus.md --- ...twork-connections-windows-defender-antivirus.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 2b646f930a..a562fd5f60 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
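Review bot: Three problems in the @@ -123 hunk of PATCH 61: (1) "Run an Windows Defender Antivirus scan" should read "Run a Windows Defender Antivirus scan"; (2) both links in that item point to the same file, command-line-arguments-windows-defender-antivirus.md, so one of them is redundant and the item should be a single link; (3) the three added items are indented one space further than the existing "- [Windows Defender Antivirus in Windows 10]" bullet, which some Markdown renderers treat as a nested list; align the dashes with the existing bullet.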
@@ -52,13 +52,13 @@ Because your protection is a cloud service, computers must have access to the in | **Service**| **Description** |**URL** | | :--: | :-- | :-- | -| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
    `*.wdcpalt.microsoft.com`
    `*.wd.microsoft.com`| -| *Microsoft Update Service (MU)*| Security intelligence and product updates |`*.update.microsoft.com`| -| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| -| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
    `ussus1westprod.blob.core.windows.net`
    `usseu1northprod.blob.core.windows.net`
    `usseu1westprod.blob.core.windows.net`
    `ussuk1southprod.blob.core.windows.net`
    `ussuk1westprod.blob.core.windows.net`
    `ussas1eastprod.blob.core.windows.net`
    `ussas1southeastprod.blob.core.windows.net`
    `ussau1eastprod.blob.core.windows.net`
    `ussau1southeastprod.blob.core.windows.net` | -| *Certificate Revocation List (CRL)*|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
    `https://www.microsoft.com/pkiops/certs`
    `https://crl.microsoft.com/pki/crl/products`
    `https://www.microsoft.com/pki/certs` | -| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | -| *Universal Telemetry Client*| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
    `settings-win.data.microsoft.com`| +| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
    `*.wdcpalt.microsoft.com`
    `*.wd.microsoft.com`| +| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`| +|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| +| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
    `ussus1westprod.blob.core.windows.net`
    `usseu1northprod.blob.core.windows.net`
    `usseu1westprod.blob.core.windows.net`
    `ussuk1southprod.blob.core.windows.net`
    `ussuk1westprod.blob.core.windows.net`
    `ussas1eastprod.blob.core.windows.net`
    `ussas1southeastprod.blob.core.windows.net`
    `ussau1eastprod.blob.core.windows.net`
    `ussau1southeastprod.blob.core.windows.net` | +| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
    `https://www.microsoft.com/pkiops/certs`
    `https://crl.microsoft.com/pki/crl/products`
    `https://www.microsoft.com/pki/certs` | +| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` | +| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
    `settings-win.data.microsoft.com`| ## Validate connections between your network and the cloud From cd749c88368213b569c3c7e5a18dc77e88032e5c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 20 Nov 2019 11:58:24 -0800 Subject: [PATCH 63/91] Update troubleshoot-windows-defender-antivirus.md --- ...troubleshoot-windows-defender-antivirus.md | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index 1aa32f693e..8b02e56f61 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -359,7 +359,7 @@ Message: Description:
-For more information please see the following: +For more information, see the following:
Name: <Threat name>
ID: <Threat ID>
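Review bot: The Description blocks edited throughout PATCH 63 (here in the @@ -359 hunk, "For more information please see the following:" becoming "For more information, see the following:") appear to reproduce the message text of the Windows Defender client events. If that is the case, the documented wording should match what the event log actually emits, because readers search for these events by their message text, and the copy edit should be confined to the surrounding explanatory prose. Please confirm against the live event text before merging.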
@@ -432,7 +432,7 @@ Message: Description:
-Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following: +Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software. For more information, see the following:
User: <Domain>\<User>
Name: <Threat name>
@@ -450,7 +450,7 @@ Windows Defender Antivirus has taken action to protect this machine from malware
  • Quarantine: The resource was quarantined
  • Remove: The resource was deleted
  • Allow: The resource was allowed to execute/exist
  • -
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • +
  • User defined: User-defined action that is normally one from this list of actions that the user has specified
  • No action: No action
  • Block: The resource was blocked from executing
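Review bot: The rewritten "User defined" bullet in the @@ -450 hunk is still hard to parse ("User-defined action that is normally one from this list of actions that the user has specified"); suggest "User defined: an action the user has specified, normally one of the actions in this list." The same bullet recurs unchanged in form in the @@ -503 hunk and should get the same wording.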
  • @@ -484,7 +484,7 @@ Message: Description:
    -Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following: +Windows Defender Antivirus has encountered an error when taking action on malware or other potentially unwanted software. For more information, see the following:
    User: <Domain>\<User>
    Name: <Threat name>
    @@ -503,7 +503,7 @@ Windows Defender Antivirus has encountered an error when taking action on malwar
  • Quarantine: The resource was quarantined
  • Remove: The resource was deleted
  • Allow: The resource was allowed to execute/exist
  • -
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • +
  • User defined: User-defined action that is normally one from this list of actions that the user has specified
  • No action: No action
  • Block: The resource was blocked from executing
  • @@ -543,7 +543,7 @@ Message: Description:
    -Windows Defender Antivirus has restored an item from quarantine. For more information please see the following: +Windows Defender Antivirus has restored an item from quarantine. For more information, see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -587,7 +587,7 @@ Message: Description:
    -Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information please see the following: +Windows Defender Antivirus has encountered an error trying to restore an item from quarantine. For more information, see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -634,7 +634,7 @@ Message: Description:
    -Windows Defender Antivirus has deleted an item from quarantine.
    For more information please see the following: +Windows Defender Antivirus has deleted an item from quarantine.
    For more information, see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -678,7 +678,7 @@ Description:
    Windows Defender Antivirus has encountered an error trying to delete an item from quarantine. -For more information please see the following: +For more information, see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -727,7 +727,7 @@ Description:
    Windows Defender Antivirus has removed history of malware and other potentially unwanted software.
    -
    Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
    +
    Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
    User: <Domain>\<User>
    Windows Defender Antivirus has encountered an error trying to remove history of malware and other potentially unwanted software.
    -
    Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
    +
    Time: The time when the event occurred, for example when the history is purged. This parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
    User: <Domain>\<User>
    Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
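Review bot: the two `+` lines in the -727 hunk only drop "Note that"; the tail of each sentence, "we specifically call them as Action Time or Detection Time", is still ungrammatical ("call them as") and reads as internal commentary rather than documentation. Suggest: `For threat events the timestamp is reported as Action Time or Detection Time instead, to avoid confusing remediation time with infection time.` Both occurrences should get the same fix.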
    @@ -791,7 +791,7 @@ Message: Description:
    -Windows Defender Antivirus has detected a suspicious behavior.
    For more information please see the following: +Windows Defender Antivirus has detected a suspicious behavior.
    For more information, see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -868,7 +868,7 @@ Message: Description:
    -Windows Defender Antivirus has detected malware or other potentially unwanted software.
    For more information please see the following: +Windows Defender Antivirus has detected malware or other potentially unwanted software.
    For more information, see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -949,7 +949,7 @@ Message: Description:
    -Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
    For more information please see the following: +Windows Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.
    For more information, see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -997,7 +997,7 @@ UAC
  • Quarantine: The resource was quarantined
  • Remove: The resource was deleted
  • Allow: The resource was allowed to execute/exist
  • -
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • +
  • User defined: User-defined action that is normally one from this list of actions that the user has specified
  • No action: No action
  • Block: The resource was blocked from executing
  • @@ -1010,7 +1010,7 @@ Description of the error.
    Signature Version: <Definition version>
    Engine Version: <Antimalware Engine version>
    NOTE: -Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:
      +Whenever Windows Defender Antivirus, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services that the malware might have changed:
      • Default Internet Explorer or Microsoft Edge setting
      • User Access Control settings
      • Chrome settings
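Review bot: the `+` line in the -1010 hunk still says "detects a malware"; malware is a mass noun, so `detects malware`. In the unchanged context directly below it, "User Access Control settings" should read `User Account Control settings` (the UAC named in the hunk header); since this paragraph is being edited anyway, fix the expansion here rather than leaving a wrong feature name in a list of settings the product restores after an infection.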
      • @@ -1076,7 +1076,7 @@ Message: Description:
    -Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
    For more information please see the following: +Windows Defender Antivirus has encountered a non-critical error when taking action on malware or other potentially unwanted software.
    For more information, see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -1124,7 +1124,7 @@ UAC
  • Quarantine: The resource was quarantined
  • Remove: The resource was deleted
  • Allow: The resource was allowed to execute/exist
  • -
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • +
  • User defined: User-defined action that is normally one from this list of actions that the user has specified
  • No action: No action
  • Block: The resource was blocked from executing
  • @@ -1171,7 +1171,7 @@ Message: Description:
    -Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
    For more information please see the following: +Windows Defender Antivirus has encountered a critical error when taking action on malware or other potentially unwanted software.
    For more information, see the following:
    Name: <Threat name>
    ID: <Threat ID>
    @@ -1219,7 +1219,7 @@ UAC
  • Quarantine: The resource was quarantined
  • Remove: The resource was deleted
  • Allow: The resource was allowed to execute/exist
  • -
  • User defined: User defined action which is normally one from this list of actions that the user has specified
  • +
  • User defined: User-defined action that is normally one from this list of actions that the user has specified
  • No action: No action
  • Block: The resource was blocked from executing
  • @@ -1321,7 +1321,7 @@ Windows Defender Antivirus client is up and running in a healthy state.
    -
    Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
    +
    Note: This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
    -Windows Defender Antivirus configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. +Windows Defender Antivirus configuration has changed. If this is an unexpected event, you should review the settings as this may be the result of malware.
    Old value: <Old value number> Old antivirus configuration value.
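Review bot: the new `Note:` line in the -1321 hunk still leaves "ThreatFileHashLogging unsigned" unexplained; a reader cannot tell whether "unsigned" is the value the policy must be set to or a description of the files it applies to. Spell out the setting and the value that enables the event. In the configuration-changed `+` line, consider pointing the reader at the Old value field that follows as the thing to compare against, since an unexpected change here is the tamper signal this row exists to surface.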
    From d79c74649a252de284f20e830a6cadc9d94317a7 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Nov 2019 12:42:11 -0800 Subject: [PATCH 64/91] Updates for ProX and SEMM --- .../surface-enterprise-management-mode.md | 4 ++-- .../surface/surface-pro-arm-app-management.md | 20 ++++++++++++------- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index de1879bcba..ac2ff45422 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -229,8 +229,8 @@ create a reset package using PowerShell to reset SEMM. ## Version History -### Version 2.59.139 -* Support to Surface Pro 7 and Surface Laptop 3 +### Version 2.59. +* Support to Surface Pro 7 and Surface Laptop 3 13 inch. Note: Surface Laptop 3 15inch AMD processor is not supported. - Support to Wake on Power feature ### Version 2.54.139.0 diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index 2f8061c0b4..ba6fcf8bab 100644 --- a/devices/surface/surface-pro-arm-app-management.md +++ b/devices/surface/surface-pro-arm-app-management.md @@ -8,7 +8,7 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 10/03/2019 +ms.date: 11/20/2019 ms.reviewer: jessko manager: dansimp ms.audience: itpro 
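Review bot: the SEMM version heading is truncated: `-### Version 2.59.139` becomes `+### Version 2.59.`, dropping the build number and ending in a stray period, while the next heading in context is `### Version 2.54.139.0`; restore the full version string. In the same hunk "13 inch" and "15inch" are formatted inconsistently, and the new `- Support to Wake on Power feature` bullet uses `-` where the list it joins uses `*`.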
@@ -36,7 +36,7 @@ Organizations already using modern management, security, and productivity soluti ## Image-based deployment considerations -Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager (SCCM) operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud. +Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager) currently do not support Surface Pro X for operating system deployment. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud. ## Managing Surface Pro X devices @@ -48,7 +48,7 @@ For more information about setting up Intune, refer to the [Intune documentation ### Co-management -Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with SCCM, which will install the 32-bit x86 ConfigMgr client. +Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with Endpoint Configuration Manager, which will install the 32-bit x86 ConfigMgr client. ### Third party MDM solutions 
@@ -69,6 +69,12 @@ Outside of personal devices that rely on Windows Update, servicing devices in mo > [!NOTE] > Surface Pro X supports Windows 10, version 1903 and later. +### Windows Server Update Services +Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X. + +For more information, refer to the [Microsoft Endpoint Configuration Manager documentation] (https://docs.microsoft.com/configmgr/sum/get-started/configure-classifications-and-products). + + ## Running apps on Surface Pro X Most apps run on ARM-based Windows 10 PCs with limited exclusions. @@ -120,7 +126,7 @@ The following tables show the availability of selected key features on Surface P | Support for Network Boot (PXE) | Yes | Yes | | | Windows Configuration Designer | Yes | No | Not recommended for Surface Pro X. | | WinPE | Yes | Yes | Not recommended for Surface Pro X. Microsoft does not provide the necessary .ISO and drivers to support WinPE with Surface Pro X. | -| SCCM: Operating System Deployment (OSD) | Yes | No | Not supported on Surface Pro X. | +| Endpoint Configuration Manager: Operating System Deployment (OSD) | Yes | No | Not supported on Surface Pro X. | | MDT | Yes | No | Not supported on Surface Pro X. | @@ -129,7 +135,7 @@ The following tables show the availability of selected key features on Surface P | Intune | Yes | Yes | Manage LTE with eSIM profiles. | | Windows Autopilot | Yes | Yes | | | Azure AD (co-management) | Yes | Yes | Ability to join Surface Pro X to Azure AD or Active Directory (Hybrid Azure AD Join). | -| SCCM | Yes | Yes | | +| Endpoint Configuration Manager | Yes | Yes | | | Power on When AC Restore | Yes | Yes | | | Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | | | Surface Dock Firmware Update | Yes | Yes | | 
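Review bot: the new WSUS link in the -69 hunk is broken Markdown: `[Microsoft Endpoint Configuration Manager documentation] (https://docs.microsoft.com/configmgr/sum/get-started/configure-classifications-and-products)` has a space between `]` and `(`, so the bracketed text renders literally and the URL as plain text; remove the space. The WSUS sentence on the preceding `+` line also carries trailing whitespace.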
@@ -150,7 +156,7 @@ The following tables show the availability of selected key features on Surface P | Surface Data Eraser (SDE) | Yes | Yes | ## FAQ -### Can I deploy Surface Pro X with MDT or SCCM? +### Can I deploy Surface Pro X with MDT or Endpoint Configuration Manager? The Microsoft Deployment Toolkit and System Center Configuration Manager operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud. @@ -164,4 +170,4 @@ Yes. ### Is Intune required to manage Surface Pro X? -Intune is recommended but not required. Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with SCCM, which will install the 32-bit x86 ConfigMgr client. +Intune is recommended but not required. Once deployed in Autopilot, you can join Surface Pro X devices to Azure AD or Active Directory (Hybrid Azure AD Join) where you will be able to manage the devices with Intune or co-manage them with Endpoint Configuration Manager, which will install the 32-bit x86 ConfigMgr client. From da2562fb17654e781bb507f027752c6b72a2b835 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Nov 2019 12:46:40 -0800 Subject: [PATCH 65/91] Update surface-pro-arm-app-management.md --- devices/surface/surface-pro-arm-app-management.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index ba6fcf8bab..3e867c8f49 100644 --- a/devices/surface/surface-pro-arm-app-management.md +++ b/devices/surface/surface-pro-arm-app-management.md 
@@ -70,9 +70,9 @@ Outside of personal devices that rely on Windows Update, servicing devices in mo > Surface Pro X supports Windows 10, version 1903 and later. ### Windows Server Update Services -Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X. +Windows Server Update Services (WSUS) does not support the ability to deliver drivers and firmware to Surface Pro X. -For more information, refer to the [Microsoft Endpoint Configuration Manager documentation] (https://docs.microsoft.com/configmgr/sum/get-started/configure-classifications-and-products). +For more information, refer to the [Microsoft Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/sum/get-started/configure-classifications-and-products). ## Running apps on Surface Pro X @@ -158,7 +158,7 @@ The following tables show the availability of selected key features on Surface P ### Can I deploy Surface Pro X with MDT or Endpoint Configuration Manager? -The Microsoft Deployment Toolkit and System Center Configuration Manager operating system deployment currently do not support Surface Pro X. Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud. +The Microsoft Deployment Toolkit (MDT) and Microsoft Endpoint Configuration Manager currently do not support Surface Pro X for operating system deployment.Customers relying on image-based deployment should consider Surface Pro 7 while they continue to evaluate the right time to transition to the cloud. ### How can I deploy Surface Pro X? From 8b28d1ea449074a44f6ed4f195c3e02adaf76e48 Mon Sep 17 00:00:00 2001 
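Review bot: the rewritten FAQ answer in the -158 hunk is missing a space after the period: `for operating system deployment.Customers relying`; insert it. The answer now matches the renamed heading from the previous commit, which had left "System Center Configuration Manager" in the body, and the -70 hunk correctly closes the `] (` gap in the WSUS link.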
From: jsuther1974 Date: Wed, 20 Nov 2019 13:02:18 -0800 Subject: [PATCH 66/91] Added scenario topic for fully-managed devices. Made minor edits to other topics. --- .../TOC.md | 1 + ...e-wdac-policy-for-fully-managed-devices.md | 170 ++++++++++++++++++ ...wdac-policy-for-lightly-managed-devices.md | 158 +++++++++++++++- .../select-types-of-rules-to-create.md | 2 +- .../types-of-devices.md | 7 +- ...control-with-intelligent-security-graph.md | 2 +- 6 files changed, 333 insertions(+), 7 deletions(-) create mode 100644 windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index a83d4e34e0..7275492629 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -11,6 +11,7 @@ #### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md) #### [Common WDAC deployment scenarios](types-of-devices.md) ##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) +##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md) ##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md) ##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md new file mode 100644 index 0000000000..445b6fb85e --- /dev/null 
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md 
@@ -0,0 +1,170 @@ +--- +title: Create a WDAC policy for fully-managed devices (Windows 10) +description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. +keywords: whitelisting, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jsuther1974 +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 11/20/2019 +--- + +# Create a WDAC policy for fully-managed devices + +**Applies to:** + +- Windows 10 +- Windows Server 2016 and above + +This section outlines the process to create a WDAC policy for **fully-managed devices** within an organization. The key difference between this scenario and [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully-managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully-managed devices should ideally run as standard user and only authorized IT pros have administrative access. + +> [!NOTE] +> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. + +As described in [common WDAC deployment scenarios](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. 
Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. + +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. + +Alice previously created a policy for the organization's lightly-managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and task-workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT. + +## Define the "circle-of-trust" for fully-managed devices + +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully-managed devices: + +- All clients are running Windows 10 version 1903 or above; +- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; + +> [!NOTE] +> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) + +- Most, but not all, apps are deployed using MEMCM; +- Sometimes, IT staff install apps directly to these devices without using MEMCM; +- All users except IT are standard users on these devices. + +Alice's team develops a simple console application, called *LamnaITInstaller.exe*, which will become the authorized way for IT staff to install apps directly to devices. *LamnaITInstaller.exe* allows the IT pro to launch another process, such as an app installer. Alice will configure *LamnaITInstaller.exe* as an additional managed installer for WDAC and allows her to remove the need for filepath rules. + +Based on the above, Alice defines the pseudo-rules for the policy: + +1. 
**“Windows works”** rules which authorizes: + - Windows + - WHQL (3rd party kernel drivers) + - Windows Store signed apps + +2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function +3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer) + +The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#Define-the-"circle-of-trust"-for-lightly-managed-devices) are: + +- Removal of the Intelligent Security Graph (ISG) option; and +- Removal of filepath rules. + +## Create a custom base policy using an example WDAC base policy + +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's fully-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs. + +Alice follows these steps to complete this task: + +> [!NOTE] +> If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy. + +1. [Use MEMCM to create and deploy an audit policy](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above. + +2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: + + ```powershell + $PolicyName= "Lamna_FullyManagedClients_Audit" + $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" + $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" + ``` + +3. Copy the policy created by MEMCM to the desktop: + + ```powershell + cp $MEMCMPolicy $LamnaPolicy + ``` + +4. 
Give the new policy a unique ID, descriptive name, and initial version number: + + ```powershell + Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID + Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0" + ``` + +5. Modify the copied policy to set policy rules: + + ```powershell + Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode + Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy + Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu + Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps + Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer + Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot + Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental + Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security + ``` + +6. If appropriate, add additional signer or file rules to further customize the policy for your organization. + +7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: + + > [!NOTE] + > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. + + ```powershell + $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin" + ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin + ``` + +8. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). + +At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna. 
+ +## Security considerations of this fully-managed policy + +Alice has defined a policy for Lamna's fully-managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include: + +- **Users with administrative access**
    + Although applying to fewer users, Lamna still allows some IT staff to log in to its fully-managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish. + + Possible mitigations: + - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. + - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. + - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources. +- **Unsigned policies**
    + Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy. + + Existing mitigations applied: + - Limit who can elevate to administrator on the device. + + Possible mitigations: + - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. +- **Managed installer**
    + See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) + + Existing mitigations applied: + - Limit who can elevate to administrator on the device. + + Possible mitigations: + - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. +- **Supplemental policies**
    + Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. + + Possible mitgations: + - Use signed WDAC policies which allow authorized signed supplemental policies only. + - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. + +## Up next + +- [Create a WDAC policy for fixed-workload devices using a reference computer](create-initial-default-policy.md) +- [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 05c0c13621..a0aef66202 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md 
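Review bot: the new file's front matter declares `ms.reviewer`, `ms.author` and `manager` twice each (an empty `ms.reviewer:` and `manager: dansimp` / `ms.author: dansimp` near the top, then `ms.reviewer: isbrahm`, `ms.author: dansimp`, `manager: dansimp` again); duplicate keys are invalid YAML and the build will either warn or silently keep one value, so delete the first set. Two relative links use fragments that will not resolve: `#Define-the-"circle-of-trust"-for-lightly-managed-devices` and `#Security-considerations-with-managed-installer`; generated heading ids are lowercase with punctuation stripped, for example `#define-the-circle-of-trust-for-lightly-managed-devices`. The text also says Alice "will configure LamnaITInstaller.exe as an additional managed installer", but no step adds it: managed installers are declared through an AppLocker managed installer rule collection, not in the WDAC XML, and `Set-RuleOption -Option 13` only turns the feature on; either add that step or link to the managed installer topic. Minor: "Possible mitgations" should be "mitigations".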
@@ -27,8 +27,160 @@ ms.date: 11/15/2019 - Windows 10 - Windows Server 2016 and above -This section outlines the process to create a WDAC policy for lightly-managed devices within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics. +This section outlines the process to create a WDAC policy for **lightly-managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics. -## Example: Lamna Healthcare Company +> [!NOTE] +> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -As described in the [previous topic](types-of-devices.md), Lamna Healthcare Company (Lamna) is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. Alice Pena is the IT team lead tasked with the roll out of WDAC. 
Recognizing where Lamna is starting from, with very loose application policies, Alice knows that she will need to take an incremental approach to application control that begins with a very relaxed initial policy for most user devices. \ No newline at end of file +As in the [previous topic](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. + +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with very loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads. + +For the majority of users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value. + +## Define the "circle-of-trust" for lightly-managed devices + +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly-managed devices, which currently includes most end-user devices: + +- All clients are running Windows 10 version 1903 or above; +- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune; + +> [!NOTE] +> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) + +- Some, but not all, apps are deployed using MEMCM; +- Most users are local administrators on their devices; +- Some teams may need additional rules to authorize specific apps that don't apply generally to all other users. 
+ +Based on the above, Alice defines the pseudo-rules for the policy: + +1. **“Windows works”** rules which authorizes: + - Windows + - WHQL (3rd party kernel drivers) + - Windows Store signed apps + +2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function +3. **Allow Managed Installer** (MEMCM configured as a managed installer) +4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization) +5. **Admin-only path rules** for the following locations: + - C:\Program Files\* + - C:\Program Files (x86)\* + - %windir%\* + +## Create a custom base policy using an example WDAC base policy + +Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs. + +Alice follows these steps to complete this task: + +> [!NOTE] +> If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy. + +1. [Use MEMCM to create and deploy an audit policy](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above. + +2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: + + ```powershell + $PolicyName= "Lamna_LightlyManagedClients_Audit" + $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" + $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" + ``` + +3. Copy the policy created by MEMCM to the desktop: + + ```powershell + cp $MEMCMPolicy $LamnaPolicy + ``` + +4. 
Give the new policy a unique ID, descriptive name, and initial version number: + + ```powershell + Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID + Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0" + ``` + +5. Modify the copied policy to set policy rules: + + ```powershell + Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode + Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy + Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu + Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps + Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer + Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG + Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot + Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental + Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security + ``` + +6. Add rules to allow windir and Program Files directories: + + ```powershell + $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*" + $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*" + $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*" + Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules + ``` + +7. If appropriate, add additional signer or file rules to further customize the policy for your organization. + +8. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: + + > [!NOTE] + > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. + + ```powershell + $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin" + ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin + ``` + +9. 
Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). + +At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna. + +## Security considerations of this lightly-managed policy + +In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include: + +- **Users with administrative access**
    + By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish. + + Possible mitigations: + - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. + - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. + - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources. +- **Unsigned policies**
    + Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy. + + Possible mitigations: + - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. + - Limit who can elevate to administrator on the device. +- **Managed installer**
    + See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) + + Possible mitigations: + - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. + - Limit who can elevate to administrator on the device. +- **Intelligent Security Graph (ISG)**
    + See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#Security-considerations-with-the-Intelligent-Security-Graph) + + Possible mitigations: + - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature based rules. + - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. +- **Supplemental policies**
    + Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. + + Possible mitgations: + - Use signed WDAC policies which allow authorized signed supplemental policies only. + - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. +- **FilePath rules**
    + See [more information about filepath rules](select-types-of-rules-to-create.md#More-information-about-filepath-rules) + + Possible mitigations: + - Limit who can elevate to administrator on the device. + - Migrate from filepath rules to managed installer or signature-based rules. + +## Up next + +- [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md) +- [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 6e77768954..4a8db44a9f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md 
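Review bot: step 6 of the PowerShell procedure does not run as written. `Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules` has a stray `=`, which binds the literal string "=" to -OutputFilePath and leaves $LamnaPolicy as an unexpected positional argument; drop the `=`. In the same step `$PathRules` is never initialized, so after the first `+=` it holds a single Rule object rather than an array and the later `+=` lines are applied to that object; add `$PathRules = @()` before the three New-CIPolicyRule lines. Smaller points in the same hunk: pseudo-rule 5 lists `C:\Program Files\*` and `C:\Program Files (x86)\*` while step 6 creates the rules as `%OSDrive%\Program Files\*`, so align the two (the %OSDrive% form is what the policy actually contains); the SCCM naming NOTE sits between bullets of the "circle-of-trust" list and splits it, so move it after the last bullet; "Possible mitgations" under Supplemental policies is a typo; and the "See ..." links use title-cased fragments such as `#Security-considerations-with-managed-installer`, whereas generated heading anchors are lowercase, so lowercase them.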
@@ -54,7 +54,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. | | **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. | | **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. | -| **5 Enabled:Inherit Default Policy** | This option is not currently supported. | +| **5 Enabled:Inherit Default Policy** | This option is reserved for future use. | | **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. | | **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | | **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. | diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 6d7101e72a..6a2781b950 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -32,7 +32,7 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes | **Lightly managed devices**: Company-owned, but users are free to install software.
    Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | | **Fully managed devices**: Allowed software is restricted by IT department.
    Users can request additional software, or install from a list of applications provided by IT department.
    Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
    WDAC policies are supported by the HVCI service. | | **Fixed-workload devices**: Perform same tasks every day.
    Lists of approved applications rarely change.
    Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
    After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a block-list only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | ## An introduction to Lamna Healthcare Company 
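Review bot: the new BYOD text recommends a "block-list only policy", but WDAC is default-deny, so a policy that contains nothing but Deny rules blocks every binary that is not explicitly allowed, not just the listed ones. State that such a policy must be built on an allow-all base (for example the AllowAll example policy) with the Deny rules merged in, and link to the example base policies topic so readers do not ship an empty allow set.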
@@ -40,7 +40,10 @@ In the next set of topics, we will explore each of the above scenarios using a f Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff. -Lamna uses Microsoft Endpoint Manager (MEM) in hybrid mode with both Configuration Manager and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices and individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use Microsoft Defender Advanced Threat Protection (MDATP) for better endpoint detection and response. +Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices and individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (MDATP) for better endpoint detection and response. 
+ +> [!NOTE] +> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index ab14272bde..18194e489d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md 
@@ -89,7 +89,7 @@ appidtel start For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required. -## Security considerations with using the Intelligent Security Graph +## Security considerations with the Intelligent Security Graph Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing. From 0544f20f133c56864cf57d979c157ff0c045acb0 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 20 Nov 2019 13:17:12 -0800 Subject: [PATCH 67/91] Fixed links --- .../create-wdac-policy-for-fully-managed-devices.md | 4 ++-- .../create-wdac-policy-for-lightly-managed-devices.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 445b6fb85e..db4bf85899 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md 
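Review bot: renaming the heading changes its generated anchor to `#security-considerations-with-the-intelligent-security-graph`, but the links added in create-wdac-policy-for-lightly-managed-devices.md point at `#Security-considerations-with-the-Intelligent-Security-Graph`; heading anchors are lowercase, so the rename alone does not make those links resolve and the fragments should be lowercased in the same change.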
@@ -64,7 +64,7 @@ Based on the above, Alice defines the pseudo-rules for the policy: 2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function 3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer) -The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#Define-the-"circle-of-trust"-for-lightly-managed-devices) are: +The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices#Define-the-"circle-of-trust"-for-lightly-managed-devices) are: - Removal of the Intelligent Security Graph (ISG) option; and - Removal of filepath rules. @@ -150,7 +150,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - **Managed installer**
    - See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) + See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer#Security-considerations-with-managed-installer) Existing mitigations applied: - Limit who can elevate to administrator on the device. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index a0aef66202..e6b6d9ad54 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -156,13 +156,13 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Limit who can elevate to administrator on the device. - **Managed installer**
    - See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) + See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer#Security-considerations-with-managed-installer) Possible mitigations: - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Limit who can elevate to administrator on the device. - **Intelligent Security Graph (ISG)**
    - See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#Security-considerations-with-the-Intelligent-Security-Graph) + See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph#Security-considerations-with-the-Intelligent-Security-Graph) Possible mitigations: - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature based rules. @@ -174,7 +174,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Use signed WDAC policies which allow authorized signed supplemental policies only. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - **FilePath rules**
    - See [more information about filepath rules](select-types-of-rules-to-create.md#More-information-about-filepath-rules) + See [more information about filepath rules](select-types-of-rules-to-create#More-information-about-filepath-rules) Possible mitigations: - Limit who can elevate to administrator on the device. From d0a1b4c6e78c6464b9814ddfc9410eb05d56b48b Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Nov 2019 13:23:19 -0800 Subject: [PATCH 68/91] Update surface-enterprise-management-mode.md --- devices/surface/surface-enterprise-management-mode.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index ac2ff45422..6999d3aec8 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md 
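Review bot: dropping the `.md` extension is the wrong fix for these links and is reverted again in PATCH 70; the relative `.md` path is what the repo and build resolve, and the broken part is the fragment. Keep the extension and lowercase the anchor, dropping the quotation marks, for example `create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices` and `use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer`.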
@@ -21,8 +21,7 @@ ms.audience: itpro Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devices with Surface UEFI that allows you to secure and manage firmware settings within your organization. With SEMM, IT professionals can prepare configurations of UEFI settings and install them on a Surface device. In addition to the ability to configure UEFI settings, SEMM also uses a certificate to protect the configuration from unauthorized tampering or removal. >[!NOTE] ->SEMM is only available on devices with Surface UEFI firmware. - +>SEMM is only available on devices with Surface UEFI firmware. This includes most Surface devices including Surface Pro 7, Surface Pro X, and Surface Laptop 3 commercial SKUs with an Intel processor. SEMM is not supported on the 15" Surface Laptop 3 SKU with AMD processor (only available as a retail SKU). When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM. @@ -230,7 +229,7 @@ create a reset package using PowerShell to reset SEMM. ## Version History ### Version 2.59. -* Support to Surface Pro 7 and Surface Laptop 3 13 inch. Note: Surface Laptop 3 15inch AMD processor is not supported. +* Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported. - Support to Wake on Power feature ### Version 2.54.139.0 From 5cda0b9af7d0bc62b2ac4e5b9445758da39e5b4b Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Nov 2019 13:25:19 -0800 Subject: [PATCH 69/91] Update surface-enterprise-management-mode.md --- devices/surface/surface-enterprise-management-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
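Review bot: the rewritten NOTE lists Surface Pro X inside the phrase "commercial SKUs with an Intel processor", but Surface Pro X is an ARM-based device, so the sentence reads as if it has an Intel processor. Split the qualifier so it applies only to Surface Laptop 3, for example "SEMM is supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3 commercial SKUs with an Intel processor; it is not supported on the 15" Surface Laptop 3 with an AMD processor (retail SKU only)." In the version history, "Support to" should read "Support for".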
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 6999d3aec8..6281fa157d 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -9,7 +9,7 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 10/31/2019 +ms.date: 11/20/2019 ms.reviewer: scottmca manager: dansimp ms.localizationpriority: medium From 815f9df3f4a52aa493cd67909e974fefd7ae5594 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Wed, 20 Nov 2019 14:31:47 -0800 Subject: [PATCH 70/91] Revert "Fixed links" This reverts commit 0544f20f133c56864cf57d979c157ff0c045acb0. --- .../create-wdac-policy-for-fully-managed-devices.md | 4 ++-- .../create-wdac-policy-for-lightly-managed-devices.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index db4bf85899..445b6fb85e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md 
@@ -64,7 +64,7 @@ Based on the above, Alice defines the pseudo-rules for the policy: 2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function 3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer) -The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices#Define-the-"circle-of-trust"-for-lightly-managed-devices) are: +The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#Define-the-"circle-of-trust"-for-lightly-managed-devices) are: - Removal of the Intelligent Security Graph (ISG) option; and - Removal of filepath rules. @@ -150,7 +150,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - **Managed installer**
    - See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer#Security-considerations-with-managed-installer) + See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) Existing mitigations applied: - Limit who can elevate to administrator on the device. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index e6b6d9ad54..a0aef66202 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -156,13 +156,13 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Limit who can elevate to administrator on the device. - **Managed installer**
    - See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer#Security-considerations-with-managed-installer) + See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) Possible mitigations: - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Limit who can elevate to administrator on the device. - **Intelligent Security Graph (ISG)**
    - See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph#Security-considerations-with-the-Intelligent-Security-Graph) + See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#Security-considerations-with-the-Intelligent-Security-Graph) Possible mitigations: - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature based rules. @@ -174,7 +174,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Use signed WDAC policies which allow authorized signed supplemental policies only. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - **FilePath rules**
    - See [more information about filepath rules](select-types-of-rules-to-create#More-information-about-filepath-rules) + See [more information about filepath rules](select-types-of-rules-to-create.md#More-information-about-filepath-rules) Possible mitigations: - Limit who can elevate to administrator on the device. From 4f80e4c6afe3e0dc6dca3191ed16dd242d7a4b59 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 20 Nov 2019 14:37:53 -0800 Subject: [PATCH 71/91] Corrected indentation of code block --- .../microsoft-defender-atp/troubleshoot-np.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 743860ad46..8589345cbe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -61,12 +61,12 @@ You can enable network protection in audit mode and then visit a website that we 1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). 1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. - > - >If network protection is not blocking a connection that you are expecting it should block, enable the feature. + + If network protection is not blocking a connection that you are expecting it should block, enable the feature. -```PowerShell -Set-MpPreference -EnableNetworkProtection Enabled -``` + ```PowerShell + Set-MpPreference -EnableNetworkProtection Enabled + ``` ## Report a false positive or false negative From 38a2f2a029c1373e27326df1832495d691cc7b54 Mon Sep 17 00:00:00 2001 
From: Gary Moore Date: Wed, 20 Nov 2019 14:40:18 -0800 Subject: [PATCH 72/91] Corrected indentation of notes Corrected indentation of notes under "Confirm block at first sight is enabled with Intune" --- ...ure-block-at-first-sight-windows-defender-antivirus.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 80515f04eb..47b2f1d42a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -52,8 +52,8 @@ Block at first sight requires a number of settings to be configured correctly or 1. In Intune, navigate to **Device configuration - Profiles > *Profile name* > Device restrictions > Windows Defender Antivirus**. -> [!NOTE] -> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. + > [!NOTE] + > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. 2. Verify these settings are configured as follows: 
@@ -64,8 +64,8 @@ Block at first sight requires a number of settings to be configured correctly or ![Intune config](images/defender/intune-block-at-first-sight.png) -> [!WARNING] -> Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus). + > [!WARNING] + > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus). For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). From c0e3b3590792295335747ec8b0c3be2361fa569a Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Wed, 20 Nov 2019 16:03:47 -0800 Subject: [PATCH 73/91] Update WDAC fully-managed devices metadata to remove duplicate info --- .../create-wdac-policy-for-fully-managed-devices.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 445b6fb85e..ae08cbe091 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -3,9 +3,6 @@ title: Create a WDAC policy for fully-managed devices (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library From 6dbc32d18f7eacfdbbced716be62092a8f8a18b9 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Wed, 20 Nov 2019 16:13:42 -0800 Subject: [PATCH 74/91] Fix WDAC fully-managed formatting --- .../create-wdac-policy-for-fully-managed-devices.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index ae08cbe091..2b8c612155 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -134,30 +134,30 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra - **Users with administrative access**
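Review bot: The hunk in create-wdac-policy-for-fully-managed-devices.md drops `ms.reviewer:`, `manager: dansimp` and `ms.author: dansimp` from the front matter, but the visible context does not show the second copy that the subject line calls a duplicate; please confirm that `manager` and `ms.author` still appear elsewhere in the front matter after this change, otherwise the page loses its author and manager metadata rather than a duplicate of it.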
    Although applying to fewer users, Lamna still allows some IT staff to log in to its fully-managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish. - Possible mitigations: + Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources. - **Unsigned policies**
    Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy. - Existing mitigations applied: + Existing mitigations applied: - Limit who can elevate to administrator on the device. - Possible mitigations: + Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - **Managed installer**
    See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) - Existing mitigations applied: + Existing mitigations applied: - Limit who can elevate to administrator on the device. - Possible mitigations: + Possible mitigations: - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - **Supplemental policies**
    Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. - Possible mitgations: + Possible mitigations: - Use signed WDAC policies which allow authorized signed supplemental policies only. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. From 3c0a78fc69bdf5719e8c4c39087af963f201ac5f Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Wed, 20 Nov 2019 16:21:35 -0800 Subject: [PATCH 75/91] WDAC initial policy remove references to device guard Also add info on multiple policy format --- .../create-initial-default-policy.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 04f8c31125..b621d99439 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -3,9 +3,6 @@ title: Create a WDAC policy for fixed-workload devices using a reference compute description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
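Review bot: The managed installer link left in this hunk's context, `use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer`, uses a capitalized fragment; heading anchors are generated in lowercase, so the bookmark will not resolve. Since this patch already touches the surrounding lines, lowercase it to `#security-considerations-with-managed-installer`. The `mitgations` to `mitigations` correction is good; the other changes only re-indent `Possible mitigations:` and `Existing mitigations applied:` under their list items.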
@@ -52,13 +49,13 @@ You can remove or disable such software on the reference computer. To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order: -1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created: +1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **WDACPolicy.bin** for the names of the files that will be created: `$CIPolicyPath=$env:userprofile+"\Desktop\"` `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + `$CIPolicyBin=$CIPolicyPath+"WDACPolicy.bin"` 2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: 
@@ -69,7 +66,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi > [!Note] > > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. - > + > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md). > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md). > > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. 
@@ -82,7 +79,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin ``` -After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. +After you complete these steps, the WDAC binary file (WDACPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. > [!NOTE] > We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). From 8c54ae158c5d2cd10fbcb529f74014850290659a Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Wed, 20 Nov 2019 16:23:26 -0800 Subject: [PATCH 76/91] Update WDAC lightly managed metadata Remove duplicate info --- .../create-wdac-policy-for-lightly-managed-devices.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index a0aef66202..cd0886c8ad 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md 
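Review bot: In the `@@ -52,13 +49,13 @@` hunk, the three variable assignments are still separate inline-code lines (`$CIPolicyPath=...`, `$InitialCIPolicy=...`, `$CIPolicyBin=...`), which is awkward to copy into a session; since the rename to `WDACPolicy.bin` is touching them anyway, put them in one fenced `powershell` block like the `New-CIPolicy` and `ConvertFrom-CIPolicy` steps that follow.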
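Review bot: In the `@@ -69,7 +66,7 @@` hunk, "Windows build 1903+" should name the product the way the rest of the page does, e.g. "Windows 10, version 1903 and later". The new bullet also replaces the bare `>` separator line, so the `-MultiplePolicyFormat` bullet now sits directly under the long `-UserPEs` bullet while the remaining bullets (`-Fallback`, `-ScanPath`) keep a blank `>` line between them; keep the separator for consistent rendering of the note.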
@@ -3,9 +3,6 @@ title: Create a WDAC policy for lightly-managed devices (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: whitelisting, security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.reviewer: -manager: dansimp -ms.author: dansimp ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library From e15c96e8a47aea5210cfe25cd449702b90ae9adf Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 21 Nov 2019 10:15:50 -0800 Subject: [PATCH 77/91] Minor update to intro paragraph --- .../create-initial-default-policy.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 04f8c31125..3d827d4672 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md 
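Review bot: The `ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb` left in context here is the same GUID that sits in the front matter of create-wdac-policy-for-fully-managed-devices.md, create-initial-default-policy.md and example-wdac-base-policies.md elsewhere in this series; the field is meant to identify one article, so a value shared by four pages looks copy-pasted. While this metadata is being cleaned up, give each page its own value or drop the field.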
@@ -27,7 +27,8 @@ ms.date: 05/03/2018 - Windows 10 - Windows Server 2016 and above -This section outlines the process to create a WDAC policy with Windows PowerShell. +This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc... + For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. Then create the WDAC policy by scanning the system for installed applications. The policy file is converted to binary format when it gets created so that Windows can interpret it. From 36a7ac4548c196e7dc9157185ac5b309e065a87d Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Thu, 21 Nov 2019 10:33:34 -0800 Subject: [PATCH 78/91] Update fixed workload so names are consistent Policy names should be consistent with lightly managed policy documentation --- .../create-initial-default-policy.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 876a07582b..ef4d51e0e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md 
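Review bot: In the new intro sentence, `etc...` should be `etc.` (the abbreviation's period already ends the sentence), and the list reads better as "cash registers, and ATMs." Since this hunk edits the paragraph, also fix the unchanged line right below it: "you must initiate variables" should be "you must initialize variables", matching the wording of step 1 ("Initialize variables that you will use").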
@@ -50,18 +50,20 @@ You can remove or disable such software on the reference computer. To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order: -1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **WDACPolicy.bin** for the names of the files that will be created: +1. Initialize variables that you will use. - `$CIPolicyPath=$env:userprofile+"\Desktop\"` + > [!NOTE] + > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. - `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - - `$CIPolicyBin=$CIPolicyPath+"WDACPolicy.bin"` + ```powershell + $PolicyName="FixedWorkloadPolicy_Audit" + $WDACPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" + $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin" 2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: ```powershell - New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt + New-CIPolicy -Level PcaCertificate -FilePath $WDACPolicy –UserPEs 3> CIPolicyLog.txt ``` > [!Note] 
@@ -77,10 +79,10 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi 3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: ```powershell - ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin + ConvertFrom-CIPolicy $WDACPolicy $WDACPolicyBin ``` -After you complete these steps, the WDAC binary file (WDACPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. +After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. > [!NOTE] > We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). From ce86fb3f8d20d7c61f868c525843b96637d510aa Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Thu, 21 Nov 2019 10:42:54 -0800 Subject: [PATCH 79/91] Fixed workload minor edit for pre-1903 guidance --- .../create-initial-default-policy.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index ef4d51e0e8..bf0bb97074 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md 
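Review bot: In the `@@ -50,18 +50,20 @@` hunk, the code block opened with ```` ```powershell ```` in step 1 is never closed: after `$WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"` the hunk goes straight to `2. Use [New-CIPolicy]`, so the rest of the procedure will render inside the code block. Add a closing ```` ``` ```` line after the last assignment. Separately, the `New-CIPolicy` line (both the removed and the added version) writes `–UserPEs` with an en dash while `-Level` and `-FilePath` on the same line use a hyphen; use the ASCII hyphen throughout so the command survives copy-paste unchanged.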
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -52,13 +52,11 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi 1. Initialize variables that you will use. - > [!NOTE] - > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. - ```powershell + $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName="FixedWorkloadPolicy_Audit" - $WDACPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" - $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin" + $WDACPolicy=$PolicyPath+$PolicyName+".xml" + $WDACPolicyBin=$PolicyPath+$PolicyName+".bin" 2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: From 65d38c5324284e5c9fc0f4f7be65e9f928aad9e6 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Thu, 21 Nov 2019 10:46:32 -0800 Subject: [PATCH 80/91] grammar nitpick --- .../example-wdac-base-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index dbbccbf94e..6e08d9ec94 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md 
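Review bot: The `$PolicyPath` factoring is a good simplification, but the block opened with ```` ```powershell ```` still has no closing fence before `2. Use [New-CIPolicy]`; add one after `$WDACPolicyBin=$PolicyPath+$PolicyName+".bin"`. Also, the subject line says this is pre-1903 guidance, yet with the `{InsertPolicyID}` note removed the body no longer says which Windows versions the plain `.bin` file name applies to; one sentence pointing readers on newer builds to the `-MultiplePolicyFormat` note below would close that gap.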
@@ -23,7 +23,7 @@ ms.date: 11/15/2019 - Windows 10 - Windows Server 2016 and above -When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start from an existing base policy and then add or remove rules to build your own custom policy XML files. Windows includes several example policies which can be used or organizations which use the Device Guard Signing Service can download a starter policy from that service. +When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start from an existing base policy and then add or remove rules to build your own custom policy XML files. Windows includes several example policies which can be used, or organizations which use the Device Guard Signing Service can download a starter policy from that service. ## Example Base Policies From 81bcbf18eec8bd7a7ae7760327d4d1a08b8e55c8 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Thu, 21 Nov 2019 10:51:27 -0800 Subject: [PATCH 81/91] more grammar nitpicks --- .../windows-defender-application-control/types-of-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 6a2781b950..d6e8fa89a5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md 
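Review bot: The added comma helps, but the sentence still reads as two loosely joined clauses ("...several example policies which can be used, or organizations which use..."); consider "Windows includes several example policies that can be used, and organizations that use the Device Guard Signing Service can download a starter policy from that service."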
@@ -40,7 +40,7 @@ In the next set of topics, we will explore each of the above scenarios using a f Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff. -Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices and individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (MDATP) for better endpoint detection and response. +Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (MDATP) for better endpoint detection and response. 
> [!NOTE] > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM) From efbfd6eaaae3de9818882ddd13bfab7be0028a64 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Thu, 21 Nov 2019 15:33:45 -0800 Subject: [PATCH 82/91] Update line 174 bookmark link --- .../create-wdac-policy-for-lightly-managed-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index cd0886c8ad..6c2e789a0f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -171,7 +171,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Use signed WDAC policies which allow authorized signed supplemental policies only. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - **FilePath rules**
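Review bot: The hunk introduces the abbreviation `(MEMCM)` after "Configuration Manager", but the note directly below spells out "Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM)" without tying it to MEMCM; add "(MEMCM)" there as well so the abbreviation's full expansion appears next to where it is defined.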
    - See [more information about filepath rules](select-types-of-rules-to-create.md#More-information-about-filepath-rules) + See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules) Possible mitigations: - Limit who can elevate to administrator on the device. From 6c67e7fd3d0ddf6b81a5f59b4dc9a514ea98b7f2 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Thu, 21 Nov 2019 16:04:17 -0800 Subject: [PATCH 83/91] Fix link capitalization error --- .../create-wdac-policy-for-lightly-managed-devices.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 6c2e789a0f..c9dbb32612 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -153,13 +153,13 @@ In order to minimize user productivity impact, Alice has defined a policy that m - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - Limit who can elevate to administrator on the device. - **Managed installer**
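Review bot: Lowercasing `#more-information-about-filepath-rules` is the right fix, but the same file still carries the capitalized anchors `#Security-considerations-with-managed-installer` and `#Security-considerations-with-the-Intelligent-Security-Graph` a few lines above this hunk; they fail for the same reason and should be fixed in the same change rather than a follow-up.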
    - See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) + See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer) Possible mitigations: - Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer. - Limit who can elevate to administrator on the device. - **Intelligent Security Graph (ISG)**
    - See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#Security-considerations-with-the-Intelligent-Security-Graph) + See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph) Possible mitigations: - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature based rules. From c7d77bc9d72e5d8e71fdb5ad12dfc3b910708ccc Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Thu, 21 Nov 2019 16:07:28 -0800 Subject: [PATCH 84/91] Add topic and fix link capitalization error --- .../create-wdac-policy-for-fully-managed-devices.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 2b8c612155..c2825b535a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -2,6 +2,7 @@ title: Create a WDAC policy for fully-managed devices (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: whitelisting, security, malware +ms.topic: allow-listing ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy 
@@ -61,7 +62,7 @@ Based on the above, Alice defines the pseudo-rules for the policy: 2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function 3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer) -The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#Define-the-"circle-of-trust"-for-lightly-managed-devices) are: +The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are: - Removal of the Intelligent Security Graph (ISG) option; and - Removal of filepath rules. @@ -147,7 +148,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra Possible mitigations: - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies. - **Managed installer**
    - See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#Security-considerations-with-managed-installer) + See [security considerations with managed installer](use-windows-defender-application-control-with-managed-installer.md#security-considerations-with-managed-installer) Existing mitigations applied: - Limit who can elevate to administrator on the device. From f9ddc05108475f32472fce82e1054bc717a5f0a8 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Thu, 21 Nov 2019 16:08:20 -0800 Subject: [PATCH 85/91] Add topic and fix typo --- .../create-wdac-policy-for-lightly-managed-devices.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index c9dbb32612..b92a5dd11b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -2,6 +2,7 @@ title: Create a WDAC policy for lightly-managed devices (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: whitelisting, security, malware +ms.topic: allow-listing ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy @@ -167,7 +168,7 @@ In order to minimize user productivity impact, Alice has defined a policy that m - **Supplemental policies**
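Review bot: In the `@@ -2,6 +2,7 @@` hunk, `ms.topic: allow-listing` is not a topic type: `ms.topic` takes a fixed set of values such as `conceptual` or `article`, and later patches in this series indeed change it to `conceptual`. If "allow-listing" is meant as a search term, it belongs in `keywords` next to `whitelisting`.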
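Review bot: In the `@@ -61,7 +62,7 @@` hunk, the lowercase anchor `#define-the-circle-of-trust-for-lightly-managed-devices` is correct, but the context line `2. **"MEMCM works”** rules which includes signer and hash rules` opens with a straight quote and closes with a curly one, and "which includes" should be "which include" (plural "rules"); since the patch is editing this list, fix both.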
    Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction. - Possible mitgations: + Possible mitigations: - Use signed WDAC policies which allow authorized signed supplemental policies only. - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection. - **FilePath rules**
    From d860ddd14b534f8a409c52d83e8b0341733e9a4c Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Thu, 21 Nov 2019 16:08:48 -0800 Subject: [PATCH 86/91] Add ms.topic --- .../example-wdac-base-policies.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 6e08d9ec94..5003cbf5a6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -2,6 +2,7 @@ title: Example WDAC base policies (Windows 10) description: When creating a WDAC policy for an organization, start from one of the many available example base policies. keywords: whitelisting, security, malware +ms.topic: allow-listing ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy From 56abe80e8aa25056d165b9ff10b5cad997da137f Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Fri, 22 Nov 2019 09:40:48 -0800 Subject: [PATCH 87/91] update topic fully-managed devices --- .../create-wdac-policy-for-fully-managed-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index c2825b535a..93758237b0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md 
@@ -2,7 +2,7 @@ title: Create a WDAC policy for fully-managed devices (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: whitelisting, security, malware -ms.topic: allow-listing +ms.topic: conceptual ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy From 8fc50e780d46cd434e1d06a308df70de7de54717 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Fri, 22 Nov 2019 09:41:25 -0800 Subject: [PATCH 88/91] update topic lightly-managed devices --- .../create-wdac-policy-for-lightly-managed-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index b92a5dd11b..6fc44116aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -2,7 +2,7 @@ title: Create a WDAC policy for lightly-managed devices (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. keywords: whitelisting, security, malware -ms.topic: allow-listing +ms.topic: conceptual ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy From c06fde950430071cb4a27a5a033a2225acae5936 Mon Sep 17 00:00:00 2001 
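Review bot: both hunks correct `ms.topic` to `conceptual`, but the unchanged context line `ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb` is the same GUID in create-wdac-policy-for-fully-managed-devices.md and create-wdac-policy-for-lightly-managed-devices.md, and the previous patch shows it in example-wdac-base-policies.md as well; ms.assetid is meant to identify a single page, so each of the three files should get its own id while the front matter is being touched.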
From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Fri, 22 Nov 2019 09:43:09 -0800 Subject: [PATCH 89/91] update topic example WDAC policies --- .../example-wdac-base-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 5003cbf5a6..e51e5b06af 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -2,7 +2,7 @@ title: Example WDAC base policies (Windows 10) description: When creating a WDAC policy for an organization, start from one of the many available example base policies. keywords: whitelisting, security, malware -ms.topic: allow-listing +ms.topic: article ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: w10 ms.mktglfcycl: deploy From ec73e678648af2f3a2de81250a809f7b75f49e90 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Fri, 22 Nov 2019 12:13:56 -0800 Subject: [PATCH 90/91] Update manage-windows-1903-endpoints.md --- .../privacy/manage-windows-1903-endpoints.md | 56 ++++++++++++------- 1 file changed, 37 insertions(+), 19 deletions(-) diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 01c084966d..67ba2be075 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md 
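Review bot: this hunk sets `ms.topic: article` for example-wdac-base-policies.md while the two preceding patches set `conceptual` for the sibling create-wdac-policy pages; unless the example-policies page is deliberately a different document type, the three WDAC pages should carry the same value so they are rendered and indexed consistently.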
@@ -50,7 +50,9 @@ The following methodology was used to derive these network endpoints: |Area|Description|Protocol|Destination| |----------------|----------|----------|------------| -|Apps|The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| +|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com| +|||HTTP|tile-service.weather.microsoft.com |||HTTP|tile-service.weather.microsoft.com ||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US ||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*| 
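Review bot: the added row `+|||HTTP|tile-service.weather.microsoft.com` duplicates the unchanged context row `|||HTTP|tile-service.weather.microsoft.com` that immediately follows it, so the rendered table lists that endpoint twice, and the added row also lacks the closing `|`; drop the added row. The new `[Learn how to turn off traffic to the following endpoint(s).]` link for Apps points at `#bkmk-windowsstore`, which fits the Store-delivered Weather, OneNote and Twitter tiles, but it sits on a header row with an empty description and Protocol cell, while the Certificates and Licensing rows later in this patch put description and link on one row; pick one layout for the whole table.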
@@ -65,8 +67,10 @@ The following methodology was used to derive these network endpoints: |Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com| |||HTTPS|ris-prod-atm.trafficmanager.net| |||HTTPS|validation-v2.sls.trafficmanager.net| -|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.|HTTP|ctldl.windowsupdate.com| -|Cortana and Search|The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions. |HTTPS|store-images.*microsoft.com| +|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. 
These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)| +|||HTTP|ctldl.windowsupdate.com| +|Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)| +||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com| ||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com/client| |||HTTPS|www.bing.com| |||HTTPS|www.bing.com/proactive| 
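Review bot: the rewritten Certificates description still carries the pre-existing typo `It is possible turn off traffic` (missing `to`); since the whole line is being replaced, fix it here. More importantly, the row now gets a `[Learn how to turn off traffic to all of the following endpoint(s).]` link although the same cell says `We do not recommend blocking this endpoint` and explains that blocking stops the download of known-fraudulent certificates; keep the link only if the target section repeats that warning, otherwise it invites exactly the configuration the text argues against.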
@@ -76,10 +80,12 @@ The following methodology was used to derive these network endpoints: |||HTTP|fp-vp.azureedge.net| |||HTTP|odinvzc.azureedge.net| |||HTTP|spo-ring.msedge.net| -|Device authentication| +|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| ||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*| +|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)| ||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTP|dmd.metaservices.microsoft.com| -|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.|HTTP|v10.events.data.microsoft.com| +|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. 
||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||HTTP|v10.events.data.microsoft.com| |||HTTPS|v10.vortex-win.data.microsoft.com/collect/v1| |||HTTP|www.microsoft.com| ||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|co4.telecommand.telemetry.microsoft.com| 
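Review bot: the `Device authentication` link target `#bkmk-priv-feedback` is the same anchor this hunk uses for `Diagnostic Data` (and the patch later uses for Settings), i.e. the feedback and diagnostics section; authentication against login.live.com is not controlled by diagnostic-data settings, so this looks copy-pasted. Point it at the section that actually covers sign-in (`#bkmk-microsoft-account` is used for that elsewhere in this patch) or at whichever section documents the control.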
@@ -87,16 +93,21 @@ The following methodology was used to derive these network endpoints: |||HTTPS|cs1137.wpc.gammacdn.net| |||TLS v1.2|modern.watson.data.microsoft.com*| |||HTTPS|watson.telemetry.microsoft.com| -|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|HTTPS|*licensing.mp.microsoft.com*| -|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|HTTPS|inference.location.live.net| +|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)| +|||HTTPS|*licensing.mp.microsoft.com*| +|Location|The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location)| +|||HTTPS|inference.location.live.net| |||HTTP|location-inference-westus.cloudapp.net| -|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use. 
If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| +|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)| +||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTPS|*g.akamaiedge.net| |||HTTP|*maps.windows.com*| -|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| +|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)| +||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |HTTP|login.msa.akadns6.net| |||HTTP|us.configsvc1.live.com.akadns.net| |Microsoft Edge|This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com| |Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com| -|Microsoft Store|The following endpoint is used for the Windows Push Notification Services (WNS). 
WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| +|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)| +||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|HTTPS|*.wns.windows.com| ||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTP|storecatalogrevocation.storequality.microsoft.com| ||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. 
Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com*| |||HTTPS|store-images.microsoft.com| 
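Review bot: three of the new links use auto-generated numbered heading anchors (`#9-license-manager` and `#26-microsoft-store` in this hunk, `#4-device-metadata-retrieval` in the previous one) while the rest use explicit `#bkmk-...` bookmarks; numbered anchors change whenever a section is inserted or renumbered in manage-connections-from-windows-operating-system-components-to-microsoft-services.md, so these three will silently break. Prefer a stable bookmark for each. Minor: the Location row has a stray space before `||` (`location data. ||`) unlike the other rows.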
@@ -106,9 +117,10 @@ The following methodology was used to derive these network endpoints: |||HTTP|storeedgefd.dsx.mp.microsoft.com| |||HTTP|markets.books.microsoft.com| |||HTTP |share.microsoft.com| -|Network Connection Status Indicator (NCSI)| +|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)| ||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTP|www.msftconnecttest.com*| -Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTP|*.c-msedge.net| +|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. 
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|||HTTP|*.c-msedge.net| |||HTTPS|*.e-msedge.net| |||HTTPS|*.s-msedge.net| |||HTTPS|nexusrules.officeapps.live.com| 
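Review bot: the Office link targets `#bkmk-windowsstore`, but the description says this traffic is turned off by removing the Office apps and the Mail and Calendar apps, not by disabling the Store; confirm that section is where those instructions live, or link to the section that has them. Restoring the missing leading `|` on the Office row is correct; without it the row rendered as plain text.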
@@ -120,29 +132,35 @@ Office|The following endpoints are used to connect to the Office 365 portal's sh |||HTTPS|onecollector.cloudapp.aria| |||HTTP|v10.events.data.microsoft.com/onecollector/1.0/| |||HTTPS|self.events.data.microsoft.com| -||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com -|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*| +||The following endpoint is used to connect the Office To-Do app to its cloud service. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store.|HTTPS|to-do.microsoft.com| +|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)| +|||HTTP \ HTTPS|g.live.com/1rewlive5skydrive/*| |||HTTP|msagfx.live.com| |||HTTPS|oneclient.sfx.ms| -|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|HTTPS|cy2.settings.data.microsoft.com.akadns.net| +|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. 
If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)| +|||HTTPS|cy2.settings.data.microsoft.com.akadns.net| |||HTTPS|settings.data.microsoft.com| |||HTTPS|settings-win.data.microsoft.com| -|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|browser.pipe.aria.microsoft.com| +|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)| +|||HTTPS|browser.pipe.aria.microsoft.com| |||HTTP|config.edge.skype.com| |||HTTP|s2s.config.skype.com| |||HTTPS|skypeecs-prod-usw-0-b.cloudapp.net| -|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.|HTTPS|wdcp.microsoft.com| +|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. 
If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)| +|||HTTPS|wdcp.microsoft.com| |||HTTPS|definitionupdates.microsoft.com| |||HTTPS|go.microsoft.com| ||The following endpoints are used for Windows Defender Smartscreen reporting and notifications. If you turn off traffic for these endpoints, Smartscreen notifications will not appear.|HTTPS|*smartscreen.microsoft.com| |||HTTPS|smartscreen-sn3p.smartscreen.microsoft.com| |||HTTPS|unitedstates.smartscreen-prod.microsoft.com| -|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.|TLS v1.2|*.search.msn.com| +|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. 
For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)| +|||TLS v1.2|*.search.msn.com| |||HTTPS|arc.msn.com| |||HTTPS|g.msn.com*| |||HTTPS|query.prod.cms.rt.microsoft.com| |||HTTPS|ris.api.iris.microsoft.com| -|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.|HTTPS|*.prod.do.dsp.mp.microsoft.com| +|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)| +|||HTTPS|*.prod.do.dsp.mp.microsoft.com| |||HTTP|cs9.wac.phicdn.net| |||HTTP|emdl.ws.microsoft.com| ||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. 
If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com| From 567334c8b2c3d7a148f4e68714c4b94a6e3465ff Mon Sep 17 00:00:00 2001 From: John Liu <49762389+ShenLanJohn@users.noreply.github.com> Date: Fri, 22 Nov 2019 18:11:56 -0800 Subject: [PATCH 91/91] CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20191122174023 (#1589) --- .../resolved-issues-windows-10-1507.yml | 10 ---------- .../resolved-issues-windows-10-1607.yml | 2 -- .../resolved-issues-windows-10-1709.yml | 10 ---------- .../resolved-issues-windows-10-1803.yml | 10 ---------- ...s-windows-10-1809-and-windows-server-2019.yml | 14 -------------- .../resolved-issues-windows-10-1903.yml | 2 ++ .../resolved-issues-windows-10-1909.yml | 2 ++ ...-windows-7-and-windows-server-2008-r2-sp1.yml | 10 ---------- ...es-windows-8.1-and-windows-server-2012-r2.yml | 10 ---------- .../resolved-issues-windows-server-2012.yml | 10 ---------- .../status-windows-10-1507.yml | 10 ++++++++++ ...s-windows-10-1607-and-windows-server-2016.yml | 10 ++++++++++ .../status-windows-10-1709.yml | 10 ++++++++++ .../status-windows-10-1803.yml | 10 ++++++++++ ...s-windows-10-1809-and-windows-server-2019.yml | 12 ++++++++++++ .../status-windows-10-1903.yml | 16 ++++------------ .../status-windows-10-1909.yml | 14 ++++++++++++-- ...-windows-7-and-windows-server-2008-r2-sp1.yml | 10 ++++++++++ ...us-windows-8.1-and-windows-server-2012-r2.yml | 2 ++ .../status-windows-server-2008-sp2.yml | 10 ---------- .../status-windows-server-2012.yml | 2 ++ 21 files changed, 86 insertions(+), 100 deletions(-) diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml index 50c83837eb..d782b8d33e 100644 --- a/windows/release-information/resolved-issues-windows-10-1507.yml +++ b/windows/release-information/resolved-issues-windows-10-1507.yml 
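Review bot: the Settings link reuses `#bkmk-priv-feedback`; the description names System Initiated User Feedback as one consumer, so that is defensible, but the Xbox app is the other consumer and is not governed by the feedback setting, so the description should say which control the link actually documents. The OneDrive protocol cell `HTTP \ HTTPS` uses a backslash where a slash is meant; since that row is being rewritten anyway, fix it here along with the closing `|` added to the To-Do row.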
@@ -36,7 +36,6 @@ sections:
    Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
    Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.

    See details >
    OS Build 10240.18305

    August 13, 2019
    KB4512497
    Resolved
    KB4517276
    August 17, 2019
    02:00 PM PT
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

    See details >
    OS Build 10240.18244

    June 11, 2019
    KB4503291
    Resolved External
    August 09, 2019
    07:03 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

    See details >
    OS Build 10240.18244

    June 11, 2019
    KB4503291
    Resolved
    KB4507458
    July 09, 2019
    10:00 AM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    OS Build 10240.18215

    May 14, 2019
    KB4499154
    Resolved
    KB4505051
    May 19, 2019
    02:00 PM PT
    " @@ -74,12 +73,3 @@ sections:
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4507458.

    Back to topOS Build 10240.18244

    June 11, 2019
    KB4503291Resolved
    KB4507458Resolved:
    July 09, 2019
    10:00 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT " - -- title: May 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolution: We have released an \"optional, out-of-band\" update for Windows 10 (KB4505051) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505051 from Windows Update and then restarting your device.

    This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505051, search for it in the Microsoft Update Catalog.
     

    Back to top
    OS Build 10240.18215

    May 14, 2019
    KB4499154
    Resolved
    KB4505051
    Resolved:
    May 19, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
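Review bot: these two hunks delete the gov.uk HSTS entry (originating update KB4499154, resolved by KB4505051) from both the summary table and the whole `May 2019` details section of resolved-issues-windows-10-1507.yml, and the commit message describes the change only as an automated publish. The diffstat shows status-windows-10-1507.yml gaining 10 lines and matching deletions in the other resolved-issues files with additions in their status files, so confirm the entry is being relocated with the same resolution text rather than dropped from the release-health history.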
    - " diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml index 09d2a2a5c1..84bc5ffff2 100644 --- a/windows/release-information/resolved-issues-windows-10-1607.yml +++ b/windows/release-information/resolved-issues-windows-10-1607.yml @@ -47,7 +47,6 @@ sections:
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

    See details >OS Build 14393.3025

    June 11, 2019
    KB4503267Resolved
    KB4503294June 18, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >OS Build 14393.2999

    May 23, 2019
    KB4499177Resolved
    KB4503267June 11, 2019
    10:00 AM PT
    Issue using PXE to start a device from WDS
    There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

    See details >OS Build 14393.2848

    March 12, 2019
    KB4489882Resolved
    KB4503267June 11, 2019
    10:00 AM PT -
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >OS Build 14393.2969

    May 14, 2019
    KB4494440Resolved
    KB4505052May 19, 2019
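Review bot: The `-` on the "Unable to access some gov.uk websites" summary row (KB4494440 resolved by KB4505052, OS Build 14393.2969) removes it from the resolved-issues table, and the matching details entry in the same file is dropped in the following hunk, so the "See details" link and its target stay paired. Please apply the same check to every other file in this patch where a gov.uk row is removed: a summary row without its details entry (or the reverse) leaves a dangling "See details" anchor on the rendered page.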
    02:00 PM PT " @@ -109,7 +108,6 @@ sections: text: " -
    DetailsOriginating updateStatusHistory
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.

    Affected platforms:
    • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016
    Resolution: This issue was resolved in KB4507460.

    Back to top
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Resolved
    KB4507460
    Resolved:
    July 09, 2019
    10:00 AM PT

    Opened:
    May 21, 2019
    08:50 AM PT
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolution: We have released an \"optional, out-of-band\" update for Windows 10 (KB4505052) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505052 from Windows Update and then restarting your device.

    This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505052, search for it in the Microsoft Update Catalog.
     

    Back to top
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Resolved
    KB4505052
    Resolved:
    May 19, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    " diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml index 3006fe92db..35c7f5856c 100644 --- a/windows/release-information/resolved-issues-windows-10-1709.yml +++ b/windows/release-information/resolved-issues-windows-10-1709.yml @@ -41,7 +41,6 @@ sections:
    Difficulty connecting to some iSCSI-based SANs
    Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

    See details >OS Build 16299.1182

    May 28, 2019
    KB4499147Resolved
    KB4509477June 26, 2019
    04:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

    See details >OS Build 16299.1217

    June 11, 2019
    KB4503284Resolved
    KB4503281June 18, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >OS Build 16299.1182

    May 28, 2019
    KB4499147Resolved
    KB4503284June 11, 2019
    10:00 AM PT -
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >OS Build 16299.1143

    May 14, 2019
    KB4498946Resolved
    KB4505062May 19, 2019
    02:00 PM PT " @@ -93,12 +92,3 @@ sections:
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503284.

    Back to topOS Build 16299.1182

    May 28, 2019
    KB4499147Resolved
    KB4503284Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT " - -- title: May 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolved: We have released an \"out-of-band\" update for Windows 10 (KB4505062) to resolve this issue.

    • UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
    • Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505062 from Windows Update and then restarting your device.
    To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505062, search for it in the Microsoft Update Catalog.
     

    Back to top
    OS Build 16299.1143

    May 14, 2019
    KB4498946
    Resolved
    KB4505062
    Resolved:
    May 19, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    - " diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml index 323540b947..9aadd14d5a 100644 --- a/windows/release-information/resolved-issues-windows-10-1803.yml +++ b/windows/release-information/resolved-issues-windows-10-1803.yml @@ -44,7 +44,6 @@ sections:
    Difficulty connecting to some iSCSI-based SANs
    Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

    See details >OS Build 17134.799

    May 21, 2019
    KB4499183Resolved
    KB4509478June 26, 2019
    04:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

    See details >OS Build 17134.829

    June 11, 2019
    KB4503286Resolved
    KB4503288June 18, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >OS Build 17134.799

    May 21, 2019
    KB4499183Resolved
    KB4503286June 11, 2019
    10:00 AM PT -
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >OS Build 17134.765

    May 14, 2019
    KB4499167Resolved
    KB4505064May 19, 2019
    02:00 PM PT " @@ -99,12 +98,3 @@ sections:
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503286.

    Back to topOS Build 17134.799

    May 21, 2019
    KB4499183Resolved
    KB4503286Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT " - -- title: May 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolved: We have released an \"out-of-band\" update for Windows 10 (KB4505064) to resolve this issue.

    • UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
    • Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505064 from Windows Update and then restarting your device.
    To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505064, search for it in the Microsoft Update Catalog.
     

    Back to top
    OS Build 17134.765

    May 14, 2019
    KB4499167
    Resolved
    KB4505064
    Resolved:
    May 19, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    - " diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index cf6d53d9b5..f6351c2c0b 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -48,9 +48,6 @@ sections:
    Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
    Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) apps, you may receive an error.

    See details >OS Build 17763.379

    March 12, 2019
    KB4489899Resolved
    KB4501371June 18, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >OS Build 17763.529

    May 21, 2019
    KB4497934Resolved
    KB4503327June 11, 2019
    10:00 AM PT
    Issue using PXE to start a device from WDS
    Using PXE to start a device from a WDS server configured to use Variable Window Extension may terminate the connection.

    See details >OS Build 17763.379

    March 12, 2019
    KB4489899Resolved
    KB4503327June 11, 2019
    10:00 AM PT -
    Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
    Upgrade block: Certain new Intel display drivers may accidentally turn on unsupported features in Windows.

    See details >OS Build 17763.134

    November 13, 2018
    KB4467708Resolved
    May 21, 2019
    07:42 AM PT -
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >OS Build 17763.503

    May 14, 2019
    KB4494441Resolved
    KB4505056May 19, 2019
    02:00 PM PT -
    Windows 10, version 1809 update history may show an update installed twice
    Some customers are reporting that KB4494441 installed twice on their device

    See details >OS Build 17763.503

    May 14, 2019
    KB4494441Resolved
    May 16, 2019
    02:37 PM PT " @@ -122,8 +119,6 @@ sections: text: " - -
    DetailsOriginating updateStatusHistory
    Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
    When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications you may receive the error, \"Your printer has experienced an unexpected configuration problem. 0x80070007e.\"
     
    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019
    Resolution: This issue was resolved in KB4501371

    Back to top
    OS Build 17763.379

    March 12, 2019
    KB4489899
    Resolved
    KB4501371
    Resolved:
    June 18, 2019
    02:00 PM PT

    Opened:
    May 02, 2019
    04:47 PM PT
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolved: We have released an \"out-of-band\" update for Windows 10 (KB4505056) to resolve this issue.

    • UK customers: This update will be applied automatically to resolve this issue. You may be required to restart your device again. If you are affected by this issue, Check for updates to apply the update immediately.
    • Customers outside of the UK: This update will not be applied automatically. If you are affected by this issue, we recommend you apply this update by installing KB4505056 from Windows Update and then restarting your device.
    To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505056, search for it in the Microsoft Update Catalog.
     

    Back to top
    OS Build 17763.503

    May 14, 2019
    KB4494441
    Resolved
    KB4505056
    Resolved:
    May 19, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    Windows 10, version 1809 update history may show an update installed twice
    Affected platforms:
    • Client: Windows 10, version 1809
    Cause:
    In certain situations, installing an update requires multiple download and restart steps. In cases where two intermediate steps of the installation complete successfully, the View your Update history page will report that installation completed successfully twice. 

    Resolution:
    No action is required on your part. The update installation may take longer and may require more than one restart, but will install successfully after all intermediate installation steps have completed. We are working on improving this update experience to ensure the Update history correctly reflects the installation of the latest cumulative update (LCU).

    Back to top
    OS Build 17763.503

    May 14, 2019
    KB4494441
    Resolved
    Resolved:
    May 16, 2019
    02:37 PM PT

    Opened:
    May 14, 2019
    02:56 PM PT
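Review bot: Two inconsistencies remain in the printing entry that this hunk keeps. The quoted error text ends in "0x80070007e" while the row title reads "error 0x80070007", so either the trailing "e" is a stray character or the title should carry the full code as reported. Also, "Resolution: This issue was resolved in KB4501371" is missing the terminating period that the other Resolution lines in this file use. Both are worth fixing while the file is being touched.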
    " @@ -135,12 +130,3 @@ sections:
    Issue using PXE to start a device from WDS
    After installing KB4489899, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. 

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Resolution: This issue was resolved in KB4503327.

    Back to topOS Build 17763.379

    March 12, 2019
    KB4489899Resolved
    KB4503327Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    March 12, 2019
    10:00 AM PT " - -- title: November 2018 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
    Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows. 
     
    As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers.
    Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019 
    Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update. For more information, see the Intel Customer Support article.

    Resolution: Microsoft has removed the safeguard hold.



    Back to top
    OS Build 17763.134

    November 13, 2018
    KB4467708
    Resolved
    Resolved:
    May 21, 2019
    07:42 AM PT

    Opened:
    November 13, 2018
    10:00 AM PT
    - " diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml index cbaf4d7c40..89f8b611f6 100644 --- a/windows/release-information/resolved-issues-windows-10-1903.yml +++ b/windows/release-information/resolved-issues-windows-10-1903.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -137,6 +138,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusDate resolved
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    November 22, 2019
    04:10 PM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    November 15, 2019
    05:59 PM PT
    Updates may fail to install and you may receive Error 0x80073701
    Installation of updates may fail and you may receive error code 0x80073701.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    November 12, 2019
    08:11 AM PT
    Intel Audio displays an intcdaud.sys notification
    Devices with a range of Intel Display Audio device drivers may experience battery drain.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    November 12, 2019
    08:04 AM PT
    + diff --git a/windows/release-information/resolved-issues-windows-10-1909.yml b/windows/release-information/resolved-issues-windows-10-1909.yml index e757f424e8..002f9b5358 100644 --- a/windows/release-information/resolved-issues-windows-10-1909.yml +++ b/windows/release-information/resolved-issues-windows-10-1909.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: "
    DetailsOriginating updateStatusHistory
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    Last updated:
    November 22, 2019
    04:10 PM PT

    Opened:
    May 21, 2019
    07:13 AM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    • Server: Windows 10, version 1909; Windows Server, version 1903
    Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    Last updated:
    November 15, 2019
    05:59 PM PT

    Opened:
    May 21, 2019
    07:29 AM PT
    Intel Audio displays an intcdaud.sys notification
    Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
      
    To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809
    Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.

    Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    Last updated:
    November 12, 2019
    08:04 AM PT

    Opened:
    May 21, 2019
    07:22 AM PT
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
    • Connecting to (or disconnecting from) an external monitor, dock, or projector
    • Rotating the screen
    • Updating display drivers or making other display mode changes
    • Closing full screen applications
    • Applying custom color profiles
    • Running applications that rely on custom gamma ramps
    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4505903
    Resolved:
    July 26, 2019
    02:00 PM PT

    Opened:
    May 21, 2019
    07:28 AM PT
    +
    SummaryOriginating updateStatusDate resolved
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

    See details >
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Resolved External
    November 22, 2019
    04:10 PM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

    See details >
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Resolved External
    November 15, 2019
    05:59 PM PT
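Review bot: In the "Unable to discover or connect to Bluetooth devices using some Realtek adapters" entry, the Affected platforms line "• Server: Windows 10, version 1909; Windows Server, version 1903" lists a client SKU on the Server line; it should presumably read "Windows Server, version 1909". The description in the same entry still scopes the compatibility hold to "Windows 10, version 1903 or Windows Server, version 1903", although the Affected platforms and Resolution lines now cover version 1909 as well. Two smaller points in the Wi-Fi entry: "Qualcomm Wifi driver" should be "Wi-Fi" to match the rest of the entry, and "before you can update to offered Windows 10, version 1909" reads as a dropped word ("to the offered ...").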
    " @@ -48,6 +49,7 @@ sections: - type: markdown text: " +
    DetailsOriginating updateStatusHistory
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

    Back to top
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Resolved External
    Last updated:
    November 22, 2019
    04:10 PM PT

    Opened:
    May 21, 2019
    07:13 AM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    • Server: Windows 10, version 1909; Windows Server, version 1903
    Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

    Back to top
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Resolved External
    Last updated:
    November 15, 2019
    05:59 PM PT

    Opened:
    May 21, 2019
    07:29 AM PT
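Review bot: This hunk repeats the Wi-Fi and Bluetooth entries verbatim for OS Build 18363.476 / KB4524570, and it carries the same defects as the copy earlier in the patch: "• Server: Windows 10, version 1909; Windows Server, version 1903" lists a client SKU under Server, and the paragraph above it still limits the hold to "Windows 10, version 1903 or Windows Server, version 1903" even though the entry's Affected platforms line includes version 1909. Since the text is duplicated, fix both copies in the same change so the two release pages do not drift apart.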
    " diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml index b311991b25..3ba826b5ad 100644 --- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml @@ -41,7 +41,6 @@ sections:
    MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
    You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on certain Windows devices.

    See details >June 11, 2019
    KB4503292Resolved External
    August 09, 2019
    07:03 PM PT
    IE11 may stop working when loading or interacting with Power BI reports
    Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

    See details >May 14, 2019
    KB4499164Resolved
    KB4503277June 20, 2019
    02:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

    See details >June 11, 2019
    KB4503292Resolved
    KB4503277June 20, 2019
    02:00 PM PT -
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >May 14, 2019
    KB4499164Resolved
    KB4505050May 18, 2019
    02:00 PM PT " @@ -92,15 +91,6 @@ sections: " -- title: May 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolved: We have released an \"optional\" update for Internet Explorer 11 (KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
    To download and install this update, see How to get an update through Windows Update. This update is also available through the Microsoft Update Catalog website.

    Back to top
    May 14, 2019
    KB4499164
    Resolved
    KB4505050
    Resolved:
    May 18, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    - " - - title: April 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml index e363c11076..3c7d3b0fbb 100644 --- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml @@ -41,7 +41,6 @@ sections:
    IE11 may stop working when loading or interacting with Power BI reports
    Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

    See details >May 14, 2019
    KB4499151Resolved
    KB4503283June 20, 2019
    02:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

    See details >June 11, 2019
    KB4503276Resolved
    KB4503283June 20, 2019
    02:00 PM PT
    Issue using PXE to start a device from WDS
    There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

    See details >March 12, 2019
    KB4489881Resolved
    KB4503276June 11, 2019
    10:00 AM PT -
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >May 14, 2019
    KB4499151Resolved
    KB4505050May 18, 2019
    02:00 PM PT " @@ -91,15 +90,6 @@ sections: " -- title: May 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolved: We have released an \"optional\" update for Internet Explorer 11 (KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
    To download and install this update, see How to get an update through Windows Update. This update is also available through the Microsoft Update Catalog website.

    Back to top
    May 14, 2019
    KB4499151
    Resolved
    KB4505050
    Resolved:
    May 18, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
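Review bot: dropping this May 2019 entry silently discards the recorded resolution (KB4505050, Resolved May 18, 2019), while the same patch re-adds the issue on the status pages as Investigating with an older last-updated date (May 16, 2019). If the issue is being reopened, say why KB4505050 no longer resolves it and give the reopened entry a current date; otherwise this entry should stay on the resolved-issues page.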
    - " - - title: April 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml index 72ea52e905..cdd5b0cab5 100644 --- a/windows/release-information/resolved-issues-windows-server-2012.yml +++ b/windows/release-information/resolved-issues-windows-server-2012.yml @@ -40,7 +40,6 @@ sections:
    IE11 may stop working when loading or interacting with Power BI reports
    Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

    See details >May 14, 2019
    KB4499171Resolved
    KB4503295June 21, 2019
    02:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may see an error or the app may close.

    See details >June 11, 2019
    KB4503285Resolved
    KB4503295June 20, 2019
    02:00 PM PT
    Issue using PXE to start a device from WDS
    There may be issues using PXE to start a device from a WDS server configured to use Variable Window Extension.

    See details >March 12, 2019
    KB4489891Resolved
    KB4503285June 11, 2019
    10:00 AM PT -
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >May 14, 2019
    KB4499171Resolved
    KB4505050May 18, 2019
    02:00 PM PT " @@ -90,15 +89,6 @@ sections: " -- title: May 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolved: We have released an \"optional\" update for Internet Explorer 11 (KB4505050) to resolve this issue. We recommend you apply this update by installing KB4505050 from Windows Update and then restarting your device.
    To download and install this update, see How to get an update through Windows Update. This update is also available through the Microsoft Update Catalog website.

    Back to top
    May 14, 2019
    KB4499171
    Resolved
    KB4505050
    Resolved:
    May 18, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    - " - - title: March 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 780532c8fb..85acf35ce0 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -61,6 +61,7 @@ sections: text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    +
    SummaryOriginating updateStatusLast updated
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >
    OS Build 10240.18368

    October 08, 2019
    KB4520011
    Mitigated External
    November 05, 2019
    03:36 PM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    OS Build 10240.18215

    May 14, 2019
    KB4499154
    Investigating
    KB4505051
    May 16, 2019
    06:41 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

    See details >
    OS Build 10240.18094

    January 08, 2019
    KB4480962
    Mitigated
    April 25, 2019
    02:00 PM PT
    " @@ -81,6 +82,15 @@ sections: " +- title: May 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
     
     

    Back to top
    OS Build 10240.18215

    May 14, 2019
    KB4499154
    Investigating
    KB4505051
    Last updated:
    May 16, 2019
    06:41 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
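Review bot: the added entry is marked Investigating yet lists KB4505051 in the resolution column, and its Next Steps ("Microsoft is working on a resolution") and Last updated (May 16, 2019) predate the Resolved, May 18, 2019 entries this patch removes from the resolved-issues pages. Either mark the row Resolved with a Resolved: date, or drop KB4505051 until a fix ships, and in both cases refresh the last-updated date so the November 2019 change is visible in the history column.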
    + " + - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index b7c13357d2..45080603e4 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -61,6 +61,7 @@ sections: text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -83,6 +84,15 @@ sections:
    SummaryOriginating updateStatusLast updated
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >
    OS Build 14393.3274

    October 08, 2019
    KB4519998
    Mitigated External
    November 05, 2019
    03:36 PM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Investigating
    KB4505052
    May 16, 2019
    06:41 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

    See details >
    OS Build 14393.2724

    January 08, 2019
    KB4480961
    Mitigated
    April 25, 2019
    02:00 PM PT
    Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
    Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

    See details >
    OS Build 14393.2608

    November 13, 2018
    KB4467691
    Mitigated
    February 19, 2019
    10:00 AM PT
    Cluster service may fail if the minimum password length is set to greater than 14
    The cluster service may fail to start if “Minimum Password Length” is configured with greater than 14 characters.

    See details >
    OS Build 14393.2639

    November 27, 2018
    KB4467684
    Mitigated
    April 25, 2019
    02:00 PM PT
    " +- title: May 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
     
     

    Back to top
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Investigating
    KB4505052
    Last updated:
    May 16, 2019
    06:41 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    + " + - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 20cdc6691b..098a7ef42d 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -62,6 +62,7 @@ sections: +
    SummaryOriginating updateStatusLast updated
    Unable to create local users in Chinese, Japanese and Korean during device setup
    You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

    See details >
    OS Build 16299.1387

    September 10, 2019
    KB4516066
    Mitigated
    November 12, 2019
    08:05 AM PT
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >
    OS Build 16299.1451

    October 08, 2019
    KB4520004
    Mitigated External
    November 05, 2019
    03:36 PM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    OS Build 16299.1143

    May 14, 2019
    KB4498946
    Investigating
    KB4505062
    May 16, 2019
    06:41 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

    See details >
    OS Build 16299.904

    January 08, 2019
    KB4480978
    Mitigated
    April 25, 2019
    02:00 PM PT
    " @@ -91,6 +92,15 @@ sections: " +- title: May 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
     
     

    Back to top
    OS Build 16299.1143

    May 14, 2019
    KB4498946
    Investigating
    KB4505062
    Last updated:
    May 16, 2019
    06:41 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    + " + - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 259b1f258f..0f9feb0c89 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -66,6 +66,7 @@ sections: +
    SummaryOriginating updateStatusLast updated
    Unable to create local users in Chinese, Japanese and Korean during device setup
    You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

    See details >
    OS Build 17134.1006

    September 10, 2019
    KB4516058
    Mitigated
    November 12, 2019
    08:05 AM PT
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >
    OS Build 17134.1069

    October 08, 2019
    KB4520008
    Mitigated External
    November 05, 2019
    03:36 PM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    OS Build 17134.765

    May 14, 2019
    KB4499167
    Investigating
    KB4505064
    May 16, 2019
    06:41 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

    See details >
    OS Build 17134.523

    January 08, 2019
    KB4480966
    Mitigated
    April 25, 2019
    02:00 PM PT
    " @@ -95,6 +96,15 @@ sections: " +- title: May 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
     
     

    Back to top
    OS Build 17134.765

    May 14, 2019
    KB4499167
    Investigating
    KB4505064
    Last updated:
    May 16, 2019
    06:41 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    + " + - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 88e42ce4a7..6129fbe2f0 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -67,8 +67,10 @@ sections:
    Microsoft Defender Advanced Threat Protection might stop running
    The Microsoft Defender ATP service might stop running and might fail to send reporting data.

    See details >OS Build 17763.832

    October 15, 2019
    KB4520062Resolved
    KB4523205November 12, 2019
    10:00 AM PT
    Unable to create local users in Chinese, Japanese and Korean during device setup
    You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

    See details >OS Build 17763.737

    September 10, 2019
    KB4512578Mitigated
    November 12, 2019
    08:05 AM PT
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >OS Build 17763.805

    October 08, 2019
    KB4519338Mitigated External
    November 05, 2019
    03:36 PM PT +
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >OS Build 17763.503

    May 14, 2019
    KB4494441Investigating
    KB4505056May 16, 2019
    06:41 PM PT
    Devices with some Asian language packs installed may receive an error
    Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

    See details >OS Build 17763.437

    April 09, 2019
    KB4493509Mitigated
    May 03, 2019
    10:59 AM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

    See details >OS Build 17763.253

    January 08, 2019
    KB4480116Mitigated
    April 09, 2019
    10:00 AM PT +
    Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
    Upgrade block: Certain new Intel display drivers may accidentally turn on unsupported features in Windows.

    See details >OS Build 17763.134

    November 13, 2018
    KB4467708Mitigated
    March 15, 2019
    12:00 PM PT " @@ -103,6 +105,7 @@ sections: - type: markdown text: " +
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
     
     

    Back to top
    OS Build 17763.503

    May 14, 2019
    KB4494441
    Investigating
    KB4505056
    Last updated:
    May 16, 2019
    06:41 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    Devices with some Asian language packs installed may receive an error
    After installing the April 2019 Cumulative Update (KB4493509), devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019
    Workaround:
    1. Uninstall and reinstall any recently added language packs. For instructions, see \"Manage the input and display language settings in Windows 10\".
    2. Click Check for Updates and install the April 2019 Cumulative Update. For instructions, see \"Update Windows 10\".
    Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:
      1. Go to Settings app -> Recovery.
      2. Click on Get Started under \"Reset this PC\" recovery option.
      3. Select \"Keep my Files\".
    Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 17763.437

    April 09, 2019
    KB4493509
    Mitigated
    Last updated:
    May 03, 2019
    10:59 AM PT

    Opened:
    May 02, 2019
    04:36 PM PT
    " @@ -115,3 +118,12 @@ sections:
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\". This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. 

    Affected platforms: 
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Workaround: Do one of the following:  
    • Perform the operation from a process that has administrator privilege. 
    • Perform the operation from a node that doesn’t have CSV ownership. 
    Next steps: Microsoft is working on a resolution and will provide an update in an upcoming release.

    Back to topOS Build 17763.253

    January 08, 2019
    KB4480116Mitigated
    Last updated:
    April 09, 2019
    10:00 AM PT

    Opened:
    January 08, 2019
    10:00 AM PT " + +- title: November 2018 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
    Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows. 
     
    As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server, version 1809; Windows Server 2019 
    Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update.

    For more information, see the Intel Customer Support article.

    Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.

    Back to top
    OS Build 17763.134

    November 13, 2018
    KB4467708
    Mitigated
    Last updated:
    March 15, 2019
    12:00 PM PT

    Opened:
    November 13, 2018
    10:00 AM PT
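Review bot: the re-added November 2018 entry carries a stale status: Mitigated, Last updated March 15, 2019, with Next steps still reading "OEMs need to make the updated driver available via Windows Update". Re-adding it as an active issue alongside November 2019 entries without refreshing the date or status makes the history column misleading; update the last-updated date and state whether the OEM drivers have since shipped, or, if the issue is closed, leave it off the active table.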
    + " diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index d666ac6451..804016b432 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -64,9 +64,10 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + + - @@ -74,7 +75,6 @@ sections: -
    SummaryOriginating updateStatusLast updated
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    November 22, 2019
    04:10 PM PT
    Issues with some older versions of Avast and AVG anti-virus products
    Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

    See details >
    N/A

    Mitigated External
    November 22, 2019
    04:10 PM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    November 15, 2019
    05:59 PM PT
    Updates may fail to install and you may receive Error 0x80073701
    Installation of updates may fail and you may receive error code 0x80073701.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    November 12, 2019
    08:11 AM PT
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated External
    November 12, 2019
    08:08 AM PT
    Unable to create local users in Chinese, Japanese and Korean during device setup
    You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

    See details >
    OS Build 18362.356

    September 10, 2019
    KB4515384
    Mitigated
    November 12, 2019
    08:05 AM PT
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >
    OS Build 18362.418

    October 08, 2019
    KB4517389
    Mitigated External
    November 05, 2019
    03:36 PM PT
    Intel Audio displays an intcdaud.sys notification
    Devices with a range of Intel Display Audio device drivers may experience battery drain.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    November 12, 2019
    08:04 AM PT
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 or Intel RealSense S200 camera apps.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4501375
    June 27, 2019
    10:00 AM PT
    Unable to discover or connect to Bluetooth devices using some Qualcomm adapters
    Microsoft has identified compatibility issues with some versions of Qualcomm Bluetooth radio drivers.

    See details >
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4517389
    October 08, 2019
    10:00 AM PT
    Safeguard on certain devices with some Intel and Broadcom Wi-Fi adapters
    Some devices with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards may experience compatibility issues.

    See details >
    N/A

    Resolved
    KB4522355
    October 24, 2019
    10:00 AM PT
    dGPU occasionally disappear from device manager on Surface Book 2
    Some apps or games may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

    See details >
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    October 18, 2019
    04:33 PM PT
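Review bot: the "Intermittent loss of Wi-Fi connectivity" summary row now appears twice, once as Resolved External (November 22, 2019) near the top and once as Mitigated External (November 12, 2019) further down; the hunk header's trailing `-` suggests the older row is the removed line, but as rendered both are present, so confirm the Mitigated row is gone. Also, "Microsoft and Avast has identified" in the Avast/AVG row should read "have identified".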
    " @@ -90,6 +90,7 @@ sections: - type: markdown text: " +
    DetailsOriginating updateStatusHistory
    Issues with some older versions of Avast and AVG anti-virus products
    Microsoft and Avast has identified compatibility issues with some versions of Avast Antivirus and AVG Antivirus. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.

    To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until the application is updated.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    • Server: Windows Server, version 1909; Windows Server, version 1903
    Workaround: Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. Guidance for Avast and AVG customers can be found in the following support articles:
    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.

    Back to top
    N/A

    Mitigated External
    Last updated:
    November 22, 2019
    04:10 PM PT

    Opened:
    November 22, 2019
    04:10 PM PT
    TLS connections might fail or timeout
    Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
    • \"The request was aborted: Could not create SSL/TLS secure Channel\"
    • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

    Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

    Back to top
    OS Build 18362.418

    October 08, 2019
    KB4517389
    Mitigated External
    Last updated:
    November 05, 2019
    03:36 PM PT

    Opened:
    November 05, 2019
    03:36 PM PT
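Review bot: "Microsoft and Avast has identified compatibility issues" in the added Avast/AVG details row should be "have identified", and the sentence "Guidance for Avast and AVG customers can be found in the following support articles:" is followed directly by the Note paragraph with no articles listed as rendered here; make sure the support-article links are actually present before this merges.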
    " @@ -122,22 +123,13 @@ sections: " -- title: July 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    dGPU occasionally disappear from device manager on Surface Book 2
    Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing units (dGPUs). After updating to Windows 10, version 1903 (the May 2019 Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.
     
    To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPU from being offered Windows 10, version 1903 until this issue is resolved.
     
    Affected platforms:
    • Client: Windows 10, version 1903
    Resolved: To resolve this issue, you will need to update the firmware of your Surface Book 2 device. Please see the Surface Book 2 update history page for instructions on how to install the October 2019 updates on your device. There is no update for Windows needed for this issue.
     
    The safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1903.

    Back to top
    OS Build 18362.145

    May 29, 2019
    KB4497935
    Resolved
    Resolved:
    October 18, 2019
    04:33 PM PT

    Opened:
    July 12, 2019
    04:20 PM PT
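Review bot: Dropping the whole July 2019 section (the Surface Book 2 dGPU entry) is consistent with the page's stated 30-day window, since the entry was resolved October 18, 2019 and this change lands more than a month later, but the summary table at the top of the same file must lose the matching row in the same commit or its "See details" link will point at an entry that no longer exists; please confirm that row was removed as well.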
    - " - - title: May 2019 - items: - type: markdown text: " + - diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml index 37e82669bb..34d19acbca 100644 --- a/windows/release-information/status-windows-10-1909.yml +++ b/windows/release-information/status-windows-10-1909.yml @@ -64,8 +64,9 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    DetailsOriginating updateStatusHistory
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    Last updated:
    November 22, 2019
    04:10 PM PT

    Opened:
    May 21, 2019
    07:13 AM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    • Server: Windows 10, version 1909; Windows Server, version 1903
    Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    Last updated:
    November 15, 2019
    05:59 PM PT

    Opened:
    May 21, 2019
    07:29 AM PT
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    Workaround: Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
     
    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Mitigated External
    Last updated:
    November 12, 2019
    08:08 AM PT

    Opened:
    May 21, 2019
    07:13 AM PT
    Intel Audio displays an intcdaud.sys notification
    Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
      
    To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809
    Resolution: This issue was resolved with updated drivers from your device manufacturer (OEM) or Intel. The safeguard hold has been removed.

    Note If you are still experiencing the issue described, please contact your device manufacturer (OEM).

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved External
    Last updated:
    November 12, 2019
    08:04 AM PT

    Opened:
    May 21, 2019
    07:22 AM PT
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
    • Connecting to (or disconnecting from) an external monitor, dock, or projector
    • Rotating the screen
    • Updating display drivers or making other display mode changes
    • Closing full screen applications
    • Applying custom color profiles
    • Running applications that rely on custom gamma ramps
    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4505903
    Resolved:
    July 26, 2019
    02:00 PM PT

    Opened:
    May 21, 2019
    07:28 AM PT
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:
            \"Close other apps, error code: 0XA00F4243.”

    To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4501375 and the safeguard hold has been removed.

    Back to top
    OS Build 18362.116

    May 21, 2019
    KB4505057
    Resolved
    KB4501375
    Resolved:
    June 27, 2019
    10:00 AM PT

    Opened:
    May 21, 2019
    07:20 AM PT
    + + -
    SummaryOriginating updateStatusLast updated
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

    See details >
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Resolved External
    November 22, 2019
    04:10 PM PT
    Issues with some older versions of Avast and AVG anti-virus products
    Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.

    See details >
    N/A

    Mitigated External
    November 22, 2019
    04:10 PM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some versions of Realtek Bluetooth radio drivers.

    See details >
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Resolved External
    November 15, 2019
    05:59 PM PT
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

    See details >
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Mitigated External
    November 12, 2019
    08:08 AM PT
    Unable to create local users in Chinese, Japanese and Korean during device setup
    You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.

    See details >
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Mitigated
    November 12, 2019
    08:05 AM PT
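Review bot: The summary table at the end of this hunk lists "Intermittent loss of Wi-Fi connectivity" twice with contradictory status, once as Resolved External (November 22, 2019) and once as Mitigated External (November 12, 2019); keep only the resolved row, or if both are meant to stay, change the second title so readers can tell what differs. In the details block above it, the Realtek Bluetooth entry lists "Server: Windows 10, version 1909", which should read "Windows Server, version 1909", and its text still says the hold applies to version 1903 only even though 1909 is in the affected platforms. The details rows here also cite OS Build 18362.116 / KB4505057 as the originating update while the summary rows cite OS Build 18363.476 / KB4524570 for the same issues; if this block is the pre-change version of the table that is fine, otherwise the two tables should agree.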
    " @@ -77,6 +78,15 @@ sections:
    " +- title: November 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Issues with some older versions of Avast and AVG anti-virus products
    Microsoft and Avast has identified compatibility issues with some versions of Avast Antivirus and AVG Antivirus. Any application from Avast or AVG that contains Antivirus version 19.5.4444.567 or earlier is affected.

    To safeguard your upgrade experience, we have applied a hold on devices with affected Avast and AVG Antivirus from being offered or installing Windows 10, version 1903 or Windows 10, version 1909, until the application is updated.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    • Server: Windows Server, version 1909; Windows Server, version 1903
    Workaround: Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated version of your Avast or AVG application. Guidance for Avast and AVG customers can be found in the following support articles:
    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new version of your Avast or AVG application has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.

    Back to top
    N/A

    Mitigated External
    Last updated:
    November 22, 2019
    04:10 PM PT

    Opened:
    November 22, 2019
    04:10 PM PT
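Review bot: "Microsoft and Avast has identified" should be "have identified" (both occurrences in this hunk), and the Workaround sentence ends with "can be found in the following support articles:" with nothing after it; either the Avast and AVG links were lost or they still need adding, and until they are present the row gives affected users no path to a fixed version. N/A in the originating-update cell is right for a third-party compatibility hold, but since only the vendor can fix "Antivirus version 19.5.4444.567 or earlier", state the first fixed Avast/AVG version in the Workaround once it is known so readers can check what they have.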
    + " + - title: October 2019 - items: - type: markdown @@ -91,7 +101,7 @@ sections: - type: markdown text: " + -
    DetailsOriginating updateStatusHistory
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    Resolution: This issue was resolved with an updated Qualcomm Wifi driver and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

    Back to top
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Resolved External
    Last updated:
    November 22, 2019
    04:10 PM PT

    Opened:
    May 21, 2019
    07:13 AM PT
    Unable to discover or connect to Bluetooth devices using some Realtek adapters
    Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    • Server: Windows 10, version 1909; Windows Server, version 1903
    Resolution: This issue was resolved with an updated driver for the affected Realtek Bluetooth radio and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to offered Windows 10, version 1909 or Windows 10, version 1903.

    Back to top
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Resolved External
    Last updated:
    November 15, 2019
    05:59 PM PT

    Opened:
    May 21, 2019
    07:29 AM PT
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with affected Qualcomm driver from being offered Windows 10, version 1903 or Windows 10, version 1909, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1909; Windows 10, version 1903
    Workaround: Before updating to Windows 10, version 1903 or Windows 10, version 1909, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
     
    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 or Windows 10, version 1909 feature update has been automatically offered to you.

    Back to top
    OS Build 18363.476

    November 12, 2019
    KB4524570
    Mitigated External
    Last updated:
    November 12, 2019
    08:08 AM PT

    Opened:
    May 21, 2019
    07:13 AM PT
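Review bot: The second "Intermittent loss of Wi-Fi connectivity" entry in this hunk (Mitigated External, with a Workaround) contradicts the first (Resolved External, with a Resolution) for the same originating update and the same Opened timestamp of May 21, 2019 07:13 AM PT; one issue cannot be both resolved and mitigated, so drop the stale entry or, if the resolved row covers only some Qualcomm driver versions, say so in both rows. The Realtek Bluetooth entry between them has the same "Server: Windows 10, version 1909" typo as the summary table and says the hold was applied for "Windows 10, version 1903 or Windows Server, version 1903" while listing version 1909 as affected. The Opened date of May 21, 2019 also predates the listed originating update of November 12, 2019 (KB4524570); if the entries were carried over from the 1903 page, a short note saying so would stop readers reporting it as a data error.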
    " diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index dadedc3369..e8343dc359 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -63,6 +63,7 @@ sections:
    MSRT might fail to install and be re-offered from Windows Update or WSUS
    The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

    See details >
    Mitigated
    November 15, 2019
    05:59 PM PT
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >October 08, 2019
    KB4519976Mitigated External
    November 05, 2019
    03:36 PM PT
    IA64 and x64 devices may fail to start after installing updates
    After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.

    See details >August 13, 2019
    KB4512506Mitigated
    August 17, 2019
    12:59 PM PT +
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >May 14, 2019
    KB4499164Investigating
    KB4505050May 16, 2019
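Review bot: The re-added gov.uk row has status Investigating yet carries KB4505050 in the status column, which is the form the other rows use for the resolving update; either that KB resolved the issue (then the status should be Resolved with a resolution date) or it did not (then remove the KB). Its Last updated of May 16, 2019 is also six months old for a row in a table the page describes as current active issues, so refresh it or explain why the entry is returning. The MSRT row above it has an empty originating-update cell; the Avast entry elsewhere in this patch prints N/A for that case, and the same should be done here so the column never renders blank.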
    06:41 PM PT " @@ -91,3 +92,12 @@ sections:
    IA64 and x64 devices may fail to start after installing updates
    IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error:
    \"File: \\Windows\\system32\\winload.efi
    Status: 0xc0000428
    Info: Windows cannot verify the digital signature for this file.\"

    Affected platforms:
    • Client: Windows 7 SP1
    • Server: Windows Server 2008 R2 SP1
    Take Action: To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428.

    Back to topAugust 13, 2019
    KB4512506Mitigated
    Last updated:
    August 17, 2019
    12:59 PM PT

    Opened:
    August 13, 2019
    08:34 AM PT " + +- title: May 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
     
     

    Back to top
    May 14, 2019
    KB4499164
    Investigating
    KB4505050
    Last updated:
    May 16, 2019
    06:41 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
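Review bot: The restored gov.uk details entry says "Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible" while its status cell lists KB4505050; if that KB is the fix, Next Steps should say so and the status should move to Resolved, and if it is not, the KB reference is misleading. The two empty paragraphs between Next Steps and Back to top render as blank lines and can be dropped. In the IA64/x64 context entry above, "the July 9th updates" would be clearer as "the July 9, 2019 updates", matching the date style used everywhere else on the page.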
    + " diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index 3db7d9a3ea..4847988383 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -61,6 +61,7 @@ sections: text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    +
    SummaryOriginating updateStatusLast updated
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >
    October 08, 2019
    KB4520005
    Mitigated External
    November 05, 2019
    03:36 PM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    May 14, 2019
    KB4499151
    Investigating
    KB4505050
    May 16, 2019
    06:41 PM PT
    Japanese IME doesn't show the new Japanese Era name as a text input option
    With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

    See details >
    April 25, 2019
    KB4493443
    Mitigated
    May 15, 2019
    05:53 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

    See details >
    January 08, 2019
    KB4480963
    Mitigated
    April 25, 2019
    02:00 PM PT
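Review bot: The gov.uk summary row added here carries the same Investigating / KB4505050 mismatch as the Windows 7 page in this patch, so whichever way that is settled should be applied on every page receiving the row. Because the summary header promises current active issues and issues resolved in the last 30 days, an entry last updated May 16, 2019 needs either a status change or a fresh Last updated date. The Cluster Shared Volume and Japanese IME rows are older than 30 days too but remain Mitigated, which matches the stated rule, so no change is needed there.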
    @@ -87,6 +88,7 @@ sections: - type: markdown text: " +
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
     
     

    Back to top
    May 14, 2019
    KB4499151
    Investigating
    KB4505050
    Last updated:
    May 16, 2019
    06:41 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    Japanese IME doesn't show the new Japanese Era name as a text input option
    If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

    Affected platforms:
    • Client: Windows 8.1
    • Server: Windows Server 2012 R2; Windows Server 2012
    Workaround:
    If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update.
    • Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
    • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
    • Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
    • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
    • Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
    • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)

    Back to top
    April 25, 2019
    KB4493443
    Mitigated
    Last updated:
    May 15, 2019
    05:53 PM PT

    Opened:
    May 15, 2019
    05:53 PM PT
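Review bot: The Affected platforms list in the added gov.uk entry names Windows 10 versions 1507 through 1809 and Windows Server 2016 and 2019 on what is the Windows 8.1 / Windows Server 2012 R2 status page, while the Japanese IME entry beside it lists only this page's own platforms; either trim the list to Windows 8.1 and Windows Server 2012 R2 or keep the full cross-platform list on every page consistently, but not a mix. The client line also ends with a trailing space after "Windows 7 SP1", and the two empty paragraphs after Next Steps should go.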
    " diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index 0b6aeeea7b..ba7311b1cc 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -62,7 +62,6 @@ sections: -
    SummaryOriginating updateStatusLast updated
    MSRT might fail to install and be re-offered from Windows Update or WSUS
    The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.

    See details >

    Mitigated
    November 15, 2019
    05:59 PM PT
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >
    October 08, 2019
    KB4520002
    Mitigated External
    November 05, 2019
    03:36 PM PT
    Issues manually installing updates by double-clicking the .msu file
    You may encounter issues manually installing updates by double-clicking the .msu file and may receive an error.

    See details >
    September 10, 2019
    KB4474419
    Resolved
    KB4474419
    September 23, 2019
    10:00 AM PT
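Review bot: Removing the ".msu" row matches the 30-day window (it was resolved September 23, 2019), but the MSRT row that stays has an empty originating-update cell where the Avast entry added in this same patch prints N/A; use N/A here too so the column never renders blank. The MSRT row also has no originating KB or date at all while the summary text refers to "the November 2019 update" for MSRT; if that update has a KB number, listing it would give readers something to search for.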
    " @@ -82,12 +81,3 @@ sections:
    TLS connections might fail or timeout
    Updates for Windows released October 8, 2019 or later provide protections, tracked by CVE-2019-1318, against an attack that could allow unauthorized access to information or data within TLS connections. This type of attack is known as a man-in-the-middle exploit. Windows might fail to connect to TLS clients and servers that do not support Extended Master Secret for resumption (RFC 7627). Lack of RFC support might cause one or more of the following errors or logged events:
    • \"The request was aborted: Could not create SSL/TLS secure Channel\"
    • SCHANNEL event 36887 is logged in the System event log with the description, \"A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​\"
    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

    Next Steps: Connections between two devices running any supported version of Windows should not have this issue when fully updated. There is no update for Windows needed for this issue. These changes are required to address a security issue and security compliance. For information, see KB4528489.

    Back to topOctober 08, 2019
    KB4520002Mitigated External
    Last updated:
    November 05, 2019
    03:36 PM PT

    Opened:
    November 05, 2019
    03:36 PM PT " - -- title: September 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Issues manually installing updates by double-clicking the .msu file
    After installing the SHA-2 update (KB4474419) released on September 10, 2019, you may encounter issues manually installing updates by double-clicking on the .msu file and may receive the error, \"Installer encountered an error: 0x80073afc. The resource loader failed to find MUI file.\"

    Affected platforms:
    • Server: Windows Server 2008 SP2
    Workaround: Open a command prompt and use the following command (replacing <msu location> with the actual location and filename of the update): wusa.exe <msu location> /quiet

    Resolution: This issue is resolved in KB4474419 released October 8, 2019. It will install automatically from Windows Update and Windows Server Update Services (WSUS). If you need to install this update manually, you will need to use the workaround above.

    Note If you previously installed KB4474419 released September 23, 2019, then you already have the latest version of this update and do not need to reinstall.

    Back to top
    September 10, 2019
    KB4474419
    Resolved
    KB4474419
    Resolved:
    September 23, 2019
    10:00 AM PT

    Opened:
    September 20, 2019
    04:57 PM PT
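Review bot: Deleting the September 2019 section drops the only place on this page that records the wusa.exe <msu location> /quiet workaround, and the Resolution text in the removed entry itself says that anyone installing KB4474419 manually still needs it ("If you need to install this update manually, you will need to use the workaround above"); the 30-day rule justifies dropping the row from the summary, but that manual-install guidance should survive somewhere readers of this page can find it, for example in the KB article or as a short note elsewhere on the page, before the section is removed.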
    - " diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index ae33c73b72..e41336b414 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -61,6 +61,7 @@ sections: text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    +
    SummaryOriginating updateStatusLast updated
    TLS connections might fail or timeout
    Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.

    See details >
    October 08, 2019
    KB4520007
    Mitigated External
    November 05, 2019
    03:36 PM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    May 14, 2019
    KB4499171
    Investigating
    KB4505050
    May 16, 2019
    06:41 PM PT
    Japanese IME doesn't show the new Japanese Era name as a text input option
    With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.

    See details >
    April 25, 2019
    KB4493462
    Mitigated
    May 15, 2019
    05:53 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).

    See details >
    January 08, 2019
    KB4480975
    Mitigated
    April 25, 2019
    02:00 PM PT
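Review bot: The summary text for the added gov.uk row puts HSTS in quotation marks and never expands it, while the details entry on the same page spells out HTTP Strict Transport Security; use the expanded form once in the summary and drop the quotes. As on the Windows 7 and 8.1 pages in this patch, the Investigating status should also be reconciled with the KB4505050 reference in the status column, and the May 16, 2019 Last updated date refreshed if the issue is genuinely still open.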
    @@ -87,6 +88,7 @@ sections: - type: markdown text: " +
    DetailsOriginating updateStatusHistory
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Next Steps: Microsoft is working on a resolution and will provide an update as quickly as possible.
     
     

    Back to top
    May 14, 2019
    KB4499171
    Investigating
    KB4505050
    Last updated:
    May 16, 2019
    06:41 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    Japanese IME doesn't show the new Japanese Era name as a text input option
    If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

    Affected platforms:
    • Client: Windows 8.1
    • Server: Windows Server 2012 R2; Windows Server 2012
    Workaround:
    If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update.
    • Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
    • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
    • Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
    • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
    • Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
    • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)

    Back to top
    April 25, 2019
    KB4493462
    Mitigated
    Last updated:
    May 15, 2019
    05:53 PM PT

    Opened:
    May 15, 2019
    05:53 PM PT
    "
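Review bot: The added gov.uk details entry ends with two empty paragraphs (rendered as blank lines between Next Steps and Back to top) that appear on all three pages receiving this entry; fix them once in the shared source rather than per page. In the Japanese IME context entry, "New words that were in previous dictionary updates are also in this update" never says which update; naming it (if it is the KB4493462 originating update shown below the entry, say so) would make the workaround self-contained.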